本节书摘来自异步社区《Nmap渗透测试指南》一书中的第6章6.2节报文分段,作者 商广明,更多章节内容可以访问云栖社区“异步社区”公众号查看。
6.2 报文分段
表6.2所示为本章节所需Nmap命令表,表中加粗命令为本小节所需命令——报文分段。
报文分段的选项是-f。在Nmap使用-f选项时会将TCP头分段在几个包中,使得包过滤器、IDS以及其他工具的检测更加困难。Nmap在IP头后会将包分为8个字节或更小。在使用-f选项的时候需要小心,处置不当时会出现某些错误,这是我们不愿意看到的。
一些主机会禁止相应ICMP请求,对于这种情况就可以使用报文分段的方法来逃避目标防火墙的规则。首先使用Ping扫描目标主机。
root@Wing:~# nmap -sX -v -F 192.168.121.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 14:29 CST
Initiating Ping Scan at 14:29
Scanning 192.168.121.1 [4 ports]
Completed Ping Scan at 14:29, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:29
Completed Parallel DNS resolution of 1 host. at 14:29, 0.01s elapsed
Initiating XMAS Scan at 14:29
Scanning 192.168.121.1 [100 ports]
Completed XMAS Scan at 14:29, 3.04s elapsed (100 total ports)
Nmap scan report for 192.168.121.1
Host is up (0.0018s latency).
All 100 scanned ports on 192.168.121.1 are open|filtered
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
Raw packets sent: 204 (8.152KB) | Rcvd: 2 (68B)
root@Wing:~#
在输出的结果中无法获知目标主机的端口是否开放。此时尝试使用报文分段进行扫描。
root@Wing:~# nmap -f -v 192.168.121.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 15:09 CST
Initiating Ping Scan at 15:09
Scanning 192.168.121.1 [4 ports]
Completed Ping Scan at 15:09, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:09
Completed Parallel DNS resolution of 1 host. at 15:09, 0.01s elapsed
Initiating SYN Stealth Scan at 15:09
Scanning 192.168.121.1 [1000 ports]
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 135/tcp on 192.168.121.1
Discovered open port 445/tcp on 192.168.121.1
Discovered open port 49152/tcp on 192.168.121.1
Discovered open port 49155/tcp on 192.168.121.1
Discovered open port 912/tcp on 192.168.121.1
Discovered open port 49153/tcp on 192.168.121.1
Increasing send delay for 192.168.121.1 from 0 to 5 due to 95 out of 315 dropped probes since last increase.
Discovered open port 902/tcp on 192.168.121.1
Discovered open port 843/tcp on 192.168.121.1
Discovered open port 49165/tcp on 192.168.121.1
Discovered open port 8000/tcp on 192.168.121.1
Discovered open port 7000/tcp on 192.168.121.1
Completed SYN Stealth Scan at 15:11, 120.30s elapsed (1000 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.2s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
514/tcp filtered shell
843/tcp open unknown
902/tcp open iss-realsecure
912/tcp open apex-mesh
7000/tcp open afs3-fileserver
8000/tcp open http-alt
49152/tcp open unknown
49153/tcp open unknown
49155/tcp open unknown
49165/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 120.37 seconds
Raw packets sent: 1853 (81.508KB) | Rcvd: 1054 (42.404KB)
root@Wing:~#
尝试使用报文分段后获得了更多的数据。这说明报文分段能够有效地应对目标主机防火墙的防护规则。