1. Port & Port Scanning

最新推荐文章于 2024-09-05 17:22:26 发布
最新推荐文章于 2024-09-05 17:22:26 发布
阅读量502 收藏
点赞数 1
分类专栏: 1. Fundamental Knowledge of Penetra 文章标签: 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_42411636/article/details/107549474
版权

Port & Port Scanning

1. What is port?

  • 端口是计算机与外界进行通讯和数据交换的接口。
    1. 物理端口
    2. 虚拟端口:计算机内部或交换机路由器内的端口。TCP和UDP协议使用16bits的端口号来表示和区别网络中的不同应用程序
  • 为什么关注端口:如果将服务器比作一个房子,那么端口就像通向不同房间(服务)的门。通过对端口进行扫描,可以确定那些端口是开放的,从而可以猜测目标主机大致提供了哪些服务,进而猜测可能存在的漏洞。

2. 端口扫描具体细节

  • TCP端口原理:According to the original TCP specification, if a service is listening on a TCP port and a packet with the SYN Control Bit set arrives at that port, the TCP software must respond with a SYN-ACK packet. This response must be sent, regardless of the payload of the SYN packet. Which means even if we don’t know what service is listening on the target port, we can still measure whether it is open by simply sending it a SYN packet. That gives us a reliable method for determining whether a TCP port is open or closed.

  • Different Scenarios While TCP Scanning:

    1. The first scenario: The attacker machine send a SYN packet, and receives a SYN-ACK from the target. This means that the port is open and we move on to a different port. There is a very unlikely chance that there is a software sending a SYN-ACK packet for every port to trick the attacker but that is unlikely.
  1. The second scenario: The attacker sends a SYN packet and receives an ICMP port Unreachable message back, this most likely means that there is firewall that is blocking the connection. These ports are also called filtered ports.
  2. The third scenario: The attacker machine sends SYN packet and receives an RST-ACK packet back, this means that we cannot reach the port, its either closed or a firewall is not letting us access it.
  3. The fourth scenario: The attacker machine sends SYN packet and get nothing in response, usually the port scanning tools retry before moving on and the port is marked filtered. In this case either there is nothing listening on the end system (which has been configured via a personal firewall to silently drop all packets to closed ports) or a firewall is blocking our inbound SYN packet (again, silently rejecting it).
  4. Sum up: These are the most likely scenarios you will encounter while port scanning, the last scenario can cause the tool run for a long time, because it retries and then mark it as filtered after the timeout. This technique is also called half-open scanning. We don’t establish a full connection.
  • UDP Scanning & Scenarios:
    As we all know UDP is a connection less protocol, so there is no state of connection and no control bits, and because of this there is less option of scanning , often slower scanning and less reliable scanning and a lot of uncertainty from the results . Some scenarios you might encounter in UDP scanning are :
  1. Scenario A: The attacker machine sends a UDP packet and the target machine responds with a UDP packet. this means that there is something listening on that UDP port, which means the port is open.
  2. Scenario B: The attacker machine send a UDP packet and the target machine responds with a ICMP port unreachable, This means the port is close, but this is also one of the reasons of the UDP scanning being slow because some of the systems have a rate-limit for ICMP Packets, which makes the scan even more slow.
  3. Scenario C: The attacker machine sends a UDP packet and nothing comes back, now there could a lot of reasons why, some of the reason could be:
    a. Port Closed
    b. The firewall is blocking the packet coming in
    c. The firewall is blocking the packet coming to us
    d. The port is open but the service requires a specific payload in the packet
  • Reference
  • Sum up: 本节主要包括TCP/UDP端口扫描原理和扫描时可能遇到的情况。

3.Nmap端口扫描

  • 端口扫描的基本过程:

The basic nmap syntax is nmap scantype options target. The simplest way to run nmap is to provide the target host address after nmap. Address can be supplied as an ip address or as a domain name. Addresses can also be supplied as **a range of ip addresses **(eg: 127.0.0.1–125)

nmap 127.0.0.1

The result this yields is as follows:

Starting Nmap 7.12SVN ( https://nmap.org ) at 2016–06–27 14:28 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
631/tcp open ipp
5432/tcp open postgresql

Thus we can see that there are 2 ports open at the target host.

Nmap can also be used to determine the OS running on the target host. This can be done simply adding a -O flag to the previous command

nmap -O 127.0.0.1

This returns a more detailed result:

Starting Nmap 7.12SVN ( https://nmap.org ) at 2016–06–27 14:34 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
631/tcp open ipp
5432/tcp open postgresql
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3.19 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.19, Linux 3.8–4.4
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.14 seconds

The result now shows the OS running on the host.

The -v flag can be used to get verbose information about the scan. The -sV flag can be used to show the software versions running on the open ports.

nmap -v -sV hostname

This will return the following:

Starting Nmap 7.12SVN ( https://nmap.org ) at 2016–06–27 14:55 IST
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 14:55
Scanning 104.236.66.200 [4 ports]
Completed Ping Scan at 14:55, 0.62s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:55
Completed Parallel DNS resolution of 1 host. at 14:55, 3.90s elapsed
Initiating SYN Stealth Scan at 14:55
Scanning (104.236.66.200) [1000 ports]
Discovered open port 22/tcp on 104.236.66.200
Discovered open port 443/tcp on 104.236.66.200
Discovered open port 3000/tcp on 104.236.66.200
Completed SYN Stealth Scan at 14:57, 97.05s elapsed (1000 total ports)
Initiating Service scan at 14:57
Scanning 4 services on (104.236.66.200)
Completed Service scan at 14:57, 16.07s elapsed (4 services on 1 host)
NSE: Script scanning 104.236.66.200.
Initiating NSE at 14:57
Completed NSE at 14:57, 4.00s elapsed
Initiating NSE at 14:57
Completed NSE at 14:57, 0.00s elapsed
Nmap scan report for (104.236.66.200)
Host is up (0.34s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7
443/tcp open ssl/http Apache httpd 2.4.7
3000/tcp open http Node.js Express framework
Service Info: Hosts: 104.236.66.200, localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.40 seconds
Raw packets sent: 1795 (78.956KB) | Rcvd: 1118 (44.740KB)

This test shows the port number, the state of the port (open,closed), the service (ssh, ssl, http, etc) and the version of the service. Also this test shows more details about the nmap connection, A -p flag can be used to check if a particular port is open or closed. The -p flag can be used to check the port by port number or port name. (Ports can also be specified in range, eg: 1–40)

nmap -p ssh 127.0.0.1

This will return the state of the ssh port of the host. It returns the port number, state and the service:

Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
PORT STATE SERVICE
22/tcp closed sshNmap done: 1 IP address (1 host up) scanned in 0.03 seconds

This test can also be run using the port number as nmap -p 22 127.0.0.1

A -sn flag is used to check if a host is alive or not. Running this on a range of addresses will show the following result:

nmap -sn 127.0.0.1–25Starting Nmap 7.12SVN ( https://nmap.org ) at 2016–06–27 15:33 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000074s latency).
Nmap scan report for 127.0.0.2
Host is up (0.00015s latency).
Nmap scan report for 127.0.0.3
Host is up (0.000093s latency).
Nmap scan report for 127.0.0.4
Host is up (0.000079s latency).
Nmap scan report for 127.0.0.5
Host is up (0.000069s latency).
….
Nmap scan report for 127.0.0.24
Host is up (0.000095s latency).
Nmap scan report for 127.0.0.25
Host is up (0.000085s latency).
Nmap done: 25 IP addresses (25 hosts up) scanned in 0.00 seconds

Nmap allows multiple flags to be used together, i.e. a command such as

nmap -v -sV -O 127.0.0.1

is valid and so is the command

nmap -sV -p 1–65535 192.168.1.1/24

(Here /24 is the network mask)

Nmap comes with a GUI Zenmap for those who are not comfortable working with the command line.

AgachilyPaul
关注
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
pkdump - Port Scanning Detection-开源
04-26
"pkdump - Port Scanning Detection-开源" 这个标题提到的"pkdump"是一个用于端口扫描检测的工具,特别是针对TCP和UDP协议。"Port Scanning Detection"意味着该工具专注于识别和应对网络中的端口扫描行为,这是一种...
Unit 3: Port Scanning 3.1 Port Scanning Introduction to Port Scanning
11-25 149
Programs or services are the logical ways networking trafficgoes into and out of the machine. A service is a programthat runs in the background independent of a log on. The wayinto and out of a p...
Unit 3: Port Scanning 3.1 Port Scanning UDP Scan
11-27 119
>> So far, all the scans have involved TCP.However, there are some major protocols that use UDP at layer four instead of TCP.Most notably, DNS and DHCP.The UDP scan probes for such services...
Unit 3: Port Scanning 3.1 Port Scanning ACK Scan
11-27 138
You might be wondering if there's a way to get furtherinsight to a port that's being flagged as open or filtered. Theanswer is yes. The purpose of the ACK scan is simply toidentify if a port is f...
Unit 3: Port Scanning 3.1 Port Scanning Port Scanning Demos 1
11-27 118
The TCP Three-Way Handshake Demo >> I just opened up a browser and went to www.rit.eduwith Wireshark capturing the packets.Let's take a look at what I captured.I'm using a display filter o...
TCP全连接端口扫描器
weixin_45007073的博客
09-21 2339
全连接端口扫描器原理介绍普通扫描器高并发扫描器 原理介绍 TCP全连接端口扫描器是最基础的扫描器,它的原理是调用Socket的connect函数连接到目标IP的特定端口上,如果连接成功说明端口是开放的,如果连接失败,说明端口没有开放。 Go语言的net包提供的Dial与DialTimeout函数,对传统的socket函数进行了封装,无论想创建什么协议的连接,都只需要调用这两个函数即可。这两个函数的区别是DialTimeout增加了超时时间。 普通扫描器 以下代码片段利用DialTimeout实现了一个Con
Velociraptor, Java Port Scanning API-开源
07-10
Velociraptor 是一个简单的 java API,用于端口扫描和分析。 它提供了编写自定义端口扫描器客户端的接口。 它扫描给定范围内的所有端口以查看它们是否打开并分析它们以识别它们正在运行的协议。
Nmap in the Enterprise: Your Guide to Network Scanning.pdf
06-19
Start Nmap scanning, discover hosts, port scan, detecting operating systems, and detect service and application versions . Raise those Fingerprints Understand the mechanics of Nmap OS fingerprinting, ...
Port_Authority:阻止网站使用JavaScript进行端口扫描您的计算机网络,并动态阻止所有LexisNexis端点运行其侵入性数据收集脚本
05-12
港口管理局 阻止网站使用JavaScript进行端口扫描您的计算机/网络,并动态阻止所有LexisNexis端点运行其侵入性数据收集脚本。 Ebay试图运行ThreatMetrix脚本,但被港口管理局阻止。 ... Discord端口扫描您的计算机,以...
Android代码-Port Authority
08-06
Port Authority Overview A handy systems and security-focused tool, Port Authority is a very ...If the device you're scanning drops packets, it takes about 10 seconds to scan 1000 ports. If the devi
Nmap的介绍、安装 并进行网络扫描
Cheney ' blog
03-08 1万+
Nmap概述 Nmap(Network Mapper(网络映射器))是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统(这是亦称 fingerprinting)。它是网络管理员必用的软件之一,以及用以评估网络系统安全。 正如大多数被用于网络安全的工具,nmap 也是不少黑客及骇客(又称脚本小子)爱用的工具 。系统管理员可以利用nmap来探测工作环境中未经批准使用的服务器,但是黑客会利用nmap来搜集目标电脑的网络设定,从而计划攻击的方法。
Nmap 端口扫描
热门推荐
看着博客敲代码
01-22 1万+
简介 端口扫描是Nmap的强项,大多数Nmap应用都是应用于对端口的扫描。 一、Nmap对端口的扫描有以下几种状态。 Open 端口开放状态 应用程序正在该端口接收TCP或UDP报文。这也是端口扫描的主要目标。它显示了网络上哪些服务可供使用。 Closed 端口关闭状态 关闭的端口对于Nmap也是可以访问的,但没有应用程序在其上监听。它可以显示该IP地址上的主机是否在运行,对操作系统探测有帮助。 Filtered 过滤的 由于包过滤阻止探测报文到达端口,Nmap无法确定该端口是否开放。过滤可能来自专业的防
NMAP - A Stealth Port Scanner--reference
01-22 681
http://nmap.org/bennieston-tutorial/ 实例:nmap -sP 192.168.21.* Contents 1Introduction Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an optional graphic...
Nmap扫描原理(上)
super_m@n的博客
04-06 7801
Nmap是一款开源免费的网络发现(Network Discovery)和安全审计(Security Auditing)工具。软件名字Nmap是Network Mapper的简称。Nmap最初是由Fyodor在1997年开始创建的。随后在开源社区众多的志愿者参与下,该工具逐渐成为最为流行安全必备工具之一。最新版的Nmap6.0在2012年5月21日发布,详情请参见:www.nmap.org。 一般...
关于FTP主被动模式的详尽解释及错误处理
weixin_34381666的博客
08-09 874
2019独角兽企业重金招聘Python工程师标准>>> ...
nmap扫描的几种方式
k851819815的博客
02-21 6077
nmap扫描的方法 原文 the art of port scanning tcp connect() 这种方式最简单。直接与被扫描的端口建立tcp链接,如果成功,则说明端口开放,如果不成功则说明端口关闭的。这种扫描的特点是与被扫描端口建立完成的tcp链接,完整的tcp三次握手。优点主要是不需要root权限即可扫描端口。因为connect可以在用户态直接调用 TCP SYN scanning 这种...
浅谈网络安全的认识与学习规划
最新发布
qq_201729558
09-05 290
本文主要介绍网络安全认识与学习规划
【数据隐私与安全】数据隐私保护与安全管理
weixin_39372311的博客
09-01 946
数据隐私与安全已成为当今社会不可忽视的重要问题。企业需要在遵守法律法规的基础上,采取有效的技术和管理措施,确保数据的安全与隐私不受侵犯。在未来,随着安全技术的不断发展,数据隐私保护将会更加完善,为企业和个人的数据资产保驾护航。
九盾叉车U型区域警示灯,高效照明和安全警示
jiuxindianzi的博客
09-05 178
九盾叉车U型区域警示灯,LED光源,U型光线设计,覆盖广,亮度高,适应多车型,防护等级高,使用寿命长,有效防止叉车碰撞事故,提升作业安全性。
将下列代码转化为C++代码:import socket def scan_ports(host, start_port, end_port, protocol='tcp'): for port in range(start_port, end_port + 1): try: if protocol == 'tcp': sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(1) # 设置超时时间为1秒 result = sock.connect_ex((host, port)) if result == 0: print(f"Port {port} is open") sock.close() elif protocol == 'udp': sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(1) sock.sendto(b'Ping', (host, port)) data, addr = sock.recvfrom(1024) if data: print(f"Port {port} is open") sock.close() else: print(f"Unsupported protocol {protocol}") return except socket.error: pass if __name__ == '__main__': host = '127.0.0.1' # 目标IP地址 start_port = 1 # 起始端口号 end_port = 65535 # 终止端口号 protocols = ['tcp', 'udp'] for protocol in protocols: print(f"Scanning {protocol} ports...") scan_ports(host, start_port, end_port, protocol)
05-27
int start_port = 1; int end_port = 65535; const char* protocols[] = {"tcp", "udp"}; int i, num_protocols = sizeof(protocols) / sizeof(protocols[0]); for(i = 0; i ; i++) { std::cout << "Scanning ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值