Thursday, November 30, 2017

How to use Nmap on Linux and not die trying




By Nmap's own definition it is a "Network Mapper", more popularly known as a network or host scanner. With it you can determine which hosts are available on the network, their services and operating systems, and the names and versions of those, among other things. It is open source, and you can find more information on the Spanish-language reference page.

In this post I will show how to use Nmap to run several port-scanning schemes against any host or network.
Obviously, the first step is to install nmap on our Linux system.

On CentOS:

[root@arquitectoti ~]# yum -y install nmap
Complementos cargados:fastestmirror, security
Configurando el proceso de instalación
Loading mirror speeds from cached hostfile
 * base: mirror.globo.com
 * extras: centos.brnet.net.br
 * updates: mirror.ufscar.br
Resolviendo dependencias
--> Ejecutando prueba de transacción
---> Package nmap.x86_64 2:5.51-6.el6 will be instalado
--> Resolución de dependencias finalizada

Dependencias resueltas

================================================================================
 Paquete        Arquitectura     Versión                   Repositorio    Tamaño
================================================================================
Instalando:
 nmap           x86_64           2:5.51-6.el6              base           2.8 M

Resumen de la transacción
================================================================================
Instalar       1 Paquete(s)

Tamaño total de la descarga: 2.8 M
Tamaño instalado: 9.7 M
Descargando paquetes:
nmap-5.51-6.el6.x86_64.rpm                               | 2.8 MB     00:07
Ejecutando el rpm_check_debug
Ejecutando prueba de transacción
La prueba de transacción ha sido exitosa
Ejecutando transacción
  Instalando    : 2:nmap-5.51-6.el6.x86_64                                  1/1
  Verifying     : 2:nmap-5.51-6.el6.x86_64                                  1/1

Instalado:
  nmap.x86_64 2:5.51-6.el6

¡Listo!
[root@arquitectoti ~]#



Now that we have Nmap installed we can start using it. To understand a bit more about Nmap's options we can ask for its help text.

[root@arquitectoti ~]# nmap -h
Nmap 5.51 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -PR: ARP ping - does not need HW address -> IP translation
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  -sR: Check what service uses opened ports using RPC scan
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

At the end of the help text there are some examples, which you can run to start playing with Nmap. So let's run a port scan against scanme.nmap.org.

We use -v [lowercase] to increase the verbosity level (detail) and -A to enable operating system detection, version detection, script scanning and traceroute.

[root@arquitectoti ~]# nmap -v -A scanme.nmap.org

The result in this example is as follows:


Starting Nmap 5.51 ( http://nmap.org ) at 2017-11-30 15:09 CLST
NSE: Loaded 57 scripts for scanning.
Initiating Ping Scan at 15:09
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Completed Ping Scan at 15:09, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:09
Completed Parallel DNS resolution of 1 host. at 15:09, 5.33s elapsed
Initiating SYN Stealth Scan at 15:09
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 443/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 5190/tcp on 45.33.32.156
Discovered open port 1863/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 8010/tcp on 45.33.32.156
Discovered open port 5050/tcp on 45.33.32.156
Discovered open port 8008/tcp on 45.33.32.156
Completed SYN Stealth Scan at 15:09, 12.72s elapsed (1000 total ports)
Initiating Service scan at 15:09
Scanning 9 services on scanme.nmap.org (45.33.32.156)
Completed Service scan at 15:12, 139.87s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (45.33.32.156)
Retrying OS detection (try #2) against scanme.nmap.org (45.33.32.156)
Initiating Traceroute at 15:12
Completed Traceroute at 15:12, 0.04s elapsed
Initiating Parallel DNS resolution of 4 hosts. at 15:12
Completed Parallel DNS resolution of 4 hosts. at 15:12, 5.90s elapsed
NSE: Script scanning 45.33.32.156.
Initiating NSE at 15:12
Completed NSE at 15:12, 30.15s elapsed
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.044s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        (protocol 2.0)
| ssh-hostkey: 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|_2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
80/tcp   open  http       Apache httpd 2.4.7 ((Ubuntu))
|_http-methods: GET HEAD POST OPTIONS
|_http-title: Go ahead and ScanMe!
|_http-favicon: Unknown favicon MD5: 156515DA3C0F7DC6B2493BD5CE43F795
443/tcp  open  tcpwrapped
1863/tcp open  tcpwrapped
5050/tcp open  tcpwrapped
5190/tcp open  tcpwrapped
8008/tcp open  http?
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
|_http-title: Did not follow redirect to https://scanme.nmap.org:8010/ and no page was returned.
8010/tcp open  ssl/xmpp?
|_sslv2: server supports SSLv2 protocol, but no SSLv2 cyphers
9929/tcp open  nping-echo Nping echo
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Device type: general purpose|terminal|storage-misc
Running (JUST GUESSING): Linux 2.6.X (88%), IGEL Linux 2.6.X (86%), Axcient embedded (85%)

Aggressive OS guesses: Linux 2.6.18 (88%), Linux 2.6.15 - 2.6.26 (88%), Linux 2.6.32 (87%), IGEL UD3 thin client (Linux 2.6) (86%), Linux 2.6.31 (85%), Axceint Uptiva backup appliance (85%), Linux 2.6.16 - 2.6.28 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.824 days (since Tue Nov 28 19:26:55 2017)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 113/tcp)
HOP RTT      ADDRESS
1   10.87 ms 10.10.30.1
2   1.80 ms  10.14.2.2
3   2.56 ms  10.212.4.18
4   3.33 ms  scanme.nmap.org (45.33.32.156)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.12 seconds
           Raw packets sent: 1123 (51.344KB) | Rcvd: 1081 (44.800KB)



As you can see, the scan result is quite detailed. However, for the operating system it only gives a percentage of confidence for each candidate, since the test conditions are not ideal [No exact OS matches for host (test conditions non-ideal)].

Aggressive OS guesses: Linux 2.6.18 (88%), Linux 2.6.15 - 2.6.26 (88%), Linux 2.6.32 (87%), IGEL UD3 thin client (Linux 2.6) (86%), Linux 2.6.31 (85%), Axceint Uptiva backup appliance (85%), Linux 2.6.16 - 2.6.28 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 1.824 days (since Tue Nov 28 19:26:55 2017)


However, we could get more certainty about the operating system from the result for port 80: it shows the port is open and the server banner identifies it as Apache 2.4.7 built for Ubuntu.

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        (protocol 2.0)
| ssh-hostkey: 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|_2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
80/tcp   open  http       Apache httpd 2.4.7 ((Ubuntu))
|_http-methods: GET HEAD POST OPTIONS
|_http-title: Go ahead and ScanMe!
|_http-favicon: Unknown favicon MD5:


We can also run the scan in its simplest form, without adding any parameters. Let's try scanning scanme.nmap.org again.

[root@arquitectoti ~]# nmap scanme.nmap.org

Starting Nmap 5.51 ( http://nmap.org ) at 2017-11-30 17:05 CLST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.18s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
1863/tcp open  msnp
5050/tcp open  mmcc
5190/tcp open  aol
8008/tcp open  http
8010/tcp open  xmpp
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 17.76 seconds
[root@arquitectoti ~]#


As you can see, the result is much simpler than the previous one, but it still shows very relevant information, since what we mainly want is to determine which listening ports are open. We can see the latency, the number of closed ports, each TCP port with its state and the standard service associated with it, the number of hosts analysed and the duration of the scan.

In the next example we use the -sV option to probe the open ports and determine service and version information.

[root@arquitectoti ~]# nmap -sV scanme.nmap.org

Starting Nmap 5.51 ( http://nmap.org ) at 2017-11-30 17:20 CLST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.18s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        (protocol 2.0)
80/tcp   open  http       Apache httpd 2.4.7 ((Ubuntu))



The samples taken for the example show that we no longer see only the service associated with each port: because we asked for it, we also get the version of the listening service.


In the next example, with the -O option, we enable only operating system detection.


[root@arquitectoti ~]# nmap -O scanme.nmap.org

Starting Nmap 5.51 ( http://nmap.org ) at 2017-11-30 18:03 CLST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.18s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
1863/tcp open  msnp
5050/tcp open  mmcc
5190/tcp open  aol
8008/tcp open  http
8010/tcp open  xmpp
9929/tcp open  nping-echo
Device type: general purpose|terminal|storage-misc
Running (JUST GUESSING): Linux 2.6.X (88%), IGEL Linux 2.6.X (86%), Axcient embedded (85%)
Aggressive OS guesses: Linux 2.6.18 (88%), Linux 2.6.15 - 2.6.26 (88%), Linux 2.6.32 (87%), IGEL UD3 thin client (Linux 2.6) (86%), Axceint Uptiva backup appliance (85%), Linux 2.6.16 - 2.6.28 (85%), Linux 2.6.31 (85%)
No exact OS matches for host (test conditions non-ideal).

Network Distance: 22 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.27 seconds






In the next example we scan only ports 22, 80 and 443 (-p), probe the service and version running on them (-sV) and enable operating system detection (-O). Note in the output that restricting the scan to open ports triggers the warning that OS detection needs at least one open and one closed port, so these guesses are less reliable than the earlier ones.

[root@arquitectoti ~]# nmap -p22,80,443 -sV -O scanme.nmap.org

Starting Nmap 5.51 ( http://nmap.org ) at 2017-11-30 18:28 CLST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.18s latency).
PORT    STATE SERVICE    VERSION
22/tcp  open  ssh        (protocol 2.0)
80/tcp  open  http       Apache httpd 2.4.7 ((Ubuntu))
443/tcp open  tcpwrapped

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=5.51%I=7%D=11/30%Time=5A207807%P=x86_64-redhat-linux-gnu%r
SF:(NULL,2B,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\.8\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|terminal
Running (JUST GUESSING): Linux 2.6.X|2.4.X (87%), Netgear embedded (86%), IGEL Linux 2.6.X (85%)
Aggressive OS guesses: Linux 2.6.18 (87%), Linux 2.6.15 - 2.6.26 (87%), Tomato 1.27 (Linux 2.4.20) (86%), Linux 2.6.31 - 2.6.32 (86%), Linux 2.6.32 (86%), Netgear DG834G WAP (86%), IGEL UD3 thin client (Linux 2.6) (85%)
No exact OS matches for host (test conditions non-ideal).

Network Distance: 22 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.78 seconds


With the -F option you can run the scan in fast mode, which scans fewer ports than the default scan.
[root@arquitectoti ~]# nmap -F scanme.nmap.org



Adding -p1-2000, the scan will check ports 1 through 2000.

[root@arquitectoti ~]# nmap -p1-2000 scanme.nmap.org


Let's scan the port range 21 to 25 and the port range 80 to 123 on every host of the 192.168.0.* network.

[root@arquitectoti ~]# nmap -p21-25,80-123 192.168.0.*

How to scan the 192.168.1.0/24 subnet.

[root@arquitectoti ~]# nmap 192.168.1.0/24


How to scan the IP range from 192.168.2.1 to 192.168.2.50 (Nmap expresses a range within an octet as first-last, so the range goes on the last octet):

[root@arquitectoti ~]# nmap 192.168.2.1-50

To scan 3 or more IP addresses in the same segment, for example 192.168.1.10, 192.168.1.12 and 192.168.1.20:
[root@arquitectoti ~]# nmap 192.168.1.10,12,20



To scan multiple hosts:
[root@arquitectoti ~]# nmap 192.168.2.1 scanme.nmap.org 8.8.8.8


To save the result of a scan to a text file (a plain redirect only captures the normal output; the -oN/-oG/-oX options listed in the help write normal, grepable or XML output directly to a file):
[root@arquitectoti ~]# nmap scanme.nmap.org > nmap_db.txt


To scan from a list of hosts, ranges, networks or DNS names. The list must contain entries such as:
192.168.2.*
8.8.8.8
scanme.nmap.org
172.16.0.0/16
[root@arquitectoti ~]# nmap -iL /root/scans/lista.txt
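Once a scan is saved to a file, the useful next step for a defender is to compare it against an inventory rather than read it by eye. The following POSIX sh script is an added example, not code from the original post: it parses Nmap's grepable output (the -oG format from the help above) and flags open ports that are not on an allowlist. The sample scan data is constructed for the example and modelled on the scanme.nmap.org results; the file names and the second host are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): parse Nmap grepable output
# (-oG) and flag open ports that are not on an allowlist.
# Assumes the scan was saved with: nmap -oG scan.gnmap <targets>

# Constructed sample of -oG output, modelled on the scanme.nmap.org results
# above; the 192.168.2.1 host and its ports are made up for the example.
sample_gnmap() {
    printf '# Nmap 5.51 scan initiated Thu Nov 30 17:05:00 2017 as: nmap -oG scan.gnmap scanme.nmap.org 192.168.2.1\n'
    printf 'Host: 45.33.32.156 (scanme.nmap.org)\tStatus: Up\n'
    printf 'Host: 45.33.32.156 (scanme.nmap.org)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 9929/open/tcp//nping-echo///\tIgnored State: closed (996)\n'
    printf 'Host: 192.168.2.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.2.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/filtered/tcp//http///\tIgnored State: closed (997)\n'
    printf '# Nmap done at Thu Nov 30 17:05:18 2017 -- 2 IP addresses (2 hosts up) scanned in 17.76 seconds\n'
}

# Print one "ip port/proto service" line per open port in a .gnmap file.
# Fields on a Host: line are tab-separated; each Ports: entry has the form
# port/state/proto/owner/service/rpcinfo/version/ .
open_ports() {  # $1 = path to .gnmap file
    awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                list = $i; sub(/^Ports: /, "", list)
                n = split(list, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                }
            }
        }' "$1"
}

# Report open ports missing from the allowlist ($2: one "ip port/proto" per line).
unexpected_ports() {  # $1 = .gnmap file, $2 = allowlist file
    open_ports "$1" | while read -r ip port service; do
        grep -qxF -- "$ip $port" "$2" || echo "$ip $port $service"
    done
}

# Run the check on the constructed sample with a small allowlist:
# expected to report 9929/tcp on scanme and 23/tcp (telnet) on 192.168.2.1.
demo() {
    dir=$(mktemp -d)
    sample_gnmap > "$dir/scan.gnmap"
    printf '%s\n' '45.33.32.156 22/tcp' '45.33.32.156 80/tcp' \
        '45.33.32.156 443/tcp' '192.168.2.1 22/tcp' > "$dir/allowlist.txt"
    unexpected_ports "$dir/scan.gnmap" "$dir/allowlist.txt"
    rm -rf "$dir"
}

demo
```

Ports in states other than open (such as the filtered 80/tcp on the second host) are ignored, so the report only lists services that are actually reachable and unexpected.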




As you can see, Nmap is a very powerful tool that can help a great deal when starting the reconnaissance phase of a vulnerability assessment (pentesting). The options shown can be combined; it all depends on your imagination. I hope this short tutorial is helpful.

Behave yourselves, and until next time!
