NMAP - A Stealth Port Scanner--reference
The idle scan can also be used to determine IP-trust-based relationships between hosts (e.g. a firewall may allow a certain host to connect to port x, but not other hosts). This scan type can help to determine which hosts have access to such a system. For more information about this scan type, read http://www.insecure.org/nmap/idlescan.html

Version Detection collects information about the specific service running on an open port, including the product name and version number. This information can be critical in determining an entry point for an attack. The -sV option enables version detection, and the -A option enables both OS fingerprinting and version detection, as well as any other advanced features which may be added in future releases. Version detection is based on a complex series of probes, detailed in the Version Detection paper at http://www.insecure.org/nmap/vscan/

Usually used to map firewall rulesets and distinguish between stateful and stateless firewalls, the ACK scan sends ACK packets to a host. If an RST comes back, the port is classified "unfiltered" (that is, it was allowed to send its RST through whatever firewall was in place). If nothing comes back, the port is said to be "filtered". That is, the firewall prevented the RST coming back from the port. This scan type can help determine if a firewall is stateless (just blocks incoming SYN packets) or stateful (tracks connections and also blocks unsolicited ACK packets). Note that an ACK scan will never show ports in the "open" state, and so it should be used in conjunction with another scan type to gain more information about firewalls or packet filters between yourself and the victim.

The TCP Window scan is similar to the ACK scan but can sometimes detect open ports as well as filtered/unfiltered ports. This is due to anomalies in TCP Window size reporting by some operating systems (see the Nmap manual for a list, or the nmap-hackers mailing list for the full list of susceptible OSes).
RPC scans can be used in conjunction with other scan types to try to determine if an open TCP or UDP port is an RPC service, and if so, which program and version numbers are running on it. Decoys are not supported with RPC scans (see the section on Timing and Hiding Scans, below).

List scanning simply prints a list of IPs and names (DNS resolution will be used unless the -n option is passed to Nmap) without actually pinging or scanning the hosts.

Nmap adjusts its timings automatically depending on network speed and the response times of the victim. However, you may want more control over the timing in order to create a stealthier scan, or to get the scan over and done with quicker. The main timing option is set through the -T parameter. There are six predefined timing policies which can be specified by name or number (starting with 0, corresponding to Paranoid timing). The timings are Paranoid, Sneaky, Polite, Normal, Aggressive and Insane. A -T Paranoid (or -T0) scan will wait (generally) at least 5 minutes between each packet sent. This makes it almost impossible for a firewall to detect a port scan in progress (since the scan takes so long it would most likely be attributed to random network traffic). Such a scan will still show up in logs, but it will be so spread out that most analysis tools or humans will miss it completely. A -T Insane (or -T5) scan will map a host in very little time, provided you are on a very fast network or don't mind losing some information along the way. Timings for individual aspects of a scan can also be set using the --host_timeout, --max_rtt_timeout, --min_rtt_timeout, --initial_rtt_timeout, --max_parallelism, --min_parallelism, and --scan_delay options. See the Nmap manual for details.

The -D option allows you to specify decoys. This option makes it look like those decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. This not only makes the scan look more scary, but reduces the chance of you being traced from your scan (it is difficult to tell which system is the "real" source).
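As an added defender-side example (not part of the original article), the following Python detector shows why the spread-out -T0 timing and the bare-ACK probes described above slip past per-second rate thresholds but not past aggregation of distinct ports per source over an hours-long window. The log format, addresses and timestamps are all constructed for the example; the flag-based handshake check assumes the firewall logs TCP flags.

```python
from collections import defaultdict

# Constructed sample firewall log (not from the article), one packet per line:
# "<epoch seconds> <src ip> <dst ip> <dst port> <tcp flags>". 198.51.100.7 sends
# bare ACKs to six ports five minutes apart (a -T0 ACK scan); 203.0.113.5 handshakes.
SAMPLE_LOG = """\
1700000000 198.51.100.7 192.0.2.10 22 ACK
1700000300 198.51.100.7 192.0.2.10 25 ACK
1700000600 198.51.100.7 192.0.2.10 80 ACK
1700000900 198.51.100.7 192.0.2.10 110 ACK
1700001200 198.51.100.7 192.0.2.10 143 ACK
1700001500 198.51.100.7 192.0.2.10 443 ACK
1700000100 203.0.113.5 192.0.2.10 443 SYN
1700000100 203.0.113.5 192.0.2.10 443 ACK
"""

WINDOW_SECONDS = 6 * 3600  # hours, not seconds: -T0 sends roughly one packet per 5 min
PORT_THRESHOLD = 5         # distinct destination ports from one source inside the window

def parse_log(text):
    """Parse log lines into (ts, src, dst, dport, flags) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, flags = parts
        events.append((int(ts), src, dst, int(dport), frozenset(flags.split(","))))
    events.sort(key=lambda e: e[0])  # stable: same-timestamp lines keep log order
    return events

def detect_slow_scans(text, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Sources touching >= threshold distinct ports within `window` seconds, however slowly."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev[1]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        handshaked, unsolicited = set(), 0
        for _, _, dst, dport, flags in evs:
            if "SYN" in flags:
                handshaked.add((dst, dport))
            elif flags == {"ACK"} and (dst, dport) not in handshaked:
                unsolicited += 1  # bare ACK with no SYN first: an ACK-scan probe
        for i, ev in enumerate(evs):  # slide a long window over this source's events
            ports = {e[3] for e in evs[i:] if e[0] - ev[0] <= window}
            if len(ports) >= threshold:
                hits[src] = {"ports": ports, "unsolicited_ack": unsolicited}
                break
    return hits
```

With the default six-hour window the slow scanner is reported with all six ports and six unsolicited ACKs, while a ten-minute window (the kind of threshold a rate-based tool uses) reports nothing.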