labunix's blog

labunix's Lab Unix

Peeking at port scans with tcpdump

■References

 Port Scanning Techniques
 http://nmap.org/man/jp/man-port-scanning-techniques.html

■Observing the 3-way handshake (SYN⇒ACK/SYN⇒ACK).
 If SYN and ACK can be received, the connection is established; FIN terminates it and releases the resources.

$ sudo tcpdump -i eth0 tcp port 21 or tcp port 80 or icmp

■Scan from outside.
 "-F" is the default, so the result is the same.
 The targets are narrowed down to FTP and ssh.

$ man nmap | grep "\-F\:"
             -F: Fast mode - Scan fewer ports than the default scan

$ sudo nmap -F 192.168.45.11 | grep "^21\|^80"
21/tcp   open  ftp
80/tcp   open  http

16:52:39.641357 IP 192.168.45.1.48763 > 192.168.45.11.http: Flags [S], seq 2652247419, win 1024, options [mss 1460], length 0
16:52:39.641450 IP 192.168.45.11.http > 192.168.45.1.48763: Flags [S.], seq 1179407449, ack 2652247420, win 14600, options [mss 1460], length 0
16:52:39.643144 IP 192.168.45.1.48763 > 192.168.45.11.http: Flags [R], seq 2652247420, win 0, length 0
16:52:39.645675 IP 192.168.45.1.48763 > 192.168.45.11.ftp: Flags [S], seq 2652247419, win 3072, options [mss 1460], length 0
16:52:39.645735 IP 192.168.45.11.ftp > 192.168.45.1.48763: Flags [S.], seq 4232210766, ack 2652247420, win 14600, options [mss 1460], length 0
16:52:39.650003 IP 192.168.45.1.48763 > 192.168.45.11.ftp: Flags [R], seq 2652247420, win 0, length 0

■The commonly used one is the connect scan.
 For cases such as checking whether a remote ssh service is running.

$ sudo nmap -sT 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp   open  ftp
80/tcp   open  http

16:58:10.079207 IP 192.168.45.1.52097 > 192.168.45.11.ftp: Flags [S], seq 3199752865, win 5840, options [mss 1460,sackOK,TS val 1778607 ecr 0,nop,wscale 6], length 0
16:58:10.079265 IP 192.168.45.11.ftp > 192.168.45.1.52097: Flags [S.], seq 66600797, ack 3199752866, win 14480, options [mss 1460,sackOK,TS val 529195 ecr 1778607,nop,wscale 3], length 0
16:58:10.080458 IP 192.168.45.1.52097 > 192.168.45.11.ftp: Flags [.], ack 1, win 92, options [nop,nop,TS val 1778607 ecr 529195], length 0
16:58:10.087225 IP 192.168.45.1.52097 > 192.168.45.11.ftp: Flags [R.], seq 1, ack 1, win 92, options [nop,nop,TS val 1778609 ecr 529195], length 0
16:58:10.097727 IP 192.168.45.1.60773 > 192.168.45.11.http: Flags [S], seq 3233660269, win 5840, options [mss 1460,sackOK,TS val 1778609 ecr 0,nop,wscale 6], length 0
16:58:10.097778 IP 192.168.45.11.http > 192.168.45.1.60773: Flags [S.], seq 399508339, ack 3233660270, win 14480, options [mss 1460,sackOK,TS val 529199 ecr 1778609,nop,wscale 3], length 0
16:58:10.116394 IP 192.168.45.1.60773 > 192.168.45.11.http: Flags [.], ack 1, win 92, options [nop,nop,TS val 1778612 ecr 529199], length 0
16:58:10.116420 IP 192.168.45.1.60773 > 192.168.45.11.http: Flags [R.], seq 1, ack 1, win 92, options [nop,nop,TS val 1778612 ecr 529199], length 0

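■SYN scan
 Sets the SYN flag, which starts the open processing of a TCP connection
 and synchronizes the sequence numbers and ACK numbers of both sides.
 Because it does not establish a TCP connection, it is relatively stealthy.
 It may be used as a "SYN DOS".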

$ sudo nmap -sS 192.168.45.11 -p 21,80 | grep ^[0-9]
21/tcp open  ftp
22/tcp open  ssh

16:59:49.368553 IP 192.168.45.1.40612 > 192.168.45.11.http: Flags [S], seq 2779294566, win 3072, options [mss 1460], length 0
16:59:49.368848 IP 192.168.45.11.http > 192.168.45.1.40612: Flags [S.], seq 2441272261, ack 2779294567, win 14600, options [mss 1460], length 0
16:59:49.370035 IP 192.168.45.1.40612 > 192.168.45.11.ftp: Flags [S], seq 2779294566, win 3072, options [mss 1460], length 0
16:59:49.370085 IP 192.168.45.11.ftp > 192.168.45.1.40612: Flags [S.], seq 3637198344, ack 2779294567, win 14600, options [mss 1460], length 0
16:59:49.373641 IP 192.168.45.1.40612 > 192.168.45.11.http: Flags [R], seq 2779294567, win 0, length 0
16:59:49.373782 IP 192.168.45.1.40612 > 192.168.45.11.ftp: Flags [R], seq 2779294567, win 0, length 0

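■ACK scan
 Sets the ACK flag, which should be valid for processing during a TCP connection (other than at open).
 This ACK flag is set in every TCP packet from the second one onward in TCP connection establishment.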

$ sudo nmap -sA 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp unfiltered ftp
80/tcp unfiltered http

17:01:38.568070 IP 192.168.45.1.45046 > 192.168.45.11.http: Flags [.], ack 2447807901, win 1024, length 0
17:01:38.568177 IP 192.168.45.11.http > 192.168.45.1.45046: Flags [R], seq 2447807901, win 0, length 0
17:01:38.575376 IP 192.168.45.1.45046 > 192.168.45.11.ftp: Flags [.], ack 2634314616, win 3072, length 0
17:01:38.575429 IP 192.168.45.11.ftp > 192.168.45.1.45046: Flags [R], seq 2634314616, win 0, length 0

■FIN scan
 Sets the flag that terminates a TCP connection.

$ sudo nmap -sF 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp   open|filtered ftp
80/tcp   open|filtered http

17:03:37.080504 IP 192.168.45.1.40230 > 192.168.45.11.http: Flags [F], seq 3979127009, win 2048, length 0
17:03:37.087531 IP 192.168.45.1.40230 > 192.168.45.11.ftp: Flags [F], seq 3979127009, win 4096, length 0
17:03:38.185711 IP 192.168.45.1.40231 > 192.168.45.11.ftp: Flags [F], seq 3979192544, win 1024, length 0
17:03:38.185800 IP 192.168.45.1.40231 > 192.168.45.11.http: Flags [F], seq 3979192544, win 2048, length 0

■NULL scan
 Sets no bits at all (the flags in the TCP header are 0).

$ sudo nmap -sN 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp   open|filtered ftp
80/tcp   open|filtered http

17:04:21.479327 IP 192.168.45.1.48171 > 192.168.45.11.http: Flags [F], win 3072, length 0
17:04:21.491991 IP 192.168.45.1.48171 > 192.168.45.11.ftp: Flags [F], win 3072, length 0
17:04:22.588517 IP 192.168.45.1.48172 > 192.168.45.11.ftp: Flags [F], win 1024, length 0
17:04:22.588709 IP 192.168.45.1.48172 > 192.168.45.11.http: Flags [F], win 2048, length 0

■Xmas scan
 Sets all of the FIN, PSH, and URG flags.

$ sudo nmap -sX 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp   open|filtered ftp
80/tcp   open|filtered http

17:05:14.540683 IP 192.168.45.1.55609 > 192.168.45.11.http: Flags [FPU], seq 974722143, win 3072, urg 0, length 0
17:05:14.548920 IP 192.168.45.1.55609 > 192.168.45.11.ftp: Flags [FPU], seq 974722143, win 2048, urg 0, length 0
17:05:15.647350 IP 192.168.45.1.55610 > 192.168.45.11.ftp: Flags [FPU], seq 974656606, win 1024, urg 0, length 0
17:05:15.647896 IP 192.168.45.1.55610 > 192.168.45.11.http: Flags [FPU], seq 974656606, win 2048, urg 0, length 0

■Window size scan
 Determines the maximum amount of data that can be sent.
 16 bits, up to 065545.
 * A value of 0 asks the sender to temporarily stop sending data.

$ sudo nmap -sW 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp closed ftp
80/tcp closed http

17:05:57.151231 IP 192.168.45.1.57961 > 192.168.45.11.ftp: Flags [.], ack 1971727656, win 1024, length 0
17:05:57.151300 IP 192.168.45.11.ftp > 192.168.45.1.57961: Flags [R], seq 1971727656, win 0, length 0
17:05:57.155992 IP 192.168.45.1.57961 > 192.168.45.11.http: Flags [.], ack 2740409288, win 1024, length 0
17:05:57.156090 IP 192.168.45.11.http > 192.168.45.1.57961: Flags [R], seq 2740409288, win 0, length 0

■TCP Maimon scan
 Same as the Null, FIN, and Xmas scans, except that the probe is FIN/ACK.

$ sudo nmap -sM 192.168.45.11 -p 21,80 | grep "^21\|^80"
21/tcp closed ftp
80/tcp closed http

17:07:38.165711 IP 192.168.45.1.33548 > 192.168.45.11.http: Flags [F.], seq 4039770283, ack 399449485, win 3072, length 0
17:07:38.165778 IP 192.168.45.11.http > 192.168.45.1.33548: Flags [R], seq 399449485, win 0, length 0
17:07:38.165983 IP 192.168.45.1.33548 > 192.168.45.11.ftp: Flags [F.], seq 4039770283, ack 1370093746, win 4096, length 0
17:07:38.166060 IP 192.168.45.11.ftp > 192.168.45.1.33548: Flags [R], seq 1370093746, win 0, length 0
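
As an added example (not part of the original post), the flag patterns seen in the captures above can be turned into a small classifier for tcpdump text output: it groups packets per flow and labels each flow by what the initiator sent. The function name, verdict strings and sample lines are constructed for illustration (documentation addresses); ACK and window scans send the same bare-ACK probe, so they share one label.

```python
import re

# tcpdump text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"^\S+ IP (\S+)\.([\w-]+) > (\S+)\.([\w-]+): Flags \[([A-Za-z.]+)\]")

# First packet of a flow that is not a SYN -> probe type (flag strings as tcpdump prints them)
PROBES = {".": "ACK or window scan", "F": "FIN scan",
          "FPU": "Xmas scan", "F.": "Maimon scan"}

def classify(lines):
    """Map (initiator, responder, port) -> verdict for each TCP flow in the capture."""
    flows = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # ICMP, wrapped or unrelated lines
        src, sport, dst, dport, flags = m.groups()
        key = frozenset([(src, sport), (dst, dport)])
        # The first packet seen for a flow fixes who the initiator is.
        flow = flows.setdefault(key, {"id": (src, dst, dport), "init": (src, sport), "sent": []})
        if (src, sport) == flow["init"]:
            flow["sent"].append(flags)    # only the initiator's packets decide the verdict
    verdicts = {}
    for flow in flows.values():
        first, rest = flow["sent"][0], flow["sent"][1:]
        if first != "S":
            verdict = PROBES.get(first, "unknown probe [%s]" % first)
        elif "." in rest:                 # bare ACK: the handshake was completed
            verdict = "full handshake (connect scan or real client)"
        elif any(f.startswith("R") for f in rest):
            verdict = "half-open SYN scan"
        else:
            verdict = "SYN only"
        verdicts[flow["id"]] = verdict
    return verdicts

# Constructed sample capture, in the same format as the tcpdump output on this page.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.40612 > 192.0.2.20.http: Flags [S], seq 100, win 3072, options [mss 1460], length 0
10:00:00.000002 IP 192.0.2.20.http > 192.0.2.10.40612: Flags [S.], seq 900, ack 101, win 14600, options [mss 1460], length 0
10:00:00.000003 IP 192.0.2.10.40612 > 192.0.2.20.http: Flags [R], seq 101, win 0, length 0
10:00:01.000001 IP 192.0.2.10.52097 > 192.0.2.20.ftp: Flags [S], seq 200, win 5840, length 0
10:00:01.000002 IP 192.0.2.20.ftp > 192.0.2.10.52097: Flags [S.], seq 700, ack 201, win 14480, length 0
10:00:01.000003 IP 192.0.2.10.52097 > 192.0.2.20.ftp: Flags [.], ack 1, win 92, length 0
10:00:01.000004 IP 192.0.2.10.52097 > 192.0.2.20.ftp: Flags [R.], seq 1, ack 1, win 92, length 0
10:00:02.000001 IP 192.0.2.10.55609 > 192.0.2.20.ssh: Flags [FPU], seq 300, win 3072, urg 0, length 0
10:00:03.000001 IP 192.0.2.10.33548 > 192.0.2.20.smtp: Flags [F.], seq 400, ack 500, win 3072, length 0
10:00:03.000002 IP 192.0.2.20.smtp > 192.0.2.10.33548: Flags [R], seq 500, win 0, length 0
""".splitlines()
```

Calling `classify(SAMPLE)` returns one verdict per flow; each tcpdump record has to be on a single line for the pattern to match.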

■IP protocol scan
 Checks whether IP protocols (TCP, ICMP, IGMP, etc.) are supported.
 It takes time.

$ sudo nmap -sO 192.168.45.11 | grep "^P\|^[0-9]"
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
103      open|filtered pim
136      open|filtered udplite

■FTP bounce scan
 Checks whether proxy FTP connections are supported.

$ sudo nmap -b 192.168.45.11 -p 21,80 | nkf -f80
WARNING: No targets were specified, so 0 hosts scanned.
Hint: if your bounce scan target hosts aren't reachable from here, remember to use
-PN so we don't try and ping them prior to the scan

Starting Nmap 5.00 ( http://nmap.org ) at 2013-06-08 17:37 JST Nmap done: 0 IP addresses
(0 hosts up) scanned in 0.21 seconds

■PN (No Ping) scan
 It only means that ping is not used for host discovery; it does not mean that ping is otherwise always used.

$ sudo nmap -PN -b 192.168.45.11 -p 21,80 | nkf -f80
WARNING: No targets were specified, so 0 hosts scanned.
 Starting Nmap 5.00 ( http://nmap.org ) at 2013-06-08 17:37 JST Nmap done: 0 IP
addresses (0 hosts up) scanned in 0.21 seconds

■ping

$ ping -c 1 192.168.45.11
PING 192.168.45.11 (192.168.45.11) 56(84) bytes of data.
64 bytes from 192.168.45.11: icmp_req=1 ttl=64 time=0.725 ms

--- 192.168.45.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.725/0.725/0.725/0.000 ms

17:35:12.680308 IP 192.168.45.1 > 192.168.45.11: ICMP echo request, id 4565, seq 1, length 64
17:35:12.680380 IP 192.168.45.11 > 192.168.45.1: ICMP echo reply, id 4565, seq 1, length 64

■fping

$ fping -c 1 192.168.45.11
192.168.45.11 : [0], 84 bytes, 1.06 ms (1.06 avg, 0% loss)

192.168.45.11 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 1.06/1.06/1.06

17:35:41.109004 IP 192.168.45.1 > 192.168.45.11: ICMP echo request, id 4566, seq 0, length 64
17:35:41.109092 IP 192.168.45.11 > 192.168.45.1: ICMP echo reply, id 4566, seq 0, length 64

■Discovering hosts within a 24-bit mask

$ fping -c 1 -g 192.168.45.0/24 2>&1 | grep -v "Unreachable\|1\/0\/100%"
192.168.45.11  : [0], 84 bytes, 0.79 ms (0.79 avg, 0% loss)
192.168.45.1   : [0], 84 bytes, 0.18 ms (0.18 avg, 0% loss)

192.168.45.0   : xmt/rcv/%loss = 0/0/0%
192.168.45.1   : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.18/0.18/0.18
192.168.45.11  : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.79/0.79/0.79
192.168.45.255 : xmt/rcv/%loss = 0/0/0%

■This is a Wheezy-on-Wheezy environment, but identification seems to get only as far as "i686-pc-linux-gnu".

$ sudo nmap -sS -O 192.168.45.0/24 | grep -v "^[0-9]\|^MAC"

Starting Nmap 5.00 ( http://nmap.org ) at 2013-06-08 17:48 JST
Interesting ports on 192.168.45.1:
Not shown: 998 closed ports
PORT     STATE SERVICE
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=6/8%OT=25%CT=1%CU=37160%PV=Y%DS=0%G=Y%TM=51B2EFDA%P=i686-p
OS:c-linux-gnu)SEQ(SP=F5%GCD=1%ISR=102%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M400CST11
OS:NW6%O2=M400CST11NW6%O3=M400CNNT11NW6%O4=M400CST11NW6%O5=M400CST11NW6%O6=
OS:M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF
OS:=Y%T=40%W=8018%O=M400CNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%
OS:RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%I
OS:PL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 0 hops

Interesting ports on lpic303.test.local (192.168.45.11):
Not shown: 986 closed ports
PORT     STATE SERVICE
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=6/8%OT=21%CT=1%CU=37807%PV=Y%DS=1%G=Y%M=000C29%TM=51B2EFEC
OS:%P=i686-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=8)OPS(O1
OS:=M5B4ST11NW3%O2=M5B4ST11NW3%O3=M5B4NNT11NW3%O4=M5B4ST11NW3%O5=M5B4ST11NW
OS:3%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=
OS:Y%DF=Y%T=40%W=3908%O=M5B4NNSNW3%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=4
OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

All 1000 scanned ports on 192.168.45.254 are filtered
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (3 hosts up) scanned in 35.03 seconds