nmap
Part 1

Contents
1 Intro
1.1 What is nmap?
1.2 A small trick
1.3 Port states
2 The different options
2.1 [-sS] SYN scan
2.2 [-v] Verbose mode
2.3 Scanning a range of hosts
2.4 [-iL file] Read the host list from a text file
2.5 [-A] OS and software version detection
2.6 [-sA] Check whether a host is protected by a firewall
2.7 [-sP] Check which hosts are up
2.8 [-F] Fast scan
2.9 [--reason] Find out why a port is in a given state
2.10 [--iflist] Show the local host's interfaces and routes
2.11 [-p] Scanning specific ports
3 Sources
1 Intro

1.1 What is nmap?

nmap: Network Mapper.
An open source tool for exploring a network and auditing the security of its hosts. With it we can find out:
• which hosts are up on the local network
• which operating system a remote host runs
• which ports a host has open

That in turn lets us:
• spot a machine whose unexpected listening ports suggest a malware infection (a backdoor or bot waiting for connections)
• look for unauthorised servers on the network
• find hosts that do not meet the organisation's minimum security baseline
1.2 A small trick

While nmap is running it prints nothing by default. Press Enter (as many times as you like) and it prints the percentage of work done and the estimated time to completion:
...
SYN Stealth Scan Timing: About 19.20% done; ETC: 22:39 (0:00:25 remaining)
...
1.3 Port states

From the remote machine's point of view:
◦ Reachable
  ▪ Nothing in between (filters, ...) prevents the two ends from talking to each other.
  ▪ We will learn whether the port is open or closed.
◦ Not reachable
  ▪ Any other case.
  ▪ Open UDP ports look unreachable: a UDP service usually sends nothing back to an empty probe, so silence is indistinguishable from a dropped packet.

From nmap's point of view:
◦ Open
  ▪ An application is listening.
◦ Closed
  ▪ Reachable, but no application is listening (the host answered with a RST).
◦ Filtered
  ▪ No answers. Usually an intermediate filter (firewall, ...) is dropping the probes for that port; an ICMP unreachable error counts as filtered too.
◦ Unfiltered
  ▪ Reachable, but nmap cannot tell whether it is open or closed. Only the ACK scan (-sA, section 2.6) reports this state.
◦ Open | Filtered
  ▪ Nmap cannot tell which of the two, because it got no answer. Typical of UDP scans and of the scan types that rely on the absence of a reply.
◦ Closed | Filtered
  ▪ Nmap cannot tell which of the two. Only the idle scan (-sI) reports this state.
2 The different options

Every command below was run as root (shown with a # prompt): the default SYN scan and the ARP-based host discovery seen later both need raw-packet privileges.

2.1 [-sS] SYN scan

-sS: SYN scan, also known as SYN stealth scan.
The most popular scan type and the default when nmap runs with raw-packet privileges (root); without them nmap falls back to the connect() scan (-sT), which completes the TCP handshake and is therefore slower and more visible in the target's logs.
Relatively stealthy and fast, because it never completes the three-way handshake. The scanner sends a SYN and:
• if it receives SYN/ACK → port open (nmap answers with a RST, so no connection is ever established)
• if it receives RST → port closed
• if nothing comes back, or an ICMP unreachable error arrives → port filtered
# nmap 90.71.232.228

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 22:38 CET
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 19.20% done; ETC: 22:39 (0:00:25 remaining)
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 27.75% done; ETC: 22:39 (0:00:31 remaining)
Nmap scan report for 228.pool90-71-232.dynamic.orange.es (90.71.232.228)
Host is up (0.0013s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
631/tcp  open     ipp
8000/tcp open     http-alt
8080/tcp open     http-proxy
8081/tcp filtered blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 90.19 seconds
2.2 [-v] Verbose mode

-v: verbose.
Recommended as a matter of habit: besides the final table you see each phase (ping scan, DNS resolution, SYN scan), every open port the moment it is discovered, and the timing adjustments nmap makes along the way. In the run below the lines "Increasing send delay ... due to N out of M dropped probes" show nmap backing off because the target (or something in front of it) was dropping probes, which is why a single host took about a minute to scan.
# nmap -v 90.71.232.228

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 22:47 CET
Initiating Ping Scan at 22:47
Scanning 90.71.232.228 [4 ports]
Completed Ping Scan at 22:47, 1.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:47
Completed Parallel DNS resolution of 1 host. at 22:47, 0.00s elapsed
Initiating SYN Stealth Scan at 22:47
Scanning 228.pool90-71-232.dynamic.orange.es (90.71.232.228) [1000 ports]
Discovered open port 8080/tcp on 90.71.232.228
Discovered open port 80/tcp on 90.71.232.228
Discovered open port 53/tcp on 90.71.232.228
Discovered open port 443/tcp on 90.71.232.228
Discovered open port 22/tcp on 90.71.232.228
Increasing send delay for 90.71.232.228 from 0 to 5 due to 50 out of 166 dropped probes since last increase.
Discovered open port 631/tcp on 90.71.232.228
Increasing send delay for 90.71.232.228 from 5 to 10 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 90.71.232.228 from 10 to 20 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 90.71.232.228 from 20 to 40 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 90.71.232.228 from 40 to 80 due to 11 out of 30 dropped probes since last increase.
SYN Stealth Scan Timing: About 43.20% done; ETC: 22:49 (0:00:41 remaining)
Discovered open port 8000/tcp on 90.71.232.228
Completed SYN Stealth Scan at 22:48, 61.87s elapsed (1000 total ports)
Nmap scan report for 228.pool90-71-232.dynamic.orange.es (90.71.232.228)
Host is up (0.040s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
631/tcp  open     ipp
8000/tcp open     http-alt
8080/tcp open     http-proxy
8081/tcp filtered blackice-icecap

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 63.18 seconds
           Raw packets sent: 1252 (55.064KB) | Rcvd: 1234 (49.400KB)
2.3 Scanning a range of hosts

The following target formats can be used:
• CIDR: 192.168.1.0/24
• Octet range: 192.168.1.101-200
• Wildcard: 192.168.1.*
• List: 192.168.1.101 192.168.1.102 192.168.1.103, or as a per-octet list, 192.168.1.101,102,103

For each host found nmap also prints the MAC address and hardware vendor, but only for hosts on the same Ethernet segment, where it learns the MAC from the ARP reply; 192.168.1.105 below shows none because it is the scanning machine itself (see --iflist in 2.10). Note also that the /24 counts as 256 addresses, network and broadcast included, and that only the hosts found up by host discovery are port-scanned.
# nmap 192.168.1.1/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 22:50 CET
Stats: 0:00:26 elapsed; 251 hosts completed (4 up), 4 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 18.77% done; ETC: 22:52 (0:01:40 remaining)
Stats: 0:02:36 elapsed; 251 hosts completed (4 up), 4 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 87.21% done; ETC: 22:53 (0:00:22 remaining)
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
631/tcp  open     ipp
8081/tcp filtered blackice-icecap
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap scan report for guara (192.168.1.21)
Host is up (0.0016s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
4000/tcp open  remoteanything
4001/tcp open  newoak
6881/tcp open  bittorrent-tracker
8000/tcp open  http-alt
8080/tcp open  http-proxy
MAC Address: B8:27:EB:85:BA:5E (Raspberry Pi Foundation)

Nmap scan report for 192.168.1.101
Host is up (0.013s latency).
All 1000 scanned ports on 192.168.1.101 are closed
MAC Address: B4:52:7E:E8:89:7E (Sony Mobile Communications AB)

Nmap scan report for 192.168.1.102
Host is up (0.011s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
1070/tcp open  gmrupdateserv
1900/tcp open  upnp
3000/tcp open  ppp
3001/tcp open  nessus
9998/tcp open  distinct32
MAC Address: C8:02:10:48:38:AA (LG Innotek)

Nmap scan report for 192.168.1.105
Host is up (0.0000070s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 256 IP addresses (5 hosts up) scanned in 205.80 seconds
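The target notations listed in 2.3 can be checked against the address counts nmap reports ("256 IP addresses" for the /24) by expanding them offline. The following Python is an added example written for this page, not code from the tutorial or from nmap; it implements nmap's documented IPv4 target syntax (CIDR, per-octet ranges and comma lists, wildcards, whitespace-separated lists) and passes hostnames through unchanged, since nmap resolves those before scanning.

```python
import ipaddress
import re

# Added example, not code from the tutorial: expand nmap-style IPv4 target
# specifications (section 2.3) into the concrete addresses a scan would visit.
# Follows nmap's documented syntax: CIDR (192.168.1.0/24), per-octet ranges
# (192.168.1.101-200), wildcards (192.168.1.*), per-octet comma lists
# (192.168.1.101,102,103) and whitespace-separated lists of specs. Hostnames
# are passed through unchanged (nmap would resolve them first).


def _expand_octet(spec):
    """Expand one octet spec such as '*', '101-200' or '101,102,103' to sorted ints."""
    if spec == "*":
        return list(range(256))
    values = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", part)
        if not m:
            raise ValueError(f"bad octet spec: {spec!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec):
    """Expand a single target spec into a list of dotted-quad strings."""
    if re.search(r"[^0-9.,*/-]", spec):
        return [spec]                      # a hostname: nothing to expand here
    if "/" in spec:
        # strict=False lets 192.168.1.1/24 mean the whole /24, as nmap does;
        # iterating the network includes the .0 and .255 addresses, also as nmap does
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    a, b, c, d = (_expand_octet(o) for o in octets)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def expand_targets(specs):
    """Expand a whitespace-separated list of specs; duplicates dropped, order kept."""
    seen = {}
    for spec in specs.split():
        for addr in expand_target(spec):
            seen.setdefault(addr)
    return list(seen)


if __name__ == "__main__":
    for spec in ("192.168.1.1/24", "192.168.1.101-200", "192.168.1.*", "192.168.1.101,102,103"):
        addrs = expand_target(spec)
        print(f"{spec:24} -> {len(addrs):4} addresses, first {addrs[0]}, last {addrs[-1]}")
```

Expanding a spec before running it is a cheap sanity check when the scope of an engagement is defined in writing: a typo such as 192.168.*.* instead of 192.168.1.* turns 256 targets into 65536, and the count is visible before any packet is sent.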
2.4 [-iL file] Read the host list from a text file

-iL: input list. One target per line, in any of the formats from 2.3 or as a hostname; here "guara" and "localhost" are resolved before scanning.
# cat /tmp/test.txt
192.168.1.1
guara
localhost

# nmap -iL /tmp/test.txt

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 23:00 CET
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
631/tcp  open     ipp
8081/tcp filtered blackice-icecap
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap scan report for guara (192.168.1.21)
Host is up (0.0017s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
4000/tcp open  remoteanything
4001/tcp open  newoak
6881/tcp open  bittorrent-tracker
8000/tcp open  http-alt
8080/tcp open  http-proxy
MAC Address: B8:27:EB:85:BA:5E (Raspberry Pi Foundation)

Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT    STATE SERVICE
25/tcp  open  smtp
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp

Nmap done: 3 IP addresses (3 hosts up) scanned in 101.27 seconds
2.5 [-A] OS and software version detection

-A: aggressive. Combines:
• -O   OS detection (not -sO, which is a different option, the IP protocol scan)
• -sV  version detection
• -sC  the default NSE scripts
• --traceroute   route tracing

It sends many probes to every port being analysed, so the run time can grow considerably on slow or congested networks, or when something in between filters the traffic.

Worth noticing in the output below, because this is exactly the kind of finding the baseline check in 1.1 is after: ftp-anon reports that anonymous FTP login is allowed on port 21, the VERSION column gives exact software versions (vsftpd 2.3.5, OpenSSH 6.0p1, Apache 2.2.22) that can be checked against vendor advisories, and the OS fingerprint plus the Raspberry Pi MAC identify the device class.
# nmap -A 192.168.1.21

Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-11 20:00 CET
Nmap scan report for guara (192.168.1.21)
Host is up (0.0023s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 0        0               0 Nov 04  2013 vacio.txt
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|   1024 e4:a8:8b:f4:6a:46:a4:6d:32:e9:2d:2d:40:68:91:12 (DSA)
|   2048 de:b4:75:4c:1f:3a:0f:db:8c:1a:77:90:e6:bc:51:80 (RSA)
|_  256 52:84:24:21:b2:43:60:ba:81:f8:92:05:69:c5:a9:14 (ECDSA)
80/tcp   open  http    Apache httpd 2.2.22 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Dumela Rra - Intermittent server
8000/tcp open  http    Icecast streaming media server
|_http-title: Icecast Streaming Media Server
8080/tcp open  http    qBittorrent Web UI
| http-auth:
| HTTP/1.1 401 Unauthorized
|_  Digest nonce=238dc176d02942a516a4178899ff8753 realm=Web UI Access opaque=238dc176d02942a516a4178899ff8753 stale=false qop=auth algorithm=MD5
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-title: Site doesn't have a title.
MAC Address: B8:27:EB:85:BA:5E (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   2.27 ms guara (192.168.1.21)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.27 seconds
2.6 [-sA] Check whether a host is protected by a firewall

-sA: ACK scan.
Sends packets with only the ACK flag set. The ACK scan never reports a port as open; its purpose is to map firewall rules. The response to each probe can be:
• RST → unfiltered (the port is reachable, but this scan cannot tell whether it is open or closed)
• ICMP unreachable error → filtered
• no response → filtered

A host with no firewall, or behind a stateless packet filter, answers every unsolicited ACK with a RST, so everything shows as unfiltered; a stateful firewall drops ACKs that belong to no connection, so the ports it protects show as filtered. In the two runs below the same three ports (21, 23, 8081) are filtered whether the router is probed on its public or its LAN address, consistent with the SYN scan results in 2.1.
# nmap -sA 90.71.232.228

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 23:18 CET
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing ACK Scan
ACK Scan Timing: About 92.10% done; ETC: 23:20 (0:00:06 remaining)
Nmap scan report for 228.pool90-71-232.dynamic.orange.es (90.71.232.228)
Host is up (0.0014s latency).
Not shown: 997 unfiltered ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
23/tcp   filtered telnet
8081/tcp filtered blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 90.56 seconds

# nmap -sA 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 23:21 CET
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 997 unfiltered ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
23/tcp   filtered telnet
8081/tcp filtered blackice-icecap
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 91.93 seconds
2.7 [-sP] Check which hosts are up

-sP: ping scan (in current nmap versions the option is called -sn; 6.47 still accepts -sP as an alias).
Does not scan ports. Normally used to find out which machines are up on a network.
• Run as root:
  ◦ On a local Ethernet network, as here, nmap sends ARP requests instead of IP probes, which is why the MAC addresses appear and the whole /24 was covered in 2.35 seconds.
  ◦ Against targets beyond the local segment it sends, together, an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP Timestamp Request; any answer (an Echo Reply, a SYN/ACK, a RST, ...) marks the host as up. Combining ICMP and TCP probes is what lets it find hosts that block ping.
• Run without root privileges:
  ◦ It uses connect() to attempt a TCP connection to ports 80 and 443 and tears it down as soon as it is established. (Similar to the SYN probe used by root, but this one establishes a full connection, so it is visible in the target's logs.)

TCP ping
A TCP ping (-PS for SYN, -PA for ACK) sends a single packet to a chosen port (80 by default).
• If a RST or a SYN/ACK comes back, the host is online.
• If the host does not answer, either it is offline or the port is filtered.
# nmap -sP 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 23:29 CET
Nmap scan report for 192.168.1.1
Host is up (0.0047s latency).
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)
Nmap scan report for guara (192.168.1.21)
Host is up (0.0080s latency).
MAC Address: B8:27:EB:85:BA:5E (Raspberry Pi Foundation)
Nmap scan report for 192.168.1.101
Host is up (0.071s latency).
MAC Address: B4:52:7E:E8:89:7E (Sony Mobile Communications AB)
Nmap scan report for 192.168.1.102
Host is up (0.074s latency).
MAC Address: C8:02:10:48:38:AA (LG Innotek)
Nmap scan report for 192.168.1.105
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.35 seconds
2.8 [-F] Fast scan

-F: fast.
Scans only the 100 most common ports instead of the default 1000 (a full scan would cover 65535), choosing them by the frequency data in /usr/share/nmap/nmap-services; that file itself lists around 20000 port/protocol entries. In the run below, the 7 ports shown plus "Not shown: 93 closed ports" add up to the 100 probed, and the scan takes under 5 seconds.
# nmap -F 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 23:33 CET
Nmap scan report for 192.168.1.1
Host is up (0.0013s latency).
Not shown: 93 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   open     http
443/tcp  open     https
631/tcp  open     ipp
8081/tcp filtered blackice-icecap
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds
2.9 [--reason] Find out why a port is in a given state

--reason adds a REASON column with the packet (or lack of one) that led nmap to each verdict: syn-ack for open, reset for closed, no-response for filtered. The "Host is up, received arp-response" line shows the host discovery reason as well, confirming that on this LAN nmap found the router via ARP.
# nmap -F --reason 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 23:34 CET
Nmap scan report for 192.168.1.1
Host is up, received arp-response (0.0013s latency).
Not shown: 93 closed ports
Reason: 93 resets
PORT     STATE    SERVICE         REASON
21/tcp   filtered ftp             no-response
23/tcp   filtered telnet          no-response
53/tcp   open     domain          syn-ack
80/tcp   open     http            syn-ack
443/tcp  open     https           syn-ack
631/tcp  open     ipp             syn-ack
8081/tcp filtered blackice-icecap no-response
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds
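Both the VERSION column and NSE script lines of -A (2.5) and the REASON column of --reason (2.9) are easy to pull out of nmap's normal output, which is what you need to turn a scan into the baseline check described in 1.1. The following Python is an added example written for this page, not code from the tutorial or from nmap: the embedded SAMPLE_REPORT is constructed from the scan results shown above, and the policy rules (no open cleartext services, no anonymous FTP) are assumptions chosen for illustration.

```python
import re

# Added example, not code from the tutorial: parse nmap's normal text output
# (the format shown throughout this document, including the REASON column of
# --reason in 2.9 and the NSE script lines of -A in 2.5) into host/port
# records, then run a small policy check of the kind section 1.1 mentions
# (hosts that fall short of the organisation's minimum security level).
# SAMPLE_REPORT is constructed from the tutorial's own scan results; the
# policy rules are illustrative assumptions, not nmap features.

SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.1
Host is up, received arp-response (0.0013s latency).
Not shown: 93 closed ports
Reason: 93 resets
PORT     STATE    SERVICE         REASON
21/tcp   filtered ftp             no-response
23/tcp   filtered telnet          no-response
53/tcp   open     domain          syn-ack
80/tcp   open     http            syn-ack
443/tcp  open     https           syn-ack
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap scan report for guara (192.168.1.21)
Host is up (0.0023s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 0        0               0 Nov 04  2013 vacio.txt
22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.22 ((Debian))
MAC Address: B8:27:EB:85:BA:5E (Raspberry Pi Foundation)
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([0-9a-fA-F.:]+)\)?$")
HEADER_RE = re.compile(r"^PORT\s+STATE\s+SERVICE(?:\s+(REASON|VERSION))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: (\S+) \((.*)\)$")

# Services whose protocol carries credentials in the clear (assumed policy list).
CLEARTEXT_SERVICES = {"ftp", "telnet"}


def parse_report(text):
    """Parse normal nmap output into a list of host dicts with their port records."""
    hosts, host, extra_col = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = {"name": m.group(1), "addr": m.group(2), "mac": None,
                    "vendor": None, "ports": []}
            hosts.append(host)
            extra_col = None           # the fourth column is announced per table
            continue
        if host is None:
            continue
        m = HEADER_RE.match(line)
        if m:
            extra_col = m.group(1).lower() if m.group(1) else None
            continue
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                    "service": m.group(4), "reason": None, "version": None, "scripts": []}
            if extra_col and m.group(5):
                port[extra_col] = m.group(5).strip()
            host["ports"].append(port)
            continue
        if line.startswith("|") and host["ports"]:
            # NSE script output belongs to the port listed just above it
            host["ports"][-1]["scripts"].append(line.lstrip("|_ ").rstrip())
            continue
        m = MAC_RE.match(line)
        if m:
            host["mac"], host["vendor"] = m.group(1), m.group(2)
    return hosts


def policy_findings(hosts):
    """Return (addr, port, message) for each open port that breaks the assumed policy."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue               # filtered/closed ports are not exposures
            if p["service"] in CLEARTEXT_SERVICES:
                findings.append((h["addr"], p["port"], f"cleartext service {p['service']} exposed"))
            if any("Anonymous FTP login allowed" in s for s in p["scripts"]):
                findings.append((h["addr"], p["port"], "anonymous FTP login allowed"))
    return findings


if __name__ == "__main__":
    for addr, port, msg in policy_findings(parse_report(SAMPLE_REPORT)):
        print(f"{addr}:{port} {msg}")
```

Note that the router's filtered ftp and telnet ports produce no finding: a filtered port is not an exposure, which is exactly why the STATE and REASON columns matter more than the port list. For anything beyond a quick script, prefer nmap's XML output (-oX), which is meant to be parsed; the normal text format is not guaranteed to stay stable between versions.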
2.10 [--iflist] Show the local host's interfaces and routes

Useful to confirm which interface and gateway nmap will use before scanning: here eth0 has no address, so every probe leaves through wlan0 (192.168.1.105) and remote targets are reached via the default route through 192.168.1.1.

# nmap --iflist

Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-11 23:40 CET
************************INTERFACES************************
DEV   (SHORT) IP/MASK                                     TYPE     UP MTU   MAC
eth0  (eth0)  (none)/0                                    ethernet up 1500  80:FA:5B:08:74:AD
wlan0 (wlan0) 192.168.1.105/24                            ethernet up 1500  A0:A8:CD:ED:BB:06
wlan0 (wlan0) fe80::a2a8:cdff:feed:bb06/64                ethernet up 1500  A0:A8:CD:ED:BB:06
wlan0 (wlan0) fd68:a0f6:db3d:df00:a2a8:cdff:feed:bb06/64  ethernet up 1500  A0:A8:CD:ED:BB:06
lo    (lo)    127.0.0.1/8                                 loopback up 65536
lo    (lo)    ::1/128                                     loopback up 65536

**************************ROUTES**************************
DST/MASK                                     DEV   METRIC GATEWAY
192.168.1.0/24                               wlan0 0
169.254.0.0/16                               wlan0 1000
0.0.0.0/0                                    wlan0 1024   192.168.1.1
::1/128                                      lo    0
fd68:a0f6:db3d:df00:a2a8:cdff:feed:bb06/128  lo    0
fe80::a2a8:cdff:feed:bb06/128                lo    0
ff02::1/128                                  wlan0 0
::1/128                                      lo    256
fd68:a0f6:db3d:df00::/64                     wlan0 10
fe80::/64                                    wlan0 256
ff00::/8                                     wlan0 256

2.11 [-p] Scanning specific ports
Scan port 80

# nmap -p 80 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-11 23:54 CET
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds

Scan TCP port 53 (the T: prefix restricts the item to TCP and U: to UDP; since no UDP scan (-sU) was requested here, T:53 and plain 53 are equivalent)

# nmap -p T:53 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-12 00:00 CET
Nmap scan report for 192.168.1.1
Host is up (0.0041s latency).
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

Scan a list of ports (nmap reports them sorted by port number, regardless of the order given)

# nmap -p 67,53,80 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-12 00:06 CET
Nmap scan report for 192.168.1.1
Host is up (0.0048s latency).
PORT   STATE  SERVICE
53/tcp open   domain
67/tcp closed dhcps
80/tcp open   http
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds

Scan a range of ports

# nmap -p 1-100 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-12 00:08 CET
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 96 closed ports
PORT   STATE    SERVICE
21/tcp filtered ftp
23/tcp filtered telnet
53/tcp open     domain
80/tcp open     http
MAC Address: 68:A0:F6:DB:3D:DF (Huawei Technologies Co.)

Nmap done: 1 IP address (1 host up) scanned in 4.92 seconds
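The -p syntax shown above composes: items are separated by commas, each item is a port or a range, and a T: or U: prefix applies to that item and to the ones that follow it until the next prefix (nmap accepts forms such as -p U:53,111,T:21-25,80). The following Python is an added example written for this page, not code from the tutorial or from nmap; it expands a -p specification into the TCP and UDP port sets it names. Which of those sets nmap actually probes depends on the scan types requested (TCP only unless -sU is given), which the protocols parameter models.

```python
import re

# Added example, not code from the tutorial: expand an nmap -p port
# specification (section 2.11) into the TCP and UDP port sets it names.
# Syntax handled, as nmap documents it: single ports, comma lists, ranges
# ("1-100"; "-" alone means 1-65535, "-100" means 1-100, "1000-" means
# 1000-65535) and T:/U: prefixes that stay in force for the following items.

PORT_ITEM_RE = re.compile(r"(\d*)-(\d*)|(\d+)")


def expand_port_spec(spec, protocols=("tcp",)):
    """Return {'tcp': set, 'udp': set} for an nmap-style -p spec.

    Items without a T:/U: prefix apply to every protocol in `protocols`, which
    models the scan types requested (nmap scans only TCP unless -sU is given).
    """
    ports = {"tcp": set(), "udp": set()}
    current = tuple(protocols)
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty item in port spec")
        if item[:2] in ("T:", "U:"):
            current = ("tcp",) if item[0] == "T" else ("udp",)
            item = item[2:]
        m = PORT_ITEM_RE.fullmatch(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        if m.group(3) is not None:
            lo = hi = int(m.group(3))          # a single port
        else:
            lo = int(m.group(1)) if m.group(1) else 1       # open-ended start
            hi = int(m.group(2)) if m.group(2) else 65535   # open-ended end
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        for proto in current:
            ports[proto].update(range(lo, hi + 1))
    return ports


if __name__ == "__main__":
    for spec in ("80", "T:53", "67,53,80", "1-100", "U:53,111,T:21-25,80"):
        p = expand_port_spec(spec)
        tcp = sorted(p["tcp"])
        print(f"{spec:22} -> {len(tcp)} tcp ports {tcp[:6]}{'...' if len(tcp) > 6 else ''}, udp {sorted(p['udp'])}")
```

Two details worth keeping in mind when writing port lists by hand: "-" on its own is the full 1-65535 range, so "-p-" is the usual way to ask for everything, and a U: list given without -sU names ports that will never be probed, which the function makes visible by returning them under "udp" regardless.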
3 Sources

http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
http://www.nmap-tutorial.com
GUÍA DE SEGURIDAD DE LAS TIC (CCN-STIC-954) - GUÍA AVANZADA DE NMAP (the Spanish CCN's advanced nmap guide)

Aula 30x
@aula30x
December 2015