- Nmap 6:Network exploration and security auditing Cookbook
- Paulino Calderon Pale
- 445 words
- 2021-08-05 18:31:05
Discovering hosts with TCP ACK ping scans
Similar to the TCP SYN ping scan, the TCP ACK ping scan is used to determine if a host is responding. It can be used to detect hosts that block SYN packets or ICMP echo requests, but it will most likely be blocked by modern firewalls that track connection states.
The following recipe shows how to perform a TCP ACK ping scan and its related options.
How to do it...
Open a terminal and enter the following command:
# nmap -sP -PA <target>
How it works...
A TCP ACK ping scan works in the following way:
- Nmap sends an empty TCP packet with the ACK flag set to port 80
- If the host is offline, it should not respond to this request
- If the host is online, it returns an RST packet, since the connection does not exist
There's more...
It is important to understand that there will be cases when this technique will not work. Let's launch a TCP ACK ping scan against one of these hosts.
# nmap -sP -PA 0xdeadbeefcafe.com
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.14 seconds
The host is shown as offline, but let's try a TCP SYN ping scan with the same host.
# nmap -sP -PS 0xdeadbeefcafe.com
Nmap scan report for 0xdeadbeefcafe.com (50.116.1.121)
Host is up (0.090s latency).
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds
We discovered that the host was online, but blocking those ACK packets.
TCP ACK ping scans need to run as a privileged user; otherwise, the connect() system call is used, which sends an empty TCP SYN packet. Hence, as an unprivileged user, a TCP ACK ping scan will not use the TCP ACK technique previously discussed, and a TCP SYN ping scan is performed instead.
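The following is an added model (not part of the book, and not Nmap's code) of why the ACK ping in the "How it works" steps above succeeds through a stateless packet filter but fails behind a connection-tracking firewall, as seen in the two scans of this section. Addresses, port numbers and the simplified filter and host behaviour are constructed for illustration.

```python
"""Model of a TCP ACK ping (-PA) versus a TCP SYN ping (-PS) against a
stateless and a stateful packet filter. Constructed example; addresses are
taken from the RFC 5737 documentation ranges."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST


def conn_key(p):
    """Direction-independent 4-tuple identifying one connection."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class StatefulFilter:
    """Connection-tracking filter: a SYN creates an entry; any other segment
    must match an existing entry or it is silently dropped."""
    def __init__(self):
        self.table = set()

    def allows(self, p):
        if p.flags == "S":
            self.table.add(conn_key(p))
            return True
        return conn_key(p) in self.table


class StatelessFilter:
    """Filter with no memory of connections: a bare ACK passes unchallenged."""
    def allows(self, p):
        return True


def host_replies(p):
    """Reply of a live host with p.dport open (simplified TCP behaviour)."""
    if p.flags == "A":  # ACK for a connection that does not exist -> RST
        return Pkt(p.dst, p.dport, p.src, p.sport, "R")
    if p.flags == "S":  # SYN to an open port -> SYN/ACK
        return Pkt(p.dst, p.dport, p.src, p.sport, "SA")
    return None


def ping(probe, fw):
    """'up' if the probe passes the filter and provokes any reply, else 'down'."""
    if not fw.allows(probe):
        return "down"
    return "up" if host_replies(probe) else "down"


SCANNER, TARGET = "192.0.2.10", "198.51.100.5"     # constructed addresses
ACK_PROBE = Pkt(SCANNER, 40000, TARGET, 80, "A")   # what -PA sends
SYN_PROBE = Pkt(SCANNER, 40001, TARGET, 80, "S")   # what -PS sends
```

Running `ping(ACK_PROBE, StatefulFilter())` reports the host as down while `ping(SYN_PROBE, StatefulFilter())` reports it as up, reproducing the two scan results shown above; the same unsolicited-ACK check is what a connection-tracking firewall log would record as a dropped INVALID segment.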
See also
- The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
- The Discovering hosts with TCP SYN ping scans recipe
- The Discovering hosts with UDP ping scans recipe
- The Discovering hosts with ICMP ping scans recipe
- The Discovering hosts with IP protocol ping scans recipe
- The Discovering hosts with ARP ping scans recipe
- The Discovering hosts using broadcast pings recipe
- The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information