Key points of this chapter
This chapter introduces timing. The techniques in this chapter are for reference only; readers must not use them for illegal purposes and should follow the relevant ethical standards. After studying this chapter you will be able to optimize scans of large networks and even evade firewall/IDS (intrusion detection system) protection.
Options in this chapter
Table 5.1 lists the Nmap options used in this chapter; the author has compiled them here for easy reference.
Table 5.1 Options needed for this chapter

| Option | Description |
|---|---|
| --min-hostgroup | Adjust the size of the parallel scan group |
| --min-parallelism | Adjust probe parallelism |
| --min-rtt-timeout | Adjust the probe timeout |
| --host-timeout | Give up on slow target hosts |
| --scan-delay | Adjust the interval between probes |
Nmap provides many configurable timing options. With them we can speed up or slow down a scan, delay or schedule it, and when scanning a large network we can accelerate the scan to get results as quickly as possible. Nmap's timing options are more often used to evade firewalls/IDS (intrusion detection systems); a later chapter is devoted to firewall/IDS evasion, so this chapter does not go into it.
Table 5.2 lists the Nmap options used in this chapter; the option in bold is the one this section covers: adjusting the size of the parallel scan group.
Table 5.2 Options needed for this section

| Option | Description |
|---|---|
| **--min-hostgroup** | Adjust the size of the parallel scan group |
| --min-parallelism | Adjust probe parallelism |
| --min-rtt-timeout | Adjust the probe timeout |
| --host-timeout | Give up on slow target hosts |
| --scan-delay | Adjust the interval between probes |
There are two options for adjusting the size of the parallel scan group: --min-hostgroup and --max-hostgroup. By default Nmap starts by scanning small groups, with a minimum of 5, so that it produces the first results you want in the shortest time, and then gradually grows the group size up to a maximum of 1024. For efficiency, Nmap also uses larger groups for UDP scans or TCP scans of only a few ports.
--max-hostgroup specifies the largest group Nmap will use; Nmap never exceeds this size. --min-hostgroup specifies the smallest group; Nmap keeps the group size at or above this value.
root@Wing:~# nmap --min-hostgroup 30 192.168.126.1/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 12:18 CST
Nmap scan report for 192.168.126.1
Host is up (0.00078s latency).
All 1000 scanned ports on 192.168.126.1 are filtered
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.126.2
Host is up (0.00036s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:F1:06:20 (VMware)
Nmap scan report for 192.168.126.131
Host is up (0.00042s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap scan report for 192.168.126.254
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.126.254 are filtered
MAC Address: 00:50:56:F6:8D:B2 (VMware)
Nmap scan report for 192.168.126.130
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.126.130 are closed
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.99 seconds
root@Wing:~#
root@Wing:~# nmap --max-hostgroup 10 192.168.126.1/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 12:20 CST
Nmap scan report for 192.168.126.1
Host is up (0.00016s latency).
All 1000 scanned ports on 192.168.126.1 are filtered
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.126.2
Host is up (0.00040s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:F1:06:20 (VMware)
Nmap scan report for 192.168.126.131
Host is up (0.00049s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap scan report for 192.168.126.254
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.126.254 are filtered
MAC Address: 00:50:56:F6:8D:B2 (VMware)
Nmap scan report for 192.168.126.130
Host is up (0.0000070s latency).
All 1000 scanned ports on 192.168.126.130 are closed
Nmap done: 256 IP addresses (5 hosts up) scanned in 8.06 seconds
root@Wing:~#
Table 5.3 lists the Nmap options used in this chapter; the option in bold is the one this section covers: adjusting probe parallelism.
Table 5.3 Options needed for this section

| Option | Description |
|---|---|
| --min-hostgroup | Adjust the size of the parallel scan group |
| **--min-parallelism** | Adjust probe parallelism |
| --min-rtt-timeout | Adjust the probe timeout |
| --host-timeout | Give up on slow target hosts |
| --scan-delay | Adjust the interval between probes |
There are two options for adjusting probe parallelism: --min-parallelism and --max-parallelism. Setting --min-parallelism above 1 can make scanning work better when the network or the host is in poor condition, but it can affect the accuracy of the results. --max-parallelism should be set to 1 if you want to prevent Nmap from sending more than one probe to the same host at the same time.
root@Wing:~# nmap --min-parallelism 100 192.168.126.1/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 12:52 CST
Nmap scan report for 192.168.126.1
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.126.1 are filtered
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.126.2
Host is up (0.00028s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:F1:06:20 (VMware)
Nmap scan report for 192.168.126.131
Host is up (0.00025s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap scan report for 192.168.126.254
Host is up (0.00017s latency).
All 1000 scanned ports on 192.168.126.254 are filtered
MAC Address: 00:50:56:F6:8D:B2 (VMware)
Nmap scan report for 192.168.126.130
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.126.130 are closed
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.35 seconds
root@Wing:~#
root@Wing:~# nmap --max-parallelism 100 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 13:20 CST
Nmap scan report for 192.168.126.131
Host is up (0.00023s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
root@Wing:~#
Table 5.4 lists the Nmap options used in this chapter; the option in bold is the one this section covers: adjusting the probe timeout.
Table 5.4 Options needed for this section

| Option | Description |
|---|---|
| --min-hostgroup | Adjust the size of the parallel scan group |
| --min-parallelism | Adjust probe parallelism |
| **--min-rtt-timeout** | Adjust the probe timeout |
| --host-timeout | Give up on slow target hosts |
| --scan-delay | Adjust the interval between probes |

The probe timeout options are --min-rtt-timeout, --max-rtt-timeout and --initial-rtt-timeout, all specified in milliseconds. They are very effective against hosts that are strictly filtered or that cannot be pinged, and can save most of the scan time. When using them, take care not to set the value too low; otherwise the scan time increases instead.
When using --max-rtt-timeout, 100 milliseconds is a suitable value. In general, the rtt value should not be less than 100 milliseconds, and preferably should not exceed 1000 milliseconds.
root@Wing:~# nmap --initial-rtt-timeout 1000ms 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 13:30 CST
Nmap scan report for 192.168.126.131
Host is up (0.00030s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
root@Wing:~#
When using these options, remember to add the millisecond unit ms; otherwise Nmap will not run successfully.
root@Wing:~# nmap --max-rtt-timeout 500ms 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 13:33 CST
Nmap scan report for 192.168.126.131
Host is up (0.00028s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
root@Wing:~#
root@Wing:~# nmap --min-rtt-timeout 500ms 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 13:35 CST
Nmap scan report for 192.168.126.131
Host is up (0.00026s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
root@Wing:~#
Table 5.5 lists the Nmap options used in this chapter; the option in bold is the one this section covers: giving up on slow target hosts.
Table 5.5 Options needed for this section

| Option | Description |
|---|---|
| --min-hostgroup | Adjust the size of the parallel scan group |
| --min-parallelism | Adjust probe parallelism |
| --min-rtt-timeout | Adjust the probe timeout |
| **--host-timeout** | Give up on slow target hosts |
| --scan-delay | Adjust the interval between probes |

The --host-timeout option lets you give up on slow target hosts. When scanning a large number of hosts, the scan may become very slow because of bandwidth, host performance and other factors. Provided those hosts are not important, this option can be used to skip slow-responding hosts and speed up the scan.
The unit of --host-timeout is milliseconds. We usually set it to 1800000 milliseconds, which ensures that Nmap spends no more than half an hour on any single host. Of course, Nmap does not scan only that one host during that half hour; other hosts are scanned at the same time.
root@Wing:~# nmap --host-timeout 100ms 192.168.126.1/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 13:42 CST
Nmap scan report for 192.168.126.1
Host is up (0.00089s latency).
Skipping host 192.168.126.1 due to host timeout
Nmap scan report for 192.168.126.2
Host is up (0.00041s latency).
Skipping host 192.168.126.2 due to host timeout
Nmap scan report for 192.168.126.130
Host is up (0.0000060s latency).
All 1000 scanned ports on 192.168.126.130 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.36 seconds
root@Wing:~#
When a very small timeout is specified, we find that Nmap is forced to stop before it has had time to scan most of the hosts, so setting a reasonable value is critical.
root@Wing:~# nmap --host-timeout 1000ms 192.168.126.1/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 13:42 CST
Nmap scan report for 192.168.126.1
Host is up (0.00060s latency).
Skipping host 192.168.126.1 due to host timeout
Nmap scan report for 192.168.126.2
Host is up (0.00026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:F1:06:20 (VMware)
Nmap scan report for 192.168.126.131
Host is up (0.00031s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap scan report for 192.168.126.130
Host is up (0.0000070s latency).
All 1000 scanned ports on 192.168.126.130 are closed
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.29 seconds
root@Wing:~#
There is no single correct value for this timeout; it depends on the current network conditions and many other factors.
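A host that hits --host-timeout simply drops out of the results, so it is worth extracting the skipped hosts and rescanning them with a larger timeout. The following shell script is an added example, not code from the book: it parses Nmap's normal output (a sample constructed to mirror the 100ms run above), lists the skipped and completed hosts, and builds the follow-up command; the function names and the IPv4-only assumption are mine.

```shell
#!/bin/sh
# Added example, not from the book: post-process the normal output of a
# --host-timeout scan to list the hosts Nmap gave up on, so they can be
# rescanned with a larger timeout instead of silently dropping out of the
# results. Assumes IPv4 targets; the sample output is constructed to
# mirror the 100ms run shown in the chapter.

SAMPLE_OUTPUT='Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 13:42 CST
Nmap scan report for 192.168.126.1
Host is up (0.00089s latency).
Skipping host 192.168.126.1 due to host timeout
Nmap scan report for 192.168.126.2
Host is up (0.00041s latency).
Skipping host 192.168.126.2 due to host timeout
Nmap scan report for 192.168.126.130
Host is up (0.0000060s latency).
All 1000 scanned ports on 192.168.126.130 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.36 seconds'

IPV4='[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+'

# Hosts that hit --host-timeout, one address per line, in scan order. The
# address is taken by regex so the line parses with or without a rDNS name.
skipped_hosts() {
    awk -v re="$IPV4" '/^Skipping host .* due to host timeout$/ && match($0, re) {
        print substr($0, RSTART, RLENGTH)
    }'
}

# Hosts that were reported and not skipped, i.e. fully scanned.
completed_hosts() {
    awk -v re="$IPV4" '
        /^Nmap scan report for / && match($0, re) { order[++n] = substr($0, RSTART, RLENGTH) }
        /^Skipping host / && match($0, re) { skipped[substr($0, RSTART, RLENGTH)] = 1 }
        END { for (i = 1; i <= n; i++) if (!(order[i] in skipped)) print order[i] }'
}

# Build (but do not run) the follow-up command for the skipped hosts, with
# the timeout given as $1. Returns 1 when nothing was skipped.
rescan_command() {
    targets=$(skipped_hosts | tr '\n' ' ')
    targets=${targets% }
    [ -n "$targets" ] || return 1
    printf 'nmap --host-timeout %s %s\n' "$1" "$targets"
}

printf '%s\n' "$SAMPLE_OUTPUT" | rescan_command 1800000ms
```

Pipe a real scan's output (or `nmap -oN` file) into `rescan_command` instead of the sample to get the command for your own skipped hosts.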
Table 5.6 lists the Nmap options used in this chapter; the option in bold is the one this section covers: adjusting the interval between probes.
Table 5.6 Options needed for this section

| Option | Description |
|---|---|
| --min-hostgroup | Adjust the size of the parallel scan group |
| --min-parallelism | Adjust probe parallelism |
| --min-rtt-timeout | Adjust the probe timeout |
| --host-timeout | Give up on slow target hosts |
| **--scan-delay** | Adjust the interval between probes |
The --scan-delay and --max-scan-delay options adjust the interval between probes. They control how long Nmap waits between the probes it sends to one or more hosts, in milliseconds. Nmap often sends many unnecessary packets, which slows it down; these options can be used when bandwidth is limited, but they prevent Nmap from reaching its full performance, so use them with care.
root@Wing:~# nmap --scan-delay 1s 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 13:48 CST
Nmap scan report for 192.168.126.131
Host is up (0.00030s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 122.17 seconds
root@Wing:~#
root@Wing:~# nmap --max-scan-delay 30s 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 14:00 CST
Nmap scan report for 192.168.126.131
Host is up (0.00022s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
root@Wing:~#