Different behaviour: "sudo nmap" vs. just "nmap"?

I am trying to do a simple port scan with nmap:

$ nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Nmap scan report for 192.168.56.101
Host is up (0.0048s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
5555/tcp  open  freeciv
24800/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

But when I try the same thing with sudo, it fails and claims the host is down:

$ sudo nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.48 seconds

Note:
I am on OS X Yosemite.
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin14)

Thanks.

Answer 1

By default, an unprivileged scan uses -sT (TCP Connect), while a privileged (root) scan uses -sS (TCP SYN Stealth).

TCP Connect (-sT): the connect scan uses the system call of the same name to scan the machine, rather than relying on raw packets as most other methods do. It is usually used by unprivileged Unix users and against IPv6 targets, because SYN scan does not work in those cases.

TCP SYN Stealth (-sS): this is by far the most popular scan type, because it is the fastest way to scan ports of the most popular protocol (TCP). It is stealthier than a connect scan, and it works against any functional TCP stack (unlike some special-purpose scans such as the FIN scan).

1) To understand what is happening on your machine, I suggest using extra verbose mode (-vv) or --packet-trace to see what is going on.

$ sudo nmap --packet-trace -vv 192.168.56.101

2) Another approach is to force an unprivileged scan while running as a privileged user, using the following commands, and compare the results.

$ sudo nmap -sT -vv 192.168.56.101
$ sudo nmap --unprivileged -vv 192.168.56.101

3) Finally, the reason nmap stops scanning is that the ICMP type 8 (echo, a.k.a. ping) did not get back an ICMP type 0 (echo reply). This command skips the ping and proceeds with the scan:

$ sudo nmap -PN 192.168.56.101

Could you try these commands and post the output?

Answer 2

Basically, by default:

  • A privileged user performs -sS (TCP SYN scan).
    This type of scan requires raw socket / raw packet privileges.
  • An unprivileged user performs -sT (TCP connect scan).
    This type of scan does not require raw socket / raw packet privileges.

Adapted from Nmap's official documentation:


PORT SCANNING TECHNIQUES
Most of the scan types are only available to privileged users. This is because they are able to send and receive raw packets, which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.
--privileged (Assume that the user is fully privileged).
Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on Unix systems. By default, Nmap quits if such operations are requested but geteuid is not zero. --privileged is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users to perform raw-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan, OS detection, etc). The NMAP_PRIVILEGED environment variable may be set as an equivalent alternative to --privileged.

-sS (TCP SYN Scan).
TCP SYN Scan is the default scan option for privileged users. It can be performed quickly, scanning thousands of ports per second; when on a fast network, not hampered by any restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. A TCP SYN Scan works against any compliant TCP stack rather than depending on the idiosyncrasies of specific platforms (as Nmap's other scans do). It allows clear, reliable differentiation between the (open), (closed), and (filtered) states.
This technique is often referred to as a Half-Open Scan, because it doesn't open a full TCP connection. You send a SYN packet, as if you are going to (open) a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener (closed). If a SYN/ACK is received, a RST is immediately sent to tear down the connection. The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. If no response is received after several retransmissions, the port is marked as (filtered). The port is also marked (filtered) if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered (open) if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous (open) or split handshake connection. (https://nmap.org/misc/split-handshake.pdf)

--unprivileged (Assume that the user lacks raw socket privileges).
This option is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful if testing, debugging, or the raw network functionality of your operating system is somehow broken. The NMAP_UNPRIVILEGED environment variable may be set as an equivalent alternative to --unprivileged.

-sT (TCP Connect Scan).
TCP Connect Scan is the default TCP scan type for unprivileged users. This is the most basic form of TCP scanning. The connect() system call, provided by your operating system is used to (open) a connection to some interesting ports on the machine. If the port is (listening), then connect() will succeed, otherwise the port is (filtered). One strong advantage to this technique is that it doesn't require any special privileges. Usually, on most UNIX boxes, any user can make this call because it doesn't involve writing raw packets like most other scan types do. This connect() call is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.
When the TCP SYN Scan is available, it is usually a better choice. Nmap has less control over the high level connect() call than with raw packets, making it less efficient. Rather than performing the half-open (reset) that a SYN Scan does, the connect() system call makes complete connections to (open) target ports. This not only takes longer, it requires sending more packets to obtain the same information, and target machines are more likely to log the connection. A decent IDS will catch either. Most machines, however, have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been TCP Connect Scanned.

Answer 3

I noticed the same thing on my Mac. It is really strange.

It looks like Nmap with sudo privileges picks up some information from the ARP cache. So if you scan a device that has been disconnected from the network but is still in the ARP cache (on my computer the cache updates after 2 or 3 minutes), it shows up as online in Nmap.

From the Nmap man page:

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans, which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a TCP SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.
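The unprivileged code path that Answer 2 (the -sT connect scan) and the man page excerpt above (host discovery via connect() to ports 80 and 443) describe can be reproduced without raw sockets. The following is an added example written for this page; it is not code from the original thread or from the Nmap project. It models how a connect() result maps to Nmap's port states (success = open, ECONNREFUSED from a RST = closed, silence = filtered) and how the unprivileged host-discovery rule treats both a completed handshake and a RST as proof that the host is up. The target is a constructed local listener on an ephemeral loopback port; the probe ports, the one-second timeout and the function names are assumptions of this example. The privileged -sS/ICMP path that sudo selects is not shown, since it needs raw packets.

```python
"""Connect-scan and unprivileged host-discovery logic modelled on Nmap's
non-root defaults (-sT, and -PS80,443 implemented with connect()).

Added example for this page, not Nmap code. The listener below is a
constructed sample target; ports, timeout and names are assumptions.
"""
import errno
import socket
import threading


def connect_probe(host, port, timeout=1.0):
    """Classify one TCP port the way a connect() scan does.

    connect() succeeds          -> "open"     (SYN/ACK, full handshake)
    ECONNREFUSED (RST came back) -> "closed"
    timeout or unreachable       -> "filtered" (nothing answered)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        # No route / ARP failure: the stack never saw a reply, treat as filtered
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()  # like a scanner, tear the connection down without sending data


def unprivileged_host_is_up(host, ports=(80, 443), timeout=1.0):
    """Nmap's non-root host discovery: connect() to 80 and 443.

    A completed handshake OR a refusal (RST) both prove a live TCP stack;
    only silence on every probe port counts as "host seems down".
    """
    return any(connect_probe(host, p, timeout) in ("open", "closed") for p in ports)


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports, returning {port: state} like an -sT report."""
    return {p: connect_probe(host, p, timeout) for p in ports}


def start_listener(host="127.0.0.1"):
    """Constructed sample target: a TCP service on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return          # listener closed, stop serving
            conn.close()        # service accepts, scanner has already gone away

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so that it is (almost surely) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Discover the sample host and connect-scan one open and one closed port."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        up = unprivileged_host_is_up("127.0.0.1", ports=(open_port, closed_port))
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return up, results


if __name__ == "__main__":
    up, results = demo()
    print("host up:", up)
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
```

Run it as a normal user: no raw sockets are involved, which is exactly why the OP's non-sudo scan succeeded. The noteworthy point is in unprivileged_host_is_up: a closed port still marks the host as up because the RST proves a stack answered, whereas the sudo run in the question relies on ICMP echo and other raw probes that a host or firewall may simply drop.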
