《Nmap渗透测试指南》—第2章2.4节无Ping扫描

本节书摘来自异步社区《Nmap渗透测试指南》一书中的第2章2.4节无Ping扫描，作者 商广明,更多章节内容可以访问云栖社区“异步社区”公众号查看。

2.4　无Ping扫描
表2.3所示为本章节所需Nmap命令表，表中加粗命令为本小节所需命令——无Ping扫描。

无Ping扫描通常用于防火墙禁止Ping的情况下，它能确定正在运行的机器。默认情况下，Nmap只对正在运行的主机进行高强度的探测，如端口扫描、版本探测或者操作系统探测。用-P0禁止主机发现会使Nmap对每一个指定的目标IP地址进行所要求的扫描，这可以穿透防火墙，也可以避免被防火墙发现。需要注意的是，-P0的第二个字符是数字0而不是字母O。使用“nmap -P0【协议1、协议2】【目标】”进行扫描。

root@Wing:~# nmap -P0 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 19:17 CST
Nmap scan report for 192.168.126.131
Host is up (0.0044s latency).
Not shown: 977 closed ports
PORT　　 STATE SERVICE
21/tcp　 open　ftp
22/tcp　 open　ssh
23/tcp　 open　telnet
25/tcp　 open　smtp
53/tcp　 open　domain
80/tcp　 open　http
111/tcp　open　rpcbind
139/tcp　open　netbios-ssn
445/tcp　open　microsoft-ds
512/tcp　open　exec
513/tcp　open　login
514/tcp　open　shell
1099/tcp open　rmiregistry
1524/tcp open　ingreslock
2049/tcp open　nfs
2121/tcp open　ccproxy-ftp
3306/tcp open　mysql
5432/tcp open　postgresql
5900/tcp open　vnc
6000/tcp open　X11
6667/tcp open　irc
8009/tcp open　ajp13
8180/tcp open　unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
root@Wing:~#

如果没有指定任何协议，Nmap会默认使用协议1、协议2、协议4，如果想知道这些协议是如何判断目标主机是否存活可以使用 --packet-trace选项。

root@Wing:~# nmap -p0 --packet-trace scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:34 CST
SENT (0.4843s) ICMP [192.168.239.128 > 45.33.32.156 Echo request (type=8/code=0) id=930 seq=0] IP [ttl=44 id=52743 iplen=28 ]
SENT (0.4847s) TCP 192.168.239.128:54907 > 45.33.32.156:443 S ttl=50 id=42216 iplen=44　seq=2415939166 win=1024 <mss 1460>
SENT (0.4853s) TCP 192.168.239.128:54907 > 45.33.32.156:80 A ttl=41 id=52925 iplen=40　seq=0 win=1024 
SENT (0.4855s) ICMP [192.168.239.128 > 45.33.32.156 Timestamp request (type=13/code=0) id=32160 seq=0 orig=0 recv=0 trans=0] IP [ttl=54 id=27234 iplen=40 ]
RCVD (0.4864s) TCP 45.33.32.156:80 > 192.168.239.128:54907 R ttl=128 id=34681 iplen=40　seq=2415939166 win=32767 
NSOCK INFO [0.4880s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.4880s] nsock_connect_udp(): UDP connection requested to 192.168.239.2:53 (IOD #1) EID 8
NSOCK INFO [0.4880s] nsock_read(): Read request from IOD #1 [192.168.239.2:53](timeout: -1ms) EID 18
NSOCK INFO [0.4880s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.239.2:53]
NSOCK INFO [0.4880s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.239.2:53]
NSOCK INFO [0.8940s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.239.2:53](85 bytes)
NSOCK INFO [0.8940s] nsock_read(): Read request from IOD #1 [192.168.239.2:53](timeout: -1ms) EID 34
NSOCK INFO [0.8940s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [0.8940s] msevent_cancel(): msevent_cancel on event #34 (type READ)
SENT (0.8946s) TCP 192.168.239.128:55163 > 45.33.32.156:0 S ttl=51 id=39619 iplen=44　seq=1637668556 win=1024 <mss 1460>
RCVD (0.8966s) TCP 45.33.32.156:0 > 192.168.239.128:55163 RA ttl=128 id=34684 iplen=40　seq=1398889074 win=64240 
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0015s latency).
rDNS record for 45.33.32.156: li982-156.members.linode.com
PORT　STATE　SERVICE
0/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
root@Wing:~#

从以上返回的信息我们可以看到，有4行信息被标记为SENT，并显示为ICMP和IP包，如下所示：

SENT (0.4843s) ICMP [192.168.239.128 > 45.33.32.156 Echo request (type=8/code=0) id=930 seq=0] IP [ttl=44 id=52743 iplen=28 ]
SENT (0.4847s) TCP 192.168.239.128:54907 > 45.33.32.156:443 S ttl=50 id=42216 iplen=44　seq=2415939166 win=1024 <mss 1460>
SENT (0.4853s) TCP 192.168.239.128:54907 > 45.33.32.156:80 A ttl=41 id=52925 iplen=40　seq=0 win=1024 
SENT (0.4855s) ICMP [192.168.239.128 > 45.33.32.156 Timestamp request (type=13/code=0) id=32160 seq=0 orig=0 recv=0 trans=0] IP [ttl=54 id=27234 iplen=40 ]

如此可以判断目标主机是存活状态。我们也可以手动指定扫描目标主机的协议，Nmap支持的协议和编号如下所示：

① TCP：对应协议编号为6。

② ICMP：对应协议编号为1。

③ IGMP：对应协议编号为2。

④ UDP：对应协议编号为17。

我们指定使用TCP、UDP、IGMP协议向目标主机发送包并判断目标主机是否在线。

root@Wing:~# nmap -p06,17,2 --packet-trace scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:42 CST
SENT (0.0647s) ICMP [192.168.239.128 > 45.33.32.156 Echo request (type=8/code=0) id=28812 seq=0] IP [ttl=51 id=19372 iplen=28 ]
SENT (0.0649s) TCP 192.168.239.128:49262 > 45.33.32.156:443 S ttl=39 id=16459 iplen=44　seq=1786395366 win=1024 <mss 1460>
SENT (0.0651s) TCP 192.168.239.128:49262 > 45.33.32.156:80 A ttl=51 id=47484 iplen=40　seq=0 win=1024 
SENT (0.0652s) ICMP [192.168.239.128 > 45.33.32.156 Timestamp request (type=13/code=0) id=10265 seq=0 orig=0 recv=0 trans=0] IP [ttl=57 id=64987 iplen=40 ]
RCVD (0.0660s) TCP 45.33.32.156:80 > 192.168.239.128:49262 R ttl=128 id=34698 iplen=40　seq=1786395366 win=32767 
NSOCK INFO [0.0660s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.0660s] nsock_connect_udp(): UDP connection requested to 192.168.239.2:53 (IOD #1) EID 8
NSOCK INFO [0.0660s] nsock_read(): Read request from IOD #1 [192.168.239.2:53](timeout: -1ms) EID 18
NSOCK INFO [0.0660s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.239.2:53]
NSOCK INFO [0.0660s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.239.2:53]
NSOCK INFO [0.0770s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.239.2:53](85 bytes)
NSOCK INFO [0.0770s] nsock_read(): Read request from IOD #1 [192.168.239.2:53](timeout: -1ms) EID 34
NSOCK INFO [0.0770s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [0.0770s] msevent_cancel(): msevent_cancel on event #34 (type READ)
SENT (0.0781s) TCP 192.168.239.128:49518 > 45.33.32.156:6 S ttl=45 id=62567 iplen=44　seq=2228648245 win=1024 <mss 1460>
SENT (0.0782s) TCP 192.168.239.128:49518 > 45.33.32.156:17 S ttl=47 id=21783 iplen=44　seq=2228648245 win=1024 <mss 1460>
SENT (0.0784s) TCP 192.168.239.128:49518 > 45.33.32.156:2 S ttl=48 id=60557 iplen=44　seq=2228648245 win=1024 <mss 1460>
RCVD (0.3605s) ICMP [45.33.32.156 > 192.168.239.128 Echo reply (type=0/code=0) id=28812 seq=0] IP [ttl=128 id=34700 iplen=28 ]
SENT (1.1801s) TCP 192.168.239.128:49519 > 45.33.32.156:2 S ttl=48 id=28002 iplen=44　seq=2228713780 win=1024 <mss 1460>
SENT (1.1803s) TCP 192.168.239.128:49519 > 45.33.32.156:17 S ttl=38 id=41636 iplen=44　seq=2228713780 win=1024 <mss 1460>
SENT (1.1805s) TCP 192.168.239.128:49519 > 45.33.32.156:6 S ttl=52 id=58195 iplen=44　seq=2228713780 win=1024 <mss 1460>
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0011s latency).
rDNS record for 45.33.32.156: li982-156.members.linode.com
PORT　 STATE　　SERVICE
2/tcp　filtered compressnet
6/tcp　filtered unknown
17/tcp filtered qotd

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
root@Wing:~#