I'm curious why nmap -sP (ping scan), run against a remote subnet that is linked through a Cisco site-to-site IPsec tunnel, returns a "host up" status for every IP in the range.
[root@xt ~]# nmap -sP 192.168.108.*
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-11-22 14:08 CST
Host 192.168.108.0 appears to be up.
Host 192.168.108.1 appears to be up.
Host 192.168.108.2 appears to be up.
Host 192.168.108.3 appears to be up.
Host 192.168.108.4 appears to be up.
Host 192.168.108.5 appears to be up.
.
.
.
Host 192.168.108.252 appears to be up.
Host 192.168.108.253 appears to be up.
Host 192.168.108.254 appears to be up.
Host 192.168.108.255 appears to be up.
Nmap finished: 256 IP addresses (256 hosts up) scanned in 14.830 seconds
However, pinging an IP that is known to be down either times out or returns nothing at all...
[root@xt ~]# ping 192.168.108.201
PING 192.168.108.201 (192.168.108.201) 56(84) bytes of data.
--- 192.168.108.201 ping statistics ---
144 packets transmitted, 0 received, 100% packet loss, time 143001ms
Is there a more effective way to scan for live devices that are connected this way?
Answer 1
Probably a TCP RST. An excerpt from the nmap manual (v5.00) follows:
The -sP option sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local Ethernet network, ARP requests are used unless --send-ip is specified. The -sP option can be combined with any of the discovery probe types (the -P* options, excluding -PN) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.
As seen here:
# nmap -sP 10.99.10.19
Host 10.99.10.19 is up (0.0015s latency).
21:31:13.338418 IP (tos 0x0, ttl 51, id 28548, offset 0, flags [none], proto ICMP (1), length 28)
10.0.0.20 > 10.99.10.19: ICMP echo request, id 57832, seq 0, length 8
21:31:13.338625 IP (tos 0x0, ttl 50, id 7277, offset 0, flags [none], proto TCP (6), length 44)
10.0.0.20.63105 > 10.99.10.19.443: Flags [S], cksum 0xe71d (correct), seq 4106918263, win 3072, options [mss 1460], length 0
21:31:13.338780 IP (tos 0x0, ttl 52, id 11356, offset 0, flags [none], proto TCP (6), length 40)
10.0.0.20.63105 > 10.99.10.19.80: Flags [.], cksum 0x3276 (correct), seq 4106918263, ack 774547350, win 1024, length 0
21:31:13.339771 IP (tos 0x0, ttl 55, id 35529, offset 0, flags [none], proto ICMP (1), length 40)
10.0.0.20 > 10.99.10.19: ICMP time stamp query id 23697 seq 0, length 20
21:31:13.340590 IP (tos 0x0, ttl 255, id 63189, offset 0, flags [none], proto TCP (6), length 40)
10.99.10.19.80 > 10.0.0.20.63105: Flags [R.], cksum 0x3272 (correct), seq 1, ack 0, win 1024, length 0
In my case I have a pair of Cisco ASAs locally, with Linux running strongswan on the remote end. It is most likely a problem on the remote side, since the rtt over the tunnel averages about 7-9ms. I see arp who-has going out from the other end, but this is what I get without decrypting the remote ipsec peer's packets.
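One way to check what kind of reply an nmap -sP "host up" verdict actually rests on, as an added example that is not part of the original post: parse a capture in the tcpdump format shown in the answer and flag targets whose only answer is a TCP RST, which is exactly what a gateway or firewall answering on behalf of an empty address would produce. The scanner address 10.0.0.20 comes from the capture above; the extra targets 10.99.10.20 and 10.99.10.21 and the verdict labels are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted above (IP header lines omitted; the
# parser skips them anyway): .19 answers only with a RST, .20 never answers, .21 replies.
SAMPLE_CAPTURE = """\
    10.0.0.20 > 10.99.10.19: ICMP echo request, id 57832, seq 0, length 8
    10.0.0.20.63105 > 10.99.10.19.443: Flags [S], seq 4106918263, win 3072, length 0
    10.0.0.20.63105 > 10.99.10.19.80: Flags [.], seq 4106918263, ack 774547350, win 1024, length 0
    10.99.10.19.80 > 10.0.0.20.63105: Flags [R.], seq 1, ack 0, win 1024, length 0
    10.0.0.20 > 10.99.10.20: ICMP echo request, id 57832, seq 1, length 8
    10.0.0.20 > 10.99.10.21: ICMP echo request, id 57832, seq 2, length 8
    10.99.10.21 > 10.0.0.20: ICMP echo reply, id 57832, seq 2, length 8
"""

PKT_RE = re.compile(r"^\s*(\S+?) > (\S+?): (.*)$")  # "src > dst: rest"

def ip_of(addr):
    """Drop the trailing port from tcpdump's 'a.b.c.d.port' form, if present."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr

def classify_hosts(capture, scanner_ip):
    """Map each probed target to a verdict based on what answered the scanner."""
    probed, evidence = set(), defaultdict(set)
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # tcpdump header line or unrelated text
        src, dst, rest = ip_of(m.group(1)), ip_of(m.group(2)), m.group(3)
        if src == scanner_ip:
            probed.add(dst)  # outgoing -sP probe
        elif dst == scanner_ip:
            flags = re.search(r"Flags \[([^\]]*)\]", rest)
            if "ICMP" in rest and "reply" in rest:
                evidence[src].add("icmp-reply")
            elif flags and "S" in flags.group(1):
                evidence[src].add("tcp-synack")
            elif flags and "R" in flags.group(1):
                evidence[src].add("tcp-rst")
    verdicts = {}
    for host in sorted(probed):
        if evidence[host] & {"icmp-reply", "tcp-synack"}:
            verdicts[host] = "up (end-host reply)"
        elif "tcp-rst" in evidence[host]:
            # nmap treats a RST as proof of life, but a middlebox may send it for an empty address
            verdicts[host] = "up? (RST only)"
        else:
            verdicts[host] = "down (no response)"
    return verdicts
```

Run it against a real `tcpdump -n -v` capture taken while the scan runs; if every address in the range, including .0 and .255, ends up as "up? (RST only)", the answers are coming from the tunnel endpoint rather than from hosts.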