-sY(SCTP INIT scan)利用流控制协议的四报文握手的INIT CHUNK报文, 进行端口扫描,和SYN有点类似 -sN;-sF;-sX(TCP NULL,FIN,and Xmas scans),利用subtle loophole在TCP RFC中,去区分开还是关的端口,引用,如果一个目的端口状态是关的,进入端口的片段不包含RST,将会引起一个RST回应 -sN 不运载任何内容的TCP包(TCP flag header is 0 ) -sF 使用TCP FIN包 sX Sets the FIN, PSH, and URG flags,lighting the packet up like a Christmas tree 上述三种类型,he port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received 上述三种类型的优点,比SYN更隐蔽 并不是所有系统都准守RFC793,大量的系统都会发送RST不管端口是开还是关,另一个缺点是不能区分开启和过滤状态 -sA(TCP ACK scan),有RST结果,表示unfiltered,没有回应或则有报文不可达 (type 3, code 0, 1, 2, 3, 9, 10, or 13),意味着被过滤 -sW(TCP windows scan),与sA相同但是可以确认出开放端口,进一步查看RST窗口值0就是关闭,非零开放 TCP(TCP Maimon scan)Uriel noticed that many BSD-derived systems simply drop the packet if the port is open –scanflags (custom TCP scan)specifying the desired flags -sZ流控制传输协议的cookie 回声扫描,遇到closed端口,会有个ABORT回应。不能区分open和filtered 端口 -sI idle scan ,利用僵尸主机对目标进行扫描,https://nmap.org/book/idlescan.html -s0 (IP protocol scan)确定远程主机支持那个IP协议(TCP,ICMP,IGMP,etc) -s0接受到任何回应表示协议打开 An ICMP protocol unreachable error (type 3, code 2) causes the protocol to be marked as closed while port unreachable (type 3, code 3) marks the protocol open. Other ICMP unreachable errors (type 3, code 0, 1, 9, 10, or 13) cause the protocol to be marked filtered (though they prove that ICMP is open at the same time). If no response is received after retransmissions, the protocol is marked open|filtered -b FTP relay host (FTP bounce scan)用户要求文件发送给第三方服务器。很容易滥用这一特性,因此大部分服务器不支持这一特性 利用这一特性促使FTP 服务器 端口扫描 其他主机。要求FTP服务器发送一个文件到目标主机端口。返回错误信息将描述端口是否开关
Archives
Select Month
December 2022 (1)
September 2021 (1)
August 2020 (3)
May 2020 (2)
