《Nmap渗透测试指南》—第2章2.5节TCP SYN Ping扫描

本节书摘来自异步社区《Nmap渗透测试指南》一书中的第2章2.5节TCP SYN Ping扫描，作者 商广明,更多章节内容可以访问云栖社区“异步社区”公众号查看。

2.5　TCP SYN Ping扫描
表2.4所示为本章节所需Nmap命令表，表中加粗命令为本小节所需命令——TCP SYN Ping扫描。

TCP协议是TCP/IP协议族中的面向连接的、可靠的传输层协议，允许发送和接收字节流形式的数据。为了使服务器和客户端以不同的速度产生和消费数据，TCP提供了发送和接收两个缓冲区。TCP提供全双工服务，数据同时能双向流动。通信的每一方都有发送和接收两个缓冲区，可以双向发送数据。TCP在报文中加上一个递进的确认序列号来告诉发送者，接收者期望收到的下一个字节，如果在规定时间内，没有收到关于这个包的确认响应，则重新发送此包，这保证了TCP是一种可靠的传输层协议。

-PS选项发送一个设置了SYN标志位的空TCP报文。默认目的端口为80（可以通过改变nmap.h）文件中的DEFAULT-TCP-PROBE-PORT值进行配置，但不同的端口也可以作为选项指定，甚至可以指定一个以逗号分隔的端口列表（如-PS22，23，25，80，115，3306，3389），在这种情况下，每个端口会被并发地扫描。

通常情况下，Nmap默认Ping扫描是使用TCP ACK和ICMP Echo请求对目标进行是否存活的响应，当目标主机的防火墙阻止这些请求时，我们可以使用TCP SYN Ping扫描来进行对目标主机存活的判断。

root@Wing:~# nmap -PS -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:31 CST
Initiating Ping Scan at 11:31
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:31, 1.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:31
Completed Parallel DNS resolution of 1 host. at 11:31, 0.01s elapsed
Initiating SYN Stealth Scan at 11:31
Scanning 192.168.121.1 [1000 ports]
Discovered open port 135/tcp on 192.168.121.1
Discovered open port 445/tcp on 192.168.121.1
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 49155/tcp on 192.168.121.1
Discovered open port 7000/tcp on 192.168.121.1
Discovered open port 49165/tcp on 192.168.121.1
Discovered open port 49153/tcp on 192.168.121.1
Discovered open port 49152/tcp on 192.168.121.1
Discovered open port 912/tcp on 192.168.121.1
Discovered open port 902/tcp on 192.168.121.1
Discovered open port 843/tcp on 192.168.121.1
Increasing send delay for 192.168.121.1 from 0 to 5 due to 258 out of 858 dropped probes since last increase.
Discovered open port 8000/tcp on 192.168.121.1
Completed SYN Stealth Scan at 11:32, 69.92s elapsed (1000 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.2s latency).
Not shown: 987 closed ports
PORT　　　STATE　　SERVICE
135/tcp　 open　　 msrpc
139/tcp　 open　　 netbios-ssn
445/tcp　 open　　 microsoft-ds
514/tcp　 filtered shell
843/tcp　 open　　 unknown
902/tcp　 open　　 iss-realsecure
912/tcp　 open　　 apex-mesh
7000/tcp　open　　 afs3-fileserver
8000/tcp　open　　 http-alt
49152/tcp open　　 unknown
49153/tcp open　　 unknown
49155/tcp open　　 unknown
49165/tcp open　　 unknown


Nmap done: 1 IP address (1 host up) scanned in 70.99 seconds
　　　　　 Raw packets sent: 1409 (61.996KB) | Rcvd: 1008 (40.605KB)
root@Wing:~#

从上面的返回结果可得知Nmap是通过SYN/ACK和RST响应来对目标主机是否存活进行判断，但在特定情况下防火墙会丢弃RST包，这种情况下扫描的结果会不准确，这时，我们需要指定一个端口或端口范围来避免这种情况。

root@Wing:~# nmap -PS80,100-200 -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:38 CST
Initiating Ping Scan at 11:38
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:38, 1.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:38
Completed Parallel DNS resolution of 1 host. at 11:38, 0.04s elapsed
Initiating SYN Stealth Scan at 11:38
Scanning 192.168.121.1 [102 ports]
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 135/tcp on 192.168.121.1
Completed SYN Stealth Scan at 11:38, 4.04s elapsed (102 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.0s latency).
Not shown: 100 closed ports
PORT　　STATE SERVICE
135/tcp open　msrpc
139/tcp open　netbios-ssn


Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds
　　　　　 Raw packets sent: 103 (4.532KB) | Rcvd: 103 (4.128KB)
root@Wing:~#