2013/12/01

[tool] nmap, network scanning tool

nmap is the most basic network scanning tool, and in practice a powerful one that supports a wide range of options.
More detailed option values and configuration information should be obtained from nmap's own help message.

Main NMAP options


Option             Description
------             -----------
-iL <file>         Read the list of targets to scan from a file (nmap -iL /tmp/test.txt)
-oN <file>         Save the results to a file (nmap -oN /tmp/result.txt 192.168.0.1)
-v                 Show verbose information
-f                 Send packets fragmented into very small pieces
-F                 Fast scan; scans only the well-known ports
-P0                Allows scanning where ICMP echo requests are blocked (skips host discovery and treats every host as online)
-PT                Use TCP packets instead of ICMP; sends an ACK and waits for an RST
-p <port range>    Use - as the separator for consecutive ports and , for non-consecutive ones
-sT                TCP connect scan; scans using connect(), which succeeds when the port is listening
-sS                TCP SYN scan; a SYN/ACK reply means listening, an RST reply means not listening; leaves no log
-sA                TCP ACK scan; sends an ACK, so an RST reply means unfiltered; used to check firewall state
-sW                Window scan; similar to the ACK scan, but can also identify open ports
-sF                Stealth FIN scan; a FIN sent to an open port is ignored, while a FIN sent to a non-listening port gets an RST back
-sX                Xmas tree scan; similar to the FIN scan, but sends packets with several TCP flags set (FIN, PSH, URG, etc.)
-sN                Null scan; similar to the FIN scan, but sends packets with all flags cleared
-sP                Ping scan; sends ICMP packets. Whether the reply is RST or UP, the host is alive
-sU                UDP scan; scans for open UDP ports
-b                 FTP bounce scan; scans a host by way of an anonymous FTP server, bouncing through it
-O                 Shows the host's operating system information
-sR                RPC scan; obtains information similar to rpcinfo -p
-6                 IPv6 scanning

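The Null, FIN and Xmas entries in the table describe flag combinations that a conforming TCP stack never sends on its own, which makes them just as useful from the defender's side. As an added example (not code from this post or from the nmap project), the following Python classifies TCP flag bytes from constructed firewall-style log lines against those three signatures, and also flags a source that touches many distinct ports on one host, which is the only trace a SYN scan leaves when each packet on its own looks like a normal connection attempt. The log format, the addresses and the sweep threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations a conforming TCP stack never sends on its own, but which the
# Null, FIN and Xmas scan types in the table above produce. A lone FIN/ACK is
# deliberately not listed: that is also a normal connection teardown segment.
PROBE_SIGNATURES = {
    0: "null scan (-sN)",
    FIN: "fin scan (-sF)",
    FIN | PSH | URG: "xmas scan (-sX)",
}

# Constructed sample firewall log (not real traffic): one line per TCP segment,
# flags given as the raw flag byte. Format and addresses are assumptions.
SAMPLE_LOG = """\
2013-12-01T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=22 flags=0x02
2013-12-01T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=23 flags=0x02
2013-12-01T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=80 flags=0x02
2013-12-01T10:00:02 src=10.0.0.5 dst=10.0.0.9 dport=443 flags=0x02
2013-12-01T10:00:02 src=10.0.0.5 dst=10.0.0.9 dport=8080 flags=0x02
2013-12-01T10:00:03 src=10.0.0.7 dst=10.0.0.9 dport=22 flags=0x00
2013-12-01T10:00:03 src=10.0.0.7 dst=10.0.0.9 dport=80 flags=0x29
2013-12-01T10:00:04 src=10.0.0.8 dst=10.0.0.9 dport=443 flags=0x18
2013-12-01T10:00:04 src=10.0.0.8 dst=10.0.0.9 dport=443 flags=0x10
"""

LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=0x([0-9a-fA-F]{2})")


def classify_flags(flags):
    """Return the scan type a flag byte matches, or None for ordinary traffic."""
    return PROBE_SIGNATURES.get(flags)


def analyse(log_text, sweep_threshold=5):
    """Per source address: count probe-signature hits and detect port sweeps.

    Returns {src: [reason, ...]} for sources with at least one finding.
    """
    per_src = defaultdict(lambda: {"ports": set(), "probes": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not TCP segment records
        src, dport, flags = m.group(1), int(m.group(3)), int(m.group(4), 16)
        rec = per_src[src]
        rec["ports"].add(dport)
        label = classify_flags(flags)
        if label:
            rec["probes"][label] += 1

    findings = {}
    for src, rec in per_src.items():
        reasons = [f"{n}x {label}" for label, n in sorted(rec["probes"].items())]
        if len(rec["ports"]) >= sweep_threshold:
            reasons.append(f"port sweep: {len(rec['ports'])} distinct ports")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in analyse(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

The table's note that the SYN scan leaves no log is true of the application layer, where the half-open handshake never reaches the listening service; firewall, flow and IDS records at the network layer still see every SYN, so the fan-out across ports is what the sweep threshold above catches. The threshold has to be tuned to the environment, since a busy client legitimately talks to several ports on one server.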

NMAP usage examples

[root@forensic] # nmap -sS -O -p 1-1024,6000 192.168.0.1

Port     State     Service
21/tcp   open      ftp
22/tcp   open      ssh
23/tcp   filtered  telnet
80/tcp   open      http
443/tcp  open      https
Remote operating system guess : Linux Kernel 2.4.0 - 2.5.20(x86)
Uptime 1,321 days (Since Fri Oct 2 11:42:22 2009)
Nmap run completed -- 1 IP address (1 host up) scanned in 107 seconds


[root@forensic] # nmap -sP 192.168.1.0/24

Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second


[root@forensic] # nmap -v -O --osscan-guess 192.168.1.1

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)
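Listings like the ones above are easier to act on once they are parsed into data. The following Python is an added example, not code from this post or from the nmap project: it extracts the host, the port table and the OS guess from normal-format nmap output and reports which open ports fall outside an assumed allow-list of intended exposures. The sample text is constructed from the first listing on this page, with an "Interesting ports on" header line added so the host can be recovered from the text alone; the allow-list is an assumption for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the first listing on this page (port table, OS guess and
# summary lines), with an "Interesting ports on" header line added. Embedded
# here so the parser runs offline.
SAMPLE_OUTPUT = """\
Interesting ports on 192.168.0.1:
Port  State  Service
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  filtered  telnet
80/tcp  open  http
443/tcp  open  https
Remote operating system guess : Linux Kernel 2.4.0 - 2.5.20(x86)
Uptime 1,321 days (Since Fri Oct 2 11:42:22 2009)
Nmap run completed -- 1 IP address (1 host up) scanned in 107 seconds
"""

# Older nmap prints "Interesting ports on <host>:", newer versions print
# "Nmap scan report for <host>"; both forms are accepted.
HOST_LINE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+)")
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")
OS_LINE = re.compile(r"^Remote operating system guess\s*:\s*(.+)$")


@dataclass
class ScanResult:
    host: str = ""
    # (port, protocol) -> (state, service)
    ports: dict = field(default_factory=dict)
    os_guess: str = ""


def parse_nmap_output(text):
    """Extract host, port table and OS guess from nmap normal (-oN style) output."""
    result = ScanResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            result.host = m.group(1).rstrip(":")
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            result.ports[(int(port), proto)] = (state, service)
            continue
        m = OS_LINE.match(line)
        if m:
            result.os_guess = m.group(1).strip()
    return result


def open_ports(result, proto="tcp"):
    """Sorted port numbers reported open for the given protocol."""
    return sorted(p for (p, pr), (state, _) in result.ports.items()
                  if pr == proto and state == "open")


def unexpected_exposure(result, allowed):
    """Open ports not in the defender's allow-list of (protocol, port) pairs."""
    hits = sorted((p, pr, svc) for (p, pr), (state, svc) in result.ports.items()
                  if state == "open" and (pr, p) not in allowed)
    return [f"{p}/{pr} ({svc})" for p, pr, svc in hits]


if __name__ == "__main__":
    r = parse_nmap_output(SAMPLE_OUTPUT)
    print(r.host, "-", r.os_guess)
    print("open tcp:", open_ports(r))
    # Assumed allow-list for the example: only SSH and HTTPS are meant to be exposed.
    print("unexpected:", unexpected_exposure(r, {("tcp", 22), ("tcp", 443)}))
```

Run against a file saved with -oN, the same functions give a quick diff between what a host actually exposes and what it is supposed to expose; "filtered" entries such as 23/tcp above are reported separately from "open" ones, since a filtered port is a firewall decision rather than a listening service.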


nmap -p [port] hostName

## Scan port 80 ##
nmap -p 80 192.168.1.1

## Scan TCP port 80 ##
nmap -p T:80 192.168.1.1

## Scan UDP port 53 ##
nmap -p U:53 192.168.1.1

## Scan two ports ##
nmap -p 80,443 192.168.1.1

## Scan port ranges ##
nmap -p 80-200 192.168.1.1

## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

## Scan all ports with the * wildcard ##
nmap -p "*" 192.168.1.1

## Scan top ports, i.e. scan the $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

## Spoof your MAC address ##
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

## Add other options ##
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

## Use a random MAC address ##
## The number 0 means nmap chooses a completely random MAC address ##
nmap -v -sT -PN --spoof-mac 0 192.168.1.1

## TCP Null scan to fool a firewall into generating a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254

## TCP FIN scan to check a firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254

## TCP Xmas scan to check a firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254

## Stealthy (SYN) scan ##
nmap -sS 192.168.1.1

## Find out the most commonly used TCP ports using a TCP connect scan (warning: not a stealth scan) ##
nmap -sT 192.168.1.1

## Find out the most commonly used TCP ports using a TCP ACK scan ##
nmap -sA 192.168.1.1

## Find out the most commonly used TCP ports using a TCP Window scan ##
nmap -sW 192.168.1.1

## Find out the most commonly used TCP ports using a TCP Maimon scan ##
nmap -sM 192.168.1.1

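The -p examples above combine single ports, ranges and T:/U: protocol qualifiers in one string, and the same syntax is what a scan policy or an allow-list would have to be checked against. As an added example (not code from this post or from nmap), the following Python expands such a specification into per-protocol port sets. It follows the rules stated in the option table and the command list: "," separates entries, "-" gives an inclusive range, a qualifier applies to the entries after it until the next qualifier, and "*" is taken as all ports, which is how this page describes the wildcard. Two details are taken from nmap's own documentation rather than from this page: entries with no qualifier apply to every protocol being scanned, and a bare "-" (or a range with a missing end) runs to the limits 1 and 65535. In nmap itself "*" is a glob over service names from nmap-services, so that one case is a simplification.

```python
MAX_PORT = 65535
QUALIFIERS = {"T": "tcp", "U": "udp"}  # only the two qualifiers this page uses


def expand_port_spec(spec):
    """Expand an nmap -p style port specification into {"tcp": set, "udp": set}.

    Rules: ',' separates entries; 'a-b' is an inclusive range; 'a-' and '-b' are
    open ranges ending at 65535 / starting at 1; a bare '-' is 1-65535; a 'T:' or
    'U:' qualifier applies to the following entries until the next qualifier;
    entries before any qualifier apply to both protocols; '*' is read as all
    ports (this page's description; nmap treats it as a service-name wildcard).
    """
    ports = {"tcp": set(), "udp": set()}
    current = None  # None means "no qualifier yet": applies to both protocols
    for raw in spec.replace(" ", "").split(","):
        entry = raw
        if len(entry) >= 2 and entry[1] == ":":
            current = QUALIFIERS.get(entry[0].upper())
            if current is None:
                raise ValueError(f"unknown protocol qualifier in {raw!r}")
            entry = entry[2:]
        if not entry:
            raise ValueError(f"empty port entry in {raw!r}")

        if entry in ("*", "-"):
            lo, hi = 1, MAX_PORT
        elif "-" in entry:
            a, b = entry.split("-", 1)
            lo = int(a) if a else 1
            hi = int(b) if b else MAX_PORT
        else:
            lo = hi = int(entry)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range out of order or out of bounds: {raw!r}")

        for proto in ([current] if current else QUALIFIERS.values()):
            ports[proto].update(range(lo, hi + 1))
    return ports


def port_count(ports):
    """Number of ports per protocol, e.g. to sanity-check a scan's size first."""
    return {proto: len(s) for proto, s in ports.items()}


if __name__ == "__main__":
    # The combined specification from the command list above.
    expanded = expand_port_spec("U:53,111,137,T:21-25,80,139,8080")
    print("udp:", sorted(expanded["udp"]))
    print("tcp:", sorted(expanded["tcp"]))
    print("counts:", port_count(expanded))
```

Note that "-p U:53,111,137,T:21-25,80,139,8080" only produces UDP results when a UDP scan type (-sU) is also given, as the last command in the "Combine all options" group shows; the expansion here tells you what would be probed, not what the chosen scan types will actually cover.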

