0


NMAP 六种端口状态解读

NMAP 简介

nmap 是一款功能非常强大的扫描工具,不仅能对端口扫描,还可以在扫描中指定自定义的标志位,对自己的 IP 地址进行隐藏伪装为别的 IP 地址,还可以根据 nmap 数据库,对被扫描主机进行系统版本等的猜测,这篇文档主要对 nmap 的端口扫描进行简单归纳。

NMAP六种端口状态解读

传统上端口被划分为 open 或 close 状态,Nmap 更加细化,将端口划分为 open, closed, filtered, unfiltered, open|filtered, or closed|filtered 六种状态。下面针对 TCP 端口和 UDP 端口的探测分别进行说明。

TCP 端口下的六种状态实测

**Open **开放状态:

nmap 发起两个 SYN 的请求,服务器上监听在此端口的进程会进行应答,会返回 SYN/ACK, nmap 收到服务端返还回来的应答后会发送两个 RST ,并不会和服务端建立通信连接,完成端口的探测。

[root@zyq ~]# nmap  node01  -p 22

Starting Nmap 6.40 ( http://nmap.org ) at 2022-02-18 10:57 CST
Nmap scan report for node01 (192.168.2.11)
Host is up (0.00014s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 74:52:01:01:01:01 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

**Closed **关闭状态:

nmap 发起两个 SYN 的请求,服务器上由于没有进程监听该端口,内核会返回 RST, nmap 收到服务端返还回来的 RST 报文,将探测结果定义为 closed 。

[root@zyq ~]# nmap  node01  -p 81

Starting Nmap 6.40 ( http://nmap.org ) at 2022-02-18 10:56 CST
Nmap scan report for node01 (192.168.2.11)
Host is up (0.00018s latency).
PORT   STATE  SERVICE
81/tcp closed hosts2-ns
MAC Address: 74:52:01:01:01:01 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

**Filtered **过滤状态:

这种情况是服务端将收到的 nmap SYN 报文直接丢弃,不进行应答, 由于 nmap 直接发送了两个 SYN 报文,都没有收到应答,所以认定服务端开启了防火墙,将 SYN 报文丢弃。

[root@node01 ~]# iptables -A INPUT -p tcp --dport 80 -j DROP

[root@zyq ~]# nmap  node01  -p 80

Starting Nmap 6.40 ( http://nmap.org ) at 2022-02-18 10:55 CST
Nmap scan report for node01 (192.168.2.11)
Host is up (0.00021s latency).
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 74:52:01:01:01:01 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

**Unfiltered **未过滤状态:

nmap 默认进行的是 SYN 扫描,当用 -sA 选项( TCP ACK 扫描),连续发送两个同样的 ACK 报文,由于 snmp 确认收到了一个服务端根本没有发送的报文,所以服务端会发送一个 RST 报文, snmp 收到服务端发送来的 RST 报文后,确认服务端没有对报文进行丢弃处理,注意本探测不能发现端口是开放还是关闭状态,只能确认探测的报文服务端已收到,并回复给了 snmp RST报文。

[root@zyq ~]# nmap  node01 -sA -p 22

Starting Nmap 6.40 ( http://nmap.org ) at 2022-02-18 10:52 CST
Nmap scan report for node01 (192.168.2.11)
Host is up (0.00017s latency).
PORT   STATE      SERVICE
22/tcp unfiltered ssh
MAC Address: 74:52:01:01:01:01 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Open|filtered 开放或过滤状态:

这种状态主要是 nmap 无法区别端口处于 open 状态还是 filtered 状态。这种状态长出现于 UDP 端口,参考后续 UDP 中的解释。

Closed|filtered 关闭或者过滤状态:

参见 IP ID idle 扫描_zyqash的博客-CSDN博客

UDP 端口下的六种状态

由于 UDP 传输数据不像 TCP 那样,会对每个报文都进行确认,所以 UDP 端口的探测与 TCP 端口的探测有略微的不同。

Open

nmap 向目标端口发起两个 UDP 报文,服务端对报文进行应答,nmap 收到应答,将该端口标记为 open。

[root@zyq ~]# nmap 192.168.1.1 -sU -p 53

Starting Nmap 6.40 ( http://nmap.org ) at 2022-02-18 10:58 CST
Nmap scan report for 192.168.1.1
Host is up (0.0036s latency).
PORT   STATE SERVICE
53/udp open  domain
MAC Address: 7C:B5:9B:42:47:1D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Closed

nmap 会发送两个一模一样的 UDP 请求,服务端收到请求后会给 nmap 返回一个 type=3 code=3 的 ICMP 报文,意思是访问的端口不可达, nmap 标记此端口是关闭状态。

[root@zyq ~]# nmap  node01  -sU -p 80
Starting Nmap 6.40 ( http://nmap.org ) at 2022-02-18 10:59 CST
Nmap scan report for node01 (192.168.2.11)
Host is up (0.00018s latency).
PORT   STATE  SERVICE
80/udp closed http
MAC Address: 74:52:01:01:01:01 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

[root@node01 ~]# tcpdump -i eth0  -p icmp -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:19:17.747414 IP (tos 0xc0, ttl 64, id 2440, offset 0, flags [none], proto ICMP (1), length 56)
    node01 > phy: ICMP node01 udp port snmptrap unreachable, length 36
    IP (tos 0x0, ttl 43, id 64371, offset 0, flags [none], proto UDP (17), length 28)
    phy.34193 > node01.snmptrap: [udp sum ok]  [nothing to parse]

Filtered

这个一般指 TCP 端口扫描,参见上面的描述。

Unfiltered

这个一般指 TCP 端口扫描,参见上面的描述。

Open|filtered

这种状态主要是 nmap 无法区别端口处于 open 状态还是 filtered 状态。这种状态是服务端对 nmap 的请求不做任何回应,导致 nmap 无法确认端口是那种状态。

目标主机上丢弃访问 UDP 161端口的报文
[root@node01 ~]# iptables -A INPUT -p udp --dport 161 -j DROP

客户端进行该端口的扫描
[root@zyq ~]# nmap -sU node01 -p 161

Starting Nmap 6.40 ( http://nmap.org ) at 2022-02-18 09:51 CST
Nmap scan report for node01 (192.168.2.11)
Host is up (0.00014s latency).
PORT    STATE         SERVICE
161/udp open|filtered snmp
MAC Address: 74:52:01:01:01:01 (Unknown)

本次测试目标主机上没有进程监听 UDP 161端口,目标主机该端口的真实状态是 Closed & filtered,如果有进程监听 UDP 161端口但是不做回应,并且防火墙没有进行限制,nmap也展示为这个结果。

端口六种状态官方原文解释

以下的每一段分别对应 open, closed, filtered, unfiltered, open|filtered, or closed|filtered 六种状态的描述。

An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenuefor attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-securityscans because they show services available for use on the network.

A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or pingscanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they wouldappear in the filtered state, discussed next.

Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software.These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), butfilters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scandramatically.

The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanningunfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filterdropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

标签: linux 安全 centos

本文转载自: https://blog.csdn.net/zyqash/article/details/122986256
版权归原作者 巭犇 所有, 如有侵权,请联系我们删除。

“NMAP 六种端口状态解读”的评论:

还没有评论