Tuesday, 29 April 2008

The NMAP command

Description

Nmap (Network Mapper) is an open-source tool for network exploration and security auditing. It was designed to scan large networks quickly, although it works just as well against single hosts. Nmap uses raw IP packets in novel ways to determine which hosts are available on a network, which services (application name and version) they offer, which operating systems (and versions) they run, what kind of packet filters or firewalls are in use, and dozens of other characteristics.

Installing from the console

To use the program, type the following command in a console:

sudo apt-get install nmap knmap

Note: the "knmap" package is a graphical front-end (a KDE interface to nmap) for those who prefer not to use the console. The examples below only need nmap itself.

Uses of NMAP

Open ports on an IP address

To find the open ports on a host (for example the address 172.26.103.20), run the following from a console. It is run with sudo because, with root privileges, nmap uses a raw SYN scan and can read the MAC addresses of hosts on the local segment; without them it falls back to a slower connect() scan. By default nmap only probes its list of the most common TCP ports; add -p- to cover all 65535.

sudo nmap 172.26.103.20


Finding out the operating system


If we also want to find out which operating system is installed on a machine, we use nmap with the "-O" option, as follows:

sudo nmap -O 172.26.103.20



It should be added that, depending on the target, nmap may or may not be able to tell which operating system it is. Fingerprinting works best when the host has at least one open and one closed TCP port, and when the signature is ambiguous nmap says so ("Too many fingerprints match this host to give specific OS details", as several hosts in the network scan further down show). If you really need to know which operating system the remote host is running, it is better to use a second tool alongside nmap, for example QueSO, a remote operating-system detector, to corroborate the result; its use is not covered here.

Scanning an entire network of computers

To scan every computer on a network, such as our classroom, we give the network address in CIDR notation (172.26.103.0/24): the prefix length after the slash replaces the dotted subnet mask, so /24 stands for 255.255.255.0. In our case the command is:

sudo nmap 172.26.103.0/24

Finding out whether a computer has a specific port open

We can find out whether a given computer on our network is playing Worms by scanning the ports it is using:

sudo nmap -sU -p 1-20000 172.26.103.20

The "-sU" option scans the host's UDP ports, "-p 1-20000" restricts the scan to ports 1 through 20000, and the last argument is the address. UDP scans need root privileges and are slow: for every port nmap must wait either for an application reply or for an ICMP port-unreachable message, and most systems rate-limit those ICMP replies. On the console it looks like this:


alumno@1asi-pc05:~$ sudo nmap -sU -p 1-20000 172.26.103.20

Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-29 10:09 CEST
Interesting ports on 172.26.103.20:
Not shown: 19990 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1031/udp open|filtered iad2
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
17010/udp open|filtered unknown
17012/udp open|filtered unknown
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)

Nmap done: 1 IP address (1 host up) scanned in 4.164 seconds



Looking closely, ports 17010 and 17012 are the ones used by the Worms game, even though the output does not say so: the SERVICE column is looked up in nmap's services table (nmap-services), not learned by probing the application, so ports missing from that table show up as "unknown". Note also that every UDP port here is open|filtered, not open. That state means nmap got no reply at all, which is equally consistent with a listener that silently ignored the empty probe and with a firewall that dropped it; a closed UDP port answers with ICMP port unreachable, and only a service that sends data back is reported as plain open. To tell the cases apart, add version detection (-sV), which sends real application-level probes to those ports.
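The three outcomes behind those state labels can be reproduced without nmap. The following is an added example, not code from the original page or from the nmap project: it probes three UDP ports on 127.0.0.1 with plain sockets (a listener that answers, a listener that stays silent, and a port with nothing bound) and assigns the same labels nmap -sU would print. The helper names, the one-datagram probe and the localhost-only scope are this example's simplifications; nmap sends protocol-specific payloads to well-known ports and retries several times before settling on open|filtered.

```python
"""Why a UDP scan reports open|filtered: a minimal UDP probe against localhost.

Added example, not code from the original page. It reproduces the three
answers nmap's -sU scan can get from a UDP port, using plain sockets on
127.0.0.1 and the same labels nmap prints:
  - the service sends data back                -> "open"
  - the kernel answers ICMP port unreachable   -> "closed"
  - nothing comes back before the timeout      -> "open|filtered"
nmap sends protocol-specific payloads for well-known ports and retries;
this probe sends one datagram and waits once (assumption of this example).
"""
import socket
import threading


def udp_probe(port, timeout=1.0, payload=b"", host="127.0.0.1"):
    """Classify one UDP port with the labels nmap -sU uses."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on a UDP socket sends nothing on the wire; it tells the
        # kernel to hand ICMP port-unreachable errors for this peer to us.
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(4096)
            return "open"              # a reply proves a listener
        except ConnectionRefusedError:
            return "closed"            # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"     # silence: quiet listener or dropped probe


def start_silent_listener():
    """A bound UDP socket that never answers, like NTP or NetBIOS probed with
    an empty datagram. Returns (socket, port); the caller closes the socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def start_echo_listener():
    """A UDP service that answers one datagram from a background thread.
    Returns its port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]

    def serve():
        data, peer = s.recvfrom(4096)
        s.sendto(data or b"pong", peer)  # answer even an empty probe
        s.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_udp_port():
    """Reserve an ephemeral UDP port and release it, so it is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe one port of each kind; returns {expected_state: observed_state}."""
    quiet_sock, quiet_port = start_silent_listener()
    try:
        return {
            "open": udp_probe(start_echo_listener()),
            "open|filtered": udp_probe(quiet_port),
            "closed": udp_probe(free_udp_port()),
        }
    finally:
        quiet_sock.close()


if __name__ == "__main__":
    for expected, observed in demo().items():
        print(f"{expected:>14}: nmap would print {observed}")
```

The silent listener is the interesting case: it is a real, bound service, yet from the outside it is indistinguishable from a firewall that drops the datagram, which is exactly why the Worms scan above cannot say more than open|filtered.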

Finding the open ports of the powered-on computers on a network

Next we find the open ports of all the hosts on our network. "-sUT" combines a UDP scan (-sU) with a TCP connect scan (-sT); in the run shown below "-O" was added as well, so the operating-system guess is printed for each host. We type the following:

sudo nmap -sUT -O 172.26.103.0/24

The console then lists every host on the 172.26.103.0 network that is up, together with its open ports. Note the time reported at the end: the 256 addresses took about 25 minutes, almost all of it spent on the UDP side.


alumno@1asi-pc05:~$ sudo nmap -sUT -O 172.26.103.0/24

Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-30 08:58 CEST
All 3202 scanned ports on 172.26.103.2 are closed (3175) or open|filtered (27)
MAC Address: 00:1A:4D:6E:07:EB (Gigabyte Technology Co.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 172.26.103.5:
Not shown: 3197 closed ports
PORT STATE SERVICE
3128/tcp open squid-http
68/udp open|filtered dhcpc
3130/udp open|filtered squid-ipc
5353/udp open|filtered zeroconf
32768/udp open|filtered omad
MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22, Linux 2.6.22 - 2.6.23
Uptime: 0.030 days (since Wed Apr 30 08:40:33 2008)
Network Distance: 1 hop

Interesting ports on 172.26.103.7:
Not shown: 3195 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure-sensor
68/udp open|filtered dhcpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
5353/udp open|filtered zeroconf
MAC Address: 00:1A:4D:6E:08:60 (Gigabyte Technology Co.)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.20
Uptime: 0.036 days (since Wed Apr 30 08:32:04 2008)
Network Distance: 1 hop

Interesting ports on 172.26.103.8:
Not shown: 3200 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
MAC Address: 00:1A:4D:75:71:79 (Gigabyte Technology Co.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 172.26.103.9:
Not shown: 3199 closed ports
PORT STATE SERVICE
10000/tcp open snet-sensor-mgmt
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.20
Uptime: 0.033 days (since Wed Apr 30 08:36:11 2008)
Network Distance: 1 hop

Interesting ports on 172.26.103.12:
Not shown: 3201 closed ports
PORT STATE SERVICE
5353/udp open|filtered zeroconf
MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

All 3202 scanned ports on 172.26.103.13 are filtered (1714) or open|filtered (1488)
MAC Address: 00:16:17:4F:AF:D5 (MSI)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 172.26.103.17:
Not shown: 3200 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
MAC Address: 00:1B:38:AB:BE:A2 (Compal Information (kunshan) CO.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 172.26.103.20:
Not shown: 3191 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop

Interesting ports on 172.26.103.26:
Not shown: 3184 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
3128/tcp open squid-http
8080/tcp open http-proxy
111/udp open|filtered rpcbind
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
642/udp open|filtered unknown
2049/udp open|filtered nfs
3130/udp open|filtered squid-ipc
5353/udp open|filtered zeroconf
32768/udp open|filtered omad
32773/udp open|filtered sometimes-rpc10
32774/udp open|filtered sometimes-rpc12
32775/udp open|filtered sometimes-rpc14
MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 - 2.6.23
Uptime: 1.037 days (since Tue Apr 29 08:30:35 2008)
Network Distance: 1 hop

Interesting ports on 172.26.103.28:
Not shown: 3201 closed ports
PORT STATE SERVICE
5353/udp open|filtered zeroconf
MAC Address: 00:1A:4D:75:70:94 (Gigabyte Technology Co.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 172.26.103.33:
Not shown: 3197 closed ports
PORT STATE SERVICE
80/tcp open http
3128/tcp open squid-http
3130/udp open|filtered squid-ipc
5353/udp open|filtered zeroconf
32768/udp open|filtered omad
MAC Address: 00:1A:92:55:DC:EF (Asustek Computer)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 - 2.6.23
Uptime: 0.037 days (since Wed Apr 30 08:30:22 2008)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 256 IP addresses (12 hosts up) scanned in 1518.958 seconds




Finally, we will see how to find out whether any host is running an FTP, HTTP or DNS server. To do so we first need the ports those services use:

Port for the FTP server: 21 (TCP)
Port for the DNS server: 53 (UDP, and TCP for zone transfers and large answers)
Port for the HTTP server: 80 (TCP)

With this information at hand we can write the command for the search, which is the following:

sudo nmap -sU -sT -p21,80,53 172.26.103.0/24

As we saw earlier, the -p option specifies the port range or, as above, exact ports separated by commas; the same list is applied to both the TCP (-sT) and the UDP (-sU) scan, which is why each host shows six lines.

Its console output is the following:


alumno@1asi-pc05:~$ sudo nmap -sU -sT -p21,80,53 172.26.103.0/24
[sudo] password for alumno:

Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-30 09:40 CEST
Interesting ports on 172.26.103.2:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:1A:4D:6E:07:EB (Gigabyte Technology Co.)

Interesting ports on 172.26.103.4:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http

Interesting ports on 172.26.103.5:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.7:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:1A:4D:6E:08:60 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.8:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:1A:4D:75:71:79 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.9:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.12:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)

Interesting ports on 172.26.103.13:
PORT STATE SERVICE
21/tcp filtered ftp
53/tcp filtered domain
80/tcp filtered http
21/udp open|filtered ftp
53/udp open|filtered domain
80/udp open|filtered http
MAC Address: 00:16:17:4F:AF:D5 (MSI)

Interesting ports on 172.26.103.17:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:1B:38:AB:BE:A2 (Compal Information (kunshan) CO.)

Interesting ports on 172.26.103.20:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp open http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)

Interesting ports on 172.26.103.26:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp open http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)

Interesting ports on 172.26.103.28:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp closed http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:1A:4D:75:70:94 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.33:
PORT STATE SERVICE
21/tcp closed ftp
53/tcp closed domain
80/tcp open http
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:1A:92:55:DC:EF (Asustek Computer)

Nmap done: 256 IP addresses (13 hosts up) scanned in 7.082 seconds
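Both searches on this page, the Worms check on the UDP ports and the FTP/DNS/HTTP search just above, end with a long listing that has to be read by eye. The following is an added example, not code from the original page or from the nmap project, that turns such a listing into data: it parses the "Interesting ports on ..." and "All N scanned ports on ..." blocks exactly as Nmap 4.53 printed them here (SAMPLE is an abridged verbatim excerpt of the -sUT -O scan above) and then answers questions such as "which hosts have 80/tcp open" or "which hosts gave no answer on 137/udp". The state filter is the point: open|filtered means nmap got no reply, so a Worms-style UDP check has to accept that state explicitly, and a host like 172.26.103.13, which reports every port as filtered or open|filtered, tells us nothing until we know why its probes are dropped. The function names are this example's own. This human-readable format is not a stable interface (newer nmap releases print "Nmap scan report for" instead), so for real tooling have nmap write XML with -oX and parse that.

```python
"""Turn nmap's human-readable output into a queryable inventory.

Added example, not code from the original page or from the nmap project.
It parses the "Interesting ports on ..." / "All N scanned ports on ..."
blocks exactly as Nmap 4.53 printed them on this page. The text format is
not a stable interface (newer versions print "Nmap scan report for"), so
for real tooling have nmap write XML with -oX and parse that instead.
"""
import re
from collections import Counter

# Abridged verbatim excerpt of the "sudo nmap -sUT -O 172.26.103.0/24" run on the page.
SAMPLE = """\
Interesting ports on 172.26.103.20:
Not shown: 3191 closed ports
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop

Interesting ports on 172.26.103.33:
Not shown: 3197 closed ports
PORT STATE SERVICE
80/tcp open http
3128/tcp open squid-http
3130/udp open|filtered squid-ipc
5353/udp open|filtered zeroconf
32768/udp open|filtered omad
MAC Address: 00:1A:92:55:DC:EF (Asustek Computer)
OS details: Linux 2.6.22 - 2.6.23
Network Distance: 1 hop

All 3202 scanned ports on 172.26.103.13 are filtered (1714) or open|filtered (1488)
MAC Address: 00:16:17:4F:AF:D5 (MSI)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap done: 256 IP addresses (12 hosts up) scanned in 1518.958 seconds
"""

HOST_RE = re.compile(r"^(?:Interesting ports on|All \d+ scanned ports on) (\d+(?:\.\d+){3})")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})")
OS_RE = re.compile(r"^OS details: (.+)$")


def parse_nmap(text):
    """Return {ip: {"ports": {(port, proto): (state, service)}, "mac": ..., "os": ...}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):          # a new host block starts here
            cur = hosts.setdefault(m.group(1), {"ports": {}, "mac": None, "os": None})
        elif cur is None:
            continue                          # banner lines before the first host
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            cur["ports"][(int(port), proto)] = (state, service)
        elif m := MAC_RE.match(line):
            cur["mac"] = m.group(1)
        elif m := OS_RE.match(line):
            cur["os"] = m.group(1)
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def hosts_with(hosts, port, proto="tcp", states=("open",)):
    """IPs whose port/proto was reported in one of `states`.
    Pass states=("open", "open|filtered") when "no answer" is acceptable,
    which is the only evidence a UDP scan without -sV ever gives."""
    return sorted(
        (ip for ip, h in hosts.items()
         if h["ports"].get((port, proto), ("absent", ""))[0] in states),
        key=_ip_key,
    )


def state_summary(hosts):
    """Per-host count of port states: shows how little a UDP scan proves."""
    return {ip: dict(Counter(state for state, _ in h["ports"].values()))
            for ip, h in hosts.items()}


if __name__ == "__main__":
    inv = parse_nmap(SAMPLE)
    print("HTTP servers:", hosts_with(inv, 80))
    print("NetBIOS-ns, no reply:", hosts_with(inv, 137, "udp", ("open", "open|filtered")))
    for ip, counts in state_summary(inv).items():
        print(ip, inv[ip]["os"] or "OS unknown", counts)
```

For a full run, feed the parser the file written with -oN instead of the embedded sample; the queries stay the same.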



Bibliography
http://www.estrellateyarde.es/so/nmap-en-linux