This post discusses using NetFlow to detect and analyse network port scanning.

1. Port scanning experiment

Two local virtual machines are used:

  • metasploitable (meta) as the target
  • kali to scan the target's network ports

1.1 Experiment setup

First create an isolated network for the two VMs.

In VMware, create a new virtual switch, VMnet7, and set it to Host-only, i.e. a private network. Then set the Network Adapter of both VMs to VMnet7. This gives the two VMs an isolated network: they can talk to each other but cannot reach the outside network. (The host machine itself keeps a virtual adapter on VMnet7, so the isolation is from other networks, not from the host.) See the figure below:

Fig.1 vmnet7 config

Kali's network settings:

Fig.2 Kali network config

meta's network settings:

Fig.3 metasploitable network config

Confirm that the two VMs can reach each other:

Fig.4 confirm private network

1.2 Scanning the target's ports

Kali scans the target's ports with Nmap. Some commonly used options (descriptions taken from the Nmap reference guide):

-sS (TCP SYN scan)

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.
This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The scanning host answers a SYN/ACK with a RST rather than an ACK, so the handshake is never completed. Because -sS crafts raw packets, it needs root privileges.

-sV (Version detection)

Enables version detection: Nmap probes the open ports it found to determine which service and version is listening. Alternatively, you can use -A, which enables version detection among other things.

-p port ranges (Only scan specified ports)

For example, -p1-1024 scans ports 1 through 1024, and -p- scans ports 1 through 65535.

Run nmap -p1-1024 -sS 192.168.229.129 (TCP SYN scan) from Kali to scan ports 1 to 1024 of the target, while Wireshark records the packets exchanged between the two machines.

The scan result:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-10 21:20 EDT
Nmap scan report for 192.168.229.129
Host is up (0.0046s latency).
Not shown: 1012 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
512/tcp open  exec
513/tcp open  login
514/tcp open  shell
MAC Address: 00:0C:29:D0:0D:DE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds

At the same time, Wireshark recorded the packets exchanged between Kali and meta; more than 98% of them are TCP, as shown below:

Fig.5 wireshark capture