Most of us system administrators end up playing with nmap fairly often, and I think it is a very good tool that everyone should know. Not in depth, since that would fill a book, but at least keep a few basic commands in mind at all times. Today I am leaving you the 10 that I consider the most common.
- Discover the IPs on a network (no root)
shell> nmap -sP 192.168.0.0/24
Starting Nmap 6.40
Nmap scan report for server1.local.net (192.168.0.2)
Host is up (0.00053s latency).
Nmap scan report for 192.168.0.3
Host is up (0.00080s latency).
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00076s latency).
Nmap scan report for 192.168.0.7
Host is up (0.00067s latency).
Nmap scan report for remote.local.net (192.168.0.11)
Host is up (0.00088s latency).
...
- Scan a host's open ports (no root)
shell> nmap 192.168.0.5
Starting Nmap 6.40
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00056s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
873/tcp open  rsync
Nmap: 1 IP address (1 host up) scanned in 0.04 seconds
- Scan over TCP (no root)
shell> nmap -sT 192.168.0.5
Starting Nmap 6.40
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00063s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
873/tcp open  rsync
Nmap: 1 IP address (1 host up) scanned in 0.04 seconds
- Identify a host's operating system (root)
shell> nmap -O 192.168.0.5
Starting Nmap 6.40
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
873/tcp open  rsync
MAC Address: 00:BC:5D:71:99:4A (XenServer)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap: 1 IP address (1 host up) scanned in 1.70 seconds
- List the hostnames on a network (root)
shell> nmap -sL 192.168.0.0/24
Starting Nmap 6.40
Nmap scan report for 192.168.0.0
Nmap scan report for 192.168.0.1
Nmap scan report for server1.local.net (192.168.0.2)
Nmap scan report for 192.168.0.3
Nmap scan report for 192.168.0.4
Nmap scan report for zabbix.local.net (192.168.0.5)
...
- Scan UDP and TCP SYN (root)
shell> nmap -sS -sU -PN 192.168.0.5
Starting Nmap 6.40
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00018s latency).
Not shown: 1996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
873/tcp open  rsync
123/udp open  ntp
MAC Address: 00:BC:5D:71:99:4A (XenServer)
Nmap: 1 IP address (1 host up) scanned in 989.80 seconds
- Scan all ports (root)
shell> nmap -p 1-65535 192.168.0.5
Starting Nmap 6.40
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00027s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
873/tcp   open  rsync
10050/tcp open  unknown
10051/tcp open  unknown
MAC Address: 00:BC:5D:71:99:4A (XenServer)
Nmap: 1 IP address (1 host up) scanned in 1.15 seconds
- Aggressive host scan (no root)
shell> nmap -T4 -A 192.168.0.0/24
Starting Nmap 6.40
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 1024 d3:cd:5d:0f:f1:86:09:ff (DSA)
|_2048 64:45:95:18:26:5a:f1:94 (RSA)
25/tcp  open  smtp    Postfix smtpd
|_smtp-commands: zabbix.local.net, PIPELINING, SIZE 31457280, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=zabbix
| Not valid before: 2012-06-14T12:37:01+00:00
|_Not valid after: 2022-06-12T12:37:01+00:00
|_ssl-date: 2014-05-15T15:02:35+00:00; -12s from local time.
873/tcp open  rsync   (protocol version 30)
MAC Address: 00:BC:5D:71:99:4A (XenServer)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32
Network Distance: 1 hop
Service Info: Host: zabbix.local.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms zabbix.local.net (192.168.0.5)

Nmap: 1 IP address (1 host up) scanned in 1.93 seconds
- Fast scan (no root)
shell> nmap -T4 -F 192.168.0.5
Starting Nmap 6.40
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00042s latency).
Not shown: 97 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
873/tcp open  rsync
MAC Address: 00:BC:5D:71:99:4A (XenServer)
Nmap: 1 IP address (1 host up) scanned in 0.13 seconds
- Detailed scan (no root)
shell> nmap -T4 -A -v 192.168.0.5
Starting Nmap 6.40
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 17:03
Scanning 192.168.0.5 [1 port]
Completed ARP Ping Scan at 17:03, 0.02s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 17:03
Scanning zabbix.local.net (192.168.0.5) [1000 ports]
Discovered open port 25/tcp on 192.168.0.5
Discovered open port 22/tcp on 192.168.0.5
Discovered open port 873/tcp on 192.168.0.5
Completed SYN Stealth Scan at 17:03, 0.04s elapsed (1000 total ports)
Initiating Service scan at 17:03
Scanning 3 services on zabbix.local.net (192.168.0.5)
Completed Service scan at 17:03, 0.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against zabbix.local.net (192.168.0.5)
NSE: Script scanning 192.168.0.5.
Initiating NSE at 17:03
Completed NSE at 17:03, 0.13s elapsed
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 1024 d3:87:ad:ca:6f:6e:09:ff (DSA)
|_2048 64:45:95:c9:c8:06:f1:94 (RSA)
25/tcp  open  smtp    Postfix smtpd
|_smtp-commands: zabbix.local.net, PIPELINING, SIZE 31457280, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=zabbix
| Issuer: commonName=zabbix
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2012-06-14T12:37:01+00:00
| Not valid after: 2022-06-12T12:37:01+00:00
| MD5: 5870 5ed4 9962 6bcc cc3a 37dd 2ffa 5c13
|_SHA-1: 66f3 3495 37b4 3ace b1e9 8bed 4a18 5e9a 57af 8794
|_ssl-date: 2014-05-15T15:03:18+00:00; -11s from local time.
873/tcp open  rsync   (protocol version 30)
MAC Address: 00:BC:5D:71:99:4A (XenServer)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32
Uptime guess: 196.083 days (since Thu Oct 31 14:04:32 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: zabbix.local.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms zabbix.local.net (192.168.0.5)

NSE: Script Post-scanning.
Initiating NSE at 17:03
Completed NSE at 17:03, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap: 1 IP address (1 host up) scanned in 1.93 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
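As an added example (not part of the original post), here is a small POSIX shell script that turns nmap's normal output, the same format shown in the scans above, into a per-host list of open ports and compares it against a baseline of the services you expect each host to expose. Anything not on the baseline is printed, so a service that only shows up in the full 1-65535 scan (like 10050/tcp and 10051/tcp on zabbix.local.net above) stands out for review. The scan output and the baseline are constructed inline so the script runs offline; in practice you would feed it `nmap -p 1-65535 -oN - <net>` and keep the baseline in a file. The function names `open_ports`, `unexpected_ports` and `report` are this example's own.

```shell
#!/bin/sh
# Added example: compare open ports reported by nmap against an expected baseline.

# Constructed sample in nmap's normal output format (two hosts, one of them
# with the two extra ports the full-range scan above revealed).
SAMPLE_SCAN='Starting Nmap 6.40
Nmap scan report for zabbix.local.net (192.168.0.5)
Host is up (0.00027s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
873/tcp   open  rsync
10050/tcp open  unknown
10051/tcp open  unknown
Nmap scan report for server1.local.net (192.168.0.2)
Host is up (0.00053s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.15 seconds'

# Constructed baseline: one line per host, "ip port/proto,port/proto,...".
BASELINE='192.168.0.5 22/tcp,25/tcp,873/tcp
192.168.0.2 22/tcp'

# open_ports: read nmap normal output on stdin, print "ip port/proto" for
# every port whose state is exactly "open" (open|filtered is not counted).
open_ports() {
    awk '
        /^Nmap scan report for / {
            # Last field is "(ip)" when the name resolved, else the bare ip.
            ip = $NF; gsub(/[()]/, "", ip)
        }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print ip, $1 }
    '
}

# unexpected_ports: read "ip port/proto" lines on stdin and print the ones
# that are not listed for that ip in BASELINE.
unexpected_ports() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                m = split(f[2], ports, ",")
                for (j = 1; j <= m; j++) allowed[f[1] " " ports[j]] = 1
            }
        }
        !(($1 " " $2) in allowed) { print $1, $2 }
    '
}

# report: run the whole pipeline over the sample scan.
report() {
    printf '%s\n' "$SAMPLE_SCAN" | open_ports | unexpected_ports
}

report
```

Run against the sample it prints three lines: `192.168.0.5 10050/tcp`, `192.168.0.5 10051/tcp` and `192.168.0.2 80/tcp`. Keeping the baseline under version control and running this after each scheduled scan gives you a cheap change alert for services that were started without anyone updating the inventory.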