A firewall or filtering device (such as a router or firewall software) blocked the probe from reaching the port, so the scan learns little. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common.
Greatly increases scan time: This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically. Nmap retries the probe several times to rule out loss caused by congestion rather than filtering.
-sS (TCP SYN scan) half-open scan: Nmap sends a SYN packet; a SYN-ACK (or SYN) reply means open, an RST reply means closed; an RST is then sent to tear the half-open connection down.
(filtered) If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. In short: no reply after several probes, or an ICMP unreachable error, means filtered.
-sT (TCP connect scan) full-connect scan: used when SYN scan (-sS) is not an option (e.g. running as a non-root user).
TCP connect scan: because a full three-way handshake is completed, the connection attempt is logged by the target host.
If you scan with -sT and connect to a port, the target's syslog or other log files may contain an entry like: Connection attempt from [IP] to [target port] closed without data. Such entries show that a scanner tried to establish a connection but never sent any data.
-sU (UDP scan) slow (open|filtered ports need retransmissions and waiting, and the ICMP port unreachable replies that identify closed ports are rate-limited by default, especially on Linux and Solaris)
Can be combined with -sS to check whether the target speaks both protocols in one run. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified. Without those options the probe is generally an empty packet.
(closed) ICMP port unreachable error (type 3, code 3)
(filtered) other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13)
(open) occasionally a service responds with a UDP packet, proving that it is open
(open|filtered) no response is received after retransmissions
Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common, yet some security auditors ignore these ports.
Unfortunately, a Linux-style limit of one packet per second makes a 65,536-port scan take more than 18 hours.
-sY (SCTP INIT scan) half-open scan. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.
-sN; -sF; -sX (TCP NULL, FIN, and Xmas scans) As long as none of those three bits (SYN, RST, or ACK) are included, any combination of the other three (FIN, PSH, and URG) is OK.
(open|filtered) no response at all
(closed) any packet not containing SYN, RST, or ACK bits will result in a returned RST
(filtered) an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13)
Null scan (-sN): does not set any bits (TCP flag header is 0). FIN scan (-sF): sets just the TCP FIN bit. Xmas scan (-sX): sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
Can sneak through certain non-stateful firewalls and packet filtering routers, and are a little more stealthy than even a SYN scan (don't count on this though: most modern IDS products can be configured to detect them). A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Mainly useful against Unix.
-sA (TCP ACK scan) used to 1. map out firewall rulesets, 2. determine whether they are stateful or not, and 3. determine which ports are filtered.
Probe has only the ACK flag set.
(unfiltered) When scanning unfiltered systems, open and closed ports will both return a RST packet.
(filtered) Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13)
-sW (TCP Window scan) an ACK scan that also examines the TCP Window field of the returned RST packets.
(open) positive window value
(closed) zero window value
(filtered) Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13)
This scan relies on an implementation detail of a minority of systems out on the Internet, so you can't always trust it. Only a small number of systems behave this way. Systems that don't support it will usually return all ports closed.
If most scanned ports are closed but a few common port numbers (such as 22, 25, 53) are filtered, the system is most likely susceptible: a firewall or filtering device is present, but misconfiguration or imperfectly hidden services may still leave some ports exposed. Occasionally, systems will even show the exact opposite behavior. If your scan shows 1,000 open ports and three closed or filtered ports, then those three may very well be the truly open ones, and the other "open" ports are deliberately hidden or misreported.
-sM (TCP Maimon scan) This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK (the FIN and ACK flags set together).
BSD-derived systems: (open) many BSD-derived systems simply drop the packet if the port is open. (closed) an RST packet is returned. Modern systems: return an RST regardless of whether the port is open or closed (still usable to tell whether the host is up).
--scanflags (Custom TCP scan) set arbitrary TCP flags yourself. Just mash together any combination of URG, ACK, PSH, RST, SYN, and FIN. For example, --scanflags URGACKPSHRSTSYNFIN sets everything; the order of the flag names does not matter.
-sI (idle scan) The scanner sends a packet (for example a SYN) to the zombie host so that it interacts with the target. The zombie then generates response packets carrying IP fragmentation IDs. By analysing how the zombie's fragmentation ID changes, the scanner infers whether the target port is open, closed or filtered.
Zombies can be used to map IP-based trust relationships. If a zombie host is trusted by the target (for example through router or firewall rules), it can be used to scan stealthily.
The target port's state is inferred from the changes in the zombie's IP fragmentation ID sequence.
-sO (IP protocol scan) sends IP packet headers and iterates through the eight-bit IP protocol field, trying to identify which protocols are active on the target host. The probes are usually empty, containing no data and not even the proper header for the claimed protocol, except for TCP, UDP, ICMP, SCTP and IGMP: for those Nmap attaches a proper protocol header, because some systems won't send them otherwise and Nmap already has functions to create them.
(open) ICMP port unreachable (type 3, code 3)
(closed) an ICMP protocol unreachable error (type 3, code 2)
(filtered) other ICMP unreachable errors (type 3, code 0, 1, 9, 10, or 13); these prove at the same time that ICMP itself is open
(open|filtered) no response is received after retransmissions
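The response-to-state rules above, collected into one decision function as an added example (not Nmap's own code); the reply dicts and the sample replies are constructed here, not captured from a scan.

```python
# Added example, not Nmap's own code: the response-to-state rules listed above
# for -sS, -sU, -sN/-sF/-sX/-sM, -sA, -sW and -sO, collected in one function.
# A response is a small dict the caller builds (constructed here, not captured
# from a real scan); None means nothing came back after all retransmissions.

FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}   # ICMP type 3 codes => filtered (TCP scans)

def classify(scan, resp):
    """Return the Nmap state for one probe of scan type `scan` given reply `resp`."""
    if resp is None:
        # Silence: filtered for -sS/-sA/-sW, open|filtered for UDP, NULL/FIN/Xmas/Maimon, -sO
        return "filtered" if scan in ("-sS", "-sA", "-sW") else "open|filtered"
    kind = resp["kind"]
    if kind == "icmp":
        if resp.get("type") != 3:              # only destination-unreachable is meaningful here
            return "unknown"
        code = resp["code"]
        if scan == "-sU":                      # port unreachable = closed, other codes = filtered
            return "closed" if code == 3 else "filtered"
        if scan == "-sO":                      # port unreachable = open, protocol unreachable = closed
            return {3: "open", 2: "closed"}.get(code, "filtered")
        return "filtered" if code in FILTERED_CODES else "unknown"
    if kind == "udp":
        return "open"                          # a UDP reply proves the port is open (-sU)
    flags = set(resp["flags"])                 # TCP reply: look at its flags
    if scan == "-sS":
        if "SYN" in flags:                     # SYN/ACK (or a bare SYN) means open
            return "open"
        return "closed" if "RST" in flags else "unknown"
    if scan in ("-sN", "-sF", "-sX", "-sM"):   # any RST means closed (or a host that RSTs everything)
        return "closed" if "RST" in flags else "unknown"
    if scan == "-sA":                          # RST from an open or closed port: unfiltered
        return "unfiltered" if "RST" in flags else "unknown"
    if scan == "-sW" and "RST" in flags:       # RST with positive window = open, zero = closed
        return "open" if resp.get("window", 0) > 0 else "closed"
    return "unknown"

# Constructed sample replies, interpreted under several scan types
SAMPLE = {
    "syn_ack":    {"kind": "tcp", "flags": ["SYN", "ACK"], "window": 64240},
    "rst_win0":   {"kind": "tcp", "flags": ["RST"], "window": 0},
    "icmp_admin": {"kind": "icmp", "type": 3, "code": 13},
    "silence":    None,
}

def demo(scans=("-sS", "-sA", "-sW", "-sU")):
    """Map every sample reply to its state under each scan type."""
    return {name: {s: classify(s, r) for s in scans} for name, r in SAMPLE.items()}
```

Running demo() shows the same RST-with-zero-window reply read as closed by -sS, unfiltered by -sA and closed by -sW, which is why the scan type must be known before a result line is interpreted.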
-b <FTP relay host> (FTP bounce scan)
It takes an argument of the form <username>:<password>@<server>:<port>. <server> is the name or IP address of a vulnerable FTP server.
If you are just trying to cover your tracks, you don't need to (and, in fact, shouldn't) limit yourself to hosts on the target network. Before you go scanning random Internet addresses for vulnerable FTP servers, consider that sysadmins may not appreciate you abusing their servers in this way.
(-p-) The beginning and/or end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan ports from 1 through 65535. (-sO protocol range) For IP protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).
-p U:53,111,137,T:21-25,80,139,8080
(protocol qualifier) If no protocol qualifier is given, the port numbers are added to all protocol lists.
(wildcards) You can even use the wildcards * and ? with the names. For example, to scan FTP and all ports whose names begin with "http", use -p ftp,http*.
([-1024]) the following will scan all ports in nmap-services equal to or below 1024: -p [-1024].
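A parser for the -p port-specification rules above, written as an added example (not Nmap's own code); the SERVICES name table is a constructed stand-in for nmap-services, and the function and variable names are this example's own.

```python
import fnmatch
import re

# Added example, not Nmap's own code: a parser for the -p syntax above.  Ranges
# may omit either end (1 and 65535 are substituted, so "-" means everything),
# T:/U:/S: qualifiers switch the protocol list until the next qualifier, ports
# before any qualifier go onto every list, [..] keeps only nmap-services ports,
# and names with * or ? are matched against a constructed stand-in table.
SERVICES = {"ftp": 21, "ssh": 22, "domain": 53, "http": 80,
            "https": 443, "http-alt": 8080, "http-proxy": 8081}
PROTOCOLS = {"T": "tcp", "U": "udp", "S": "sctp"}

def parse_port_spec(spec):
    """Return {"tcp": set, "udp": set, "sctp": set} for an Nmap -p argument."""
    lists = {proto: set() for proto in PROTOCOLS.values()}
    current = None                                # None: no qualifier seen yet
    for item in spec.split(","):
        if not item:
            continue
        m = re.match(r"^([TUS]):(.*)$", item)      # qualifier glued to an element, e.g. U:53
        if m:
            current, item = PROTOCOLS[m.group(1)], m.group(2)
        ports = expand_item(item)
        targets = lists.values() if current is None else [lists[current]]
        for target in targets:
            target.update(ports)
    return lists

def expand_item(item):
    """Expand one comma-separated element into a set of port numbers."""
    m = re.match(r"^\[(.*)\]$", item)             # [range]: only ports known to nmap-services
    if m:
        return expand_item(m.group(1)) & set(SERVICES.values())
    m = re.match(r"^(\d*)-(\d*)$", item)          # numeric range with optional ends
    if m:
        lo = int(m.group(1) or 1)
        hi = int(m.group(2) or 65535)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item}")
        return set(range(lo, hi + 1))
    if item.isdigit():
        port = int(item)
        if port > 65535:
            raise ValueError(f"bad port: {item}")
        return {port}
    names = fnmatch.filter(SERVICES, item)        # service name, with * and ? wildcards
    if not names:
        raise ValueError(f"unknown service: {item}")
    return {SERVICES[name] for name in names}
```

Note that http* also matches https in the table, exactly as it would against the real nmap-services file.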
--exclude-ports <port ranges> (Exclude the specified ports from scanning) which ports to leave out