《Nmap渗透测试指南》—第2章2.7节UDP Ping扫描

本节书摘来自异步社区《Nmap渗透测试指南》一书中的第2章2.7节UDP Ping扫描，作者 商广明,更多章节内容可以访问云栖社区“异步社区”公众号查看。

2.7　UDP Ping扫描
表2.6所示为本章节所需Nmap命令表，表中加粗命令为本小节所需命令——UDP Ping扫描。

使用UDP Ping扫描时Nmap会发送一个空的UDP包到目标主机，如果目标主机响应则返回一个ICMP端口不可达错误，如果目标主机不是存活状态则会返回各种ICMP错误信息。

root@Wing:~# nmap -PU -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:58 CST
Initiating Ping Scan at 11:58
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:58, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:58
Completed Parallel DNS resolution of 1 host. at 11:58, 0.01s elapsed
Initiating SYN Stealth Scan at 11:58
Scanning 192.168.121.1 [1000 ports]
Discovered open port 135/tcp on 192.168.121.1
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 445/tcp on 192.168.121.1
Discovered open port 49165/tcp on 192.168.121.1
Discovered open port 912/tcp on 192.168.121.1
Increasing send delay for 192.168.121.1 from 0 to 5 due to 123 out of 409 dropped probes since last increase.
Discovered open port 902/tcp on 192.168.121.1
Discovered open port 49152/tcp on 192.168.121.1
Discovered open port 49155/tcp on 192.168.121.1
Discovered open port 49153/tcp on 192.168.121.1
Discovered open port 8000/tcp on 192.168.121.1
Discovered open port 7000/tcp on 192.168.121.1
Discovered open port 843/tcp on 192.168.121.1
Completed SYN Stealth Scan at 12:00, 110.73s elapsed (1000 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.00s latency).
Not shown: 987 closed ports
PORT　　　STATE　　SERVICE
135/tcp　 open　　 msrpc
139/tcp　 open　　 netbios-ssn
445/tcp　 open　　 microsoft-ds
514/tcp　 filtered shell
843/tcp　 open　　 unknown
902/tcp　 open　　 iss-realsecure
912/tcp　 open　　 apex-mesh
7000/tcp　open　　 afs3-fileserver
8000/tcp　open　　 http-alt
49152/tcp open　　 unknown
49153/tcp open　　 unknown
49155/tcp open　　 unknown
49165/tcp open　　 unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 110.79 seconds
　　　　　 Raw packets sent: 1724 (75.840KB) | Rcvd: 1009 (40.661KB)
root@Wing:~#

从输出的结果中可以得知目标主机是存活状态，这表明目标主机存活时会返回一个ICMP端口不可达的信息，这里我们使用Wireshark获取数据包分析。

如图2.4所示，捕获的包中有一条信息为“Destination unreachable”，这表明目标不可达，在详细信息面板中可以看到使用的端口为40125，也可以指定使用其他端口。

root@Wing:~# nmap -PU80,111 -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 12:26 CST
Initiating Ping Scan at 12:26
Scanning 192.168.121.1 [2 ports]
Completed Ping Scan at 12:26, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:26
Completed Parallel DNS resolution of 1 host. at 12:26, 0.01s elapsed
Initiating SYN Stealth Scan at 12:26
Scanning 192.168.121.1 [1000 ports]

如图2.5所示有两个ICMP包，且包的信息都是“Destination unreachable”，详细信息面板中的端口为25。