Basic operations of NMAP scanning


Today I will continue introducing knowledge related to penetration testing. The main topic of this article is NMAP scanning.

Disclaimer:
The content of this article is for learning and exchange only. Using the techniques described here for illegal acts is strictly prohibited; anyone who does so bears full responsibility for the consequences. Please do not run NMAP scans at random.

1. PING scan using NMAP

Execute the command:

nmap -sn 192.168.136.0/24

This makes NMAP scan for all live hosts in the 192.168.136.0/24 network segment. In the above command, the -sn parameter tells NMAP to perform a PING (host discovery) scan without scanning ports. The execution result of the command is as follows:
As can be seen from the above figure, there are a total of 4 live hosts in the current network.
If we use Wireshark to capture packets while executing the above command, the result is as follows:
In the capture we can see a large number of ARP request packets; these are the packets NMAP sends for the PING scan. On a local Ethernet segment NMAP discovers hosts with ARP requests rather than ICMP echo, because a host that answers ARP is alive even if it filters ICMP.

2. Half-open (SYN) scan using NMAP

Execute the command:

nmap -sS 192.168.136.16 -p 80,3306,22,53,631

This scans the specified ports of the specified host. The -sS parameter selects the half-open scan, also called a SYN scan: NMAP sends a TCP SYN packet to the target port. If a RST packet comes back, the port is closed. If a SYN+ACK packet comes back, the port is open; NMAP then replies with a RST packet to tear the connection down. Because the half-open scan never completes the TCP three-way handshake, it is less conspicuous than a full connect scan. The -p parameter is followed by the ports to be scanned. The execution result of this command is as follows:
From the above results, it can be seen that the 192.168.136.16 device has ports 22 and 80 open.
In the above command, in addition to listing ports separated by commas, we can also use a dash to specify a port range, as shown below:
If we capture packets with Wireshark while NMAP performs the port scan, we can see a large number of TCP SYN packets, as shown below. Looking closely, we can follow the half-open scanning process of TCP: SYN, then SYN+ACK or RST from the target, then a RST from NMAP for the open ports.
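The SYN/SYN+ACK/RST exchange described above also gives a defender a signature to look for in a capture. The following Python is an added example, not code from the original post: it tracks each SYN-initiated flow through the states the post describes and flags a client that probes several ports on one host without ever completing a handshake. The packet records are constructed tuples (src, dst, sport, dport, flags) modelled on the post's scenario; a real deployment would fill them from a capture parser.

```python
from collections import defaultdict
# Constructed sample capture matching the post: 192.168.136.1 SYN-scans
# 192.168.136.16 on the post's ports (22 and 80 open, the rest closed), and
# 192.168.136.20 makes one normal SSH connection. Fields: src, dst, sport, dport, flags.
PACKETS = [
    ("192.168.136.1", "192.168.136.16", 40001, 80, "S"),
    ("192.168.136.16", "192.168.136.1", 80, 40001, "SA"),
    ("192.168.136.1", "192.168.136.16", 40001, 80, "R"),      # open: scanner sends RST
    ("192.168.136.1", "192.168.136.16", 40002, 3306, "S"),
    ("192.168.136.16", "192.168.136.1", 3306, 40002, "RA"),   # closed: target sends RST
    ("192.168.136.1", "192.168.136.16", 40003, 22, "S"),
    ("192.168.136.16", "192.168.136.1", 22, 40003, "SA"),
    ("192.168.136.1", "192.168.136.16", 40003, 22, "R"),
    ("192.168.136.1", "192.168.136.16", 40004, 53, "S"),
    ("192.168.136.16", "192.168.136.1", 53, 40004, "RA"),
    ("192.168.136.1", "192.168.136.16", 40005, 631, "S"),
    ("192.168.136.16", "192.168.136.1", 631, 40005, "RA"),
    ("192.168.136.20", "192.168.136.16", 51000, 22, "S"),
    ("192.168.136.16", "192.168.136.20", 22, 51000, "SA"),
    ("192.168.136.20", "192.168.136.16", 51000, 22, "A"),     # full three-way handshake
]

def track_flows(packets):
    """Map each SYN-initiated flow (client, server, port) to its final state."""
    flows = {}
    for src, dst, sport, dport, flags in packets:
        if flags == "S":                   # client opens a new flow
            flows[(src, dst, dport)] = "syn"
            continue
        rev = (dst, src, sport)            # server replying to the client's flow
        fwd = (src, dst, dport)            # client continuing its own flow
        if rev in flows and flags == "SA":
            flows[rev] = "synack"
        elif flows.get(rev) == "syn" and "R" in flags:
            flows[rev] = "closed"
        elif flows.get(fwd) == "synack":
            flows[fwd] = "established" if flags == "A" else "aborted"
    return flows

def detect_syn_scanners(packets, min_ports=3):
    """Flag (client, server) pairs where the client probed >= min_ports distinct
    ports and never completed a handshake: the half-open signature from the post."""
    probes, completed = defaultdict(set), set()
    for (client, server, port), state in track_flows(packets).items():
        if state in ("closed", "aborted"):
            probes[(client, server)].add(port)
        elif state == "established":
            completed.add((client, server))
    return {pair: sorted(ports) for pair, ports in probes.items()
            if len(ports) >= min_ports and pair not in completed}
```

The legitimate SSH client is not reported because its flow reaches the established state; the scanner is reported with every port it touched, whether the target answered SYN+ACK or RST.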

3. Operating system scan using NMAP

In addition to port scanning, NMAP also supports operating system detection. Execute the command:

nmap -O 192.168.136.16

This detects the operating system of the target host. The -O parameter enables operating system detection. The execution result of this command is as follows:
As can be seen from the above figure, NMAP detects that the host runs a Linux operating system with a kernel version between 3.2 and 4.9.
NMAP detects the operating system by sending a large number of probe packets to the host, as shown below:
Different operating systems respond to these packets in slightly different ways. NMAP uses these subtle differences to determine the target operating system.
Original work takes effort; please credit the source when reprinting: /weixin_40228200
