Different behaviour: "sudo nmap" vs "nmap"?

the*_*edp 11 · tags: networking, sudo, nmap, macos

I am trying to run a simple port scan with nmap:

$ nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Nmap scan report for 192.168.56.101
Host is up (0.0048s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
5555/tcp  open  freeciv
24800/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

But when I try the same thing with sudo, it fails, claiming the host is down:

$ sudo nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.48 seconds

Note:
I am on OS X Yosemite.
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin14)

Thank you.

Flo*_*abé 12

By default, an unprivileged scan uses -sT (TCP connect), while a privileged (root) scan uses -sS (TCP SYN stealth).

TCP Connect (-sT): Connect scan uses the system call of the same name to scan machines, rather than relying on raw packets as most other methods do. It is usually used by unprivileged Unix users and against IPv6 targets, because SYN scan does not work in those cases.

TCP SYN Stealth (-sS): This is by far the most popular scan type, because it is the fastest way to scan the ports of the most popular protocol (TCP). It is stealthier than connect scan, and it works against all functional TCP stacks (unlike some special-purpose scans such as FIN scan).

1) To figure out what is happening on your machine, I suggest using extra verbosity (-vv) or --packet-trace to see what goes on.

$ sudo nmap --packet-trace -vv 192.168.56.101

2) Another approach is to force an unprivileged scan while running as the privileged user, with the following commands, and look at the results.

$ sudo nmap -sT -vv 192.168.56.101
$ sudo nmap --unprivileged -vv 192.168.56.101

3) Finally, the reason nmap stops scanning is that its ICMP Type 8 (echo, a.k.a. ping) gets no ICMP Type 0 (echo reply) back. This command skips the ping and proceeds with the scan:

$ sudo nmap -PN 192.168.56.101

Could you try these commands and post the output?


voi*_*ces 5

Basically, by default:

  • Privileged users perform -sS (TCP SYN scan).
    This type of scan requires raw socket / raw packet privileges.
  • Unprivileged users perform -sT (TCP connect scan).
    This type of scan does not require raw socket / raw packet privileges.

Adapted from Nmap's official documentation:

PORT SCANNING TECHNIQUES
  Most of the scan types are only available to privileged users. This is because they are able to send and receive raw packets, which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.

--privileged (Assume that the user is fully privileged).
  Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on Unix systems. By default, Nmap quits if such operations are requested but geteuid is not zero. --privileged is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users to perform raw-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan, OS detection, etc.). The NMAP_PRIVILEGED environment variable may be set as an equivalent alternative to --privileged.

-sS (TCP SYN Scan).
  TCP SYN Scan is the default scan option for privileged users. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections. A TCP SYN Scan works against any compliant TCP stack rather than depending on the idiosyncrasies of specific platforms (as Nmap's other scans do). It allows clear, reliable differentiation between the open, closed, and filtered states.
  This technique is often referred to as a Half-Open Scan, because it doesn't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener (closed). If a SYN/ACK is received, a RST is immediately sent to tear down the connection. The primary advantage of this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection. (https://nmap.org/misc/split-handshake.pdf)

--unprivileged (Assume that the user lacks raw socket privileges).
  This option is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or if the raw network functionality of your operating system is somehow broken. The NMAP_UNPRIVILEGED environment variable may be set as an equivalent alternative to --unprivileged.

-sT (TCP Connect Scan).
  TCP Connect Scan is the default TCP scan type for unprivileged users. This is the most basic form of TCP scanning. The connect() system call, provided by your operating system, is used to open a connection to some interesting ports on the machine. If the port is listening, then connect() will succeed, otherwise the port is filtered. One strong advantage of this technique is that it doesn't require any special privileges. Usually, on most UNIX boxes, any user can make this call because it doesn't involve writing raw packets like most other scan types do. This connect() call is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.
  When the TCP SYN Scan is available, it is usually a better choice. Nmap has less control over the high-level connect() call than with raw packets, making it less efficient. Rather than performing the half-open reset that a SYN Scan does, the connect() system call makes complete connections to open target ports. This not only takes longer, it requires sending more packets to obtain the same information, and target machines are more likely to log the connection. A decent IDS will catch either. Most machines, however, have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been TCP Connect Scanned.
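As an added example (not part of either answer above, and not Nmap's own code), the script below implements in Python the two mechanisms both answers describe: the connect()-based probe that unprivileged nmap uses for -sT and for host discovery, and the hand-built TCP SYN segment that -sS sends through a raw socket, together with the privilege test that decides which one nmap defaults to. It runs against a listener it starts itself on 127.0.0.1, so the port numbers are chosen at run time; the 192.168.56.x addresses and source port 40000 in the usage are borrowed from the question's network purely for illustration.

```python
import socket
import struct


def connect_scan(host, ports, timeout=1.0):
    """The -sT mechanism: one full connect() per port, no raw packets.
    Completed handshake -> open; ECONNREFUSED (a RST came back) -> closed;
    timeout or unreachable -> filtered."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:                  # timeout, EHOSTUNREACH, ...
                results[port] = "filtered"
    return results


def host_is_up_connect(host, ports=(80, 443), timeout=1.0):
    """Unprivileged host discovery (non-root nmap cannot send the ICMP echo or
    raw SYN/ACK probes root nmap uses, so it connect()s to a few ports).
    A completed connection *or* a RST both prove the host is alive."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return True
            except ConnectionRefusedError:
                return True
            except OSError:
                continue
    return False


def raw_socket_available():
    """Whether this process may open a raw socket. nmap decides by
    geteuid() == 0 (or --privileged / --unprivileged); here we simply try."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError:                          # EPERM for non-root / no CAP_NET_RAW
        return False
    s.close()
    return True


def default_scan_type():
    """Mirror nmap's default: SYN scan when raw sockets work, else connect."""
    return "-sS" if raw_socket_available() else "-sT"


def checksum(data):
    """RFC 1071 one's-complement sum used for the TCP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)


def build_syn_segment(src_ip, dst_ip, src_port, dst_port, seq=0):
    """What -sS puts on the wire: a 20-byte TCP header with only SYN set and no
    payload. Sending it needs the raw socket above; SYN/ACK back means open,
    RST means closed, silence means filtered (after retransmissions)."""
    SYN = 0x02
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      5 << 4, SYN, 65535, 0, 0)   # data offset = 5 words
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def syn_segment_valid(src_ip, dst_ip, segment):
    """Receiver-side check: pseudo-header + segment must sum to zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def demo():
    """Exercise the connect()-based pieces against a listener we start on
    127.0.0.1 (a constructed fixture, not a real target)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))             # reserve a second port, then free it
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        scan = connect_scan("127.0.0.1", [open_port, closed_port])
        up = host_is_up_connect("127.0.0.1", ports=(closed_port,))
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "scan": scan,
            "host_up_via_rst": up, "default_scan": default_scan_type()}


if __name__ == "__main__":
    print(demo())
    seg = build_syn_segment("192.168.56.1", "192.168.56.101", 40000, 5555)
    print(seg.hex(), syn_segment_valid("192.168.56.1", "192.168.56.101", seg))
```

Run it once as a normal user and once under sudo and compare default_scan_type(): that is the same fork in the road the question hit. The host_up_via_rst result is the practical point behind item 3 of the first answer: a refused connection is still proof of life, which is one reason a connect()-based discovery can report a host as up where an ICMP echo goes unanswered and the raw-packet path needs -Pn to continue.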