El programa nmap es una herramienta multifunción que permite el examen de IPs, puertos asi como averiguar el S.O. de la máquina remota.
Algunas de las funcionalidades pueden requerir privilegios de Administrador.
casiano@beowulf:~$ nmap -O nereida.deioc.ull.es TCP/IP fingerprinting (for OS scan) requires root privileges. QUITTING!
Una de las funcionalidades mas sencillas es usarlo para ver si una máquina está activa:
nereida:~# nmap -sP somemachine Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-08 18:16 WEST Host somemachine (193.130.112.241) appears to be up. Nmap finished: 1 IP address (1 host up) scanned in 0.138 seconds
Para utilizarlo en el examen de puertos basta con dar la dirección de la máquina:
remotehost:~# nmap remotehost Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-08 12:58 WEST Interesting ports on remotehost (123.130.109.241): Not shown: 1668 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 111/tcp open rpcbind 113/tcp open auth 512/tcp open exec 513/tcp open login 514/tcp open shell 933/tcp open unknown 2049/tcp open nfs 2628/tcp open dict 8000/tcp open http-alt Nmap finished: 1 IP address (1 host up) scanned in 2.130 seconds
Es posible especificar rangos:
nmap 172.16.2.200-250,260
Se puede tambien usar el asterisco *
como comodín:
nereida:~# nmap '190.175.101.*' Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-08 17:37 WEST Interesting ports on router (190.175.101.1): Not shown: 1676 closed ports PORT STATE SERVICE 22/tcp open ssh 23/tcp open telnet 135/tcp filtered msrpc 9999/tcp open abyss MAC Address: 00:2B:1F:E6:A8:00 (Unknown) All 1680 scanned ports on 190.175.101.13 are filtered MAC Address: 00:1B:32:EF:59:9A (Unknown) ................................................
Se pueden especificar subredes en notación CIDR:
Nmap finished: 16 IP addresses (1 host up) scanned in 0.825 seconds mars:~# nmap 194.134.107.252/27 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-09 12:04 WEST Interesting ports on alg14.algebra.MIT.res.uk (194.134.107.230): Not shown: 1679 closed ports PORT STATE SERVICE 22/tcp open ssh MAC Address: FF:E0:7D:D4:0C:4F (Netronix) Interesting ports on 194.134.107.232: Not shown: 1673 closed ports PORT STATE SERVICE 21/tcp open ftp 23/tcp open telnet 80/tcp open http 280/tcp open http-mgmt 515/tcp open printer 631/tcp open ipp 9100/tcp open jetdirect MAC Address: FF:FF:E6:78:43:29 (Hewlett-Packard Company) Interesting ports on alg1.algebra.MIT.res.uk (194.134.107.233): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 515/tcp open printer 756/tcp open unknown 7100/tcp open font-service MAC Address: FF:13:21:AE:3F:49 (Hewlett Packard) Interesting ports on mizar.gt.MIT.res.uk (194.134.107.239): Not shown: 1676 filtered ports PORT STATE SERVICE 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-term-serv MAC Address: 00:FF:F2:EB:70:94 (Asustek Computer) Interesting ports on mars (194.134.107.252): Not shown: 1670 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 111/tcp open rpcbind 113/tcp open auth 512/tcp open exec 513/tcp open login 514/tcp open shell 933/tcp open unknown 2049/tcp open nfs Nmap finished: 32 IP addresses (5 hosts up) scanned in 33.284 seconds mars:~#
Se conoce con el nombre de fingerprinting el proceso de detección del
sistema operativo de una máquina. Las opción -O
de nmap nos permite
hacer fingerprinting:
nereida:~# nmap -O -v 193.242.83.91 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-08 13:35 WEST DNS resolution of 1 IPs took 11.52s. Initiating SYN Stealth Scan against Lbateau-111-44-27-85.w193-252.willy.wonka.fr (193.242.83.91) [1680 ports] at 13:35 Discovered open port 22/tcp on 193.242.83.91 Discovered open port 53/tcp on 193.242.83.91 SYN Stealth Scan Timing: About 10.37% done; ETC: 13:40 (0:04:19 remaining) The SYN Stealth Scan took 107.36s to scan 1680 total ports. Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port For OSScan assuming port 22 is open, 39879 is closed, and neither are firewalled For OSScan assuming port 22 is open, 40432 is closed, and neither are firewalled For OSScan assuming port 22 is open, 35452 is closed, and neither are firewalled Host Lbateau-111-44-27-85.w193-252.willy.wonka.fr (193.242.83.91) appears to be up ... good. Interesting ports on Lbateau-111-44-27-85.w193-252.willy.wonka.fr (193.252.5.85): Not shown: 1678 filtered ports PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain Device type: general purpose Running (JUST GUESSING) : Linux 2.6.X (97%), Microsoft Windows NT/2K/XP (88%) Aggressive OS guesses: Linux 2.6.3 or 2.6.8 (97%), Microsoft Windows 2000 Server SP4 (88%), Microsoft Windows XP Pro SP1 (88%) No exact OS matches for host (test conditions non-ideal). Uptime 3.166 days (since Mon May 5 09:38:32 2008) TCP Sequence Prediction: Class=random positive increments Difficulty=3877295 (Good luck!) IPID Sequence Generation: All zeros Nmap finished: 1 IP address (1 host up) scanned in 129.275 seconds Raw packets sent: 6685 (296.496KB) | Rcvd: 81 (4826B)
El módulo Nmap::Scanner provee una API para controlar rastreos con nmap .
nereida:~/src/perl/Nmap-scanner# cat -n event_ping.pl 1 #!/usr/bin/perl 2 use warnings; 3 use strict; 4 5 use Nmap::Scanner; 6 $|++; 7 8 use strict; 9 10 my $scanner = new Nmap::Scanner; 11 12 my $target_spec = "$ARGV[0]" || 13 die "Missing target spec\n$0 target_spec (e.g. 192.168.1.1)\n"; 14 $scanner->ping_scan(); 15 $scanner->ack_icmp_ping(); 16 $scanner->add_target($target_spec); 17 $scanner->register_scan_started_event(\&scan_started);
En modo orientado a eventos el usuario registra los eventos en los que está interesado pasando como argumento un callback. El scanner llamará al callback en la fase especificada del scan. El callback recibe argumentos que describen el objeto Nmap::Sacnner::Scanner , lo que ha pasado y los datos encontrados.
18 $scanner->scan(); 19 20 sub scan_started { 21 my $self = shift; 22 my $host = shift; 23 24 my $hostname = $host->hostname(); 25 my $ip = ($host->addresses)[0]->addr(); 26 my $status = $host->status; 27 28 print "$hostname ($ip) is $status\n"; 29 30 }Hay cinco tipos de eventos soportados:
scan_started
host closed
no ports open
port found
scan complete
La librería requiere que el usuario sea el root. Al ejecutar obtenemos:
nereida:~/src/perl/Nmap-scanner# event_ping.pl beowulf beowulf (193.145.102.240) is up