web-dev-qa-db-ja.com

Different behaviour: "sudo nmap" vs. just "nmap"?

I'm trying to run a simple port scan with Nmap.

$ nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Nmap scan report for 192.168.56.101
Host is up (0.0048s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
5555/tcp  open  freeciv
24800/tcp open  unknown

Nmap done: 1 IP address (1 Host up) scanned in 0.10 seconds

But when I try the same thing with sudo, it claims the host is down, which can't be right.

$ sudo nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.48 seconds



Note:
I'm using OS X Yosemite.
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin14)

Thank you.

5
thedp

By default, an unprivileged scan uses -sT (TCP connect) and a privileged (root) scan uses -sS (TCP SYN stealth).

TCP Connect (-sT): Connect scan uses the system call of the same name to scan machines, rather than relying on raw packets as most of the other methods do. It is usually used by unprivileged Unix users and against IPv6 targets because SYN scan doesn't work in those cases.

TCP SYN Stealth (-sS): This is the most popular scan type because it is the fastest way to scan ports of the most popular protocol (TCP). It is stealthier than connect scan, and it works against all functional TCP stacks (unlike some special-purpose scans such as FIN scan).

1) To understand what is going on on the machine, I recommend using extra verbosity (-vv) or --packet-trace and looking at what happens.

$ sudo nmap --packet-trace -vv 192.168.56.101

2) Another approach is to force an unprivileged scan while running as a privileged user with the following commands and compare the results.

$ sudo nmap -sT -vv 192.168.56.101
$ sudo nmap --unprivileged -vv 192.168.56.101

3) Finally, the reason nmap stops the scan is that its ICMP type 8 (echo, a.k.a. ping) does not get an ICMP type 0 (echo reply) back. This command ignores the ping and continues scanning.

$ sudo nmap -PN 192.168.56.101

Try those commands and post the output.

8
Florian Bidabe

I noticed the same behaviour on a Mac. Really odd.

NMAP with sudo privileges seems to be getting some of its information from the ARP cache. So if you scan a device that has disconnected from the network but is still in the ARP cache (on my computer the cache refreshes after 2-3 minutes), NMAP shows it as online.

From the NMAP man page:

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. .. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

3
phenetas

Basically, by default:

  • privileged users run -sS (TCP SYN scan).
    This scan type requires raw socket / raw packet privileges.
  • unprivileged users run -sT (TCP connect scan).
    This scan type does not require raw socket / raw packet privileges.

Adapted from Nmap's official documentation:

PORT SCANNING TECHNIQUES
Most of the scan types are only available to privileged users. This is because they are able to send and receive raw packets, which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.

--privileged (Assume that the user is fully privileged).
Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on Unix systems. By default, Nmap quits if such operations are requested but geteuid is not zero. --privileged is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users to perform raw-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan, OS detection, etc). The NMAP_PRIVILEGED environment variable may be set as an equivalent alternative to --privileged.


-sS (TCP SYN Scan).
TCP SYN Scan is the default scan option for privileged users. It can be performed quickly, scanning thousands of ports per second; when on a fast network, not hampered by any restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. A TCP SYN Scan works against any compliant TCP stack rather than depending on the idiosyncrasies of specific platforms (as Nmap's other scans do). It allows clear, reliable differentiation between the (open), (closed), and (filtered) states.
This technique is often referred to as a Half-Open Scan, because it doesn't open a full TCP connection. You send a SYN packet, as if you are going to (open) a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener (closed). If a SYN/ACK is received, a RST is immediately sent to tear down the connection. The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. If no response is received after several retransmissions, the port is marked as (filtered). The port is also marked (filtered) if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered (open) if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous (open) or split handshake connection. (https://nmap.org/misc/split-handshake.pdf)

--unprivileged (Assume that the user lacks raw socket privileges).
This option is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful if testing, debugging, or the raw network functionality of your operating system is somehow broken. The NMAP_UNPRIVILEGED environment variable may be set as an equivalent alternative to --unprivileged.


-sT (TCP Connect Scan).
TCP Connect Scan is the default TCP scan type for unprivileged users. This is the most basic form of TCP scanning. The connect() system call, provided by your operating system is used to (open) a connection to some interesting ports on the machine. If the port is (listening), then connect() will succeed, otherwise the port is (filtered). One strong advantage to this technique is that it doesn't require any special privileges. Usually, on most UNIX boxes, any user can make this call because it doesn't involve writing raw packets like most other scan types do. This connect() call is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.
When the TCP SYN Scan is available, it is usually a better choice. Nmap has less control over the high level connect() call than with raw packets, making it less efficient. Rather than performing the half-open (reset) that a SYN Scan does, the connect() system call makes complete connections to (open) target ports. This not only takes longer, it requires sending more packets to obtain the same information, and target machines are more likely to log the connection. A decent IDS will catch either. Most machines, however, have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been TCP Connect Scanned.
2
voices