Probing Hosts with nmap

The nmap program is a multi-purpose tool that can examine IP addresses and ports and determine the operating system of a remote machine.

Some of its features require administrator (root) privileges.

casiano@beowulf:~$ nmap -O nereida.deioc.ull.es
TCP/IP fingerprinting (for OS scan) requires root privileges.
QUITTING!

nmap as an alternative to ping

One of the simplest uses is to check whether a host is up:

nereida:~# nmap -sP somemachine

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-08 18:16 WEST
Host somemachine (193.130.112.241) appears to be up.
Nmap finished: 1 IP address (1 host up) scanned in 0.138 seconds

Port Scanning

To use it for port scanning it is enough to give the address of the machine:

remotehost:~# nmap remotehost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-08 12:58 WEST
Interesting ports on remotehost (123.130.109.241):
Not shown: 1668 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
933/tcp  open  unknown
2049/tcp open  nfs
2628/tcp open  dict
8000/tcp open  http-alt

Nmap finished: 1 IP address (1 host up) scanned in 2.130 seconds

Ranges can be specified:

nmap 172.16.2.200-250,260

The asterisk * can also be used as a wildcard:

nereida:~# nmap '190.175.101.*'

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-08 17:37 WEST
Interesting ports on router (190.175.101.1):
Not shown: 1676 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   open     telnet
135/tcp  filtered msrpc
9999/tcp open     abyss
MAC Address: 00:2B:1F:E6:A8:00 (Unknown)

All 1680 scanned ports on 190.175.101.13 are filtered
MAC Address: 00:1B:32:EF:59:9A (Unknown)
................................................

Nmap finished: 16 IP addresses (1 host up) scanned in 0.825 seconds

Subnets can be specified in CIDR notation:

mars:~# nmap 194.134.107.252/27

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-09 12:04 WEST
Interesting ports on alg14.algebra.MIT.res.uk (194.134.107.230):
Not shown: 1679 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: FF:E0:7D:D4:0C:4F (Netronix)

Interesting ports on 194.134.107.232:
Not shown: 1673 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
280/tcp  open  http-mgmt
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: FF:FF:E6:78:43:29 (Hewlett-Packard Company)

Interesting ports on alg1.algebra.MIT.res.uk (194.134.107.233):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
515/tcp  open  printer
756/tcp  open  unknown
7100/tcp open  font-service
MAC Address: FF:13:21:AE:3F:49 (Hewlett Packard)

Interesting ports on mizar.gt.MIT.res.uk (194.134.107.239):
Not shown: 1676 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:FF:F2:EB:70:94 (Asustek Computer)

Interesting ports on mars (194.134.107.252):
Not shown: 1670 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
933/tcp  open  unknown
2049/tcp open  nfs

Nmap finished: 32 IP addresses (5 hosts up) scanned in 33.284 seconds
mars:~#

Fingerprinting

Fingerprinting is the name given to the process of detecting the operating system of a machine. The -O option of nmap performs fingerprinting:

nereida:~# nmap -O -v 193.242.83.91

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-05-08 13:35 WEST
DNS resolution of 1 IPs took 11.52s.
Initiating SYN Stealth Scan against Lbateau-111-44-27-85.w193-252.willy.wonka.fr 
             (193.242.83.91) [1680 ports] at 13:35
Discovered open port 22/tcp on 193.242.83.91
Discovered open port 53/tcp on 193.242.83.91
SYN Stealth Scan Timing: About 10.37% done; ETC: 13:40 (0:04:19 remaining)
The SYN Stealth Scan took 107.36s to scan 1680 total ports.
Warning:  OS detection will be MUCH less reliable because we did not find at 
          least 1 open and 1 closed TCP port
For OSScan assuming port 22 is open, 39879 is closed, and neither are firewalled
For OSScan assuming port 22 is open, 40432 is closed, and neither are firewalled
For OSScan assuming port 22 is open, 35452 is closed, and neither are firewalled
Host Lbateau-111-44-27-85.w193-252.willy.wonka.fr (193.242.83.91) appears to be up ... good.
Interesting ports on Lbateau-111-44-27-85.w193-252.willy.wonka.fr (193.252.5.85):
Not shown: 1678 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
Device type: general purpose
Running (JUST GUESSING) : Linux 2.6.X (97%), Microsoft Windows NT/2K/XP (88%)
Aggressive OS guesses: Linux 2.6.3 or 2.6.8 (97%), 
      Microsoft Windows 2000 Server SP4 (88%), Microsoft Windows XP Pro SP1 (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime 3.166 days (since Mon May  5 09:38:32 2008)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3877295 (Good luck!)
IPID Sequence Generation: All zeros

Nmap finished: 1 IP address (1 host up) scanned in 129.275 seconds
               Raw packets sent: 6685 (296.496KB) | Rcvd: 81 (4826B)

The Nmap::Scanner Module

The Nmap::Scanner module provides a Perl API for driving scans with nmap.

nereida:~/src/perl/Nmap-scanner# cat event_ping.pl
#!/usr/bin/perl
use warnings;
use strict;

use Nmap::Scanner;
$|++;    # unbuffered STDOUT, so callback output appears immediately

my $scanner = Nmap::Scanner->new;

# The target specification comes from the command line
my $target_spec = $ARGV[0]
    or die "Missing target spec\n$0 target_spec (e.g. 192.168.1.1)\n";

$scanner->ping_scan();         # host discovery only, like nmap -sP
$scanner->ack_icmp_ping();     # combine TCP ACK and ICMP echo discovery probes
$scanner->add_target($target_spec);
$scanner->register_scan_started_event(\&scan_started);

In event-oriented mode, the user registers the events of interest, passing a callback as argument. The scanner calls the callback at the corresponding phase of the scan. The callback receives arguments describing the Nmap::Scanner::Scanner object, what has happened, and the data found.

$scanner->scan();

# Called once for each host when the scan of that host starts
sub scan_started {
    my $self = shift;    # the Nmap::Scanner::Scanner object
    my $host = shift;    # an Nmap::Scanner::Host object

    my $hostname = $host->hostname();
    my $ip       = ($host->addresses)[0]->addr();
    my $status   = $host->status;

    print "$hostname ($ip) is $status\n";
}

Five event types are supported:

The library requires the user to be root. Running it gives:

nereida:~/src/perl/Nmap-scanner# event_ping.pl beowulf
beowulf (193.145.102.240) is up
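As an added example (not part of these notes or of the Nmap::Scanner module), the same event-driven idea applied to the normal output shown in the port-scanning sections above: a small Python reader parses the "Interesting ports on" / "PORT STATE SERVICE" tables, fires port_found and no_ports_open callbacks in the style of register_*_event, and builds a defender's inventory that flags the cleartext services seen in those listings (telnet, ftp and the exec/login/shell r-services). The sample text, the NmapOutputReader class and the inventory function are constructed for this example.

```python
import re
# Constructed excerpt in nmap 4.x normal-output format (the host name is a placeholder).
SAMPLE = """\
Interesting ports on alg1.example (194.134.107.233):
PORT     STATE SERVICE
22/tcp   open  ssh

Interesting ports on 194.134.107.232:
PORT     STATE    SERVICE
23/tcp   open     telnet
135/tcp  filtered msrpc

All 1680 scanned ports on 190.175.101.13 are filtered
"""
HOST_RE = re.compile(r"^Interesting ports on (?:(\S+) \((\S+)\)|(\S+)):$")
ALL_RE = re.compile(r"^All \d+ scanned ports on (\S+) are (\w+)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
LEGACY = {"telnet", "ftp", "exec", "login", "shell"}  # cleartext and r-services

class NmapOutputReader:
    """Parses normal output and fires port_found / no_ports_open callbacks."""
    def __init__(self):
        self.handlers = {}
    def register(self, event, callback):
        self.handlers.setdefault(event, []).append(callback)
    def _emit(self, event, *args):
        for cb in self.handlers.get(event, ()):
            cb(*args)
    def feed(self, text):
        host = None
        for line in text.splitlines():
            if m := HOST_RE.match(line):
                host = {"name": m[1] or m[3], "ip": m[2] or m[3]}
            elif m := ALL_RE.match(line):
                host = None  # this host has no port table; nothing open to report
                self._emit("no_ports_open", m[1], m[2])
            elif host and (m := PORT_RE.match(line)):
                self._emit("port_found", host, {"port": int(m[1]), "state": m[3], "service": m[4]})

def inventory(text):
    """Open (port, service) pairs per host, plus the legacy services each exposes."""
    found = {}
    def on_port(host, port):
        if port["state"] == "open":
            found.setdefault(host["ip"], []).append((port["port"], port["service"]))
    reader = NmapOutputReader()
    reader.register("port_found", on_port)
    reader.feed(text)
    legacy = {ip: [s for _, s in ps if s in LEGACY] for ip, ps in found.items()}
    return found, {ip: s for ip, s in legacy.items() if s}
```

Filtered ports are deliberately left out of the inventory; only the "All ... are filtered" summary line produces an event, so a fully filtered host is still visible to the callbacks.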



Casiano Rodríguez León
2010-03-22