Enterprise Port Scanning Policy

1. Purpose of Port Scanning
For a computer on a network, every port is a potential communication channel and therefore also a potential intrusion channel. Scanning the ports of a target computer yields a great deal of information useful for discovering security weaknesses in the system. It lets the system's operators see exactly which services the system currently offers to the outside world, and so gives them a reference point for managing the network.

Technically, a port scan sends probe packets to the target host's TCP or UDP service ports and records how the host responds. Analysing the response tells you whether each port is open or closed, and from that which service or information the port provides.

Port scanning can also be used to monitor the local host itself, by capturing the inbound and outbound IP packets of the local host or server. It not only analyses the data received, but also helps the user discover inherent weaknesses of the target hosts; it does not, however, provide a step-by-step path into a system. In general, the purpose of a port scan is one or more of the following:

(1) Discover open ports: find the open TCP or UDP ports on the target system;

(2) Identify the host operating system: port scanning can use the "fingerprint" of the operating system's TCP/IP stack to infer the operating system or application version of the scanned host;

(3) Identify the software or service version: the software or service version can be identified by banner grabbing or by the fingerprint of the application;

(4) Discover vulnerable software versions: identify flawed software and service versions, which helps in launching attacks against those vulnerabilities.

Port scanning methods are mainly the classic (full-connect) scan and the so-called SYN (half-open) scan. In addition there are indirect (idle) scans and stealth scans. The TCP connect scan establishes a standard three-way TCP connection with the scanned host, so it is the most accurate method, with few misses and few false reports, but because every connection is fully completed it is easily detected and logged by the target host. The SYN scan establishes only a half-open connection with the target host (it sends a SYN, reads the SYN/ACK or RST that comes back, and tears the connection down with a RST before the handshake completes), so it is less likely to be logged by the target host, but it may miss open ports, and under poor network conditions the false-negative rate can be serious.

2. Quickly Installing nmap for Enterprise Port Scanning
nmap is a network exploration and security scanning program that system administrators and individuals can use to scan large networks and learn which hosts are up and what services they provide. Nmap supports many scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open) scan, FTP proxy (bounce attack), reverse-ident, ICMP, FIN, ACK, Xmas Tree and Null scans.

nmap also provides a number of advanced features, such as: operating system detection via TCP/IP stack fingerprinting, stealth scanning, dynamic delay and retransmission calculation, parallel scanning, host discovery by parallel ping sweeps, decoy scanning, port-filter evasion, direct RPC scanning (no portmapper required), fragmented-packet scanning, and flexible target and port specification.

The software's developers have put considerable effort into making nmap perform well when run without root privileges. Unfortunately, some kernel interfaces (such as raw sockets) can only be used as root, so SYN scans, OS detection and most of the other advanced techniques require it; only the TCP connect scan and version detection work unprivileged. Run nmap as root whenever the scan type calls for it.

A normal nmap run produces a list of the scanned host's ports. For each port nmap gives the port number, protocol, state and, where it can, the service name from the well-known-port table. The state of each port is one of: open, closed, filtered or unfiltered (with the combined states open|filtered and closed|filtered when the scan type cannot tell two of them apart).

The open state means that an application on the target host is accepting connections on this port (for TCP, via the accept() system call);

The closed state means that the port was reachable and answered (for TCP, with a RST), but no application is listening on it;

The filtered state indicates that a firewall, packet filter or other network security device is blocking the port, preventing nmap from determining whether it is open;

The unfiltered state means that the port is reachable and no firewall or packet filter is interfering with nmap's probes, but nmap cannot tell whether it is open or closed. Only the ACK scan classifies ports this way; a connect or SYN scan of the same port will resolve it to open or closed.
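The following is an added example, not code from the original page or from the nmap project: a minimal TCP connect() scanner in Python that implements the full-connect method described in section 1 and maps each probe's outcome onto the port states defined above (open, closed, filtered). The target, port list and timeout are assumptions chosen for illustration; the classification rules mirror how nmap treats a completed handshake, a RST and a dropped or ICMP-rejected probe.

```python
"""
TCP connect() scan: one probe per port, the port's state inferred from how the
target's TCP stack answers. Added example; not nmap's own code.
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for a single TCP port.

    open     - the three-way handshake completed: something is accept()ing.
    closed   - the host answered with RST (ECONNREFUSED): reachable, nothing listening.
    filtered - no answer within the timeout, or an ICMP unreachable error: a
               firewall or packet filter is dropping or rejecting the probe.
               nmap classifies these outcomes the same way.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as e:
            # Host/network unreachable (ICMP) also means a filter is in the way.
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT):
                return "filtered"
            raise
        return "open"


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Scan `ports` in parallel and return {port: state}.

    Completing the handshake is what makes this scan accurate, and also what
    makes it noisy: every open port sees a full connection and can log it.
    A SYN scan avoids that by answering the SYN/ACK with a RST, but it needs
    raw sockets and therefore root, which this unprivileged scanner does not.
    """
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def summarize(results):
    """Group a scan result the way nmap prints it: open ports listed, the rest counted."""
    open_ports = sorted(p for p, s in results.items() if s == "open")
    not_shown = {}
    for s in results.values():
        if s != "open":
            not_shown[s] = not_shown.get(s, 0) + 1
    return open_ports, not_shown


if __name__ == "__main__":
    import sys
    # Assumed defaults: the local host and the well-known port range.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = connect_scan(target, range(1, 1025))
    open_ports, not_shown = summarize(results)
    print("Not shown: " + ", ".join(f"{n} {s} ports" for s, n in not_shown.items()))
    print("PORT      STATE")
    for p in open_ports:
        print(f"{p}/tcp".ljust(10) + "open")
```

Because the scanner completes every handshake, each open port on the target sees a real connection from the scanning host, which is exactly why the text above calls this method accurate but easy to log.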

Depending on the options used, nmap can also report other characteristics of the remote host: the operating system in use, the predictability of its TCP sequence numbers, the user name that owns the application bound to each port (via ident), its DNS name, whether the host address is a smurf (broadcast amplifier) address, and various other things.

Before use, download the source package of the software to install it. Taking the version the author downloaded as an example, nmap-5.00.tgz, run the following installation commands (only the final make install needs root; unpacking, configuring and building can be done as an ordinary user):

●(1) Unpack the package

#tar -xzvf nmap-5.00.tgz

●(2) Switch to the source directory

#cd nmap-5.00

●(3) Use the configure script to generate the Makefile

#./configure

●(4) Compile the source code

#make

●(5) Install the program and related modules

#make install

3. Four Steps to Determine the Enterprise Network's Open Ports with nmap
(1) Scan implementation, step 1: discover active hosts

Use nmap to scan the entire network for targets and determine which of them are connected. This is a ping sweep, requested with the "-sP" option (called "-sn" in current nmap releases). By default nmap sends an ICMP echo request and a TCP ACK packet to each scanned host, and any host that answers either probe is reported as up; on a directly attached Ethernet segment nmap uses ARP requests instead, which is faster and more reliable. The sweep is very fast and can cover a whole network in a short time. The command is used as follows:

[root@localhost ~]# nmap -sP 10.1.4.0/24

Nmap finished: 256 IP addresses (125 hosts up) scanned in 7.852 seconds

This scan shows that 125 hosts on the company's network are active. The next step is to scan those hosts in more detail to find out which ports are open on them.

(2) Scan implementation, step 2: port scan

Normally, once the nmap user has determined which hosts on the network are up, the next step is a port scan. The port scan here uses the -sT (TCP connect) option, the most reliable scan type and the one that does not require root, at the cost of every completed connection being visible in the target's logs. The results look like this:

[root@localhost ~]# nmap -v -sT 10.1.4.0/24

Host 10.1.4.11 appears to be up ... good.

Interesting ports on 10.1.4.11:

Not shown: 1673 closed ports

PORT STATE SERVICE

80/tcp open http

MAC Address: 00:1E:65:F0:78:CA (Unknown)

It is clear from the output that the port scan performs a full scan of the active TCP ports of each host on the network. Because there are so many hosts (125), only the TCP ports of two of them, 10.1.4.1 and 10.1.4.11, are discussed here, and only the excerpt for 10.1.4.11 is reproduced above. The host 10.1.4.1 has a large number of open ports and offers a rich set of network services, and judging from the form of its IP address it is most likely the gateway (a gateway's IP address is usually set to the .1 address of the subnet), so we single out that host for the subsequent scans.
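With 125 hosts up, reading the -sT output by hand does not scale. The following added example (not code from the original page or from nmap) parses nmap's normal-output format, as shown in the excerpt above, into a per-host table and applies the two heuristics used in this step to pick the host worth locking onto: the subnet's .1 address and the host with the most open services. The sample output is constructed for the example; the addresses 10.1.4.1 and 10.1.4.27, the port lists and the first MAC address are assumptions, and only the 10.1.4.11 entry reproduces what the page shows.

```python
"""
Parse nmap's normal output for a -sT sweep and shortlist gateway-like hosts.
Added example with constructed sample output; not nmap's own code.
"""
import ipaddress
import re

# Constructed sample modelled on the page's excerpt. Only the 10.1.4.11 block is
# taken from the page; the other hosts, ports and the first MAC are made up.
SAMPLE_OUTPUT = """\
Host 10.1.4.1 appears to be up ... good.
Interesting ports on 10.1.4.1:
Not shown: 1669 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
8080/tcp filtered http-proxy
MAC Address: 00:11:22:33:44:55 (Unknown)

Host 10.1.4.11 appears to be up ... good.
Interesting ports on 10.1.4.11:
Not shown: 1673 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:1E:65:F0:78:CA (Unknown)

Host 10.1.4.27 appears to be up ... good.
All 1674 scanned ports on 10.1.4.27 are closed
MAC Address: 00:AA:BB:CC:DD:EE (Unknown)
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
ALL_RE = re.compile(r"^All \d+ scanned ports on (\S+) are \w+")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})")


def parse_nmap_output(text):
    """Return {ip: {"ports": [(port, proto, state, service), ...], "mac": str|None}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line) or ALL_RE.match(line)
        if m:
            # A new host block starts; hosts with every port closed still get an entry.
            current = hosts.setdefault(m.group(1), {"ports": [], "mac": None})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group(1)
    return hosts


def open_ports(host):
    """Sorted list of port numbers nmap reported as open for one host."""
    return sorted(p for p, _, state, _ in host["ports"] if state == "open")


def gateway_candidates(hosts, network):
    """Shortlist hosts to scan next: the subnet's .1 address (the usual gateway
    address) and whichever host exposes the most open services."""
    first = str(next(ipaddress.ip_network(network).hosts()))
    counts = {ip: len(open_ports(h)) for ip, h in hosts.items()}
    busiest = max(counts.values(), default=0)
    picks = {ip for ip, n in counts.items() if n == busiest and n > 0}
    if first in hosts:
        picks.add(first)
    return sorted(picks, key=ipaddress.ip_address)


if __name__ == "__main__":
    hosts = parse_nmap_output(SAMPLE_OUTPUT)
    for ip, h in hosts.items():
        print(f"{ip}: open={open_ports(h)} mac={h['mac']}")
    print("scan next:", gateway_candidates(hosts, "10.1.4.0/24"))
```

In practice you would feed the function the saved output of `nmap -v -sT 10.1.4.0/24` (for example via `-oN`) rather than the embedded sample; the regular expressions match the "Interesting ports on", "All N scanned ports on", port table and "MAC Address:" lines exactly as nmap 5 prints them.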
