Difference between -sn and -sL in Nmap?

2

Here, as the man page says, "-sn: Ping Scan - disable port scan" and "-sL: List Scan - simply list targets to scan".

I tried this:

    ➜  ~ sudo nmap -sn scanme.nmap.org 
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-24 17:35 CST
    Cannot find nmap-payloads. UDP payloads are disabled.
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Host is up (0.20s latency).
    Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

    ➜  ~ sudo nmap -sL scanme.nmap.org
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-24 17:36 CST
    Nmap scan report for scanme.nmap.org (45.33.32.156)
    Nmap done: 1 IP address (0 hosts up) scanned in 0.02 seconds

Question: why can -sn find a host that is up, but -sL cannot?

    
by Albert Zhang 24.06.2018 / 11:39

2 answers

3

When using only -sL, no packet is sent to the target host (so nmap cannot tell whether the host is up or not); it only performs a hostname lookup.

From the manual:

-sL (List Scan)

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago firewall.

Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network.

Since the idea is to simply print a list of target hosts, options for higher level functionality such as port scanning, OS detection, or ping scanning cannot be combined with this. If you wish to disable ping scanning while still performing such higher level functionality, read up on the -Pn (skip ping) option.

    
by 24.06.2018 / 11:49
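As an added example (not part of the answer above, and not code from the Nmap project), the following Python reproduces what a list scan actually does: expand the target spec into addresses, reverse-resolve each one, and report them all as "0 hosts up", because no probe ever reaches a target. It also implements the sanity check the manual recommends, flagging PTR names outside the domains you expect to be scanning. The 192.0.2.0/30 range and the PTR table are constructed so the example runs offline; `system_resolver` is the hook you would use for a real lookup, and the function and variable names are this example's own.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# A reverse-DNS resolver maps an IP string to its PTR name, or None when there is no record.
# None as the resolver itself means "do not resolve at all" (like `nmap -sL -n`).
Resolver = Optional[Callable[[str], Optional[str]]]


def system_resolver(ip: str) -> Optional[str]:
    """Reverse lookup through the OS resolver. This is the only traffic a list scan
    generates, and it goes to your DNS server, never to the target."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def expand_targets(spec: str) -> List[str]:
    """Expand one target (single IP or CIDR block) into the addresses Nmap would list.
    Nmap includes the network and broadcast addresses of a block, so we iterate over all of them."""
    net = ipaddress.ip_network(spec, strict=False)
    return [str(addr) for addr in net]


def list_scan(specs: Sequence[str], resolver: Resolver = system_resolver) -> List[Tuple[str, Optional[str]]]:
    """Equivalent of `nmap -sL`: enumerate every target and reverse-resolve it.
    Nothing is ever sent to the targets, so nothing can be learned about whether they are up."""
    results: List[Tuple[str, Optional[str]]] = []
    for spec in specs:
        for ip in expand_targets(spec):
            results.append((ip, resolver(ip) if resolver else None))
    return results


def unexpected_hosts(results: Sequence[Tuple[str, Optional[str]]],
                     expected_domains: Sequence[str]) -> List[Tuple[str, str]]:
    """The sanity check the manual recommends: flag PTR names outside the domains you
    expect, so a mistyped range is caught before any probe reaches the wrong network."""
    def in_domain(name: str, domain: str) -> bool:
        name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
        return name == domain or name.endswith("." + domain)

    return [(ip, name) for ip, name in results
            if name is not None and not any(in_domain(name, d) for d in expected_domains)]


def format_report(results: Sequence[Tuple[str, Optional[str]]]) -> str:
    """Render the results in the shape of Nmap's own -sL output (always 0 hosts up)."""
    lines = [f"Nmap scan report for {name} ({ip})" if name else f"Nmap scan report for {ip}"
             for ip, name in results]
    n = len(results)
    lines.append(f"Nmap done: {n} IP address{'es' if n != 1 else ''} (0 hosts up)")
    return "\n".join(lines)


# Constructed PTR table (documentation range, not real records) so the example runs offline.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.1": "gw.example.net",
    "192.0.2.2": "fw.chi.other-corp.example",
}


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    results = list_scan(["192.0.2.0/30"], fake_resolver)
    print(format_report(results))
    for ip, name in unexpected_hosts(results, ["example.net"]):
        print(f"WARNING: {ip} resolves to {name}, outside the expected domain")
```

To confirm the behaviour on a real run, keep a capture filtered on the target address open (for example `tcpdump -n host 45.33.32.156`) while running `nmap -sL` and then `nmap -sn`: the capture stays empty for the list scan and shows the host-discovery probes for the ping scan. Adding `-n` to `-sL` suppresses the reverse-DNS queries as well, leaving no traffic of any kind.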
0

If you capture all packets on the network (perhaps with wireshark (install it from your distro's repository)) and run both nmap -sn and nmap -sL, you will notice that the former resolves each IP number (in order) in the given range using ARP resolution (level 2), and the latter performs DNS lookups.

There is also a longer description in the manual (man nmap):

-sn (No port scan)
This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a "ping scan", but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes.

-sL (List Scan)
The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts.

"Not sending any packets to the target" applies at layer 3 (a.k.a. the network layer), but not at layer 2 (a.k.a. the data link layer).

    
by 10.07.2018 / 23:48
