Table of contents

  • Preface
  • Installation
    • Manually adding environment variables
  • Basic use of Nmap
    • Scan hosts in a continuous range
    • Scan the entire subnet (C-segment live host probing)
    • Scan multiple non-contiguous hosts (-sn)
    • Exclude specified targets from the scan (--exclude)
    • Scan a list of addresses in a text file (-iL)
    • Random selection of scan targets (-iR)
  • Active host discovery (-sn)
    • Introduction to active host discovery technology
    • Host discovery based on ARP
      • Introduction to ARP
      • Using the ARP protocol in Nmap (-PR)
      • Packets sent by Nmap when using ARP
    • ICMP-based host discovery
      • ICMP protocol introduction
      • Using ICMP in Nmap (-PE, -PP, -PM)
      • Ping scan (-PI)
    • Host discovery based on TCP
      • TCP protocol introduction
      • Using TCP in Nmap
        • TCP connection establishment (SYN) scan (-PS)
        • TCP acknowledgement (ACK) scan (-PA)
    • UDP-based host discovery
      • UDP protocol introduction
      • Using UDP in Nmap (-PU)
    • Host discovery based on SCTP
      • Introduction to the SCTP protocol
      • Using the SCTP protocol in Nmap (-PY)
    • IP protocol in Nmap
      • IP protocol introduction
      • Specifying IP protocols in Nmap (-PO)
    • DNS-related options in Nmap (-R or -n)
    • Other host-discovery-related options
      • Skip host discovery (-P0, -Pn)
      • Scanning hosts on the same network segment
  • Conclusion
    • Checking progress
    • Observing the packets Nmap sends (--packet-trace)
    • Basic usage and host discovery parameters

Preface

At present, in the field of network security, many learners like to skip the basics and go straight to advanced techniques. Although this gives obvious feedback in a short time, which helps keep up the motivation to learn, it is not good for long-term development: without basic computer knowledge, many techniques end up like a building whose upper floors are built without a foundation. This blog is my own summary after reading the book “Eyes of the Gods: Nmap Network Security Audit Technology Revealed”, shared with you in the form of notes.

Installation

Nmap comes built in on Kali, and it is easy to install on Windows as well. I will not describe the installation in detail: keep the default options and click Next unless you know exactly what you are changing. You may be asked to install a third-party component midway; install it as requested.

Manually adding environment variables

By default, Nmap adds itself to the environment variables when installed, but if for some special reason it has not been added, you can add it manually. (Type nmap in the console: if an error is reported, the environment variable has not been added; otherwise it has.)



After adding Nmap to the environment variables, we can see some basic information by typing nmap in the console (either CMD or PowerShell).

Basic use of Nmap

The most basic way to use Nmap is nmap <destination IP address>

Example: nmap 127.0.0.1

We can use Nmap to scan the local machine's ports and see what it finds:

# Nmap 7.80 was run at 2020-11-02 21:35
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-02 21:35
# host report for 127.0.0.1
Nmap scan report for hub5emu.sandai.net (127.0.0.1)
# state of the target host (up: the host is powered on and reachable) and the latency between it and our computer
Host is up (0.0016s latency).
# 990 of the probed ports are closed and are not listed individually
Not shown: 990 closed ports
# list of the remaining ports: PORT: port number/protocol, STATE: open, closed or filtered, SERVICE: name of the service usually found on that port
PORT     STATE    SERVICE
135/tcp  open     msrpc
443/tcp  open     https
445/tcp  open     microsoft-ds
902/tcp  open     iss-realsecure
912/tcp  open     apex-mesh
1001/tcp filtered webpush
5357/tcp open     wsdapi
8000/tcp open     http-alt
8080/tcp open     http-proxy
8082/tcp open     blackice-alerts
# summary: 1 IP address scanned (1 host up) in 7.99 seconds
Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds
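Since the report above is what Nmap's default “normal” output looks like, here is an added example (my code, not from the post or from Nmap) that parses it, and the shorter form a host-discovery-only run prints, into Python objects. The PORT_SCAN sample is copied from the report above; PING_SCAN is constructed to match the -sn runs later in the post, with made-up vendor strings. For scripting, Nmap also offers machine-readable output (-oG, -oX), which is the better source when available.

```python
# Added example (not from the original post, not Nmap's code): parse Nmap's
# "normal" output into host reports. Samples are constructed as described above.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the report in the post.
PORT_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-02 21:35
Nmap scan report for hub5emu.sandai.net (127.0.0.1)
Host is up (0.0016s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
443/tcp  open     https
445/tcp  open     microsoft-ds
902/tcp  open     iss-realsecure
912/tcp  open     apex-mesh
1001/tcp filtered webpush
5357/tcp open     wsdapi
8000/tcp open     http-alt
8080/tcp open     http-proxy
8082/tcp open     blackice-alerts
Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds
"""

# Constructed sample of a host-discovery-only (-sn) run on the post's LAN;
# the MAC addresses are the ones quoted in the post, vendor names are made up.
PING_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-03 19:12
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
MAC Address: 8C:AB:8E:97:3E:E1 (Unknown)
Nmap scan report for 192.168.1.201
Host is up (0.11s latency).
MAC Address: 90:F0:52:A7:D9:07 (Meizu Technology)
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.20 seconds
"""


@dataclass
class HostReport:
    address: str
    hostname: Optional[str] = None
    up: bool = False
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    not_shown: int = 0
    ports: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # "135/tcp" -> (state, service)


REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
HOST_RE = re.compile(r"^Host is (up|down)(?: \(([\d.]+)s latency\))?")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) ")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp|sctp))\s+(\S+)\s+(\S+)")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")


def parse_nmap_output(text: str) -> Tuple[List[HostReport], Optional[Tuple[int, int]]]:
    """Return the per-host reports and the (scanned, up) totals from the footer."""
    hosts: List[HostReport] = []
    cur: Optional[HostReport] = None
    totals = None
    for line in text.splitlines():
        if (m := REPORT_RE.match(line)):
            cur = HostReport(address=m.group(2), hostname=m.group(1))
            hosts.append(cur)
        elif (m := DONE_RE.match(line)):
            totals = (int(m.group(1)), int(m.group(2)))
        elif cur is None:
            continue  # banner lines before the first host report
        elif (m := HOST_RE.match(line)):
            cur.up = m.group(1) == "up"
            cur.latency_s = float(m.group(2)) if m.group(2) else None
        elif (m := MAC_RE.match(line)):
            cur.mac = m.group(1).upper()
        elif (m := NOT_SHOWN_RE.match(line)):
            cur.not_shown = int(m.group(1))
        elif (m := PORT_RE.match(line)):
            cur.ports[m.group(1)] = (m.group(2), m.group(3))
    return hosts, totals


def open_ports(report: HostReport) -> List[int]:
    """Port numbers whose state is exactly 'open' (filtered ports are excluded)."""
    return sorted(int(p.split("/")[0]) for p, (state, _) in report.ports.items() if state == "open")


if __name__ == "__main__":
    hosts, totals = parse_nmap_output(PORT_SCAN)
    print(hosts[0].address, hosts[0].up, open_ports(hosts[0]), totals)
    hosts, totals = parse_nmap_output(PING_SCAN)
    print([(h.address, h.mac) for h in hosts if h.up], totals)
```

The "Not shown" count plus the listed ports adds up to the 1000 ports Nmap probes by default, which is a quick sanity check that nothing was lost in parsing.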

Scan hosts in a continuous range

If the scans below take too long, we can add the -sn option (e.g. nmap -sn 127.0.0.1): it only performs host discovery and does not scan ports. (Earlier versions used -sP; the effect is the same.)

Syntax: nmap [IP address range]

Example: nmap 192.168.1.1-255 or nmap 192.168.1.* (the gateway of my dormitory network is shown in the screenshot below). If you are also on Windows, look up your local network configuration to find the LAN range to scan. Any device in the LAN will be found, including Android and iOS phones, IoT smart speakers and other devices connected to the network.

Scan the entire subnet (C-segment live host probing)

Nmap supports Classless Inter-Domain Routing (CIDR) notation, which in the security field is commonly called C-segment (/24) live host probing. There are two main ways to write it: IP address plus mask length, or a * as the last octet of the IP address.

Command syntax: nmap [IP address/mask bits] or nmap [first three octets of the IP address].*

Example: nmap 192.168.1.1/24 or nmap 192.168.1.* (from the gateway information in my screenshot above, my subnet mask is 255.255.255.0, so the mask length is 24; both of these scans cover the same hosts as nmap 192.168.1.1-255 above, so I will not repeat the output here.)

Scan multiple non-contiguous hosts (-sn)

Command syntax: nmap [target 1 target 2 ... target n]

Example: nmap -sn 192.168.1.102 192.168.1.162 192.168.1.186 192.168.1.197 192.168.1.217 192.168.1.224 192.168.1.243 192.168.1.249

Exclude specified targets from the scan (--exclude)

When scanning a LAN, the device we are using is also in that LAN. We can choose to exclude our own device from the scan.

Command syntax: nmap [targets] --exclude IP1,IP2,...,IPn (separate multiple excluded addresses with commas and no spaces)

Example: nmap -sn 192.168.1.1/24 --exclude 192.168.1.162 (192.168.1.162 is my own computer's IP address) or nmap -sn 192.168.1.1/24 --exclude 192.168.1.162,192.168.1.1
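To check exactly which addresses a target specification covers before running a scan, here is an added example (my code, not from the post or from Nmap) that expands Nmap-style target specs (octet ranges, the * wildcard, CIDR) and applies an --exclude list. It also shows the one difference the sections above gloss over: 192.168.1.1-255 omits 192.168.1.0, the network address, while 192.168.1.* and 192.168.1.1/24 include it.

```python
# Added example (not from the original post, not Nmap's code): expand Nmap-style
# target specifications and apply --exclude, to see what a command line covers.
import ipaddress
from typing import Iterable, Set


def expand_target(spec: str) -> Set[str]:
    """Expand one target spec into a set of IPv4 address strings.

    Supported forms (the ones used in the post):
      192.168.1.1          single address
      192.168.1.1-255      a range in any octet, e.g. 192.168.1-2.1-10
      192.168.1.*          wildcard octet, same as 0-255
      192.168.1.1/24       CIDR notation (host bits are ignored, as Nmap does)
    """
    spec = spec.strip()
    if "/" in spec:
        # strict=False so 192.168.1.1/24 means the whole 192.168.1.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return {str(addr) for addr in net}
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    choices = []
    for octet in octets:
        if octet == "*":
            lo, hi = 0, 255
        elif "-" in octet:
            lo_s, hi_s = octet.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(octet)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet {octet!r} in {spec!r}")
        choices.append(range(lo, hi + 1))
    return {
        f"{a}.{b}.{c}.{d}"
        for a in choices[0] for b in choices[1] for c in choices[2] for d in choices[3]
    }


def expand_targets(specs: Iterable[str], exclude: str = "") -> Set[str]:
    """Expand several specs (as listed on an nmap command line) minus the
    comma-separated --exclude list; excluded entries may themselves be specs."""
    result: Set[str] = set()
    for spec in specs:
        result |= expand_target(spec)
    for ex in filter(None, exclude.split(",")):
        result -= expand_target(ex)
    return result


if __name__ == "__main__":
    rng = expand_target("192.168.1.1-255")
    star = expand_target("192.168.1.*")
    cidr = expand_target("192.168.1.1/24")
    print(len(rng), len(star), len(cidr), star == cidr, star - rng)
    kept = expand_targets(["192.168.1.1/24"], exclude="192.168.1.162,192.168.1.1")
    print(len(kept), "192.168.1.162" in kept)
```

Running it prints 255 for the dash range and 256 for the other two forms, with 192.168.1.0 as the only difference; in practice that address is the network address and never a live host, which is why the post treats the three forms as equivalent.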

Scan a list of addresses in a text file (-iL)

If some addresses need to be scanned frequently, typing them by hand for every scan is tedious. Store the common addresses in a text file (.txt) and pass the file as the target when scanning.

Command syntax: nmap -iL [text file]

Random selection of scan targets (-iR)

Nmap can also generate random targets to scan. (PS: to be honest, I don't know what this function is for. It feels a bit like asking for trouble!)

Command syntax: nmap -iR [number of targets]

Active host discovery (-sn)

I have already mentioned the role of -sn in finding active hosts. Because the default scan also involves port scanning, I will add this option to all my commands to reduce the amount of scanning and speed things up. Besides it I will also use --packet-trace, which is very useful for analysing how Nmap works: it prints the packets currently being sent, so we can see them directly.

Introduction to active host discovery technology

Active host: a host that is running and whose network functions are working normally.

In real life, a host that is permanently disconnected from the network, or even powered off, is inactive. Such hosts can be considered “perfectly safe” and are not the focus of our penetration testing.

How do we find out whether a host is active? Think of how you would determine whether a house is occupied: the most direct way is to knock on the door, and if someone is inside they will respond. The response might be “Who is it?”, or they might simply open the door. The person inside responds by default, and the same process works with computers, except that packets are sent instead of knocking. If the host responds, it is an active host.

The next question we need to solve is:

  1. What packet to send to the target host?
  2. Why does the target host respond to the packet it receives?

Understanding this part of the technology requires some knowledge of computer networking, at least the TCP/IP layered model, which is a simplified version of the OSI seven-layer model with the seven layers merged into four.

  • Data link layer (also called the network interface layer): works directly on the hardware; it is mainly responsible for receiving IP packets and sending them onto the target network.
  • Network layer: interconnects networks and forwards packets from one network to another based on their IP addresses. The well-known IP, ARP, ICMP and IGMP protocols live in this layer.
  • Transport layer: this layer has the fewest protocols, mainly TCP and UDP, which provide end-to-end service between two hosts. If you are interested, see my earlier blog post on using Python sockets for UDP and TCP communication.
  • Application layer: handles the requests sent by clients; the server responds and provides the corresponding service. Many protocols I am not familiar with are in this layer, such as HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol) and SMTP (Simple Mail Transfer Protocol). The application layer has the largest number of protocols. To learn more about a protocol, read the RFC documents on the official RFC website (the documents are in English, and the site supports several languages); for a Chinese version, see Protocol Analytics. Active host discovery involves protocols of the network, transport and application layers.

Host discovery based on ARP

Introduction to ARP

ARP: Address Resolution Protocol

  • TCP/IP protocol family: the network layer
  • Main problem solved: the mapping between logical addresses and physical addresses.

To understand this protocol we need to know what a logical address and a physical address are. Across a network we generally use two kinds of address, one logical and one physical. Within the same network segment (which can be thought of as the same LAN) physical addresses are generally used, while members of different network segments use logical addresses.

Why have so many kinds of address instead of one simple address? Consider an example: your mother wants to buy a feather duster online to beat you with, so she fills in a delivery address (Tianjin-Xiyu-Baishuicheng XXX community) for the courier to deliver it to your home; but if she finds there is already a feather duster at home (in the bedroom), you may be in trouble sooner. Here “Tianjin-Xiyu-Baishuicheng XXX community” corresponds to the logical address, and “the bedroom” to the physical address. A logical address is suitable for long-distance delivery but is not very precise, while a physical address pinpoints exactly where an object is. If there is already a feather duster in the house, it would be a hassle to have another delivered by courier using the logical address. Network designers, to avoid exactly this kind of problem, use both logical and physical addresses. We said above that hosts on the same network segment use physical addresses; “the same network segment” means hosts connected to the same switch (formerly a hub, now obsolete); common home routers today have a built-in switch.

My computer's logical address is currently 192.168.1.162. I want to communicate with host A at 192.168.1.1, but I do not know host A's physical address. I therefore need a protocol that can convert a logical address into a physical address: the Address Resolution Protocol (ARP), RFC 826.

Following the ARP rules, I send an ARP request whose content is roughly: “Hello, my logical address is 192.168.1.162 and my physical address is 9C:B6:D0:1B:8D:3D. Is the host with logical address 192.168.1.1 there? I need to communicate with you; please tell me your physical address and reply on receipt!” The packet is broadcast to all devices in the network segment, but only host A responds: “Hi! I am the host with logical address 192.168.1.1, and my physical address is 8C:AB:8E:97:3E:E1.” After this exchange I can communicate with host A normally.

Using the ARP protocol in Nmap (-PR)

  • Advantages: high accuracy, fast, precise results, and currently no effective defence (a host that does not follow the ARP protocol cannot establish normal communication at all!)
  • Disadvantages: can only scan hosts on the same network segment
  • Application scenario: the target host and the scanning host are on the same network segment

Command syntax: nmap -PR [target]

Example: nmap -sn -PR 192.168.1.201

Packets sent by Nmap when using ARP

I captured Nmap's ARP traffic with packet capture software; the request and the reply are shown below:

Frame 40: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface \Device\NPF_{7F4955F9-7D3D-4E3F-87E3-208309681200}, id 0
    Interface id: 0 (\Device\NPF_{7F4955F9-7D3D-4E3F-87E3-208309681200})
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov  3, 2020 19:12:27.387116000 China Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1604401947.387116000 seconds
    [Time delta from previous captured frame: 0.136665000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 2.494133000 seconds]
    Frame Number: 40
    Frame Length: 42 bytes (336 bits)
    Capture Length: 42 bytes (336 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
Ethernet II, Src: RivetNet_1b:8d:3d (9c:b6:d0:1b:8d:3d), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: RivetNet_1b:8d:3d (9c:b6:d0:1b:8d:3d)
    Type: ARP (0x0806)
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: RivetNet_1b:8d:3d (9c:b6:d0:1b:8d:3d)
    Sender IP address: 192.168.1.162
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 192.168.1.201

Frame 41: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface \Device\NPF_{7F4955F9-7D3D-4E3F-87E3-208309681200}, id 0
    Interface id: 0 (\Device\NPF_{7F4955F9-7D3D-4E3F-87E3-208309681200})
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov  3, 2020 19:12:27.493718000 China Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1604401947.493718000 seconds
    [Time delta from previous captured frame: 0.106602000 seconds]
    [Time delta from previous displayed frame: 0.106602000 seconds]
    [Time since reference or first frame: 2.600735000 seconds]
    Frame Number: 41
    Frame Length: 42 bytes (336 bits)
    Capture Length: 42 bytes (336 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:arp]
    [Coloring Rule Name: ARP]
    [Coloring Rule String: arp]
Ethernet II, Src: MEIZUTec_a7:d9:07 (90:f0:52:a7:d9:07), Dst: RivetNet_1b:8d:3d (9c:b6:d0:1b:8d:3d)
    Destination: RivetNet_1b:8d:3d (9c:b6:d0:1b:8d:3d)
    Source: MEIZUTec_a7:d9:07 (90:f0:52:a7:d9:07)
    Type: ARP (0x0806)
Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IPv4 (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: MEIZUTec_a7:d9:07 (90:f0:52:a7:d9:07)
    Sender IP address: 192.168.1.201
    Target MAC address: RivetNet_1b:8d:3d (9c:b6:d0:1b:8d:3d)
    Target IP address: 192.168.1.162
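To show what those two frames contain byte by byte, here is an added example (my code, not from the post or from Nmap) that rebuilds the request and the reply from the fields in the dump above with struct, parses them back, and, from the defender's side, counts how many distinct addresses each sender asked about, which is the trace an ARP sweep of a whole segment leaves in a capture. The sweep frames at the end are constructed for the demonstration.

```python
# Added example (not from the original post, not Nmap's code): build and parse
# the 42-byte Ethernet II + ARP frames shown in the capture above.
import struct
from dataclasses import dataclass
from typing import Dict, Iterable

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def kind(self) -> str:
        return {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(self.opcode, "unknown")


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Return a raw Ethernet II + ARP frame (14 + 28 = 42 bytes)."""
    # Requests are broadcast; a reply goes straight back to the requester.
    eth_dst = "ff:ff:ff:ff:ff:ff" if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol address sizes")
    body = frame[22:42]
    return ArpFrame(opcode=opcode,
                    sender_mac=mac_str(body[0:6]), sender_ip=ip_str(body[6:10]),
                    target_mac=mac_str(body[10:16]), target_ip=ip_str(body[16:20]))


# Frames 40 and 41 from the capture, rebuilt from the fields shown there.
REQUEST = build_arp(ARP_REQUEST, "9c:b6:d0:1b:8d:3d", "192.168.1.162",
                    "00:00:00:00:00:00", "192.168.1.201")
REPLY = build_arp(ARP_REPLY, "90:f0:52:a7:d9:07", "192.168.1.201",
                  "9c:b6:d0:1b:8d:3d", "192.168.1.162")


def requesters_by_target_count(frames: Iterable[bytes]) -> Dict[str, int]:
    """Defender view: number of distinct IPs each sender MAC asked about.
    One MAC asking for many addresses in a short time is what a -PR sweep
    of a segment looks like on the wire."""
    asked: Dict[str, set] = {}
    for frame in frames:
        a = parse_arp(frame)
        if a.opcode == ARP_REQUEST:
            asked.setdefault(a.sender_mac, set()).add(a.target_ip)
    return {mac: len(ips) for mac, ips in asked.items()}


if __name__ == "__main__":
    for f in (REQUEST, REPLY):
        print(len(f), parse_arp(f))
    # constructed sweep: one host asks for 192.168.1.1 .. 192.168.1.20
    sweep = [build_arp(ARP_REQUEST, "9c:b6:d0:1b:8d:3d", "192.168.1.162",
                       "00:00:00:00:00:00", f"192.168.1.{i}") for i in range(1, 21)]
    print(requesters_by_target_count(sweep + [REPLY]))
```

The target MAC of the request is all zeros and the Ethernet destination is the broadcast address, exactly as in frame 40; the reply carries the answering host's MAC in the sender field and is addressed directly to the requester, as in frame 41.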

ICMP-based host discovery

ICMP protocol introduction

ICMP: Internet Control Message Protocol

  • TCP/IP protocol family: the network layer
  • Main problem solved: transferring control messages between IP hosts and routers.

Compared with ARP, ICMP is more complex. As shown in the following figure, ICMP messages are divided into error-report messages and query messages.

The ones we can use for host discovery are mainly the query messages:

  1. Echo request / echo reply: used to test whether the link between sender and receiver and the target host's TCP/IP stack are working (if a reply comes back, the TCP/IP stack is working). The ping command we have used for years is based on this message.
  2. Timestamp request / reply: an ICMP timestamp request lets a system ask another system for its current time.
  3. Address mask request / reply: an ICMP address mask request is sent by the source host; a diskless system uses it to obtain its own subnet mask during boot. The RFC requires some authorization before a host answers this request, but not all devices follow the rule.

Using ICMP in Nmap (-PE, -PP, -PM)

Note: from here on, do not test against hosts on the same network segment; I explain the reason in the section on scanning hosts on the same network segment below!

  1. Send an echo request

    Command syntax: nmap -PE [target]

    Example: nmap -sn -PE 218.199.144.6
  2. Send a timestamp request

    Command syntax: nmap -PP [target]

    Example: nmap -sn -PP 218.199.144.6
  3. Send an address mask request

    Command syntax: nmap -PM [target]

    Example: nmap -sn -PM 218.199.144.6

Because ICMP is a focus of many security mechanisms (it is frequently filtered), the accuracy of all ICMP-based scan results is not high.

Ping scan (-PI)

Ping scan needs no further introduction here: nmap -PI works on the same principle as running the ping command directly. Any machine that can be pinged normally can be found with -PI.

Host discovery based on TCP

TCP protocol introduction

TCP: Transmission Control Protocol

  • TCP/IP protocol family: transport layer
  • Purpose: a connection-oriented, reliable, byte-stream-based transport-layer communication protocol.

If you have computer networking background, you probably know the TCP three-way handshake.

Three-way handshake process:

  1. The client sends a connection request (SYN: synchronize) to the server carrying a sequence number x, and enters the SYN_SENT state.
  2. On receiving the connection request, the server replies with an acknowledgement plus its own connection request (SYN+ACK) carrying its own value y and x+1, and enters the SYN_RCVD state.
  3. The client receives the server's acknowledgement, replies with an acknowledgement (ACK: acknowledgement) carrying y+1, and the connection enters the ESTABLISHED state.

When it comes to transport-layer protocols we have to mention ports. Every transport-layer protocol works on some port. The most vivid analogy for a port is the door of a house: a host that provides several services (an SMTP service, etc.) opens several “doors”, each service is reached through a different door, and that “door” is the port. I will cover ports in more detail under port scanning techniques below.

I mention ports here because protocols like TCP and UDP, which run at the transport layer, need not only the destination host's IP address but also a port.

Using TCP in Nmap

TCP connection establishment (SYN) scan (-PS)

Nmap sends a connection-establishment (SYN) packet to the target host, by default to port 80. When the target receives it, it assumes we want to establish a connection with that port. If the port is open, the target follows the rules of the TCP three-way handshake and replies with an acknowledgement/connection-establishment (SYN/ACK) packet. If the port is closed, the target rejects the connection and replies with a reset (RST) signal. We do not actually care whether the target's port is open: as long as it responds to our probe, it is an active host.

Command syntax: nmap -PS[port 1,port 2,port 3,...] [target] (no space between -PS and the port list)

Example: nmap -sn -PS --packet-trace 218.199.144.6

Multiple ports can be specified manually: nmap -sn -PS22,80,113,1050,35000 218.199.144.6 or nmap -sn -PS22-25 218.199.144.6. However, when only host discovery is performed (-sn), Nmap stops probing the remaining ports as soon as the host is found to be active. If you want to probe several ports, it is best not to add -sn.

Note: if the target's port is open and it sends us the acknowledgement/connection-establishment (SYN/ACK) packet, Nmap does not return the acknowledgement (ACK) that would complete the connection; it sends a reset (RST) to cancel the connection instead, because this may avoid being logged by the other side and reduce the chance of detection.

TCP acknowledgement (ACK) scan (-PA)

Here the acknowledgement scan is not the final acknowledgement of the TCP three-way handshake: an acknowledgement (ACK) is sent directly to the target host, which obviously has no idea what it belongs to and can only answer with a reset (RST) signal.

Command syntax: nmap -PA[port 1,port 2,port 3,...] [target]

Example: nmap -sn -PA 218.199.144.6

Note: in the real world, however, most security mechanisms filter out such out-of-context packets, which causes Nmap to misjudge the host.

UDP-based host discovery

UDP protocol introduction

UDP: User Datagram Protocol

  • TCP/IP protocol family: transport layer
  • Purpose: UDP does the same job as TCP but is connectionless.

My blog post on Python sockets explains the differences between UDP and TCP. Because UDP has no three-way handshake to establish a connection, scanning UDP ports is harder than scanning TCP ports, and the results are not as reliable. Without a connection we can only use another feature of UDP for host discovery: if a UDP port receives a UDP packet and the port is closed, the host sends an ICMP port unreachable message back to the source; if the port is open, nothing is returned unless specially configured. Based on this we can use UDP for host discovery. With this method we try to avoid the common UDP service ports (DNS: port 53, SNMP: port 161), because if we send a UDP packet and get no response, the reason may be an inactive host, but it may equally be an open port (or the packet may have been lost in transit).

Using UDP in Nmap (-PU)

When scanning for active hosts with UDP, Nmap automatically chooses a high-numbered port.

Command syntax: nmap -PU [target]

Example: nmap -sn -PU 192.168.43.97

If we receive a response from the target host, we know that it is active.
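The three probe types above (-PS, -PA, -PU) differ in how a target's stack answers and in what silence means. The following added example (a hypothetical model written for this page, not Nmap's code) simulates a target with a port table and two optional "security mechanisms", and shows what the scanning side can conclude from each reply, including the scanner's own RST after a SYN/ACK and the UDP case where no reply is ambiguous.

```python
# Added example (not from the original post, not Nmap's code): a toy model of
# how a target's TCP/UDP stack answers -PS, -PA and -PU probes and what the
# scanning side can infer. Port tables and firewall flags are hypothetical.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Target:
    """A live host as seen by the probes; every field is constructed."""
    open_tcp: Set[int] = field(default_factory=set)
    open_udp: Set[int] = field(default_factory=set)
    stateful_firewall: bool = False  # drops TCP segments belonging to no connection
    drop_icmp_errors: bool = False   # never sends ICMP port unreachable


def reply_to(target: Target, probe: str, port: int) -> Optional[str]:
    """Wire-level reply a live target sends to one probe; None means silence."""
    if probe == "SYN":  # -PS
        # A SYN is a legitimate new-connection attempt whatever the firewall
        # state: open port -> SYN/ACK, closed port -> RST (both prove 'up').
        return "SYN/ACK" if port in target.open_tcp else "RST"
    if probe == "ACK":  # -PA
        # An ACK matching no connection: a stateful firewall silently drops
        # it; an unprotected host answers RST, which is what -PA relies on.
        return None if target.stateful_firewall else "RST"
    if probe == "UDP":  # -PU
        if port in target.open_udp:
            return None  # open UDP ports usually say nothing to an empty datagram
        return None if target.drop_icmp_errors else "ICMP port unreachable"
    raise ValueError(f"unknown probe type {probe!r}")


def infer_state(reply: Optional[str]) -> str:
    """Scanner side: any reply proves the host is up; silence proves nothing,
    since it may mean a down host, a filtered probe, an open UDP port or loss."""
    return "up" if reply is not None else "unknown"


def scanner_followup(reply: Optional[str]) -> Optional[str]:
    """After a SYN/ACK the scanner tears the half-open connection down with
    RST instead of completing the handshake with ACK."""
    return "RST" if reply == "SYN/ACK" else None


def host_discovery(target: Target, probe: str, port: int,
                   host_is_up: bool = True) -> Tuple[Optional[str], str]:
    """One probe against one target; a powered-off host never answers."""
    reply = reply_to(target, probe, port) if host_is_up else None
    return reply, infer_state(reply)


if __name__ == "__main__":
    plain = Target(open_tcp={80, 443}, open_udp={53})
    guarded = Target(open_tcp={80}, stateful_firewall=True, drop_icmp_errors=True)
    for name, t in (("plain", plain), ("guarded", guarded)):
        for probe, port in (("SYN", 80), ("SYN", 8080), ("ACK", 80), ("UDP", 53), ("UDP", 40125)):
            print(name, probe, port, host_discovery(t, probe, port))
```

The "guarded" target answers only the SYN probe, which is why the post recommends -PS over -PA and -PU when a security mechanism is in the way, and why a silent UDP probe on a well-known port such as 53 tells the scanner nothing.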

Host discovery based on SCTP

SCTP: Stream Control Transmission Protocol

  • TCP/IP protocol family: transport layer
  • Purpose: a connection-oriented, reliable, message-stream-based transport-layer communication protocol that supports connections over multiple addresses at once (multi-homing).

SCTP is used far less than TCP and UDP, which sit at the same layer, largely because SCTP (RFC 2960) appeared about 20 years later than TCP (RFC 793) and UDP (RFC 768).

Introduction to the SCTP protocol

To learn more about the SCTP protocol, see this blog post: SCTP Protocol Details

Using the SCTP protocol in Nmap (-PY)

Currently not many hosts support this protocol, so it can only serve as a backup method.

Command syntax: nmap -PY [target]

Example: nmap -sn -PY 192.168.43.97

IP protocol in Nmap

IP protocol introduction

The IP protocol is the core protocol and carrier of the TCP/IP protocol suite (which consists of all the protocols in the four-layer TCP/IP model). ICMP and IGMP at the network layer, and TCP and UDP at the transport layer, are all carried in IP packets. The protocol field is 8 bits long and identifies which protocol handed its data to IP: for example, ICMP is 1, IGMP is 2, IP-in-IP is 4, TCP is 6, UDP is 17 and GRE is 47. By default Nmap uses ICMP, IGMP and IP-in-IP, but in theory hundreds of different IP protocol numbers are available.

Specifying IP protocols in Nmap (-PO)

Command syntax: nmap -PO[protocol list] [target]

Example: nmap -sn -PO 192.168.1.201 is equivalent to nmap -sn -PO1,2,4 192.168.1.201 (the O in -PO is the capital letter O, not the digit 0!)

The packets sent by this method carry no payload and are easily filtered out by the target's security mechanisms. To avoid that, we can use --data-length [number of random bytes to append].

Example: nmap -sn -PO6,17 --data-length 25 192.168.1.201

DNS-related options in Nmap (-R or -n)

DNS: Domain Name System

  • TCP/IP protocol family: application layer.
  • Main problem solved: resolving the site name you type into the site's real IP address.

Most web servers that provide external services have their own domain names. With some Nmap options we can reverse-resolve the domain name from the IP address. If the site you are testing runs on several distributed servers, this technique can obtain the domain name and from it more related server IPs. By default Nmap only performs reverse resolution for targets found to be active, but -R forces reverse resolution for every target.

Command syntax: nmap -R [destination IP address]



If the target host is not protected, we can see the domain name bound to the IP address.

If we already know the host's IP address and do not want DNS lookups while scanning for active hosts, use -n instead of -R.

Other host-discovery-related options

Skip host discovery (-P0, -Pn)

All of Nmap's host discovery methods are active, so the target host may detect them and apply defences or interception. On the other hand, by Nmap's design, if the target is judged inactive after host discovery, port scanning, OS detection and the other techniques will not be run against it.

If we already know the host's exact IP address by some other means, we can skip the host discovery phase and avoid being detected and intercepted by the other host's firewall. Skipping is simple: add either -P0 or -Pn and Nmap skips host discovery for the target and forces it to be treated as active. The two options are the same; earlier versions used -P0, and -Pn was added probably to avoid confusion with -PO.

Command syntax: nmap -Pn [destination IP address]

We can try it on an arbitrary unreachable IP, for example: nmap -sn -Pn 22.22.22.22

Scanning hosts on the same network segment

During my tests I mostly used hosts on the same network segment, but scanning them this way is actually problematic: by design, Nmap first determines whether the target host is on the same network segment as the Nmap host, and if it is, it uses ARP scanning directly, overriding the scan mode we specified.

nmap -sn --packet-trace 22.22.22.22
nmap -sn --packet-trace 192.168.1.201



Even if the scan mode is specified explicitly, only ARP is used:

nmap -sn -PY --packet-trace 22.22.22.22
nmap -sn -PY --packet-trace 192.168.1.200

Conclusion

Checking progress

Some Nmap scans are slow; while one is running we can press a key (e.g. the space bar) to display the current scan progress.

PS: do not press Ctrl+C!!! That is the command to stop the scan.

Observing the packets Nmap sends (--packet-trace)

There are two ways to look at the packets Nmap sends:

  1. Use the --packet-trace option, which makes Nmap print the relevant requests: not everything, but almost everything we want to see.
  2. Use packet capture software. Because Nmap sends a wide variety of packets, I recommend Wireshark: it is powerful, free, and has a Chinese interface. With packet capture software we can view the full details of the packets Nmap sends.

Basic usage and host discovery parameters

Option            Role
-sn               Scan multiple non-contiguous hosts (list several targets)
--exclude         Exclude specified targets from the scan
-iL               Scan a list of addresses in a text file
-iR               Randomly choose scan targets
-sn               Perform active host discovery only
--packet-trace    Show the packets currently being sent
-PR               ARP host discovery
-PE               ICMP echo request host discovery
-PP               ICMP timestamp request host discovery
-PM               ICMP address mask request host discovery
-PI               Ping (ICMP echo request) scan
-PS               TCP connection establishment (SYN) scan host discovery
-PA               TCP acknowledgement (ACK) scan host discovery
-PB               Default ping option: TCP acknowledgement (ACK) scan (-PT) and ping (ICMP echo request) scan (-PI) run in parallel
-PU               UDP scan host discovery
-PY               SCTP scan host discovery
-PO               IP protocol host discovery
-R or -n          DNS-related options
-P0, -Pn          Skip host discovery