A continuacion expondremos un pequeño tutorial sobre el uso de la herramienta Nmap. Para empezar les voy a poner algunas de las caracteríscas de este programa (nota: esta información ha sido extraida de la
Wikipedia).
Nmap es un programa de que sirve para efectuar
rastreo a redes TCP y UDP
. Se usa para evaluar la seguridad de sistemas informáticos, así como para descubrir servicios o servidores en una red informática.
- Descubrimiento de servidores: Identifica computadoras en una red, por ejemplo listando aquellas que responden ping.
- Identifica puertos abiertos en una computadora objetivo
- Determina qué servicios está ejecutando la misma
- Determinar qué sistema operativo y versión utiliza dicha computadora, (esta técnica es también conocida como fingerprinter)
- Obtiene algunas características del hardware de red de la máquina objeto de la prueba
Lo primero que vamos a hacer es instalar nmap en nuestro sistema Linux (en mi caso se va a hacer la practica desde Ubuntu Hardy Heron 8.04 xD)...Para ello escribimos en consola:
- sudo apt-get install nmap
Seguidamente vamos a hacer una serie de pruebas con el nmap a uno de los equipos de nuestra red. Por ejemplo 172.26.103.20...
1. Viendo que puertos tiene abiertos el equipo, ....
- usamos $nmap 172.26.103.20, y nos aparece algo como esto:
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-28 12:18 CEST
Interesting ports on 172.26.103.20:
Not shown: 1710 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 1.375 seconds
Aqui observamos que el equipo en cuestión tiene abiertos los puertos 80, 135, 139, y 445...
2. Ahora vamos a averiguar que sistema operativo utiliza el equipo "victima"...
- usamos $sudo nmap -O 172.26.103.20 y nos aparece algo como esto:
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-28 12:17 CEST
Interesting ports on 172.26.103.20:
Not shown: 1710 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
Device type: general purpose
Running: Microsoft Windows XPOS details: Microsoft Windows XP SP2Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.940 seconds
Observamos que nos indica justamente después de la dirección MAC las indicaciones del S.O:
- Running: Microsoft Windows XP
- OS details: Microsoft Windows XP SP2
3. Ahora queremos saber que ordenadores de nuestra red están encendidos...
- usamos $sudo nmap -sP 172.26.0.0/17, aqui le estamos indicando la dirección seguidamente de la máscara de subred (/17).
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-29 10:23 CEST
Host 172.26.0.1 appears to be up.MAC Address: 00:02:B3:E9:97:06 (Intel)
Host 172.26.0.2 appears to be up.MAC Address: 00:50:56:41:F3:E4 (VMWare)
Host 172.26.0.4 appears to be up.MAC Address: 00:0C:29:4D:A5:9C (VMware)
Host 172.26.0.10 appears to be up.MAC Address: 00:0C:29:19:5D:77 (VMware)
Host 172.26.0.11 appears to be up.MAC Address: 00:0C:29:06:81:AF (VMware)
Host 172.26.100.4 appears to be up.MAC Address: 00:1A:92:55:DC:EF (Asustek Computer)
Host 172.26.103.2 appears to be up.MAC Address: 00:1A:4D:6E:07:EB (Gigabyte Technology Co.)
Host 172.26.103.5 appears to be up.MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)
Host 172.26.103.7 appears to be up.MAC Address: 00:1A:4D:6E:08:60 (Gigabyte Technology Co.)
Host 172.26.103.8 appears to be up.
MAC Address: 00:1A:4D:75:71:79 (Gigabyte Technology Co.)
Host 172.26.103.9 appears to be up.MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)
Host 172.26.103.12 appears to be up.MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)
Host 172.26.103.13 appears to be up.MAC Address: 00:16:17:4F:AF:D5 (MSI)
Host 172.26.103.26 appears to be up.MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)
Host 172.26.103.28 appears to be up.Host 172.26.104.4 appears to be up.MAC Address: 00:0D:61:05:68:61 (Giga-Byte Technology Co.)
Nmap done: 32768 IP addresses (16 hosts up) scanned in 523.869 seconds
4. Qué ordenadores de nuestra clase están encendidos??
- usamos $sudo nmap -sP [dirección de red-direcciones de host desde 1 hasta 255]. Por ejemplo en mi caso quedaria asi: $sudo nmap -sP 172.26.103.1-255. Aqui le estaremos indicando al programa que vaya desde la dirección 172.26.103.1 hasta la dirección 172.26.103.255. Nos mostrará algo como ésto:
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-28 12:39 CEST
Host 172.26.103.2 appears to be up.MAC Address: 00:1A:4D:6E:07:EB (Gigabyte Technology Co.)
Host 172.26.103.5 appears to be up.MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)
Host 172.26.103.7 appears to be up.MAC Address: 00:1A:4D:6E:08:60 (Gigabyte Technology Co.)
Host 172.26.103.8 appears to be up.MAC Address: 00:1A:4D:75:71:79 (Gigabyte Technology Co.)
Host 172.26.103.9 appears to be up.MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)
Host 172.26.103.12 appears to be up.MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)
Host 172.26.103.17 appears to be up.MAC Address: 00:1B:38:AB:BE:A2 (Compal Information (kunshan) CO.)
Host 172.26.103.20 appears to be up.MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
Host 172.26.103.26 appears to be up.MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)
Host 172.26.103.28 appears to be up.Nmap done: 255 IP addresses (10 hosts up) scanned in 12.067 seconds
5. Averiguamos si, por ejemplo, el equipo "victima" está jugando al Worms. Para saber esto debemos verificar que se encuentren abiertos los puertos 17010 y 17012.
- Usamos $sudo nmap -sU -p 1-20000 172.26.103.20. Nos aparece algo como ésto:
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-30 08:46 CEST
Interesting ports on 172.26.103.20:
Not shown: 19990 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1035/udp open|filtered unknown
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
17010/udp open|filtered unknown17012/udp open|filtered unknownMAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
Nmap done: 1 IP address (1 host up) scanned in 4.061 seconds
6. Ahora, si queremos saber directamente quien está jugando al Worms en la clase, hacemos un escaneo a los puertos específicos y a todos los equipos.
- Usamos $sudo nmap -sU -p 17010,17012 172.26.103.1-255.
Interesting ports on 172.26.103.9:
PORT STATE SERVICE
17010/udp closed unknown
17012/udp closed unknown
MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)
Interesting ports on 172.26.103.12:
PORT STATE SERVICE
17010/udp closed unknown
17012/udp closed unknown
MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)
Interesting ports on 172.26.103.13:PORT STATE SERVICE
17010/udp open|filtered unknown17012/udp open|filtered unknownMAC Address: 00:16:17:4F:AF:D5 (MSI)
Interesting ports on 172.26.103.17:
PORT STATE SERVICE
17010/udp closed unknown
17012/udp closed unknown
MAC Address: 00:1B:38:AB:BE:A2 (Compal Information (kunshan) CO.)
Interesting ports on 172.26.103.20:PORT STATE SERVICE
17010/udp open|filtered unknown17012/udp open|filtered unknownMAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
Interesting ports on 172.26.103.26:
PORT STATE SERVICE
17010/udp closed unknown
17012/udp closed unknown
MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)
Continua en la siguiente entrada....