ACK scanning (-sA)
ACK scanning is an advanced Nmap scan type, usually used to map out firewall rulesets; in particular it helps determine whether a firewall is stateful. The scan sends a bare ACK packet to each specified port. If an RST comes back, the port is classified as 'unfiltered'; if nothing comes back, the port is classified as 'filtered'. This scan never reports a port as 'open', because a bare ACK draws an RST from both open and closed ports, so it only tells you whether a packet filter sits in the path.
Below is an example from our laboratory.
#nmap -sA -v 10.50.1.254
Starting Nmap V. 2.54BETA30
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good.
Initiating ACK Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)
The ACK Scan took 1 second to scan 1549 ports.
All 1549 scanned ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254) are: UNfiltered
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
List scanning (-sL)
List scanning generates and prints a list of the target IPs/names without actually pinging or port scanning them. The output is shown below.
#nmap -sL -v 10.50.1.254
Starting Nmap V. 2.54BETA30
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) not scanned
Nmap run completed -- 1 IP address (0 hosts up) scanned in 0 seconds
P0 option (-P0)
A useful option with any scan is "-P0", also called 'Don't ping host': Nmap does not try to ping hosts at all before scanning them. This allows scanning of networks that do not let ICMP echo requests through their firewalls (for example, Microsoft.com). Since Nmap by default pings a target with both a TCP "ping" and an ICMP echo before attempting a port scan, sites that block both the ICMP and the TCP probe will not be scanned unless this option is given.
#nmap -P0 -v 10.50.1.254
Starting Nmap V. 2.54BETA30
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
24/tcp open priv-mail
80/tcp open http
139/tcp open netbios-ssn
515/tcp open printer
1723/tcp open pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
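As an added example (not part of the original post), the following Python parses the classic Nmap text output shown above into structured results and interprets an ACK-scan summary the way the page describes (RST back = unfiltered, silence = filtered). The two sample strings are constructed from the output on this page; the function names parse_nmap and firewall_hint are my own.

```python
import re

# Constructed samples reproducing the two output formats on this page
# (classic Nmap 2.54BETA30 text output, shortened; not captured here).
SAMPLE_P0 = """Starting Nmap V. 2.54BETA30
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
80/tcp open http
1723/tcp open pptp
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
"""
SAMPLE_ACK = """Starting Nmap V. 2.54BETA30
Initiating ACK Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)
All 1549 scanned ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254) are: UNfiltered
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
"""

# Header line: either the per-port table header or the "All N ... are: STATE" summary.
HEADER_RE = re.compile(r"^(?:Interesting ports on|All (\d+) scanned ports on) (\S+) \(([\d.]+)\)(?:\s+are: (\w+))?")
HIDDEN_RE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_nmap(text):
    """Parse classic Nmap output into host, per-port rows and the summary lines."""
    result = {"host": None, "ip": None, "ports": [], "unlisted": None, "all_ports": None}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            count, result["host"], result["ip"], state = m.groups()
            if count:  # the -sA summary form: every scanned port in one state
                result["all_ports"] = (int(count), state.lower())
        elif m := HIDDEN_RE.match(line):
            result["unlisted"] = (int(m.group(1)), m.group(2).lower())
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            result["ports"].append((int(port), proto, state.lower(), service))
    return result

def firewall_hint(parsed):
    """Read an -sA summary: 'unfiltered' means unsolicited ACKs were answered
    with RST (no stateful filter in the path); 'filtered' means they were dropped."""
    if parsed["all_ports"] is None:
        return "not an ACK-scan summary"
    _, state = parsed["all_ports"]
    if state == "unfiltered":
        return "stateless or no firewall: unsolicited ACKs were answered with RST"
    return "filtered: unsolicited ACKs dropped, consistent with a stateful firewall"
```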