
Discovering hosts with TCP ACK ping scans

Similar to the TCP SYN ping scan, the TCP ACK ping scan is used to determine whether a host is responding. It can reach hosts that drop SYN packets or ICMP echo requests, but it will most likely be blocked by modern stateful firewalls, which track connection state and discard an ACK that belongs to no existing connection.

The following recipe shows how to perform a TCP ACK ping scan and its related options.

How to do it...

Open a terminal and enter the following command (run it as a privileged user so that Nmap can send raw packets; see the privileged versus unprivileged note below):

# nmap -sP -PA <target>

The -sP option is the legacy spelling of -sn (host discovery only, no port scan); current Nmap releases accept both.

How it works...

A TCP ACK ping scan works in the following way:

  • Nmap sends an empty TCP packet with the ACK flag set to port 80 (the default when no port list is given)
  • If the host is offline, it should not respond to this request
  • If the host is online, it returns an RST packet, since the connection does not exist

There's more...

It is important to understand that there will be cases when this technique will not work. Let's launch a TCP ACK ping scan against one of these hosts.

# nmap -sP -PA 0xdeadbeefcafe.com

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.14 seconds

The host is shown as offline, but let's try a TCP SYN ping scan with the same host.

# nmap -sP -PS 0xdeadbeefcafe.com

Nmap scan report for 0xdeadbeefcafe.com (50.116.1.121)
Host is up (0.090s latency).
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds

We discovered that the host was online but was dropping our ACK probes, which is exactly what a stateful firewall does with a segment that matches no tracked connection. When an ACK ping reports a host as down, retry with a SYN ping (or -Pn) before concluding that it is offline.

Privileged versus unprivileged TCP ACK ping scan

TCP ACK ping scans need to run as a privileged user, because sending an ACK segment with no preceding handshake requires raw sockets. Without that privilege, Nmap falls back to the connect() system call, which always begins with a SYN. Hence, as an unprivileged user, a -PA scan does not use the TCP ACK technique discussed previously; it silently performs a TCP SYN ping scan instead, and will be filtered or allowed according to the rules that apply to SYN packets.

Selecting ports in TCP ACK ping scans

Additionally, you can select the ports to be probed with this technique by listing them directly after the flag -PA (no space), using the same port-list syntax as the rest of Nmap. Without a list, only port 80 is probed:

# nmap -sP -PA21,22,80 <target>
# nmap -sP -PA80-150 <target>
# nmap -sP -PA22,1000-65535 <target>
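As an added example that ties together the ACK probe, the SYN fallback shown in the previous section, the privilege caveat, and the port-list syntax, here is a small POSIX shell wrapper. It is not the book's own code. It assumes nmap is on the PATH for the live sweep; the helpers that parse greppable (-oG) output and decide the verdict run offline on constructed sample lines embedded in the script, so they can be exercised without a target.

```shell
#!/bin/sh
# Added example, not from the book. Assumes nmap is on PATH for the live sweep;
# the parsing and classification helpers run offline on the embedded sample text.

# Print the addresses that nmap reported as up in greppable (-oG) output.
# Host lines look like: "Host: 50.116.1.121 (0xdeadbeefcafe.com)<TAB>Status: Up"
hosts_up() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Combine the results of an ACK sweep ($1) and a SYN sweep ($2), both as -oG
# text, into one verdict: up-ack, up-syn-only (ACK probes filtered), or down.
classify() {
    if [ -n "$(printf '%s\n' "$1" | hosts_up)" ]; then
        echo up-ack
    elif [ -n "$(printf '%s\n' "$2" | hosts_up)" ]; then
        echo up-syn-only
    else
        echo down
    fi
}

# -PA only sends real ACK segments when nmap can open raw sockets; as an
# unprivileged user it silently degrades to connect(), i.e. a SYN probe.
check_privileges() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "warning: not running as root, -PA will degrade to a connect() SYN probe" >&2
        return 1
    fi
}

# Run the ACK ping first (-sn is the current spelling of -sP), and only if
# nothing answers retry with SYN probes to the same ports.
discover() {
    target=$1
    ports=${2:-80}        # same syntax as the book: 21,22,80 or 80-150
    check_privileges || true
    ack=$(nmap -sn -PA"$ports" -oG - "$target" 2>/dev/null)
    syn=""
    if [ -z "$(printf '%s\n' "$ack" | hosts_up)" ]; then
        syn=$(nmap -sn -PS"$ports" -oG - "$target" 2>/dev/null)
    fi
    classify "$ack" "$syn"
}

# Constructed sample -oG output, modelled on the book's example host.
SAMPLE_DOWN='# Nmap done -- 1 IP address (0 hosts up) scanned in 3.14 seconds'
SAMPLE_UP="$(printf 'Host: 50.116.1.121 (0xdeadbeefcafe.com)\tStatus: Up\n# Nmap done -- 1 IP address (1 host up)')"

if [ "$#" -gt 0 ]; then
    discover "$@"         # e.g. sh ack-ping.sh 0xdeadbeefcafe.com 21,22,80
fi
```

A verdict of up-syn-only is the signature of the case in the previous section: the host answers SYN probes but a stateful filter in the path is dropping unsolicited ACKs. Treat up-ack as the only result that actually demonstrates the ACK technique worked, and remember that without root the "ACK" sweep was really a SYN sweep, so the distinction is meaningless.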

See also

  • The Finding live hosts in your network recipe in Chapter 1, Nmap Fundamentals
  • The Discovering hosts with TCP SYN ping scans recipe
  • The Discovering hosts with UDP ping scans recipe
  • The Discovering hosts with ICMP ping scans recipe
  • The Discovering hosts with IP protocol ping scans recipe
  • The Discovering hosts with ARP ping scans recipe
  • The Discovering hosts using broadcast pings recipe
  • The Discovering stateful firewalls by using a TCP ACK scan recipe in Chapter 3, Gathering Additional Host Information