
Host Scanning with Nmap

category System/Nmap 2016. 3. 11. 11:44

Run the commands below on BackTrack or Kali Linux.
Installing a packet tracer (sniffer) on the target host and inspecting the packets it receives makes each scan type much easier to understand.



Go to the Nmap homepage

Nmap is a port-scanning tool: a system security tool used to scan a network or a target host.
(In some jurisdictions unauthorized port scanning is considered illegal. - Wikipedia -)


Option          Description
------          -----------
Scan types
-sT             Open scan using the connect() function (full TCP connection)
-sS             TCP SYN scan that does not complete the session (half-open)
-sF             Scan using FIN packets
-sN             Scan using Null packets (no TCP flags set)
-sX             Scan using Xmas packets
-sP             Find live hosts using ping
-sU             UDP port scan
-sR             RPC port scan
-sA             ACK scan; analyses the TTL of the reply to an ACK packet
-sW             Window scan; analyses the TCP window size of the reply to an ACK packet
-sV             Service (version) scan
-b              FTP bounce scan
-D [decoy-IP]   Decoy scan; disguises the attacker's IP among decoy addresses

Host discovery and other options
-f              Fragment the probe packets so that the scan can pass through a firewall
-v              Show scan details (verbose)
-P0             Do not ping before scanning; for hosts that do not allow ICMP Echo Request (zero; written -Pn in current Nmap)
-PT             Check whether the system is up with TCP packets instead of ICMP ping
-PS             Check whether the system is up by sending only TCP SYN packets
-PI             Check whether the system is up with ICMP
-PB             Check whether the host is up with both TCP and ICMP
-S              Spoof the source IP address
-O              Guess the operating system (OS detection)
-n              Do not perform DNS lookups
-R              Always perform DNS lookups
-T              Timing scan: 0 Paranoid, 1 Sneaky, 2 Polite, 3 Normal, 4 Aggressive, 5 Insane
-p              Port specification, e.g. -p 21 or -p 1-65535, or -p U:53,T:21,1024-1000


  • UDP Open Scan
    . Port-scans the target system with UDP packets
    . If no response comes back, the port is treated as active (reported as open|filtered below)
    . If a UDP packet is lost in transit, the port can therefore be wrongly judged active

root@kali:~# nmap -v -sU 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 21:59 EDT
Initiating ARP Ping Scan at 21:59
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 21:59, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:59
Completed Parallel DNS resolution of 1 host. at 21:59, 0.32s elapsed
Initiating UDP Scan at 21:59
Scanning 200.200.200.44 [1000 ports]
Discovered open port 137/udp on 200.200.200.44
Completed UDP Scan at 21:59, 8.10s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00031s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds
           Raw packets sent: 2001 (57.696KB) | Rcvd: 3 (512B)


  • TCP Open Scan
    . Determines the port state of the target system through a full 3-way handshake
    . Because the 3-way handshake establishes a real session, the connection is logged on the target

root@kali:~# nmap -v -sT 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:01 EDT
Initiating ARP Ping Scan at 22:01
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:01, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:01
Completed Parallel DNS resolution of 1 host. at 22:01, 0.33s elapsed
Initiating Connect Scan at 22:01
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed Connect Scan at 22:01, 4.63s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00084s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)


  • TCP Half Open Scan (stealth scan)
root@kali:~# nmap -v -sS 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:07 EDT
Initiating ARP Ping Scan at 22:07
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:07, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:07
Completed Parallel DNS resolution of 1 host. at 22:07, 0.43s elapsed
Initiating SYN Stealth Scan at 22:07
Scanning 200.200.200.44 [1000 ports]
Discovered open port 139/tcp on 200.200.200.44
Discovered open port 445/tcp on 200.200.200.44
Completed SYN Stealth Scan at 22:07, 4.29s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00040s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.87 seconds
           Raw packets sent: 2001 (88.028KB) | Rcvd: 5 (204B)


  • FIN / Null / Xmas Scan
    . FIN - port scan by sending a FIN (connection teardown) packet
    . Null - port scan by sending a Null packet
    . Xmas - port scan by sending an Xmas packet
    Note: in the three sessions below the option was typed without its leading dash (sF, sN, sX), so Nmap treated it as a hostname ("Failed to resolve") and, running as root, fell back to its default SYN Stealth Scan. The intended commands are nmap -v -sF, nmap -v -sN and nmap -v -sX followed by the target.
root@kali:~# nmap -v sF 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:13 EDT
Failed to resolve "sF".
Initiating ARP Ping Scan at 22:13
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:13, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:13
Completed Parallel DNS resolution of 1 host. at 22:13, 0.34s elapsed
Initiating SYN Stealth Scan at 22:13
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed SYN Stealth Scan at 22:13, 4.90s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00057s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.66 seconds
           Raw packets sent: 2001 (88.028KB) | Rcvd: 5 (204B)


root@kali:~# nmap -v sN 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:14 EDT
Failed to resolve "sN".
Initiating ARP Ping Scan at 22:14
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:14, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:14
Completed Parallel DNS resolution of 1 host. at 22:14, 0.33s elapsed
Initiating SYN Stealth Scan at 22:14
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed SYN Stealth Scan at 22:14, 4.28s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00058s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds
           Raw packets sent: 2001 (88.028KB) | Rcvd: 5 (204B)


root@kali:~# nmap -v sX 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:14 EDT
Failed to resolve "sX".
Initiating ARP Ping Scan at 22:14
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:14, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:14
Completed Parallel DNS resolution of 1 host. at 22:14, 0.33s elapsed
Initiating SYN Stealth Scan at 22:14
Scanning 200.200.200.44 [1000 ports]
Discovered open port 139/tcp on 200.200.200.44
Discovered open port 445/tcp on 200.200.200.44
Completed SYN Stealth Scan at 22:15, 4.35s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00033s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds
           Raw packets sent: 2002 (88.072KB) | Rcvd: 6 (248B)


  • ACK Scan
    Note: as in the previous section, sA and sW below are missing their leading dash, so both runs are actually the default SYN Stealth Scan; the intended commands are nmap -v -sA 200.200.200.44 and nmap -v -sW 200.200.200.44.
root@kali:~# nmap -v sA 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:15 EDT
Failed to resolve "sA".
Initiating ARP Ping Scan at 22:15
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:15, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:15
Completed Parallel DNS resolution of 1 host. at 22:15, 0.37s elapsed
Initiating SYN Stealth Scan at 22:15
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed SYN Stealth Scan at 22:15, 4.61s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00080s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.24 seconds
           Raw packets sent: 2001 (88.028KB) | Rcvd: 5 (204B)


root@kali:~# nmap -v sW 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:16 EDT
Failed to resolve "sW".
Initiating ARP Ping Scan at 22:16
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:16, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:16
Completed Parallel DNS resolution of 1 host. at 22:16, 0.36s elapsed
Initiating SYN Stealth Scan at 22:16
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed SYN Stealth Scan at 22:16, 4.86s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00034s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.30 seconds
           Raw packets sent: 2001 (88.028KB) | Rcvd: 5 (204B)
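To make the inference behind the reports above concrete, here is an added example (not part of the original post) covering the UDP, FIN/Null/Xmas and ACK/Window sections: it names each probe type from its TCP flags, as a sniffer on the target host would see it, and returns the port state Nmap reports for each kind of reply. The reply labels ('SYN/ACK', 'RST', 'UDP', 'ICMP-port-unreach', 'ICMP-unreach') are this example's own shorthand.

```python
from typing import Optional

# TCP flag bits as found in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag pattern each probe type from the option table puts on the wire.
PROBE_FLAGS = {
    SYN:             "SYN probe (-sS / -sT)",   # -sT goes on to finish the handshake
    ACK:             "ACK probe (-sA / -sW)",
    FIN:             "FIN probe (-sF)",
    0:               "NULL probe (-sN)",
    FIN | PSH | URG: "Xmas probe (-sX)",
}

def classify_probe(tcp_flags: int) -> str:
    """Defender's view: name the Nmap probe type from a captured packet's flags."""
    return PROBE_FLAGS.get(tcp_flags, "not a bare Nmap probe pattern")

def infer_state(scan: str, reply: Optional[str], window: int = 0) -> str:
    """Scanner's view: the state Nmap reports for a port given what came back.
    reply is one of 'SYN/ACK', 'RST', 'UDP', 'ICMP-port-unreach',
    'ICMP-unreach', or None when nothing arrived before the timeout."""
    if scan in ("-sS", "-sT"):
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan == "-sA":                    # ACK scan only separates filtered/unfiltered
        return "unfiltered" if reply == "RST" else "filtered"
    if scan == "-sW":                    # window scan reads the RST's window size
        if reply == "RST":
            return "open" if window > 0 else "closed"
        return "filtered"
    if scan in ("-sF", "-sN", "-sX"):    # RFC 793: closed ports answer RST, open ones stay silent
        if reply == "RST":
            return "closed"
        return "filtered" if reply == "ICMP-unreach" else "open|filtered"
    if scan == "-sU":
        if reply == "UDP":
            return "open"
        if reply == "ICMP-port-unreach": # ICMP type 3 code 3
            return "closed"
        # Silence means open OR filtered OR the probe was simply lost: this is
        # the misjudgement the UDP section warns about, and why the UDP run
        # above reports 999 open|filtered ports while the TCP runs say filtered.
        return "filtered" if reply == "ICMP-unreach" else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")
```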


  • Timing scan to evade IDS
    . 0 - Paranoid: scans at 5 to 10 minute intervals
    . 1 - Sneaky: one probe every 15 seconds on a WAN, every 5 seconds on a LAN
    . 2 - Polite: one probe every 0.4 seconds
    . 3 - Normal: default behaviour
    . 4 - Aggressive: host timeout 5 minutes, waits up to 1.25 seconds per packet for a response
    . 5 - Insane: host timeout 75 seconds, waits up to 0.3 seconds per packet for a response
root@kali:~# nmap -v -sS -T 3 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 22:38 EDT
Initiating ARP Ping Scan at 22:38
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 22:38, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:38
Completed Parallel DNS resolution of 1 host. at 22:38, 0.33s elapsed
Initiating SYN Stealth Scan at 22:38
Scanning 200.200.200.44 [1000 ports]
Discovered open port 139/tcp on 200.200.200.44
Discovered open port 445/tcp on 200.200.200.44
Completed SYN Stealth Scan at 22:38, 4.90s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.0016s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.36 seconds
           Raw packets sent: 2001 (88.028KB) | Rcvd: 5 (204B)


  • Fragmented TCP Scan - passing through a firewall
    . Hides the port numbers being scanned so that the probes pass through a firewall
    Note: in the session below the stray "3" left over from -T 3 is parsed as a second target ("failed to determine route to 3"), and -f has no effect on a connect() scan, which sends no raw packets ("Raw packets sent: 1"); fragmentation applies to raw-packet scans such as nmap -v -f -sS 200.200.200.44.
root@kali:~# nmap -v -f -sT 3 200.200.200.44

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 23:36 EDT
setup_target: failed to determine route to 3 (0.0.0.3)
Initiating ARP Ping Scan at 23:36
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 23:36, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:36
Completed Parallel DNS resolution of 1 host. at 23:36, 13.01s elapsed
Initiating Connect Scan at 23:36
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed Connect Scan at 23:36, 4.61s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00095s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.73 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)


  • Spoofed TCP Scan
    . Scans with a changed (decoy) source IP address
    Note: Nmap itself warns below that decoys are irrelevant to a connect() scan, and the stray "3" is again taken as a target; decoy addresses only appear in raw-packet scans, e.g. nmap -v -sS -D 200.200.200.2 200.200.200.44.
root@kali:~# nmap -v -sT 3 200.200.200.44 -D 200.200.200.2
WARNING: Decoys are irrelevant to the bounce or connect scans

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-16 23:38 EDT
setup_target: failed to determine route to 3 (0.0.0.3)
Initiating ARP Ping Scan at 23:38
Scanning 200.200.200.44 [1 port]
Completed ARP Ping Scan at 23:38, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:38
Completed Parallel DNS resolution of 1 host. at 23:38, 1.53s elapsed
Initiating Connect Scan at 23:38
Scanning 200.200.200.44 [1000 ports]
Discovered open port 445/tcp on 200.200.200.44
Discovered open port 139/tcp on 200.200.200.44
Completed Connect Scan at 23:38, 4.22s elapsed (1000 total ports)
Nmap scan report for 200.200.200.44
Host is up (0.00056s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:67:81:BB (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.87 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
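As an added example (not from the original post), a small auditor for captured "nmap -v" sessions like the ones on this page: it extracts the scan actually performed and the open ports, and flags the command-line slips these sessions reveal (an option typed without its dash, a stray target, -f or -D combined with a connect() scan). The phase-name table and the problem messages are this example's own; the sample input is a trimmed copy of the -sF session above.

```python
import re
from typing import Dict, List

# Scan-phase names Nmap prints in -v output, mapped to the option that selects them.
SCAN_PHASES = {
    "SYN Stealth Scan": "-sS", "Connect Scan": "-sT", "UDP Scan": "-sU",
    "FIN Scan": "-sF", "NULL Scan": "-sN", "XMAS Scan": "-sX",
    "ACK Scan": "-sA", "Window Scan": "-sW",
}

# Trimmed copy of the -sF session above, used as sample input.
SAMPLE = """root@kali:~# nmap -v sF 200.200.200.44
Failed to resolve "sF".
Initiating ARP Ping Scan at 22:13
Initiating SYN Stealth Scan at 22:13
Nmap scan report for 200.200.200.44
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
"""

def audit_session(text: str) -> Dict[str, object]:
    """Parse one captured 'nmap -v' session and flag the command-line slips
    that its own output reveals (the cases seen in the sessions on this page)."""
    lines = text.splitlines()
    cmd = next(l.split("#", 1)[1].split() for l in lines if l.startswith("root@"))
    requested = [a for a in cmd if re.fullmatch(r"-s[A-Z]", a)]
    phases = [m.group(1) for m in map(re.compile(r"Initiating (.+ Scan) at").match, lines) if m]
    performed = [SCAN_PHASES.get(p, p) for p in phases if p != "ARP Ping Scan"]
    open_ports = [(int(m.group(1)), m.group(2), m.group(3)) for m in
                  map(re.compile(r"(\d+)/(tcp|udp)\s+open\s+(\S+)").match, lines) if m]
    problems: List[str] = []
    for m in map(re.compile(r'Failed to resolve "(.+)"').match, lines):
        if m:   # "sF" without its dash was taken as a hostname
            problems.append(f'"{m.group(1)}" was taken as a hostname; did you mean "-{m.group(1)}"?')
    for m in map(re.compile(r".*failed to determine route to (\S+) ").match, lines):
        if m:   # the stray "3" left over from "-T 3" became a second target
            problems.append(f'stray argument "{m.group(1)}" was treated as a target')
    if not requested:
        problems.append("no -s option given; run as root, Nmap defaults to a SYN scan (-sS)")
    elif performed and performed[0] not in requested:
        problems.append(f"asked for {requested} but Nmap ran {performed[0]}")
    if "-f" in cmd and "-sT" in cmd:   # connect() sends no raw packets, so nothing to fragment
        problems.append("-f has no effect on a connect() scan; use a raw scan such as -sS")
    problems += [l for l in lines if l.startswith("WARNING:")]   # e.g. decoys with -sT
    return {"command": cmd, "requested": requested, "performed": performed,
            "open_ports": open_ports, "problems": problems}
```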