Wednesday, 30 April 2008

A different use for Nmap

Nmap lets you save the results of a scan in several file formats: Normal, XML, Grepable, All, and the "S" format (s|

If we want to run a stealth scan of the Xmas Tree type, also find out which operating system the target host is running, and in addition save the result of that scan to a file called "resultado_nmap.txt", we run:

  • $ sudo nmap -sX -O 172.26.103.20 -oN resultado_nmap.txt. And we will get something like this.

Now we see that two .txt files have been saved in our home folder: one named after the IP address of the "victim" machine, and another with the name we assigned earlier, resultado_nmap.txt.

Bibliographic references:

Nmap (continued)

Because of my inexperience at running a blog, and the length of this tutorial, I have had to split it into two parts to make the article easier to read and understand...


7. If we want to find out which machines have an FTP, HTTP or DNS server, we look at ports 21, 80 and 53 respectively.

  • We use $ sudo nmap -sU -p 21,80,53 172.26.103.1-255. Something like this appears (some results have been omitted):

Interesting ports on 172.26.103.4:
PORT STATE SERVICE
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:0D:61:05:68:61 (Giga-Byte Technology Co.)

Interesting ports on 172.26.103.5:
PORT STATE SERVICE
21/udp closed ftp
53/udp open|filtered domain
80/udp open|filtered http
MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.7:
PORT STATE SERVICE
21/udp open|filtered ftp
53/udp closed domain
80/udp open|filtered http
MAC Address: 00:1A:4D:6E:08:60 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.8:
PORT STATE SERVICE
21/udp open|filtered ftp
53/udp closed domain
80/udp open|filtered http
MAC Address: 00:1A:4D:75:71:79 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.9:
PORT STATE SERVICE
21/udp open|filtered ftp
53/udp open|filtered domain
80/udp open|filtered http
MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.12:
PORT STATE SERVICE
21/udp open|filtered ftp
53/udp open|filtered domain
80/udp open|filtered http
MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)

Interesting ports on 172.26.103.13:
PORT STATE SERVICE
21/udp open|filtered ftp
53/udp open|filtered domain
80/udp open|filtered http
MAC Address: 00:16:17:4F:AF:D5 (MSI)

Interesting ports on 172.26.103.17:
PORT STATE SERVICE
21/udp open|filtered ftp
53/udp open|filtered domain
80/udp open|filtered http
MAC Address: 00:1B:38:AB:BE:A2 (Compal Information (kunshan) CO.)

Interesting ports on 172.26.103.20:
PORT STATE SERVICE
21/udp closed ftp
53/udp closed domain
80/udp closed http
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)

8. We find the open ports on each machine on the network that is up. To do that we scan both the TCP and the UDP protocols; note that this operation can take quite a while, so it is best not to touch the window and let the machine do everything on its own xD....

  • We use $ sudo nmap -sT -sU 172.26.103.1-255 and go grab a Coke xD... My result looked like this:
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-30 09:25 CEST
Interesting ports on 172.26.103.2:
Not shown: 3200 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
MAC Address: 00:1A:4D:6E:07:EB (Gigabyte Technology Co.)

Interesting ports on 172.26.103.5:
Not shown: 3197 closed ports
PORT STATE SERVICE
3128/tcp open squid-http
68/udp open|filtered dhcpc
3130/udp open|filtered squid-ipc
5353/udp open|filtered zeroconf
32768/udp open|filtered omad
MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.7:
Not shown: 3195 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure-sensor
68/udp open|filtered dhcpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
5353/udp open|filtered zeroconf
MAC Address: 00:1A:4D:6E:08:60 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.8:
Not shown: 3200 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
MAC Address: 00:1A:4D:75:71:79 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.9:
Not shown: 3199 closed ports
PORT STATE SERVICE
10000/tcp open snet-sensor-mgmt
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.12:
Not shown: 3201 closed ports
PORT STATE SERVICE
5353/udp open|filtered zeroconf
MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)

All 3202 scanned ports on 172.26.103.13 are filtered (1714) or open|filtered (1488)
MAC Address: 00:16:17:4F:AF:D5 (MSI)

Interesting ports on 172.26.103.17:
Not shown: 3200 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
5353/udp open|filtered zeroconf
MAC Address: 00:1B:38:AB:BE:A2 (Compal Information (kunshan) CO.)

Interesting ports on 172.26.103.20:
Not shown: 3191 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)

Interesting ports on 172.26.103.26:
Not shown: 3184 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
3128/tcp open squid-http
8080/tcp open http-proxy
111/udp open|filtered rpcbind
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
642/udp open|filtered unknown
2049/udp open|filtered nfs
3130/udp open|filtered squid-ipc
5353/udp open|filtered zeroconf
32768/udp open|filtered omad
32773/udp open|filtered sometimes-rpc10
32774/udp open|filtered sometimes-rpc12
32775/udp open|filtered sometimes-rpc14
MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)

Interesting ports on 172.26.103.28:
Not shown: 3201 closed ports
PORT STATE SERVICE
5353/udp open|filtered zeroconf

Nmap done: 255 IP addresses (11 hosts up) scanned in 1508.373 seconds
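The on-screen output above is the same "normal" format that -oN writes to resultado_nmap.txt in the post above, so one parser answers both step 7 (which hosts show 21, 80 or 53 in a non-closed state) and step 8 (which ports each live host exposes). The following is an added example of mine, not code from the post: the sample text is a constructed excerpt copied from the hosts and ports printed above.

```python
import re

# Constructed excerpt in Nmap's normal (-oN / on-screen) format, modelled on steps 7 and 8 above.
SAMPLE = """\
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-30 09:25 CEST
Interesting ports on 172.26.103.5:
PORT STATE SERVICE
3128/tcp open squid-http
53/udp open|filtered domain
80/udp open|filtered http
MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)
All 3202 scanned ports on 172.26.103.13 are filtered (1714) or open|filtered (1488)
MAC Address: 00:16:17:4F:AF:D5 (MSI)
Interesting ports on 172.26.103.20:
PORT STATE SERVICE
80/tcp open http
21/udp closed ftp
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
OS details: Microsoft Windows XP SP2
Nmap done: 255 IP addresses (11 hosts up) scanned in 1508.373 seconds
"""

HOST_RE = re.compile(r"^(?:Interesting ports on|All \d+ scanned ports on) ([\d.]+)(?::| are\b.*)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_normal_output(text):
    """Group Nmap's per-host blocks: {host: {"ports": {(port, proto): (state, service)}, "mac", "os"}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:  # a new host block starts here (both "Interesting ports" and "All N scanned ports" forms)
            current = hosts.setdefault(m.group(1), {"ports": {}, "mac": None, "os": None})
            continue
        if current is None:  # "Starting Nmap ..." and other lines before the first host block
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"][(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
        elif line.startswith("MAC Address:"):
            current["mac"] = line.split()[2]
        elif line.startswith("OS details:"):
            current["os"] = line.split(":", 1)[1].strip()
    return hosts

def hosts_with(hosts, port, proto, states=("open", "open|filtered")):
    """Hosts whose scan reported port/proto in one of `states`; ports not listed count as closed."""
    return sorted(h for h, info in hosts.items()
                  if info["ports"].get((port, proto), ("closed", None))[0] in states)
```

Because -sU cannot tell an open UDP port that stays silent from one a firewall drops, the open|filtered hits are candidates rather than confirmations; FTP and HTTP are normally TCP services, so the -sT results of step 8 are the better evidence for those two.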

Monday, 28 April 2008

Nmap

Below is a short tutorial on using the Nmap tool. To begin, here are some of the features of this program (note: this information was taken from Wikipedia).

Nmap is a program for scanning TCP and UDP networks. It is used to assess the security of computer systems, and to discover services or servers on a computer network.
  • Host discovery: identifies computers on a network, for example by listing those that respond to ping.
  • Identifies open ports on a target computer
  • Determines which services that computer is running
  • Determines which operating system and version the computer uses (this technique is also known as fingerprinting)
  • Obtains some characteristics of the network hardware of the machine under test

The first thing we will do is install nmap on our Linux system (in my case the exercise is done from Ubuntu Hardy Heron 8.04 xD)... To do so we type in a console:
  • sudo apt-get install nmap
Next we will run a series of tests with nmap against one of the machines on our network, for example 172.26.103.20...

1. Seeing which ports the machine has open, ....
  • we use $ nmap 172.26.103.20, and something like this appears:
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-28 12:18 CEST
Interesting ports on 172.26.103.20:
Not shown: 1710 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1.375 seconds

Here we see that the machine in question has ports 80, 135, 139 and 445 open...

2. Now let's find out which operating system the "victim" machine uses...

  • we use $ sudo nmap -O 172.26.103.20 and something like this appears:
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-28 12:17 CEST
Interesting ports on 172.26.103.20:
Not shown: 1710 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.940 seconds

We see that right after the MAC address it gives the OS information:
  • Running: Microsoft Windows XP
  • OS details: Microsoft Windows XP SP2

3. Now we want to know which computers on our network are up...

  • we use $ sudo nmap -sP 172.26.0.0/17; here we give it the network address followed by the subnet mask in prefix notation (/17).
Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-29 10:23 CEST
Host 172.26.0.1 appears to be up.
MAC Address: 00:02:B3:E9:97:06 (Intel)
Host 172.26.0.2 appears to be up.
MAC Address: 00:50:56:41:F3:E4 (VMWare)
Host 172.26.0.4 appears to be up.
MAC Address: 00:0C:29:4D:A5:9C (VMware)
Host 172.26.0.10 appears to be up.
MAC Address: 00:0C:29:19:5D:77 (VMware)
Host 172.26.0.11 appears to be up.
MAC Address: 00:0C:29:06:81:AF (VMware)
Host 172.26.100.4 appears to be up.
MAC Address: 00:1A:92:55:DC:EF (Asustek Computer)
Host 172.26.103.2 appears to be up.
MAC Address: 00:1A:4D:6E:07:EB (Gigabyte Technology Co.)
Host 172.26.103.5 appears to be up.
MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)
Host 172.26.103.7 appears to be up.
MAC Address: 00:1A:4D:6E:08:60 (Gigabyte Technology Co.)
Host 172.26.103.8 appears to be up.
MAC Address: 00:1A:4D:75:71:79 (Gigabyte Technology Co.)
Host 172.26.103.9 appears to be up.
MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)
Host 172.26.103.12 appears to be up.
MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)
Host 172.26.103.13 appears to be up.
MAC Address: 00:16:17:4F:AF:D5 (MSI)
Host 172.26.103.26 appears to be up.
MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)
Host 172.26.103.28 appears to be up.
Host 172.26.104.4 appears to be up.
MAC Address: 00:0D:61:05:68:61 (Giga-Byte Technology Co.)
Nmap done: 32768 IP addresses (16 hosts up) scanned in 523.869 seconds


4. Which computers in our classroom are up??

  • we use $ sudo nmap -sP [network address-host addresses from 1 to 255]. For example, in my case it looks like this: $ sudo nmap -sP 172.26.103.1-255. Here we are telling the program to go from address 172.26.103.1 through address 172.26.103.255. It will show something like this:

Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-28 12:39 CEST
Host 172.26.103.2 appears to be up.
MAC Address: 00:1A:4D:6E:07:EB (Gigabyte Technology Co.)
Host 172.26.103.5 appears to be up.
MAC Address: 00:1A:4D:7F:9D:D3 (Gigabyte Technology Co.)
Host 172.26.103.7 appears to be up.
MAC Address: 00:1A:4D:6E:08:60 (Gigabyte Technology Co.)
Host 172.26.103.8 appears to be up.
MAC Address: 00:1A:4D:75:71:79 (Gigabyte Technology Co.)
Host 172.26.103.9 appears to be up.
MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)
Host 172.26.103.12 appears to be up.
MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)
Host 172.26.103.17 appears to be up.
MAC Address: 00:1B:38:AB:BE:A2 (Compal Information (kunshan) CO.)
Host 172.26.103.20 appears to be up.
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)
Host 172.26.103.26 appears to be up.
MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)
Host 172.26.103.28 appears to be up.
Nmap done: 255 IP addresses (10 hosts up) scanned in 12.067 seconds
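Steps 3 and 4 use two different target notations, a CIDR block (172.26.0.0/17) and an octet range (172.26.103.1-255), which is why Nmap reports 32768 and 255 addresses respectively. The following added Python example (mine, not from the post) expands either form the way Nmap does, so you can check how many addresses a scan will touch, and whether a given host is in scope, before launching it; it assumes Nmap's rule that a bare "-" in an octet means 0-255.

```python
import ipaddress
from itertools import product

def _octet_values(spec):
    """Expand one octet field: '20' -> [20], '1-255' -> 1..255, '5,7,9' -> [5, 7, 9], '*' -> 0..255."""
    values = []
    for part in spec.split(","):
        lo, dash, hi = ("0-255" if part == "*" else part).partition("-")
        # Assumed Nmap convention: a missing bound in "lo-hi" defaults to 0 or 255.
        lo, hi = int(lo or 0), int(hi or (255 if dash else lo))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values

def expand_targets(spec):
    """IPv4 addresses (as strings) covered by an Nmap-style target spec."""
    if "/" in spec:
        # CIDR: Nmap scans every address in the block, network and broadcast included,
        # which is why 172.26.0.0/17 in step 3 is reported as 32768 IP addresses.
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    # Each octet is expanded independently and the Cartesian product is taken,
    # so 172.26.103.1-255 becomes 172.26.103.1 ... 172.26.103.255 in order.
    return [".".join(map(str, combo)) for combo in product(*map(_octet_values, octets))]

def in_scope(address, spec):
    """True when `address` is one of the targets that `spec` expands to."""
    return address in set(expand_targets(spec))
```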

5. We check whether, for example, the "victim" machine is playing Worms. To find that out we need to verify that ports 17010 and 17012 are open.

  • We use $ sudo nmap -sU -p 1-20000 172.26.103.20. Something like this appears:

Starting Nmap 4.53 ( http://insecure.org ) at 2008-04-30 08:46 CEST
Interesting ports on 172.26.103.20:
Not shown: 19990 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1035/udp open|filtered unknown
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
17010/udp open|filtered unknown
17012/udp open|filtered unknown
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)

Nmap done: 1 IP address (1 host up) scanned in 4.061 seconds

6. Now, if we want to know directly who is playing Worms in the classroom, we scan those specific ports on all the machines.

  • We use $ sudo nmap -sU -p 17010,17012 172.26.103.1-255.

Interesting ports on 172.26.103.9:
PORT STATE SERVICE
17010/udp closed unknown
17012/udp closed unknown
MAC Address: 00:1A:4D:75:70:74 (Gigabyte Technology Co.)

Interesting ports on 172.26.103.12:
PORT STATE SERVICE
17010/udp closed unknown
17012/udp closed unknown
MAC Address: 00:C0:9F:F2:ED:63 (Quanta Computer)

Interesting ports on 172.26.103.13:
PORT STATE SERVICE
17010/udp open|filtered unknown
17012/udp open|filtered unknown
MAC Address: 00:16:17:4F:AF:D5 (MSI)

Interesting ports on 172.26.103.17:
PORT STATE SERVICE
17010/udp closed unknown
17012/udp closed unknown
MAC Address: 00:1B:38:AB:BE:A2 (Compal Information (kunshan) CO.)

Interesting ports on 172.26.103.20:
PORT STATE SERVICE
17010/udp open|filtered unknown
17012/udp open|filtered unknown
MAC Address: 00:0F:EA:31:C5:FA (Giga-Byte Technology Co.)

Interesting ports on 172.26.103.26:
PORT STATE SERVICE
17010/udp closed unknown
17012/udp closed unknown
MAC Address: 00:19:66:44:E6:F3 (Asiarock Technology Limited)

Continues in the next post....