Network scanners and operating system detection

A few examples of working with the excellent network scanner Nmap

Scan the network for Active Hosts:

$ nmap -sn 192.168.1.0/24

Scanning a list of hosts/networks from a File:

$ nmap -iL input.txt

File format:

The entries can be in any of the formats that Nmap works with from the command line (IP addresses, hostnames, CIDR, IPv6, or octet ranges). Records must be separated by one or more spaces, tabs, or newlines.

$ cat input.txt
server.test.com
192.168.1.0/24
192.168.2.1,2,3
192.168.3.0-200
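The file format described above, worked through as an added example (this is not Nmap's code): a small parser that expands the target records an -iL file may contain (hostnames, CIDR networks, and comma lists or ranges in any octet) into concrete targets, on a constructed sample file.

```python
import itertools
import re

# Constructed sample input file, in the layout the page describes: records
# separated by spaces, tabs or newlines, mixing a hostname, a CIDR network,
# an octet list and an octet range.
SAMPLE_INPUT = "server.test.com 192.168.1.0/30\n192.168.2.1,2,3\t192.168.3.0-4\n"

# One octet position: '5', '1,2,3', '0-200' or a mix such as '1,10-20'.
OCTET_SPEC = re.compile(r"^[0-9]+(?:-[0-9]+)?(?:,[0-9]+(?:-[0-9]+)?)*$")


def ip_to_int(ip):
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """Unpack a 32-bit integer into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def expand_octet(spec):
    """Expand one octet position such as '5', '1,2,3' or '0-200' into ints."""
    values = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            values.extend(range(int(lo), int(hi) + 1))
        else:
            values.append(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError("octet out of range in %r" % spec)
    return values


def expand_cidr(spec):
    """Expand a.b.c.d/prefix into every address of that network.

    Host bits in the given address are ignored, as Nmap does: 192.168.1.5/24
    scans the whole 192.168.1.0/24 network.
    """
    addr, prefix = spec.split("/", 1)
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix length in %r" % spec)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    base = ip_to_int(addr) & mask
    return [int_to_ip(base + i) for i in range(1 << (32 - prefix))]


def expand_target(spec):
    """Expand a single target specification into concrete targets.

    Hostnames are returned unchanged (no DNS lookup is performed here).
    """
    if "/" in spec:
        return expand_cidr(spec)
    octets = spec.split(".")
    if len(octets) == 4 and all(OCTET_SPEC.match(o) for o in octets):
        return [".".join(map(str, combo))
                for combo in itertools.product(*(expand_octet(o) for o in octets))]
    return [spec]


def parse_target_file(text):
    """Parse the contents of an -iL input file into a flat list of targets."""
    targets = []
    for record in text.split():
        targets.extend(expand_target(record))
    return targets


if __name__ == "__main__":
    for target in parse_target_file(SAMPLE_INPUT):
        print(target)
```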

Scan Multiple IP Addresses:

$ nmap 192.168.1.1 192.168.1.2 192.168.1.3
$ nmap 192.168.1.1,2,3


5. Excluding IP/Hosts/Networks from Scanning

Exclude Targets from Nmap scanning:

$ nmap 192.168.1.0/24 --exclude 192.168.1.1
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5
$ nmap 192.168.1.0/24 --exclude 192.168.1.1,2,3

Exclude List of hosts taken from file:

$ nmap 192.168.1.0/24 --excludefile exclude.txt

6. Scan Specific Ports

Scan One Port:

$ nmap -p 80 192.168.1.1

Scan Multiple Ports:

$ nmap -p 80,443 192.168.1.1

Scan Port Range:

$ nmap -p 80-1000 192.168.1.1

Scan All Ports:

$ nmap -p "*" 192.168.1.1

Scan ports without host discovery (the host is assumed to be up):

$ nmap -Pn 192.168.1.1

7. Definition of Supported IP Protocols

Determine which IP protocols (TCP, UDP, ICMP, etc.) the scanned host supports:

$ nmap -sO 192.168.1.1

8. Scan TCP/UDP Ports

Scan all TCP Ports:

$ nmap -sT 192.168.1.1

Scan specific TCP Ports:

$ nmap -p T:80 192.168.1.1

Scan all UDP Ports:

$ nmap -sU 192.168.1.1

Scan specific UDP Ports:

$ nmap -p U:53 192.168.1.1

Combining scans of different ports:

$ nmap -p U:53,79,113,T:21-25,80,443,8080 192.168.1.1

9. Quick Scan

Activate Quick Scan Mode:

$ nmap -F 192.168.1.1

10. Show Port State Reason

Show the reason why Nmap thinks the port is in a certain state:

$ nmap --reason 192.168.1.1

11. Show Only Open Ports

Show only open (or possibly open) ports:

$ nmap --open 192.168.1.1

Show port 22 only if it is open:

$ nmap -p22 --open 192.168.1.1

12. OS Detection

Enable OS detection:

$ nmap -O 192.168.1.1

* Identifies the remote operating system using the TCP/IP stack fingerprint.

13. Determining the Version of the Services

Enable Services Version Detection:

$ nmap -sV 192.168.1.1

* Determines the versions of the programs running on the remote server.

14. Firewall detection

Find out whether the computer is protected by a packet filter or firewall (the ACK scan, described in detail later in the article):

$ nmap -sA 192.168.1.1

Save the scan results to an XML file:

$ nmap -oX output.xml 192.168.1.1

Enable the aggressive scan options:

$ nmap -A 192.168.1.2

This command enables script scanning and many other options at once; the help menu describes it as: Enable OS detection, version detection, script scanning, and traceroute.
For example, for the Samba service (port 445), it will show the following:

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

The system administrator fancied himself the god of the network,
but the electrician rudely dispelled this myth.

IT humor

Introduction

Network scanning is one of the first steps in the process of hacking or preventing it, as it allows you to determine the most vulnerable and potentially dangerous open ports on your computer. Since each computer has a set of specific features, using a port scanner you can determine which services (FTP-, web-, mail server etc.) are running on the computer, as well as which operating system controls it. The more services running on a computer, the more likely it is to be hacked - after all, every software has vulnerabilities.

Network scanners are designed to scan a specific network address(IP addresses) or addresses and identify open and possibly insecure ports on the computer under study. Nevertheless, such programs are used, as a rule, by hackers to identify possible vulnerabilities and then break into a computer, and by no means to ensure its security. It turns out that security and hacking, although inherently antipodes, allow the use of the same means.

Basics of the TCP Protocol

To understand how scanning takes place, you need to understand the algorithm used to make a TCP connection between computers. To establish a TCP connection between a client and a server, the client sends a request (a TCP packet) with the SYN flag set to initiate the connection. If the server is listening on this port, it sends the client a packet with the SYN and ACK flags set, thereby simultaneously acknowledging the client's request and asking it to establish the reverse connection. The client then sends a packet with the ACK flag set, acknowledging the server's SYN. Next, data is transmitted, and a packet with the ACK flag is sent each time to confirm receipt. When the server or client has completely finished transmitting data, it sends a packet with the FIN flag set, informing the other side that the connection is to be closed. The other side, having received the packet with the FIN flag, sends a return packet with the FIN flag set, acknowledging the end of the connection. To abort the connection, either party can send a packet with the RST flag. The packet exchange is shown more clearly in Table 1.

Table 1. Connection Establishment and Packet Exchange Process

Most scanners obtain information about available open ports and the presence of a computer on the network based on this sequence.

Nmap network scanner and its features

Since Linux- and BSD-based systems have become increasingly popular lately, in this publication we will look at the most advanced network scanner for Linux systems: Nmap. This program is one of the most common among Linux users and is distinguished by its powerful tools and high speed of operation.

The Nmap network scanner appeared in 1997 for UNIX-based operating systems and continues to be improved to this day. It differs from similar programs for Windows-based operating systems by its powerful built-in tools, high speed, various related utilities, a variety of scanning methods and its popularity, since almost every Linux distribution is equipped with this network security scanner. However, like most highly specialized programs for Linux, it has no graphical shell for the end user and is run from the command line. Of course, there are additional front-ends for controlling this utility, such as Umit and Nmapfe, which use the Nmap engine and display information in a window rather than on the command line. But this utility was originally developed for the command line, and the "attached" front-ends increase the running time and have many drawbacks compared to the original, including in their design. In addition, there is a version of this program for Windows-based operating systems. Since the methods of operation and many commands are identical for both platforms, this article will consider version 4.1 of Nmap for Linux systems. Since Nmap is included in almost every Linux distribution, you can scan the network without reinstalling the operating system by using a so-called LiveCD. Boot disks of this type do not require installation and boot from a CD/DVD drive; there is no need to partition the hard disk and create additional partitions, since in this case part of the computer's RAM serves as the hard drive.

Currently, network scanners allow you to determine many additional parameters of the scanned computer. Nmap can determine most of the basic parameters of the network adapter: the MAC address, the computer name in the domain, open ports, ports closed by a firewall, the manufacturer of the network adapter chipset of the computer under study, the OS version and the running services. Note that the MAC address and chipset manufacturer information can only be retrieved for computers that are on the same subnet as the scanning PC. To appreciate all the advantages of this program, consider the switches most commonly used in its operation.

As already mentioned, Nmap is launched from the command line. When you run the program without any switches, or with the -h (--help) switch, a list of the available switches and parameters is displayed on the screen (Fig. 1).

Fig. 1. List of switches shown when entering the nmap command

The syntax for starting the program is as follows: nmap [Scan type] [Options] {target specification}, where the type of scan is given in place of Scan type (by default, if this place is left empty, Nmap performs an ordinary scan of the available ports). All kinds of switches and scan parameters are entered as Options, and the target specification is either the computer's IP address, a range of IP addresses (determined by the subnet mask), or the host name.

Subnet masks

Most likely, users who dealt with network adapter settings had to deal with such a parameter as the subnet mask (Netmask). However, not everyone knows what it is.

As you know, an IP address consists of four integer values (octets) and is written in the form xxx.xxx.xxx.xxx, where xxx can take values from 0 to 254. But the IP address by itself is not sufficient: in order for a network device to determine which subnet a computer belongs to, a subnet mask is also needed, which shows which part of the IP address is the Network ID and which part is the Host ID. The Network ID is essentially the address of the network itself, while the Host ID is the address of the node within that network. Consider a host with an IP address of 10.242.10.242 and a subnet mask of 255.0.0.0: in this case the computer belongs to the network 10.0.0.0. Here the Network ID is 10.0.0.0 and the Host ID is 242.10.242. To obtain the network address from the IP address and the subnet mask, apply the bitwise conjunction (AND) operation to them: each bit of the result is the AND of the corresponding bits of the IP address and the subnet mask.

For example, in the case of a more complex mask:

IP address:      00001100 00100010 00111000 01001110 (12.34.56.78)
Subnet mask:     11111111 11111111 11100000 00000000 (255.255.224.0)
Network address: 00001100 00100010 00100000 00000000 (12.34.32.0)

However, to scan a network while typing less, you can use the alternative prefix notation for the subnet mask. In most cases, for simple networks you can limit yourself to simple subnet masks such as 255.0.0.0, 255.255.0.0 and 255.255.255.0. The subnet mask is often written together with the IP address in the format IP address/number of 1 bits in the mask. For example, the IP address 12.34.56.78 with the mask 255.255.224.0 (that is, 19 one-bits and 13 zero-bits) can be written as 12.34.56.78/19. For the three masks considered above there is the alternative notation ip/8, ip/16 and ip/24, which reduces the number of characters typed on the command line. For the earlier example, the address with its mask can be written as 10.242.10.242/8, which is significantly shorter than 10.242.10.242 mask 255.0.0.0. Accordingly, the IP address range of the 10.0.0.0 network can be written as 10.0.0.0/8.
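The subnet mask arithmetic above, carried through as an added example (not code from the article): bitwise AND to get the Network ID, conversion between dotted masks and /prefix notation, rejection of non-contiguous masks, and the same-subnet check that decides whether MAC addresses can be retrieved.

```python
def ip_to_int(ip):
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """Unpack a 32-bit integer into dotted-quad form."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(ip):
    """Render an address octet by octet in binary, as in the worked example."""
    return " ".join(format(int(o), "08b") for o in ip.split("."))


def prefix_to_mask(prefix):
    """/19 -> 255.255.224.0 (19 one-bits followed by 13 zero-bits)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask):
    """255.255.224.0 -> 19. Rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("mask bits are not contiguous: %s" % mask)
    return ones


def network_address(ip, mask):
    """Network ID = IP address AND subnet mask (bitwise conjunction)."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def host_id(ip, mask):
    """Host ID = IP address AND NOT mask, in dotted form (242.10.242 shows as 0.242.10.242)."""
    return int_to_ip(ip_to_int(ip) & ~ip_to_int(mask) & 0xFFFFFFFF)


def to_cidr(ip, mask):
    """Write address and mask in the shorter ip/prefix notation."""
    return "%s/%d" % (ip, mask_to_prefix(mask))


def same_network(ip_a, ip_b, mask):
    """True when both hosts share the Network ID, i.e. are on one subnet."""
    return network_address(ip_a, mask) == network_address(ip_b, mask)


if __name__ == "__main__":
    for ip, mask in (("12.34.56.78", "255.255.224.0"), ("10.242.10.242", "255.0.0.0")):
        net = network_address(ip, mask)
        print("IP address:      ", to_binary(ip), "(%s)" % ip)
        print("Subnet mask:     ", to_binary(mask), "(%s)" % mask)
        print("Network address: ", to_binary(net), "(%s) = %s" % (net, to_cidr(ip, mask)))
```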

First scan attempts

Let's get back to the Nmap network scanner. As already mentioned, the target specification can be an IP address, a range of addresses or a host name. If you need to scan many different IP addresses and hosts, typing everything manually on the command line is not very convenient (especially if the number of addresses exceeds 20); for this, Nmap supports loading a file with addresses. Table 2 lists the switches associated with entering the scanned addresses.

Table 2. Keys responsible for entering addresses

It should be noted that the file containing the list of addresses must be a plain text file. Each new address or range of addresses must start on a new line. Examples of entering the scanned addresses are shown in Fig. 2 and 3.

Fig. 2. Entering addresses from the command line

Knowing how to specify the addresses of the computers under study, let's see what is ultimately displayed on the screen. Let's run the command nmap 10.0.0.62 10.0.0.53 to scan the open ports of the computers with those addresses.

Fig. 3. Reading the scanned addresses from a file

Scan results and their analysis

Fig. 4 shows the output of the scan results. First, Nmap tries to match a name to the scanned IP address using the DNS server. If this succeeds, Nmap prints the real name of the computer at the very beginning. As can be seen from the figure, the IP address 10.0.0.62 corresponds to the name pakhomov.computerpresspublishing.ru, while for the next address investigated, 10.0.0.53, there is no such correspondence. Next, Nmap displays information about closed or blocked ports (Not shown: 1674 closed ports), and then lists (in three columns) the ports that have a different status. The first column gives the port number; the second can take various values that indicate the status of the port as determined by Nmap:

  • open (open port) - the port is open, and the service accepts TCP or UDP connections on this port (this port is most vulnerable to hacking);
  • filtered - the port is closed by a firewall, other blocking program or service (router rules, hardware firewall, etc.);
  • closed - the port is closed because there is no service or other program listening on this port on the computer.

Fig. 4. Scan result

If a port is reported as unfiltered, Nmap was unable to determine accurately whether the port is open or closed; this value is usually assigned when scanning with the ACK method (described later). There are also two further possible values, open|filtered and closed|filtered; in both cases Nmap was unable to determine the status of the port. To determine the state more accurately in the first case, you must use a FIN, Null, Xmas or UDP scan; most likely these scanning methods will allow you to get more detailed information. The closed|filtered value only appears when the Idlescan method is used.

The last column gives a little information about the intended service using this port. For example, if port number 80 is open, Nmap informs that this port is normally used by web servers (http). It should be noted that for greater security, some services do not run on their standard port, but on a different one, therefore it is impossible to assert that a web server is running on port 80 (the version scan method is used to more accurately determine the running service). After listing open ports, Nmap displays the physical (MAC) address of the network device, and, if possible, determines the manufacturer of the network adapter chipset of the PC under study and, in some cases, even its name.

Scanning methods for the presence of a computer on the network

The examples discussed above are quite simple and do not require additional keys, but are usually suitable for most computers on the network. However, for aggressive scanning in order to obtain the maximum possible information about the computer under investigation, it is necessary to set the scan parameters correctly. In order to determine which computers are working on the network, Nmap allows you to use several network scanning methods - all of them belong to the Host Discovery section (discovery of hosts (computers)).

Finding a computer using the Ping method

The simplest method is to discover running computers using ping. To do this, use the -sP switch on the command line. The Nmap network scanner sends ICMP echo requests to the given IP address or addresses and waits for a response. If a response is received, the scanned computer is running, which is shown in the scan result. Fig. 5 shows the result of using this method.

Fig. 5. Scan result using -sP

However, today many computers with at least some kind of firewall usually block ICMP requests, so even if the computer is turned on, Nmap will report that the computer does not exist on the network. In this case, Nmap provides a different method for determining whether a computer is on the network. The ping-scan example we've discussed is based on the above table of connection establishment sequence.

Discovery with SYN/ACK and UDP packets

If a service is listening on a port and Nmap tries to establish a connection with it (sends a packet with the SYN flag), the service can respond with a packet with the SYN/ACK flags, which shows that the computer exists on the network. But if there is no service on this port, the server sends back a packet with the RST flag, which also indicates that there is a computer at the given IP address. If nothing comes back from the server in response to the SYN packet, either the computer is turned off or the traffic is blocked by a firewall. Another scanning method was developed to get past firewall blocking. The Nmap scanner typically sends SYN/ACK packets and a UDP packet to the standard port 80, which is most commonly used for web traffic and therefore very rarely blocked by a firewall. Using the -PS, -PA and -PU switches, you can specify which packet will be sent to the server and on which port. An example of these commands is shown in Fig. 6. Note that the port number is written directly after the packet type, for example -PS80,81.

Fig. 6. Scan result using -PA, -PS and -PU

Computer discovery through various ICMP packets

The above method does not determine the presence of a computer on the network with certainty. The Nmap network scanner has another option for determining whether a computer is on the network. To use it, you must specify the additional switches -PE, -PP or -PM. The first method uses ICMP echo requests; however, as already mentioned, ICMP traffic is often blocked, so this method is not always applicable. But the ICMP specification also provides date/time requests (timestamp requests) and netmask requests (address mask requests). Using these you can also get a response from the remote computer, although they often do not give the desired result. To use the ICMP echo method, specify the -PE switch; for the other two methods described, the -PP and -PM switches respectively. Fig. 7 shows scan attempts using all three methods.

Fig. 7. Result of scanning using the -PE, -PP and -PM switches

Disable computer detection during scanning

As a rule, it is impossible to accurately determine the presence of a computer on the network, or if it is, its scanning may be blocked by a firewall. In this regard, the -P0 option was introduced, in which the computer under investigation is not scanned for presence on the network (that is, it does not ping at all), but only the computer's ports are scanned. When using this option, Nmap assumes that the scanned IP addresses are on the network and does not send requests to determine the presence of the computer on the network, which significantly increases the speed of scanning. This option is usually used for covert scanning using the methods that will be described later, since in this case no information about ICMP echo requests is left on the computer being examined.

By default, when scanning an IP address, Nmap obtains the computer name from the system DNS. To increase the scanning speed, you can disable this by adding the -n switch. Incidentally, in almost all programs and services connected in one way or another with the network, the -n switch has this meaning (netstat -n, route -n, etc.). There are also several options that allow you to obtain the computer name not only from the system DNS but also from external DNS servers. To activate this, run Nmap with the switch --dns-servers serv1,serv2, where serv1 and serv2 are DNS server addresses. Alternatively, you can use the -R switch. As already mentioned, by default Nmap uses the system DNS to get the computer name; to specify this explicitly, enter the --system-dns switch. Fig. 8 shows examples of using the -n and -R --dns-servers switches.

Fig. 8. Using the -n and -R --dns-servers switches

Remote Computer Port Scan Methods

The Nmap network scanner offers a variety of methods for scanning and obtaining the necessary information. Note, however, that many methods involve low-level manipulation of the TCP packet flags and therefore require root (superuser) privileges on the system. The methods can only be used separately from each other; only UDP port scanning can be performed simultaneously with the other scanning methods. Port scanning relies on the same technique of sending packets with altered flags when initiating TCP and UDP connections.

SYN Scan

The most common method, used by default, is the TCP SYN scan. For most of the computers under investigation, this method is sufficient to determine the open ports. TCP SYN scanning is the fastest of the methods: it allows you to scan several hundred ports per second while keeping the scanning computer in the shadows, since it never completes the TCP connection (most monitoring utilities do not log such connections). Superuser (root) rights are required to use this method. The Nmap scanner sends a packet with the SYN flag to the computer under investigation, as if it wanted to open a normal TCP connection, following the rules given at the beginning of the article. If a response (a packet with the SYN/ACK flags) is received from the host, the port is marked as open; when a packet with the RST flag is received, it is marked as closed. If the scanned computer does not respond, it is assumed that the port is being filtered by a firewall. To use this scanning method, run Nmap with the -sS switch (Fig. 9).

Fig. 9. Scanning using the -sS switch (TCP SYN scan)

As you can see from the picture, most of the ports are open, but some are closed by the firewall.

Scanning using the connect() system function

There are situations when superuser rights are not available but a remote computer still needs to be scanned. In this case, Nmap uses a connection-based method built on the connect() system call, which is used by most applications: p2p clients, browsers and other network applications. Here Nmap asks the operating system itself to establish the TCP connection. If the connection is established, the port is marked as open; if not, as closed. After determining the status of the port, Nmap terminates the connection, that is, a packet with the RST flag is sent. However, this method has one drawback: since the connection is established completely, it remains in the logs of the scanned system, and so monitoring systems will almost always be able to determine which computer performed the scan. As a result, this method is rarely used. To run this scan, run Nmap with the -sT switch. An example of the scan using the connect() system function is shown in Fig. 10.

Fig. 10. Scanning using the -sT switch (TCP connect() scan)

Scanning UDP Ports

Let's not forget about UDP services, which are almost as common as services that use the TCP protocol. The most common services using UDP are DNS, SNMP and DHCP. Since UDP scanning is more complex and slower than TCP scanning, many security systems neglect it and ignore listening (filtering) on these ports. But services listening on these ports can also be vulnerable to attack, since Nmap allows you to determine which ports are open and which services are listening on them. Since UDP is unlike TCP, the scanning method differs from those discussed earlier. Nmap sends an empty UDP packet to every port it examines and waits for a response. If it receives an ICMP port unreachable error in response, the port is considered closed. When other ICMP errors are received, Nmap assumes that the port is being filtered by a firewall. A UDP response packet indicates the presence of a service, and the port is marked open. If no response is received after several attempts, Nmap marks the port as open|filtered, because it cannot determine for sure whether the port is open or a firewall is blocking traffic on that port. In addition, many computers can only send a limited number of ICMP error messages per second; this is done to protect against network congestion. To clarify the state of the port, you can use the -sV switch (Nmap then tries to determine the service running on the scanned port and its version), but then the scanning speed drops by an order of magnitude. A UDP scan can be run at the same time as any of the TCP scan methods because they use different protocols. UDP scanning is launched with the -sU switch. The difference in speed is shown in Fig. 11, which shows examples of scanning without the -sV option and with it, one after the other.

Fig. 11. UDP scanning with and without the -sV switch

The figure shows that scanning with the service version detection option took almost 10 times longer (54 seconds vs. 4) than without it. But this option helped to determine that UDP ports 53 and 137 were open, although the previous scan could not accurately determine their status. At the same time, even this option does not always give reliable information: of the nine ports with an indeterminate status, only two were accurately identified (53 and 137). Nmap also allows you to set a response time limit for the computer under investigation, thereby weeding out slow hosts and significantly increasing the speed of UDP scanning. This option can be used not only with UDP scanning but with all the other methods as well. To use it, enter the switch --host-timeout <sec>, where sec is the response time in milliseconds.

Scanning with FIN, Xmas and Null methods

Because a TCP connection is based on the three-way handshake discussed at the beginning of this article, interrupting the connection sequence can also yield information about the closed and open ports of the host under investigation. The FIN scan method sends the remote host packets with the FIN flag, which are normally used when a connection is closed. In this case, a closed port, in accordance with the TCP protocol specification, must send back a packet with the RST flag. If the port is open or blocked by a firewall, there will be no response from it. As with the SYN scan, the connection is never completed, so there may be no trace in the system logs of the host under investigation; at the same time, most monitoring systems can detect this type of scan. This method is more stealthy than the TCP connect scan and allows you to determine whether a port is closed or open (blocked), so several modifications of it exist. The Null scan method sends, instead of a packet with the FIN flag, a packet with an empty flags field (all flags cleared); otherwise it works as described above. Another method with a similar algorithm is called the Xmas scan: here a packet lit up with several flags (FIN, PSH and URG), like a Christmas tree, is sent to the host. Each of these methods has its own switch: -sN, -sF and -sX (Null, FIN and Xmas scan, respectively). Fig. 12 shows examples of all three types of scan, and for comparison Fig. 13 shows the SYN scan method.

Fig. 12. Scanning using the -sN, -sF and -sX switches

When comparing the results of the SYN scan with the Null, FIN and Xmas scans, it can be seen that the latter determined many ports not as definitely open but only as open|filtered. This is because most operating systems of the Windows family, Cisco network devices and others do not always follow the specification, so the result of such a scan on these types of systems is likely to be negative. At the same time, these three methods are suitable for determining open ports on UNIX-based systems that follow the TCP protocol specification, and also allow you to get past many firewalls and packet filters.

Fig. 13. SYN scan

Scanning with different flags

Nmap allows you to set the flags that will be used for this type of scan, for which you need to run the program with the --scanflags switch. In this case, the types of flags can be different - URG, ACK, PSH, RST, SYN and FIN. The command syntax is as follows: nmap --scanflags URGACKPSHRSTSYNFIN. In addition to this command, you can specify two scan methods: -sA and -sF (if they are not specified, the SYN scan method is used by default).

Scanning with ACK and Window Methods

To determine which ports on the computer are in the filtered state and which are unfiltered, there is a separate scan type: the ACK scan. It can also be enabled with the --scanflags ACK switch. Since many firewalls only look at SYN packets to a specific port when filtering, by sending packets with the ACK flag it is very likely that you can determine whether a firewall is present on the computer under investigation. The packet with the ACK flag is not sent as part of a connection but on its own. If the receiving side sends back a packet with the RST flag (so the port is not blocked by a firewall), the port is marked as unfiltered; if the host does not respond to the packet, a firewall is in place and the port is in the filtered state. To activate this method, run Nmap with the -sA switch. Fig. 14 shows an example of this scanning method.

Fig. 14. Scan by the ACK method

Since the computer has already been examined with a SYN scan (see Fig. 13), it can be seen that the ACK scan can only determine the status of some of the host's ports. This method has an analogue that works on the same principle but interprets the results received from the host slightly differently. TCP Window scanning relies on the fact that services on some hosts use a positive (non-zero) value for the window field in the response packet. Using this method, Nmap analyses the headers of the incoming packets with the RST flag: if the incoming packet contains a positive window value, Nmap marks the port as open, while a packet with a zero window value means the port is closed. To activate this scanning method, enter the -sW switch.

Scanning with the Maimon Method

Another method of scanning based on the three-way handshake is the method described by a specialist named Uriel Maimon. His method is almost identical to the FIN, Xmas and Null methods, except that the packets are sent with the FIN/ACK flags. Here, if the port is closed, the host should respond with an RST packet. To activate this scanning method, enter the -sM switch.

All of the above methods are based on the same 3-way connection method on a TCP connection.
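The port states the SYN, connect(), UDP, FIN/Null/Xmas, ACK, Window and Maimon sections derive from a host's replies, collected into one decision function as an added example (not code from the article or from Nmap), plus a summary that hides closed ports the way the scan output in Fig. 4 does. The Reply structure and the sample replies are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Reply:
    """What (if anything) came back for one probe. kind: 'tcp', 'udp', 'icmp' or 'none'."""
    kind: str
    flags: FrozenSet[str] = frozenset()   # TCP flags of a 'tcp' reply
    window: int = 0                        # TCP window field of a 'tcp' reply
    icmp_code: Optional[int] = None        # code of an ICMP type 3 (unreachable) reply


NO_REPLY = Reply("none")
# ICMP unreachable codes that mean "filtered"; code 3 (port unreachable) means closed.
FILTERED_ICMP_CODES = {1, 2, 9, 10, 13}


def classify(scan, reply):
    """Map a probe reply to the port state reported for the given scan type."""
    is_tcp = reply.kind == "tcp"
    rst = is_tcp and "RST" in reply.flags
    syn_ack = is_tcp and {"SYN", "ACK"} <= reply.flags
    icmp_filtered = reply.kind == "icmp" and reply.icmp_code in FILTERED_ICMP_CODES

    if scan in ("syn", "connect"):
        if syn_ack:
            return "open"
        if rst:
            return "closed"
        return "filtered"                      # no reply, or an ICMP error
    if scan in ("fin", "null", "xmas", "maimon"):
        if rst:
            return "closed"
        if icmp_filtered:
            return "filtered"
        return "open|filtered"                 # silence: open port or firewall
    if scan == "ack":
        return "unfiltered" if rst else "filtered"
    if scan == "window":
        if rst:
            return "open" if reply.window > 0 else "closed"
        return "filtered"
    if scan == "udp":
        if reply.kind == "udp":
            return "open"
        if reply.kind == "icmp" and reply.icmp_code == 3:
            return "closed"
        if icmp_filtered:
            return "filtered"
        return "open|filtered"                 # silence after retries
    raise ValueError("unknown scan type: %s" % scan)


def report(scan, replies):
    """Summarise like the scan output: hide closed ports, list the rest.

    replies maps port -> Reply. Returns (number of closed ports not shown,
    {port: state} for every port in another state).
    """
    states = {port: classify(scan, r) for port, r in replies.items()}
    shown = {p: s for p, s in states.items() if s != "closed"}
    return len(states) - len(shown), shown


# Constructed replies to a SYN scan of four ports: 22 and 80 answer SYN/ACK
# (open), 23 answers RST (closed), 445 stays silent (filtered by a firewall).
SAMPLE_SYN_REPLIES = {
    22: Reply("tcp", frozenset({"SYN", "ACK"}), window=29200),
    23: Reply("tcp", frozenset({"RST", "ACK"})),
    80: Reply("tcp", frozenset({"SYN", "ACK"}), window=65535),
    445: NO_REPLY,
}

if __name__ == "__main__":
    hidden, shown = report("syn", SAMPLE_SYN_REPLIES)
    print("Not shown: %d closed ports" % hidden)
    for port, state in sorted(shown.items()):
        print("%d/tcp %s" % (port, state))
```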

Covert scanning using the idlescan algorithm

None of the considered methods allows you to completely hide the IP address of the scanning host. Since spoofing the IP address of an outgoing packet is not so difficult, a scanning method was found in which the host under investigation cannot determine the exact IP address of the computer from which the scan is performed. The idlescan method is almost identical to the SYN scan in its operation algorithm. To understand how this hides the IP address of the scanning computer, you need to know that each IP packet has its own number (fragment identification number, IPID). Many operating systems increase this number for each next packet sent, so you can easily determine how many packets a host has sent. In this case, it should be borne in mind that if the computer received a packet with SYN / ACK flags from an address from which it did not request a connection, then in response it will send a packet with the RST flag. This method involves the use of another "zombie" computer, on behalf of which packets will be sent to the scanned computer. Next, consider the algorithm of the idlescan method.

Let the scanning computer be attacker, the zombie computer be zombie, and the scanned computer be target.

The first case - the port under investigation is open:

  • The attacker sends a packet with the SYN/ACK flags to zombie, and in response zombie sends a packet with the RST flag. Suppose this packet has identification number (IPID) 123;
  • the attacker sends a packet with the SYN flag to the port of interest on target, with the source address spoofed as zombie;
  • target replies with a SYN/ACK packet to zombie. Zombie, which never intended to open a connection, answers target with an RST packet. This packet has the next number, IPID 124;
  • the attacker again sends a SYN/ACK packet to zombie, and zombie replies with an RST packet. Its IPID has now increased by two: 125.

The second case - the port is closed:

  • The attacker sends a packet with the SYN/ACK flags to zombie, and in response zombie sends a packet with the RST flag. Suppose this packet has identification number (IPID) 123;
  • the attacker sends a packet with the SYN flag to the port of interest on target, with the source address spoofed as zombie;
  • target replies with an RST packet to zombie. Zombie does not send anything in response;
  • the attacker again sends a SYN/ACK packet to zombie, and zombie replies with an RST packet. Its IPID has increased by only one: 124.

Thus, by simple arithmetic on the zombie's IPID, it is possible to tell whether a port on the computer under study is open or closed. Note that a filtered port produces the same result as a closed one (target sends nothing, zombie sends nothing), so Nmap reports such ports as closed|filtered. The advantage of this method is that it is very difficult to determine the IP address of the scanning computer, because target sees the scan as coming from zombie, and the attacker's requests appear only in the zombie's logs. To activate this scanning method, use the -sI zombie[:port] switch, where zombie is the name or IP address of the computer on whose behalf the scan is performed, and port is the port used for the exchange between the scanning computer and the zombie (the default is 80, since it is open for web traffic on most computers). An example of scanning with this method is shown in Fig. 15, together with a SYN scan of the same host for comparison.
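The arithmetic described in the two cases above, as an added example that is not part of the original article or of Nmap's own code: a small Python model of the three-packet exchange in which the zombie's IP ID counter is simulated, so the attacker's two observations can be compared. It also shows the failure mode mentioned in the text, a zombie that is not really idle and sends its own traffic between the probes, in which case the difference is neither 1 nor 2 and the result cannot be trusted. The Zombie and Target classes and the "background_packets" knob are constructed for the illustration.

```python
"""Model of the idle-scan (zombie) IPID arithmetic behind Nmap's -sI.

Added example: simulates the three packets the text describes and derives
the port state from the change in the zombie's IP ID counter.
"""
from dataclasses import dataclass
from typing import Set


@dataclass
class Zombie:
    """Constructed zombie host with a global, incremental IP ID counter."""
    ipid: int = 1000
    background_packets: int = 0   # packets the zombie sends on its own between probes

    def send(self) -> int:
        """Emit one packet and return its IP ID (16-bit counter, wraps around)."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def background_traffic(self) -> None:
        """A zombie that is not really idle consumes IP IDs we cannot account for."""
        for _ in range(self.background_packets):
            self.send()


@dataclass
class Target:
    """Constructed target; only the set of open TCP ports matters here."""
    open_ports: Set[int]

    def receive_spoofed_syn(self, zombie: Zombie, port: int) -> None:
        """A SYN arrives with the zombie's address as source.

        Open port: target answers SYN/ACK to the zombie, which replies RST
        (one more packet from the zombie, so its IP ID advances by one).
        Closed or filtered port: target sends RST or nothing; the zombie
        ignores an unexpected RST and sends no packet at all.
        """
        if port in self.open_ports:
            zombie.send()


def probe_zombie(zombie: Zombie) -> int:
    """Attacker sends SYN/ACK to the zombie; zombie answers RST; read its IP ID."""
    return zombie.send()


def idle_probe(zombie: Zombie, target: Target, port: int) -> str:
    """One idle-scan probe of `port` on `target` via `zombie`.

    Returns 'open', 'closed|filtered' (the two cannot be told apart, as the
    text notes) or 'unknown' when the zombie was busy and the counter moved
    by an unexpected amount; Nmap retries in that situation.
    """
    before = probe_zombie(zombie)           # step 1: IPID 123 in the text
    zombie.background_traffic()             # traffic we do not control
    target.receive_spoofed_syn(zombie, port)  # step 2 and 3
    after = probe_zombie(zombie)            # step 4
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"


if __name__ == "__main__":
    z = Zombie()
    t = Target(open_ports={22, 80})
    for p in (22, 23, 80):
        print(p, idle_probe(z, t, p))
    busy = Zombie(background_packets=3)
    print("busy zombie, port 22:", idle_probe(busy, t, 22))
```

The busy-zombie case is exactly why the text recommends a quiet host and why a real idle scan is slower than a SYN scan: every probe whose delta is not 1 or 2 has to be repeated.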

Fig. 15. Scanning using the idlescan method

As the figure shows, the PC with IP address 10.0.0.79 served as the "zombie", while the scanned computer had IP address 10.0.0.62. Comparing the results, it is clear that the idlescan method does not always determine the port state precisely: it cannot distinguish a closed port from one blocked by a firewall. In addition, the SYN scan is much faster, since with idlescan Nmap sometimes has to send the same probe several times: the zombie computer may itself be busy exchanging packets, which advances the IPID counter that Nmap is relying on. This method is the best choice when the scan must be hidden, but it does not give a complete picture of the open ports on the computer under study. It is recommended to run it with the -Pn switch (-P0 in older versions), so that Nmap does not ping the target from its own address before scanning and thereby reveal itself. If the zombie computer behaves erratically and prevents Nmap from producing a final result, but you still need information about open ports, run Nmap with -v -v (verbose mode): it then prints all diagnostic and received information on screen as the scan proceeds.

Scanning for open protocols

In some cases it is necessary to find out which IP protocols a remote host supports. Each transport-layer protocol carried over IP has its own protocol number, and each IP packet has a protocol field that identifies the type of header that follows, so it is possible to determine which protocols are enabled on the computer under investigation. To check whether a protocol is available, Nmap sends IP packets whose protocol field is set to the protocol number in question; the packets carry no payload (only TCP, UDP, ICMP and IGMP probes get a proper protocol header). If the protocol is not supported, the host returns an ICMP "protocol unreachable" message. If the host sends nothing back, this means either that the protocol is available or that a firewall is blocking the ICMP error. The situation is very similar to UDP scanning, where it is likewise impossible to say for sure whether a port is open or filtered by a firewall. To enable protocol scanning, use the -sO switch. Fig. 16 shows an example of this method.

Fig. 16. Scanning available protocols

Nmap reports a protocol as open when it receives any response in that protocol, and as closed when it receives an ICMP protocol unreachable message, since these states can be determined accurately. Other ICMP unreachable errors mark the protocol as filtered, and protocols from which nothing at all comes back are marked open|filtered.

Stealth scanning via ftp bounce method

Nmap supports the ftp bounce scanning method, which relies on the ability of an FTP server to send files to a third party (the PORT command of the FTP protocol). Because this feature has so often been abused for scanning and attacks, many FTP servers no longer support it or block it. The ftp bounce method scans the ports of a remote computer on behalf of an FTP server: the scanning computer asks the FTP server to open a TCP data connection to a specific port on the computer under test, as if for a file transfer, and then tries to transfer data. By analyzing the error replies from the FTP server, Nmap determines whether the port is open or closed. The scan is hidden because, from the point of view of the computer under investigation, the connection is initiated by the FTP server and not by the scanning computer. The method is particularly convenient because firewalls usually pass the traffic of a well-known FTP server, which as a rule has more access to both external and internal network resources than an outside host; it therefore becomes possible to bypass port filters and firewalls that block other scanning methods. To scan a computer this way, you need to find a suitable FTP server that supports the feature and a login and password for it. The scan is started with the -b username:password@server:port switch, where username and password are the credentials for the FTP server and server is its name or IP address. If :port is omitted, Nmap connects to the FTP server on the standard port 21. Fig. 17 shows an example of this method.

Fig. 17. Scanning with the ftp bounce method

As the figure shows, scanning by this method produced results. It is not always possible, however, because very often the FTP server refuses to open a data connection to a remote computer on a privileged port (below 1024). In such cases Nmap prints the line "your ftp bounce server doesn't allow privileged ports" or "recv problem from ftp bounce server". As with idlescan, to stay hidden it is recommended to add the -Pn switch (-P0 in older versions), so that Nmap does not send ICMP echo requests to the computer being scanned from its own address. Note also that Nmap often appears to hang when using ftp bounce against certain hosts; to still obtain the necessary information, run Nmap with -v -v, so that it prints the information it receives as the scan proceeds.
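The FTP exchange behind this method, as an added example that is not part of the original article or of Nmap's own implementation: Python code that builds the PORT argument in the form the FTP protocol requires (four address octets and the port split into two bytes) and classifies the server's replies to PORT and the subsequent LIST the way a bounce scanner has to. The reply strings used at the bottom are constructed samples, and the decision table (425 for a failed data connection, 1xx/226 for success, 5xx for a refused PORT) is the one a practitioner would apply from RFC 959, not a quotation of Nmap's source.

```python
"""FTP bounce scan building blocks (added example, not Nmap's own code).

The scanner logs in to an FTP server, asks it with PORT to open its data
connection to <target>:<port>, then issues LIST.  The server's replies tell
us whether the third party accepted the connection.
"""
from typing import Optional


def port_argument(ip: str, port: int) -> str:
    """Encode host and port as the PORT command argument h1,h2,h3,h4,p1,p2 (RFC 959)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def classify_bounce(port_reply: str, list_reply: Optional[str]) -> str:
    """Interpret the server's reply to PORT and to the following LIST.

    Returns one of:
      'bounce-refused'  server will not PORT to a third party (or to a
                        privileged port): the text's "doesn't allow
                        privileged ports" situation
      'open'            server opened the data connection to target:port
      'closed'          server could not connect (425 Can't build data connection)
      'no-reply'        server went silent, the "hang" the text mentions
      'error'           anything else; treat as inconclusive
    """
    code = port_reply[:3]
    if code.startswith("5"):          # 500/501/502/504 etc.
        return "bounce-refused"
    if code != "200":
        return "error"
    if list_reply is None:
        return "no-reply"
    lcode = list_reply[:3]
    if lcode in ("125", "150", "226"):   # data connection established
        return "open"
    if lcode == "425":                   # cannot build data connection
        return "closed"
    return "error"


# Constructed sample exchanges for three probes via a bounce server.
SAMPLE_EXCHANGES = {
    22:   ("200 PORT command successful.",
           "150 Opening ASCII mode data connection for file list."),
    23:   ("200 PORT command successful.",
           "425 Can't build data connection: Connection refused."),
    1023: ("500 Illegal PORT command.", None),
}


def scan_samples(target_ip: str) -> dict:
    """Run the classifier over the constructed exchanges; returns {port: state}."""
    results = {}
    for port, (port_reply, list_reply) in SAMPLE_EXCHANGES.items():
        _ = port_argument(target_ip, port)       # what the scanner would send
        results[port] = classify_bounce(port_reply, list_reply)
    return results


if __name__ == "__main__":
    for port, state in scan_samples("10.0.0.62").items():
        print(f"PORT {port_argument('10.0.0.62', port)} -> {state}")
```

The 'bounce-refused' result on port 1023 is the privileged-port case from the text: a server that refuses such PORT commands cannot be used to scan ports below 1024, and the scanner should skip them rather than report them closed.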

Scanned Ports Settings

The Nmap scanner has many advanced settings. Table 3 covers the settings that control which ports are scanned.

Table 3. Scan port settings

By default, the Nmap version described here scans the privileged ports (1 to 1024) together with the ports listed in the nmap-services file; current releases instead scan the 1000 most common ports from that file. The file is constantly updated by the developers and lists the ports used by common applications and services, giving for each the service name, its protocol and a description. Since Nmap can scan not only TCP but also UDP ports, the -p switch lets you specify the protocol explicitly together with the port. Scanning UDP port 25 and TCP port 80 looks like this: nmap -p U:25,T:80 target.

Determining versions of running services

As noted at the beginning of the article, Nmap can determine with a high degree of probability the operating system running on a remote computer. It can also identify the versions of services running on a remote PC, provided that the corresponding ports are open. Knowing the OS and service versions gives a clearer picture of how vulnerable the computer under investigation is and which known holes in those services may still be open to attack. To identify the version of a service or operating system, Nmap uses its signature database, which contains patterns specific to particular software versions. Version detection is enabled with the -sV switch and can be combined with any port scanning method: Nmap connects to each open port, sends probes and matches the replies against the database. Detection does not always succeed, but in most cases the information obtained gives a good idea of the system used on the remote computer. If Nmap receives a reply that it cannot match to any entry in its database, it prints the raw fingerprint on screen. If you know which OS or service version is actually running, you can copy that fingerprint and submit it to the developers, and the signature will be included in the next release of the program. Table 4 lists the switches for determining the versions of services running on the remote host.

Table 4. Scan settings for determining service versions

The --allports switch in Table 4 is normally not used, because with it Nmap sends version probes to TCP port 9100 as well. Many printers listen on that port and print whatever they receive, so to avoid mountains of wasted paper, Nmap skips TCP port 9100 during version detection by default.

Determining the OS version on a remote computer

One of the most interesting options is determining the operating system of the remote computer. It works similarly to service version detection: Nmap performs a series of tests, sending packets of different protocols with different flags and options to the computer under test, and compares the responses with the reference fingerprints in the nmap-os-fingerprints file (called nmap-os-db in current releases). Depending on the quantity and quality of the information obtained, Nmap reports the OS vendor, an approximate version and the device type, since the target is not always a computer: it may be a router, a managed switch, etc. To activate OS detection, specify the -O switch; the -A switch enables OS detection together with service version detection, script scanning and traceroute. Fig. 18 shows an example of OS detection.

Fig. 18. Determining the operating system

Time delay settings

Scan speed is determined by the timing parameters for waiting on responses and for sending packets. By default, Nmap uses timing settings that balance speed against realistic scan results. Security professionals may, however, need special timing settings for certain scanning methods, so the developers made it possible to set some of these constants manually, as well as to choose a scan "schedule" (timing template). Options that take a time value interpret it as milliseconds by default, but the value may be suffixed with s, m or h for seconds, minutes or hours, which shortens and simplifies the notation: 600000, 600s and 10m all denote the same time. The timing and performance switches are listed in Table 5.

Table 5. Timing and performance settings

Scan Schedule

As mentioned above, Nmap lets you choose a timing template to make the scan harder to notice for firewalls and intrusion detection systems. There are six templates: Paranoid, Sneaky, Polite, Normal, Aggressive and Insane (selected with -T0 through -T5, or by name), with Normal (-T3) being the default. The delays and other related parameters of each template are given in Table 6.

Table 6. Characteristics of different scan schedules

Additional command line options

Almost all of the most important command line parameters have been described above. Some other commonly used options are:

  • -S addr - spoof the source IP address of the packets sent to the target. Responses are returned to the specified address, so the scanning host itself will not see them;
  • -e iface - use only a specific network interface, for example nmap -e eth0;
  • -v, -d - display the current state of the scan as it runs. The -d option turns on debug mode, which shows all available information about the current state of the work, as well as errors and their codes;
  • -g port (alias --source-port) - select the source port from which packets are sent during the scan;
  • --data-length num - append num random bytes of payload to each packet. By default Nmap sends 40-byte TCP and 28-byte ICMP packets with no payload;
  • --ttl value - set the time-to-live field of the IP packets;
  • --spoof-mac addr - use a different MAC (physical) address in the sent frames. Example values: --spoof-mac Dlink (a random address with that vendor prefix), --spoof-mac 0 (a completely random address), --spoof-mac 01:02:03:04:05:06;
  • --badsum - send TCP and ICMP packets with an invalid checksum. Real hosts discard such packets, so any response indicates a firewall or intrusion detection system that does not verify checksums;
  • -6 - scan IPv6 networks. Targets must then be given as IPv6 addresses or hostnames;
  • --log-errors - write all errors to the normal-format log file;
  • -oN, -oM, -oS, -oA, -oG - log the scan. The formats differ in how the information is stored. -oN writes the same output that appears on screen, -oG writes a grepable format (formerly -oM), and -oA writes all formats at once to files with the given base name and the extensions .nmap, .gnmap and .xml.

Conclusion

Of course, not all of the scanner's options have been covered in sufficient detail. Most users limit themselves to the standard scanning methods. Nmap is useful not only to ordinary network users but also to system administrators and developers of security systems, and many of its tools will help them in their work. Nmap is constantly being updated and improved, and since, like many other programs for Linux systems, it is free software, anyone can contribute to its development.

In conclusion, it is worth noting that network scanners and similar programs are created primarily to prevent break-ins and active attacks. By scanning your own computer you may well discover not only numerous open ports but even a Trojan that the antivirus missed. The ability to work with such software will therefore always help in the difficult task of defending against intrusion. The scanner considered here gives the user the widest possible range of scan types and additional monitoring features. By selecting and combining different scanning methods, you can obtain information about a computer or network device running any operating system.

Today almost any user can say what an IP network scanner is: a program that identifies a specific computer terminal on a local network or on an Internet connection. How such a program works is less widely understood. What is a network scanner? Conventionally, all commands and programs of this type can be divided into several classes according to the parameters they determine. A software network scanner should be able to work in several modes: determining the external and internal IP addresses of connected devices, recognizing wireless networks, running diagnostics, and accessing resources over the HTTP and FTP protocols.

Windows operating system tools for scanning

Windows operating systems include built-in tools for working with IP addresses. Addresses are usually assigned automatically by the provider's DHCP server; in the network settings it is enough to select "Obtain an IP address automatically", and the gateway and subnet mask are set in the same way. The primary and alternate DNS servers are not always filled in automatically and in some cases must be entered manually, for example when using Google's public DNS. Any internal address can be checked with the simple ping command, entered in the command prompt with the address of the local computer or of a terminal connected to the corporate network. The ipconfig command shows the addresses of the network adapters of the current machine. Many users underestimate the command line, but adding /renew or /release6 to ipconfig renews the DHCP lease or releases the IPv6 configuration, and ipconfig /all shows the full configuration, including the DHCP server.

External request based on ping command

External requests with the ping command are mostly made by the network administrator or by the provider. The limitation of this method is that it only reaches the external IP address of the device connected to the Internet; the internal address behind it may be hidden or assigned automatically. When checking a wireless LAN, you are in fact only pinging the ADSL modem or router, whose address has nothing to do with the address of the local computer terminal.

WiFi Network Scanner

Let us move on to software products. It hardly needs saying that in Google Play you can download a free utility that recognizes the wireless networks near the user. Searching the Internet, you can find not just a network scanner but whole packages that also try to crack passwords and even act as an anonymizer, which is somewhat like using proxies and access protocols. The point of such tools is to find an unused address or to connect through it. Any IP address scanner thus determines addresses based on those allocated by the provider; when a proxy server is used, the service on the other end can only guess at the real address.

The simplest programs

Of all the variety available on the Internet today, the most popular software products are:

— Free WiFi Detector, a scanner of public wireless networks;

— Net Scan, a scanner of local ports and IP addresses;

— InSSIDer, a tool for wireless networks;

— Angry IP Scanner, a tool for finding free addresses not used by local connections.

All network scanners of the types listed above work on the same principle: determining the IP address of the connected device, whether it is a mobile device, a laptop or a desktop computer. Applications in the "Windows 7 network scanner" category typically rely on a hidden ping (ICMP echo) request that the user may not even notice. The request is not performed by Windows itself but by the application's own code, taking into account the protocol in use and the DHCP server. When the connection goes through a proxy server, failures may occur; to fix them, open the network or network adapter settings and disable the use of the proxy for local addresses, at least in the IPv4 settings. Mobile applications of this kind are also quite popular. A simple example: a user arrives at a cafe and urgently needs to send an e-mail or a message but does not know the password of the wireless network. With the appropriate application installed on a tablet or smartphone, the network scanner runs automatically and detects the nearest wireless network. Depending on the product, it may even offer to join the network without a password, but connecting to a network without authorization is illegal. It hardly needs repeating that there are a great many hackers today, and applications of this type are sometimes among their tools; at the same time, few people realize that an IP network scanner by itself only determines the source through which the Internet connection and network access are made.

Conclusion

Worst of all, no program of this type, when scanning external and internal addresses, can bypass the hosts file, which maps names to addresses and may contain entries that block certain resources. In Windows the hosts file takes precedence over DNS resolution. So before installing a network scanner, consider whether the software product is really needed. Unfortunately, scanner applications that are not controlled by the Windows operating system can cause conflicts at the system level, for example blocking dynamic libraries that Windows and device drivers need in order to work correctly. Pay attention also to the legality of connecting to other people's wireless networks, not to mention installing software from unofficial sources.

TCP Scan.

The TCP connect method scans the whole port range (1-65535) of the computer with the given IP address; the -sV option asks Nmap to identify the versions of the running services. Note that without -sT Nmap performs a connect scan only when run as an unprivileged user; as root it defaults to a SYN scan:

$ nmap -sV xxx.xxx.xxx.xxx -p 1-65535

It is also worth looking at the SERVICE and STATE fields.

Without -sV, the SERVICE field simply shows the name that the nmap-services file (similar to /etc/services) associates with the port number. It does not mean that this service is actually running on that port: you could run a web server on port 22 and SSH on port 80, and nmap would still label port 22 as ssh and port 80 as http. With -sV the column reflects what Nmap actually detected by probing the port.

In the STATE field, in one case the ssh port is open, in the other filtered. Filtered means that something (a firewall, router rules or host-based filtering) rejects or drops the probe, so Nmap cannot tell whether a service is listening on that port or not.

-T Paranoid|Sneaky|Polite|Normal|Aggressive|Insane - timing modes. With Paranoid the scan takes a very long time, but you are more likely to remain unnoticed by scan detectors; conversely, Insane is used when scanning fast or weakly protected networks.

-oN/-oM logfile - write the results to logfile in normal (-oN) or machine-readable (-oM, now -oG) form.

--resume logfile - resume a scan that was interrupted for some reason, provided its results were being written to logfile with -oN or -oM. To continue, start Nmap with only this option and the file in which the previous scan was recorded.

Are you worried about the security of your own or another network? Protecting your router from unwanted connections is essential to the security of your network. One simple tool for this is Nmap, or Network Mapper: a scanning program that checks which ports are open and which are closed, along with other details. Security professionals use it to test network security. To learn how to use the program, start with Step 1.

Steps

Using Zenmap

  1. Download the Nmap installer. You can find it on the developers' website, free of charge. Downloading from the official site avoids the risk of getting a virus or a tampered file. The Nmap installer also includes Zenmap, a graphical interface for Nmap that lets beginners run scans without knowing the commands.

    • Zenmap is available for Windows, Linux and Mac OS X. Installers can be found on the official Nmap website.
  2. Run the "Nmap - Zenmap GUI" program. If you left all installation options untouched, the program icon should appear on your desktop; otherwise look in the Start menu and run Zenmap.

  3. Enter the target of your scan. Zenmap makes network scanning very simple. First, specify the target: a domain (example.com), an IP address (127.0.0.1), a network (192.168.1.0/24) or a combination of these.

    • Depending on the intensity and target of your scan, using Nmap may violate your ISP's acceptable use policy. Always check the applicable rules before scanning anything outside your own network.
  4. Choose a profile. Profiles are preset groups of options that change the nature of the scan, letting you select different scan types quickly without typing options on the command line. Choose the profile that suits your needs:

    • Intense scan - an extensive scan. Includes OS detection, version detection, script scanning and traceroute, with aggressive timing.
    • Ping scan - only determines whether the target is online; does not scan ports.
    • Quick scan - faster than a regular scan thanks to aggressive timing and a reduced set of ports.
    • Regular scan - a standard Nmap scan without extra options. The result includes the ping status and the open ports.
  5. Click Scan to start. Live scan output appears in the Nmap Output tab. The scan time depends on the selected profile, the network distance to the target and the network configuration.

  6. Review your results. When the scan finishes, the message "Nmap done" appears at the bottom of the Nmap Output tab. You can now examine the results depending on the scan type you chose. Everything is collected in the Nmap Output tab, but the other tabs let you explore the results in more detail.

    • Ports/Hosts - shows the port scan results, including the services found on those ports.
    • Topology - shows the traceroute for the completed scan, i.e. how many hops your packets take to reach the target.
    • Host Details - shows full information about the target: number of ports, IP addresses, hostnames, operating system and more.
    • Scans - records the history of your previous scans, so you can quickly rerun a past scan with the same set of parameters.

Using command line

  1. Install Nmap. Nmap is a small, free program; download it from the developers' website and follow the installation instructions for your operating system.

  2. Open the command prompt. Nmap commands are run from the command line and print their results directly below the command. Options change the nature of the scan, and scans can be started from any directory.

  3. Scan the ports you need. To start a simple scan, type nmap target. This pings the chosen target and scans its ports. Such a scan is very easy to detect. The results appear on screen; you may need to scroll up to see all of them.

    • Depending on the intensity and target of your scan, using Nmap may violate your ISP's acceptable use policy. Always check the applicable rules before scanning anything outside your own network.
  4. Run a modified scan. Command-line options change the scan settings, making the scan more or less extensive. Several options can be combined, separated by spaces, and they are placed before the target: nmap options target

    • -sS - a stealth SYN scan. It is harder to detect than a connect scan but may take longer to complete. Most modern firewalls can nevertheless detect a -sS scan.
    • -sn - a ping scan. Does not scan ports; only checks whether the target is online.
    • -O - detects the operating system of the target.
    • -A - enables more extensive detection: operating system, service versions, script scanning and traceroute.
    • -F - fast scan; reduces the number of scanned ports.
    • -v - verbose output; shows more about the scan as it runs, making the results easier to follow.
  5. Save the scan results to an XML file. Nmap can write its results as XML, which can later be opened in any web browser or processed by other tools. Use the -oX option followed by the output file name; the complete command looks like nmap -oX ScanResults.xml target.

    • The XML file is saved in the current directory of your command prompt.
  • Wondering how the scan is going? Press the spacebar (or any key) while the scan is running to see Nmap's progress.
  • Target not responding? Try adding -Pn (spelled -P0 in older versions). Nmap will then scan even if it "thinks" the target is down, which is useful when the computer is behind a firewall that blocks ping.
  • If the scan takes too long (more than 20 minutes), try adding -F so that Nmap scans only the most commonly used ports.
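Processing the -oX output from the previous step, and checking the point made earlier about the SERVICE and STATE columns, as an added example that is not part of the original article or of Nmap's own tooling: Python code that parses Nmap's XML report with the standard library, lists the open ports, and flags services whose name came only from the nmap-services table (method="table") rather than from a -sV probe (method="probed"), which is exactly the "ssh on port 22" assumption the text warns about. The XML document below is a constructed sample in the shape Nmap writes, not a real scan result; the addresses are documentation addresses.

```python
"""Parse an Nmap -oX report and separate verified from guessed services.

Added example; the XML below is constructed in the format Nmap writes,
not the output of a real scan.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX ScanResults.xml 192.0.2.10" start="0" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response" reason_ttl="0"/>
<service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
</nmaprun>"""


def parse_nmap_xml(text: str) -> List[Dict]:
    """Return one record per scanned port: host, proto, port, state, reason,
    service name, how the name was obtained and any product/version string."""
    root = ET.fromstring(text)
    rows: List[Dict] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else "",
                "service": svc.get("name") if svc is not None else "",
                # "table" = name looked up in nmap-services; "probed" = confirmed by -sV
                "method": svc.get("method", "table") if svc is not None else "none",
                "product": " ".join(
                    p for p in (svc.get("product"), svc.get("version")) if p
                ) if svc is not None else "",
            })
    return rows


def open_ports(rows: List[Dict]) -> List[Dict]:
    """Ports Nmap positively saw a SYN/ACK (or equivalent) from."""
    return [r for r in rows if r["state"] == "open"]


def unverified_services(rows: List[Dict]) -> List[Dict]:
    """Ports whose SERVICE column is only a table guess, not a probe result."""
    return [r for r in rows if r["method"] != "probed"]


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in rows:
        tag = "" if r["method"] == "probed" else "  (guessed from port number)"
        print(f"{r['host']} {r['proto']}/{r['port']:<5} {r['state']:<9} "
              f"{r['service']:<11} {r['product']}{tag}")
```

In the sample, port 8080 is open but its "http-proxy" label is a table guess, and port 80 is filtered, so nothing is known about what listens there; only port 22 has a probed, trustworthy service identification. Re-running with -sV on the open ports is the way to turn the guesses into facts.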