Nmap

From WikiCat IT

Nmap, or Network Mapper, is a network scanner used to explore networks and audit their security.

We can use nmap to:

  • Find out which ports are open on a computer.
  • Find out whether a machine is running a firewall or not.
  • Learn the MAC address of one or more machines.
  • Identify the manufacturer of a computer's network card.
  • Identify the machines within a network.
  • Identify the operating system of a machine on the network.

Installation

apt-get install nmap

Usage examples

We can run nmap against localhost with:

root@isabel-desktop:~# sudo nmap localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:08 CEST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 996 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Scanning localhost

We can obtain more information (such as application versions, operating systems, ...) with the following command:

root@isabel-desktop:~# sudo nmap -A localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:10 CEST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 996 closed ports
PORT    STATE SERVICE    VERSION
21/tcp  open  ftp        vsftpd 2.2.2
22/tcp  open  tcpwrapped
23/tcp  open  telnet     Linux telnetd
631/tcp open  ipp        CUPS 1.4
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=8/14%OT=21%CT=1%CU=30419%PV=N%DS=0%G=Y%TM=4C6687EA%P=i686-
OS:pc-linux-gnu)SEQ(SP=CD%GCD=1%ISR=CF%TI=Z%CI=Z%II=I%TS=8)SEQ(SP=CC%GCD=1%
OS:ISR=CF%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M400CST11NW5%O2=M400CST11NW5%O3=M400CN
OS:NT11NW5%O4=M400CST11NW5%O5=M400CST11NW5%O6=M400CST11)WIN(W1=8000%W2=8000
OS:%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNW5%
OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W
OS:=8000%S=O%A=S+%F=AS%O=M400CST11NW5%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y
OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)I
OS:E(R=Y%DFI=N%T=40%CD=S)

Network Distance: 0 hops
Service Info: OSs: Unix, Linux

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.53 seconds

Scanning another machine on the LAN

If we do the same for a local server (IP 192.168.1.250 in this case), we get:

root@isabel-desktop:~# sudo nmap -A 192.168.1.250

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:15 CEST
Interesting ports on 192.168.1.250:
Not shown: 986 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.2.2
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0)
|  ssh-hostkey: 1024 18:4a:f0:89:20:15:da:e0:21:bc:91:f1:57:e0:b7:5a (DSA)
|_ 2048 b3:90:4a:a4:22:8d:70:d4:d5:18:66:25:4d:20:c0:5a (RSA)
23/tcp   open  telnet      Linux telnetd
53/tcp   open  domain      ISC BIND 9.7.0-P1
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu))
|_ html-title: Index of /
110/tcp  open  pop3        Courier pop3d
|_ pop3-capabilities: USER IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING LOGIN-DELAY(10) TOP
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: GRUPO_TRABAJO)
143/tcp  open  imap        Courier Imapd (released 2008)
|_ imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: GRUPO_TRABAJO)
5900/tcp open  vnc         VNC (protocol 3.7)
6666/tcp open  irc         Unreal ircd
|_ irc-info: ERROR: Closing Link: 192.168.1.245 (No more connections allowed on that IP)
6667/tcp open  irc         Unreal ircd
|  irc-info: Server: IRC_ESI2B.LAN.server
|  Lservers/Lusers: 0/2
|  Source host: 192.168.1.245
|_ Source ident: NONE or BLOCKED
6668/tcp open  irc         Unreal ircd
|  irc-info: Server: IRC_ESI2B.LAN.server
|  Version: hybrid-7.2.2.dfsg.2-6(SVN). IRC_ESI2B.LAN.server 
|  Lservers/Lusers: 0/2
|  Uptime: 0 days, 0:38:17
|  Source host: 192.168.1.245
|_ Source ident: NONE or BLOCKED
6669/tcp open  irc         Unreal ircd
|  irc-info: Server: IRC_ESI2B.LAN.server
|  Lservers/Lusers: 0/1
|  Source host: 192.168.1.245
|_ Source ident: NONE or BLOCKED
MAC Address: 08:00:27:2C:12:25 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.28
Network Distance: 1 hop
Service Info: Host: IRC_ESI2B.LAN.server; OSs: Unix, Linux

Host script results:
|_ nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|  smb-os-discovery: Unix
|  LAN Manager: Samba 3.4.7
|  Name: Unknown\Unknown
|_ System time: 2010-08-14 14:16:02 UTC+2

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.54 seconds

Scanning a WAN machine

We can also do it against a better-known machine, such as Google's:

root@isabel-desktop:~# sudo nmap -A google.es

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:19 CEST
Interesting ports on 66.249.92.104:
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
80/tcp  open   http     Google httpd 2.0 (GFE)
|  html-title: Google
|_ Requested resource was http://www.google.es/
113/tcp closed auth
443/tcp open   ssl/http Google httpd 2.0 (GFE)
|  robots.txt: has 203 disallowed entries (15 shown)
|  /search /groups /images /catalogs /catalogues /news 
|  /nwshp /setnewsprefs? /index.html? /? /addurl/image? /pagead/ 
|_ /relpage/ /relcontent /imgres
|  html-title: Google
|_ Requested resource was http://www.google.com/
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
Service Info: OS: Linux

TRACEROUTE (using port 113/tcp)
HOP RTT   ADDRESS
1   1.79  192.168.1.1
2   58.13 192.168.153.1
3   69.06 49.Red-81-46-34.staticIP.rima-tde.net (81.46.34.49)
4   36.77 So4-0-0-0-grtbcntb1.red.telefonica-wholesale.net (213.140.50.77)
5   69.46 Xe1-0-0-0-grtpartv2.red.telefonica-wholesale.net (84.16.13.134)
6   82.64 Xe9-3-0-0-grtpartv1.red.telefonica-wholesale.net (213.140.49.153)
7   67.99 66.249.92.104

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.71 seconds

Scanning a protected machine

Some machines resist being scanned, such as la-moncloa. Let's see what happens if we try to scan it:

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:25 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.56 second

Nmap has options that can get around these protections. Let's see the difference:

root@isabel-desktop:~# sudo nmap -P0 la-moncloa.es

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:26 CEST
Interesting ports on 217.140.16.48:
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 9.54 seconds

Scanning subnets or subranges

With nmap we can also scan subnets or subranges. The following example shows how the whole 192.168.1.0 network is scanned:

root@isabel-desktop:~# nmap 192.168.1.1/24

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:30 CEST
Interesting ports on 192.168.1.1:
Not shown: 996 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: 64:68:0C:A1:12:E7 (Unknown)

Interesting ports on 192.168.1.35:
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
139/tcp  open   netbios-ssn
4662/tcp open   edonkey
MAC Address: 00:22:F7:02:47:0C (Conceptronic)

Interesting ports on 192.168.1.245:
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet

Interesting ports on 192.168.1.250:
Not shown: 986 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
5900/tcp open  vnc
6666/tcp open  irc
6667/tcp open  irc
6668/tcp open  irc
6669/tcp open  irc
MAC Address: 08:00:27:2C:12:25 (Cadmus Computer Systems)

Nmap done: 256 IP addresses (4 hosts up) scanned in 7.55 seconds

If the network is very large, it can be useful to save nmap's output to a file:

nmap 192.168.1.1/24 > xarxa.txt

The file is saved directly in the user's home directory.
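A saved report such as xarxa.txt lists one block per host, which is awkward to compare between scans. The POSIX shell script below is an added example (not from the original page) that parses a normal-format nmap report into one line per open port, so the exposed services on the subnet can be inventoried and checked against a local policy. The report text embedded in it is a constructed excerpt of the page's own subnet scan, and the deny-list of risky services is an assumed policy, not something the page defines.

```shell
# Added example: turn a saved nmap report ("nmap 192.168.1.1/24 > xarxa.txt") into an inventory.
# Constructed excerpt of the page's own subnet scan, used as sample input:
SAMPLE_REPORT='Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:30 CEST
Interesting ports on 192.168.1.1:
Not shown: 996 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: 64:68:0C:A1:12:E7 (Unknown)

Interesting ports on 192.168.1.35:
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
139/tcp  open   netbios-ssn
MAC Address: 00:22:F7:02:47:0C (Conceptronic)

Nmap done: 256 IP addresses (2 hosts up) scanned in 7.55 seconds'

# open_ports: read a report on stdin and print "host port/proto service" for each open port.
# The host comes from the "Interesting ports on ..." header that precedes each port table.
open_ports() {
    awk '
        /^Interesting ports on / { host = $4; sub(/:$/, "", host); next }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print host, $1, $3 }
    '
}

# count_open HOST: number of open ports reported for HOST (report on stdin).
count_open() {
    open_ports | awk -v h="$1" '$1 == h { n++ } END { print n + 0 }'
}

# flag_risky: open ports whose service is on the assumed (constructed) deny-list,
# e.g. cleartext telnet or VNC that a LAN policy would not allow to be exposed.
RISKY_SERVICES='telnet vnc'
flag_risky() {
    open_ports | awk -v list="$RISKY_SERVICES" '
        BEGIN { n = split(list, r, " "); for (i = 1; i <= n; i++) risky[r[i]] = 1 }
        ($3 in risky) { print $1, $2, $3 }
    '
}

# Stand-alone run: print the inventory of the sample report, then the policy violations.
printf '%s\n' "$SAMPLE_REPORT" | open_ports; printf '%s\n' "$SAMPLE_REPORT" | flag_risky
```

Running it on two saved reports and diffing the `open_ports` output shows which services appeared or disappeared between scans.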

Specific examples

Operating system detection

It can be obtained with the -O option. For example, the machine bernatelferrer.cat is running, with 89% probability, an Apple Mac OS:

root@isabel-desktop:~# nmap -O -v bernatelferrer.cat

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:44 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 14:44
Scanning 212.36.75.239 [4 ports]
Completed Ping Scan at 14:44, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:44
Completed Parallel DNS resolution of 1 host. at 14:44, 0.06s elapsed
Initiating SYN Stealth Scan at 14:44
Scanning hc23.srv.cat (212.36.75.239) [1000 ports]
Discovered open port 3306/tcp on 212.36.75.239
Discovered open port 25/tcp on 212.36.75.239
Discovered open port 21/tcp on 212.36.75.239
Discovered open port 80/tcp on 212.36.75.239
Discovered open port 443/tcp on 212.36.75.239
Completed SYN Stealth Scan at 14:44, 6.99s elapsed (1000 total ports)
Initiating OS detection (try #1) against hc23.srv.cat (212.36.75.239)
Retrying OS detection (try #2) against hc23.srv.cat (212.36.75.239)
Host hc23.srv.cat (212.36.75.239) is up (0.071s latency).
Interesting ports on hc23.srv.cat (212.36.75.239):
Not shown: 994 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
25/tcp   open   smtp
80/tcp   open   http
443/tcp  open   https
3306/tcp open   mysql
Device type: general purpose|broadband router|router
Running (JUST GUESSING) : Apple Mac OS X 10.5.X (89%), Scientific Atlanta embedded (88%), FreeBSD 6.X|5.X|7.X (88%), OpenBSD 4.X (88%), Juniper JUNOS 9.X (85%)
Aggressive OS guesses: Apple Mac OS X 10.5.5 - 10.5.6 (Leopard) (Darwin 9.5.0 - 9.6.0) (89%), Scientific Atlanta WebSTAR DPC2100 cable modem (88%), FreeBSD 6.3-RELEASE (88%), OpenBSD 4.3 (88%), FreeBSD 5.4-RELEASE (87%), OpenBSD 4.0 (x86) (87%), FreeBSD 7.0-STABLE (86%), Apple Mac OS X 10.5 - 10.5.6 (Leopard) (Darwin 9.0.0 - 9.6.0) (86%), Apple Mac OS X 10.5 - 10.5.6 (Leopard) (Darwin 9.0.0b5 - 9.6.0) (86%), Apple Mac OS X 10.5.3 - 10.5.4 (Leopard) (Darwin 9.3.0 - 9.4.0) (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 18.815 days (since Mon Jul 26 19:11:45 2010)
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Randomized

Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.55 seconds
           Raw packets sent: 2058 (93.948KB) | Rcvd: 35 (2196B)

Scanning UDP ports

Nmap reports the UDP port as open|filtered because it received no answer to its probe, and an open UDP service that stays silent cannot be told apart from a port whose probe was dropped by a firewall.
root@isabel-desktop:~# sudo nmap -sU bernatelferrer.cat -p 53
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:49 CEST
Interesting ports on hc23.srv.cat (212.36.75.239):
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds

Scanning all ports

The -p- option scans all 65535 TCP ports instead of the default 1000, which is why this scan took 462.97 seconds instead of the 11.55 seconds of the previous one:

root@isabel-desktop:~# sudo nmap -p- bernatelferrer.cat

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-14 14:58 CEST
Interesting ports on hc23.srv.cat (212.36.75.239):
Not shown: 65528 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   closed ssh
25/tcp   open   smtp
80/tcp   open   http
443/tcp  open   https
3306/tcp open   mysql
4949/tcp open   unknown

Nmap done: 1 IP address (1 host up) scanned in 462.97 seconds