
nmap and tcpdump commands. Scanning a network.


Commands to scan a network, check whether traffic at some point has stopped flowing, or find out who on the network is eating all the bandwidth. Also a way to find vulnerabilities in your own platform and possible security holes: a port scan tells you what each host exposes (and, with version detection, which software is answering), and a packet capture tells you what is actually crossing the wire.

nmap - Network exploration tool and security / port scanner

We install nmap on the server from the distribution's RPM (version 4.11 here, an old release; current versions print "Nmap scan report for" instead of "Interesting ports on" and write -P0 as -Pn):

```
[root@pventura Server]# rpm -ivh nmap-4.11-1.1.x86_64.rpm
Preparing...                ########################################### [100%]
   1:nmap                   ########################################### [100%]
[root@pventura Server]#
```

First, scanning a single IP:

```
# nmap 192.168.1.161

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-26 21:25 CEST
Interesting ports on 192.168.1.161:
Not shown: 1675 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
796/tcp open  unknown
912/tcp open  unknown
MAC Address: 00:26:B9:84:9C:06 (Unknown)

Nmap finished: 1 IP address (1 host up) scanned in 11.183 seconds
[root@pventura Server]#
```

With no options nmap runs a TCP SYN scan (it is running as root) against the 1680 ports in its default list; "Not shown: 1675 closed ports" accounts for the rest. 135, 139 and 445 open together are the usual signature of a Windows host. The MAC Address line is learned via ARP and only appears when the scanner sits on the same Ethernet segment as the target.

Scanning a range of IPs:

```
# nmap 192.168.1.20-30

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-26 21:33 CEST
Interesting ports on 192.168.1.20:
Not shown: 1672 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
129/tcp  open  pwdgen
139/tcp  open  netbios-ssn
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:1C:EE:43:0D:E9 (Unknown)

Interesting ports on 192.168.1.21:
Not shown: 1678 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
515/tcp open  printer
MAC Address: 08:00:37:32:96:28 (Fuji-xerox CO.)

Interesting ports on 192.168.1.22:
Not shown: 1675 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
515/tcp  open  printer
9100/tcp open  jetdirect
MAC Address: 00:1B:A9:0C:BD:F7 (Unknown)

Interesting ports on 192.168.1.30:
Not shown: 1671 closed ports
PORT     STATE SERVICE
49/tcp   open  tacacs
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
2000/tcp open  callbook
2001/tcp open  dc
2002/tcp open  globe
MAC Address: 00:80:AD:07:C8:38 (Cnet Technology)

Nmap finished: 11 IP addresses (4 hosts up) scanned in 1.505 seconds
[root@pventura Server]#
```

Three of the four hosts are network printers (515/printer and 9100/jetdirect), and two of those also answer on ftp and telnet, both of which carry credentials in the clear. Note that the SERVICE column here is only the name nmap-services assigns to the port number, not the result of talking to the service (1025 "NFS-or-IIS" makes that obvious); use -sV or -A to identify what is really listening.

Scanning a range given as a CIDR mask:

```
# nmap 192.168.1.0/30

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-26 21:35 CEST
Interesting ports on 192.168.1.1:
Not shown: 1678 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
23/tcp open  telnet
MAC Address: 40:4A:03:84:D0:2D (Unknown)

Interesting ports on 192.168.1.2:
Not shown: 1677 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: 40:4A:03:69:E9:66 (Unknown)

Interesting ports on 192.168.1.3:
Not shown: 1675 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1040/tcp open  netsaint
3389/tcp open  ms-term-serv
MAC Address: 00:03:FF:32:03:61 (Microsoft)

Nmap finished: 4 IP addresses (3 hosts up) scanned in 24.545 seconds
[root@pventura Server]#
```

/30 covers the four addresses 192.168.1.0 to 192.168.1.3, and nmap probes all of them. Compare the "Not shown" lines: .1 and .3 answer unused ports with a RST ("closed"), whereas .2 silently drops everything except 53, 80 and 443 ("filtered"), which means a packet filter is in front of it. Filtered ports are also why this scan of four addresses took 24 seconds while the previous one covered eleven in 1.5: nmap has to wait for timeouts instead of getting an immediate RST.

Detect the operating system:

```
# nmap -O 192.168.1.2

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-26 21:59 CEST
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.1.2:
Not shown: 1677 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: 40:4A:03:69:E9:66 (Unknown)
Device type: firewall|general purpose
Running: Checkpoint Windows NT/2K/XP, Linux 2.4.X
OS details: Checkpoint SecurePlatform NG FP3, Linux 2.4.20

Nmap finished: 1 IP address (1 host up) scanned in 67.997 seconds
```

OS detection needs root and works by comparing the target's replies to a set of crafted probes against nmap's fingerprint database; to get a full set of replies it wants at least one open and one closed TCP port. 192.168.1.2 filters everything except three open ports, hence the warning and the loose result: "Checkpoint SecurePlatform NG FP3, Linux 2.4.20" is a list of candidate matches, not a confirmed identification, although a box with DNS, HTTP and HTTPS open and everything else filtered is consistent with a firewall/gateway appliance.

As you can see, scanning a single IP takes longer as options are added: 68 seconds here, against 24 for three hosts without -O.

Get more information about the ports and the software behind them:

```
# nmap -A -T4 192.168.1.241

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-26 21:53 CEST
Interesting ports on academia-jafc.com (192.168.1.241):
Not shown: 1668 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain
80/tcp   open  http        Apache httpd
110/tcp  open  pop3        Dovecot pop3d
111/tcp  open  rpc
143/tcp  open  imap        Dovecot imapd
443/tcp  open  http        Apache httpd
669/tcp  open  rpc
993/tcp  open  ssl/imap    Dovecot imapd
995/tcp  open  ssl/pop3    Dovecot pop3d
6969/tcp open  ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port6969-TCP:V=4.11%T=SSL%I=7%D=4/26%Time=4DB722EE%P=x86_64-redhat-linux-gnu%r(GetRequest,A2E,"HTTP/1.0\x20200\x20Document\x20follows\r\nDate:\x2
SF:0Tue,\x2026\x20Apr\x202011\x2019:54:22\x20GMT\r\nServer:\x20MiniServ/1
SF:.530\r\nConnection:\x20close\r\nSet-Cookie:\x20testing=1;\x20path=/;\x2
SF:0secure\r\nContent-type:\x20text/html;\x20Charset=iso-8859-1\r\n\r\n<!d
SF:octype\x20html\x20public\x20\"-//W3C//DTD\x20HTML\x203.2\x20Final//EN
SF:\">\n\n\n<>\n<></script>\n\n<></script>\n\n\nIngreso\x20a\x20Webmin</head>\n<bod
SF:>\n<table\x20class='header'\x20
SF:width=100%>\n<td\x20id='headln2l'\x20width=15%\x20valign=top\x20ali
SF:gn=left>")%r(HTTPOptions,A2E,"HTTP/1.0\x20200\x20Document\x20follows\r
SF:\nDate:\x20Tue,\x2026\x20Apr\x202011\x2019:54:22\x20GMT\r\nServer:\x20M
SF:iniServ/1.530\r\nConnection:\x20close\r\nSet-Cookie:\x20testing=1;\x20
SF:path=/;\x20secure\r\nContent-type:\x20text/html;\x20Charset=iso-8859-1
SF:\r\n\r\n<!doctype\x20html\x20public\x20\"-//W3C//DTD\x20HTML\x203.2\x20
SF:Final//EN\">\n\n\n<>\n<></script>\n\n<></script>\n\n\nIngreso\x20a\x20Webmin</h
SF:ead>\n<>\n<table\x20class='h
SF:eader'\x20width=100%>\n<td\x20id='headln2l'\x20width=15%\x20valign=
SF:top\x20align=left>");
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=x86_64-redhat-linux-gnu%D=4/26%Tm=4DB72334%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=36AB1D%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=36AAF4%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=36AB0F%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.033 days (since Tue Apr 26 21:07:50 2011)
Service Info: Host: mail.filaizq.com

Nmap finished: 1 IP address (1 host up) scanned in 97.782 seconds
[root@pventura Server]#
```

-A combines version detection (-sV) and OS detection (-O); -T4 is a faster timing template. Version detection is what fills the VERSION column, so this is the scan to trust over the bare port-number guesses of the earlier ones. Two findings stand out. The "unrecognized" TLS service on 6969/tcp is not unknown at all: the fingerprint nmap printed contains the banner, Server: MiniServ/1.530 with the page title "Ingreso a Webmin", so this is a Webmin administration interface on a non-standard port, reachable from the LAN. And pop3 (110) and imap (143) are open next to their TLS counterparts (995, 993), so mail clients can still log in with cleartext passwords. "No exact OS matches" means nothing in the database fit, so nmap dumps the raw TCP/IP fingerprint for submission; the Service Info host name comes from a service banner collected during version detection.

There are setups in which a server pretends to be switched off, or simply blocks ping and the other probes nmap uses for host discovery; nmap then reports the host as down and scans nothing. Force the scan of an IP anyway:

```
# nmap -P0 -O -PA 192.168.1.2

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-26 22:03 CEST
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.1.2:
Not shown: 1677 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: 40:4A:03:69:E9:66 (Unknown)
Device type: firewall|general purpose
Running: Checkpoint Windows NT/2K/XP, Linux 2.4.X
OS details: Checkpoint SecurePlatform NG FP3, Linux 2.4.20

Nmap finished: 1 IP address (1 host up) scanned in 22.243 seconds
```

-P0 (spelled -Pn in current nmap releases) skips host discovery entirely and port-scans the target as if it were up. -PA is a TCP ACK ping, a discovery probe that gets through some stateless filters that drop ICMP echo. Here the host was reachable on the LAN anyway, so the open ports and the OS guesses are the same as in the plain -O run.
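Once the scans above have been run over a range, the next step is triage: which hosts expose cleartext login services (the ftp and telnet on the printers and the router, the pop3 and imap on the mail server). The following is an added example, not code from the original post. It parses nmap's normal output (the text format shown above, in both the 4.x "Interesting ports on" and the current "Nmap scan report for" header styles) with awk and flags open ftp, telnet, pop3 and imap. The scan text embedded in it is constructed in that layout for the example, not a real capture.

```sh
#!/bin/sh
# Added example: triage nmap "normal" output to find hosts that expose
# cleartext login services. Not part of the original post.

# Constructed sample (not a real capture): two 4.11-style host blocks and one
# block in the newer "Nmap scan report for ..." header style, with a VERSION
# column as produced by -sV / -A.
SAMPLE_NMAP='Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-26 21:33 CEST
Interesting ports on 192.168.1.20:
Not shown: 1672 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
9100/tcp open  jetdirect
MAC Address: 00:1C:EE:43:0D:E9 (Unknown)
Interesting ports on 192.168.1.21:
Not shown: 1678 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
515/tcp open  printer
MAC Address: 08:00:37:32:96:28 (Fuji-xerox CO.)
Nmap scan report for academia-jafc.com (192.168.1.241)
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 4.3 (protocol 2.0)
23/tcp   filtered telnet
110/tcp  open     pop3     Dovecot pop3d
993/tcp  open     ssl/imap Dovecot imapd
Nmap finished: 11 IP addresses (3 hosts up) scanned in 1.505 seconds'

# parse_nmap: nmap normal output on stdin -> "host port proto state service",
# one line per port line. Handles both the 4.x "Interesting ports on X:" header
# and the current "Nmap scan report for X" header; a "name (ip)" header yields
# the ip.
parse_nmap() {
  awk '
    /^Interesting ports on / || /^Nmap scan report for / {
      host = $NF; gsub(/[():]/, "", host); next
    }
    /^[0-9]+\/(tcp|udp)[ \t]/ {
      split($1, p, "/")
      print host, p[1], p[2], $2, $3
    }'
}

# cleartext_hosts: keep only OPEN ports whose service sends credentials in the
# clear. ssl/pop3 and ssl/imap are left out on purpose; "filtered" is not open.
cleartext_hosts() {
  awk '$4 == "open" && ($5 == "ftp" || $5 == "telnet" || $5 == "pop3" || $5 == "imap") {
    print $1, $2, $5
  }'
}

# open_ports_per_host: quick inventory, one line per host, sorted by address.
open_ports_per_host() {
  awk '$4 == "open" { n[$1]++ } END { for (h in n) print h, n[h] }' | sort
}

triage() {
  echo "== open ports per host =="
  printf '%s\n' "$SAMPLE_NMAP" | parse_nmap | open_ports_per_host
  echo "== cleartext login services (host port service) =="
  printf '%s\n' "$SAMPLE_NMAP" | parse_nmap | cleartext_hosts
}

triage
```

Against a real scan the same functions are used as a pipeline, for instance nmap 192.168.1.0/24 | parse_nmap | cleartext_hosts, or parse_nmap < scan.txt on output saved earlier. On the sample, 192.168.1.241's telnet is not reported because its state is filtered, and its imap on 993 is not reported because it is the ssl/imap variant; that is the distinction worth keeping in a triage script.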

TCPDUMP

tcpdump is a command-line tool whose main job is to analyse the traffic going over the network. It captures and displays, in real time, the packets sent and received on the network the machine is attached to. To do so it puts the network card into promiscuous mode, so the card listens to everything on the wire whether it was addressed to it or not. An interface in promiscuous mode on a host where you did not enable it is bad news: someone is sniffing, possibly as part of a man-in-the-middle attack. On Linux, ip link show lists PROMISC among the interface flags while a capture is running. Bear in mind that on a switched network a promiscuous interface still only sees its own traffic plus broadcasts; to capture other hosts' conversations you need a mirror (SPAN) port on the switch or an active man in the middle such as ARP spoofing, which is exactly why that flag on an unexpected host deserves a look. Capturing requires root.

Show everything passing on the network:

```
# tcpdump
```

Show everything coming from one specific server:

```
# tcpdump src host 192.168.1.1
```

src host matches only packets whose source address is 192.168.1.1; use host 192.168.1.1 to see both directions of the conversation, and add -n so tcpdump does not generate reverse DNS lookups of its own for every address it prints.

Dump the contents to a file:

```
# tcpdump src host 192.168.1.1 -w /home/peter/escuchando.txt
```

-w writes the raw packets in pcap format, which is binary whatever the file extension says; read the file back with tcpdump -r /home/peter/escuchando.txt or open it in Wireshark. On old tcpdump releases the default snapshot length is 68 bytes, so add -s 0 if you want whole packets saved rather than just the headers.
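The introduction asks how to find out who is eating all the bandwidth. The following is an added example, not from the original post: it feeds tcpdump's one-line-per-packet output (the -nnq format, assumed here) through awk to total bytes per source address, which is the quickest way to spot a top talker from the command line. The capture lines embedded in it are constructed for the example; the live_top_talkers function shows the same pipeline on a real interface and needs root and tcpdump.

```sh
#!/bin/sh
# Added example: rank source addresses by bytes sent, from tcpdump -nnq output.
# Not part of the original post.

# Constructed sample of `tcpdump -nnq` lines (not a real capture). With -q a
# TCP line ends in "tcp N" (N = payload bytes), UDP/ICMP lines end in
# "length N", and non-IP traffic such as ARP has no "IP" in field 2.
SAMPLE_CAPTURE='21:25:01.000001 IP 192.168.1.30.49152 > 192.168.1.2.80: tcp 1460
21:25:01.000002 IP 192.168.1.2.80 > 192.168.1.30.49152: tcp 0
21:25:01.000003 IP 192.168.1.20.1025 > 192.168.1.2.53: UDP, length 45
21:25:01.000004 IP 192.168.1.30.49153 > 192.168.1.2.443: tcp 1460
21:25:01.000005 IP 192.168.1.3.3389 > 192.168.1.161.50000: tcp 120
21:25:01.000006 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
21:25:01.000007 IP 192.168.1.30.49152 > 192.168.1.2.80: tcp 1460
21:25:01.000008 IP 192.168.1.161 > 192.168.1.3: ICMP echo request, id 1, seq 1, length 64'

# top_talkers: tcpdump -nnq lines on stdin -> "src_ip payload_bytes", busiest
# first. Only IPv4 lines whose last field is a number are counted. The number
# is L4 payload, headers excluded, so it is a lower bound on bytes sent; that
# is enough to rank hosts. A TCP/UDP source looks like a.b.c.d.port (5 dotted
# parts), an ICMP source has no port (4 parts), so the port is only stripped
# when there are 5 parts.
top_talkers() {
  awk '$2 == "IP" && $NF ~ /^[0-9]+$/ {
      n = split($3, a, ".")
      src = (n == 5) ? (a[1] "." a[2] "." a[3] "." a[4]) : $3
      bytes[src] += $NF
    }
    END { for (h in bytes) print h, bytes[h] }' | sort -k2,2nr
}

# live_top_talkers IFACE NPACKETS: the same aggregation on a real interface.
# Needs root and tcpdump; -l line-buffers so awk sees packets as they arrive,
# -c stops after NPACKETS so the pipeline terminates and sort can run.
live_top_talkers() {
  tcpdump -nnq -l -c "$2" -i "$1" | top_talkers
}

printf '%s\n' "$SAMPLE_CAPTURE" | top_talkers
```

On the sample, 192.168.1.30 comes out on top with 4380 bytes from three 1460-byte segments, the ARP request is ignored, and the ICMP echo is attributed to 192.168.1.161 without losing its last octet. For a real measurement over time, run live_top_talkers eth0 10000 during the slowdown; for exact frame sizes rather than payload, capture with -e and adapt the field used.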
This post is licensed under CC BY 4.0 by the author.