Nmap host discovery

IP protocol discovery

Every IP header carries a Protocol field naming the encapsulated protocol (1 = ICMP, 6 = TCP, 17 = UDP and so on). IP protocol ping sends raw IP packets with chosen Protocol values to the target; Nmap considers the host up if it gets back a response in the same protocol, or an ICMP protocol unreachable error (type 3/code 2), since either can only come from a live IP stack. The option is -PO (capital letter O, not zero).

  • -PO: IP protocol ping. A comma-separated list of protocol numbers may follow (-PO1,6,17); with no list the default is -PO1,2,4, i.e. ICMP, IGMP and IP-in-IP. For ICMP, IGMP, TCP, UDP and SCTP Nmap builds a proper header for the protocol; for other numbers the packet carries nothing beyond the IP header.
# -PO against a host that is not up
$ nmap 192.168.1.10 -PO --packet-trace
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 18:57 CST
# protocol 1: an ICMP echo request
SENT (0.1175s) ICMP [192.168.43.245 > 192.168.1.10 Echo request (type=8/code=0) id=28135 seq=0] IP [ttl=41 id=58457 iplen=28 ]
# protocol 2: an IGMP packet
SENT (0.1176s) igmp (2) 192.168.43.245 > 192.168.1.10: ttl=38 id=32594 iplen=28
# protocol 4: IP-in-IP, nothing beyond the 20-byte IP header
SENT (0.1176s) ipv4 (4) 192.168.43.245 > 192.168.1.10: ttl=45 id=30712 iplen=20
# no answer within the timeout, so all three probes are retransmitted once
SENT (2.1204s) ipv4 (4) 192.168.43.245 > 192.168.1.10: ttl=47 id=13714 iplen=20
SENT (2.1205s) igmp (2) 192.168.43.245 > 192.168.1.10: ttl=54 id=33614 iplen=28
SENT (2.1205s) ICMP [192.168.43.245 > 192.168.1.10 Echo request (type=8/code=0) id=34496 seq=0] IP [ttl=55 id=20151 iplen=28 ]
# still nothing: reported down
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.20 seconds
  1. Nmap sends the ICMP, IGMP and IP-in-IP probes back to back.
  2. None of the three is answered, so each is sent a second time.
  3. Still no answer, so the host is declared down. The wording "seems down" is deliberate: a host that silently drops all three protocols looks exactly like an empty address.
# -PO against a host that is up
$ nmap www.diaoan.xyz -PO --packet-trace
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 19:10 CST
# protocol 1: ICMP echo request
SENT (0.1793s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=9721 seq=0] IP [ttl=41 id=46185 iplen=28 ]
# protocol 2: IGMP
SENT (0.1793s) igmp (2) 192.168.43.245 > 121.199.61.226: ttl=41 id=13772 iplen=28
# protocol 4: IP-in-IP
SENT (0.1793s) ipv4 (4) 192.168.43.245 > 121.199.61.226: ttl=59 id=34155 iplen=20
# the ICMP probe is answered: echo reply (type 0/code 0) carrying the same id 9721, so the host is up
RCVD (0.2102s) ICMP [121.199.61.226 > 192.168.43.245 Echo reply (type=0/code=0) id=9721 seq=0] IP [ttl=116 id=5912 iplen=28 ]
# discovery succeeded, so the default port scan follows (-sn would stop here)
SENT (2.5298s) TCP 192.168.43.245:60586 > 121.199.61.226:2605 S ttl=54 id=57784 iplen=44 seq=2410478526 win=1024 <mss 1460>
SENT (2.5298s) TCP 192.168.43.245:60586 > 121.199.61.226:12174 S ttl=56 id=9567 iplen=44 seq=2410478526 win=1024 <mss 1460>
SENT (2.5773s) TCP 192.168.43.245:60584 > 121.199.61.226:3301 S ttl=52 id=48876 iplen=44 seq=2410609596 win=1024 <mss 1460>
RCVD (0.4336s) TCP 121.199.61.226:3389 > 192.168.43.245:60584 SA ttl=116 id=5914 iplen=44 seq=2690545946 win=64000 <mss 1400>
RCVD (1.6054s) TCP 121.199.61.226:21 > 192.168.43.245:60584 SA ttl=116 id=5916 iplen=44 seq=4064203353 win=8192 <mss 1400>
RCVD (1.6085s) TCP 121.199.61.226:25 > 192.168.43.245:60584 RA ttl=116 id=5915 iplen=40 seq=0 win=0
......
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# host is up
Host is up (0.032s latency).
# 988 ports never answered at all (filtered); that is different from a closed port, which answers RST like 25/tcp above
Not shown: 988 filtered tcp ports (no-response)
# open ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
...
Nmap done: 1 IP address (1 host up) scanned in 4.90 seconds
# IP protocol ping with protocol 6 (TCP): for this number Nmap builds a real TCP header
$ nmap 192.168.1.1 -PO6 --packet-trace -sn --disable-arp-ping
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 19:39 CST
# a TCP ACK to port 80 is sent
SENT (0.1079s) TCP 192.168.43.245:46612 > 192.168.1.1:80 A ttl=53 id=16893 iplen=40 seq=1838337423 win=1024
# the host answers with RST, as any live TCP stack does for an ACK that belongs to no connection
RCVD (0.1107s) TCP 192.168.1.1:80 > 192.168.43.245:46612 R ttl=63 id=25587 iplen=40 seq=119684187 win=0
Nmap scan report for TianYi.Home (192.168.1.1)
Host is up (0.0028s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
  • -sn: host discovery only, no port scan (s from Scan, n from not; the older spelling -sP still works).
  • --disable-arp-ping: do not use ARP (or IPv6 neighbor discovery). It only matters for targets on the local Ethernet segment, where Nmap otherwise ignores the -P options and asks with an ARP request instead.

ICMP discovery

How ICMP ping works

  1. To test reachability, host A sends an ICMP echo request (type 8) to host B.
  2. If B, and every firewall between them, accepts the request, B answers with an ICMP echo reply (type 0) carrying the same identifier and sequence number, which proves B is reachable.

ICMP echo request

ICMP echo discovery is a plain ping: send an echo request and wait for the reply. Two options are involved:

  • -sn: host discovery only, no port scan (s from Scan, n from not).
  • -PE: ICMP echo ping; an echo reply proves the host is up (P from Ping, E from Echo). Many hosts and firewalls drop echo requests from the Internet, so a missing reply proves nothing on its own.
# Ping scan with the default probe set (the option was abbreviated to --packet; Nmap accepted it as --packet-trace)
$ nmap --packet -sn www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 20:16 CST
# default probe 1: ICMP echo request
SENT (0.1214s) ICMP [192.168.43.245 > 14.215.177.39 Echo request (type=8/code=0) id=24296 seq=0] IP [ttl=42 id=38619 iplen=28 ]
# default probe 2: TCP SYN to 443
SENT (0.1215s) TCP 192.168.43.245:53375 > 14.215.177.39:443 S ttl=37 id=32706 iplen=44 seq=2151011921 win=1024 <mss 1460>
# default probe 3: TCP ACK to 80
SENT (0.1215s) TCP 192.168.43.245:53375 > 14.215.177.39:80 A ttl=47 id=42349 iplen=40 seq=0 win=1024
# default probe 4: ICMP timestamp request
SENT (0.1219s) ICMP [192.168.43.245 > 14.215.177.39 Timestamp request (type=13/code=0) id=23269 seq=0 orig=0 recv=0 trans=0] IP [ttl=59 id=9749 iplen=40 ]
# the first answer is a TCP SYN/ACK from port 443 (not an ICMP reply); one answer settles the question
RCVD (0.1360s) TCP 14.215.177.39:443 > 192.168.43.245:53375 SA ttl=55 id=32706 iplen=44 seq=1272976592 win=8192 <mss 1400>
Nmap scan report for www.baidu.com (14.215.177.39)
# host is up
Host is up (0.015s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Run as root against a target outside the local segment, -sn with no -P option sends exactly these four probes (ICMP echo, SYN to 443, ACK to 80, ICMP timestamp); any one answer marks the host up.
# Host discovery with an ICMP echo request only
$ nmap --packet-trace -PE www.baidu.com -sn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 20:23 CST
# echo request (type 8/code 0), id 60069
SENT (0.1063s) ICMP [192.168.43.245 > 14.215.177.39 Echo request (type=8/code=0) id=60069 seq=0] IP [ttl=37 id=37985 iplen=28 ]
# echo reply (type 0/code 0) with the same id: host is up
RCVD (0.1191s) ICMP [14.215.177.39 > 192.168.43.245 Echo reply (type=0/code=0) id=60069 seq=0] IP [ttl=55 id=37985 iplen=28 ]
Nmap scan report for www.baidu.com (14.215.177.39)
Host is up (0.013s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

ICMP timestamp

Echo requests are the most commonly filtered ICMP type. A firewall that drops type 8 but lets other ICMP queries through still gives the host away when it answers an ICMP timestamp request (type 13) with a timestamp reply (type 14). -PP sends the timestamp request (P from Ping, P from timestamP). The reply also discloses the host's clock in milliseconds since midnight UTC, which is why hardening checklists ask for type 13 to be filtered too.

# Host discovery with an ICMP timestamp request (--send-ip: send raw IP packets, never ARP)
$ nmap --packet-trace -PP -sn --send-ip 192.168.1.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 20:36 CST
# timestamp request (type 13/code 0); the three timestamp fields are zero in a request
SENT (0.1146s) ICMP [192.168.43.245 > 192.168.1.2 Timestamp request (type=13/code=0) id=40093 seq=0 orig=0 recv=0 trans=0] IP [ttl=55 id=47649 iplen=40 ]
# no reply after one second: retransmitted with a fresh id
SENT (1.1160s) ICMP [192.168.43.245 > 192.168.1.2 Timestamp request (type=13/code=0) id=16391 seq=0 orig=0 recv=0 trans=0] IP [ttl=50 id=46703 iplen=40 ]
# still no reply: reported down (or it filters type 13 as well)
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.19 seconds

ICMP address mask request

When timestamp requests are filtered as well, the last ICMP query type to try is the address mask request (type 17, RFC 950), answered by an address mask reply (type 18) carrying the subnet mask.

  • -PM: ICMP address mask ping (P from Ping, M from Mask). Address mask requests are obsolete and most modern stacks ignore them even when nothing is filtered: the router below answers ARP, UDP and TCP ACK probes elsewhere on this page yet stays silent here, so "Host seems down" from -PM alone is weak evidence.
# Host discovery with an ICMP address mask request
$ nmap --packet-trace -PM -sn 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 20:56 CST
# address mask request (type 17/code 0), mask field zero
SENT (0.0908s) ICMP [192.168.43.245 > 192.168.1.1 Address mask request (type=17/code=0) id=57273 seq=0 mask=0.0.0.0] IP [ttl=38 id=15540 iplen=32 ]
# no reply after one second: retransmitted
SENT (1.0920s) ICMP [192.168.43.245 > 192.168.1.1 Address mask request (type=17/code=0) id=24294 seq=0 mask=0.0.0.0] IP [ttl=53 id=40350 iplen=32 ]
# still no reply: reported down, although this router answers other probe types on this page
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.17 seconds
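The three ICMP query probes above on the wire, as an added example that is not part of the original page or of Nmap's code: it builds echo (type 8), timestamp (type 13) and address mask (type 17) requests with the RFC 1071 checksum, simulates the target's replies (make_reply is a constructed stand-in for the remote stack, not real network traffic), and applies the host-up decision a discovery engine makes: matching reply type, identifier and sequence number. Packet lengths match the iplen values in the traces once the 20-byte IP header is added (28, 40 and 32). Sending these needs a raw socket and root; the block only constructs and parses bytes.

```python
import struct
import time

# ICMP query types exercised by -PE, -PP and -PM, and the reply type each expects.
ECHO_REQUEST, ECHO_REPLY = 8, 0
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
MASK_REQUEST, MASK_REPLY = 17, 18
REPLY_FOR = {ECHO_REQUEST: ECHO_REPLY,
             TIMESTAMP_REQUEST: TIMESTAMP_REPLY,
             MASK_REQUEST: MASK_REPLY}


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_request(icmp_type: int, ident: int, seq: int = 0) -> bytes:
    """Serialise an ICMP query request: 8-byte header plus the type-specific body."""
    if icmp_type == ECHO_REQUEST:
        body = b""                          # -PE: empty body, 28-byte IP packet as in the trace
    elif icmp_type == TIMESTAMP_REQUEST:
        body = struct.pack("!III", 0, 0, 0)  # -PP: originate/receive/transmit, all zero
    elif icmp_type == MASK_REQUEST:
        body = struct.pack("!I", 0)         # -PM: mask field, 0.0.0.0 in the request
    else:
        raise ValueError("not an ICMP query type")
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(header + body), ident, seq) + body


def parse(packet: bytes) -> dict:
    """Verify the checksum and split an ICMP packet into header fields and body."""
    if len(packet) < 8 or checksum(packet) != 0:   # a valid packet sums to zero
        raise ValueError("truncated ICMP packet or bad checksum")
    t, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": t, "code": code, "id": ident, "seq": seq, "body": packet[8:]}


def make_reply(request: bytes, mask: str = "255.255.255.0") -> bytes:
    """Constructed target-side behaviour: answer a query with the matching reply type."""
    req = parse(request)
    reply_type = REPLY_FOR[req["type"]]
    if reply_type == TIMESTAMP_REPLY:
        now_ms = int((time.time() % 86400) * 1000)   # milliseconds since midnight UTC
        body = struct.pack("!III", 0, now_ms, now_ms)
    elif reply_type == MASK_REPLY:
        body = bytes(int(o) for o in mask.split("."))
    else:
        body = req["body"]                  # an echo reply returns the request data unchanged
    header = struct.pack("!BBHHH", reply_type, 0, 0, req["id"], req["seq"])
    return struct.pack("!BBHHH", reply_type, 0, checksum(header + body),
                       req["id"], req["seq"]) + body


def host_is_up(request: bytes, reply: bytes) -> bool:
    """Host-discovery decision: reply type, id and seq must all match the probe we sent."""
    try:
        req, rep = parse(request), parse(reply)
    except ValueError:
        return False
    return (rep["type"] == REPLY_FOR.get(req["type"])
            and rep["id"] == req["id"] and rep["seq"] == req["seq"])


def decode_mask(reply: bytes) -> str:
    """Dotted-quad subnet mask carried by an address mask reply."""
    rep = parse(reply)
    if rep["type"] != MASK_REPLY:
        raise ValueError("not an address mask reply")
    return ".".join(str(b) for b in rep["body"][:4])


if __name__ == "__main__":
    for t, ident in ((ECHO_REQUEST, 9721), (TIMESTAMP_REQUEST, 40093), (MASK_REQUEST, 57273)):
        req = build_request(t, ident)
        print(f"type={t} id={ident} icmp_len={len(req)} iplen={len(req) + 20} "
              f"up={host_is_up(req, make_reply(req))}")
```

The id/seq match is what stops a stray or spoofed reply from marking a host up; Nmap uses a fresh id for each retransmission (40093 then 16391 in the -PP trace) for the same reason.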

TCP discovery

How TCP works

TCP establishes a connection with a three-way handshake:

  1. The client sends a SYN segment (SEQ=x) to the server and enters SYN_SENT.
  2. The server receives the SYN and answers with SYN+ACK (SEQ=y, ACK=x+1), entering SYN_RECV.
  3. The client receives the SYN+ACK and answers with ACK (ACK=y+1); both sides are now ESTABLISHED and the handshake is complete.

For host discovery only the second step matters: a host that exists answers a SYN with either SYN+ACK (port open) or RST (port closed). Both answers prove the host is up; only silence, a firewall dropping the segment, leaves the question open.

TCP SYN discovery

TCP SYN discovery sends an empty TCP segment with the SYN flag set. A live host answers with SYN+ACK or RST; if a SYN+ACK comes back, the scanner's kernel tears the half-open connection down with a RST, so no connection is ever completed. The option is -PS.

  • -PS: send SYN probes, to port 80 by default; a port list such as -PS21,22,23 (no space after -PS) probes each port in parallel. P from Ping, S from SYN. Run as root, Nmap sends raw SYN packets; as an ordinary user it falls back to the connect() system call, which is what the CONN lines in the traces below show.
# TCP SYN discovery against a live host, run without root privileges
$ nmap --packet-trace -sn -PS www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 15:18 CST
# CONN rather than SENT: Nmap used connect() to port 80 instead of a raw SYN
CONN (0.0364s) TCP localhost > 121.199.61.226:80 => Operation now in progress
# the connect() completed, so the port is open and the host is up
CONN (0.0696s) TCP localhost > 121.199.61.226:80 => Connected
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# host is up
Host is up (0.035s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
# TCP SYN discovery against a host that is not up
$ nmap --packet-trace -sn -PS 192.168.1.10
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 15:26 CST
# connect() to port 80 started
CONN (0.0262s) TCP localhost > 192.168.1.10:80 => Operation now in progress
# nothing came back within a second: a second connect() is started
CONN (1.0276s) TCP localhost > 192.168.1.10:80 => Operation now in progress
# still neither SYN/ACK nor RST: reported down
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.03 seconds

TCP ACK discovery

TCP ACK discovery is the same idea with the ACK flag instead of SYN. The segment claims to acknowledge data on a connection that does not exist, so a live host must answer with RST whether the port is open or closed. The point of the variant is the firewall: stateless packet filters commonly drop incoming SYNs while passing anything with ACK set, because it looks like part of an established connection, so -PA can get an answer where -PS is silent. A stateful firewall drops both, since it knows no such connection exists.

  • -PA: send ACK probes, to port 80 by default, with the same port-list syntax as -PS. P from Ping, A from ACK. Without raw-socket privileges Nmap cannot craft a bare ACK and quietly falls back to connect(), which sends a SYN; that defeats the purpose, and the trace below shows CONN lines identical to the -PS run rather than an ACK probe. Run -PA as root.

# TCP ACK discovery against a live host, run without root privileges
$ nmap --packet-trace -PA -sn www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 15:54 CST
# CONN again: without raw sockets -PA degrades to connect(), i.e. a SYN, not an ACK
CONN (8.0849s) TCP localhost > 121.199.61.226:80 => Operation now in progress
# connected: the host is up, but nothing here exercised ACK-based discovery
CONN (8.1162s) TCP localhost > 121.199.61.226:80 => Connected
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# host is up
Host is up (0.031s latency).
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds
# TCP ACK discovery (again degraded to connect()) against a host that is not up
$ nmap --packet-trace -PA -sn 192.168.1.5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 15:55 CST
# connect() to port 80 started
CONN (0.0162s) TCP localhost > 192.168.1.5:80 => Operation now in progress
# no answer within a second: second attempt
CONN (1.0175s) TCP localhost > 192.168.1.5:80 => Operation now in progress
# still nothing: reported down
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.02 seconds

UDP discovery

Why UDP discovery helps

UDP is connectionless, so a probe is a single datagram with no handshake. The useful property for discovery is that many firewalls and filters are written with TCP in mind only; a UDP datagram to an unlikely port can get through where every TCP probe is dropped.

Running UDP discovery

UDP discovery sends a UDP datagram, normally empty, to a port that is unlikely to be in use (40125 by default; the choice matters, because an open UDP service may swallow an empty datagram and give no sign of life). --data-length appends random payload bytes. If the port is closed on a live host, the host answers with ICMP port unreachable (type 3/code 3), which proves it is up. Other ICMP errors (host unreachable, administratively prohibited) show that something along the path filtered the probe; no answer at all is ambiguous.

  • -PU: UDP ping, to port 40125 by default; other ports may be listed as with -PS. P from Ping, U from UDP.
# UDP discovery against a live host
$ nmap --packet-trace -PU -sn 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 17:03 CST
# UDP datagram to port 40125
SENT (0.0907s) UDP 192.168.43.245:44083 > 192.168.1.1:40125 ttl=38 id=64710 iplen=68
# ICMP port unreachable (type 3/code 3): the port is closed, hence the host is up.
# The error quotes the whole original datagram (96 = 20 IP + 8 ICMP + 68), which is how Nmap knows which probe it answers
RCVD (0.0944s) ICMP [192.168.1.1 > 192.168.43.245 Port 40125 unreachable (type=3/code=3) ] IP [ttl=63 id=57337 iplen=96 ]
Nmap scan report for TianYi.Home (192.168.1.1)
# host is up
Host is up (0.0037s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

ARP discovery

How ARP works

  1. When host A wants to send to host B on the same segment, it first looks in its ARP cache for B's IP address. If the MAC address is there, the frame goes to it directly; otherwise A broadcasts an ARP request asking for the MAC address that belongs to B's IP address.
  2. The request carries A's IP and MAC addresses and B's IP address. Every host on the segment receives the broadcast and compares the target IP address with its own; non-matching hosts drop it. B records A's IP-to-MAC mapping in its own cache (overwriting any older entry) and sends A a unicast ARP reply giving its MAC address.
  3. A receives the reply, stores B's mapping in its ARP cache and starts sending data. If no reply ever arrives, the ARP lookup has failed.

Running ARP discovery

ARP discovery broadcasts an ARP request and waits for the target's ARP reply. It only works on the local Ethernet segment, but there it is the most reliable method: a host must answer ARP to communicate at all, and IP-level firewall rules never see ARP, so a host that drops every ICMP, TCP and UDP probe still shows up. For that reason Nmap, run as root, uses ARP automatically for targets on a local segment whatever -P options were given.

  • -PR: ARP ping (P from Ping, R from ARP). Rarely needed explicitly, since it is already the default for local targets.
  • --disable-arp-ping: do not use ARP (or IPv6 neighbor discovery), forcing the IP-level probes even on the local segment.
  • -sP: the old spelling of -sn, ping scan without port scan; it is not ARP-specific.
# ARP discovery of a live host (this run was made from 192.168.1.4, on the router's own segment)
$ nmap --packet-trace -PR -sn 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 18:12 China Standard Time
# ARP request, broadcast: who has 192.168.1.1? tell 192.168.1.4
SENT (0.5200s) ARP who-has 192.168.1.1 tell 192.168.1.4
# ARP reply, unicast: 192.168.1.1 is at 28:93:7D:1D:A7:90
RCVD (0.5220s) ARP reply 192.168.1.1 is-at 28:93:7D:1D:A7:90
Nmap scan report for TianYi.Home (192.168.1.1)
# host is up
Host is up (0.0020s latency).
# the MAC address, with its OUI vendor lookup, is a by-product of ARP discovery
MAC Address: 28:93:7D:1D:A7:90 (Sichuan Tianyi Comheart Telecom)
Nmap done: 1 IP address (1 host up) scanned in 6.12 seconds
# ARP discovery of an address with no host behind it
$ nmap --packet-trace -PR -sn 192.168.1.5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 18:15 China Standard Time
# ARP request
SENT (0.4910s) ARP who-has 192.168.1.5 tell 192.168.1.4
# no reply: retransmitted
SENT (1.7120s) ARP who-has 192.168.1.5 tell 192.168.1.4
# still no reply: reported down. This is much stronger evidence than a silent ICMP or TCP probe, since a host on the segment normally has to answer ARP to communicate at all
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.97 seconds

SCTP discovery

How SCTP works

SCTP sets up an association with a four-way handshake designed so that the server commits no resources before the client proves it can receive:

  1. The client sends an INIT chunk. The server gathers what it needs to establish the association and packs it into a State Cookie.
  2. The server replies with INIT-ACK carrying the State Cookie, then forgets the association entirely, keeping no state or resources for it.
  3. The client takes the State Cookie out of the INIT-ACK and sends it back in a COOKIE-ECHO chunk.
  4. The server validates the cookie, rebuilds the association from the information inside it, and answers with COOKIE-ACK.

Running SCTP discovery

SCTP discovery sends a minimal INIT chunk to the target. A live host answers with INIT-ACK (port open) or ABORT (port closed); either proves it is up.

  • -PY: SCTP INIT ping, to port 80 by default; other ports may be listed as with -PS.
# SCTP INIT ping against a host that answers TCP on port 80 elsewhere on this page
$ nmap --packet-trace -PY -sn www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 19:11 CST
# SCTP INIT to port 80
SENT (0.3681s) SCTP 192.168.43.245:60433 > 121.199.61.226:80 ttl=40 id=44898 iplen=52
# no answer: retransmitted once
SENT (1.3693s) SCTP 192.168.43.245:60435 > 121.199.61.226:80 ttl=45 id=63150 iplen=52
# "seems down", although the same host answered SYN and ACK probes to port 80 above. SCTP is a separate transport protocol (IP protocol 132), and many firewalls, NAT devices and cloud networks drop it outright, so a silent -PY says more about the path than about the host
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.45 seconds
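The decision every run on this page makes, probe sent, reply matched or not, host up or "seems down", as an added example that is not part of the original page or of Nmap's code: a correlator for --packet-trace output covering the IP protocol, ICMP, TCP, UDP, ARP and SCTP sections above. It pairs SENT probes with RCVD packets by the field each protocol offers (ICMP identifier, TCP/SCTP port pair, the port quoted inside an ICMP port unreachable, the ARP target), counts retransmissions, and reports per target which probe types were answered. The SAMPLE_TRACE lines are constructed from the traces above, not a single real capture; the shape of an SCTP reply line is assumed to follow the TCP "src:port > dst:port" form, since no answered SCTP probe appears on this page.

```python
import re

# The three line shapes in Nmap's --packet-trace output used on this page.
_LINE = re.compile(r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) (?P<rest>.*)$")
_ICMP = re.compile(r"^ICMP \[(?P<src>\S+) > (?P<dst>\S+) (?P<desc>.*?) "
                   r"\(type=(?P<type>\d+)/code=(?P<code>\d+)\)(?: id=(?P<id>\d+))?")
_L4 = re.compile(r"^(?P<proto>TCP|UDP|SCTP) (?P<src>\S+):(?P<sport>\d+) > "
                 r"(?P<dst>\S+):(?P<dport>\d+)(?: (?P<flags>[A-Z]+)\b)?")
_ARP_REQ = re.compile(r"^ARP who-has (?P<target>\S+) tell \S+")
_ARP_REP = re.compile(r"^ARP reply (?P<target>\S+) is-at (?P<mac>\S+)")

_ICMP_QUERY = {8: "ICMP echo", 13: "ICMP timestamp", 17: "ICMP address mask"}
_ICMP_REPLY = {0, 14, 18}                   # echo, timestamp and address mask replies


def _probe(rest):
    """Classify a SENT line into (match token, target, label); None if not a probe we track."""
    m = _ICMP.match(rest)
    if m and int(m["type"]) in _ICMP_QUERY:
        return ("icmp", m["id"]), m["dst"], f"{_ICMP_QUERY[int(m['type'])]} to {m['dst']}"
    m = _L4.match(rest)
    if m:
        proto, dst, dport, flags = m["proto"], m["dst"], m["dport"], m["flags"] or ""
        if proto == "UDP":                  # answered by an ICMP error, so the token is the port
            return ("udp", dst, dport), dst, f"UDP to {dst}:{dport}"
        kind = "INIT" if proto == "SCTP" else {"S": "SYN", "A": "ACK"}.get(flags, flags)
        return (proto, m["sport"], dport), dst, f"{proto} {kind} to {dst}:{dport}"
    m = _ARP_REQ.match(rest)
    if m:
        return ("arp", m["target"]), m["target"], f"ARP who-has {m['target']}"
    return None


def _reply(rest):
    """Classify a RCVD line into (token of the probe it answers, description) or None."""
    m = _ICMP.match(rest)
    if m:
        t, code = int(m["type"]), int(m["code"])
        if t in _ICMP_REPLY:
            return ("icmp", m["id"]), m["desc"]
        port = re.search(r"Port (\d+) unreachable", m["desc"])
        if t == 3 and code == 3 and port:   # the error quotes our datagram, hence the port
            return ("udp", m["src"], port.group(1)), "ICMP port unreachable"
        return None
    m = _L4.match(rest)
    if m and m["proto"] in ("TCP", "SCTP"):  # ports are swapped relative to our probe
        return (m["proto"], m["dport"], m["sport"]), f"{m['proto']} {m['flags'] or 'packet'}"
    m = _ARP_REP.match(rest)
    if m:
        return ("arp", m["target"]), f"is-at {m['mac']}"
    return None


def correlate(trace_lines):
    """Pair probes with answers and give a per-target verdict, as the discovery engine does."""
    probes, index = {}, {}                  # label -> entry ; match token -> label
    for line in trace_lines:
        m = _LINE.match(line.strip())
        if not m:
            continue                        # banner, report and comment lines
        if m["dir"] == "SENT":
            parsed = _probe(m["rest"])
            if parsed:
                token, target, label = parsed
                entry = probes.setdefault(
                    label, {"target": target, "probe": label, "sent": 0, "reply": None})
                entry["sent"] += 1          # a retransmission keeps its label, gets a new token
                index[token] = label
        else:
            parsed = _reply(m["rest"])
            if parsed and parsed[0] in index:
                entry = probes[index[parsed[0]]]
                entry["reply"] = entry["reply"] or parsed[1]
    report = {}
    for entry in probes.values():
        host = report.setdefault(entry["target"], {"up": False, "probes": []})
        host["probes"].append(entry)
        host["up"] = host["up"] or entry["reply"] is not None
    return report


# Constructed trace lines modelled on the runs above (not one real capture).
SAMPLE_TRACE = """
SENT (0.1175s) ICMP [192.168.43.245 > 192.168.1.10 Echo request (type=8/code=0) id=28135 seq=0] IP [ttl=41 id=58457 iplen=28 ]
SENT (2.1205s) ICMP [192.168.43.245 > 192.168.1.10 Echo request (type=8/code=0) id=34496 seq=0] IP [ttl=55 id=20151 iplen=28 ]
SENT (0.1079s) TCP 192.168.43.245:46612 > 192.168.1.1:80 A ttl=53 id=16893 iplen=40 seq=1838337423 win=1024
RCVD (0.1107s) TCP 192.168.1.1:80 > 192.168.43.245:46612 R ttl=63 id=25587 iplen=40 seq=119684187 win=0
SENT (0.0907s) UDP 192.168.43.245:44083 > 192.168.1.1:40125 ttl=38 id=64710 iplen=68
RCVD (0.0944s) ICMP [192.168.1.1 > 192.168.43.245 Port 40125 unreachable (type=3/code=3) ] IP [ttl=63 id=57337 iplen=96 ]
SENT (0.5200s) ARP who-has 192.168.1.1 tell 192.168.1.4
RCVD (0.5220s) ARP reply 192.168.1.1 is-at 28:93:7D:1D:A7:90
SENT (0.3681s) SCTP 192.168.43.245:60433 > 121.199.61.226:80 ttl=40 id=44898 iplen=52
SENT (1.3693s) SCTP 192.168.43.245:60435 > 121.199.61.226:80 ttl=45 id=63150 iplen=52
""".strip().splitlines()

if __name__ == "__main__":
    for target, host in correlate(SAMPLE_TRACE).items():
        print(target, "up" if host["up"] else "seems down")
        for p in host["probes"]:
            print(f"  {p['probe']}: sent {p['sent']}x, reply {p['reply'] or 'none'}")
```

Feeding a real `nmap --packet-trace -sn` run through correlate tells you which probe type a filtered host actually answers, which is the information needed to pick a -P option that works for the rest of the range instead of falling back to -Pn everywhere.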

Name resolution and reverse resolution

Forward resolution turns a hostname into an IP address; reverse resolution turns an IP address back into a name (a PTR lookup). By default Nmap reverse-resolves only the hosts it finds up.

  • -R: reverse-resolve every target, including hosts that appear down.
  • -n: never reverse-resolve. Forward resolution of a hostname given on the command line still happens, since Nmap needs the address. -n is faster and quieter: every PTR query is a line in someone's DNS log recording which addresses you looked at.
# Discover www.diaoan.xyz with reverse resolution switched off
$ nmap --packet-trace -sn -PS -n www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 20:45 CST
# run as root this time: a raw SYN (SENT, not CONN) goes to port 80
SENT (0.2284s) TCP 192.168.43.245:38201 > 121.199.61.226:80 S ttl=54 id=19946 iplen=44 seq=1979205142 win=1024 <mss 1460>
# SYN/ACK: port open, host up; no PTR lookup for 121.199.61.226 follows
RCVD (0.2613s) TCP 121.199.61.226:80 > 192.168.43.245:38201 SA ttl=116 id=399 iplen=44 seq=3369574292 win=8192 <mss 1400>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.033s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

Traceroute

Traceroute maps the routers between scanner and target by sending copies of a probe with different IP TTL values. Each router decrements the TTL by one; the router where it reaches zero discards the packet and returns an ICMP time exceeded error (type 11/code 0) whose source address identifies that hop. Nmap's traceroute does not use a fixed ICMP echo probe: it reuses whichever probe type host discovery or the port scan found to work (below, TCP SYN to port 80, hence "using port 80/tcp"), sends probes for a batch of TTLs in parallel (10 down to 1 in the trace, then higher values), and retransmits those that get no answer. The lowest TTL at which the target itself answers (here with SYN/ACK) is the last hop; hops that never answer are printed as a range such as "3 ... 12".

  • --traceroute: trace the route to each host after the scan.
# Trace the route to www.diaoan.xyz, reverse-resolving every hop (-R)
$ nmap --packet-trace -sn -PS -R --traceroute www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 20:50 CST
# host discovery first: SYN to 80, SYN/ACK back
SENT (0.1909s) TCP 192.168.43.245:33235 > 121.199.61.226:80 S ttl=45 id=45901 iplen=44 seq=1218553367 win=1024 <mss 1460>
RCVD (0.2240s) TCP 121.199.61.226:80 > 192.168.43.245:33235 SA ttl=116 id=1167 iplen=44 seq=3079631607 win=8192 <mss 1400>
# traceroute: the same SYN probe is sent with TTL 10 down to 1, one source port per TTL
SENT (0.3814s) TCP 192.168.43.245:36968 > 121.199.61.226:80 S ttl=10 id=45523 iplen=44 seq=3185375790 win=43212 <mss 1460>
SENT (0.3815s) TCP 192.168.43.245:36969 > 121.199.61.226:80 S ttl=9 id=31781 iplen=44 seq=2407042503 win=24590 <mss 1460>
SENT (0.3815s) TCP 192.168.43.245:36970 > 121.199.61.226:80 S ttl=8 id=50526 iplen=44 seq=2167780263 win=20125 <mss 1460>
SENT (0.3816s) TCP 192.168.43.245:36971 > 121.199.61.226:80 S ttl=7 id=45631 iplen=44 seq=486263963 win=28028 <mss 1460>
SENT (0.3816s) TCP 192.168.43.245:36972 > 121.199.61.226:80 S ttl=6 id=28030 iplen=44 seq=1506814108 win=41759 <mss 1460>
SENT (0.3817s) TCP 192.168.43.245:36973 > 121.199.61.226:80 S ttl=5 id=44856 iplen=44 seq=2744161118 win=65248 <mss 1460>
SENT (0.3817s) TCP 192.168.43.245:36974 > 121.199.61.226:80 S ttl=4 id=11656 iplen=44 seq=650162866 win=40705 <mss 1460>
SENT (0.3817s) TCP 192.168.43.245:36975 > 121.199.61.226:80 S ttl=3 id=56059 iplen=44 seq=644040787 win=14787 <mss 1460>
SENT (0.3817s) TCP 192.168.43.245:36960 > 121.199.61.226:80 S ttl=2 id=52876 iplen=44 seq=422641921 win=20043 <mss 1460>
SENT (0.3817s) TCP 192.168.43.245:36961 > 121.199.61.226:80 S ttl=1 id=53956 iplen=44 seq=2321457656 win=10238 <mss 1460>
# ICMP time exceeded from the first two hops: the TTL 1 and TTL 2 probes expired at 192.168.32.1 and 192.168.1.1
RCVD (0.3820s) ICMP [192.168.32.1 > 192.168.43.245 TTL=0 during transit (type=11/code=0) ] IP [ttl=64 id=0 iplen=72 ]
RCVD (0.3869s) ICMP [192.168.1.1 > 192.168.43.245 TTL=0 during transit (type=11/code=0) ] IP [ttl=63 id=44090 iplen=72 ]
# TTL 11 and 12
SENT (0.3920s) TCP 192.168.43.245:36962 > 121.199.61.226:80 S ttl=11 id=29178 iplen=44 seq=521622099 win=23897 <mss 1460>
SENT (0.3920s) TCP 192.168.43.245:36963 > 121.199.61.226:80 S ttl=12 id=28275 iplen=44 seq=3744876770 win=24343 <mss 1460>
# hops 3 to 12 never answer; those probes are retransmitted twice, one second apart
SENT (1.3919s) TCP 192.168.43.245:36975 > 121.199.61.226:80 S ttl=3 id=53594 iplen=44 seq=2898075093 win=59343 <mss 1460>
SENT (1.3920s) TCP 192.168.43.245:36974 > 121.199.61.226:80 S ttl=4 id=27904 iplen=44 seq=1505420095 win=30026 <mss 1460>
SENT (1.3920s) TCP 192.168.43.245:36973 > 121.199.61.226:80 S ttl=5 id=51953 iplen=44 seq=86616698 win=20526 <mss 1460>
SENT (1.3920s) TCP 192.168.43.245:36972 > 121.199.61.226:80 S ttl=6 id=60704 iplen=44 seq=668724196 win=37580 <mss 1460>
SENT (1.3920s) TCP 192.168.43.245:36971 > 121.199.61.226:80 S ttl=7 id=36675 iplen=44 seq=3547798000 win=36086 <mss 1460>
SENT (1.3920s) TCP 192.168.43.245:36970 > 121.199.61.226:80 S ttl=8 id=54809 iplen=44 seq=1804226636 win=32550 <mss 1460>
SENT (1.3921s) TCP 192.168.43.245:36969 > 121.199.61.226:80 S ttl=9 id=8614 iplen=44 seq=1524594925 win=52162 <mss 1460>
SENT (1.3921s) TCP 192.168.43.245:36968 > 121.199.61.226:80 S ttl=10 id=33934 iplen=44 seq=1626967471 win=57854 <mss 1460>
SENT (1.4029s) TCP 192.168.43.245:36963 > 121.199.61.226:80 S ttl=12 id=10057 iplen=44 seq=1486341433 win=55627 <mss 1460>
SENT (1.4030s) TCP 192.168.43.245:36962 > 121.199.61.226:80 S ttl=11 id=39712 iplen=44 seq=952695547 win=34755 <mss 1460>
SENT (2.4022s) TCP 192.168.43.245:36968 > 121.199.61.226:80 S ttl=10 id=36199 iplen=44 seq=1664326775 win=16683 <mss 1460>
SENT (2.4023s) TCP 192.168.43.245:36969 > 121.199.61.226:80 S ttl=9 id=38000 iplen=44 seq=3934527502 win=7944 <mss 1460>
SENT (2.4023s) TCP 192.168.43.245:36970 > 121.199.61.226:80 S ttl=8 id=36777 iplen=44 seq=1765018069 win=60545 <mss 1460>
SENT (2.4023s) TCP 192.168.43.245:36971 > 121.199.61.226:80 S ttl=7 id=49008 iplen=44 seq=3889004093 win=41478 <mss 1460>
SENT (2.4024s) TCP 192.168.43.245:36972 > 121.199.61.226:80 S ttl=6 id=19879 iplen=44 seq=2380950869 win=4181 <mss 1460>
SENT (2.4024s) TCP 192.168.43.245:36973 > 121.199.61.226:80 S ttl=5 id=12082 iplen=44 seq=3588669308 win=36125 <mss 1460>
SENT (2.4024s) TCP 192.168.43.245:36974 > 121.199.61.226:80 S ttl=4 id=62747 iplen=44 seq=3287699441 win=28350 <mss 1460>
SENT (2.4024s) TCP 192.168.43.245:36975 > 121.199.61.226:80 S ttl=3 id=1956 iplen=44 seq=1358640367 win=18974 <mss 1460>
SENT (2.4126s) TCP 192.168.43.245:36962 > 121.199.61.226:80 S ttl=11 id=63722 iplen=44 seq=1850056978 win=13178 <mss 1460>
SENT (2.4127s) TCP 192.168.43.245:36963 > 121.199.61.226:80 S ttl=12 id=39346 iplen=44 seq=850201853 win=16631 <mss 1460>
# TTL 13 to 22
SENT (3.4128s) TCP 192.168.43.245:36964 > 121.199.61.226:80 S ttl=13 id=64888 iplen=44 seq=2169021136 win=36694 <mss 1460>
SENT (3.4129s) TCP 192.168.43.245:36965 > 121.199.61.226:80 S ttl=14 id=23457 iplen=44 seq=1579234833 win=3615 <mss 1460>
SENT (3.4129s) TCP 192.168.43.245:36966 > 121.199.61.226:80 S ttl=15 id=35635 iplen=44 seq=2567726766 win=63006 <mss 1460>
SENT (3.4130s) TCP 192.168.43.245:36967 > 121.199.61.226:80 S ttl=16 id=32174 iplen=44 seq=3239502888 win=58744 <mss 1460>
SENT (3.4130s) TCP 192.168.43.245:36984 > 121.199.61.226:80 S ttl=17 id=10142 iplen=44 seq=1023412669 win=24186 <mss 1460>
SENT (3.4131s) TCP 192.168.43.245:36985 > 121.199.61.226:80 S ttl=18 id=53176 iplen=44 seq=1002514773 win=45158 <mss 1460>
SENT (3.4131s) TCP 192.168.43.245:36986 > 121.199.61.226:80 S ttl=19 id=30560 iplen=44 seq=1060264654 win=36752 <mss 1460>
SENT (3.4131s) TCP 192.168.43.245:36987 > 121.199.61.226:80 S ttl=20 id=38483 iplen=44 seq=3024023676 win=23404 <mss 1460>
SENT (3.4237s) TCP 192.168.43.245:36988 > 121.199.61.226:80 S ttl=21 id=32396 iplen=44 seq=770022349 win=32670 <mss 1460>
SENT (3.4238s) TCP 192.168.43.245:36989 > 121.199.61.226:80 S ttl=22 id=57596 iplen=44 seq=3409485228 win=38153 <mss 1460>
# the target itself answers with SYN/ACK for TTL 13 (source port 36964) and above, so the path is 13 hops long
RCVD (3.4416s) TCP 121.199.61.226:80 > 192.168.43.245:36964 SA ttl=116 id=1168 iplen=44 seq=4209584110 win=8192 <mss 1400>
RCVD (3.4424s) TCP 121.199.61.226:80 > 192.168.43.245:36966 SA ttl=116 id=1169 iplen=44 seq=318779088 win=8192 <mss 1400>
RCVD (3.4424s) TCP 121.199.61.226:80 > 192.168.43.245:36967 SA ttl=116 id=1171 iplen=44 seq=3526794468 win=8192 <mss 1400>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.033s latency).

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.25 ms DIAOAN (192.168.32.1)
2 5.20 ms TianYi.Home (192.168.1.1)
# hops 3 to 12 sent no ICMP time exceeded, so they are collapsed into one line
3 ... 12
13 28.92 ms www.diaoan.xyz (121.199.61.226)
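How the HOP table above is assembled from TTL-limited probes, as an added example that is not part of the original page or of Nmap's code. An ICMP time exceeded error quotes the original IP header and the first bytes of the TCP header, so the source port, which Nmap makes unique per TTL, tells which probe expired at which router; the lowest TTL answered by the target itself ends the path, and silent hops are collapsed the way Nmap prints them. The Probe and Reply records are constructed stand-ins for the parsed trace, with addresses and timings modelled on the run above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Probe:
    ttl: int
    sport: int        # one source port per TTL: the ICMP error quotes it, identifying the hop
    sent_at: float    # seconds, as in the trace timestamps


@dataclass
class Reply:
    sport: int        # recovered from the quoted original header (ICMP) or the TCP dst port
    src: str          # router that sent the ICMP error, or the target itself
    kind: str         # "ttl-exceeded" (ICMP type 11/code 0) or "target" (SYN/ACK or RST)
    at: float


def build_hops(probes: List[Probe], replies: List[Reply],
               target: str) -> Tuple[Dict[int, Tuple[str, float]], int]:
    """Map TTL -> (responding address, RTT in ms) and find the TTL that reaches the target."""
    by_port = {p.sport: p for p in probes}
    hops: Dict[int, Tuple[str, float]] = {}
    target_ttls = []
    for r in replies:
        p = by_port.get(r.sport)
        if p is None:
            continue                             # stray packet, not one of our probes
        rtt_ms = (r.at - p.sent_at) * 1000.0
        if r.kind == "target" and r.src == target:
            target_ttls.append(p.ttl)
            hops.setdefault(p.ttl, (target, rtt_ms))
        elif r.kind == "ttl-exceeded":
            hops.setdefault(p.ttl, (r.src, rtt_ms))  # keep the first answer per hop
    if not target_ttls:
        raise ValueError("target never answered; route is incomplete")
    final = min(target_ttls)                     # lowest TTL that reached the target = path length
    hops = {ttl: v for ttl, v in hops.items() if ttl <= final}
    return hops, final


def render(hops: Dict[int, Tuple[str, float]], final: int) -> List[str]:
    """Lay out the table like Nmap's TRACEROUTE block, collapsing silent hops into 'a ... b'."""
    lines = ["HOP RTT ADDRESS"]
    ttl = 1
    while ttl <= final:
        if ttl in hops:
            addr, rtt = hops[ttl]
            lines.append(f"{ttl} {rtt:.2f} ms {addr}")
            ttl += 1
            continue
        start = ttl
        while ttl <= final and ttl not in hops:
            ttl += 1
        end = ttl - 1
        lines.append(f"{start} ... {end}" if end > start else f"{start} ...")
    return lines


# Constructed data modelled on the trace above (not the real capture): one probe per TTL,
# two routers answering, and SYN/ACKs from the target for TTL 13 and TTL 15.
TARGET = "121.199.61.226"
PROBES = [Probe(ttl, 36960 + ttl, 0.3817 if ttl <= 12 else 3.4128) for ttl in range(1, 16)]
REPLIES = [
    Reply(36961, "192.168.32.1", "ttl-exceeded", 0.3820),
    Reply(36962, "192.168.1.1", "ttl-exceeded", 0.3869),
    Reply(36973, TARGET, "target", 3.4416),
    Reply(36975, TARGET, "target", 3.4424),
]

if __name__ == "__main__":
    h, f = build_hops(PROBES, REPLIES, TARGET)
    print("\n".join(render(h, f)))
```

The reply for TTL 15 is discarded because TTL 13 already reached the target: anything beyond the first such TTL is the same host, not further hops.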

Skipping host discovery

Skipping host discovery means treating every target as up and going straight to the port scan (or whatever scan was requested). It is the answer when a host drops all ping probes: a firewall that silently discards ICMP, SYN and ACK pings will usually still let traffic through to the ports it serves. The costs: every address in the range is scanned in full, so a sweep of a large range becomes much slower, and "Host is up" in the report is no longer a finding but an assumption.

  • -Pn: skip host discovery.
  • -P0: the old spelling of the same option (digit zero); -Pn is preferred because -P0 is easily confused with -PO (IP protocol ping).
# Skip host discovery and go straight to the port scan of www.diaoan.xyz
$ nmap --packet-trace -P0 www.diaoan.xyz
......
SENT (8.6640s) TCP 192.168.1.4:43876 > 121.199.61.226:1217 S ttl=46 id=29607 iplen=44 seq=1552475743 win=1024 <mss 1460>
......
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.032s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https

No discovery probe (ARP, ICMP echo, TCP ping) appears in the trace: the first packets are already SYN port probes. "Host is up" is printed regardless, because -P0 assumed it rather than established it.