Petrov - Nmap

From Wiki-itsos.

Initial Situation

Level-1 virtual machine running Ubuntu Server 14.04

Introduction

Nmap (Network Mapper) is a tool for analysing the elements of a network. It can perform several kinds of scans, either of an entire network or of a single host within that network.

Objectives

Use nmap:

  • to discover the IP addresses on a network
  • to discover the MAC addresses on a network
  • to discover the operating systems on a network
  • to discover the active services of a single host

Actions Performed and Results Obtained

Preliminary Part

  • download and install nmap
root@Petrov-dns:/home/tech# apt-get install nmap
... 
...
...
Configurazione di nmap (6.40-0.2ubuntu1)...
Elaborazione dei trigger per libc-bin (2.19-0ubuntu6)...
root@Petrov-dns:/home/tech#
  • running nmap -h lists all the operations that nmap can perform
root@Petrov-dns:/home/tech# nmap -h
Nmap 6.40 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
[...]
[...]
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
root@Petrov-dns:/home/tech# 

Main Part

Finding MAC and IP addresses

  • To scan all the MAC addresses and IP addresses of a LAN, run the command nmap -sn <LAN IP/subnet mask>. On a directly connected subnet this host discovery is done with ARP, which is why a MAC address (and its vendor prefix) is reported for every host except the scanning machine itself.
root@Petrov-dns:/home/tech# nmap -sn 10.200.7.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2016-14-01 09:07 CET
Nmap scan report for 10.200.7.1
Host is up (0.11s latency).
MAC Address: 00:15:C5:F1:59:C4 (Dell ESG Pcba Test)
Nmap scan report for 10.200.7.3
Host is up (0.00042s latency).
MAC Address: 08:00:27:5A:F8:1A (Cadmus Computer Systems)
Nmap scan report for 10.200.7.5
Host is up (0.00028s latency).
MAC Address: 08:00:27:7B:C8:1A (Cadmus Computer Systems)
Nmap scan report for 10.200.7.6
Host is up (0.00039s latency).
MAC Address: 08:00:27:5A:F8:1A (Cadmus Computer Systems)
Nmap scan report for 10.200.7.7
Host is up (0.00032s latency).
MAC Address: 08:00:27:74:0A:20 (Cadmus Computer Systems)
Nmap scan report for 10.200.7.9
Host is up (0.00067s latency).
MAC Address: 08:00:27:B0:F9:A2 (Cadmus Computer Systems)
Nmap scan report for 10.200.7.10
Host is up (0.00060s latency).
MAC Address: 08:00:27:B0:0E:9C (Cadmus Computer Systems)
Nmap scan report for 10.200.7.11
Host is up (0.00047s latency).
MAC Address: 08:00:27:E6:1B:A3 (Cadmus Computer Systems)
Nmap scan report for 10.200.7.13
Host is up (-0.10s latency).
MAC Address: 08:00:27:80:B1:98 (Cadmus Computer Systems)
Nmap scan report for 10.200.7.16
Host is up (-0.10s latency).
MAC Address: 08:00:27:32:8D:25 (Cadmus Computer Systems)
Nmap scan report for 10.200.7.17
Host is up (-0.10s latency).
MAC Address: 08:00:27:5A:F8:1A (Cadmus Computer Systems)
Nmap scan report for 10.200.7.18
Host is up (-0.10s latency).
MAC Address: 08:00:27:F6:A4:DE (Cadmus Computer Systems)
Nmap scan report for 10.200.7.19
Host is up (-0.10s latency).
MAC Address: 08:00:27:70:6F:1E (Cadmus Computer Systems)
Nmap scan report for 10.200.7.21
Host is up (-0.10s latency).
MAC Address: 08:00:27:1B:1F:2F (Cadmus Computer Systems)
Nmap scan report for 10.200.7.22
Host is up (-0.10s latency).
MAC Address: 08:00:27:5A:F8:1A (Cadmus Computer Systems)
Nmap scan report for 10.200.7.25
Host is up (0.00033s latency).
MAC Address: 08:00:27:84:D9:56 (Cadmus Computer Systems)
Nmap scan report for 10.200.7.45
Host is up (-0.13s latency).
MAC Address: 00:1E:67:6A:71:A5 (Intel Corporate)
Nmap scan report for 10.200.7.101
Host is up (-0.13s latency).
MAC Address: C8:9C:DC:D2:2F:14 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.112
Host is up (0.00022s latency).
MAC Address: C8:9C:DC:D2:81:96 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.113
Host is up (0.00024s latency).
MAC Address: C8:9C:DC:D2:49:E8 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.118
Host is up (0.00025s latency).
MAC Address: C8:9C:DC:D2:7E:3C (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.143
Host is up (0.00025s latency).
MAC Address: C8:9C:DC:D2:4B:BC (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.185
Host is up (0.00033s latency).
MAC Address: C8:9C:DC:D2:46:3E (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.189
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:7E:43 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.190
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:81:F4 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.192
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:81:F3 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.202
Host is up (0.00022s latency).
MAC Address: C8:9C:DC:D2:83:55 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.204
Host is up (0.00026s latency).
MAC Address: C8:9C:DC:D2:82:31 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.208
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:83:62 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.215
Host is up (-0.10s latency).
MAC Address: 08:00:27:7E:75:ED (Cadmus Computer Systems)
Nmap scan report for 10.200.7.216
Host is up (0.00034s latency).
MAC Address: C8:9C:DC:D2:82:45 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.219
Host is up (0.00016s latency).
MAC Address: C8:9C:DC:D2:81:2F (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.222
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:45:62 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.234
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:7E:33 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.239
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:7E:E7 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.240
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:7E:55 (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.251
Host is up (-0.10s latency).
MAC Address: C8:9C:DC:D2:49:BA (Elitegroup Computer System CO.)
Nmap scan report for 10.200.7.27
Host is up.
Nmap done: 256 IP addresses (38 hosts up) scanned in 6.66 seconds

Finding the OS of multiple hosts

  • To analyse the operating systems used by the hosts of a LAN I use the command nmap -O <LAN IP/subnet mask>
root@Petrov-dns:/home/tech# nmap -O 10.200.7.0/24
Nmap scan report for 10.200.7.192
Host is up (0.00034s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:81:F3 (Elitegroup Computer System CO.)
Aggressive OS guesses: Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 - 3.9 (95%), Linux 2.6.32 (93%), Linux 3.8 (93%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6) (92%), Linux 2.6.32 - 3.2 (91%), Linux 2.6.22 (91%), Linux 2.4.26 (Slackware 10.0.0) (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.202
Host is up (0.00036s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:83:55 (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.32 - 2.6.35 (93%), Linux 2.6.32 - 3.2 (93%), Linux 3.0 - 3.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.204
Host is up (0.00034s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:82:31 (Elitegroup Computer System CO.)
Aggressive OS guesses: Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 - 3.9 (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.26 - 2.6.35 (93%), Linux 2.6.32 - 2.6.35 (93%), Linux 2.6.32 - 3.2 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.208
Host is up (0.00037s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:83:62 (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.26 - 2.6.35 (94%), Linux 2.6.32 - 2.6.35 (93%), Linux 2.6.32 - 3.2 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.216
Host is up (0.00038s latency).
Not shown: 95 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:82:45 (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.26 - 2.6.35 (94%), Linux 2.6.32 - 2.6.35 (93%), Linux 2.6.32 - 3.2 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.219
Host is up (0.00018s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:81:2F (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.32 - 2.6.35 (93%), Linux 2.6.32 - 3.2 (93%), Linux 2.6.26 - 2.6.35 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.222
Host is up (0.00027s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:45:62 (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.32 - 3.2 (93%), Linux 2.6.26 - 2.6.35 (93%), Linux 2.6.32 - 2.6.35 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.234
Host is up (0.00034s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:7E:33 (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.32 - 3.2 (93%), Linux 2.6.26 - 2.6.35 (93%), Linux 2.6.32 - 2.6.35 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.239
Host is up (0.00040s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:7E:E7 (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.32 - 2.6.35 (93%), Linux 3.0 - 3.9 (93%), Linux 2.6.26 - 2.6.35 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.251
Host is up (0.00039s latency).
Not shown: 96 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:49:BA (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (95%), Linux 2.6.32 (95%), Linux 3.8 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.26 - 2.6.35 (94%), Linux 2.6.32 - 3.2 (93%), Linux 2.6.32 - 2.6.35 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 10.200.7.253
Host is up (0.00059s latency).
All 100 scanned ports on 10.200.7.253 are closed
MAC Address: 08:00:27:81:CF:83 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (36 hosts up) scanned in 240.50 seconds
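The nmap -sn and nmap -O runs above produce Nmap's "normal" text output; the following added example (my code, not the page author's or the Nmap project's) parses that format into per-host records and runs two checks a defender would make on this inventory: MAC addresses bound to more than one IP (as 08:00:27:5A:F8:1A is above) and hosts exposing SMB. The sample input is a constructed subset of the page's own output.

```python
# Added example, not the page author's or the Nmap project's code: parse Nmap "normal"
# output (the format of the -sn and -O runs above) and run two inventory checks on it.
import re

# Constructed sample: a handful of lines taken from the page's nmap -sn and -O output.
SAMPLE = """\
Nmap scan report for 10.200.7.3
MAC Address: 08:00:27:5A:F8:1A (Cadmus Computer Systems)
Nmap scan report for 10.200.7.6
MAC Address: 08:00:27:5A:F8:1A (Cadmus Computer Systems)
Nmap scan report for 10.200.7.216
PORT    STATE SERVICE
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: C8:9C:DC:D2:82:45 (Elitegroup Computer System CO.)
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Linux 2.6.32 (95%)
Nmap scan report for 10.200.7.27
Host is up.
Nmap done: 256 IP addresses (38 hosts up) scanned in 6.66 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
GUESS_RE = re.compile(r"^Aggressive OS guesses: (.+?) \((\d+)%\)")

def parse_nmap(text):
    """Return one dict per host: ip, mac, vendor, open ports, best OS guess."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):          # a new per-host report starts here
            cur = {"ip": m.group(1), "mac": None, "vendor": None, "ports": [], "os": None}
            hosts.append(cur)
        elif m := MAC_RE.match(line):
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
        elif m := PORT_RE.match(line):
            cur["ports"].append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := GUESS_RE.match(line):
            cur["os"] = (m.group(1), int(m.group(2)))   # nmap lists the best guess first
    return hosts

def duplicate_macs(hosts):
    """MACs seen on more than one IP: cloned VMs, NAT, or ARP-spoofing suspects."""
    by_mac = {}
    for h in hosts:
        if h["mac"]:                          # the scanner itself (10.200.7.27) has no MAC line
            by_mac.setdefault(h["mac"], []).append(h["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def smb_exposed(hosts):
    """Hosts with NetBIOS/SMB (139 or 445/tcp) open, to review against firewall policy."""
    return [h["ip"] for h in hosts
            if any(proto == "tcp" and port in (139, 445) for port, proto, _ in h["ports"])]
```

Feed parse_nmap a report saved with -oN and pass the result to the two checks; on the sample it reports the MAC shared by 10.200.7.3 and 10.200.7.6 and flags 10.200.7.216 for SMB.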

Finding the OS of a single host

  • To check the operating system used by a host I use the command nmap -O <host IP address>
root@Petrov-dns:/home/tech# nmap -O 10.200.7.27

Starting Nmap 6.40 ( http://nmap.org ) at 2016-14-01 09:12 CET
Nmap scan report for 10.200.7.27
Host is up (0.000026s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=11/10%OT=22%CT=1%CU=41953%PV=Y%DS=0%DC=L%G=Y%TM=5641C8
OS:27%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=I%TS=8)SEQ(SP=
OS:105%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=8)OPS(O1=MFFD7ST11NW7%O2=MFFD7ST11NW
OS:7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=MFFD7ST11NW7%O6=MFFD7ST11)WIN(W1=A
OS:AAA%W2=AAAA%W3=AAAA%W4=AAAA%W5=AAAA%W6=AAAA)ECN(R=Y%DF=Y%T=40%W=AAAA%O=M
OS:FFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)
OS:T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.64 seconds

Finding all the active network ports of a host

  • To analyse the network ports of a host, run the command nmap -v <host IP address>. By default Nmap scans only the 1000 most common TCP ports (the "[1000 ports]" in the output below); -p- scans all 65535.
root@Petrov-dns:/home/tech# nmap -v 10.200.7.27

Starting Nmap 6.40 ( http://nmap.org ) at 2016-14-01 09:28 CET
Initiating Parallel DNS resolution of 1 host. at 08:28
Completed Parallel DNS resolution of 1 host. at 08:28, 0.00s elapsed
Initiating SYN Stealth Scan at 08:28
Scanning 10.200.7.27 [1000 ports]
Discovered open port 53/tcp on 10.200.7.27
Discovered open port 22/tcp on 10.200.7.27
Increasing send delay for 10.200.7.27 from 0 to 5 due to 13 out of 43 dropped probes since last increase.
Increasing send delay for 10.200.7.27 from 5 to 10 due to 39 out of 128 dropped probes since last increase.
Increasing send delay for 10.200.7.27 from 10 to 20 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 10.200.7.27 from 20 to 40 due to 11 out of 24 dropped probes since last increase.
Increasing send delay for 10.200.7.27 from 40 to 80 due to 11 out of 30 dropped probes since last increase.
SYN Stealth Scan Timing: About 45.83% done; ETC: 08:29 (0:00:37 remaining)
Completed SYN Stealth Scan at 08:30, 89.64s elapsed (1000 total ports)
Nmap scan report for 10.200.7.27
Host is up (0.000025s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 89.69 seconds
           Raw packets sent: 1291 (56.804KB) | Rcvd: 2585 (108.576KB)