Nmap bestpractice: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 80: | Zeile 80: | ||
<pre> | <pre> | ||
| − | ... ( | + | Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 10:44 CET |
| + | Nmap scan report for www.xinux.de (94.130.248.212) | ||
| + | Host is up (0.027s latency). | ||
| + | Other addresses for www.xinux.de (not scanned): 2a01:4f8:13b:1e15:8000:0:212:1 | ||
| + | rDNS record for 94.130.248.212: thor.tuxmen.de | ||
| + | |||
| + | PORT STATE SERVICE VERSION | ||
| + | 443/tcp open ssl/ssl Apache httpd (SSL-only mode) | ||
| + | |_http-server-header: Apache/2.4.29 (Ubuntu) | ||
| + | | ssl-enum-ciphers: | ||
| + | | TLSv1.0: | ||
| + | | ciphers: | ||
| + | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | ||
| + | | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | ||
| + | | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | ||
| + | | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | ||
| + | | compressors: | ||
| + | | NULL | ||
| + | | cipher preference: server | ||
| + | | TLSv1.1: | ||
| + | | ciphers: | ||
| + | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | ||
| + | | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | ||
| + | | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | ||
| + | | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | ||
| + | | compressors: | ||
| + | | NULL | ||
| + | | cipher preference: server | ||
| + | | TLSv1.2: | ||
| + | | ciphers: | ||
| + | | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | ||
| + | | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | ||
| + | | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | ||
| + | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A | ||
| + | | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A | ||
| + | | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | ||
| + | | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A | ||
| + | | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | ||
| + | | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | ||
| + | | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | ||
| + | | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | ||
| + | | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | ||
| + | | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | ||
| + | | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | ||
| + | | compressors: | ||
| + | | NULL | ||
| + | | cipher preference: server | ||
| + | |_ least strength: A | ||
| + | |||
| + | Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . | ||
| + | Nmap done: 1 IP address (1 host up) scanned in 15.85 seconds | ||
</pre> | </pre> | ||
Aktuelle Version vom 10. Mai 2025, 16:52 Uhr
TLDR
- Host discovery
nmap -sP a.b.c.d/24 > hosts
- Port discovery mit Hostlist ohne Pingcheck
nmap -sS -PN -iL ip.list
- Einmal alles
nmap -A -PN -iL ip.list
basics
ping scan
- Im gleichen Netz wird ARP genutzt, ansonsten ICMP.
nmap -sn 10.0.10.0/24
vollständiger connect
- SYN - SYN/ACK - ACK - RST
nmap -sT 10.0.10.104
einfacher scan
- SYN - SYN/ACK - RST (ohne Root-Rechte nicht möglich)
nmap -sS 10.0.10.104
udp scan
- Ports von 50 bis 70 werden gescannt (zeigte keine gewünschten Ergebnisse)
nmap -sU 10.0.10.104 -p 50-70
tcp und udp scan
- TCP und UDP gleichzeitig prüfen
nmap -sTU 10.0.10.104
bestimmte Ports scannen
- Scant gezielt bestimmte Ports
nmap -p21,22,80 10.0.10.104
alle Ports scannen
- Scan aller 65535 Ports
nmap -p- 10.0.10.104
reverse Auflösung der Hosts
- Zeigt Hostnamen, löst Adressen rückwärts auf
nmap -sL 10.0.10.102
Angabe von Source Address und Interface
- Eigene IP + Interface definieren
nmap -e eth0 -S 10.0.10.101 -P0 -sS 10.0.10.104
kompletter Scan in numerischer Reihenfolge
- -r = Reihenfolge, -p- = alle Ports, -v = verbose
nmap -v -r -p- -sS 10.0.10.104
Zeigt nur Rechner mit offenem Port 22
- Erkennt offene SSH-Zugänge
nmap -sS 10.81.111.0/24 -p 20108 --open
Webserver detection
- Versionserkennung für HTTP
nmap -sV 10.0.10.104 -p 80
Nameserver detection
- BIND erkennen auf DNS-Port
nmap -sV 10.0.10.103 -p 53
SSH Server detection
- OpenSSH identifizieren
nmap -sV 10.0.10.104 -p 22
os detection
Linux
- Ermittelt Linux-Kernel-Version
nmap -O -v 10.0.10.104 --osscan-guess
Windows
- Windows-Systeme durch TCP/IP-Stack erkennen
nmap -O -v 10.0.10.102 --osscan-guess
ssl-enum-ciphers
- Zeigt unterstützte Ciphers auf HTTPS-Port
nmap -sV --script ssl-enum-ciphers -p 443 xinux.de
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 10:44 CET Nmap scan report for www.xinux.de (94.130.248.212) Host is up (0.027s latency). Other addresses for www.xinux.de (not scanned): 2a01:4f8:13b:1e15:8000:0:212:1 rDNS record for 94.130.248.212: thor.tuxmen.de PORT STATE SERVICE VERSION 443/tcp open ssl/ssl Apache httpd (SSL-only mode) |_http-server-header: Apache/2.4.29 (Ubuntu) | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server |_ least strength: A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.85 seconds
Alle Schwachstellen
- Nutzt CVE-Datenbank über vulners NSE-Script
nmap -sV --script vulners 10.0.10.104
schneller Scan mit weniger Ports
- Fast Scan (-F) nutzt Nmaps Standard-Portliste
nmap -F 10.0.10.0/24
Ziele aus einer Datei lesen
- Zielsysteme aus Datei nutzen
vi secure.local.list 10.0.10.1 10.0.10.102 10.0.10.103 10.0.10.104 10.0.10.105
Anwenden
- Scan der IP-Liste ohne Ping
nmap -sP -iL secure.local.list
ICMP Timestamp Request Remote Date Disclosure
- ICMP-Zeitprüfung zur Systemuhr-Abfrage
nmap -sP -PE --script=icmp-timestamp 10.0.10.103