Wednesday, July 18, 2012

Nmap in Fedora 17

Nmap is used for audits, vulnerability scanning, security testing and more. :-)
The first step is easy and simple: install it. Open a console, become root and run yum install nmap.

[soporte@BMNG001 ~]$ su -
[root@BMNG001~]# yum install nmap

  nmap.x86_64 2:6.00-1.fc17                                                                                                     
[root@BMNG001 ~]#

Now let's look at the different modes of operation within our network and define some important options, remembering that some of them (the raw-socket scans such as -sS, -sU, -O and ARP ping) must be run as root.

Scan type(s)

-sT The connect() system call is used to connect to every port. If the port is listening, connect() succeeds. This is the TCP scan Nmap falls back to when it is not run as root.

-sS Does not open a full TCP connection. It sends a SYN packet; if a SYN|ACK comes back the port is open and Nmap answers with an RST to tear the half-open connection down, so the handshake never completes and many services never log it.

-sP Use this when you only need to know which hosts are up. Running as root, Nmap sends ICMP echo requests plus TCP SYN and ACK probes in parallel to detect live hosts (and ARP requests on the local Ethernet segment). In Nmap 6 this option is spelled -sn; -sP is kept as a deprecated alias.

-sU Used to find out which UDP ports are open. Closed UDP ports are recognised by the ICMP port unreachable replies they generate, and Linux and other UNIX hosts rate-limit those replies (typically to about one per second), so a UDP scan of many ports against such a host is slow.

-sF -sX -sN Stealth FIN, Xmas Tree and Null scans. The idea is that closed ports answer with an RST packet while open ports must ignore the probe (RFC 793 behaviour). Because Windows (and some other stacks) reply with RST on every port regardless of state, these scans do not work against Windows hosts, which makes them a useful way to distinguish platforms.

General options
-PT <port> Use a TCP ping to the given port to determine which hosts are active (legacy syntax; in Nmap 6 use -PS<port> or -PA<port>).

-R Resolve DNS names for all hosts, including the ones that appear to be down.

--dns-servers <server1[,server2],...> Alternatively, specify which DNS servers to use for name lookups.
-O Report the operating system.
-p 25,80,1000-4000 Scan only ports 25, 80 and 1000 through 4000.
-sV Check the versions of the software listening on the open ports.
-v Enable verbose mode (more than one v is allowed).

Target specification (the target addresses have been stripped from the examples below)

nmap -sS -P0 -sV -O performs a deep scan of the host: SYN scan, no host discovery, service versions and OS detection. (-P0 is the old spelling of -Pn.)

nmap -sT -n -p- -P0 does a TCP connect scan of all 65535 ports without sending a ping first (which a firewall might block) and without reverse DNS lookups; skipping the lookups keeps the scan fast.

nmap -T5 -F -O -iL input.txt does a very fast scan of the hosts listed (one per line) in input.txt, used mainly to detect the OS. Note that -T5 is aggressive enough that probes and replies may be dropped on slow or congested networks, so results can be incomplete; -T4 is usually the safe fast setting.

nmap -sV -n -P0 -p 22 detects which service is running on port 22 of the host and its version.

nmap -sL is a list scan: it only does reverse DNS lookups of every address in the range and prints the addresses with their registered names, without sending any packet to the targets. Addresses with no reverse DNS record appear without a name; this scan says nothing about whether a host is actually up.

nmap -sP -PR looks for live hosts in the range using ARP pings (-PR); ARP is chosen because ICMP pings may be blocked by a firewall. ARP only works on the local Ethernet segment, where Nmap already uses it by default when run as root.

nmap --iflist prints the list of interfaces and routes (useful for checking which interface a scan will leave from).

host -l servertest.com | cut -d " " -f 4 | ./nmap -v -iL - performs a DNS zone transfer (AXFR) for servertest.com to enumerate its hosts and then feeds the addresses to nmap through standard input. This only works if the zone's name server allows transfers to your address; a server that allows AXFR to anyone is itself a finding worth reporting.
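The same idea of chaining steps, carried a little further: the hosts found by an ARP ping sweep become the -iL input for a port scan, and the port scan's grepable output (-oG) is turned into a list of open ports. This is an added example, not code from the original post. The sample -oG lines are constructed by hand in the format Nmap 6 prints; the addresses and hostnames in them are placeholders, not real scan data. Nmap itself is only invoked in the commented workflow at the end, so the parsing part runs offline.

```shell
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output so one scan feeds the next.
# Not code from the original post. The sample lines below are constructed by
# hand in the -oG format; addresses and names are placeholders.

# Print the address of every host reported "Status: Up" in -oG output (stdin).
live_hosts_from_grepable() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Print "<ip>\t<port>/<proto>\t<service>\t<version>" for every open port in
# -oG output (stdin). A -oG port entry looks like
#   22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
# i.e. port/state/proto/owner/service/rpcinfo/version/, entries joined by ", ".
open_ports_from_grepable() {
    awk '/^Host:/ && /Ports:/ {
        ip = $2
        s = $0
        sub(/^.*Ports: /, "", s)              # drop everything before the list
        p = index(s, "Ignored State:")        # trailing summary field, if any
        if (p > 0) s = substr(s, 1, p - 1)
        n = split(s, entries, /, /)
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open")
                print ip "\t" f[1] "/" f[3] "\t" f[5] "\t" f[7]
        }
    }'
}

# Constructed sample: what "nmap -sn -PR -oG -" prints for a small range
# (down hosts are listed only with -v; one is included here for the filter).
sample_discovery() {
    printf '# Nmap 6.00 scan initiated Wed Jul 18 16:05:00 2012 as: nmap -sn -PR -oG - 10.0.0.0/29\n'
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.2 ()\tStatus: Down\n'
    printf 'Host: 10.0.0.5 (fw.example.test)\tStatus: Up\n'
    printf '# Nmap done at Wed Jul 18 16:05:02 2012 -- 8 IP addresses (2 hosts up) scanned in 1.02 seconds\n'
}

# Constructed sample: what "nmap -sS -sV -Pn -n -iL live.txt -oG -" prints.
sample_portscan() {
    printf '# Nmap 6.00 scan initiated Wed Jul 18 16:06:00 2012 as: nmap -sS -sV -Pn -n -iL live.txt -oG -\n'
    printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/closed/tcp//http///\tIgnored State: filtered (998)\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 264/open/tcp//fw1-topology//Check Point FW1 Topology/, 443/open/tcp//ssl|http//Check Point SVN foundation httpd/, 500/closed/tcp//isakmp///\tIgnored State: filtered (997)\n'
    printf '# Nmap done at Wed Jul 18 16:06:30 2012 -- 2 IP addresses (2 hosts up) scanned in 21.13 seconds\n'
}

# Demo on the constructed samples (runs offline, no nmap needed).
echo "Live hosts:"
sample_discovery | live_hosts_from_grepable
echo "Open ports:"
sample_portscan | open_ports_from_grepable

# Real workflow (run as root; replace 10.0.0.0/24 with your own range):
#   nmap -sn -PR -oG - 10.0.0.0/24 | live_hosts_from_grepable > live.txt
#   nmap -sS -sV -Pn -n -iL live.txt -oA ports     # writes ports.nmap, .xml, .gnmap
#   open_ports_from_grepable < ports.gnmap
```

The parsing uses only awk, so the script works on a minimal Fedora install. Keeping the scan results in files (-oA) rather than piping them straight into the next step means a scan can be re-read later with --resume or compared against a previous run.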

You can see all of these options by running nmap with no arguments at the console:

[soporte@BMNG001 ~]$ nmap                                                                                                       
Nmap 6.00 ( http://nmap.org )                                                                                                   
Usage: nmap [Scan Type(s)] [Options] {target specification}                                                                     

TARGET SPECIFICATION:                                                                                                           
  Can pass hostnames, IP addresses, networks, etc.                                                                              
  Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254                                                          
  -iL <inputfilename>: Input from list of hosts/networks                                                                        
  -iR <num hosts>: Choose random targets                                                                                        
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks                                                                 
  --excludefile <exclude_file>: Exclude list from file                                                                          

HOST DISCOVERY:                                                                                                                 
  -sL: List Scan - simply list targets to scan                                                                                  
  -sn: Ping Scan - disable port scan                                                                                            
  -Pn: Treat all hosts as online -- skip host discovery                                                                         
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports                                                     
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes                                                         
  -PO[protocol list]: IP Protocol Ping                                                                                          
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]                                                            
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers                                                                 
  --system-dns: Use OS's DNS resolver                                                                                           
  --traceroute: Trace hop path to each host                                                                                     

SCAN TECHNIQUES:                                                                                                                
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans                                                                    
  -sU: UDP Scan                                                                                                                 
  -sN/sF/sX: TCP Null, FIN, and Xmas scans                                                                                      
  --scanflags <flags>: Customize TCP scan flags                                                                                 
  -sI <zombie host[:probeport]>: Idle scan                                                                                      
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans                                                                                           
  -sO: IP protocol scan                                                                                                         
  -b <FTP relay host>: FTP bounce scan                                                                                          

PORT SPECIFICATION AND SCAN ORDER:                                                                                              
  -p <port ranges>: Only scan specified ports                                                                                   
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9                                                                
  -F: Fast mode - Scan fewer ports than the default scan                                                                        
  -r: Scan ports consecutively - don't randomize                                                                                
  --top-ports <number>: Scan <number> most common ports                                                                         
  --port-ratio <ratio>: Scan ports more common than <ratio>                                                                     

SERVICE/VERSION DETECTION:                                                                                                      
  -sV: Probe open ports to determine service/version info                                                                       
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)                                                         
  --version-light: Limit to most likely probes (intensity 2)                                                                    
  --version-all: Try every single probe (intensity 9)                                                                           
  --version-trace: Show detailed version scan activity (for debugging)                                                          

SCRIPT SCAN:                                                                                                                    
  -sC: equivalent to --script=default                                                                                           
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of                                                            
           directories, script-files or script-categories                                                                       
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts                                                               
  --script-args-file=filename: provide NSE script args in a file                                                                
  --script-trace: Show all data sent and received                                                                               
  --script-updatedb: Update the script database.                                                                                
  --script-help=<Lua scripts>: Show help about scripts.                                                                         
           <Lua scripts> is a comma separated list of script-files or
           script-categories.

OS DETECTION:                                                                                                                   
  -O: Enable OS detection                                                                                                       
  --osscan-limit: Limit OS detection to promising targets                                                                       
  --osscan-guess: Guess OS more aggressively                                                                                    

TIMING AND PERFORMANCE:                                                                                                         
  Options which take <time> are in seconds, or append 'ms' (milliseconds),                                                      
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).                                                         
  -T<0-5>: Set timing template (higher is faster)                                                                               
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes                                                          
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization                                                          
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies                                                       
      probe round trip time.                                                                                                    
  --max-retries <tries>: Caps number of port scan probe retransmissions.                                                        
  --host-timeout <time>: Give up on target after this long                                                                      
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes                                                             
  --min-rate <number>: Send packets no slower than <number> per second                                                          
  --max-rate <number>: Send packets no faster than <number> per second                                                           

FIREWALL/IDS EVASION AND SPOOFING:                                                                                              
  -f; --mtu <val>: fragment packets (optionally w/given MTU)                                                                    
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys                                                                         
  -S <IP_Address>: Spoof source address                                                                                         
  -e <iface>: Use specified interface                                                                                           
  -g/--source-port <portnum>: Use given port number                                                                             
  --data-length <num>: Append random data to sent packets                                                                       
  --ip-options <options>: Send packets with specified ip options                                                                
  --ttl <val>: Set IP time-to-live field                                                                                        
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address                                                          
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum                                                                     

OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.                                                                  
  -oA <basename>: Output in the three major formats at once                                                                     
  -v: Increase verbosity level (use -vv or more for greater effect)                                                             
  -d: Increase debugging level (use -dd or more for greater effect)                                                             
  --reason: Display the reason a port is in a particular state                                                                  
  --open: Only show open (or possibly open) ports                                                                               
  --packet-trace: Show all packets sent and received                                                                            
  --iflist: Print host interfaces and routes (for debugging)                                                                    
  --log-errors: Log errors/warnings to the normal-format output file                                                            
  --append-output: Append to rather than clobber specified output files                                                         
  --resume <filename>: Resume an aborted scan                                                                                   
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML                                                       
  --webxml: Reference stylesheet from Nmap.Org for more portable XML                                                            
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output                                                           

MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute                                                   
  --datadir <dirname>: Specify custom Nmap data file location                                                                   
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets                                                            
  --privileged: Assume that the user is fully privileged                                                                        
  --unprivileged: Assume the user lacks raw socket privileges                                                                   
  -V: Print version number                                                                                                      
  -h: Print this help summary page.                                                                                             

EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn                                                                                         
  nmap -v -iR 10000 -Pn -p 80

And here is a simple but more advanced example. Some details, such as the MAC address, are replaced with X for "security" reasons. Note in the output that 997 of the 1000 default ports are filtered, that the two open services on 264/tcp and 443/tcp identify a Check Point firewall, and that OS detection can only offer guesses because the filtering makes the test conditions non-ideal.

[root@BMNG001 soporte]# nmap -sS -P0 -sV -O                                                                       
Starting Nmap 6.00 ( http://nmap.org ) at 2012-07-18 16:05   EST                                                                   
Nmap scan report for                                                                                                
Host is up (0.00045s latency).                                                                                                  
Not shown: 997 filtered ports                                                                                                   
PORT    STATE  SERVICE      VERSION                                                                                             
264/tcp open   fw1-topology Checkpoint FW1 Topology                                                                             
443/tcp open   ssl/http     Check Point SVN foundation httpd                                                                    
500/tcp closed isakmp                                                                                                           
MAC Address: X:X:X:X:X:X (Lanner Electronics)                                                                             
Device type: firewall|specialized|general purpose|broadband router|WAP                                                          
Running (JUST GUESSING): Check Point Linux 2.6.X|2.4.X (97%), Cisco embedded (91%), Linux 2.6.X|2.4.X (89%), ZyXEL ZyNOS 2.X (88%), Juniper IVE OS 7.X (88%), Endian Linux 2.6.X (87%), IPCop Linux 2.4.X (87%)
OS CPE: cpe:/o:checkpoint:linux:2.6 cpe:/o:checkpoint:linux:2.4 cpe:/o:linux:kernel:2.6.30 cpe:/o:zyxel:zynos:2 cpe:/o:linux:kernel:2.4 cpe:/o:juniper:ive_os:7 cpe:/o:endian:linux:2.6 cpe:/o:ipcop:linux:2.4
Aggressive OS guesses: Check Point VPN-1 firewall (Linux 2.6.18) (97%), Check Point firewall (Linux 2.4.21) (93%), Cisco NME-NAM-80S network analysis module (91%), Linux 2.6.30 (89%), Linux 2.6.24 (Gentoo) (89%), ZyXEL ZyWALL USG 50 firewall (ZyNOS 2.21) (88%), Linux 2.6.24 (88%), OpenWrt Kamikaze 8.09.1 (Linux (88%), OpenWrt (Linux 2.4.32) (88%), Juniper SA4000 SSL VPN gateway (IVE OS 7.0) (88%)
No exact OS matches for host (test conditions non-ideal).                                                                       
Network Distance: 1 hop                                                                                                         
Service Info: Device: firewall                                                                                                  
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .                            
Nmap done: 1 IP address (1 host up) scanned in 21.13 seconds

I hope this material is useful in your daily work.
