The argument passed to the -b option is the host
you want to use as a proxy, in standard URL notation.
The format is: username:password@server:port.
Everything but server is optional. To determine what
servers are vulnerable to this attack, you can see my
article in Phrack 51. An updated version is available at
the nmap site, http://www.insecure.org/nmap.
-P0 Do not try to ping hosts at all before scanning
them. This allows the scanning of networks that do not
allow ICMP echo requests (or responses) through their
firewalls. Microsoft.com is an example of such a
network, and thus you should always use -P0 or -PT80
when port scanning microsoft.com.
-PT Use TCP ping to determine what hosts are up.
Instead of sending ICMP echo request packets and
waiting for a response, we spew out TCP ACK
packets.
-PS This option uses SYN (connection request) packets
instead of ACK packets for root users. Hosts that are
up should respond with an RST (or, rarely, a SYN|ACK).
686 Practical Hacking Techniques and Countermeasures
Chapter 3 (continued) | Tool: Ping | Syntax:
-PI This option uses a true ping (ICMP Echo Request)
packet. It finds hosts that are up and also looks for
subnet-directed broadcast addresses on your network.
These are IP addresses that are externally reachable
and translate to a broadcast of incoming IP packets to
a subnet of computers. These should be eliminated if
found as they allow for numerous denial-of-service
attacks (Smurf is the most common).
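The discovery probes described above (the -PT ACK ping, the -PS SYN ping, the -PI ICMP echo, and echo requests aimed at a subnet-directed broadcast address) seen from the defender's side, as an added example that is not from the book or from nmap: it labels constructed packet records and reports sources that sweep many hosts. The 192.0.2.0/24 monitored subnet, the packet tuple layout and the three-host threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample packets, not a real capture: (src, dst, proto, detail).
# For "icmp" detail is the message type; for "tcp" it is the set of flags.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.10", "icmp", "echo-request"),   # -PI style probe
    ("203.0.113.7", "192.0.2.255", "icmp", "echo-request"),  # aimed at the directed broadcast
    ("203.0.113.7", "192.0.2.11", "tcp", {"ACK"}),           # -PT style, no session behind it
    ("203.0.113.7", "192.0.2.12", "tcp", {"ACK"}),
    ("203.0.113.7", "192.0.2.13", "tcp", {"SYN"}),           # -PS style
    ("192.0.2.10", "203.0.113.7", "icmp", "echo-reply"),     # a reply, not a probe
    ("192.0.2.50", "192.0.2.60", "tcp", {"SYN"}),            # ordinary handshake ...
    ("192.0.2.60", "192.0.2.50", "tcp", {"SYN", "ACK"}),
    ("192.0.2.50", "192.0.2.60", "tcp", {"ACK"}),            # ... so this bare ACK is benign
]
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed monitored subnet


def classify_probes(packets, local_net):
    """Map src -> {probe label -> set of destinations} for packets that look like
    host-discovery probes. A bare ACK counts only when no SYN was seen between
    the two hosts earlier in the stream (a real session starts with SYN)."""
    seen_syn = set()
    probes = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, detail in packets:
        pair = frozenset((src, dst))
        label = None
        if proto == "icmp" and detail == "echo-request":
            if ipaddress.ip_address(dst) == local_net.broadcast_address:
                label = "icmp-echo-to-directed-broadcast"  # Smurf-style amplifier
            else:
                label = "icmp-echo"
        elif proto == "tcp":
            if "SYN" in detail:
                seen_syn.add(pair)
                if detail == {"SYN"}:
                    label = "tcp-syn"
            elif detail == {"ACK"} and pair not in seen_syn:
                label = "tcp-ack-no-session"
        if label:
            probes[src][label].add(dst)
    return probes


def sweeping_sources(probes, min_hosts=3):
    """Sources that probed at least min_hosts distinct destinations (a sweep)."""
    counts = {src: len(set().union(*by_label.values())) for src, by_label in probes.items()}
    return {src: n for src, n in counts.items() if n >= min_hosts}
```

Echo requests labelled as aimed at the directed broadcast are the ones the -PI description says should be eliminated, since they indicate an externally reachable amplifier.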