■Reference
Port scanning techniques
http://nmap.org/man/jp/man-port-scanning-techniques.html
■Observe the 3-way handshake (SYN ⇒ SYN/ACK ⇒ ACK).
If the SYN and ACK are received, the connection is made; it is closed with FIN and the resources are released.
$ sudo tcpdump -i eth0 tcp port 21 or tcp port 80 or icmp
■Scanning from outside.
"-F" is the default, so the result is the same.
The targets are narrowed down to FTP and ssh.
$ man nmap | grep "\-F\:"
-F: Fast mode - Scan fewer ports than the default scan
$ sudo nmap -F 192.168.45.11 | grep "^21\|^80"
21/tcp open ftp
80/tcp open http
16:52:39.641357 IP 192.168.45.1.48763 > 192.168.45.11.http
16:52:39.641450 IP 192.168.45.11.http > 192.168.45.1.48763
16:52:39.643144 IP 192.168.45.1.48763 > 192.168.45.11.http
16:52:39.645675 IP 192.168.45.1.48763 > 192.168.45.11.ftp
16:52:39.645735 IP 192.168.45.11.ftp > 192.168.45.1.48763
16:52:39.650003 IP 192.168.45.1.48763 > 192.168.45.11.ftp
■The connect scan is the one used most often.
For example, when checking whether a remote ssh service is running.
$ sudo nmap -sT 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp open ftp
80/tcp open http
16:58:10.079207 IP 192.168.45.1.52097 > 192.168.45.11.ftp
16:58:10.079265 IP 192.168.45.11.ftp > 192.168.45.1.52097
16:58:10.080458 IP 192.168.45.1.52097 > 192.168.45.11.ftp
16:58:10.087225 IP 192.168.45.1.52097 > 192.168.45.11.ftp
16:58:10.097727 IP 192.168.45.1.60773 > 192.168.45.11.http
16:58:10.097778 IP 192.168.45.11.http > 192.168.45.1.60773
16:58:10.116394 IP 192.168.45.1.60773 > 192.168.45.11.http
16:58:10.116420 IP 192.168.45.1.60773 > 192.168.45.11.http
■SYN scan
Sets the SYN flag, which begins the TCP connection-open procedure,
and synchronizes the sequence and ACK numbers of both sides.
Because no TCP connection is established, it is relatively stealthy.
It can also be used as a "SYN DoS".
$ sudo nmap -sS 192.168.45.11 -p 21,80 | grep ^[0-9]
21/tcp open ftp
22/tcp open ssh
16:59:49.368553 IP 192.168.45.1.40612 > 192.168.45.11.http: Flags [S], seq 2779294566, win 3072, options [mss 1460], length 0
16:59:49.368848 IP 192.168.45.11.http > 192.168.45.1.40612: Flags [S.], seq 2441272261, ack 2779294567, win 14600, options [mss 1460], length 0
16:59:49.370035 IP 192.168.45.1.40612 > 192.168.45.11.ftp: Flags [S], seq 2779294566, win 3072, options [mss 1460], length 0
16:59:49.370085 IP 192.168.45.11.ftp > 192.168.45.1.40612: Flags [S.], seq 3637198344, ack 2779294567, win 14600, options [mss 1460], length 0
16:59:49.373641 IP 192.168.45.1.40612 > 192.168.45.11.http: Flags [R], seq 2779294567, win 0, length 0
16:59:49.373782 IP 192.168.45.1.40612 > 192.168.45.11.ftp: Flags [R], seq 2779294567, win 0, length 0
■ACK scan
Sets the ACK flag, which is meaningful only while a TCP connection is in progress (i.e. after the open).
The ACK flag is set in every TCP packet from the second packet of connection establishment onward.
$ sudo nmap -sA 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp unfiltered ftp
80/tcp unfiltered http
17:01:38.568070 IP 192.168.45.1.45046 > 192.168.45.11.http: Flags [.], ack 2447807901, win 1024, length 0
17:01:38.568177 IP 192.168.45.11.http > 192.168.45.1.45046: Flags [R], seq 2447807901, win 0, length 0
17:01:38.575376 IP 192.168.45.1.45046 > 192.168.45.11.ftp: Flags [.], ack 2634314616, win 3072, length 0
17:01:38.575429 IP 192.168.45.11.ftp > 192.168.45.1.45046: Flags [R], seq 2634314616, win 0, length 0
■FIN scan
Sets the flag that terminates a TCP connection.
$ sudo nmap -sF 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp open|filtered ftp
80/tcp open|filtered http
17:03:37.080504 IP 192.168.45.1.40230 > 192.168.45.11.http: Flags [F], seq 3979127009, win 2048, length 0
17:03:37.087531 IP 192.168.45.1.40230 > 192.168.45.11.ftp: Flags [F], seq 3979127009, win 4096, length 0
17:03:38.185711 IP 192.168.45.1.40231 > 192.168.45.11.ftp: Flags [F], seq 3979192544, win 1024, length 0
17:03:38.185800 IP 192.168.45.1.40231 > 192.168.45.11.http: Flags [F], seq 3979192544, win 2048, length 0
■NULL scan
Sets no bits at all (the flags in the TCP header are 0).
$ sudo nmap -sN 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp open|filtered ftp
80/tcp open|filtered http
17:04:21.479327 IP 192.168.45.1.48171 > 192.168.45.11.http: Flags [F], win 3072, length 0
17:04:21.491991 IP 192.168.45.1.48171 > 192.168.45.11.ftp: Flags [F], win 3072, length 0
17:04:22.588517 IP 192.168.45.1.48172 > 192.168.45.11.ftp: Flags [F], win 1024, length 0
17:04:22.588709 IP 192.168.45.1.48172 > 192.168.45.11.http: Flags [F], win 2048, length 0
■Xmas scan
Sets all of the FIN, PSH and URG flags.
$ sudo nmap -sX 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp open|filtered ftp
80/tcp open|filtered http
17:05:14.540683 IP 192.168.45.1.55609 > 192.168.45.11.http: Flags [FPU], seq 974722143, win 3072, urg 0, length 0
17:05:14.548920 IP 192.168.45.1.55609 > 192.168.45.11.ftp: Flags [FPU], seq 974722143, win 2048, urg 0, length 0
17:05:15.647350 IP 192.168.45.1.55610 > 192.168.45.11.ftp: Flags [FPU], seq 974656606, win 1024, urg 0, length 0
17:05:15.647896 IP 192.168.45.1.55610 > 192.168.45.11.http: Flags [FPU], seq 974656606, win 2048, urg 0, length 0
■Window size scan
Determines the maximum amount of data that can be sent.
A 16-bit value from 0 to 65535.
※0 requests that the sender temporarily stop sending data.
$ sudo nmap -sW 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp closed ftp
80/tcp closed http
17:05:57.151231 IP 192.168.45.1.57961 > 192.168.45.11.ftp: Flags [.], ack 1971727656, win 1024, length 0
17:05:57.151300 IP 192.168.45.11.ftp > 192.168.45.1.57961: Flags [R], seq 1971727656, win 0, length 0
17:05:57.155992 IP 192.168.45.1.57961 > 192.168.45.11.http: Flags [.], ack 2740409288, win 1024, length 0
17:05:57.156090 IP 192.168.45.11.http > 192.168.45.1.57961: Flags [R], seq 2740409288, win 0, length 0
■TCP Maimon scan
The same as the Null, FIN and Xmas scans, except that the probe is FIN/ACK.
$ sudo nmap -sM 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp closed ftp
80/tcp closed http
17:07:38.165711 IP 192.168.45.1.33548 > 192.168.45.11.http: Flags [F.], seq 4039770283, ack 399449485, win 3072, length 0
17:07:38.165778 IP 192.168.45.11.http > 192.168.45.1.33548: Flags [R], seq 399449485, win 0, length 0
17:07:38.165983 IP 192.168.45.1.33548 > 192.168.45.11.ftp: Flags [F.], seq 4039770283, ack 1370093746, win 4096, length 0
17:07:38.166060 IP 192.168.45.11.ftp > 192.168.45.1.33548: Flags [R], seq 1370093746, win 0, length 0
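To make the difference between the connect scan and the SYN scan, and the flag patterns of the ACK, FIN, NULL, Xmas and Maimon probes, mechanical, here is an added Python example (not code from the page, nmap or tcpdump). It parses tcpdump lines in the format captured above, groups them into flows, labels each probe by its flags, judges whether a SYN that got a SYN/ACK was completed or reset, and maps the target's replies to the port states nmap reports. The sample lines are constructed to mimic the format above (not a real capture), and the per-source summary at the end is the kind of signal a defender would alert on.

```python
import re

# Constructed sample lines in the tcpdump format seen above (not a real capture):
# a connect scan that completes the handshake, a SYN scan that resets it, and one
# stateless probe of each kind (ACK, FIN, NULL, Xmas, Maimon) with the replies a
# Linux target would send. "[none]" is how newer tcpdump prints a flagless segment.
SAMPLE = """\
17:00:00.000100 IP 192.168.45.1.52097 > 192.168.45.11.ftp: Flags [S], seq 100, win 3072, options [mss 1460], length 0
17:00:00.000200 IP 192.168.45.11.ftp > 192.168.45.1.52097: Flags [S.], seq 500, ack 101, win 14600, options [mss 1460], length 0
17:00:00.000300 IP 192.168.45.1.52097 > 192.168.45.11.ftp: Flags [.], ack 501, win 3072, length 0
17:00:00.000400 IP 192.168.45.1.52097 > 192.168.45.11.ftp: Flags [F.], seq 101, ack 501, win 3072, length 0
17:00:01.000100 IP 192.168.45.1.40612 > 192.168.45.11.http: Flags [S], seq 200, win 3072, options [mss 1460], length 0
17:00:01.000200 IP 192.168.45.11.http > 192.168.45.1.40612: Flags [S.], seq 600, ack 201, win 14600, options [mss 1460], length 0
17:00:01.000300 IP 192.168.45.1.40612 > 192.168.45.11.http: Flags [R], seq 201, win 0, length 0
17:00:02.000100 IP 192.168.45.1.45046 > 192.168.45.11.http: Flags [.], ack 300, win 1024, length 0
17:00:02.000200 IP 192.168.45.11.http > 192.168.45.1.45046: Flags [R], seq 300, win 0, length 0
17:00:03.000100 IP 192.168.45.1.40230 > 192.168.45.11.ftp: Flags [F], seq 400, win 2048, length 0
17:00:04.000100 IP 192.168.45.1.48171 > 192.168.45.11.ftp: Flags [none], win 3072, length 0
17:00:05.000100 IP 192.168.45.1.55609 > 192.168.45.11.http: Flags [FPU], seq 500, win 3072, urg 0, length 0
17:00:06.000100 IP 192.168.45.1.33548 > 192.168.45.11.ftp: Flags [F.], seq 600, ack 700, win 3072, length 0
17:00:06.000200 IP 192.168.45.11.ftp > 192.168.45.1.33548: Flags [R], seq 700, win 0, length 0
"""

# One tcpdump TCP summary line: timestamp, "IP", src.port > dst.port: Flags [..]
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Probe flag sets as tcpdump prints them ('.' is the ACK marker). The window scan
# (-sW) sends the same bare ACK as -sA and differs only in how the RST's window
# field is read, so it is not separated here.
PROBES = {
    frozenset("S"): "SYN",
    frozenset("."): "ACK",
    frozenset("F"): "FIN",
    frozenset(): "NULL",
    frozenset("FPU"): "Xmas",
    frozenset("F."): "Maimon",   # FIN/ACK
}


def parse(text):
    """Yield (src, sport, dst, dport, flagset) for every TCP line in the text."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            flags = m["flags"]
            fset = frozenset() if flags == "none" else frozenset(flags)
            yield m["src"], m["sport"], m["dst"], m["dport"], fset


def classify_probe(flagset):
    return PROBES.get(frozenset(flagset), "other")


def verdict(probe, replies):
    """Map the target's replies to the port state nmap would report for this probe."""
    rst = any("R" in r for r in replies)
    if probe == "SYN":
        if rst:
            return "closed"
        return "open" if any({"S", "."} <= r for r in replies) else "filtered"
    if probe == "ACK":
        return "unfiltered" if rst else "filtered"
    if probe in ("FIN", "NULL", "Xmas", "Maimon"):
        return "closed" if rst else "open|filtered"
    return "unknown"


def analyze(text):
    """Group packets into flows (client, client port, server, server port), classify
    the client's first packet and, for a SYN that drew a SYN/ACK, say whether the
    client finished the handshake (connect) or reset it (SYN scan)."""
    flows = {}
    for src, sport, dst, dport, fset in parse(text):
        reverse = (dst, dport, src, sport)
        if reverse in flows:                       # reply from the server side
            flows[reverse]["server"].append(fset)
        else:
            flows.setdefault((src, sport, dst, dport),
                             {"client": [], "server": []})["client"].append(fset)
    results = []
    for (src, sport, dst, dport), f in flows.items():
        probe = classify_probe(f["client"][0])
        state = verdict(probe, f["server"])
        handshake = "n/a"
        if probe == "SYN" and state == "open":
            later = f["client"][1:]
            if any(c == frozenset(".") for c in later):
                handshake = "completed (connect scan or real client)"
            elif any(c == frozenset("R") for c in later):
                handshake = "half-open, reset (SYN scan)"
            else:
                handshake = "incomplete"
        results.append({"src": src, "dst": dst, "dport": dport,
                        "probe": probe, "state": state, "handshake": handshake})
    return results


def summarize(text):
    """Per source address: distinct probe types and number of target ports touched.
    One source cycling through several probe types is a strong scan signal."""
    by_src = {}
    for r in analyze(text):
        s = by_src.setdefault(r["src"], {"probes": set(), "ports": set()})
        s["probes"].add(r["probe"])
        s["ports"].add((r["dst"], r["dport"]))
    return {src: {"probe_types": sorted(v["probes"]), "ports": len(v["ports"])}
            for src, v in by_src.items()}
```

Run `analyze(SAMPLE)` to see one row per flow and `summarize(SAMPLE)` for the per-source view; feeding it `tcpdump -nn` output from the command at the top of the page works the same way, since only the `Flags [..]` field and the endpoints are read.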
■IP protocol scan
Checks which IP protocols (TCP, ICMP, IGMP, etc.) are supported.
It takes time.
$ sudo nmap -sO 192.168.45.11 | grep "^P[0-9]"
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 open udp
103 open|filtered pim
136 open|filtered udplite
■FTP bounce scan
Checks whether proxy FTP connections are supported.
$ sudo nmap -b 192.168.45.11 -p 21,80 | nkf -f80
WARNING: No targets were specified, so 0 hosts scanned.
Hint: if your bounce scan target hosts aren't reachable from here, remember to use
-PN so we don't try and ping them prior to the scan
Starting Nmap 5.00 ( http://nmap.org ) at 2013-06-08 17:37 JST Nmap done: 0 IP addresses
(0 hosts up) scanned in 0.21 seconds
■PN (No Ping) scan
This only skips ping for host discovery; ping is not always used in the first place.
$ sudo nmap -PN -b 192.168.45.11 -p 21,80 | nkf -f80
WARNING: No targets were specified, so 0 hosts scanned.
Starting Nmap 5.00 ( http://nmap.org ) at 2013-06-08 17:37 JST Nmap done: 0 IP
addresses (0 hosts up) scanned in 0.21 seconds
■ping
$ ping -c 1 192.168.45.11
PING 192.168.45.11 (192.168.45.11) 56(84) bytes of data.
64 bytes from 192.168.45.11: icmp_req=1 ttl=64 time=0.725 ms
--- 192.168.45.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.725/0.725/0.725/0.000 ms
17:35:12.680308 IP 192.168.45.1 > 192.168.45.11: ICMP echo request, id 4565, seq 1, length 64
17:35:12.680380 IP 192.168.45.11 > 192.168.45.1: ICMP echo reply, id 4565, seq 1, length 64
■fping
$ fping -c 1 192.168.45.11
192.168.45.11 : [0], 84 bytes, 1.06 ms (1.06 avg, 0% loss)
192.168.45.11 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 1.06/1.06/1.06
17:35:41.109004 IP 192.168.45.1 > 192.168.45.11: ICMP echo request, id 4566, seq 0, length 64
17:35:41.109092 IP 192.168.45.11 > 192.168.45.1: ICMP echo reply, id 4566, seq 0, length 64
■Discovering hosts within a 24-bit mask
$ fping -c 1 -g 192.168.45.0/24 2>&1 | grep -v "Unreachable\|1\/0\/100%"
192.168.45.11 : [0], 84 bytes, 0.79 ms (0.79 avg, 0% loss)
192.168.45.1 : [0], 84 bytes, 0.18 ms (0.18 avg, 0% loss)
192.168.45.0 : xmt/rcv/%loss = 0/0/0%
192.168.45.1 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.18/0.18/0.18
192.168.45.11 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.79/0.79/0.79
192.168.45.255 : xmt/rcv/%loss = 0/0/0%
■The environment is Wheezy on Wheezy, but identification seems to get only as far as "i686-pc-linux-gnu".
$ sudo nmap -sS -O 192.168.45.0/24 | grep -v "^[0-9]\|^MAC"
Starting Nmap 5.00 ( http://nmap.org ) at 2013-06-08 17:48 JST
Interesting ports on 192.168.45.1:
Not shown: 998 closed ports
PORT STATE SERVICE
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=6/8%OT=25%CT=1%CU=37160%PV=Y%DS=0%G=Y%TM=51B2EFDA%P=i686-p
OS:c-linux-gnu)SEQ(SP=F5%GCD=1%ISR=102%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M400CST11
OS:NW6%O2=M400CST11NW6%O3=M400CNNT11NW6%O4=M400CST11NW6%O5=M400CST11NW6%O6=
OS:M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF
OS:=Y%T=40%W=8018%O=M400CNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%
OS:RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%I
OS:PL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 0 hops
Interesting ports on lpic303.test.local (192.168.45.11):
Not shown: 986 closed ports
PORT STATE SERVICE
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=6/8%OT=21%CT=1%CU=37807%PV=Y%DS=1%G=Y%M=000C29%TM=51B2EFEC
OS:%P=i686-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=8)OPS(O1
OS:=M5B4ST11NW3%O2=M5B4ST11NW3%O3=M5B4NNT11NW3%O4=M5B4ST11NW3%O5=M5B4ST11NW
OS:3%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=
OS:Y%DF=Y%T=40%W=3908%O=M5B4NNSNW3%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=4
OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 1 hop
All 1000 scanned ports on 192.168.45.254 are filtered
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (3 hosts up) scanned in 35.03 seconds