
NMAP - A Stealth Port Scanner--reference

Published: 2021-01-24 21:42:08 Column: Linux Source: compiled from the web
Summary: http://nmap.org/bennieston-tutorial/ Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an optional graphical front-end, NmapFE, and supports a wide variety of scan types, each one with different benefits and

One major problem with this technique is that, when a firewall blocks outgoing ICMP Port Unreachable messages, the port will appear open. These false positives are hard to distinguish from real open ports.

Another disadvantage of UDP scanning is the speed at which it can be performed. Most operating systems limit the number of ICMP Port Unreachable messages which can be generated in a certain time period, thus slowing the speed of a UDP scan. Nmap adjusts its scan speed accordingly to avoid flooding a network with useless packets. An interesting point to note here is that Microsoft does not limit the Port Unreachable error generation frequency, and thus it is easy to scan a Windows machine's 65,535 UDP ports in very little time!

UDP scanning is not usually useful for most types of attack, but it can reveal information about services or trojans which rely on UDP, for example SNMP, NFS, the Back Orifice trojan backdoor and many other exploitable services.

Most modern services utilise TCP, and thus UDP scanning is not usually included in a pre-attack information gathering exercise unless a TCP scan or other sources indicate that it would be worth the time taken to perform a UDP scan.

The IP Protocol Scan attempts to determine the IP protocols supported on a target. Nmap sends a raw IP packet without any additional protocol header (see a good TCP/IP book for information about IP packets) to each protocol on the target machine. Receipt of an ICMP Protocol Unreachable message tells us the protocol is not in use; otherwise it is assumed open. Not all hosts send ICMP Protocol Unreachable messages (these include firewalls, AIX, HP-UX and Digital UNIX); such machines will report all protocols open.

This scan type also falls victim to the ICMP rate limiting described in the UDP scans section; however, since only 256 protocols are possible (the IP protocol field in the IP header is 8 bits), it should not take too long.

Results of an -sO scan on my Linux workstation are included below.

   [chaos]# nmap -sO 127.0.0.1

   Starting Nmap 4.01 at 2006-07-14 12:56 BST
   Interesting protocols on chaos(127.0.0.1):
   (The 251 protocols scanned but not shown below are
           in state: closed)
   PROTOCOL STATE         SERVICE
   1        open          icmp
   2        open|filtered igmp
   6        open          tcp
   17       open          udp
   255      open|filtered unknown

   Nmap finished: 1 IP address (1 host up) scanned in
           1.259 seconds
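To turn the -sO output above into something a reviewer can check mechanically, here is a small parser, added for this page and not part of the tutorial or of Nmap itself. It reads the quoted output (embedded as a constructed sample), verifies that the rows shown plus the rows summarised as "not shown" account for all 256 possible protocol numbers (the 8-bit field), and lists the protocols whose state is open|filtered, i.e. where no ICMP Protocol Unreachable came back and Nmap cannot tell "in use" from "silently dropped".

```python
import re

# Constructed sample: the nmap -sO output quoted on this page.
SAMPLE_SO_OUTPUT = """\
Starting Nmap 4.01 at 2006-07-14 12:56 BST
Interesting protocols on chaos(127.0.0.1):
(The 251 protocols scanned but not shown below are
        in state: closed)
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
255      open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in
        1.259 seconds
"""

# One table row: protocol number, state, service name.
ROW_RE = re.compile(r"^\s*(\d{1,3})\s+(open|closed|filtered|open\|filtered)\s+(\S+)\s*$")
# The summary line that may wrap onto a second line in the output.
NOT_SHOWN_RE = re.compile(
    r"\(The (\d+) protocols scanned but not shown below are\s+in state: (\w+)\)")


def parse_protocol_scan(text):
    """Return (rows, not_shown): rows is a list of (proto, state, service),
    not_shown is (count, state) for the protocols Nmap summarised away."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    m = NOT_SHOWN_RE.search(text)
    not_shown = (int(m.group(1)), m.group(2)) if m else (0, None)
    return rows, not_shown


def check_coverage(rows, not_shown):
    """The IP protocol field is 8 bits, so shown + not-shown must total 256."""
    return len(rows) + not_shown[0] == 256


def ambiguous_protocols(rows):
    """Protocols with no ICMP Protocol Unreachable reply: open or filtered,
    which is exactly the case the text warns about for non-responding hosts."""
    return [proto for proto, state, _ in rows if state == "open|filtered"]
```

Running the parser on a host that never sends ICMP Protocol Unreachable (a firewall, AIX, HP-UX, Digital UNIX) would give 256 open|filtered rows and an empty "not shown" summary, which is the tell-tale sign that the scan result is uninformative.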

Idle scanning is an advanced, highly stealthy technique, where no packets are sent to the target which can be identified as originating from the scanning machine. A zombie host (and optionally a port) must be specified for this scan type. The zombie host must satisfy certain criteria essential to the workings of this scan.

This scan type works by exploiting "predictable IP fragmentation ID" sequence generation on the zombie host to determine open ports on the target. The scan checks the IPID on the zombie, then spoofs a connection request to the target machine, making it appear to come from the zombie. If the target port is open, a SYN/ACK session acknowledgement will be sent from the target machine back to the zombie, which will RST the connection since it has no record of having opened such a connection. If the port on the target is closed, an RST will be sent to the zombie, and no further packets will be sent. The attacker then checks the IPID on the zombie again. If it has incremented by 2 (or changed by two steps in its sequence), this corresponds to the packet received from the target plus the RST from the zombie, which equates to an open port on the target. If the IPID has changed by one step, an RST was received from the target and no further packets were sent.

Using this mechanism, it is possible to scan every port on a target whilst making it appear that the zombie was the one doing the scanning. Of course, the spoofed connection attempts will likely be logged, so the target system will have the zombie IP address, and the zombie system's logs are likely to contain the attacker's IP address, so it is still possible, after acquiring logs through legal channels, to determine the attacker, but this method makes it much more difficult to do so than if the packets were sent directly from the attacker. In addition, some IDS and firewall software attempts to detect spoofed packets based on the network they arrive from. As long as the zombie host and the attacker are both "out on the Internet", or on the same network as each other relative to the target, techniques to identify spoofed packets are not likely to succeed.
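The criterion the text refers to, a zombie whose IPID advances by a predictable step for every packet it sends, is something an administrator can audit on their own hosts so they are not usable as zombies. The following classifier is an added example, not part of the tutorial or of Nmap: given a series of IPID values sampled from a host's replies (constructed samples below), it reports whether the sequence is incremental, all-zero, incremental but disturbed by other traffic, or random. Only the first class makes the two-step-versus-one-step reasoning above reliable; a host with randomised IPIDs, or one that is busy, is not a usable zombie.

```python
IPID_MODULUS = 65536  # the IP identification field is 16 bits


def ipid_deltas(ipids):
    """Differences between consecutive samples, wrapping at the 16-bit boundary."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ipids, ipids[1:])]


def classify_ipid_sequence(ipids, busy_threshold=16):
    """Classify how a host generates IPIDs, from at least three samples.

    'incremental'      : constant step of 1 (or 256, the byte-swapped variant
                         some stacks use); fully predictable.
    'zero'             : every packet carries IPID 0; nothing to observe.
    'incremental-busy' : small positive steps but not constant; the host is
                         talking to other peers, so per-packet counting fails.
    'random'           : large or non-monotonic jumps; randomised generation.
    """
    if len(ipids) < 3:
        raise ValueError("need at least three IPID samples")
    deltas = ipid_deltas(ipids)
    if all(d == 0 for d in deltas):
        return "zero"
    step = deltas[0]
    if step in (1, 256) and all(d == step for d in deltas):
        return "incremental"
    if all(0 < d <= busy_threshold for d in deltas):
        return "incremental-busy"
    return "random"


# Constructed samples, one per class, as an audit of four hypothetical hosts.
CONSTRUCTED_SAMPLES = {
    "idle-host": [65534, 65535, 0, 1, 2],          # wraps cleanly at 2^16
    "byte-swapped-host": [0x0100, 0x0200, 0x0300],  # step of 256
    "zero-ipid-host": [0, 0, 0, 0],
    "busy-host": [100, 102, 103, 110, 111],
    "random-host": [1234, 51234, 2, 40000],
}


def audit(samples):
    """Map each host to its IPID class; 'incremental' hosts merit attention."""
    return {host: classify_ipid_sequence(seq) for host, seq in samples.items()}
```

A host reported as "incremental" is the one the text's mechanism depends on; modern operating systems default to randomised or per-destination IPIDs precisely to deny that predictability.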
