Network scanner - connection, configuration, use. Host discovery

28.06.2023

One of the first tasks when exploring any network is to reduce the (sometimes quite large) set of IP ranges to a list of active or interesting hosts. Scanning every port of every IP address is slow and unnecessary. Of course, what makes a host interesting depends largely on the purpose of the scan. Network administrators may only be interested in hosts running a particular service, while security testers care about every device with an IP address. An administrator's goal of discovering running hosts on a network can be satisfied with a simple ICMP ping, but people testing a network's ability to resist external attacks need to use a variety of probe sets to get past the firewall.

Because the tasks that require host discovery are so varied, Nmap provides a wide variety of options for different methods. Host discovery is sometimes called a ping scan, but it goes far beyond the simple ICMP echo requests associated with the ubiquitous ping utilities. Users can skip the ping step entirely with a list scan (-sL) or by disabling it (-PN), or scan the network using arbitrary combinations of multi-port TCP SYN/ACK, UDP, and ICMP probes. The purpose of all these probes is to obtain responses indicating that an IP address is currently active (in use by a host or network device). On most networks, only a small percentage of IP addresses are active at any given time. This is especially true for address spaces like 10.0.0.0/8. Such networks have 16 million IP addresses, but I have seen them used by companies with no more than a thousand machines. Host discovery can find those machines in this vast sea of IP addresses.

If no host discovery options are specified, Nmap sends a TCP ACK packet to port 80 and an ICMP echo request to each target machine. The exception is ARP scan, which is used for all targets on a local Ethernet network. For unprivileged Unix shell users, a SYN packet is sent instead of an ACK using the connect system call. These defaults are equivalent to the -PA -PE options. Such a scan is sufficient for local networks, but for security auditing it is necessary to use more complex sets of probes.

The -P* options (which select the type of ping scan) can be combined. You can increase your chances of getting past a strict firewall by sending multiple probes of various types, using various TCP ports/flags and ICMP codes. Also keep in mind that even if you specify different -P* options, an ARP scan (-PR) will still be performed by default against targets on the local network, because it is almost always faster and more efficient.

By default, after detecting hosts, Nmap begins scanning the ports of each active machine. This will be the case even if you specify to use non-standard host discovery methods, such as using UDP requests (-PU). Read about the -sP option to learn how to perform host discovery only, or use the -PN option to skip host discovery and perform a port scan on all target machines. You can configure host discovery using the following options:

-sL (List Scan)

This scan type is a "lite" version of host discovery, which simply lists the hosts on a given network without sending any packets to the target machines. By default, Nmap still performs reverse DNS resolution to look up hostnames. It is often surprising how much useful information ordinary hostnames can contain. For example, fw.chi is the name of a Chicago company's firewall. At the end, Nmap also reports the total number of IP addresses. This type of scan is also a good way to verify that you actually know the IP addresses of the targets you need. If the hostnames contain domain names that you are not familiar with, it is worth doing further research to avoid scanning the wrong company's network.

Since the goal is simply to compile a list of target hosts, options with a higher level of functionality such as port scanning, OS detection or ping scanning cannot be combined with this option. If you want to disable ping scanning but still use such higher-level options, read about the -PN option.

-sP (Ping scan)

This option tells Nmap to perform a ping scan (host discovery) and then list the available hosts, i.e. those that responded to the probes. Traceroute and NSE host scripts are also run if requested, but further testing (such as port scanning or OS detection) is not performed. By default, this option is one step more thorough than a simple list scan, and can be used for the same purposes. It allows you to explore the target network without attracting much attention. Knowing which hosts on the network are currently running is more valuable to attackers than the bare list of IP addresses and network names provided by the -sL option.

This option is also useful for system administrators. It can be used to count the number of machines running on a network or monitor server availability. This is often called a "ping sweep" and the results provided by this option are more trustworthy than regular pinging of broadcast addresses because most hosts do not respond to such requests.

By default, the -sP option sends an ICMP echo request and a TCP ACK packet to port 80. When used by an unprivileged user, it sends only a SYN packet (using the connect system call) to port 80 of the target machine. When a root user scans local network targets, ARP requests are used unless --send-ip is specified. For greater flexibility, the -sP option can be combined with any of the -P* options (except -PN). If any of these probe types and port-number options are used, the default probes (ACK and echo request) are omitted. When there is a strict firewall between the Nmap machine and the target network, the use of such advanced scanning methods is recommended. Otherwise, some hosts may be missed because the firewall blocked the probe or the response.

-PN (Do not use ping scanning)

Tells Nmap to skip the host discovery step entirely. Normally, Nmap uses this step to discover active machines that will be subjected to a more in-depth scan. By default, Nmap performs in-depth scans such as port scanning, version detection, or OS detection only against hosts found to be up. After the host discovery stage is disabled with the -PN option, Nmap scans every specified target IP address. So, if a network with a class B (/16) address space is specified for scanning, all 65,536 IP addresses will be scanned. Because the host discovery step is skipped and no list of live targets is compiled, Nmap performs the requested functions as if every IP address were active. For machines on the local network, ARP scanning is still performed (unless you specify --send-ip), because Nmap needs MAC addresses to scan the target hosts further. This option was previously specified with the -P0 flag (with a zero), but has been renamed to avoid confusion with -PO IP protocol ping (with the letter O).

-PS <port list> (TCP SYN ping)

This option sends an empty TCP packet with the SYN flag set. The default port is 80 (it can be set at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternative ports are given as a parameter. The syntax is the same as for the -p option, except that T: type specifiers are not allowed. Examples: -PS22 and -PS22-25,80,113,1050,35000. Keep in mind that there must not be a space between -PS and the list of ports. If several probes are given, they are sent in parallel.
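The port-list syntax described above (comma-separated ports and ranges, no T: specifier, no space after the flag) is easy to get subtly wrong in a wrapper script. The following parser is an added example, not Nmap's own code; it implements the rules stated in the text for -PS, -PA and -PU, including the default probe ports 80 and 31338 named on this page, and rejects anything the ping options would not accept.

```python
"""Parser for the port list accepted by the -PS/-PA/-PU ping options.
Added example (not Nmap's own code): it follows the rules stated in the
text, i.e. the -p syntax without T:/U: protocol specifiers."""
import re
from typing import List, Tuple

MAX_PORT = 65535

# Default probe ports named in the text: 80 for TCP SYN/ACK ping, 31338 for UDP ping.
DEFAULT_PORTS = {"-PS": [80], "-PA": [80], "-PU": [31338]}


def parse_port_list(spec: str) -> List[int]:
    """Expand "22-25,80,113,1050,35000" into a sorted list of unique ports.

    Accepts comma-separated single ports and inclusive low-high ranges.
    Rejects protocol specifiers (T:, U:, ...), empty items, out-of-range
    values and inverted ranges, raising ValueError so a caller never sends
    probes to a port list it has misread.
    """
    if not spec or spec != spec.strip():
        raise ValueError("empty port list or stray whitespace: %r" % spec)
    if re.search(r"[A-Za-z]:", spec):
        raise ValueError("protocol specifiers such as T: are not allowed here")
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("bad port item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if lo > hi or hi > MAX_PORT:
            raise ValueError("bad port or range: %r" % item)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def ping_option_ports(token: str) -> Tuple[str, List[int]]:
    """Split one argv token such as "-PS22-25,80" into (flag, ports).

    The list must be glued to the flag: "-PS 22" would reach the program as
    two separate argv tokens, which is why the text warns against the space.
    A bare flag falls back to the default probe port for that option.
    """
    for flag, default in DEFAULT_PORTS.items():
        if token.startswith(flag):
            rest = token[len(flag):]
            return flag, (parse_port_list(rest) if rest else list(default))
    raise ValueError("not a port-based ping option: %r" % token)


if __name__ == "__main__":
    for tok in ("-PS", "-PS22", "-PS22-25,80,113,1050,35000", "-PU"):
        print(tok, "->", ping_option_ports(tok))
```

Ranges are expanded into a set before sorting, so overlapping items such as 22-25,23 collapse to one probe per port rather than duplicate probes.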

When the SYN flag is set, it indicates to the remote system that you are trying to establish a connection. If the destination port is closed, an RST (reset) packet is sent in response. If the port is open, the remote system takes the second step of the TCP three-way handshake by responding with a SYN/ACK packet. The system running Nmap then tears down the nearly established connection by responding with an RST packet instead of the ACK that would complete the connection. The RST packet is sent by the kernel of the system running Nmap in response to the unexpected SYN/ACK, not by Nmap itself.

Nmap doesn't care if the port is open or closed. Replies with RST or SYN/ACK packets as described above indicate to Nmap that the host is available and can respond to requests.

On Unix machines, only the root user can typically send and receive raw TCP packets. For an unprivileged user, a connect system call is issued for each target port. Therefore, when attempting to establish the connection, a SYN packet is sent to the target host. If the connect call returns quickly with success or with an ECONNREFUSED failure, the TCP stack has received a SYN/ACK or RST packet, and the host is marked as available. If the connection attempt times out, the host is marked as down. This mechanism is also used for IPv6 targets, because raw IPv6 packet construction is not yet implemented in Nmap.

-PA <port list> (TCP ACK ping)

This type of ping is very similar to the one described above. The difference is, as you might have guessed, that the TCP ACK flag is set instead of the SYN flag. Such an ACK packet is meant to acknowledge data within an established TCP connection, but no such connection exists, so remote hosts always respond with an RST packet, thereby revealing their existence.

The -PA option uses the same default port as SYN requests (80), and can also accept a list of ports in the same format as a parameter. If an unprivileged user attempts to use this option or the target is in IPv6 format, then the mechanism using the connect call described above is used. This mechanism is imperfect, because when using the connect call, a SYN is sent instead of an ACK packet.
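The two paragraphs above describe what happens when Nmap cannot use raw sockets (unprivileged user or IPv6): each probe becomes a connect() call, the kernel always sends a SYN, and the outcome is classified from the call's result. The code below is an added example, not Nmap's implementation, that performs that classification with Nmap-style reason names and demonstrates it on the loopback interface: the open port is a listening socket, the closed port is an ephemeral port that was bound and released.

```python
"""Connect()-based TCP ping, the fallback the text describes for unprivileged
users (and IPv6), where Nmap cannot send raw SYN/ACK packets. Added example,
not Nmap's implementation: it maps the connect() outcome to a host state the
same way the text explains it."""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple


def tcp_connect_ping(host: str, port: int, timeout: float = 2.0) -> Tuple[str, str]:
    """Return (state, reason) for one probe, using Nmap-style reason names.

    connect() always makes the kernel send a SYN, which is why -PA degrades
    to a SYN probe for unprivileged users. A completed handshake (SYN/ACK) or
    a refusal (RST -> ECONNREFUSED) both prove the host is up; silence until
    the timeout is treated as down.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # SYN sent; success means SYN/ACK came back
        return "up", "syn-ack"
    except ConnectionRefusedError:       # the peer's stack answered with RST
        return "up", "conn-refused"
    except socket.timeout:               # neither SYN/ACK nor RST before the deadline
        return "down", "no-response"
    except OSError as e:                 # e.g. EHOSTUNREACH / ENETUNREACH
        return "down", errno.errorcode.get(e.errno, "error").lower()
    finally:
        s.close()


def discover(targets: List[Tuple[str, int]], timeout: float = 2.0,
             workers: int = 32) -> Dict[Tuple[str, int], Tuple[str, str]]:
    """Probe many (host, port) pairs in parallel, as Nmap does with its probes."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: tcp_connect_ping(t[0], t[1], timeout), targets))
    return dict(zip(targets, results))


def demo() -> Dict[str, Tuple[str, str]]:
    """Self-contained demonstration on the loopback interface.

    An open port is simulated with a listening socket (no accept() needed:
    the kernel completes the handshake from the backlog). A closed port is
    obtained by binding an ephemeral port and releasing it again.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                          # nothing listens here any more

    try:
        res = discover([("127.0.0.1", open_port), ("127.0.0.1", closed_port)])
    finally:
        listener.close()
    return {"open": res[("127.0.0.1", open_port)],
            "closed": res[("127.0.0.1", closed_port)]}


if __name__ == "__main__":
    for label, (state, reason) in demo().items():
        print(label, state, reason)
```

Note that the connect() fallback cannot distinguish the two "up" cases from a raw-socket SYN ping any better than the kernel can, and it never produces an ACK probe, which is the imperfection the text mentions for -PA.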

The reason Nmap provides both types of ping (SYN and ACK) is to improve the chances of getting past firewalls. Many administrators configure routers or other simple firewalls to block incoming SYN packets except those destined for public services such as a website or mail server. This blocks all other incoming connections while still allowing users to reach the Internet unhindered. This approach requires few resources from firewalls/routers and is widely supported by hardware and software filters. The Linux Netfilter/iptables firewall supports this approach with the --syn option. When a firewall uses such rules, SYN probes (-PS) sent to closed ports are likely to be blocked. In such cases, it is more useful to send ACK probes, because they are not subject to these rules.

Another popular type of firewall is a firewall that blocks all unexpected packets. Initially, this feature was only supported in the most advanced firewalls, although it has become increasingly popular over the years. The Linux firewall Netfilter/iptables implements this mechanism using the --state option, which categorizes packets depending on the state of the connection. It is better to use SYN packets against such systems, because unexpected ACK packets are likely to be detected as bogus and blocked. The solution to this predicament is to send both SYN and ACK requests by specifying the -PS and -PA options.

-PU <port list> (UDP ping)

Another host discovery method is UDP ping, which sends an empty (unless the --data-length option is specified) UDP packet to the given ports. The list of ports is specified in the same format as for the -PS and -PA options described above. If no ports are specified, the default is 31338. The default port can be set at compile time by changing DEFAULT_UDP_PROBE_PORT_SPEC in nmap.h. An uncommon port is chosen by default, because sending probes to open ports is undesirable for this type of scan.

The purpose of the UDP probe is to receive an ICMP "port unreachable" error in response. This indicates to Nmap that the machine is up and reachable. Other ICMP errors, such as host/network unreachable or TTL exceeded, indicate that the machine is down or unreachable. Lack of any response is interpreted the same way. If such a probe is sent to an open port, most services simply ignore the empty packet and send no response. That is why the default port is 31338: it is unlikely to be used by any service. Only a few services, such as the Character Generator (chargen) protocol, respond to an empty UDP packet, and such a response also indicates to Nmap that the machine is available.
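The UDP probe logic above (ICMP port unreachable means up, a datagram back from something like chargen also means up, any other ICMP error or silence means down) can be reproduced without raw sockets: on Linux, a connected UDP socket has the kernel's ICMP error delivered to it as ECONNREFUSED. The following is an added example, not Nmap's code; the chargen-like responder is constructed for the demonstration, and on platforms that do not report ICMP errors to UDP sockets the closed-port case degrades to "no-response".

```python
"""UDP ping as the text describes for -PU: send an empty datagram to a port
that is probably closed and treat an ICMP port-unreachable reply as proof
that the host is up. Added example, not Nmap's code; it uses a connected UDP
socket so the kernel reports the ICMP error to us as ECONNREFUSED instead of
requiring raw sockets."""
import errno
import socket
import threading
from typing import Dict, Tuple

DEFAULT_UDP_PROBE_PORT = 31338   # Nmap's default, named in the text


def udp_ping(host: str, port: int = DEFAULT_UDP_PROBE_PORT, timeout: float = 2.0,
             payload: bytes = b"") -> Tuple[str, str]:
    """Return (state, reason) for one UDP probe.

    ICMP port unreachable  -> ("up", "port-unreach")   the usual closed-port answer
    any datagram back      -> ("up", "udp-response")   a service such as chargen answered
    other ICMP errors      -> ("down", <errno name>)   host/net unreachable etc.
    nothing within timeout -> ("down", "no-response")  filtered, silent open port, or host down
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)                  # empty datagram unless a payload is given
        s.recv(1024)
        return "up", "udp-response"
    except ConnectionRefusedError:       # ICMP type 3 code 3 reported by the kernel
        return "up", "port-unreach"
    except socket.timeout:
        return "down", "no-response"
    except OSError as e:
        return "down", errno.errorcode.get(e.errno, "error").lower()
    finally:
        s.close()


def _chargen_like_responder() -> Tuple[socket.socket, int]:
    """Start a background UDP service that answers any datagram, even an empty
    one, the way chargen does. Constructed for the demo only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)

    def serve():
        try:
            _, peer = srv.recvfrom(1024)
            srv.sendto(b"!\"#$%&'()*+,-./0123456789", peer)
        except OSError:
            pass                         # socket closed or timed out; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> Dict[str, Tuple[str, str]]:
    """Probe a responding port and a closed port on loopback."""
    srv, open_port = _chargen_like_responder()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                          # port is now closed: expect ICMP port unreachable
    try:
        return {"responding": udp_ping("127.0.0.1", open_port, timeout=3.0),
                "closed": udp_ping("127.0.0.1", closed_port, timeout=1.0)}
    finally:
        srv.close()


if __name__ == "__main__":
    for label, (state, reason) in demo().items():
        print(label, state, reason)
```

The silent-open-port case in the docstring is the reason the default probe port is an uncommon one: an open port that ignores the empty datagram is indistinguishable from a filtered port or a dead host.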

The main advantage of this type of scan is that it gets past firewalls that filter only TCP. For example, I once had a Linksys BEFW11S4 wireless broadband router. The device's external interface filtered all TCP ports by default, while responding to UDP probes with "port unreachable" errors, making its filtering useless.

-PE; -PP; -PM (ICMP ping types)

In addition to the non-standard host discovery methods using TCP and UDP probes, Nmap can also send the standard packets used by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP address, expecting a type 0 (echo reply) packet from an available host in return. Unfortunately for network researchers, many hosts and firewalls now block such packets instead of responding to them as RFC 1122 requires. For this reason, scanners that rely only on ICMP requests are rarely useful against unknown targets on the Internet. But they can be useful to system administrators monitoring an internal network. Use the -PE option to enable this type of probe.

But Nmap uses more than just the standard echo request. The ICMP standard (RFC 792) also defines timestamp requests, information requests, and address mask requests with codes 13, 15, and 17, respectively. Although they serve to find out information such as an address mask or the current time, they can easily be applied to target discovery: a system that answers them is up and available. Currently Nmap does not use information requests because they are not widely used; RFC 1122 specifies that "a host SHOULD NOT send such messages". Timestamp or address mask requests can be sent by specifying the -PP and -PM options, respectively. A response to a timestamp request (ICMP code 14) or an address mask request (code 18) indicates that the host is reachable. These probes can be useful when administrators block echo request packets but are unaware that other types of ICMP requests can be used for the same purpose.

-PO <protocol list> (IP protocol ping)

The newest host discovery option is IP protocol ping, which sends IP packets with the specified protocol number in the packet header. The protocol list is specified in the same format as the port list in the TCP and UDP host discovery options described above. If no protocol is specified, the default is to send ICMP (protocol 1), IGMP (protocol 2) and IP-in-IP (protocol 4) packets. The default protocols can be set at compile time by changing DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h. Keep in mind that for ICMP, IGMP, TCP (protocol 6) and UDP (protocol 17), packets are sent with the "correct" protocol headers, while for other protocols the packets carry no data after the IP header (unless the --data-length option is specified).

This method expects either a response in the protocol of the original probe, or an ICMP protocol unreachable message indicating that the protocol is not supported by the remote host. Either answer indicates that the target host is reachable.

-PR (ARP ping)

One of the most popular uses of Nmap is scanning local area networks (LANs). On most LANs, especially those using the private address ranges defined in RFC 1918, a large number of IP addresses are unused at any given time. When Nmap attempts to send a raw IP packet, such as an ICMP echo request, the operating system must determine the MAC address corresponding to the destination IP (via ARP) in order to address the frame correctly. This is often slow and problematic, because operating systems were not written with the expectation of sending millions of ARP requests to unreachable hosts in a short period of time.

ARP scan lets Nmap use its own optimized ARP handling instead of relying on the operating system's ARP requests. And if Nmap gets a reply, it does not even need to bother with the IP-based host discovery probes. This makes ARP scan faster and more reliable, which is why it is used by default for scanning local networks. Even if other probe types are specified (such as -PE or -PS), Nmap still uses ARP scan for machines on the local network. If you absolutely do not want to use this type of scan, specify the --send-ip option.

--traceroute (Trace the path to the host)

Traceroute is performed after the scan, using the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scan (-sT) and idle scan (-sI). All traceroutes use Nmap's dynamic timing model and are carried out in parallel.

Traceroute works by sending packets with a low TTL (time-to-live) in an attempt to elicit ICMP Time Exceeded messages from the intermediate hops between the scanner and the target host. Standard traceroute implementations start with a TTL of 1 and increase it until the target host is reached. In Nmap's implementation, the TTL is first set high and then decreased until it reaches 0. This allows Nmap to use "smart" caching algorithms to speed up tracing over many targets. On average, Nmap sends 5-10 packets per host, depending on network conditions. When scanning a single subnet (for example, 192.168.0.0/24), it may be necessary to send only one packet per host.

--reason (Show reasons for port and host states)

Shows the reason each port was placed in a particular state and why each host is considered up or down. This option displays the packet type from which the port or host state was determined, for example an RST packet from a closed port or an echo reply from a live host. The information Nmap can provide depends on the scan or ping type. SYN scan and SYN ping (-sS and -PS) give very detailed reasons, while a TCP connect scan (-sT) is limited to what the connect system call reports. This feature is automatically enabled when the debug option (-d) is used, and the reasons are stored in XML output even if this option is not specified.

-n (Do not resolve DNS names)

Tells Nmap never to perform reverse DNS resolution for the active IP addresses it finds. DNS resolution can be slow even with Nmap's built-in parallel resolver, so this option can reduce scan time.

-R (Resolve DNS names for all targets)

Tells Nmap to always perform reverse DNS resolution for every target IP address. Normally, DNS resolution is applied only to hosts that are up.

--system-dns (Use system DNS resolver)

By default, Nmap resolves IP addresses by sending queries directly to the name servers configured on your system and then parsing the responses. Many queries (often dozens) are executed in parallel to increase performance. Specify this option to use your system resolver instead (one IP address at a time via the getnameinfo system call). This is slower and rarely useful unless you find a bug in the Nmap parallel resolver (if you do, please notify us). The system resolver is always used for IPv6 scans.

--dns-servers <server1>[,<server2>[,...]] (Servers for reverse DNS resolution)

By default, Nmap determines the DNS servers (for rDNS resolution) from your resolv.conf file (Unix) or from the registry (Win32). You can use this option to specify alternative servers. This option is ignored if you use --system-dns or an IPv6 scan. Using multiple DNS servers often increases scan speed, especially if you choose authoritative servers for your target's IP space. This option can also improve stealth, because your queries can be bounced off just about any recursive DNS server on the Internet.

This option is also useful when scanning private networks. Sometimes only a few name servers provide correct rDNS information, and you may not even know where they are. You can scan the network for open port 53 (possibly using version detection), then try a list scan (-sL), specifying each of those name servers in turn with --dns-servers, until you find one that works.

Today, almost any user can answer the question of what an IP network scanner is. It is a special sniffer-type program that identifies a specific computer terminal on a local network or when an Internet connection is established. How such a system works, however, is far less widely understood.

What is a network scanner?

Conventionally, all commands or programs of this type can be divided into several classes depending on the parameters they determine. It should be clear that a software network scanner must operate in several modes, including determining the external and internal IP addresses of connected devices, recognizing wireless networks, running diagnostics, and accessing resources over the HTTP and FTP protocols.

Windows operating system tools for scanning

In operating systems of the Windows family, there is a tool for determining IP addresses that is already built into the operating system. IP addresses, as a rule, are assigned automatically by providers. In the network settings, you just need to select the option "Obtain an IP address automatically". In the same mode, the gateway and subnet mask are set. The primary and alternative DNS servers are not used in this case; in some cases their addresses must be entered manually, especially if the configuration is done through Google services. However, you can find any internal address by using the simplest ping command, entered from the console with the internal address of the local computer or of a terminal that connects to a corporate network. To view the addresses of all devices currently connected via one of the network protocols, use the ipconfig command. Many users underestimate the command line, but it is here that, by adding renew or release6 to the main command, you can apply automatic IPv6 settings or even refresh the configuration with settings from the DHCP server.

External request based on ping command

As for external requests made with the ping command, they are issued for the most part only by the network administrator or provider. The drawback of this method is that it determines only the external address of the IP device connected to the Internet; the internal address may be hidden or assigned automatically. When checking virtual WLAN networks, only the ADSL modem or router is pinged, and its address bears no relation to the address of the local computer terminal.

Wi-Fi Network Scanner

Let's move on directly to software products. It is probably not worth mentioning that from Google Play you can download a free utility that recognizes wireless networks located near the user. If you search the Internet well, you can find not just a network scanner but an entire software package that claims to crack passwords and even act as an anonymizer. This is somewhat like using virtual proxies and access protocols. The essence of the matter comes down to identifying an unused address or connecting to it. Thus, any IP address scanner on the network determines addresses based on those allocated by the provider; the service itself, provided it uses a virtual proxy server, can only guess at this.

The simplest programs

Among all the variety that can be found on the Internet today, the most popular are the following software products:

— scanner of public wireless networks Free WiFi Detector;

— local port and IP address scanner Net Scan;

— a tool for wireless networks InSSiDer;

— a system for checking free addresses that are not involved in local connections - Angry IP Scanner.

All network scanners of the type mentioned above work on the same principle: determining the external IP address of the connected device, regardless of whether you are using a mobile device, a laptop or a desktop computer. All applications in the "Windows 7 network scanner" category use a hidden ping command, which the user may not even be aware of. In this case, the external request is performed not as a Windows operation but by the application's own code, taking into account the protocol in use and the DHCP server. Failures may occur in the proxy server connection setting. To change these settings, use the network settings or the network adapter settings; they must be set to prohibit the use of a proxy for local addresses. These are at least the IPv4 protocol settings.

Mobile applications are also quite popular. The simplest example: suppose a user comes to a cafe and urgently needs to send an e-mail or write a message, but does not know the password for the wireless network. With the appropriate application installed on a tablet or smartphone, the network scanner works automatically and detects the nearest wireless network. Depending on the software product, there may also be a possibility of passwordless access to the network; however, this option is illegal. There is probably no need to repeat that today there are a huge number of hacking tools, which sometimes include applications of this type. At the same time, few understand that a network IP address scanner only determines the source through which the Internet connection and network access are made.

Conclusion

The worst thing is that not a single program of this type, when scanning external and internal addresses, can bypass the hosts configuration file, which stores mappings for standard addresses. Its contents may sometimes include entries that block certain resources. In operating systems of the Windows family, these settings have a very high priority, even over proxy and DNS servers. Therefore, when installing a network scanner, you need to think about whether this software product is worth using. Unfortunately, scanner applications that are not controlled by the Windows operating system can cause conflicts at the system level. For example, some dynamic libraries that are necessary for the correct functioning of Windows and device drivers may be blocked. You should also pay attention to the legality of probing certain wireless networks, not to mention installing software taken from unofficial sources.

TCP Scan

Using the TCP connect method, nmap scans the port range (1-65535) of the computer with the given IP address; the -sV option is used to obtain the versions of the running services:

$ nmap -sV xxx.xxx.xxx.xxx -p 1-65535

It is also worth noting the SERVICE and STATE fields in the output.

The SERVICE field always displays the name from the /etc/services file that corresponds to the port number. This does not mean that the service named in the SERVICE field is actually available on that port. You could run a web server on port 22 and SSH on port 80, but nmap would still label port 22 as ssh and port 80 as http.

In the STATE field, the ssh port is open in one case and filtered in the other. The filtered value means that something rejects or drops traffic to the port; it does not indicate whether or not a service is listening on that port.

-T "Paranoid|Sneaky|Polite|Normal|Aggressive|Insane" - timing modes. With "Paranoid", scanning takes a very long time, but you have a greater chance of remaining undetected by scan detectors. Conversely, use "Insane" when scanning fast or weakly protected networks.

-oN/-oM "logfile" - output results to logfile in normal (-oN) or machine (-oM) form.

-oS "logfile" - this option allows you to resume a scan that was interrupted for some reason, provided the results were being written to a file (the -oN "logfile" or -oM "logfile" option was enabled). To continue, run Nmap specifying only this option and the file in which the previous scan was recorded ("logfile").
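The machine-form log (-oM, called grepable or -oG in current Nmap) is the one you post-process to pick out the STATE and SERVICE values discussed above. The parser below is an added example, not Nmap's own code; the two-host scan it reads is constructed sample data (one host with ssh open, one with ssh filtered), not real results.

```python
"""Parser for Nmap's grepable output (-oG; older versions call this the
"machine" form, -oM). Added example, not Nmap's own code, to show how the
STATE and SERVICE columns discussed above look in a file you can post-process.
The scan lines below are constructed sample data, not real results."""
import re
from typing import Dict, List, Tuple

# Constructed sample: two hosts, ssh open on one and filtered on the other.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 (fw.chi)\tStatus: Up\n"
    "Host: 192.168.1.10 (fw.chi)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tIgnored State: closed (998)\n"
    "Host: 192.168.1.11 ()\tStatus: Up\n"
    "Host: 192.168.1.11 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///"
    "\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^(\S+) \((.*)\)$")


def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"name": ..., "status": ..., "ports": [...]}}.

    Each "Host:" line is a tab-separated list of "Key: value" fields. A port
    entry has the form port/state/protocol/owner/service/rpc/version/ ; the
    service column is the /etc/services guess the text warns about, not
    proof that that service is actually listening.
    """
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment and summary lines
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        m = HOST_RE.match(fields["Host"])
        if not m:
            raise ValueError("unparseable Host field: %r" % fields["Host"])
        ip, name = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, {"name": name, "status": None, "ports": []})
        if "Status" in fields:
            rec["status"] = fields["Status"]
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            p = entry.split("/")
            rec["ports"].append({"port": int(p[0]), "state": p[1], "proto": p[2],
                                 "service": p[4], "version": p[6]})
    return hosts


def ports_in_state(hosts: Dict[str, dict], state: str) -> List[Tuple[str, int, str]]:
    """List (ip, port, service) for every port in the given STATE, e.g. "filtered"."""
    out = []
    for ip, rec in hosts.items():
        for p in rec["ports"]:
            if p["state"] == state:
                out.append((ip, p["port"], p["service"]))
    return out


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for state in ("open", "filtered"):
        print(state, ports_in_state(scan, state))
```

Filtering on state rather than on service name is the point: the service column is a port-number lookup, so a review of "what is filtered" or "what is open" should key on STATE and treat SERVICE as a hint only.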

Nmap is a very popular open-source network scanner that can be used on both Windows and Linux. Nmap, or Network Mapper, was developed by Gordon Lyon and is used by security professionals and system administrators around the world.

This program helps system administrators very quickly understand which computers are connected to the network, find out their names, and also see what software is installed on them, what operating system and what types of filters are used. The functionality of the program can be expanded with its own scripting language, which allows administrators to automate many actions.

For example, scripts can automatically detect new security vulnerabilities in your network. Nmap can be used with good and bad intentions, so be careful not to use nmap against the law. In this tutorial we will look at how to use nmap to scan ports on Linux. But first you need to understand how this utility works.

In computer networks, every connected device has its own IP address. Each computer supports ICMP ping, which can be used to determine whether it is connected to the network: we simply send a ping request to the computer, and if it responds, we assume that it is connected. Nmap takes a slightly different approach. Computers also react in specific ways to specific network packets; the utility simply sends the necessary packets and looks at which hosts send a response.

But you probably already know about this. What's more interesting is how Nmap finds out what services are running on a machine. The essence of all network programs is based on ports. To receive a message from the network, the program must open a port on your computer and wait for incoming connections. And to send a message over the network, you need to connect to a different program (destination) port. The program will then need to open the port on which it will wait for a response.

The nmap utility, while scanning the network, goes through the available range of ports and tries to connect to each of them. If the connection is successful, in most cases, by transmitting several packets the program can even find out the version of the software that is listening for connections to this port. Now that we've covered the basics, let's look at how to use nmap to scan ports and networks.

Nmap Syntax

The Nmap launch command is very simple; all you need to do is pass it the target IP address or network in the parameters, and also specify options if necessary:

$ nmap [options] address

Now let's look at the main options that we will need in this article.

  • -sL - just list the target hosts, without scanning ports;
  • -sP - only check whether the hosts are reachable using ping;
  • -PN - consider all hosts reachable, even if they do not respond to ping;
  • -sS/sT/sA/sW/sM - TCP scanning;
  • -sU - UDP scanning;
  • -sN/sF/sX - TCP NULL and FIN scanning;
  • -sC - run the default scripts;
  • -sI - idle scanning;
  • -p - specify the range of ports to check;
  • -sV - detailed examination of ports to determine service versions;
  • -O - determine the operating system;
  • -T - scanning speed; the higher, the faster;
  • -D - mask the scan using decoy IPs;
  • -S - change your source IP address to the specified one;
  • -e - use a specific interface;
  • --spoof-mac - set your MAC address;
  • -A - determination of the operating system using scripts.

Now that we've covered all the basic options, let's talk about how nmap port scanning works.

How to Use Nmap to Scan Ports on Linux

Next, let's look at some nmap examples. First, how to find all devices connected to the network: use the -sL option and specify your network in CIDR form; in my case it is 192.168.1.1/24. You can find your local network mask by running the command:

In the output, for the interface you are using, take the number after the slash and put it after the IP address of your router. The network scan command then looks like this:

nmap -sL 192.168.1.1/24

Sometimes this scan may not produce any results because some operating systems have protection against port scanning. But this can be bypassed by simply using ping to scan all IP addresses on the network; for this there is the -sn option:

nmap -sn 192.168.1.1/24

As you can see, the program has now detected active devices on the network. Next, we can scan nmap ports for the desired host by running the utility without options:

sudo nmap 192.168.1.1

Now we can see that we have several ports open, all of which are used by some service on the target machine. Each of them can be potentially vulnerable, so it is not safe to have many open ports on a machine. But that’s not all you can do; next you’ll learn how to use nmap.

To find out more detailed information about the machine and the services running on it, you can use the -sV option. The utility will connect to each port and determine all available information:

sudo nmap -sV 192.168.1.1

Our machine is running ftp, so we can take a closer look at this service using the standard nmap scripts. Scripts allow you to check a port in more detail and find possible vulnerabilities. To do this, use the -sC option together with -p to set the port:

sudo nmap -sC 192.168.56.102 -p 21

We executed the default scripts, but there are other scripts too; for example, you can find all the scripts for ftp with the command:

sudo find /usr/share/nmap/scripts/ -name "*.nse" | grep ftp

Let's try one of them; to do this, specify it with the --script option. But first you can look at the script's description:

sudo nmap --script-help ftp-brute.nse

This script will try to determine the FTP login and password on the remote host. Then run the script:

sudo nmap --script ftp-brute.nse 192.168.1.1 -p 21

As a result, the script found the login and password, admin/admin. This is why you should not leave default credentials in place.

You can also run the utility with the -A option; it activates a more aggressive operating mode of the utility, with which you will get most of the information with one command:

sudo nmap -A 192.168.1.1

Please note that almost all the information we have seen before is here. It can be used to increase the protection of this machine.

The system administrator imagined himself to be the god of the network,
but the electrician rudely dispelled this myth.

IT humor

Introduction

Network scanning is one of the first steps both in hacking and in preventing it, as it allows you to determine the most vulnerable and potentially dangerous open ports on a computer. Since each computer has its own set of characteristics, a port scanner lets you determine which services (FTP, web, mail server, etc.) are running on the computer, as well as which operating system controls it. The more services running on a computer, the higher the likelihood of it being hacked, because every piece of software has vulnerabilities.

Network scanners are designed to scan a specific network address (IP address) or addresses and identify open and possibly insecure ports on the computer under investigation. Nevertheless, such programs are used, as a rule, by hackers to identify possible vulnerabilities and subsequently hack a computer, and not at all for the purpose of ensuring its security. It turns out that security and hacking, although antipodes in their essence, allow the use of the same means.

TCP Basics

To understand how scanning works, you need to know the algorithm by which a TCP connection is established between computers. To establish a TCP connection between a client and a server, the client sends a request (a TCP packet) with the SYN flag set to initiate the connection. If the server is listening on that port, it replies with a packet with the SYN and ACK flags set, thereby simultaneously acknowledging the client's request and asking to establish the reverse direction of the connection. The client then sends a packet with the ACK flag set, acknowledging the server's SYN. Data is then transmitted, and each time a packet with the ACK flag is sent to confirm its receipt. When the server or client has completely finished transmitting data, it sends a packet with the FIN flag set, telling the other side to terminate the connection. The other side, having received a packet with the FIN flag, sends a packet with the FIN flag set in return, confirming the end of the connection. Either side can also abort the connection by sending a packet with the RST flag. The packet exchange is shown more clearly in Table 1.

Table 1. Connection establishment and packet exchange process

Most scanners receive information about available open ports and the presence of a computer on the network based on this sequence.

Nmap network scanner and its capabilities

Since systems based on Linux and BSD have become increasingly popular lately, in this publication we will look at the most advanced network scanner for Linux systems, Nmap. This program is one of the most widespread among Linux users and is distinguished by powerful tools and high speed.

The Nmap network scanner appeared in 1997 for UNIX-based operating systems and continues to improve to this day. It differs from similar programs for Windows by its powerful built-in tools, high speed, various related utilities, numerous scanning methods and popularity, since almost every Linux distribution ships with this network security scanner. However, like most highly specialized programs for Linux, it has no graphical shell for the end user and is launched from the command line. There are, of course, additional front-ends for this utility, such as Umit and Nmapfe, which use the Nmap engine and display information in windows rather than on the command line. But this utility was originally developed for the command line, and the "attached" front-ends increase running time and have many disadvantages compared to the original, including in design style. There is also a version of this program for Windows. Since the working methods and most commands are identical on both platforms, this article discusses Nmap 4.1 for Linux. Since Nmap is included in almost every Linux distribution, you can use so-called LiveCDs to scan a network without reinstalling the operating system. Boot disks of this type do not require installation and are loaded from a CD/DVD drive; there is no need to partition the hard drive or create additional partitions, because part of the computer's RAM serves as the hard drive.

Currently, network scanners allow you to determine many additional parameters of the computer being scanned. Nmap can determine most of the basic parameters of a network adapter: MAC address, computer name in the domain, open ports, ports closed by a firewall, the manufacturer of the chipset of the network adapter of the computer being studied, OS version and services. Note that information about MAC addresses and the chipset manufacturer can only be obtained for computers that are on the same subnet as the scanning PC. To appreciate all the advantages of this program, let's look at the keys most commonly used in its operation.

As already mentioned, Nmap is launched from the command line. When you start the program without any switches, or with the -h (--help) switch, a list of the available switches and their parameters is displayed on the screen (Fig. 1).

Fig. 1. List of switches displayed when entering the Nmap command

The syntax for running the program is nmap [scan type] [options] {target specification}, where scan type is the scanning method (if it is omitted, Nmap performs an ordinary scan of the available ports), options are the various switches and scanning parameters, and target specification is either the computer's IP address, a range of IP addresses (determined by the subnet mask), or the host name.

Subnet masks

Users who have dealt with network adapter settings have most likely encountered a parameter called the subnet mask (Netmask). However, not everyone understands what it is.

As you know, an IP address consists of four integer values (octets) and is written in the form xxx.xxx.xxx.xxx, where xxx can take values from 0 to 254. But the IP address by itself is not sufficient: for a network device to determine which subnet a computer belongs to, it also needs a subnet mask, which indicates which part of the IP address is the Network ID and which part is the Host ID. The Network ID is essentially the address of the network itself, and the Host ID is the address of the node within that network. Consider a host with the IP address 10.242.10.242 and the subnet mask 255.0.0.0: in this case the computer belongs to the network 10.0.0.0. Here the network ID is 10.0.0.0 and the host ID is 242.10.242. To obtain the network address from the IP address and the subnet mask, you apply the bitwise conjunction (AND) operation to them: the network address is the bitwise AND of the IP address and the subnet mask.

For example, in the case of a more complex mask:

IP address: 00001100 00100010 00111000 01001110 (12.34.56.78)

Subnet mask: 11111111 11111111 11100000 00000000 (255.255.224.0)

Network address: 00001100 00100010 00100000 00000000 (12.34.32.0)

However, in order to scan the network while writing less text, you can use an alternative subnet mask entry using prefixes. In most cases for simple networks you can limit yourself to simple subnet masks such as 255.0.0.0, 255.255.0.0 and 255.255.255.0. The subnet mask is often written along with the IP address in the format "IP address/number of one bits in the mask." For example, the IP address 12.34.56.78 with a mask of 255.255.224.0 (that is, consisting of 19 ones and 13 zeros) can be written as 12.34.56.78/19. For the three types considered, there is an alternative input of the form ip/8, ip/16 and ip/24, which allows you to reduce the number of digits typed when entering on the command line. For the example above, the subnet mask could be written like this: 10.242.10.242/8, which is significantly shorter than 10.242.10.242 mask 255.0.0.0. Therefore, the IP address range for network 10.0.0.0 can be written as 10.0.0.0/8.
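As an added worked example (not from the article), here is the subnet arithmetic above in Python: the bitwise AND that yields the network address, the host part, and conversion between a dotted mask and the /N prefix form. The addresses are the article's own; the function names are this example's.

```python
"""Added example (not from the article): compute the Network ID, Host ID and
CIDR prefix of an address with the bitwise arithmetic the text describes, and
convert between a dotted mask and the /N prefix form."""


def dotted_to_int(dotted):
    """Pack a dotted quad such as 12.34.56.78 into one 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value):
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary_row(value):
    """Render a 32-bit value as four 8-bit groups, like the rows in the article."""
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_to_prefix(mask):
    """Count the leading ones of a dotted mask. A mask whose ones are not
    contiguous (e.g. 255.0.255.0) has no /N form and is rejected."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def prefix_to_mask(prefix):
    """Expand /N into a dotted mask, e.g. 19 -> 255.255.224.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def split_address(ip, mask):
    """Return the Network ID (IP AND mask), the Host ID (IP AND NOT mask), the
    CIDR form, the number of usable host addresses and the binary rows."""
    ip_i, mask_i = dotted_to_int(ip), dotted_to_int(mask)
    host_mask = ~mask_i & 0xFFFFFFFF
    net_i = ip_i & mask_i
    return {
        "network": int_to_dotted(net_i),
        "host_id": int_to_dotted(ip_i & host_mask),
        "cidr": f"{ip}/{mask_to_prefix(mask)}",
        # usable addresses, excluding the network and broadcast addresses
        "hosts": max(host_mask - 1, 0),
        "binary": {
            "ip": to_binary_row(ip_i),
            "mask": to_binary_row(mask_i),
            "network": to_binary_row(net_i),
        },
    }


if __name__ == "__main__":
    for ip, mask in (("12.34.56.78", "255.255.224.0"), ("10.242.10.242", "255.0.0.0")):
        info = split_address(ip, mask)
        print(f"{info['cidr']}: network {info['network']}, host {info['host_id']}, "
              f"{info['hosts']} usable addresses")
        for name, row in info["binary"].items():
            print(f"  {name:8} {row}")
```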

First scanning attempts

Let's return to the Nmap network scanner. As already mentioned, the target specification can be an IP address, a range of addresses or a host name. If you need to scan many different IP addresses and hosts, entering them all manually on the command line is inconvenient (especially if there are more than 20), so Nmap supports loading the addresses from a file. Table 2 lists the switches associated with entering the addresses to scan.

Table 2. Keys responsible for entering addresses

Note that the file containing the list of addresses must be a plain text file, with each new address or range of addresses starting on a new line. Examples of entering the addresses to scan are shown in Fig. 2 and 3.

Fig. 2. Entering addresses on the command line

Knowing how to specify the addresses of the computers under study, let's see what is ultimately displayed on the screen. Let's type the command nmap 10.0.0.62 10.0.0.53 to scan the open ports on the computers with these addresses.

Fig. 3. Specifying the addresses to scan from a file

Scan results and their analysis

Figure 4 shows the output of the scan. First, using the DNS server, Nmap tries to find the name matching the IP address being scanned. If this succeeds, Nmap prints the computer's real name at the very beginning. As can be seen from the figure, the IP address 10.0.0.62 corresponds to the name pakhomov.computerpresspublishing.ru, but for the next address examined, 10.0.0.53, there is no such correspondence. Next, Nmap reports the closed or blocked ports (Not shown 1674 closed ports), and then lists (in three columns) the ports that have a different status. The first column gives the port number; the second can take several values indicating the port status determined by Nmap:

  • open - the port is open and a service accepts TCP or UDP connections on it (such a port is the most vulnerable to hacking);
  • filtered - the port is blocked by a firewall or another blocking program or service (router rules, hardware firewall, etc.);
  • closed - the port is closed because no service or other program is listening on it on the computer.

Fig. 4. Scan result

If a port is reported as unfiltered, Nmap was unable to determine whether the port is open or closed; this status is typically assigned by an ACK scan (discussed later). There are also two combined values, open|filtered and closed|filtered: in both cases Nmap could not determine the port status. To pin down the first case, use the FIN, Null, Xmas or UDP scanning method; these methods will most likely give more precise information. The closed|filtered value appears only when the Idlescan method is used.

The last column gives a little information about the intended service using this port. Let's say if port number 80 is open, Nmap informs you that this port is usually used by web servers (http). It should be noted that for greater security, some services are launched not on their standard port, but on another one, so it is impossible to say that the web server is running on port 80 (for a more accurate determination of the running service, the version scanning method is intended). After displaying a list of open ports, Nmap displays the physical (MAC) address of the network device, and also, if possible, determines the manufacturer of the network adapter chipset of the PC being examined and, in some cases, even its name.

Methods of scanning for the presence of a computer on a network

The examples discussed above are quite simple and do not require entering additional keys, but are usually suitable for most computers on the network. However, for aggressive scanning in order to obtain the maximum possible information about the computer being examined, it is necessary to correctly set the scanning parameters. To determine which computers are running on a network, Nmap allows you to use several network scanning methods - all of which fall under the Host Discovery section.

Detecting a computer using the Ping method

The simplest way to detect running computers is with Ping. To do this, use the -sP switch on the command line. Nmap sends ICMP echo requests to the given IP address or addresses and waits for a response. If a response is received, the scanned computer is up, and this is shown in the scan result. Figure 5 shows the result of using this method.

Fig. 5. Scanning result using -sP

However, today many computers that have at least some kind of firewall tend to block ICMP requests, so even if the computer is turned on, Nmap will report that the computer does not exist on the network. In this case, Nmap uses a different method to determine whether a computer is on the network. The Ping scanning example discussed is based on the connection establishment sequence table provided.

Discovery using SYN/ACK and UDP packets

If a service is listening on a port and Nmap tries to establish a connection to it (sends a packet with the SYN flag), the service responds with a packet with the SYN/ACK flags, which indicates that the computer exists on the network. If there is no service on that port, the host responds with a packet with the RST flag, which likewise indicates that there is a computer at the given IP address. If nothing is received in response to the SYN packet, either the computer is turned off or the traffic is blocked by a firewall. To bypass firewall blocking, another scanning method was developed: Nmap usually sends packets with the SYN/ACK flags and a UDP packet to the standard port 80, which is most often used for web traffic and is therefore very rarely blocked by a firewall. Using the -PS, -PA and -PU switches, you can specify which packet is sent to the host and on which port. An example of these commands is shown in Fig. 6. Note that the port number is written together with the packet type: -PS80,81.

Fig. 6. Scanning result using -PA, -PS and -PU

Detecting a computer using various ICMP packets

The above method does not always accurately determine the presence of a computer on the network, so Nmap has another way to do it: the additional switches -PE, -PP and -PM. The first uses ICMP echo requests; however, as mentioned, ICMP traffic is often blocked, so this method is not always applicable. But the ICMP specification also defines timestamp requests and address mask requests, which can also elicit a response from a remote computer, although they often do not give the desired result. To use the ICMP echo method, specify the -PE switch; for the other two methods, the -PP and -PM switches respectively. Figure 7 shows scanning attempts using all three methods.

Fig. 7. Scanning result using the -PE, -PP and -PM switches

Disable computer detection when scanning

As a rule, it is impossible to accurately determine whether a computer is on the network, or, if there is one, scanning it may be blocked by a firewall. In this regard, the -P0 option was introduced, in which the computer being examined is not scanned for its presence on the network (that is, it is not pinged at all), but only the computer’s ports are scanned. When using this option, Nmap automatically assumes that the IP addresses being scanned are on the network and does not send requests to determine the computer's presence on the network, which significantly increases scanning speed. This option is usually used for covert scanning using the methods that will be described below, since in this case no information about ICMP echo requests remains on the computer being examined.

By default, when scanning an IP address, Nmap obtains the computer name from the system DNS. To speed up scanning, you can disable this by adding the -n switch. Incidentally, almost all programs and services that deal with the network use the -n switch in this same sense (netstat -n, route -n, etc.). There are also several options for resolving the computer name using not only the system DNS but also external DNS servers. To do this, run Nmap with the switch --dns-servers serv1,serv2, where serv1 and serv2 are DNS server addresses. In addition, you can use the -R switch. As mentioned, by default Nmap uses the system DNS to obtain the computer name; to specify this explicitly, enter the --system-dns switch. Figure 8 shows examples of using the -n and -R --dns-servers switches.

Fig. 8. Using the -n and -R --dns-servers switches

Methods for scanning ports on a remote computer

The Nmap network scanner involves using a variety of scanning methods to obtain the necessary information. However, let’s make a reservation that many methods involve various manipulations with TCP packet flags at a low level, and therefore require root (superuser) authority in the system to work. The methods used can only function separately from each other; only UDP port scanning can be carried out simultaneously with other scanning methods. Port scanning is based on the same method of sending packets with changed flags when initiating TCP and UDP connections.

Scanning using the SYN method

The most common method, and the default one, is the TCP SYN scan. For most computers under study, this method is sufficient to determine open ports. TCP SYN scanning is the fastest compared to other methods - it can scan several hundred ports per second, while keeping the scanning computer in the shadows because it never terminates the TCP connection (most monitoring utilities do not log connection data). To use this method, you must have superuser (root) rights. The Nmap scanner sends a packet with the SYN flag to the computer under investigation, as if it wants to open a regular TCP connection, following the rules given at the beginning of the article. If a response (a packet with the SYN/ACK flags) is received from the requested host, the port will be designated as open, and if a packet with the RST flag is received, it will be designated as closed. If the scanned computer does not respond, it is assumed that this port is filtered by the firewall. To use this scanning method, you need to run Nmap with the -sS switch (Fig. 9).

Fig. 9. Scanning using the -sS switch (TCP SYN scan)

As you can see from the picture, most of the ports are open, but some are blocked by the firewall.

Scanning using the connect() system function

There are situations when you do not have superuser permissions but need to scan a remote computer. In this case, Nmap uses a method based on establishing a connection with the connect() system call, which most applications (p2p clients, browsers and other network applications) use. Nmap asks the operating system itself to establish the TCP connection. If the connection is established, the port is marked as open, otherwise as closed. After determining the port status, Nmap terminates the connection, that is, a packet with the RST flag is sent. However, this method has one drawback: since the connection is fully established, it remains in the logs of the scanned system, so monitoring systems will almost always determine which computer performed the scan. For this reason the method is rarely used. To run this scan, start Nmap with the -sT switch. An example of scanning with the connect() system call is shown in Fig. 10.

Fig. 10. Scanning using the -sT switch (TCP connect() scan)

Scanning UDP protocol ports

Don't forget about UDP services, which are almost as widespread as those using TCP. The most common UDP services are DNS, SNMP and DHCP. Because UDP scanning is more complex and slower than TCP scanning, many security systems neglect it and ignore listening (filtering) on these ports. But in that case the services listening on these ports may also be vulnerable to hacking, since Nmap can determine which ports are open and what services are listening on them. Since UDP is a different protocol from TCP, the scanning method differs from those discussed previously. Nmap sends an empty UDP packet to every port it examines and waits for a response. If it receives an ICMP port unreachable error in response, the port is considered closed. If it receives other ICMP errors, Nmap assumes the port is filtered by a firewall. A UDP response packet indicates the presence of a service, and the port is marked open. If no response is received after several attempts, Nmap marks the port as open|filtered, because it cannot determine for sure whether the port is open or a firewall is blocking traffic on it. In addition, many computers can only send a limited number of ICMP error messages per second, to protect against network overload. To clarify the status of a port, you can use the -sV switch (Nmap then tries to determine the service running on the scanned port and its version), but the scanning speed drops by an order of magnitude. UDP scanning can be run simultaneously with any of the TCP scanning methods, since they use different protocols. UDP scanning is launched with the -sU switch. The difference in speed is demonstrated in Fig. 11, which shows sequential examples of scanning without and with the -sV option.

Fig. 11. UDP scanning with and without the -sV switch

The figure shows that scanning with service version detection took almost 10 times longer (54 seconds versus 4) than without it. But this option helped determine that UDP ports 53 and 137 were open, although the previous scan could not accurately determine their status. At the same time, even this option does not always give reliable information: out of nine ports with an uncertain status, only two (53 and 137) were identified precisely. Nmap also allows you to set a response timeout for the computer being examined, thereby weeding out slow hosts and significantly speeding up UDP scanning. The option responsible for this can be used not only with UDP scanning but with all other methods as well. To use it, enter the switch --host-timeout sec, where sec is the timeout in milliseconds.

Scanning with FIN, Xmas and Null methods

Since a TCP connection is based on the three-way handshake discussed at the beginning of the article, interrupting the connection sequence also yields information about the closed and open ports of the host being examined. In the FIN scanning method, packets with the FIN flag, which is normally used when closing a connection, are sent to the remote host. In this case a closed port must, according to the TCP specification, reply with a packet with the RST flag; if the port is open or blocked by a firewall, there will be no response. As with SYN scanning, the connection is never fully established, so no record may remain in the system logs of the host under investigation, although most monitoring systems can record this type of scan. This method is stealthier than TCP connect scanning and determines whether a port is closed or open (or blocked), and it has several modifications. The Null scan sends, instead of a packet with the FIN flag, a packet with an empty header (all flag bits cleared); it works on the principle described above. Another method with a similar algorithm is Xmas scanning, in which the packet sent to the host is "lit up" with several flags (FIN, PSH and URG) like a Christmas tree. Each of these methods has its own switch: -sN, -sF and -sX (Null, FIN and Xmas scanning respectively). Fig. 12 shows examples of all three types of scanning, and for comparison Fig. 13 shows the SYN scanning method.

Fig. 12. Scanning using the -sN, -sF and -sX switches

When comparing scan results using SYN and Null, FIN and Xmas, it is clear that with their help many ports were not identified as exactly open, but only as open|filtered. This is because most Windows operating systems, Cisco network devices and others do not always follow the specification, so the result of such a scan for these types of systems will most likely be negative. At the same time, scanning with these three methods is suitable for identifying open ports on UNIX-based systems that follow the TCP protocol specification, and also allows you to bypass many firewalls and packet filtering.

Fig. 13. SYN scan

Scanning using various flags

Nmap allows you to set flags that will be used for this type of scanning, for which you need to run the program with the --scanflags switch. In this case, the types of flags can be different - URG, ACK, PSH, RST, SYN and FIN. The command syntax is as follows: Nmap --scanflags URGACKPSHRSTSYNFIN. In addition to this command, you can specify two scanning methods: -sA and -sF (if they are not specified, the SYN scanning method is used by default).

Scanning using ACK and Window methods

To determine which ports on a computer are filtered and which are unfiltered, there is a separate scan type, ACK. It can also be enabled with the --scanflags ACK switch. Since many firewalls only look at SYN packets to a specific port when filtering, sending packets with the ACK flag gives a good chance of determining whether a firewall is present on the computer being examined. In this case the packet with the ACK flag is sent on its own, not as part of a connection. If the receiving side returns a packet with the RST flag (so the port is not blocked by a firewall), the port is marked unfiltered; if the host does not respond, a firewall is in place and the port is in the filtered state. To activate this method, run Nmap with the -sA switch. Figure 14 shows an example of this scanning method.

Fig. 14. Scanning using the ACK method

Since a computer has already been examined using a SYN scan (see Figure 13), we can say that an ACK scan can determine the status of only some host ports. This method has an analogue that works on the same principle, but interprets the results received from the host slightly differently. TCP Window scanning assumes that on some hosts the services use a positive window field in the response packet (not zero). Therefore, using this method, Nmap analyzes the headers of incoming packets with the RST flag, and if the incoming packet contains a positive field value, then Nmap marks this port as open. Receiving a packet with a field value of zero means that the port is closed. To activate this scanning method, you must enter the -sW switch.

Maimon scanning

Another scanning method based on the three-way handshake is the one described by a specialist named Uriel Maimon. His method is almost identical to the FIN, Xmas and Null methods, except that the packets are sent with the FIN/ACK flags. Here too, if the port is closed, the host should respond with an RST packet. To activate this scanning method, enter the -sM switch.

All the above methods are based on the same three-way connection method for a TCP connection.
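Added example, not from the article or from Nmap: the TCP scan types above differ in what the scanner does after the target answers (a connect() scan completes the handshake, a SYN scan answers the SYN/ACK with RST, ACK/FIN/Null/Xmas probes never send a SYN at all), and that is exactly what a network monitor can use to tell them apart. The script below labels constructed TCP segment records by the probe pattern each source used and reports sources that sweep many ports on one host; all hosts and traffic are made up.

```python
"""Added example, not from the article: label TCP flows by the probe pattern
the initiator used (connect(), half-open SYN, ACK, FIN, Null, Xmas) and
report sources that probe many ports on one host. Constructed data only."""
from collections import defaultdict

# One record per segment: (src, dst, service_port, flags). service_port is the
# server-side port in both directions; flags use tcpdump-style letters
# (S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG, "" = no flags, i.e. a Null probe).
PROBE_KINDS = {"A": "ACK", "F": "FIN", "": "Null", "FPU": "Xmas"}
INDETERMINATE = "SYN to closed port"   # -sS and -sT look identical here


def classify_flows(records):
    """Group segments into (initiator, target, port) flows and label each flow
    by the probe pattern the initiator used."""
    flows = defaultdict(list)
    for src, dst, port, flags in records:
        key = (dst, src, port) if (dst, src, port) in flows else (src, dst, port)
        flows[key].append((src, flags))
    labels = {}
    for (initiator, target, port), segs in flows.items():
        sent = [f for who, f in segs if who == initiator]
        replies = [f for who, f in segs if who == target]
        if sent[0] != "S":                      # no SYN: ACK/FIN/Null/Xmas probe
            kind = PROBE_KINDS.get(sent[0], f"flags {sent[0]!r}")
        elif "A" in sent:                       # handshake completed: connect()
            kind = "full connect"
        elif "SA" in replies:                   # got SYN/ACK but never ACKed it
            kind = "half-open SYN"
        else:                                   # only an RST came back
            kind = INDETERMINATE
        labels[(initiator, target, port)] = kind
    return labels


def find_sweeps(records, min_ports=5):
    """Return {(source, target): (distinct_ports, dominant_kind)} for sources
    that probed at least min_ports distinct ports on one target."""
    per_pair = defaultdict(lambda: defaultdict(set))
    for (initiator, target, port), kind in classify_flows(records).items():
        per_pair[(initiator, target)][kind].add(port)
    findings = {}
    for pair, kinds in per_pair.items():
        total = set().union(*kinds.values())
        if len(total) < min_ports:
            continue
        # Decide the scan type from flows that reached an open port; a SYN met
        # by RST only counts toward volume.
        decisive = {k: v for k, v in kinds.items() if k != INDETERMINATE} or kinds
        findings[pair] = (len(total), max(decisive, key=lambda k: len(decisive[k])))
    return findings


def syn_probe(scanner, target, port, is_open):
    """Constructed -sS exchange: SYN, then SYN/ACK (open) or RST/ACK (closed);
    the scanner tears an open port down with RST instead of completing."""
    recs = [(scanner, target, port, "S"),
            (target, scanner, port, "SA" if is_open else "RA")]
    return recs + [(scanner, target, port, "R")] if is_open else recs


def connect_probe(client, target, port, is_open):
    """Constructed connect() exchange: full handshake plus a FIN/ACK close."""
    recs = [(client, target, port, "S")]
    if not is_open:
        return recs + [(target, client, port, "RA")]
    return recs + [(target, client, port, "SA"), (client, target, port, "A"),
                   (client, target, port, "FA"), (target, client, port, "FA")]


def sample_records():
    """Constructed traffic: a SYN sweep, a connect() sweep, an ACK sweep, an
    Xmas sweep and an ordinary web client, all against 10.0.0.62 (the
    article's address). Ports 22 and 80 are open on the target."""
    recs = []
    for port in (21, 22, 25, 80, 110, 143, 443, 8080):
        recs += syn_probe("10.0.0.5", "10.0.0.62", port, port in (22, 80))
    for port in (21, 22, 23, 25, 80, 139):
        recs += connect_probe("10.0.0.9", "10.0.0.62", port, port in (22, 80))
    for port in (80, 443):
        recs += connect_probe("10.0.0.7", "10.0.0.62", port, True)
    for port in (22, 25, 53, 80, 443):
        recs += [("10.0.0.11", "10.0.0.62", port, "A"), ("10.0.0.62", "10.0.0.11", port, "R")]
    for port in (21, 22, 23, 25, 80):           # Xmas: closed ports answer RST, open stay silent
        recs.append(("10.0.0.13", "10.0.0.62", port, "FPU"))
        if port not in (22, 80):
            recs.append(("10.0.0.62", "10.0.0.13", port, "RA"))
    return recs


if __name__ == "__main__":
    for (src, dst), (n, kind) in sorted(find_sweeps(sample_records()).items()):
        print(f"{src} -> {dst}: {n} ports probed, pattern: {kind}")
```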

Covert scanning using the idlescan algorithm

None of the methods discussed allows you to completely hide the IP address of the scanning host. Since spoofing the IP address of an outgoing packet is not so difficult, a scanning method was found in which the host under investigation cannot determine the exact IP address of the computer from which the scan is being performed. The idlescan method is almost identical to SYN scanning in its operating algorithm. To understand how the IP address of the scanning computer is hidden, you need to know that each IP packet has its own fragment identification number (IPID). Many operating systems increment this number for each subsequent packet sent, so you can easily determine how many packets the host sent. It is worth considering that if a computer receives a packet with the SYN/ACK flags from an address from which it did not request a connection, then in response it will send a packet with the RST flag. This method involves using another “zombie” computer, on behalf of which packets will be sent to the scanned computer. Next, we will consider the algorithm of the idlescan method.

Let the scanning computer be called attacker, the zombie computer zombie, and the computer being scanned target.

First case - the port being examined is open:

  • attacker sends a packet with the SYN/ACK flags to zombie, and zombie replies with an RST packet. Say this packet carries identification number (IPID) 123;
  • attacker sends a packet with the SYN flag to the desired port of target, with the source address spoofed to be that of zombie;
  • target replies to zombie with a SYN/ACK packet. zombie answers target with an RST packet, since it never intended to establish a connection with it. This packet carries an IPID increased by one, 124;
  • attacker again sends a SYN/ACK packet to zombie, and zombie replies with an RST packet. This packet carries an IPID increased by two, 125.

Second case - the port is closed:

  • attacker sends a packet with the SYN/ACK flags to zombie, and zombie replies with an RST packet. Say this packet carries identification number (IPID) 123;
  • attacker sends a packet with the SYN flag to the desired port of target, with the source address spoofed to be that of zombie;
  • target replies to zombie with an RST packet. zombie sends nothing in response;
  • attacker again sends a SYN/ACK packet to zombie, and zombie replies with an RST packet. This packet carries an IPID increased by one, 124.

Thus, simple arithmetic tells you whether a port on the computer under study is open or closed. The advantage of this method is that it is very difficult to identify the IP address of the scanning computer: the target believes the scan was performed by the zombie, and the scanning computer's requests remain only in the zombie's logs. To activate this scanning method, enter the -sI zombie[:port] switch, where zombie is the name or IP address of the computer on whose behalf the scanning is performed, and port is the port used for communication between the scanning computer and zombie (80 by default, since on most computers this port is open for web traffic). An example of scanning using this method is shown in Fig. 15; an example of SYN scanning is also shown for comparison.
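The IPID arithmetic of the two cases above, as an added example that is not the article's or Nmap's code: the zombie and the target are modelled as Python objects, nothing is sent on the wire, and the probe classifies a port as open, closed or unknown from the counter delta; the noise parameter models the failure mode where the zombie's own traffic inflates the counter. The incrementing-by-one IPID scheme is the assumption the text relies on.

```python
"""Model of the idlescan IPID arithmetic described in the two cases above.

Added illustration, not Nmap code. Assumes the scheme the text relies on:
the zombie's IP ID counter rises by one per packet sent, an unsolicited
SYN/ACK is answered with RST, and an RST is never answered.
"""
from dataclasses import dataclass, field


@dataclass
class Zombie:
    ipid: int = 123          # IPID the next packet it sends will carry

    def send(self) -> int:
        """Emit one packet; return the IPID it carried (16-bit field)."""
        sent = self.ipid
        self.ipid = (self.ipid + 1) & 0xFFFF
        return sent

    def receive_syn_ack(self) -> int:
        return self.send()   # unsolicited SYN/ACK is answered with one RST

    def receive_rst(self) -> None:
        pass                 # an RST gets no reply, so the counter stays put


@dataclass
class Target:
    open_ports: set = field(default_factory=set)

    def receive_syn(self, port: int, claimed_source: Zombie) -> None:
        """The SYN carried the zombie's address, so the reply goes to the zombie."""
        if port in self.open_ports:
            claimed_source.receive_syn_ack()   # open: SYN/ACK -> zombie sends RST
        else:
            claimed_source.receive_rst()       # closed: RST -> zombie stays silent


def probe(target: Target, zombie: Zombie, port: int, noise: int = 0) -> str:
    """Classify one port from the zombie's IPID delta: 1 -> closed, 2 -> open.

    `noise` is the number of unrelated packets the zombie sends between the
    two measurements; any other delta is reported as 'unknown' (retry needed).
    """
    before = zombie.receive_syn_ack()          # step 1: read the counter
    target.receive_syn(port, zombie)           # steps 2-3: spoofed SYN, reply hits zombie
    for _ in range(noise):
        zombie.send()                          # zombie talking to someone else
    after = zombie.receive_syn_ack()           # step 4: read the counter again
    delta = (after - before) & 0xFFFF          # correct across 16-bit wrap-around
    return {1: "closed", 2: "open"}.get(delta, "unknown")
```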

Fig. 15. Scanning using the idlescan method

As can be seen from the figure, the "zombie" computer was a PC with the IP address 10.0.0.79, and the scanned computer had the IP address 10.0.0.62. Analyzing the results, it can be argued that the idlescan method does not always correctly determine the status of a port (whether it is open or blocked by a firewall). In addition, comparing scanning times, the SYN method is much faster: during an idlescan Nmap sometimes has to send its packets several times, because the zombie computer may itself be busy actively exchanging packets, which throws off the IPID counter that Nmap relies on for its calculation. This method is the most preferable if you need to hide the scan, but it still does not give an accurate picture of the open ports on the computer being examined. It is recommended to run this type of scan with the -P0 switch, since then Nmap does not ping the host before scanning. In some cases, if a zombie computer behaves erratically and interferes with obtaining scan results (the results cannot be displayed) but information about open ports is still needed, you can use the -v -v (verbose mode) option. In this mode, Nmap displays all service and received information on the screen as it arrives.

Scan for open protocols

In some cases it is necessary to determine which IP protocols a remote host supports. Because each protocol carried over IP is assigned its own protocol number, and each IP packet has a protocol field indicating which protocol's headers follow, you can find out which protocols are open on the computer being tested. To determine whether a protocol is available on a host, Nmap sends several IP packets with empty (header-less) payloads, varying only the protocol number in the IP protocol field. If the protocol is unavailable, the computer returns an ICMP "protocol unreachable" message. If the host does not respond at all, this may mean either that the protocol is available or that a firewall is blocking ICMP traffic. The situation is very similar to UDP scanning, where it is likewise impossible to determine precisely whether a port is open or filtered by a firewall. To enable protocol scanning, use the -sO switch. Fig. 16 shows an example of this method.

Fig. 16. Scan for available protocols

Nmap reports a protocol as open or filtered only when it can determine that status precisely; the remaining scanned protocols are marked open|filtered.

Stealth scanning using the ftp bounce method

The Nmap network scanner supports the ftp bounce scanning method, which relies on the ability of an FTP server to send files to a third party. Since this feature has very often been misused (for scanning and hacking attempts), many FTP servers no longer support it or block it. The ftp bounce method allows you to scan the ports of a remote computer on behalf of an FTP server: the scanning computer asks the FTP server to open a TCP connection to a specific port of the computer being scanned in order to transfer a file, and by analyzing the errors returned by the FTP server Nmap determines whether the port is open or closed. The scan is stealthy because, from the point of view of the computer being examined, the initiator of the connection is the FTP server and not the scanning computer. The method is mainly useful because a firewall usually lets traffic from a known FTP server through, since such a server typically has wider access to both external and internal network resources. Thus it becomes possible to bypass port filters and firewalls that block the traffic of other scanning methods. To scan a computer with this method you need to find a suitable FTP server that supports the described feature, together with a login and password for it. To run such a scan, Nmap is given the -b username:password@server[:port] switch, where username and password are the login and password for the FTP server and server is its name or IP address. If the :port part is omitted, Nmap tries to connect to the FTP server on the standard port 21. Fig. 17 shows an example of this method.

Fig. 17. Scanning using the ftp bounce method

As can be seen from the figure, scanning with this method gave positive results. However, such a scan is not always possible, since very often the FTP server cannot establish a connection to a remote computer on privileged ports (below 1024). For such errors, Nmap prints the line your ftp bounce server doesn't allow privileged ports or recv problem from ftp bounce server. As with idlescan, to hide your presence it is recommended to specify the -P0 switch so that Nmap does not send ICMP echo requests to the computer being scanned. Note that Nmap frequently hangs when using ftp bounce against certain hosts. To still obtain the necessary information, run Nmap with the -v -v options, which make the scanner display the information it has received as it arrives.

Scanned port settings

The Nmap scanner has many additional settings. Table 3 describes the settings relating to the ports to be scanned.

Table 3. Scan port settings

By default, Nmap scans the privileged ports (0 to 1024) and the ports defined in the nmap-services file. This file is constantly updated by the developers and includes the ports used by common applications and services; for each entry it contains the service name, its description and the protocol it uses. Since Nmap can scan not only TCP but also UDP ports, the -p switch lets you state the protocol explicitly alongside the port. Scanning UDP port 25 and TCP port 80 looks like this: nmap -p U:25,T:80.
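A parser for the -p syntax just described, as an added example that is not Nmap's own parser. It covers the subset of the syntax shown here (single ports, low-high ranges and the T:/U: prefixes) and assumes that items written before any prefix apply to every protocol included in the scan, both TCP and UDP by default.

```python
"""Parser for the -p port specification, e.g. -p U:25,T:80.

Added illustration, not Nmap's parser. Rules modelled: comma-separated
items, each a port or a low-high range; a T: or U: prefix selects TCP or
UDP for every item that follows it until the next prefix; items before
any prefix apply to all protocols the scan includes (assumed: both).
"""
from __future__ import annotations

import re

# optional "T:"/"U:" prefix, a port, and an optional "-high" range end
_ITEM = re.compile(r"^(?:([TU]):)?(\d+)(?:-(\d+))?$")


def parse_port_spec(spec: str, scanned=("tcp", "udp")) -> dict[str, set[int]]:
    """Return {'tcp': ports, 'udp': ports} for one -p argument.

    Raises ValueError on empty or malformed items and on ports outside
    0-65535, so a typo such as 'T:80-' or '70000' is rejected rather than
    silently scanning the wrong thing.
    """
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    current = list(scanned)           # protocols a prefix-less item applies to
    for raw in spec.split(","):
        item = raw.strip()
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        prefix, low, high = m.groups()
        if prefix:                    # prefix sticks until the next one
            current = ["tcp" if prefix == "T" else "udp"]
        lo = int(low)
        hi = int(high) if high is not None else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        for proto in current:
            ports[proto].update(range(lo, hi + 1))
    return ports
```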

Determining versions of running services

As noted at the beginning of the article, Nmap can, with a high degree of probability, determine the version of the operating system running on a remote computer. It can also identify the versions of the services running on a remote PC, provided the ports of those services are open. Knowing the OS and service versions gives a clearer picture of how vulnerable the computer under investigation is and which holes in its services may remain open to attack. To obtain the version of a running service or of the operating system, Nmap uses its database of signatures specific to particular software versions. This information is collected after any scan, whatever method was used to find the open ports. Version detection does not always succeed, but in most cases the information obtained in this way gives an idea of the system used on the remote computer. If Nmap receives a response from a host but cannot match it to any description in its database, it prints the raw result on the screen. If the OS or service version is known to you but Nmap could not determine it, you can copy that output and send it to the developers, and the signature will be included in the next version of the program. Table 4 shows the switches for determining the versions of services running on the remote host.

Table 4. Scan settings to determine service versions

The --allports switch shown in Table 4 is generally not used, because when it is enabled Nmap also sends probes to TCP port 9100. Many printers have the drawback that they print whatever they receive on port 9100, so to avoid mountains of wasted paper TCP port 9100 is skipped during version detection by default.

Determining the OS version on a remote computer

Of course, one of the most interesting options is determining the operating system of the remote computer. For this a refined form of the service version detection method is used: Nmap performs various tests, sending packets over different protocols under different conditions to the computer being tested, and compares the results with the reference values in the nmap-os-fingerprints file to produce a summary for the computer. Depending on the quantity and quality of the information received, Nmap can determine the OS vendor, its approximate version and the type of equipment, since the scanned device is not always a computer; it may also be a router, a managed switch, etc. To activate this detection, specify the -O switch, or the -A switch, which enables detection of both the operating system version and the versions of running services. Fig. 18 shows an example of OS detection.

Fig. 18. Operating system detection

Time delay settings

Scan speed is determined by the timing parameters for waiting for replies and for sending packets. By default, Nmap uses the timing settings that give plausible results most efficiently. However, security professionals using this scanner may need special timing settings for certain scanning methods. For this reason the Nmap developers allow some timing constants to be set manually, as well as a scanning "schedule" to be chosen. Some switches take a time value, which is entered in milliseconds by default, but the time can also be written with the suffix s, m or h appended to the numerical value, which shortens and simplifies the notation considerably. For example, 600000, 600s and 10m denote the same time. The available timing and performance switches are given in Table 5.

Table 5. Timing and performance settings

Scan Schedule

As stated above, Nmap allows you to set a scanning schedule to try to hide your presence from firewalls and security systems. There are six schedules: Paranoid, Sneaky, Polite, Normal, Aggressive and Insane, with Normal being the default. The timing delays and other characteristics of each schedule are given in Table 6.

Table 6. Characteristics of various scan schedules

Additional command line options

Almost all of the most important command line parameters have been described above. Below are some other commonly used ones:

  • -S - use a different source IP address in the packets sent to the computer. In this case, the server returns its responses to the specified address;
  • -e - use only a specific network interface, for example nmap -e eth0;
  • -v; -d - display the current scan status as it proceeds. The -d switch enables debug mode, which displays all available information about the current state of operation, as well as errors and their codes;
  • -g (alternative --source-port) - select the source port from which packets are sent during scanning;
  • --data-length - set the packet size in bytes. The default values are 40 and 28 for TCP and ICMP requests, respectively;
  • --ttl - set the time-to-live field of the IP packets;
  • --spoof-mac - use a different (physical) MAC address in the frames. Examples of the argument: Dlink, 0, 01:02:03:04:05:06;
  • --badsum - send TCP and ICMP packets with a corrupted checksum. Firewalls or security systems will typically respond to such packets;
  • -6 - scan IPv6 networks. In this case an IPv6 address or host name must be specified;
  • --log-errors - record all errors in a log file;
  • -oN; -oM; -oS; -oA; -oG - record the scan results in a log. The types differ in how the information is stored. -oN records the information as it appears on the screen, and -oA file records all formats at once into files named file with the corresponding extensions (*.xml, *.gnmap, *.nmap).

Conclusion

Of course, not all of the scanner's options have been covered in sufficient depth. Most users limit themselves to the standard scanning methods. The Nmap scanner is intended not only for ordinary network users but also for system administrators and developers of security systems, and many of its tools will be useful to them in their work. Nmap is constantly being updated and improved. Since, like many other programs for Linux systems, it is free, anyone can contribute to its development.

In conclusion, I would like to note that network scanners and similar programs are created primarily to prevent hacking and active attacks. By scanning your own computer, you may well discover not only numerous open ports but even a Trojan that the antivirus missed. Therefore, the ability to work with such software will always help in the difficult task of resisting hacking. The network scanner considered here provides the user with the widest possible range of scan types and additional monitoring capabilities. By selecting and combining different scanning techniques, you can find out information about a computer or network device running any operating system.