书名：Metasploit Penetration Testing Cookbook（Third Edition）
作者名：Daniel Teixeira Abhinav Singh Monika Agarwal
本章字数：555字
更新时间：2021-06-24 19:19:42

How to do it...

Starting Nmap from Metasploit is easy:

Launch msfconsole and type in nmap to display the list of scan options that Nmap provides:

msf > nmap

The TCP connect [-sT] scan is the most basic and default scan type in Nmap. It follows the three-way handshake process to detect the open ports on the target machine. Let's perform this scan on one of our targets:

msf > nmap -sT 192.168.216.10
[*] exec: nmap -sT 192.168.216.10

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-19 08:53 EDT
Nmap scan report for 192.168.216.10
Host is up (0.49s latency).
Not shown: 976 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
....

49158/tcp open unknown
49159/tcp open unknown
MAC Address: 00:0C:29:38:B3:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds

As we can see, we have passed the -sT parameter, which denotes that we want to perform a TCP connect scan. A TCP connect scan is based on a three-way handshake process, hence, the returned results of this scan are considered accurate.

When using Nmap without specifying the port range, Nmap scans the most common 1,000 ports for each protocol.

The SYN scan [-sS] is considered a stealth scanning technique, as it never forms a complete connection between the target and the scanner. Hence, it is also called half-open scanning. Let's analyze a SYN scan on the target:

msf > nmap -sS 192.168.216.10 -p 22-5000
[*] exec: nmap -sS 192.168.216.10 -p 22-5000

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-19 09:00 EDT
Nmap scan report for 192.168.216.10
Host is up (0.00063s latency).
Not shown: 4967 closed ports
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc

...
3920/tcp open exasoftport1
4848/tcp open appserv-http
MAC Address: 00:0C:29:38:B3:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 685.27 seconds
msf >

The –sS parameter will instruct Nmap to perform a SYN scan on the target machine. The output of both TCP connect and the SYN scan are similar in most of the cases, but the only difference lies in the fact that SYN scans are difficult to detect by firewalls and Intrusion Detection Systems (IDS). However, modern firewalls are capable enough to catch SYN scans, as well. The –p parameter shows the range of port numbers that we want to scan. Using -p 0-65535, or -p - for short, will scan all the available ports.

The UDP scan [-sU] is the scanning technique to identify open UDP ports on the target. 0-byte UDP packets are sent to the target machine and the recipient of an ICMP port unreachable message shows that the port is closed; otherwise, it is considered open. It can be used in the following manner:

msf > nmap -sU 192.168.216.10
[*] exec: nmap -sU 192.168.216.10

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-19 09:09 EDT
Nmap scan report for 192.168.216.10
Host is up (0.00064s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
MAC Address: 00:0C:29:38:B3:A9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 319.56 seconds
msf >

The previous command will check whether the most common 1,000 ports for the UDP protocol on 192.168.56.102 are open or not.