Does the nmap mtu scan really send packets of the mtu size?

0

Since nmap is a well-known security tool, I guess this is the right section.

I have read about nmap techniques here as part of my network security program...

I ran 2 scans... one against port 1337, which is closed, and the other against port 4444, which is open.

When I try the nmap mtu scan and capture the packets with Wireshark, I don't see the mtu size (32) that I set in nmap.

    user@linux:~$ sudo nmap --mtu 32 192.168.10.12 -p 1337

    Nmap scan report for 192.168.10.12
    Host is up (0.0023s latency).
    PORT     STATE  SERVICE
    1337/tcp closed waste
    MAC Address: AA:AA:AA:AA:AA:12 (Unknown)

    Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds
    user@linux:~$

The only value I see is Total Length: 44

  1. Any idea why I didn't see mtu size 32 in Wireshark?

  2. Is this the right place to check the mtu size in Wireshark (IPv4 > Total Length)?

    
asked by Sabrina 10.04.2018 - 08:57

1 answer

1

If your idea is to fragment the packets, I think you need to use the -f parameter, according to their help

       -f (fragment packets); --mtu (using the specified MTU)
       The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to
       make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have
       trouble handling these tiny packets. The old-school sniffer named Sniffit segmentation faulted immediately upon receiving the first fragment. Specify this option
       once, and Nmap splits the packets into eight bytes or less after the IP header. So a 20-byte TCP header would be split into three packets. Two with eight bytes of
       the TCP header, and one with the final four. Of course each fragment also has an IP header. Specify -f again to use 16 bytes per fragment (reducing the number of
       fragments). Or you can specify your own offset size with the --mtu option. Don't also specify -f if you use --mtu. The offset must be a multiple of eight. While
       fragmented packets won't get by packet filters and firewalls that queue all IP fragments, such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, some
       networks can't afford the performance hit this causes and thus leave it disabled. Others can't enable this because fragments may take different routes into their
       networks. Some source systems defragment outgoing packets in the kernel. Linux with the iptables connection tracking module is one such example. Do a scan while
       a sniffer such as Wireshark is running to ensure that sent packets are fragmented. If your host OS is causing problems, try the --send-eth option to bypass
       the IP layer and send raw ethernet frames.

       Fragmentation is only supported for Nmap's raw packet features, which includes TCP and UDP port scans (except connect scan and FTP bounce scan) and OS detection.
       Features such as version detection and the Nmap Scripting Engine generally don't support fragmentation because they rely on your host's TCP stack to communicate
       with target services.

On the other hand, it would be very useful to upload the pcap file; note that you may have set a filter that could hide the fragmented packets

    
answered 10.04.2018 - 09:28
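As an added example (not part of the original question or answer, and not Nmap's own code), the sketch below works out which IPv4 packets a capture should show for a given per-fragment size, following the arithmetic in the quoted man page text. It assumes the `--mtu` value counts the bytes carried after the IP header in each fragment and that the IP header is 20 bytes with no options; the function names are hypothetical.

```python
# Added example: expected IPv4 fragment layout for a per-fragment payload size.
IP_HEADER_LEN = 20  # assumption: IPv4 header without options


def fragment_layout(total_length, frag_payload, ip_header_len=IP_HEADER_LEN):
    """Return (offset_bytes, ip_total_length, more_fragments) for each packet
    expected on the wire when an unfragmented packet of `total_length` bytes
    is split into pieces carrying at most `frag_payload` bytes after the header."""
    if frag_payload <= 0 or frag_payload % 8 != 0:
        # Fragment offsets are expressed in units of 8 bytes.
        raise ValueError("fragment payload size must be a positive multiple of 8")
    payload_len = total_length - ip_header_len
    if payload_len < 0:
        raise ValueError("total length is smaller than the IP header")
    if payload_len <= frag_payload:
        # Everything after the IP header fits in one piece: a single packet.
        return [(0, total_length, False)]
    layout = []
    offset = 0
    while offset < payload_len:
        chunk = min(frag_payload, payload_len - offset)
        more = offset + chunk < payload_len  # MF flag set on all but the last
        layout.append((offset, ip_header_len + chunk, more))
        offset += chunk
    return layout


def describe(total_length, frag_payload):
    """Format the layout the way the fields read in a Wireshark IPv4 dissection."""
    return [
        f"offset={off} total_length={length} MF={int(more)}"
        for off, length, more in fragment_layout(total_length, frag_payload)
    ]


if __name__ == "__main__":
    # 44 is the Total Length reported in the question; 40 is the man page's
    # 20-byte TCP header example plus a 20-byte IP header.
    for total, size in ((44, 32), (44, 16), (44, 8), (40, 8)):
        print(f"total_length={total}, {size} bytes per fragment:")
        for line in describe(total, size):
            print("   ", line)
```

Under these assumptions, a packet with Total Length 44 carries only 24 bytes after the IP header, so a 32-byte fragment size leaves it as a single packet, while 16 or 8 bytes per fragment would show up in the capture as several packets with the More Fragments flag and non-zero fragment offsets.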
