10 nmap commands every sysadmin should know

Most of us system administrators end up playing with nmap fairly often, and I think it is a very good tool that everyone should know. Not in depth, since that would fill a book, but at least with a few basic commands always in mind. Here are the 10 I consider the most common. Run them only against networks you administer or are authorised to test: even the "quiet" ones generate traffic that other people's firewalls and IDS will log.
  1. Discover the IPs on a network (no root)
    -sP is the old spelling of -sn: host discovery only, no port scan. As root on the local Ethernet segment nmap uses ARP requests, which practically every host answers; without root it falls back to TCP connect() probes to ports 80 and 443, so a host that filters both is reported as down.
    shell> nmap -sP 192.168.0.0/24
    
    Starting Nmap 6.40
    Nmap scan report for server1.local.net (192.168.0.2)
    Host is up (0.00053s latency).
    Nmap scan report for 192.168.0.3
    Host is up (0.00080s latency).
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00076s latency).
    Nmap scan report for 192.168.0.7
    Host is up (0.00067s latency).
    Nmap scan report for remote.local.net (192.168.0.11)
    Host is up (0.00088s latency).
    ...
    
  2. Scan a host's open ports (no root)
    With no options nmap scans the 1,000 most common TCP ports. Unprivileged this is a TCP connect scan (-sT); run as root it silently becomes a SYN scan (-sS) instead.
    shell> nmap 192.168.0.5
    
    Starting Nmap 6.40
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00056s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    25/tcp  open  smtp
    873/tcp open  rsync
    
    Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
    
  3. TCP connect scan (no root)
    -sT completes the full three-way handshake through connect(), so every probed service sees (and may log) a real connection. Unprivileged it is already the default, which is why the result is identical to item 2.
    shell> nmap -sT 192.168.0.5
    
    Starting Nmap 6.40
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00063s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    25/tcp  open  smtp
    873/tcp open  rsync
    
    Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
    
  4. Identify a host's operating system (root)
    -O fingerprints the TCP/IP stack with crafted packets and needs raw sockets, hence root. It is only reliable with at least one open and one closed port to probe, and the MAC Address line appears only when the target is on the same network segment (it comes from ARP).
    shell> nmap -O 192.168.0.5
    
    Starting Nmap 6.40
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00022s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    25/tcp  open  smtp
    873/tcp open  rsync
    MAC Address: 00:BC:5D:71:99:4A (XenServer)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.32
    Network Distance: 1 hop
    
    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
    
  5. List the hostnames on a network (no root)
    -sL is a list scan: nmap just does a reverse DNS lookup for each address and sends nothing to the targets themselves, so it needs no root and is the quietest way to see what a range contains (only your resolver sees any traffic).
    shell> nmap -sL 192.168.0.0/24
    
    Starting Nmap 6.40
    Nmap scan report for 192.168.0.0
    Nmap scan report for 192.168.0.1
    Nmap scan report for server1.local.net (192.168.0.2)
    Nmap scan report for 192.168.0.3
    Nmap scan report for 192.168.0.4
    Nmap scan report for zabbix.local.net (192.168.0.5)
    ...
    
  6. UDP and TCP SYN scan (root)
    -sS is the SYN scan, -sU the UDP scan, and -PN (now written -Pn) skips host discovery and scans the address regardless. UDP is slow because nmap marks a port closed when it gets an ICMP port-unreachable back, and Linux rate-limits those replies to about one per second; that is where the 989 seconds below come from. When time matters, restrict the range with -p or --top-ports, or live with open|filtered results.
    shell> nmap -sS -sU -PN 192.168.0.5
    
    Starting Nmap 6.40
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00018s latency).
    Not shown: 1996 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    25/tcp  open  smtp
    873/tcp open  rsync
    123/udp open  ntp
    MAC Address: 00:BC:5D:71:99:4A (XenServer)
    
    Nmap done: 1 IP address (1 host up) scanned in 989.80 seconds
    
  7. Scan all ports (root)
    -p 1-65535 covers every TCP port instead of the default top 1,000, which is how the Zabbix agent and server on 10050/tcp and 10051/tcp show up here but not in item 2. "unknown" only means the port is missing from nmap's services table; add -sV to identify what is listening. Root is needed only for the SYN scan; unprivileged, the same command runs as a connect scan and takes longer.
    shell> nmap -p 1-65535 192.168.0.5
    
    Starting Nmap 6.40
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00027s latency).
    Not shown: 65530 closed ports
    PORT      STATE SERVICE
    22/tcp    open  ssh
    25/tcp    open  smtp
    873/tcp   open  rsync
    10050/tcp open  unknown
    10051/tcp open  unknown
    MAC Address: 00:BC:5D:71:99:4A (XenServer)
    
    Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds
    
  8. Aggressive host scan (root)
    -A turns on version detection (-sV), OS detection (-O), the default NSE scripts (-sC) and traceroute; -T4 speeds up the timing. OS detection and traceroute need root, so without it nmap prints a warning and skips them. This is also the noisiest scan on the list: every service gets banner grabs and scripts, which is easy to spot in logs and can upset fragile daemons. The command targets the whole /24, but the output below is the report for a single host.
    shell> nmap -T4 -A 192.168.0.0/24
    
    Starting Nmap 6.40
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00020s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE VERSION
    22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
    | ssh-hostkey: 1024 d3:cd:5d:0f:f1:86:09:ff (DSA)
    |_2048 64:45:95:18:26:5a:f1:94 (RSA)
    25/tcp  open  smtp    Postfix smtpd
    |_smtp-commands: zabbix.local.net, PIPELINING, SIZE 31457280, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
    | ssl-cert: Subject: commonName=zabbix
    | Not valid before: 2012-06-14T12:37:01+00:00
    |_Not valid after:  2022-06-12T12:37:01+00:00
    |_ssl-date: 2014-05-15T15:02:35+00:00; -12s from local time.
    873/tcp open  rsync   (protocol version 30)
    MAC Address: 00:BC:5D:71:99:4A (XenServer)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.32
    Network Distance: 1 hop
    Service Info: Host:  zabbix.local.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.20 ms zabbix.local.net (192.168.0.5)
    
    Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
    
  9. Fast scan (root)
    -F limits the scan to the 100 most common ports (hence "Not shown: 97 closed ports"). It works unprivileged as well; the MAC Address line shows this run was done as root against a host on the local segment.
    shell> nmap -T4 -F 192.168.0.5
    
    Starting Nmap 6.40
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00042s latency).
    Not shown: 97 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    25/tcp  open  smtp
    873/tcp open  rsync
    MAC Address: 00:BC:5D:71:99:4A (XenServer)
    
    Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
    
  10. Verbose scan (root)
    Item 8 against a single host, with -v added so nmap reports each phase (ARP ping, SYN scan, service scan, OS detection, NSE) as it runs. The "SYN Stealth Scan" and "Uptime guess" lines confirm it was run as root.
    shell> nmap -T4 -A -v 192.168.0.5
    
    Starting Nmap 6.40
    NSE: Loaded 110 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 17:03
    Scanning 192.168.0.5 [1 port]
    Completed ARP Ping Scan at 17:03, 0.02s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 17:03
    Scanning zabbix.local.net (192.168.0.5) [1000 ports]
    Discovered open port 25/tcp on 192.168.0.5
    Discovered open port 22/tcp on 192.168.0.5
    Discovered open port 873/tcp on 192.168.0.5
    Completed SYN Stealth Scan at 17:03, 0.04s elapsed (1000 total ports)
    Initiating Service scan at 17:03
    Scanning 3 services on zabbix.local.net (192.168.0.5)
    Completed Service scan at 17:03, 0.01s elapsed (3 services on 1 host)
    Initiating OS detection (try #1) against zabbix.local.net (192.168.0.5)
    NSE: Script scanning 192.168.0.5.
    Initiating NSE at 17:03
    Completed NSE at 17:03, 0.13s elapsed
    Nmap scan report for zabbix.local.net (192.168.0.5)
    Host is up (0.00020s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE VERSION
    22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
    | ssh-hostkey: 1024 d3:87:ad:ca:6f:6e:09:ff (DSA)
    |_2048 64:45:95:c9:c8:06:f1:94 (RSA)
    25/tcp  open  smtp    Postfix smtpd
    |_smtp-commands: zabbix.local.net, PIPELINING, SIZE 31457280, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
    | ssl-cert: Subject: commonName=zabbix
    | Issuer: commonName=zabbix
    | Public Key type: rsa
    | Public Key bits: 2048
    | Not valid before: 2012-06-14T12:37:01+00:00
    | Not valid after:  2022-06-12T12:37:01+00:00
    | MD5:   5870 5ed4 9962 6bcc cc3a 37dd 2ffa 5c13
    |_SHA-1: 66f3 3495 37b4 3ace b1e9 8bed 4a18 5e9a 57af 8794
    |_ssl-date: 2014-05-15T15:03:18+00:00; -11s from local time.
    873/tcp open  rsync   (protocol version 30)
    MAC Address: 00:BC:5D:71:99:4A (XenServer)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.32
    Uptime guess: 196.083 days (since Thu Oct 31 14:04:32 2013)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=262 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: Host:  zabbix.local.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.20 ms zabbix.local.net (192.168.0.5)
    
    NSE: Script Post-scanning.
    Initiating NSE at 17:03
    Completed NSE at 17:03, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
    Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
    
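Every scan above can write the same information as XML with -oX (for example `nmap -sS -sU -p 1-65535 -oX scan.xml 192.168.0.5`), which is far easier to process than the text output. The following Python script is an added example, not code from the original post: it parses that XML, lists the live hosts the way item 1's sweep would, and audits each host's open ports against an allowlist, which is how a sysadmin turns a full-port scan like item 7 into a "is anything listening that shouldn't be?" check. The embedded XML is a constructed sample shaped like nmap 6.40's output for the Zabbix host on this page plus a host that was down; the allowlist EXPECTED is hypothetical and deliberately includes 443/tcp so the "missing" case is exercised too.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number), e.g. ("tcp", 22)

# Constructed sample in the shape of nmap 6.40 `-oX` output; it mirrors the
# Zabbix host from the page (TCP from item 7, 123/udp from item 6) plus one
# host that did not answer. Ports nmap cannot name (10050/10051) carry no
# <service> element, exactly as in real output, so the parser must not rely on it.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -p 1-65535 -oX -" version="6.40">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.5" addrtype="ipv4"/>
<address addr="00:BC:5D:71:99:4A" addrtype="mac" vendor="XenServer"/>
<hostnames><hostname name="zabbix.local.net" type="PTR"/></hostnames>
<ports><extraports state="closed" count="131063"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp"/></port>
<port protocol="tcp" portid="873"><state state="open" reason="syn-ack"/><service name="rsync"/></port>
<port protocol="tcp" portid="10050"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="10051"><state state="open" reason="syn-ack"/></port>
<port protocol="udp" portid="123"><state state="open" reason="udp-response"/><service name="ntp"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.0.4" addrtype="ipv4"/></host>
<runstats><finished elapsed="989.80"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> List[dict]:
    """Turn an nmap -oX document into one record per <host>.

    open      : ports that answered (state "open")
    ambiguous : ports reported open|filtered, i.e. no reply at all; for UDP this
                means either a firewall dropped the probe or the service simply
                does not answer an empty datagram, so it needs a manual look.
    """
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        rec = {"addr": None, "hostname": None, "mac": None,
               "up": h.find("status").get("state") == "up",
               "open": set(), "ambiguous": set()}
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                rec["addr"] = a.get("addr")
            elif a.get("addrtype") == "mac":  # only present on the local segment
                rec["mac"] = a.get("addr")
        name = h.find("hostnames/hostname")
        if name is not None:
            rec["hostname"] = name.get("name")
        for p in h.findall("ports/port"):
            port = (p.get("protocol"), int(p.get("portid")))
            state = p.find("state").get("state")
            if state == "open":
                rec["open"].add(port)
            elif state == "open|filtered":
                rec["ambiguous"].add(port)
        hosts.append(rec)
    return hosts


def live_hosts(hosts: List[dict]) -> List[str]:
    """Addresses that answered discovery, the same list item 1's sweep prints."""
    return sorted(h["addr"] for h in hosts if h["up"])


def audit(hosts: List[dict], allowlist: Dict[str, Set[Port]]) -> Dict[str, dict]:
    """Compare each live host's open ports with what it is supposed to expose.

    A host missing from the allowlist is treated as allowed nothing, so every
    open port on it is reported: unknown listeners are what the sweep is for.
    """
    report = {}
    for h in hosts:
        if not h["up"]:
            continue
        expected = allowlist.get(h["addr"], set())
        report[h["addr"]] = {
            "unexpected": sorted(h["open"] - expected),
            "missing": sorted(expected - h["open"]),
            "ambiguous": sorted(h["ambiguous"]),
        }
    return report


# Hypothetical allowlist for the Zabbix host: ssh, an HTTPS front end that is
# not actually up, the Zabbix agent and the Zabbix server. 25/tcp, 873/tcp and
# 123/udp are open in the page's scans but not listed here, so they get flagged.
EXPECTED: Dict[str, Set[Port]] = {
    "192.168.0.5": {("tcp", 22), ("tcp", 443), ("tcp", 10050), ("tcp", 10051)},
}


def fmt(p: Port) -> str:
    """Render a port tuple in nmap's own "22/tcp" style."""
    return "%d/%s" % (p[1], p[0])


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    print("live hosts:", ", ".join(live_hosts(hosts)))
    for addr, r in audit(hosts, EXPECTED).items():
        print(addr)
        for key in ("unexpected", "missing", "ambiguous"):
            print("  %-11s %s" % (key + ":", ", ".join(map(fmt, r[key])) or "-"))
```

Feed it a real file with `parse_nmap_xml(open("scan.xml").read())`. Keep the allowlist in version control next to the hosts it describes, and run the audit from cron after a nightly `-p 1-65535 -oX` scan: the "unexpected" list is then a change alarm rather than a one-off snapshot, and the "missing" list catches services that have silently died.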

