Nmap is a fairly powerful open-source program whose job is to scan a network for hosts, operating systems and the services listening on open ports, to perform various other network scanning tasks, and also to look for vulnerabilities by means of scripting. In short, it is a tool for examining a network and checking its security. Nmap is short for Network Mapper and is available for almost every operating system.

An excellent nmap manual in our language (to avoid confusion, "our" = Serbian, Croatian, Bosnian) is available at nmap's official address: https://nmap.org/man/hr/

Here are some examples. I did not want to put real public addresses in (I have marked them with XXX) so that nobody gets the urge to scan them for no good reason. Instead of a single IP address you can also play around a bit with ranges, e.g.:

  • nmap 192.168.1.50 192.168.55.100 (two IP addresses to scan)
  • nmap 192.168.1.0/24 (the whole subnet, i.e. 192.168.1.0-192.168.1.254)
  • nmap 192.168.1.* (the subnet using a wildcard character)
  • nmap 192.168.1.111,116,220 (scan only 3 IP addresses from the range, separated by commas; in this case 192.168.1.111, 192.168.1.116 and 192.168.1.220)
  • nmap 192.168.1.50-115 (scan the range 192.168.1.50-192.168.1.115)
  • nmap 192.168.1.0/24 --exclude 192.168.1.200 (scan everything except one IP address)
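
As an added example (not code from the original post), the small POSIX shell helper below expands one Nmap-style target specification into the individual IPv4 addresses it covers, and applies an --exclude-style filter, so the scope of a scan can be checked before a single packet is sent. The function names expand_target and expand_scope are this example's own, and it simplifies Nmap's notation: ranges, comma lists and * are honoured only in the last octet, and CIDR prefixes only from /24 to /32.

```shell
#!/bin/sh
# Added example, not code from the original post. Expands one Nmap-style
# target specification into the IPv4 addresses it covers. Simplification of
# this example: ranges, comma lists and "*" are honoured only in the last
# octet, and CIDR prefixes only from /24 to /32.

expand_target() {
  printf '%s\n' "$1" | awk -F'[./]' '
    function emit(a, b, c, d) { printf "%d.%d.%d.%d\n", a, b, c, d }
    NF == 5 {                                # a.b.c.d/prefix
      prefix = $5 + 0
      if (prefix < 24 || prefix > 32) {
        print "unsupported prefix in " $0 > "/dev/stderr"; exit 1
      }
      size  = 2 ^ (32 - prefix)              # addresses in the block
      start = int($4 / size) * size          # first address of the block
      for (i = 0; i < size; i++) emit($1, $2, $3, start + i)
      next
    }
    NF == 4 {                                # a.b.c.X with X = n, n-m, n,m,o or *
      last = ($4 == "*") ? "0-255" : $4
      n = split(last, parts, ",")
      for (p = 1; p <= n; p++) {
        if (split(parts[p], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
        else                               { lo = hi = parts[p] + 0 }
        for (i = lo; i <= hi; i++) emit($1, $2, $3, i)
      }
      next
    }
    { print "unrecognised target: " $0 > "/dev/stderr"; exit 1 }'
}

# expand_scope SPEC [EXCLUDE]: like expand_target, minus every address that
# EXCLUDE (same notation, as with nmap --exclude) covers.
expand_scope() {
  if [ -z "$2" ]; then
    expand_target "$1"
    return
  fi
  excluded=$(expand_target "$2")
  expand_target "$1" | awk -v excl="$excluded" '
    BEGIN { n = split(excl, e, "\n"); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
    !($0 in skip)'
}

# Dry run of the last bullet above: the whole /24 without .200
expand_scope 192.168.1.0/24 192.168.1.200
```

For a space-separated list of targets, call expand_target once per argument. The /24 expansion deliberately includes the .0 and .255 addresses, because that is what the CIDR block contains; whether the network and broadcast addresses are worth probing is a decision to make while reviewing the list, not something the helper hides.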

How can a malicious user make use of nmap? Take the well-known scene from The Matrix: scan the network, find, say, a server running the leaky SSH v1 protocol, and log in to the server itself through an exploit of that protocol. You can see the technical side of that whole hack at this link.

These are some of the scans I usually run.

# Scanning the operating system at an IP address
nmap -O XXX.XXX.XXX.XXX

# -O = operating system detection

####### Scan result ###########
# Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 09:56 CET
# Nmap scan report for XXX.XXX.XXX.XXX
# Host is up (0.044s latency).
# Not shown: 996 filtered ports
# PORT      STATE  SERVICE
# 80/tcp    open   http
# 443/tcp   open   https
# 12000/tcp closed cce4x
# 50000/tcp open   ibm-db2
# Device type: general purpose|WAP|media device|specialized|webcam
# Running (JUST GUESSING): Linux 2.6.X|3.X (97%), Netgear embedded (93%), Western Digital embedded (93%), Crestron 2-Series (92%), AXIS Linux 2.6.X (88%)
# OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/h:netgear:dg834g cpe:/o:westerndigital:wd_tv cpe:/o:crestron:2_series cpe:/h:axis:210a_network_camera cpe:/h:axis:211_network_camera cpe:/o:axis:linux_kernel:2.6
# Aggressive OS guesses: Linux 2.6.32 - 3.6 (97%), Linux 2.6.32 - 3.9 (97%), Linux 2.6.32 (95%), Linux 2.6.32 - 3.2 (94%), Netgear DG834G WAP or Western Digital WD TV media player (93%), Linux 3.0 - 3.9 (93%), Linux 3.3 (93%), Crestron XPanel control system (92%), Linux 2.6.38 - 3.0 (92%), Linux 3.0 - 3.1 (91%)
# No exact OS matches for host (test conditions non-ideal).
# 
# OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds

# Scanning the version of the software listening on the open ports of an IP address
nmap -sV XXX.XXX.XXX.XXX

# -sV = detect the version of the software listening on the given port

########### Scan result ##############################
# Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 09:53 CET
# Nmap scan report for XXX.XXX.XXX.XXX
# Host is up (0.044s latency).
# Not shown: 996 filtered ports
# PORT      STATE  SERVICE VERSION
# 80/tcp    open   http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.6.28)
# 443/tcp   open   http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.6.28)
# 12000/tcp closed cce4x
# 50000/tcp open   ftp     vsftpd 3.0.2
# Service Info: OS: Unix
# 
# Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds

# Quickly give basic information about the host being scanned
nmap -A -T4 XXX.XXX.XXX.XXX

# -A = detect the OS version and the version of whatever listens on each port, and also run script scanning and traceroute
# -T4 = timing template, 0-5; the higher the number, the faster the scan

######### Scan result ############
# Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 10:05 CET
# Nmap scan report for XXX.XXX.XXX.XXX
# Host is up (0.053s latency).
# Not shown: 995 closed ports
# PORT     STATE    SERVICE        VERSION
# 22/tcp   open     tcpwrapped
# 646/tcp  filtered ldp
# 711/tcp  filtered cisco-tdp
# 2000/tcp open     bandwidth-test MikroTik bandwidth-test server
# 8291/tcp open     tcpwrapped
# Device type: general purpose
# Running: Linux 2.6.X|3.X
# OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
# OS details: Linux 2.6.32 - 3.9
# Network Distance: 12 hops
# 
# TRACEROUTE
# HOP RTT      ADDRESS
# 1   52.89 ms XXX.XXX.XXX.XXX
# 
# OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 11.16 seconds

# Scanning a port range on some IP address
nmap -Pn -p 1-10000 XXX.XXX.XXX.XXX

# -Pn = skip the ping (host discovery) and treat the host as up; this gets past a firewall that drops ping probes
# -p = a single port (e.g. 80), several ports (e.g. 21,80,1521) or a port range (e.g. 80-500) to scan

######## Scan result #########
# Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 10:18 CET
# Nmap scan report for XXX-XXX-XXX-XXX.static.isp.telekom.rs (XXX.XXX.XXX.XXX)
# Host is up (0.075s latency).
# Not shown: 59995 filtered ports
# PORT      STATE SERVICE
# 80/tcp    open  http
# 5766/tcp  open  unknown
# 15487/tcp open  unknown
# 31313/tcp open  unknown
# 36458/tcp open  unknown

# Writing the scan result to a file (use this when there are many results)
nmap -Pn -p- -T4 XXX.XXX.XXX.XXX -oN /tmp/rezultat.txt

# -p- = scan all ports
# -oN = normal output to a file (there are other output formats too, e.g. XML...)

# The scan result is in the file /tmp/rezultat.txt
vim /tmp/rezultat.txt

# Scanning all hosts inside some LAN range
nmap 192.168.224.0/24 -sP -sL

# -sP = ping scan: only whether the host answers a ping
# -sL = list scan: also give the hostname (reverse DNS) if possible

# If we only need the live IP addresses we can mix grep into the story too, e.g.
nmap 192.168.224.0/24 -n -sP | grep report | awk '{print $5}'

# -n = no DNS resolution of the names the computers have on the network

# Scan and use the default available scripts for security checks
# On CentOS they are located in the folder /usr/share/nmap/scripts/
nmap -sV -sC kompjuteras.com

# More about the scripts: https://nmap.org/book/man-nse.html
# and here: https://goo.gl/JmyVen

##### Scan result for the kompjuteras.com site #####
# Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-21 16:41 CET
# Nmap scan report for kompjuteras.com (212.24.107.33)
# Host is up (0.053s latency).
# rDNS record for 212.24.107.33: sajt.ga
# Not shown: 989 filtered ports
# PORT     STATE  SERVICE     VERSION
# 25/tcp   closed smtp
# 53/tcp   closed domain
# 80/tcp   open   http        nginx
# |_http-methods: No Allow or Public header in OPTIONS response (status code 301)
# |_http-title: Did not follow redirect to https://kompjuteras.com/ and no page was returned.
# |_http-favicon:
# 110/tcp  closed pop3
# 143/tcp  closed imap
# 443/tcp  open   http        nginx
# |_http-title: 400 The plain HTTP request was sent to HTTPS port
# |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
# 465/tcp  closed smtps
# 587/tcp  closed submission
# 993/tcp  closed imaps
# 995/tcp  closed pop3s
# 2525/tcp closed ms-v-worlds
# 
# Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
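
As an added example (not code from the original post), the POSIX shell parser below works offline on Nmap's normal (-oN) output, the format of every scan report above and of the /tmp/rezultat.txt file from the -oN command. It lists the live hosts (the same idea as the grep | awk pipeline in the LAN section, but it also copes with the "hostname (IP)" form that appears when DNS is not disabled), lists every open port with its service and version, and compares the open ports against a baseline of expected exposure so that anything nobody signed off on stands out. The scan text and the baseline are constructed sample data; the function names live_hosts, open_ports and unexpected_ports are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: parse Nmap's normal (-oN)
# output offline. Everything below is constructed sample data that mirrors
# the format of the scan reports shown above.

SAMPLE_SCAN='Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 10:05 CET
Nmap scan report for 192.168.224.5
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 5.3 (protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.6
646/tcp  filtered ldp

Nmap scan report for gw.lan.example (192.168.224.9)
Host is up (0.0020s latency).
All 1000 scanned ports on gw.lan.example (192.168.224.9) are closed

Nmap scan report for 192.168.224.12
Host is up (0.0015s latency).
Not shown: 998 filtered ports
PORT      STATE SERVICE VERSION
443/tcp   open  http    nginx
50000/tcp open  ftp     vsftpd 3.0.2
Nmap done: 256 IP addresses (3 hosts up) scanned in 11.16 seconds'

# Constructed baseline of "ip port/proto" pairs that are supposed to be reachable.
BASELINE='192.168.224.5 22/tcp
192.168.224.5 80/tcp
192.168.224.12 443/tcp'

# live_hosts SCAN: one IP per host that Nmap reported on. Same idea as the
# grep | awk pipeline above, but it also handles "hostname (IP)" lines.
live_hosts() {
  printf '%s\n' "$1" | awk '
    /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# open_ports SCAN: "ip port/proto service [version...]" for every open port;
# filtered and closed ports are skipped.
open_ports() {
  printf '%s\n' "$1" | awk '
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
    /^[0-9]+\/(tcp|udp)/ && $2 == "open" {
      line = host " " $1 " " $3
      for (i = 4; i <= NF; i++) line = line " " $i
      print line
    }'
}

# unexpected_ports SCAN BASELINE: open ports whose "ip port/proto" pair is
# not in the baseline, i.e. exposure that still needs explaining.
unexpected_ports() {
  open_ports "$1" | awk -v base="$2" '
    BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    !(($1 " " $2) in ok)'
}

echo "live hosts:";      live_hosts "$SAMPLE_SCAN"
echo "open ports:";      open_ports "$SAMPLE_SCAN"
echo "not in baseline:"; unexpected_ports "$SAMPLE_SCAN" "$BASELINE"
```

To use it on a real result, read the file instead of the constructed string, e.g. unexpected_ports "$(cat /tmp/rezultat.txt)" "$BASELINE". Keeping the baseline in version control and running the comparison after every scheduled scan turns the raw report into a short list of changes, which is far easier to review than a thousand-port listing.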