Nmap (Network MAPper) is an open-source utility (and therefore free to use)
for network exploration and security auditing [7].
It currently runs on (at least) the following operating systems:
Linux (http://www.linux.org/), Microsoft Windows
(http://www.microsoft.com/spain/windows/default.mspx), FreeBSD
(http://www.freebsd.org/), OpenBSD (http://www.openbsd.org/),
Solaris (http://www.sun.com/software/solaris/), IRIX
(http://www.sgi.com/products/software/irix/), Mac OS X
(http://www.apple.com/es/macosx/), HP-UX (http://www.hp.com/products1/unix/operating),
NetBSD (http://www.netbsd.org/), Sun OS (http://en.wikipedia.org/wiki/SunOS)
and AmigaOS (http://www.amiga.com/amigaos/).
Debian Linux:
root# apt-get install nmap

Fedora Core Linux:
root# yum install nmap nmap-frontend

Gentoo Linux:
root# emerge nmap
_____________________________________________________________
Workshop D.6: Install Nmap.
_____________________________________________________________
Nmap can be used from the command line (nmap) or from a GUI (xnmap).
Here we work only with the console version and explain a few very
basic examples. Nmap is incredibly rich in options and possibilities, which should be looked up
in the online manual (http://insecure.org/nmap/man/).
Port scanning consists of checking whether TCP connections can be established to the
different ports, and it is used to find out which active services are based on this
protocol. The scan can be carried out with standard connections or with a type of
connection that Nmap calls "SYN stealth", which never actually establishes the
connections; they therefore do not show up for the user of the scanned machine when
that user runs netstat.
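The standard-connection case described above, as an added example that is not part of the original text: a loopback-only Python sketch showing that a completed connect() is handed to the listening application, which is why this kind of probe is visible on the scanned machine. The names connect_probe and demo are hypothetical, and both test ports are created by the script itself on 127.0.0.1.

```python
import errno
import socket
import threading

def connect_probe(host, port, timeout=1.0):
    """Classify one TCP port the way a standard connect() scan does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))   # full three-way handshake if it succeeds
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:          # peer answered with RST
        return "closed"
    return "filtered"                     # timeout or other error: no clear answer

def demo():
    """Probe a loopback listener and a non-listening port; return what each side saw."""
    seen = []                             # peers the listening application was handed
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the kernel pick a free port
    listener.listen(5)

    def serve():
        conn, peer = listener.accept()    # returns only for a completed handshake
        seen.append(peer)
        conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    # Bound but not listening: the kernel refuses connections to this port.
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))

    results = {
        "listening": connect_probe("127.0.0.1", listener.getsockname()[1]),
        "not listening": connect_probe("127.0.0.1", idle.getsockname()[1]),
    }
    worker.join(timeout=2)
    idle.close()
    listener.close()
    return results, seen

if __name__ == "__main__":
    print(demo())
```

The peer address recorded in seen is what a service can write to its own logs for every such probe.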
The first type (standard connection) can be run as a normal user and is the default
scan type. The second (which uses the -sS flag) can only be run by the
root user. Examples:
usuario$ nmap localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-28 10:44 CET
Interesting ports on localhost (127.0.0.1):
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
953/tcp open rndc
Nmap finished: 1 IP address (1 host up) scanned in 0.152 seconds
# More info!!!
usuario$ nmap -v localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-28 10:44 CET
Initiating Connect() Scan against localhost (127.0.0.1) [1680 ports] at 10:44
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 53/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 953/tcp on 127.0.0.1
The Connect() Scan took 0.04s to scan 1680 total ports.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
953/tcp open rndc
Nmap finished: 1 IP address (1 host up) scanned in 0.154 seconds
# Now only some ports
usuario$ nmap -v -p 22,53 localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-29 08:40 CET
Initiating Connect() Scan against localhost (127.0.0.1) [2 ports] at 08:40
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 53/tcp on 127.0.0.1
The Connect() Scan took 0.00s to scan 2 total ports.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
Nmap finished: 1 IP address (1 host up) scanned in 0.110 seconds
# Now a range of machines, port 80 only
usuario$ nmap -v -p 80 193.147.118.128-255
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-29 08:45 CET
Machine 193.147.118.154 MIGHT actually be listening on probe port 80
Machine 193.147.118.131 MIGHT actually be listening on probe port 80
Machine 193.147.118.176 MIGHT actually be listening on probe port 80
Machine 193.147.118.170 MIGHT actually be listening on probe port 80
Machine 193.147.118.174 MIGHT actually be listening on probe port 80
Machine 193.147.118.192 MIGHT actually be listening on probe port 80
Machine 193.147.118.195 MIGHT actually be listening on probe port 80
Machine 193.147.118.196 MIGHT actually be listening on probe port 80
Machine 193.147.118.199 MIGHT actually be listening on probe port 80
Machine 193.147.118.220 MIGHT actually be listening on probe port 80
Machine 193.147.118.218 MIGHT actually be listening on probe port 80
Machine 193.147.118.217 MIGHT actually be listening on probe port 80
DNS resolution of 18 IPs took 0.00s.
Initiating Connect() Scan against 18 hosts [1 port/host] at 08:45
Discovered open port 80/tcp on 193.147.118.170
Discovered open port 80/tcp on 193.147.118.174
Discovered open port 80/tcp on 193.147.118.176
Discovered open port 80/tcp on 193.147.118.199
Discovered open port 80/tcp on 193.147.118.154
Discovered open port 80/tcp on 193.147.118.196
Discovered open port 80/tcp on 193.147.118.217
Discovered open port 80/tcp on 193.147.118.220
Discovered open port 80/tcp on 193.147.118.192
Discovered open port 80/tcp on 193.147.118.218
Discovered open port 80/tcp on 193.147.118.195
Discovered open port 80/tcp on 193.147.118.131
The Connect() Scan took 0.00s to scan 18 total ports.
Host 193.147.118.131 appears to be up ... good.
Interesting ports on 193.147.118.131:
PORT STATE SERVICE
80/tcp open http
Host 193.147.118.145 appears to be up ... good.
Interesting ports on 193.147.118.145:
PORT STATE SERVICE
80/tcp closed http
Host tornasol.ual.es (193.147.118.154) appears to be up ... good.
Interesting ports on tornasol.ual.es (193.147.118.154):
PORT STATE SERVICE
80/tcp open http
Host 193.147.118.170 appears to be up ... good.
Interesting ports on 193.147.118.170:
PORT STATE SERVICE
80/tcp open http
Host invernadero.ual.es (193.147.118.174) appears to be up ... good.
Interesting ports on invernadero.ual.es (193.147.118.174):
PORT STATE SERVICE
80/tcp open http
Host sauce.ual.es (193.147.118.176) appears to be up ... good.
Interesting ports on sauce.ual.es (193.147.118.176):
PORT STATE SERVICE
80/tcp open http
Host 193.147.118.192 appears to be up ... good.
Interesting ports on 193.147.118.192:
PORT STATE SERVICE
80/tcp open http
Host www.dgpaa.ual.es (193.147.118.195) appears to be up ... good.
Interesting ports on www.dgpaa.ual.es (193.147.118.195):
PORT STATE SERVICE
80/tcp open http
Host indalo.ual.es (193.147.118.196) appears to be up ... good.
Interesting ports on indalo.ual.es (193.147.118.196):
PORT STATE SERVICE
80/tcp open http
Host acacia.ual.es (193.147.118.199) appears to be up ... good.
Interesting ports on acacia.ual.es (193.147.118.199):
PORT STATE SERVICE
80/tcp open http
Host 193.147.118.201 appears to be up ... good.
Interesting ports on 193.147.118.201:
PORT STATE SERVICE
80/tcp closed http
Host 193.147.118.206 appears to be up ... good.
Interesting ports on 193.147.118.206:
PORT STATE SERVICE
80/tcp closed http
Host aer.ual.es (193.147.118.217) appears to be up ... good.
Interesting ports on aer.ual.es (193.147.118.217):
PORT STATE SERVICE
80/tcp open http
Host lsi.ual.es (193.147.118.218) appears to be up ... good.
Interesting ports on lsi.ual.es (193.147.118.218):
PORT STATE SERVICE
80/tcp open http
Host 193.147.118.220 appears to be up ... good.
Interesting ports on 193.147.118.220:
PORT STATE SERVICE
80/tcp open http
Host libras.ual.es (193.147.118.234) appears to be up ... good.
Interesting ports on libras.ual.es (193.147.118.234):
PORT STATE SERVICE
80/tcp closed http
Host desaveal.ual.es (193.147.118.238) appears to be up ... good.
Interesting ports on desaveal.ual.es (193.147.118.238):
PORT STATE SERVICE
80/tcp closed http
Host cabezon.ual.es (193.147.118.244) appears to be up ... good.
Interesting ports on cabezon.ual.es (193.147.118.244):
PORT STATE SERVICE
80/tcp closed http
Nmap finished: 128 IP addresses (18 hosts up) scanned in 1.317 seconds
Root only. Nmap sends a collection of specific packets to the remote system
to try to guess the operating system it is running. Example:
root# nmap -O localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-28 10:48 CET
Interesting ports on localhost (127.0.0.1):
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
953/tcp open rndc
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2\
Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10
Nmap finished: 1 IP address (1 host up) scanned in 2.049 seconds
__________________________________________________________________
Workshop D.7: Try the previous commands. Be imaginative and do not
make anyone angry :-)
_________________________________________________________________________
Some services are offered only over UDP. This type of scan (-sU) is used to
discover them. An example (root only):
root# nmap -sU localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-29 08:56 CET
Interesting ports on localhost (127.0.0.1):
Not shown: 1486 closed ports
PORT STATE SERVICE
53/udp open|filtered domain
Nmap finished: 1 IP address (1 host up) scanned in 1.288 seconds
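For auditing, the port tables printed by the scans above can be turned into an inventory and compared with the services each host is expected to offer. The following Python sketch is an added example, not part of the original text; the sample output is constructed (documentation addresses from 192.0.2.0/24, invented hostname) and the names parse and unexpected_open are hypothetical.

```python
import re

# Constructed sample in the Nmap 4.11 output format shown above.
SAMPLE = """\
Host 192.0.2.10 appears to be up ... good.
Interesting ports on 192.0.2.10:
PORT STATE SERVICE
80/tcp open http
Host www.example.test (192.0.2.11) appears to be up ... good.
Interesting ports on www.example.test (192.0.2.11):
Not shown: 1675 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/udp open|filtered domain
80/tcp closed http
Nmap finished: 2 IP addresses (2 hosts up) scanned in 0.1 seconds
"""

# Header with or without a resolved name: "name (ip):" or "ip:".
HEADER = re.compile(r"^Interesting ports on (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?:$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse(text):
    """Return {ip: {"name": str or None, "ports": {(port, proto): (state, service)}}}."""
    inventory, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = inventory.setdefault(m.group(2), {"name": m.group(1), "ports": {}})
            continue
        m = PORT.match(line)
        if m and current is not None:
            current["ports"][(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return inventory

def unexpected_open(inventory, allowed):
    """List ports reported open (or open|filtered) that are not in the allow-list."""
    findings = []
    for ip, host in sorted(inventory.items()):
        for (port, proto), (state, service) in sorted(host["ports"].items()):
            if state.startswith("open") and (port, proto) not in allowed.get(ip, set()):
                findings.append((ip, port, proto, state, service))
    return findings

if __name__ == "__main__":
    allowed = {"192.0.2.10": {(80, "tcp")}, "192.0.2.11": {(22, "tcp")}}
    print(unexpected_open(parse(SAMPLE), allowed))
```

The ambiguous UDP state open|filtered is deliberately reported, since Nmap could not confirm that the port is closed.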
Here is another example, in which we scan a range of IP addresses using the
Echo Request message of the ICMP protocol. Example:
usuario$ nmap -sP 193.147.118.*
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-29 08:59 CET
Host 193.147.118.1 appears to be up.
Host 193.147.118.2 appears to be up.
Host 193.147.118.3 appears to be up.
Host 193.147.118.5 appears to be up.
Host 193.147.118.21 appears to be up.
Host 193.147.118.24 appears to be up.
Host 193.147.118.25 appears to be up.
Host 193.147.118.26 appears to be up.
Host 193.147.118.27 appears to be up.
Host 193.147.118.28 appears to be up.
Host 193.147.118.29 appears to be up.
Host 193.147.118.30 appears to be up.
Host 193.147.118.38 appears to be up.
Host indalog.ual.es (193.147.118.39) appears to be up.
Host 193.147.118.40 appears to be up.
Host 193.147.118.43 appears to be up.
Host 193.147.118.45 appears to be up.
Host europa.ace.ual.es (193.147.118.46) appears to be up.
Host 193.147.118.47 appears to be up.
Host 193.147.118.48 appears to be up.
Host 193.147.118.49 appears to be up.
Host vermeer.ace.ual.es (193.147.118.50) appears to be up.
Host iron.ace.ual.es (193.147.118.54) appears to be up.
Host dali.ace.ual.es (193.147.118.56) appears to be up.
Host gogh.ace.ual.es (193.147.118.57) appears to be up.
Host renoir.ace.ual.es (193.147.118.61) appears to be up.
Host caesarg.ace.ual.es (193.147.118.67) appears to be up.
Host 193.147.118.73 appears to be up.
Host davinci.ace.ual.es (193.147.118.77) appears to be up.
Host 193.147.118.80 appears to be up.
Host 193.147.118.81 appears to be up.
Host io.ace.ual.s (193.147.118.89) appears to be up.
Host 193.147.118.92 appears to be up.
Host 193.147.118.131 appears to be up.
Host 193.147.118.145 appears to be up.
Host tornasol.ual.es (193.147.118.154) appears to be up.
Host 193.147.118.170 appears to be up.
Host invernadero.ual.es (193.147.118.174) appears to be up.
Host sauce.ual.es (193.147.118.176) appears to be up.
Host 193.147.118.192 appears to be up.
Host www.dgpaa.ual.es (193.147.118.195) appears to be up.
Host indalo.ual.es (193.147.118.196) appears to be up.
Host acacia.ual.es (193.147.118.199) appears to be up.
Host 193.147.118.201 appears to be up.
Host 193.147.118.206 appears to be up.
Host aer.ual.es (193.147.118.217) appears to be up.
Host lsi.ual.es (193.147.118.218) appears to be up.
Host 193.147.118.220 appears to be up.
Host libras.ual.es (193.147.118.234) appears to be up.
Host desaveal.ual.es (193.147.118.238) appears to be up.
Host cabezon.ual.es (193.147.118.244) appears to be up.
Nmap finished: 256 IP addresses (51 hosts up) scanned in 1.892 seconds
__________________________________________________________________
Workshop D.8: Find the hosts that are powered on in your private network.
________________