[译]nmap绕过防火墙

原文地址：http://resources.infosecinstitute.com/nmap-evade-firewall-scripting/
TCP ACK Scan (-sA)
发送ACK数据报比发送SYN数据包更好，因为如果远端主机存在主动防火墙，那么由于防火墙对于ACK数据报不产生log，因为防火墙把ACK数据包当成SYN数据包的应答。TCP ACK扫描要求攻击者有root权限，它对stateless类型的防火墙和IDS很有效果。ACK扫描与其他扫描技术不同，因为它本意不是用来发现open端口的，而是用来判断防火墙类型的。
Firewall Enabled
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:30 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00077s latency).
All 1000 scanned ports on 192.168.1.9 are filtered

Firewall Disabled
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:31 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.1.9 are unfiltered
所以它很容易用来发现目标是否有防火墙，而且ACK扫描被发现的风险较低但是发现是否存在防火墙的几率比较大。
TCP Window Scan (-sW)
类似于ACK扫描但是有一点不同，TCP Windows扫描用于发现open/closed端口而不是发现是否被过滤的状态。它也需要root权限。
Firewall Enabled
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:50 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.1.9 are filtered

Firewall Disabled
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:51 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.1.9 are closed
这种扫描不与目标之间创建session，所以受害者机器不会记录log。
Fragment Packets (-f)
改技术把请求分成小段发送，所以叫做分片技术，使用-ff如果你想进一步分片
Firewall Enabled
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:21 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00056s latency).
Not shown: 998 filtered ports

PORT STATE SERVICE

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)

Firewall enabled + all ports are closed
# nmap -ff 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:24 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00083s latency).
All 1000 scanned ports on 192.168.1.9 are filtered

MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)

Firewall Disabled
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:20 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00057s latency).
Not shown: 997 closed ports

PORT STATE SERVICE

135/tcp open msrpc

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)

Spoof MAC Address
有一种很简单的技术伪装你的MaC地址，nmap可以为每次扫描随机选择一个MAC地址，另一个选项是手动指定MAC地址(这样做攻击者可以伪装成同一网段内的一台电脑)，nmap含有一个nmap-mac-prefixe数据库，当给定一个生产厂商的名字时，它查找数据库来找一个合适的名字。
# nmap –spoof-mac Cisco 192.168.1.3
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 17:18 PKT
Spoofing MAC address 00:00:0C:6D:3F:26 (Cisco Systems)
Nmap scan report for 192.168.1.3
Host is up (0.00036s latency).

Not shown: 996 filtered ports

PORT STATE SERVICE

23/tcp closed telnet

80/tcp closed http

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)

nmap脚本
1. smb-check-vulns
MS08-067 Windows vulnerability that can be exploited
Conficker malware on the target machine
Denial of service vulnerability of Windows 2000
MS06-025 Windows vulnerability
MS07-029 Windows vulnerability


2. Http-enum
如果想枚举web服务器来寻找web服务器的目录，这个脚本是最适合的。Http-enum同样可以发现开放端口以及每个端口的软件版本
root@bt:~# nmap -sV –script=http-enum 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 18:47 PKT

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000036s latency).

Not shown: 997 closed ports

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.14 ((Ubuntu))

| http-enum:

| /login.php: Possible admin folder

| /login/: Login page

| /login.php: Login page

| /logs/: Logs


3. samba-vuln-cve-2012-1182
用于发现samba CVE-2012-1182栈溢出漏洞
nmap –script=samba-vuln-cve-2012-1182 -p 139 target

nmap –script=samba-vuln-cve-2012-1182 -p 139 192.168.1.3

4. smtp-strangeport
用于发现smtp服务是否运行在标准端口
nmap -sV –script=smtp-strangeport target

5. http-php-version
用于获得http版本
nmap -sV –script=http-php-version target
另外还有
http-wordpress-plugins
http-wordpress-enum
http-wordpress-brute

6. dns-blacklist
用于发现黑名单IP，你所需要提供的是一个IP以及用于检查反垃圾邮件和代理黑名单的脚本
# nmap -sn 67.213.218.72 –script dns-blacklist
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-28 23:54 PKT
Nmap scan report for 67.213.218.72
Host is up (0.24s latency).
Host script results:

| dns-blacklist:

| PROXY

| dnsbl.tornevall.org – PROXY

| IP marked as “abusive host”

| Proxy is working

|_ Proxy has been scanned