NMAP: Cos’è?

26-11-2017 | Information Gathering, Tutorial

NMAP sta per (Network Mapper), è un tool preinstallato su kali linux, viene utilizzato per individuare falle di sicurezza dunque, test di penetrazione, scansiona una rete di computer per rilevare host e servizi, creando così una “mappa” della rete.

Le funzionalità
  • Identificazione degli host su una rete.
  • L’enumerazione delle porte di un host.
  • Rilevamento versione, dunque il nome e la versione dei servizi attivi su una rete.
  • Rilevamento del sistema operativo e degli hardware di una macchina.
Usi di Nmap
  • Controllo della sicurezza di un dispositivo, in modo da avere una panoramica delle connessioni che potrebbero avvenire con la nostra macchina.
  • Identificazione delle porte aperte su un host.
  • Inventario di rete, identificazione delle macchine.
  • Controllo della sicurezza di una rete.
  • Generazione del traffico verso gli host su una rete, analisi e misurazione dei tempi di risposta
  • Trovare e sfruttare le vulnerabilità di una rete.
Come si presenta

Può essere utilizzato anche con GUI avviando zenmap!

Per avviare nmap basta eseguire il comando:

specifiche target:
  • -iL <inputfilename>: Input from list of hosts/networks
  • -iR <num hosts>: Choose random targets
  • –exclude <host1[,host2][,host3],…>: Exclude hosts/networks
  • –excludefile <exclude_file>: Exclude list from file
Ricerca host:
  • -sL: List Scan – simply list targets to scan
  • -sn: Ping Scan – disable port scan
  • -Pn: Treat all hosts as online — skip host discovery
  • -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  • -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  • -PO[protocol list]: IP Protocol Ping
  • -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  • –dns-servers <serv1[,serv2],…>: Specify custom DNS servers
  • –system-dns: Use OS’s DNS resolver
  • –traceroute: Trace hop path to each host
Tecniche di scanning:
  • -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  • -sU: UDP Scan
  • -sN/sF/sX: TCP Null, FIN, and Xmas scans
  • –scanflags <flags>: Customize TCP scan flags
  • -sI <zombie host[:probeport]>: Idle scan
  • -sO: IP protocol scan
  • -b <FTP relay host>: FTP bounce scan
specifiche delle porte e ordine di range:
  • -p <port ranges>: Only scan specified ports
  • Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  • –exclude-ports <port ranges>: Exclude the specified ports from scanning
  • -F: Fast mode – Scan fewer ports than the default scan
  • -r: Scan ports consecutively – don’t randomize
  • –top-ports <number>: Scan <number> most common ports
  • –port-ratio <ratio>: Scan ports more common than <ratio>
servizi e analisi delle versioni:
  • -sV: Probe open ports to determine service/version info
  • –version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  • –version-light: Limit to most likely probes (intensity 2)
  • –version-all: Try every single probe (intensity 9)
  • –version-trace: Show detailed version scan activity (for debugging)
  • -sC: equivalent to –script=default
  • –script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
  • –script-args=<n1=v1,[n2=v2,…]>: provide arguments to scripts
  • –script-args-file=filename: provide NSE script args in a file
  • –script-trace: Show all data sent and received
  • –script-updatedb: Update the script database.
  • –script-help=<Lua scripts>: Show help about scripts.
rilevamento sistema operativo:
  • -O: Enable OS detection
  • –osscan-limit: Limit OS detection to promising targets
  • –osscan-guess: Guess OS more aggressively
tempi di risposta e performance:
  • -T<0-5>: Set timing template (higher is faster)
  • –min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  • –min-parallelism/max-parallelism <numprobes>: Probe parallelization
  • -min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.
  • –max-retries <tries>: Caps number of port scan probe retransmissions.
  • –host-timeout <time>: Give up on target after this long
  • –scan-delay/–max-scan-delay <time>: Adjust delay between probes
  • –min-rate <number>: Send packets no slower than <number> per second
  • –max-rate <number>: Send packets no faster than <number> per second
  • -f; –mtu <val>: fragment packets (optionally w/given MTU)
  • D <decoy1,decoy2[,ME],…>: Cloak a scan with decoys
  • -S <IP_Address>: Spoof source address
  • -e <iface>: Use specified interface
  • -g/–source-port <portnum>: Use given port number
  • –proxies <url1,[url2],…>: Relay connections through HTTP/SOCKS4 proxies
  • –data <hex string>: Append a custom payload to sent packets
  • –data-string <string>: Append a custom ASCII string to sent packets
  • –data-length <num>: Append random data to sent packets
  • –ip-options <options>: Send packets with specified ip options
  • -ttl <val>: Set IP time-to-live field
  • –spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  • –badsum: Send packets with a bogus TCP/UDP/SCTP checksum
  • -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
  • -oA <basename>: Output in the three major formats at once
  • -v: Increase verbosity level (use -vv or more for greater effect)
  • -d: Increase debugging level (use -dd or more for greater effect)
  • –reason: Display the reason a port is in a particular state
  • –open: Only show open (or possibly open) ports
  • –packet-trace: Show all packets sent and received
  • –iflist: Print host interfaces and routes (for debugging)
  • –append-output: Append to rather than clobber specified output files
  • –resume <filename>: Resume an aborted scan
  • –stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  • –webxml: Reference stylesheet from Nmap.Org for more portable XML
  • –no-stylesheet: Prevent associating of XSL stylesheet w/XML output
  • -6: Enable IPv6 scanning
  • -A: Enable OS detection, version detection, script scanning, and traceroute
  • –datadir <dirname>: Specify custom Nmap data file location
  • –send-eth/–send-ip: Send using raw ethernet frames or IP packets
  • –privileged: Assume that the user is fully privileged
  • –unprivileged: Assume the user lacks raw socket privileges
  • -V: Print version number
  • -h: Print this help summary page.


Comandi utili

Avere informazioni su un IP:

nmap --script whois-ip [xxx.xxx.xxx.xxx]
nmap --script whois-ip [www.hostbersaglio.xyz]

Scansionare un singolo IP:

nmap [xxx.xxx.xxx.xxx]

Scansionare un host:

nmap [www.hostbersaglio.xyz]

Scansionare una lista di ip e host savata su un documento di testo:

nmap -iL [percorso/lista_ip.txt]

Determinare servizi e sistema operativo:

nmap -A [xxx.xxx.xxx.xxx]
nmap -A [www.hostbersaglio.xyz]

Determinazione Servizi:

nmap -sV [xxx.xxx.xxx.xxx]
nmap -sV [www.hostbersaglio.xyz]

Determinazione servizi aggressiva:

nmap -sV --version-intensity 5 [xxx.xxx.xxx.xxx]
nmap -sV --version-intensity 5 [www.hostbersaglio.xyz]

Scansioneporte UDP:

nmap -sU [xxx.xxx.xxx.xxx]
nmap -sU [www.hostbersaglio.xyz]

Scansione porte TCP:

nmap -sT [xxx.xxx.xxx.xxx]
nmap -sT [www.hostbersaglio.xyz]

Scansione di una singola porta:

nmap -p [porta] [xxx.xxx.xxx.xxx]
nmap -p [porta] [www.hostbersaglio.xyz]

Scansione di un intervallo di porte:

nmap -p [porta-porta] [xxx.xxx.xxx.xxx]
nmap -p [porta-porta] [www.hostbersaglio.xyz]

Scansione delle porte più comuni:

nmap -F [xxx.xxx.xxx.xxx]
nmap -F [www.hostbersaglio.xyz]

Scansione di tutte le 65535 porte:

nmap -p- [xxx.xxx.xxx.xxx]
nmap -p- [www.hostbersaglio.xyz]

Rilevare i titoli di pagina HTTP

nmap --script = http-title [www.hostbersaglio.xyz]

Rilevare le web app da percorsi noti:

nmap --script=http-enum [www.hostbersaglio.xyz] (può provocare errori e generare numerosi 404)