Nmap – definition and practical usage examples
Nmap is a fairly powerful open-source program whose job is to scan a network for hosts, operating systems and services listening on open ports, to perform various other network scanning activities, and also to look for vulnerabilities with its scripting engine; in short, it is used to examine a network and check its security. Nmap is short for Network Mapper and it comes in versions for almost every operating system.
An excellent nmap manual in our language (to avoid confusion, ours = Serbian, Croatian, Bosnian) is available on nmap's official site: https://nmap.org/man/hr/
These are some examples; I did not want to use real public addresses (I replaced them with XXX) so that nobody gets the urge to scan them through no fault of their own. Instead of a single IP address you can also play around a bit with ranges, e.g.:
- nmap 192.168.1.50 192.168.55.100 (two IP addresses to scan)
- nmap 192.168.1.0/24 (the whole "subnet", i.e. 192.168.1.0-192.168.1.254)
- nmap 192.168.1.* (subnet using the wildcard character)
- nmap 192.168.1.111,116,220 (scan only 3 IP addresses from the range, separated by commas; in this case 192.168.1.111, 192.168.1.116 and 192.168.1.220)
- nmap 192.168.1.50-115 (scan the range 192.168.1.50-192.168.1.115)
- nmap 192.168.1.0/24 --exclude 192.168.1.200 (scan everything except one IP address)
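To see exactly which addresses each of the target notations above covers before a scan is run (useful when confirming that a scan stays inside an authorised scope), here is an added example, not code from the original post or from nmap itself. It assumes IPv4 targets only; the function and variable names are my own.

```python
import ipaddress
from itertools import product

def _expand_octet(spec):
    """Expand one octet field: '5', '*', '50-115' or '111,116,220'."""
    values = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.extend(range(int(lo or 0), int(hi or 255) + 1))
        else:
            values.append(int(part))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("octet out of range: %s" % spec)
    return values

def expand_target(spec):
    """Return the addresses (as strings) that one nmap target spec covers."""
    if "/" in spec:  # CIDR: every address in the block, .0 and .255 included
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 spec: %s" % spec)
    fields = [_expand_octet(o) for o in octets]
    return [".".join(str(v) for v in combo) for combo in product(*fields)]

def scan_scope(targets, exclude=()):
    """Addresses nmap would probe for these targets, minus any --exclude specs."""
    covered = set()
    for t in targets:
        covered.update(expand_target(t))
    for x in exclude:
        covered.difference_update(expand_target(x))
    return covered
```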
How can a malicious user make use of nmap? Take the well-known scene from The Matrix: she scans the network, finds say a server running the vulnerable SSH v1 protocol, and logs into that server through it with an exploit. You can see the technical side of that whole hack at this link.
These are some scans that I usually run.
# Scan the operating system on an IP address
nmap -O XXX.XXX.XXX.XXX
# -O = operating system detection
####### Scan result ###########
# Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 09:56 CET
# Nmap scan report for XXX.XXX.XXX.XXX
# Host is up (0.044s latency).
# Not shown: 996 filtered ports
# PORT STATE SERVICE
# 80/tcp open http
# 443/tcp open https
# 12000/tcp closed cce4x
# 50000/tcp open ibm-db2
# Device type: general purpose|WAP|media device|specialized|webcam
# Running (JUST GUESSING): Linux 2.6.X|3.X (97%), Netgear embedded (93%), Western Digital embedded (93%), Crestron 2-Series (92%), AXIS Linux 2.6.X (88%)
# OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/h:netgear:dg834g cpe:/o:westerndigital:wd_tv cpe:/o:crestron:2_series cpe:/h:axis:210a_network_camera cpe:/h:axis:211_network_camera cpe:/o:axis:linux_kernel:2.6
# Aggressive OS guesses: Linux 2.6.32 - 3.6 (97%), Linux 2.6.32 - 3.9 (97%), Linux 2.6.32 (95%), Linux 2.6.32 - 3.2 (94%), Netgear DG834G WAP or Western Digital WD TV media player (93%), Linux 3.0 - 3.9 (93%), Linux 3.3 (93%), Crestron XPanel control system (92%), Linux 2.6.38 - 3.0 (92%), Linux 3.0 - 3.1 (91%)
# No exact OS matches for host (test conditions non-ideal).
#
# OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds
# Scan the version of the software listening on the open ports of an IP address
nmap -sV XXX.XXX.XXX.XXX
# -sV = detect the version of the software listening on each port
########### Scan result ##############################
# Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 09:53 CET
# Nmap scan report for XXX.XXX.XXX.XXX
# Host is up (0.044s latency).
# Not shown: 996 filtered ports
# PORT STATE SERVICE VERSION
# 80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.6.28)
# 443/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.6.28)
# 12000/tcp closed cce4x
# 50000/tcp open ftp vsftpd 3.0.2
# Service Info: OS: Unix
#
# Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds
# Quickly give the basic information about the host being scanned
nmap -A -T4 XXX.XXX.XXX.XXX
# -A = detect the OS version and the version of whatever listens on each port, run script scanning and traceroute
# -T4 = timing template, 0-5; the higher the number, the faster the scan
######### Scan result ############
# Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 10:05 CET
# Nmap scan report for XXX.XXX.XXX.XXX
# Host is up (0.053s latency).
# Not shown: 995 closed ports
# PORT STATE SERVICE VERSION
# 22/tcp open tcpwrapped
# 646/tcp filtered ldp
# 711/tcp filtered cisco-tdp
# 2000/tcp open bandwidth-test MikroTik bandwidth-test server
# 8291/tcp open tcpwrapped
# Device type: general purpose
# Running: Linux 2.6.X|3.X
# OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
# OS details: Linux 2.6.32 - 3.9
# Network Distance: 12 hops
#
# TRACEROUTE
# HOP RTT ADDRESS
# 1 52.89 ms XXX.XXX.XXX.XXX
#
# OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 11.16 seconds
# Scan a range of ports on an IP address
nmap -Pn -p 1-10000 XXX.XXX.XXX.XXX
# -Pn = skip host discovery (no ping) and scan the host even if a firewall drops ping probes
# -p = a single port (e.g. 80), several ports (e.g. 21,80,1521) or a port range (e.g. 80-500) to scan
######## Scan result #########
# Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-21 10:18 CET
# Nmap scan report for XXX.XXX.XXX.XXX.static.isp.telekom.rs (XXX.XXX.XXX.XXX)
# Host is up (0.075s latency).
# Not shown: 59995 filtered ports
# PORT STATE SERVICE
# 80/tcp open http
# 5766/tcp open unknown
# 15487/tcp open unknown
# 31313/tcp open unknown
# 36458/tcp open unknown
# Write the scan results to a file (use this when there are many results)
nmap -Pn -p- -T4 XXX.XXX.XXX.XXX -oN /tmp/rezultat.txt
# -p- = scan all ports
# -oN = "normal" output to a file (other output formats exist too, e.g. XML)
# The scan result is in the file /tmp/rezultat.txt
vim /tmp/rezultat.txt
# Scan all hosts inside a LAN range
nmap 192.168.224.0/24 -sP -sL
# -sP = ping scan: host discovery only, no port scan (newer versions call this -sn)
# -sL = list scan: lists each target with its reverse DNS name, if it has one
# If we only need the live IP addresses, we can pipe the output through grep and awk, e.g.:
nmap 192.168.224.0/24 -n -sP | grep report | awk '{print $5}'
# -n = no DNS resolution of the names the computers have on the network
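The results saved with -oN above, and the grep/awk extraction of live hosts, are both things a defender ends up parsing; here is an added example, not code from the original post or from nmap, that parses nmap's normal output and reports open ports missing from an expected-services baseline. The scan text inside it is constructed sample output in the same format nmap prints, not a real scan, and the function names are my own.

```python
import re

# Constructed sample in the -oN format (not a real scan): two hosts, one of
# which has an extra service listening that the baseline does not expect.
SAMPLE_ON = """\
# Nmap 6.40 scan initiated Mon Nov 21 10:18:00 2016 as: nmap -Pn -p- -T4 -oN /tmp/rezultat.txt 10.0.0.0/29
Nmap scan report for web.example.test (10.0.0.5)
Host is up (0.044s latency).
Not shown: 65532 filtered ports
PORT      STATE  SERVICE
80/tcp    open   http
443/tcp   open   https
50000/tcp open   ibm-db2
Nmap scan report for 10.0.0.6
Host is up (0.053s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
# Nmap done at Mon Nov 21 10:18:41 2016 -- 8 IP addresses (2 hosts up) scanned in 41.68 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_normal_output(text):
    """Map each reported host (by IP) to its [(port, proto, state, service)] rows."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)  # IP is in parentheses when rDNS resolved
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Open ports absent from baseline {ip: {(port, proto), ...}}: the rows to review."""
    findings = []
    for ip, rows in hosts.items():
        for port, proto, state, service in rows:
            if state == "open" and (port, proto) not in baseline.get(ip, set()):
                findings.append((ip, port, proto, service))
    return findings
```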
# Scan and use the default scripts available for security checks
# On CentOS they are in the folder /usr/share/nmap/scripts/
nmap -sV -sC kompjuteras.com
# -sC = run nmap's default script set (NSE)
# More about the scripts: https://nmap.org/book/man-nse.html
# and here: https://goo.gl/JmyVen
##### Scan result for the kompjuteras.com site #####
# Starting Nmap 5.51 ( http://nmap.org ) at 2016-11-21 16:41 CET
# Nmap scan report for kompjuteras.com (212.24.107.33)
# Host is up (0.053s latency).
# rDNS record for 212.24.107.33: sajt.ga
# Not shown: 989 filtered ports
# PORT STATE SERVICE VERSION
# 25/tcp closed smtp
# 53/tcp closed domain
# 80/tcp open http nginx
# |_http-methods: No Allow or Public header in OPTIONS response (status code 301)
# |_http-title: Did not follow redirect to https://kompjuteras.com/ and no page was returned.
# |_http-favicon:
# 110/tcp closed pop3
# 143/tcp closed imap
# 443/tcp open http nginx
# |_http-title: 400 The plain HTTP request was sent to HTTPS port
# |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
# 465/tcp closed smtps
# 587/tcp closed submission
# 993/tcp closed imaps
# 995/tcp closed pop3s
# 2525/tcp closed ms-v-worlds
#
# Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
Miša
16/05/2020 @ 01:16
Thanks Draža! Wasn't it forbidden to (mass) scan other IP addresses?
Stevan
21/11/2020 @ 00:10
You can use zonetransfer.me for practice 😀