《Nmap渗透测试指南》—第2章2.6节TCP ACK Ping扫描

本节书摘来自异步社区《Nmap渗透测试指南》一书中的第2章2.6节TCP ACK Ping扫描，作者 商广明,更多章节内容可以访问云栖社区“异步社区”公众号查看。

2.6　TCP ACK Ping扫描
表2.5所示为本章节所需Nmap命令表，表中加粗命令为本小节所需命令——TCP ACK Ping扫描。

很多防火墙会封锁SYN报文，所以Nmap提供了TCP SYN Ping扫描与TCP ACK Ping扫描两种探测方式，这两种方式可以极大地提高通过防火墙的概率，我们还可以同时使用-PS与-SA来既发送SYN又发送ACK。在使用TCP ACK Ping扫描时，Nmap会发送一个ACK标志的TCP包给目标主机，如果目标主机不是存活状态则不响应该请求，如果目标主机在线则会返回一个RST包。

root@Wing:~# nmap -PA -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:43 CST
Initiating Ping Scan at 11:43
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:43, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.01s elapsed
Initiating SYN Stealth Scan at 11:43
Scanning 192.168.121.1 [1000 ports]
Discovered open port 135/tcp on 192.168.121.1
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 445/tcp on 192.168.121.1
Discovered open port 912/tcp on 192.168.121.1
Discovered open port 49155/tcp on 192.168.121.1
Discovered open port 8000/tcp on 192.168.121.1
Discovered open port 902/tcp on 192.168.121.1
Discovered open port 7000/tcp on 192.168.121.1
Increasing send delay for 192.168.121.1 from 0 to 5 due to 126 out of 418 dropped probes since last increase.
Discovered open port 49152/tcp on 192.168.121.1
Discovered open port 49153/tcp on 192.168.121.1
Discovered open port 49165/tcp on 192.168.121.1
Discovered open port 843/tcp on 192.168.121.1
Completed SYN Stealth Scan at 11:45, 139.14s elapsed (1000 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.0s latency).
Not shown: 987 closed ports
PORT　　　STATE　　SERVICE
135/tcp　 open　　 msrpc
139/tcp　 open　　 netbios-ssn
445/tcp　 open　　 microsoft-ds
514/tcp　 filtered shell
843/tcp　 open　　 unknown
902/tcp　 open　　 iss-realsecure
912/tcp　 open　　 apex-mesh
7000/tcp　open　　 afs3-fileserver
8000/tcp　open　　 http-alt
49152/tcp open　　 unknown
49153/tcp open　　 unknown
49155/tcp open　　 unknown
49165/tcp open　　 unknown


Nmap done: 1 IP address (1 host up) scanned in 139.22 seconds
　　　　　 Raw packets sent: 1723 (75.808KB) | Rcvd: 1014 (40.845KB)
root@Wing:~#

同时使用-PS与-PA选项，代码如下。

root@Wing:~# nmap -PA -PS 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 20:39 CST
Nmap scan report for 192.168.126.131
Host is up (0.00037s latency).
Not shown: 977 closed ports
PORT　　 STATE SERVICE
21/tcp　 open　ftp
22/tcp　 open　ssh
23/tcp　 open　telnet
25/tcp　 open　smtp
53/tcp　 open　domain
80/tcp　 open　http
111/tcp　open　rpcbind
139/tcp　open　netbios-ssn
445/tcp　open　microsoft-ds
512/tcp　open　exec
513/tcp　open　login
514/tcp　open　shell
1099/tcp open　rmiregistry
1524/tcp open　ingreslock
2049/tcp open　nfs
2121/tcp open　ccproxy-ftp
3306/tcp open　mysql
5432/tcp open　postgresql
5900/tcp open　vnc
6000/tcp open　X11
6667/tcp open　irc
8009/tcp open　ajp13
8180/tcp open　unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
root@Wing:~#

接下来我们看一个被防火墙阻止的案例，首先使用TCP ACK Ping方式对目标主机进行扫描。

root@Wing:~# nmap -PA -v 192.168.22.22

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:46 CST
Initiating Ping Scan at 11:46
Scanning 192.168.22.22 [1 port]
Completed Ping Scan at 11:46, 2.01s elapsed (1 total hosts)
Nmap scan report for 192.168.22.22 [host down]

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.04 seconds
　　　　　 Raw packets sent: 2 (80B) | Rcvd: 0 (0B)
root@Wing:~#

从输出的结果中发现目标主机是没有存活的状态，尝试使用TCP SYN Ping进行扫描，对目标主机的存活状态进行判断。

root@Wing:~# nmap -PS -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:50 CST
Initiating Ping Scan at 11:50
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:50, 1.00s elapsed (1 total hosts)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 109.97 seconds
　　　　　 Raw packets sent: 1760 (77.440KB) | Rcvd: 1020 (40.848KB)
root@Wing:~#

从输出的结果得知目标主机是存活状态，由此可以说明TCP ACK包被目标主机防火墙阻止了。