• Port Scanning | 103
  • Learning Kali Linux


    Port Scanning with Nmap
    The de facto port scanner today, and the first one to become mainstream, is nmap.
    At this point, nmap has been around for more than 20 years and has made its way
    into major motion pictures, like The Matrix. It has become such an important security
    tool that the command-line switches used by nmap have been replicated by other port
    scanners. While you may have an idea about what a port scanner is, nmap introduces
    far more capabilities than just probing ports.
    Starting off with port scanning, though, we can look at how nmap handles a TCP
    scan. Before we get there, it's important to realize that there are various types of TCP
    scans. Even in the context of a scan built around the SYN message, there are a
    couple of different ways of doing it. The first is a simple SYN scan (-sS): nmap sends
    out a SYN message and records whether the port is open or closed. If the port is
    closed, the target answers with a RST and nmap moves on. If nmap gets a SYN/ACK,
    the port is open; nmap then responds with a RST rather than the ACK that would
    complete the handshake, so the receiving end tears the embryonic connection down
    instead of holding it open. If nothing comes back at all, nmap reports the port as
    filtered, since a firewall may have dropped the probe. This is sometimes called a
    half-open scan. Because it requires crafting raw packets, the SYN scan needs root
    privileges.
    In a full-connect scan (-sT), nmap completes the three-way handshake before closing
    the connection, using the operating system's ordinary connect() call rather than raw
    packets, so it works without root privileges and is what nmap falls back to when it
    lacks them. One consequence of this type of scan is that applications aren't left
    with half-open connections across the server. The trade-off is visibility: a completed
    handshake is handed to the listening application, which may log it, whereas a
    half-open probe never gets that far, so a full-connect scan is not necessarily less
    noticeable to a monitoring system or team. The open/closed/filtered results are the
    same from either scan. It comes down to which is more polite to the target and what
    privileges you have. In Example 3-16, you can see partial results from a full-connect
    scan. In this example, I'm using nmap to scan the entire network. The /24 designation
    tells nmap to scan all hosts from 192.168.86.0-255. This is one way of denoting that.
    You can also provide ranges (192.168.86.1-50) or lists of addresses if that's what
    you need to do.
    Example 3-16. Full connect nmap scan
    root@rosebud:~# nmap -sT -T 5 192.168.86.0/24
    Nmap scan report for testwifi.here (192.168.86.1)
    Host is up (0.00092s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    53/tcp   open  domain
    80/tcp   open  http
    5000/tcp open  upnp
    8080/tcp open  http-proxy
    8081/tcp open  blackice-icecap
    MAC Address: 18:D6:C7:7D:F4:8A (Tp-link Technologies)
    Nmap scan report for myq-d9f.lan (192.168.86.20)
    Host is up (0.0064s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    80/tcp open  http
    MAC Address: 64:52:99:54:7F:C5 (The Chamberlain Group)
    In the output, nmap provides not only the port number but also the service. This service
    name comes from a list of service identifiers that nmap knows (its nmap-services file,
    keyed by port number) and has nothing to do with what may actually be running on that
    port. nmap can determine which service is really running on the port by getting
    application responses, which is what the version-detection switch -sV does. nmap also
    helpfully provides a lookup of the vendor ID from the MAC address. This vendor ID can help
    you identify the device you are looking at. The first one, for instance, is from Tp-Link
    Technologies. Tp-Link makes network hardware like wireless access point/router devices.
    Note that the MAC address appears only because the scanner sits on the same network
    segment as the targets and sees their ARP replies; across a router, nmap has no way
    to see it.
    You may have noticed that I didn't specify ports I wanted to scan. By default, nmap
    will scan the 1,000 most commonly used ports. This makes the scan faster than scanning
    all 65,535 TCP ports, since you won't see the vast majority of those ports in use. If you
    want to specify ports, you can use ranges or lists with -p, such as -p 22,80,8000-8100.
    If you want to scan all the ports, you can use the command-line switch -p-. This tells
    nmap to scan everything. nmap also has a default speed at which it scans, chosen with
    the -T switch (-T0 through -T5; the -T 5 in Example 3-16 is the fastest). The timing
    template sets the delay between the messages that are sent, along with how many probes
    run in parallel and how long nmap waits for a response.
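    To make the full-connect mechanics and the port-specification syntax concrete, here is an
    added example, written for this edit and not taken from the book or from nmap itself. It
    is a small -sT-style scanner in Python using only the standard library: each probe is an
    ordinary connect() call, a completed handshake means open, an immediate refusal (the RST
    nmap describes) means closed, and no answer within the timeout is reported as filtered. The
    port-spec parser accepts the same shapes nmap's -p does (lists, ranges, and a bare "-" for
    every port), and the report folds closed ports into a single "Not shown" line the way the
    output above does. The target is a constructed listener on 127.0.0.1 and the helper names
    (probe, connect_scan, start_listener, find_closed_port) are this example's own, so it runs
    offline without touching any real network.

```python
"""Full-connect (nmap -sT style) TCP scanner with nmap-like -p port specs.

Added example, not from the book or from nmap. Standard library only, so it
runs offline against a throwaway listener on 127.0.0.1 (constructed below).
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec: str) -> list[int]:
    """Expand an nmap-style spec: "22,80,8000-8010", "-3", "65530-", or "-" for all."""
    if spec == "-":
        return list(range(1, 65536))
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo) if lo else 1, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(part))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port out of range: {bad[0]}")
    return sorted(ports)


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """One full-connect probe: complete the three-way handshake, then close."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # SYN -> SYN/ACK -> ACK completes the handshake
        return "open"
    except ConnectionRefusedError:     # target answered our SYN with RST
        return "closed"
    except OSError:                    # timeout or unreachable: probe dropped, so filtered
        return "filtered"
    finally:
        s.close()                      # tear the connection down again


def connect_scan(host: str, spec: str, timeout: float = 1.0, workers: int = 50) -> dict[int, str]:
    """Scan every port in spec concurrently and return {port: state}."""
    ports = parse_ports(spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def report(results: dict[int, str]) -> str:
    """Summarise like nmap does: fold the closed ports into one "Not shown" line."""
    closed = sum(1 for st in results.values() if st == "closed")
    lines = [f"Not shown: {closed} closed ports", "PORT      STATE"]
    for port, st in sorted(results.items()):
        if st != "closed":
            lines.append(f"{port}/tcp".ljust(10) + st)
    return "\n".join(lines)


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Constructed target: accept-and-close listener on a kernel-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:            # listener closed: stop serving
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def find_closed_port(host: str = "127.0.0.1") -> int:
    """Constructed: borrow an ephemeral port from the kernel and release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    results = connect_scan("127.0.0.1", f"{open_port},{closed_port}")
    print(report(results))
    srv.close()
```

    Running it prints one open port and folds the other into "Not shown: 1 closed ports".
    Because every probe completes the handshake, the listener's accept() fires for each open
    port, which is exactly why a full-connect scan is visible to the application in a way a
    half-open SYN scan is not. A "filtered" result here only means no answer arrived before the
    timeout; on a real target that can be a firewall dropping the probe or simply a host that
    is down.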