Introduction to Nmap



Thomas Bliesener
<bli@melix.mx>

2010-09-24

Platforms

History

Nmap, a movie star

Matrix Reloaded: nmap -v -sS -O 10.2.1.3

http://nmap.org/movies.html

Phases of an Nmap scan

Ping scanning (-sP)

With this option Nmap sends:

Ping scanning (-sP)

root@bli:~# nmap -sP melix.mx

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-24 07:03 CDT
Host melix.com.mx (87.106.166.144) appears to be up.
Nmap done: 1 IP address (1 host up) scanned in 0.632 seconds

Ping scanning: from a list

bli@bli:~$ cat iplist
192.168.8.1
192.168.8.6
192.168.8.9

Ping scan: from a list

bli@bli:~$ nmap -sP -iL iplist

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-23 11:22 CDT
Host bli.melix.mx (192.168.8.1) appears to be up.
Host pepe (192.168.8.6) appears to be up.
Host carlos (192.168.8.9) appears to be up.
Nmap done: 3 IP addresses (3 hosts up) scanned in 0.059 seconds

Ping scan: more options

bli@bli:~$ nmap -n --reason -sP -iL iplist

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-23 11:24 CDT
Host 192.168.8.1 appears to be up, received syn-ack.
Host 192.168.8.6 appears to be up, received conn-refused.
Host 192.168.8.9 appears to be up, received conn-refused.
Nmap done: 3 IP addresses (3 hosts up) scanned in 0.055 seconds

Ping scan: SYN Ping

root@bli:~# nmap -sP ebay.com

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-23 13:03 CDT
Warning: Hostname ebay.com resolves to 4 IPs. Using 66.135.205.14.
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.174 seconds

Ping scan: SYN Ping

root@bli:~# nmap -sP -PS80 ebay.com

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-23 13:04 CDT
Warning: Hostname ebay.com resolves to 4 IPs. Using 66.211.160.87.
Host pages.ebay.com (66.211.160.87) appears to be up.
Nmap done: 1 IP address (1 host up) scanned in 0.655 seconds

Timing (1/3)

Timing (2/3)

bli@bli:~$ nmap -sP 187.146.94.0/25
Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-22 18:50 CDT
Host dsl-187-146-94-1-dyn.prod-infinitum.com.mx (187.146.94.1) appears to be up.
Host dsl-187-146-94-4-dyn.prod-infinitum.com.mx (187.146.94.4) appears to be up.
[...]
Host dsl-187-146-94-125-dyn.prod-infinitum.com.mx (187.146.94.125) appears to be up.
Host dsl-187-146-94-127-dyn.prod-infinitum.com.mx (187.146.94.127) appears to be up.
Nmap done: 128 IP addresses (61 hosts up) scanned in 4.793 seconds

Timing (3/3)

bli@bli:~$ nmap -sP -T5 187.146.94.0/25

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-22 18:49 CDT
Host dsl-187-146-94-1-dyn.prod-infinitum.com.mx (187.146.94.1) appears to be up.
Host dsl-187-146-94-4-dyn.prod-infinitum.com.mx (187.146.94.4) appears to be up.
[...]
Host dsl-187-146-94-36-dyn.prod-infinitum.com.mx (187.146.94.36) appears to be up.
Host dsl-187-146-94-37-dyn.prod-infinitum.com.mx (187.146.94.37) appears to be up.
Nmap done: 128 IP addresses (17 hosts up) scanned in 2.672 seconds

Port Scanning

root@bli:~# nmap scanme.nmap.org

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-23 13:56 CDT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 1708 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed auth
31337/tcp closed Elite

Nmap done: 1 IP address (1 host up) scanned in 44.162 seconds

Port Scanning

root@bli:~# nmap -p 80 scanme.nmap.org

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-23 14:27 CDT
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.378 seconds

Port Scanning: results

Port Scanning

root@bli:~# nmap -sU -p 53 melix.mx

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-24 07:55 CDT
Interesting ports on melix.com.mx (87.106.166.144):
PORT   STATE         SERVICE
53/udp open|filtered domain
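The ping-scan, timing and port-scan slides above all show Nmap 4.x "normal" output. As an added example (not part of these slides or of Nmap itself), the parser below turns that text into structured records, keeps the --reason field and the ambiguous UDP state open|filtered, and compares two host sweeps so that hosts a -T5 sweep missed against a slower sweep can be listed. The sample input is constructed from lines shown on the slides.

```python
import re

# Line shapes of Nmap 4.x normal output, as seen on the slides.
HOST_RE = re.compile(
    r"^Host (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)? appears to be up"
    r"(?:, received (?P<reason>[\w-]+))?\.$"
)
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)$")
DONE_RE = re.compile(
    r"^Nmap done: (?P<addrs>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\) "
    r"scanned in (?P<secs>[\d.]+) seconds$"
)

# Constructed sample, assembled from output lines shown on the slides.
SAMPLE = """\
Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-23 11:24 CDT
Host 192.168.8.1 appears to be up, received syn-ack.
Host pepe (192.168.8.6) appears to be up, received conn-refused.
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/udp    open|filtered domain
Nmap done: 3 IP addresses (2 hosts up) scanned in 0.055 seconds
"""


def parse_nmap_normal(text):
    """Return hosts, ports and the summary line found in Nmap normal output."""
    hosts, ports, summary = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            hosts.append({"name": m["name"], "ip": m["ip"], "reason": m["reason"]})
        elif m := PORT_RE.match(line):
            ports.append({"port": int(m["port"]), "proto": m["proto"],
                          "state": m["state"], "service": m["service"]})
        elif m := DONE_RE.match(line):
            summary = {"addresses": int(m["addrs"]), "up": int(m["up"]), "seconds": float(m["secs"])}
    return {"hosts": hosts, "ports": ports, "summary": summary}


def open_ports(parsed):
    """Ports reported 'open' or 'open|filtered' (the UDP case that needs a follow-up probe)."""
    return [(p["port"], p["proto"], p["state"]) for p in parsed["ports"] if p["state"].startswith("open")]


def hosts_missed_by(baseline, other):
    """IPs up in `baseline` but absent from `other`, e.g. a normal sweep versus a -T5 sweep."""
    return sorted({h["ip"] for h in baseline["hosts"]} - {h["ip"] for h in other["hosts"]})
```

Run it on a saved `nmap -oN` file to get an inventory you can diff between scans.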

Port Scanning: options

Others: TCP Window, TCP FIN, TCP Xmas, TCP Null, TCP Maimon, TCP Idle, TCP Protocol

Operating System Detection

root@bli:~# nmap -T4 -F -O scanme.nmap.org

Starting Nmap 4.62 ( http://nmap.org ) at 2010-09-23 22:37 CDT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 1269 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
[...]
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.18
Uptime: 3.309 days (since Mon Sep 20 15:13:58 2010)

Nmap Scripting Engine (NSE)

Nmap tasks can be automated with the Lua language.

Literature

Gordon "Fyodor" Lyon: "Nmap Network Scanning", Publisher: Nmap Project, 2009, ISBN-13: 978-0979958717

http://nmap.org/book/