Nmap (Network MAPper) is an Open Source utility (and therefore free to use) for network exploration and security auditing [7]. It currently runs on (at least) the following operating systems: Linux (http://www.linux.org/), Microsoft Windows (http://www.microsoft.com/spain/windows/default.mspx), FreeBSD (http://www.freebsd.org/), OpenBSD (http://www.openbsd.org/), Solaris (http://www.sun.com/software/solaris/), IRIX (http://www.sgi.com/products/software/irix/), Mac OS X (http://www.apple.com/es/macosx/), HP-UX (http://www.hp.com/products1/unix/operating), NetBSD (http://www.netbsd.org/), Sun OS (http://en.wikipedia.org/wiki/SunOS) and AmigaOS (http://www.amiga.com/amigaos/).
root# apt-get install nmap
root# yum install nmap nmap-frontend
root# emerge nmap
Nmap can be used from the command line (nmap) or from a GUI (xnmap). Here we work only with the console version and walk through some very basic examples. Nmap is incredibly rich in options and possibilities, which should be looked up in the online manual (http://insecure.org/nmap/man/).
Port scanning consists of checking whether TCP connections can be established to the different ports, and it serves to find out which active services are based on this protocol. The scan can be carried out with standard connections or with a type of connection that Nmap calls "stealth SYN", which never actually establishes the connections, so they do not show up for the user of the scanned machine when they run netstat.
The first type (standard connection) can be run as a normal user and is the default scan type. The second (which uses the -sS flag) can only be run by the root user. Examples:
usuario$ nmap localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-28 10:44 CET
Interesting ports on localhost (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
953/tcp open  rndc

Nmap finished: 1 IP address (1 host up) scanned in 0.152 seconds

# More info!!!
usuario$ nmap -v localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-28 10:44 CET
Initiating Connect() Scan against localhost (127.0.0.1) [1680 ports] at 10:44
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 53/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 953/tcp on 127.0.0.1
The Connect() Scan took 0.04s to scan 1680 total ports.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
953/tcp open  rndc

Nmap finished: 1 IP address (1 host up) scanned in 0.154 seconds

# Now only some ports
usuario$ nmap -v -p 22,53 localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-29 08:40 CET
Initiating Connect() Scan against localhost (127.0.0.1) [2 ports] at 08:40
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 53/tcp on 127.0.0.1
The Connect() Scan took 0.00s to scan 2 total ports.
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain

Nmap finished: 1 IP address (1 host up) scanned in 0.110 seconds

# Now a range of machines, port 80 only
usuario$ nmap -v -p 80 193.147.118.128-255
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-29 08:45 CET
Machine 193.147.118.154 MIGHT actually be listening on probe port 80
Machine 193.147.118.131 MIGHT actually be listening on probe port 80
Machine 193.147.118.176 MIGHT actually be listening on probe port 80
Machine 193.147.118.170 MIGHT actually be listening on probe port 80
Machine 193.147.118.174 MIGHT actually be listening on probe port 80
Machine 193.147.118.192 MIGHT actually be listening on probe port 80
Machine 193.147.118.195 MIGHT actually be listening on probe port 80
Machine 193.147.118.196 MIGHT actually be listening on probe port 80
Machine 193.147.118.199 MIGHT actually be listening on probe port 80
Machine 193.147.118.220 MIGHT actually be listening on probe port 80
Machine 193.147.118.218 MIGHT actually be listening on probe port 80
Machine 193.147.118.217 MIGHT actually be listening on probe port 80
DNS resolution of 18 IPs took 0.00s.
Initiating Connect() Scan against 18 hosts [1 port/host] at 08:45
Discovered open port 80/tcp on 193.147.118.170
Discovered open port 80/tcp on 193.147.118.174
Discovered open port 80/tcp on 193.147.118.176
Discovered open port 80/tcp on 193.147.118.199
Discovered open port 80/tcp on 193.147.118.154
Discovered open port 80/tcp on 193.147.118.196
Discovered open port 80/tcp on 193.147.118.217
Discovered open port 80/tcp on 193.147.118.220
Discovered open port 80/tcp on 193.147.118.192
Discovered open port 80/tcp on 193.147.118.218
Discovered open port 80/tcp on 193.147.118.195
Discovered open port 80/tcp on 193.147.118.131
The Connect() Scan took 0.00s to scan 18 total ports.
Host 193.147.118.131 appears to be up ... good.
Interesting ports on 193.147.118.131:
PORT   STATE SERVICE
80/tcp open  http

Host 193.147.118.145 appears to be up ... good.
Interesting ports on 193.147.118.145:
PORT   STATE  SERVICE
80/tcp closed http

Host tornasol.ual.es (193.147.118.154) appears to be up ... good.
Interesting ports on tornasol.ual.es (193.147.118.154):
PORT   STATE SERVICE
80/tcp open  http

Host 193.147.118.170 appears to be up ... good.
Interesting ports on 193.147.118.170:
PORT   STATE SERVICE
80/tcp open  http

Host invernadero.ual.es (193.147.118.174) appears to be up ... good.
Interesting ports on invernadero.ual.es (193.147.118.174):
PORT   STATE SERVICE
80/tcp open  http

Host sauce.ual.es (193.147.118.176) appears to be up ... good.
Interesting ports on sauce.ual.es (193.147.118.176):
PORT   STATE SERVICE
80/tcp open  http

Host 193.147.118.192 appears to be up ... good.
Interesting ports on 193.147.118.192:
PORT   STATE SERVICE
80/tcp open  http

Host www.dgpaa.ual.es (193.147.118.195) appears to be up ... good.
Interesting ports on www.dgpaa.ual.es (193.147.118.195):
PORT   STATE SERVICE
80/tcp open  http

Host indalo.ual.es (193.147.118.196) appears to be up ... good.
Interesting ports on indalo.ual.es (193.147.118.196):
PORT   STATE SERVICE
80/tcp open  http

Host acacia.ual.es (193.147.118.199) appears to be up ... good.
Interesting ports on acacia.ual.es (193.147.118.199):
PORT   STATE SERVICE
80/tcp open  http

Host 193.147.118.201 appears to be up ... good.
Interesting ports on 193.147.118.201:
PORT   STATE  SERVICE
80/tcp closed http

Host 193.147.118.206 appears to be up ... good.
Interesting ports on 193.147.118.206:
PORT   STATE  SERVICE
80/tcp closed http

Host aer.ual.es (193.147.118.217) appears to be up ... good.
Interesting ports on aer.ual.es (193.147.118.217):
PORT   STATE SERVICE
80/tcp open  http

Host lsi.ual.es (193.147.118.218) appears to be up ... good.
Interesting ports on lsi.ual.es (193.147.118.218):
PORT   STATE SERVICE
80/tcp open  http

Host 193.147.118.220 appears to be up ... good.
Interesting ports on 193.147.118.220:
PORT   STATE SERVICE
80/tcp open  http

Host libras.ual.es (193.147.118.234) appears to be up ... good.
Interesting ports on libras.ual.es (193.147.118.234):
PORT   STATE  SERVICE
80/tcp closed http

Host desaveal.ual.es (193.147.118.238) appears to be up ... good.
Interesting ports on desaveal.ual.es (193.147.118.238):
PORT   STATE  SERVICE
80/tcp closed http

Host cabezon.ual.es (193.147.118.244) appears to be up ... good.
Interesting ports on cabezon.ual.es (193.147.118.244):
PORT   STATE  SERVICE
80/tcp closed http

Nmap finished: 128 IP addresses (18 hosts up) scanned in 1.317 seconds
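
What the scanned machine sees during the standard-connection (Connect()) scan described above, as an added example that is not part of the original text: the probe completes the TCP handshake, so the target's accept() returns the prober's address and the connection can be logged. The function names and the loopback listener are assumptions made for the demonstration.

```python
import errno
import socket

def connect_probe(host, port, timeout=1.0):
    """Classify a TCP port as a connect() scan does: full handshake or refusal."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"  # timeout or other error: no definite answer

def demo():
    # Constructed target: a listener on an ephemeral loopback port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(1.0)
    open_port = listener.getsockname()[1]

    # A port that was just released, so nothing is listening on it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    states = {
        "listening": connect_probe("127.0.0.1", open_port),
        "released": connect_probe("127.0.0.1", closed_port),
    }

    # Target side: the handshake completed, so accept() hands the service
    # a real connection carrying the prober's source address.
    conn, peer = listener.accept()
    conn.close()
    listener.close()
    states["seen_by_target"] = peer[0]
    return states

if __name__ == "__main__":
    print(demo())
```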
Root only. Nmap sends a specific collection of packets to the remote system to try to guess the operating system it runs. Example:
root# nmap -O localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-28 10:48 CET
Interesting ports on localhost (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
953/tcp open  rndc
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or Gentoo 1.2\
Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10

Nmap finished: 1 IP address (1 host up) scanned in 2.049 seconds
Some services are offered only over UDP. This type of scan is used to discover them. An example (root only):
root# nmap -sU localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-29 08:56 CET
Interesting ports on localhost (127.0.0.1):
Not shown: 1486 closed ports
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap finished: 1 IP address (1 host up) scanned in 1.288 seconds
Now another example, in which we scan a range of IP addresses using the ICMP Echo Request message. Example:
usuario$ nmap -sP 193.147.118.*
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-29 08:59 CET
Host 193.147.118.1 appears to be up.
Host 193.147.118.2 appears to be up.
Host 193.147.118.3 appears to be up.
Host 193.147.118.5 appears to be up.
Host 193.147.118.21 appears to be up.
Host 193.147.118.24 appears to be up.
Host 193.147.118.25 appears to be up.
Host 193.147.118.26 appears to be up.
Host 193.147.118.27 appears to be up.
Host 193.147.118.28 appears to be up.
Host 193.147.118.29 appears to be up.
Host 193.147.118.30 appears to be up.
Host 193.147.118.38 appears to be up.
Host indalog.ual.es (193.147.118.39) appears to be up.
Host 193.147.118.40 appears to be up.
Host 193.147.118.43 appears to be up.
Host 193.147.118.45 appears to be up.
Host europa.ace.ual.es (193.147.118.46) appears to be up.
Host 193.147.118.47 appears to be up.
Host 193.147.118.48 appears to be up.
Host 193.147.118.49 appears to be up.
Host vermeer.ace.ual.es (193.147.118.50) appears to be up.
Host iron.ace.ual.es (193.147.118.54) appears to be up.
Host dali.ace.ual.es (193.147.118.56) appears to be up.
Host gogh.ace.ual.es (193.147.118.57) appears to be up.
Host renoir.ace.ual.es (193.147.118.61) appears to be up.
Host caesarg.ace.ual.es (193.147.118.67) appears to be up.
Host 193.147.118.73 appears to be up.
Host davinci.ace.ual.es (193.147.118.77) appears to be up.
Host 193.147.118.80 appears to be up.
Host 193.147.118.81 appears to be up.
Host io.ace.ual.s (193.147.118.89) appears to be up.
Host 193.147.118.92 appears to be up.
Host 193.147.118.131 appears to be up.
Host 193.147.118.145 appears to be up.
Host tornasol.ual.es (193.147.118.154) appears to be up.
Host 193.147.118.170 appears to be up.
Host invernadero.ual.es (193.147.118.174) appears to be up.
Host sauce.ual.es (193.147.118.176) appears to be up.
Host 193.147.118.192 appears to be up.
Host www.dgpaa.ual.es (193.147.118.195) appears to be up.
Host indalo.ual.es (193.147.118.196) appears to be up.
Host acacia.ual.es (193.147.118.199) appears to be up.
Host 193.147.118.201 appears to be up.
Host 193.147.118.206 appears to be up.
Host aer.ual.es (193.147.118.217) appears to be up.
Host lsi.ual.es (193.147.118.218) appears to be up.
Host 193.147.118.220 appears to be up.
Host libras.ual.es (193.147.118.234) appears to be up.
Host desaveal.ual.es (193.147.118.238) appears to be up.
Host cabezon.ual.es (193.147.118.244) appears to be up.
Nmap finished: 256 IP addresses (51 hosts up) scanned in 1.892 seconds
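
For the security-auditing use mentioned at the start, the port tables printed in the examples above can be checked against the services each host is expected to offer. This is an added example, not part of the original text; the baseline, the function names and the 192.0.2.10 host are assumptions, and the parser covers only the "Interesting ports on ..." layout shown on this page.

```python
import re

# Constructed sample: the localhost table from this page plus a made-up host.
SAMPLE = """\
Interesting ports on localhost (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
53/tcp  open  domain
953/tcp open  rndc

Interesting ports on 192.0.2.10:
PORT   STATE         SERVICE
80/tcp closed        http
53/udp open|filtered domain
"""
# Hypothetical baseline: the services each host is expected to expose.
BASELINE = {"127.0.0.1": {(22, "tcp"), (25, "tcp"), (53, "tcp"), (953, "tcp")}}

HOST_RE = re.compile(r"^Interesting ports on (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?:$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_ports(text):
    """Return {ip: {(port, proto): (state, service)}} from Nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return hosts

def unexpected_open(hosts, baseline):
    """List (ip, port, proto, service) entries that are open but not in the baseline."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        allowed = baseline.get(ip, set())
        for (port, proto), (state, service) in sorted(ports.items()):
            # "open|filtered" (UDP with no reply) is kept: it still needs review.
            if state.startswith("open") and (port, proto) not in allowed:
                findings.append((ip, port, proto, service))
    return findings

if __name__ == "__main__":
    for finding in unexpected_open(parse_ports(SAMPLE), BASELINE):
        print("unexpected: %s %d/%s (%s)" % finding)
```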