本节书摘来自异步社区《Nmap渗透测试指南》一书中的第2章2.6节TCP ACK Ping扫描,作者 商广明,更多章节内容可以访问云栖社区“异步社区”公众号查看。
2.6 TCP ACK Ping扫描表2.5所示为本章节所需Nmap命令表,表中加粗命令为本小节所需命令——TCP ACK Ping扫描。
使用-PA选项可以进行TCP ACK Ping扫描,它与TCP SYN Ping扫描是非常类似的,唯一的区别是设置TCP的标志位是ACK而不是SYN,使用这种方式扫描可以探测阻止SYN包或ICMP Echo请求的主机。很多防火墙会封锁SYN报文,所以Nmap提供了TCP SYN Ping扫描与TCP ACK Ping扫描两种探测方式,这两种方式可以极大地提高通过防火墙的概率,我们还可以同时使用-PS与-SA来既发送SYN又发送ACK。在使用TCP ACK Ping扫描时,Nmap会发送一个ACK标志的TCP包给目标主机,如果目标主机不是存活状态则不响应该请求,如果目标主机在线则会返回一个RST包。
root@Wing:~# nmap -PA -v 192.168.121.1 Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:43 CST Initiating Ping Scan at 11:43 Scanning 192.168.121.1 [1 port] Completed Ping Scan at 11:43, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 11:43 Completed Parallel DNS resolution of 1 host. at 11:43, 0.01s elapsed Initiating SYN Stealth Scan at 11:43 Scanning 192.168.121.1 [1000 ports] Discovered open port 135/tcp on 192.168.121.1 Discovered open port 139/tcp on 192.168.121.1 Discovered open port 445/tcp on 192.168.121.1 Discovered open port 912/tcp on 192.168.121.1 Discovered open port 49155/tcp on 192.168.121.1 Discovered open port 8000/tcp on 192.168.121.1 Discovered open port 902/tcp on 192.168.121.1 Discovered open port 7000/tcp on 192.168.121.1 Increasing send delay for 192.168.121.1 from 0 to 5 due to 126 out of 418 dropped probes since last increase. Discovered open port 49152/tcp on 192.168.121.1 Discovered open port 49153/tcp on 192.168.121.1 Discovered open port 49165/tcp on 192.168.121.1 Discovered open port 843/tcp on 192.168.121.1 Completed SYN Stealth Scan at 11:45, 139.14s elapsed (1000 total ports) Nmap scan report for 192.168.121.1 Host is up (1.0s latency). Not shown: 987 closed ports PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 514/tcp filtered shell 843/tcp open unknown 902/tcp open iss-realsecure 912/tcp open apex-mesh 7000/tcp open afs3-fileserver 8000/tcp open http-alt 49152/tcp open unknown 49153/tcp open unknown 49155/tcp open unknown 49165/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 139.22 seconds Raw packets sent: 1723 (75.808KB) | Rcvd: 1014 (40.845KB) root@Wing:~#同时使用-PS与-PA选项,代码如下。
root@Wing:~# nmap -PA -PS 192.168.126.131 Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 20:39 CST Nmap scan report for 192.168.126.131 Host is up (0.00037s latency). Not shown: 977 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 53/tcp open domain 80/tcp open http 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 512/tcp open exec 513/tcp open login 514/tcp open shell 1099/tcp open rmiregistry 1524/tcp open ingreslock 2049/tcp open nfs 2121/tcp open ccproxy-ftp 3306/tcp open mysql 5432/tcp open postgresql 5900/tcp open vnc 6000/tcp open X11 6667/tcp open irc 8009/tcp open ajp13 8180/tcp open unknown MAC Address: 00:0C:29:E0:2E:76 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds root@Wing:~#接下来我们看一个被防火墙阻止的案例,首先使用TCP ACK Ping方式对目标主机进行扫描。
root@Wing:~# nmap -PA -v 192.168.22.22 Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:46 CST Initiating Ping Scan at 11:46 Scanning 192.168.22.22 [1 port] Completed Ping Scan at 11:46, 2.01s elapsed (1 total hosts) Nmap scan report for 192.168.22.22 [host down] Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 2.04 seconds Raw packets sent: 2 (80B) | Rcvd: 0 (0B) root@Wing:~#从输出的结果中发现目标主机是没有存活的状态,尝试使用TCP SYN Ping进行扫描,对目标主机的存活状态进行判断。
root@Wing:~# nmap -PS -v 192.168.121.1 Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:50 CST Initiating Ping Scan at 11:50 Scanning 192.168.121.1 [1 port] Completed Ping Scan at 11:50, 1.00s elapsed (1 total hosts) Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 109.97 seconds Raw packets sent: 1760 (77.440KB) | Rcvd: 1020 (40.848KB) root@Wing:~#从输出的结果得知目标主机是存活状态,由此可以说明TCP ACK包被目标主机防火墙阻止了。
相关资源:敏捷开发V1.0.pptx