Nmap, which has been developed as open source for more than 10 years, has in the last few years in particular been gaining features that make security professionals' work easier. While once again updating my training notes in depth I noticed that I had actually left out many of Nmap's features. Since my Nmap notes had not been updated for about two years, they looked stale to me.
These days, with my work having shifted entirely to security testing, I can find plenty of time. While preparing the training notes I am also making small additions here.
Here are a few of Nmap's lesser-known but very useful features.
Scanning the most frequently used ports
One of the biggest problems in port scanning is deciding which ports to include. As is well known, TCP and UDP each have 65535 possible ports (1 to 65535). Including all of them makes the scan take a very long time; leaving some out risks missing ports that are open but were never scanned. To get around this, Nmap author Fyodor carried out a long survey across the Internet last year and measured how often each port is found open on Internet-facing hosts. The results were added as an open-frequency column to the nmap-services data file, and with that it became possible to scan the top 10, top 100, top 1000 and so on ports. Since Nmap 4.75 a scan without -p already uses the top 1000 ports of this ranking instead of the older fixed port list.
According to the survey, the most commonly found open ports on the Internet are as follows (most frequent first).
TCP
1. 80
2. 23
3. 22
4. 443
5. 3389
6. 445
7. 139
8. 21
9. 135
10. 25
UDP
1. 137
2. 161
3. 1434
4. 123
5. 138
6. 445
7. 135
8. 67
9. 139
10. 53
To use this in a scan, pass --top-ports 10 or --top-ports 1000 (the number is how many ports to take from the ranking; with -sS it selects TCP ports, with -sU UDP ports, and with both scan types it takes the top N of each protocol). The ports actually chosen come from the open-frequency column of the nmap-services file shipped with your Nmap version, so they can differ slightly from the published list above: the 4.76 output below picks 110/tcp rather than 135/tcp.
C:\Documents and Settings\elmasekeri>nmap 192.168.2.1 --top-ports 10

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-17 15:23 GTB Standard Time
Interesting ports on RT (192.168.2.1):
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
23/tcp   open   telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: 00:1A:2A:A7:22:5C (Arcadyan Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
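What --top-ports does under the hood is a sort of the nmap-services file by its open-frequency column. The following is an added example (not code from the post or from the Nmap project) that reproduces that selection over a constructed nmap-services snippet; the frequency values in the sample are made up but ordered to match the ranking above, and the real file lives in Nmap's data directory (for example /usr/local/share/nmap/nmap-services).

```python
"""Pick the N most frequently open ports per protocol from an nmap-services
style file, which is what Nmap's --top-ports does.

Added example, not code from the original post or from Nmap. The real
nmap-services file has one line per service:
    name  port/proto  open-frequency  # optional comment
"""
from collections import defaultdict

# Constructed sample in nmap-services format. The frequencies are invented
# for illustration; only their ordering mirrors the ranking in the post.
SAMPLE_NMAP_SERVICES = """\
# Fields: name  port/proto  open-frequency  # comment
http         80/tcp    0.48  # World Wide Web HTTP
telnet       23/tcp    0.22
ssh          22/tcp    0.18  # Secure Shell Login
https        443/tcp   0.15
ms-term-serv 3389/tcp  0.08
microsoft-ds 445/tcp   0.06
netbios-ssn  139/tcp   0.05
ftp          21/tcp    0.04
xns-time     52/tcp    0.0001
netbios-ns   137/udp   0.36
snmp         161/udp   0.33
ms-sql-m     1434/udp  0.29
ntp          123/udp   0.25
domain       53/udp    0.06
xns-time     52/udp    0.0002
"""


def parse_nmap_services(text):
    """Yield (port, proto, frequency, name) for each data line, skipping
    comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        yield int(port), proto, float(freq), name


def top_ports(text, n, protocols=("tcp", "udp")):
    """Return {proto: [port, ...]}: the n most frequently open ports of each
    requested protocol, highest frequency first (ties by port number)."""
    by_proto = defaultdict(list)
    for port, proto, freq, _name in parse_nmap_services(text):
        if proto in protocols:
            by_proto[proto].append((freq, port))
    return {
        proto: [p for _f, p in sorted(entries, key=lambda e: (-e[0], e[1]))[:n]]
        for proto, entries in by_proto.items()
    }


def port_spec(ports):
    """Format a port list the way it is passed to nmap -p."""
    return ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    # With -sS only the tcp list is used; with -sU only the udp list.
    for proto, ports in top_ports(SAMPLE_NMAP_SERVICES, 5).items():
        print(f"{proto}: nmap -p {port_spec(ports)} ...")
```

Sorting the whole file and handing the result to -p is useful when you want the same top-N selection on an Nmap version that predates --top-ports, or when you want to pin the exact list in a report rather than rely on whatever nmap-services a colleague's install ships with.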
Why a port got its result (--reason)
When scanning, each port comes back as open, closed or filtered. The --reason parameter shows which response, or which absence of a response, led to that verdict: why an open port is considered open and why a closed port is considered closed. This matters most where the evidence is weak: a verdict of "no-response" is an absence of evidence and deserves a retry or a different scan type, while syn-ack, reset, udp-response and port-unreach are actual packets from the target that you can trust.
Using --reason with a UDP scan
# nmap -sU -p 52,53 192.168.2.1 --reason

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-17 13:35 GMT
Interesting ports on RT (192.168.2.1):
PORT   STATE  SERVICE  REASON
52/udp closed xns-time port-unreach
53/udp open   domain   udp-response
MAC Address: 00:1A:2A:A7:22:5C (Arcadyan Technology)
Using --reason with a TCP scan
# nmap -n -p 80,3389 -sS 192.168.2.1 --reason

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-17 13:36 GMT
Interesting ports on 192.168.2.1:
PORT     STATE  SERVICE      REASON
80/tcp   open   http         syn-ack
3389/tcp closed ms-term-serv reset
MAC Address: 00:1A:2A:A7:22:5C (Arcadyan Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.170 seconds
If this output is not enough, --packet_trace and the -v parameter give more detail.
Verbose scan output (nmap -v)
# nmap -n -p 80,3389 -sS 192.168.2.1 -vv

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-17 13:37 GMT
Initiating ARP Ping Scan at 13:37
Scanning 192.168.2.1 [1 port]
Completed ARP Ping Scan at 13:37, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:37
Scanning 192.168.2.1 [2 ports]
Discovered open port 80/tcp on 192.168.2.1
Completed SYN Stealth Scan at 13:37, 0.01s elapsed (2 total ports)
Host 192.168.2.1 appears to be up … good.
Interesting ports on 192.168.2.1:
PORT     STATE  SERVICE
80/tcp   open   http
3389/tcp closed ms-term-serv
MAC Address: 00:1A:2A:A7:22:5C (Arcadyan Technology)

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.176 seconds
           Raw packets sent: 3 (130B) | Rcvd: 3 (134B)
The same scan without -v
home-labs scripts # nmap -n -p 80,3389 -sS 192.168.2.1

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-17 13:37 GMT
Interesting ports on 192.168.2.1:
PORT     STATE  SERVICE
80/tcp   open   http
3389/tcp closed ms-term-serv
MAC Address: 00:1A:2A:A7:22:5C (Arcadyan Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.169 seconds
Where -v is not enough, the -d[level] parameter (debugging, up to -d9) produces very detailed output. It is especially helpful for scans whose results you doubt but cannot explain: it shows the pcap filter Nmap installed, every probe with its timing statistics, and the timeout values it derived from the observed round-trip times.
home-labs scripts # nmap localhost -p 22 -d9

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-17 13:48 GMT
Fetchfile found /usr/local/share/nmap/nmap-services
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server 192.168.2.1
Initiating SYN Stealth Scan at 13:48
Scanning localhost (127.0.0.1) [1 port]
Pcap filter: dst host 127.0.0.1 and (icmp or (tcp and (src host 127.0.0.1)))
Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or (tcp and (src host 127.0.0.1)))
SENT (0.0370s) TCP 127.0.0.1:55455 > 127.0.0.1:22 S ttl=40 id=42642 iplen=44 seq=2252809853 win=1024 <mss 1460>
**TIMING STATS** (0.0370s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
  Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/75/* 1000000/-1/-1
  127.0.0.1: 1/0/0/1/0/0 10.00/75/0 1000000/-1/-1
RCVD (0.0380s) TCP 127.0.0.1:55455 > 127.0.0.1:22 S ttl=40 id=42642 iplen=44 seq=2252809853 win=1024 <mss 1460>
Found 127.0.0.1 in incomplete hosts list.
RCVD (0.0380s) TCP 127.0.0.1:22 > 127.0.0.1:55455 SA ttl=64 id=0 iplen=44 seq=644236104 win=32792 ack=2252809854 <mss 16396>
Found 127.0.0.1 in incomplete hosts list.
Discovered open port 22/tcp on 127.0.0.1
Changing ping technique for 127.0.0.1 to TCP
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1352 ==> srtt: 1352 rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 1352 ==> srtt: 1352 rttvar: 5000 to: 100000
Moving 127.0.0.1 to completed hosts list with 0 outstanding probes.
Completed SYN Stealth Scan at 13:48, 0.02s elapsed (1 total ports)
pcap stats: 6 packets received by filter, 0 dropped by kernel.
Host localhost (127.0.0.1) appears to be up … good.
Interesting ports on localhost (127.0.0.1):
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
Final times for host: srtt: 1352 rttvar: 5000 to: 100000
Read from /usr/local/share/nmap: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.049 seconds
           Raw packets sent: 1 (44B) | Rcvd: 2 (88B)
-iflist
With this parameter Nmap lists the interfaces and routing table entries it sees on the system. On a multi-homed scanner this is the quickest way to confirm which interface and source address Nmap will pick for a given target before you start a scan; if the choice is wrong, -e (interface) and -S (source address) override it.
home-labs scripts # nmap -iflist

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-17 13:50 GMT
************************INTERFACES************************
DEV  (SHORT) IP/MASK         TYPE     UP MAC
lo   (lo)    127.0.0.1/8     loopback up
eth0 (eth0)  192.168.2.22/24 ethernet up 00:0C:29:29:96:05
eth1 (eth1)  100.100.100.2/8 ethernet up 00:0C:29:29:96:0F

**************************ROUTES**************************
DST/MASK      DEV  GATEWAY
192.168.2.0/0 eth0
100.0.0.0/0   eth1
127.0.0.0/0   lo
0.0.0.0/0     eth0 192.168.2.1
0.0.0.0/0     eth1 100.100.100.1
Following every step of a scan with --packet_trace
If you want to see every packet Nmap sends and receives during a scan, use the --packet_trace parameter. If some device in between is preventing your scans from giving sound results, it will show up in this output (a single port answering from a different TTL than the others, a reset arriving for every port, or a probe that is never answered at all).
home-labs scripts # nmap -p 80,3389 -sS 192.168.2.1 --packet_trace

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-17 13:38 GMT
SENT (0.0340s) ARP who-has 192.168.2.1 tell 192.168.2.22
RCVD (0.0350s) ARP reply 192.168.2.1 is-at 00:1A:2A:A7:22:5C
NSOCK (0.0460s) msevent_new (IOD #1) (EID #8)
NSOCK (0.0460s) UDP connection requested to 192.168.2.1:53 (IOD #1) EID 8
NSOCK (0.0460s) msevent_new (IOD #1) (EID #18)
NSOCK (0.0460s) Read request from IOD #1 [192.168.2.1:53] (timeout: -1ms) EID 18
NSOCK (0.0460s) msevent_new (IOD #1) (EID #27)
NSOCK (0.0460s) Write request for 42 bytes to IOD #1 EID 27 [192.168.2.1:53]: ………….1.2.168.192.in-addr.arpa…..
NSOCK (0.0470s) nsock_loop() started (timeout=500ms). 3 events pending
NSOCK (0.0470s) wait_for_events
NSOCK (0.0470s) Callback: CONNECT SUCCESS for EID 8 [192.168.2.1:53]
NSOCK (0.0470s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.0470s) Callback: WRITE SUCCESS for EID 27 [192.168.2.1:53]
NSOCK (0.0470s) msevent_delete (IOD #1) (EID #27)
NSOCK (0.0480s) wait_for_events
NSOCK (0.0520s) Callback: READ SUCCESS for EID 18 [192.168.2.1:53] (58 bytes): ………….1.2.168.192.in-addr.arpa………….’….RT.
NSOCK (0.0520s) msevent_new (IOD #1) (EID #34)
NSOCK (0.0520s) Read request from IOD #1 [192.168.2.1:53] (timeout: -1ms) EID 34
NSOCK (0.0520s) msevent_delete (IOD #1) (EID #34)
NSOCK (0.0520s) msevent_delete (IOD #1) (EID #18)
SENT (0.0650s) TCP 192.168.2.22:37890 > 192.168.2.1:80 S ttl=40 id=12041 iplen=44 seq=1831862001 win=1024 <mss 1460>
SENT (0.0660s) TCP 192.168.2.22:37890 > 192.168.2.1:3389 S ttl=39 id=63913 iplen=44 seq=1831862001 win=4096 <mss 1460>
RCVD (0.0660s) TCP 192.168.2.1:80 > 192.168.2.22:37890 SA ttl=64 id=0 iplen=44 seq=303354857 win=5840 ack=1831862002 <mss 1460>
RCVD (0.0670s) TCP 192.168.2.1:3389 > 192.168.2.22:37890 RA ttl=255 id=0 iplen=40 seq=0 win=0 ack=1831862002
Interesting ports on RT (192.168.2.1):
PORT     STATE  SERVICE
80/tcp   open   http
3389/tcp closed ms-term-serv
MAC Address: 00:1A:2A:A7:22:5C (Arcadyan Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.182 seconds
As the output shows, Nmap first sends an ARP request to learn the target's MAC address (the target is on the local Ethernet segment, so the ARP reply also serves as host discovery). Then, because -n was not given, it performs a reverse DNS lookup of the target IP: the NSOCK lines are a UDP query for 1.2.168.192.in-addr.arpa sent to 192.168.2.1:53, and the 58-byte answer is where the name "RT" in the result header comes from. Only after that does it send SYN packets to the requested TCP ports, receive the SYN/ACK for 80 and the RST/ACK for 3389, and finish. One detail worth noticing in this trace: the SYN/ACK from port 80 arrives with ttl=64, while the reset for 3389 carries ttl=255 and win=0. Two different TTLs from the same address suggest two different stacks answered, for example the router's web server versus its firewall or NAT code, which is exactly the kind of hint --packet_trace exists to give you.
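Reading a long trace by eye is error-prone, so the following added example (not code from the post or from Nmap) turns the SENT/RCVD lines of a --packet_trace run back into per-port verdicts using the SYN-scan rules: SYN/ACK back means open, RST back means closed, no answer means filtered. The sample trace is constructed from the TCP lines above plus one extra, invented probe to 25/tcp that is never answered, to show the filtered case; ICMP unreachables, which Nmap also maps to filtered, are not parsed here.

```python
"""Reconstruct per-port SYN-scan verdicts from Nmap --packet_trace output.

Added example, not code from the original post or from Nmap. It applies
the same evidence rules a SYN scan uses: SYN/ACK -> open (syn-ack),
RST -> closed (reset), silence -> filtered (no-response). ARP and NSOCK
lines are skipped; ICMP unreachable lines are not handled.
"""
import re

# Constructed sample: the TCP lines from the scan in the post, plus an
# invented probe to 25/tcp that gets no reply at all.
SAMPLE_TRACE = """\
SENT (0.0340s) ARP who-has 192.168.2.1 tell 192.168.2.22
RCVD (0.0350s) ARP reply 192.168.2.1 is-at 00:1A:2A:A7:22:5C
NSOCK (0.0460s) UDP connection requested to 192.168.2.1:53 (IOD #1) EID 8
SENT (0.0650s) TCP 192.168.2.22:37890 > 192.168.2.1:80 S ttl=40 id=12041 iplen=44 seq=1831862001 win=1024 <mss 1460>
SENT (0.0660s) TCP 192.168.2.22:37890 > 192.168.2.1:3389 S ttl=39 id=63913 iplen=44 seq=1831862001 win=4096 <mss 1460>
SENT (0.0660s) TCP 192.168.2.22:37890 > 192.168.2.1:25 S ttl=41 id=2211 iplen=44 seq=1831862001 win=2048 <mss 1460>
RCVD (0.0660s) TCP 192.168.2.1:80 > 192.168.2.22:37890 SA ttl=64 id=0 iplen=44 seq=303354857 win=5840 ack=1831862002 <mss 1460>
RCVD (0.0670s) TCP 192.168.2.1:3389 > 192.168.2.22:37890 RA ttl=255 id=0 iplen=40 seq=0 win=0 ack=1831862002
"""

# One SENT/RCVD TCP line: direction, timestamp, endpoints and TCP flags.
TCP_LINE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+)\b"
)


def syn_scan_states(trace, target):
    """Return {port: (state, reason, rtt_seconds_or_None)} for every TCP
    port that was probed with a bare SYN toward `target`."""
    sent_at = {}
    states = {}
    for line in trace.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # ARP, NSOCK, ICMP and any other line type
        flags, t = m["flags"], float(m["t"])
        if m["dir"] == "SENT" and m["dst"] == target and flags == "S":
            port = int(m["dport"])
            sent_at.setdefault(port, t)
            # Until something comes back, the only honest verdict is filtered.
            states.setdefault(port, ("filtered", "no-response", None))
        elif m["dir"] == "RCVD" and m["src"] == target:
            port = int(m["sport"])
            if port not in sent_at:
                # Not a port we probed: unrelated traffic, or our own probe
                # echoed back when scanning over loopback (see the -d9 run).
                continue
            rtt = round(t - sent_at[port], 4)
            if "R" in flags:
                states[port] = ("closed", "reset", rtt)
            elif "S" in flags and "A" in flags:
                states[port] = ("open", "syn-ack", rtt)
    return states


if __name__ == "__main__":
    for port, (state, reason, rtt) in sorted(syn_scan_states(SAMPLE_TRACE, "192.168.2.1").items()):
        print(f"{port}/tcp {state:<8} {reason:<12} rtt={rtt}")
```

Running it against a real trace (nmap ... --packet_trace > trace.txt) and comparing with Nmap's own table is a quick way to check whether a "filtered" verdict came from genuine silence or from an ICMP message this parser deliberately ignores.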
Traceroute with Nmap
Nmap can run a traceroute using TCP or UDP against a port (or ICMP). It does this after the port scan and picks the port and protocol from the scan results that is most likely to get a response through any filtering, here the open port 1/tcp, so the path it maps is the path the real traffic to that service takes. Raw-packet privileges (root) are required, -n skips the reverse DNS lookup of every hop, and -P0 (spelled -Pn in current versions) skips host discovery.
# nmap -n -P0 --traceroute www.gezginler.net

Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-17 13:43 GMT
Interesting ports on 208.43.98.30:
Not shown: 1700 closed ports
PORT     STATE    SERVICE
1/tcp    open     tcpmux
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
26/tcp   open     unknown
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
111/tcp  open     rpcbind
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
993/tcp  open     imaps
995/tcp  open     pop3s
1720/tcp filtered H.323/Q.931

TRACEROUTE (using port 1/tcp)
HOP RTT    ADDRESS
1   0.94   192.168.2.1
2   10.51  85.96.186.1
3   …
4   815.81 212.156.118.253
5   10.71  81.212.26.125
6   17.01  212.156.117.38
7   28.49  212.156.119.246
8   77.55  212.73.206.9
9   78.76  4.68.109.158
10  87.75  4.69.133.82
11  80.41  4.69.132.142
12  106.71 4.69.140.21
13  169.46 4.69.141.110
14  167.60 4.69.141.110
15  174.82 4.69.134.146
16  166.92 4.68.17.70
17  166.83 4.79.170.174
18  167.89 208.43.98.30

Nmap done: 1 IP address (1 host up) scanned in 46.502 seconds
Nmap GUI: Zenmap
After many years Nmap has a GUI that pleases both its author and its users. A project a student started under Google Summer of Code (Umit) is now distributed as Zenmap, the official Nmap GUI. The interface has a number of pleasant features. One of the most useful to me is that scans are saved and scans of the same target made at different times can then be compared to produce a result. That way the difference between a scan of host Y on date X and a scan of host Y on date Z becomes visible.
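The same comparison can be scripted from Nmap's XML output (-oX), which also records the --reason evidence for every port. The following is an added example (not code from the post, from Nmap or from Zenmap) that parses two -oX documents, diffs them the way a Zenmap result comparison does, and flags verdicts that rest on "no-response" so they are retried rather than reported as change. Both XML documents are constructed here in Nmap's -oX format; the baseline mirrors the router results shown earlier in the post and the second scan is invented to show what a diff looks like.

```python
"""Diff two Nmap -oX results and flag weak (no-response) verdicts.

Added example, not code from the original post, from Nmap or from Zenmap.
The XML documents are constructed below in Nmap's -oX format; in practice
they would be read from files written with -oX.
"""
import xml.etree.ElementTree as ET

# What each --reason value means (those that appear in the post, plus the
# no-response case every scan type can produce).
REASON_MEANING = {
    "syn-ack": "SYN/ACK received: a listener answered the handshake",
    "reset": "RST received: host reachable, nothing listening there",
    "udp-response": "UDP payload answered: a service is listening",
    "port-unreach": "ICMP port unreachable: host says nothing listens there",
    "no-response": "nothing came back: absence of evidence, not evidence",
    "arp-response": "ARP reply seen: host is on the local segment",
}


def make_scan_xml(addr, ports):
    """Build a minimal Nmap -oX document (constructed sample data)."""
    rows = "".join(
        f'<port protocol="{proto}" portid="{port}">'
        f'<state state="{state}" reason="{reason}"/>'
        f'<service name="{name}" method="table" conf="3"/></port>'
        for proto, port, state, reason, name in ports
    )
    return (
        '<?xml version="1.0"?><nmaprun scanner="nmap" version="4.76">'
        '<host><status state="up" reason="arp-response"/>'
        f'<address addr="{addr}" addrtype="ipv4"/><ports>{rows}</ports></host>'
        '<runstats><hosts up="1" down="0" total="1"/></runstats></nmaprun>'
    )


# Baseline: the router results from the post (constructed XML).
SCAN_JAN = make_scan_xml("192.168.2.1", [
    ("tcp", 22, "open", "syn-ack", "ssh"),
    ("tcp", 80, "open", "syn-ack", "http"),
    ("tcp", 3389, "closed", "reset", "ms-term-serv"),
    ("udp", 53, "open", "udp-response", "domain"),
    ("udp", 52, "closed", "port-unreach", "xns-time"),
])
# Invented later scan: telnet appeared, RDP now answers, 52/udp went silent.
SCAN_LATER = make_scan_xml("192.168.2.1", [
    ("tcp", 22, "open", "syn-ack", "ssh"),
    ("tcp", 23, "open", "syn-ack", "telnet"),
    ("tcp", 80, "open", "syn-ack", "http"),
    ("tcp", 3389, "open", "syn-ack", "ms-term-serv"),
    ("udp", 53, "open", "udp-response", "domain"),
    ("udp", 52, "open|filtered", "no-response", "xns-time"),
])


def parse_ports(xml_text):
    """Return {(addr, proto, port): (state, reason)} from Nmap XML."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next(a.get("addr") for a in host.iter("address")
                    if a.get("addrtype") in ("ipv4", "ipv6"))
        for port in host.iter("port"):
            st = port.find("state")
            key = (addr, port.get("protocol"), int(port.get("portid")))
            result[key] = (st.get("state"), st.get("reason"))
    return result


def weak_verdicts(ports):
    """Keys whose state rests on silence rather than on a packet."""
    return sorted(k for k, (_state, reason) in ports.items() if reason == "no-response")


def diff_scans(old, new):
    """Return (added, removed, changed): ports only in new, only in old, and
    ports whose state differs, as {key: (old_entry, new_entry)}."""
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys()
               if old[k][0] != new[k][0]}
    return added, removed, changed


if __name__ == "__main__":
    before, after = parse_ports(SCAN_JAN), parse_ports(SCAN_LATER)
    added, removed, changed = diff_scans(before, after)
    for k, v in sorted(added.items()):
        print("NEW    ", k, v, "-", REASON_MEANING[v[1]])
    for k, (o, n) in sorted(changed.items()):
        print("CHANGED", k, o, "->", n)
    for k in weak_verdicts(after):
        print("RETRY  ", k, "-", REASON_MEANING["no-response"])
```

A changed entry whose new reason is no-response (52/udp above) is not evidence that anything changed on the host; a packet was lost or rate-limited, so the sensible response is to rescan that port before the diff goes into a report.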
Regards..