26/11/11

Nmap Manual

Nmap is one of the most widely used port scanners in the world and is currently supported on several operating systems. Nmap uses the IP protocol to discover which hosts are active on an internal or external network; it can also identify the operating system, the services running, their versions, open ports, firewall filtering, some vulnerabilities, and so on. Every scan can be exported in several formats so that the results can be consumed by other programs, whether network-management tools or vulnerability scanners such as Nessus or OpenVAS.

In this manual I will try to give examples covering most of nmap's syntax and explain some of the most commonly used parameters.



Syntax overview (nmap help output)

Nmap 5.35DC1 ( http://nmap.org )

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>

SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.

OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:
Options which take
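The TARGET SPECIFICATION section above shows nmap's target grammar (single address, CIDR suffix, per-octet ranges such as 10.0.0-255.1-254, and --exclude). The following script is an added example, not part of the original manual and not nmap's own code: it expands those numeric forms into concrete addresses so the scope of an authorised scan can be counted and reviewed before anything is sent. Hostnames (scanme.nmap.org, microsoft.com/24) are deliberately left out because they require DNS resolution; everything else mirrors nmap's semantics, including the fact that 192.168.198.1/24 means the whole /24, network and broadcast addresses included (256 addresses, as the sweep later in this manual reports).

```python
"""Expand nmap-style target specifications into concrete IPv4 addresses.

Added example (not nmap's code). Handles the numeric target forms from the
help text: a single address, an octet range per position (0-255 or *),
and a /prefix suffix, plus --exclude style exclusions. Hostnames are not
handled because they would need DNS.
"""
import ipaddress
import re

# One octet: a number, or a low-high range, e.g. "5" or "0-255".
_RANGE_RE = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(part: str) -> range:
    """Turn one octet spec ('5', '0-255', '*') into a range of ints."""
    if part == "*":
        return range(0, 256)
    m = _RANGE_RE.match(part)
    if not m:
        raise ValueError(f"bad octet spec: {part!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if not (0 <= lo <= hi <= 255):
        raise ValueError(f"octet range out of bounds: {part!r}")
    return range(lo, hi + 1)


def expand_target(spec: str) -> list[str]:
    """Expand one target spec (octet ranges and/or a /prefix) to addresses."""
    addr, _, prefix = spec.partition("/")
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    ranges = [_octet_values(o) for o in octets]
    base = [".".join(map(str, (a, b, c, d)))
            for a in ranges[0] for b in ranges[1]
            for c in ranges[2] for d in ranges[3]]
    if not prefix:
        return base
    # A /prefix applies to every address the octet ranges produced. As in
    # nmap, the host bits are ignored: 192.168.198.1/24 is the whole network,
    # and the network and broadcast addresses are part of the list.
    seen: dict[str, None] = {}
    for a in base:
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        for host in net:
            seen.setdefault(str(host), None)
    return list(seen)


def expand_targets(specs, exclude=()) -> list[str]:
    """Expand several specs (comma- or space-separated) minus exclusions."""
    wanted: dict[str, None] = {}
    for spec in specs:
        for s in re.split(r"[,\s]+", spec.strip()):
            if s:
                for a in expand_target(s):
                    wanted.setdefault(a, None)
    excluded = set()
    for spec in exclude:
        for s in re.split(r"[,\s]+", spec.strip()):
            if s:
                excluded.update(expand_target(s))
    return [a for a in wanted if a not in excluded]


if __name__ == "__main__":
    # Constructed scope check: this manual's /24 with the gateway excluded.
    scope = expand_targets(["192.168.198.1/24"], exclude=["192.168.198.1"])
    print(len(scope), "addresses in scope; first", scope[0], "last", scope[-1])
```

Running the block prints the size of the scope before a scan is launched, which is a cheap way to catch a mistyped range (10.0.0-255.1-254 alone is 65,024 addresses) or a forgotten exclusion.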



Examples:
Discover the remote operating system, the open ports and the version of each service.
Command: nmap -O -sV 192.168.198.15

//Nmap output
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-04-09 17:06 WEST
Nmap scan report for 192.168.198.15
Host is up (0.00039s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
5000/tcp open upnp Microsoft Windows UPnP
MAC Address: 00:0C:29:EF:60:B3 (VMware)
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
Network Distance: 1 hop
Service Info: OS: Windows

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.26 seconds


Explanation:

-O tries to identify the operating system in use (OS detection sends raw packets, so nmap needs to run as root or Administrator for it to work);
-sV probes the services listening on each open port and tries to determine which service and version is running;

More options that could be used to examine the version of each service in greater detail:
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)


Example:
Find the active hosts across the whole internal network (a class C network, i.e. a /24):

Command: nmap 192.168.198.1/24

Without -sn, nmap also port-scans the default 1000 ports on every host it finds up, which is why the output below shows a port table for each host; add -sn if you only want the list of live hosts.

//Output
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-04-09 17:37 WEST
Nmap scan report for 192.168.198.1
Host is up (0.0092s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
23/tcp closed telnet
80/tcp open http
443/tcp open https
8080/tcp closed http-proxy
MAC Address: 00:3F:33:BF:F2:1F (Netgear)

Nmap scan report for 192.168.198.11
Host is up (0.014s latency).
All 1000 scanned ports on 192.168.198.11 are closed
MAC Address: 01:24:9D:5E:BE:FE (Sony Computer Entertainment)

Nmap scan report for 192.168.198.12
Host is up (0.011s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
3390/tcp open unknown
5357/tcp open unknown
10243/tcp open unknown
49157/tcp open unknown
MAC Address: 01:2F:2B:2B:ED:5F (Hon Hai Precision Ind.Co.)

Nmap scan report for 192.168.198.17
Host is up (0.000025s latency).
All 1000 scanned ports on 192.168.198.17 are closed

Nmap scan report for 192.168.198.18
Host is up (0.00097s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open upnp
MAC Address: 00:0C:29:EF:60:B3 (VMware)

Nmap done: 256 IP addresses (5 hosts up) scanned in 14.87 seconds
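The introduction notes that scan results can be exported for other programs to use; nmap's -oX option writes the same results as XML, which is the format meant for that. The following script is an added example, not part of the original manual and not nmap's own code: it parses nmap XML into a per-host inventory (address, MAC vendor, open ports with service and version, best OS match) and flags hosts exposing NetBIOS/SMB, the kind of review list an administrator would build from the two scans above. The embedded XML is constructed by hand to mirror the first scan (nmap -O -sV 192.168.198.15); the element and attribute names are the ones nmap really emits, but the accuracy values and probe reasons are made up because the manual's normal-format output does not show them.

```python
"""Turn nmap XML output (-oX) into a per-host inventory.

Added example, not nmap's code. SAMPLE_XML is constructed to mirror the
manual's first scan; accuracy and reason attributes are invented.
"""
import xml.etree.ElementTree as ET

# Constructed sample: same host, ports and OS match as the manual's scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX scan.xml 192.168.198.15" version="5.35DC1">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.198.15" addrtype="ipv4"/>
    <address addr="00:0C:29:EF:60:B3" addrtype="mac" vendor="VMware"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" method="table" conf="3"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="1025"><state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="5000"><state state="open" reason="syn-ack"/>
        <service name="upnp" product="Microsoft Windows UPnP" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
        <service name="telnet" method="table" conf="3"/></port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1" accuracy="97"/>
      <osmatch name="Microsoft Windows XP SP1" accuracy="95"/>
    </os>
  </host>
</nmaprun>
"""

# Ports whose exposure on a workstation deserves a second look.
REVIEW_PORTS = {139: "NetBIOS session", 445: "SMB (microsoft-ds)"}


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Return one record per host that was up: address, open ports, OS guess."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ipv4 = host.find("address[@addrtype='ipv4']")
        mac = host.find("address[@addrtype='mac']")
        record = {
            "addr": ipv4.get("addr") if ipv4 is not None else None,
            "mac_vendor": mac.get("vendor") if mac is not None else None,
            "open_ports": [],
            "os": None,
            "review": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            svc = port.find("service")
            portid = int(port.get("portid"))
            record["open_ports"].append({
                "port": portid,
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
            })
            if portid in REVIEW_PORTS:
                record["review"].append(f"{portid}/tcp {REVIEW_PORTS[portid]} reachable")
        # nmap lists osmatch elements best-first; keep the top one and its accuracy.
        best = host.find("os/osmatch")
        if best is not None:
            record["os"] = (best.get("name"), int(best.get("accuracy")))
        hosts.append(record)
    return hosts


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], h["mac_vendor"], h["os"])
        for p in h["open_ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} {p['product'] or ''}")
        for note in h["review"]:
            print("  REVIEW:", note)
```

To use it on a real scan, run the same command with -oX scan.xml added and pass the file's contents to parse_nmap_xml; the closed port 23 in the sample shows that only open ports end up in the inventory, and the review list is what you would compare against the expected role of each host.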

