Nmap bestpractice: Difference between revisions

From Xinux Wiki

*https://nmap.org/book/osdetect.html
=Enable OS detection and version detection, script scanning and traceroute=

-A switches on all four at once; -T 4 selects timing template 4 (aggressive).

*nmap -A -T 4 192.168.242.50
 
 
<pre>
Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-14 14:22 CEST
Nmap scan report for 192.168.242.50
Host is up (0.00015s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE    VERSION
135/tcp  open  msrpc      Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn
49152/tcp open  msrpc      Microsoft Windows RPC
49153/tcp open  msrpc      Microsoft Windows RPC
49154/tcp open  msrpc      Microsoft Windows RPC
49155/tcp open  msrpc      Microsoft Windows RPC
49156/tcp open  msrpc      Microsoft Windows RPC
49157/tcp open  msrpc      Microsoft Windows RPC
MAC Address: 48:5B:39:AD:8A:F3 (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows 2008|7
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows Server 2008 SP2, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN-VJCRWQXC6A7, NetBIOS user: <unknown>, NetBIOS MAC: 48:5b:39:ad:8a:f3 (Asustek Computer)
| smb-os-discovery:
|  OS: Windows Server (R) 2008 Enterprise 6001 Service Pack 1 (Windows Server (R) 2008 Enterprise 6.0)
|  OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|  Computer name: WIN-VJCRWQXC6A7
|  NetBIOS computer name: WIN-VJCRWQXC6A7
|  Workgroup: WORKGROUP
|_  System time: 2015-10-14T14:23:23+02:00
| smb-security-mode:
|  Account that was used for smb scripts: guest
|  User-level authentication
|  SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT    ADDRESS
1  0.16 ms 192.168.242.50

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.83 seconds
</pre>
 
=Timing Templates=

Timing templates are used when you suspect that the firewall detects a port scan and therefore want to scan with delays, or when you want to take a more aggressive approach. -T accepts either the number or the name of the template.

*nmap -A -T sneaky 192.168.242.50

The following templates exist:

*paranoid (0) - avoids IDS detection
*sneaky (1) - avoids IDS detection
*polite (2) - slow scan
*normal (3) - normal scan
*aggressive (4) - assumes a fast network
*insane (5) - assumes a very fast network
 
 

Revision as of 5 July 2021, 12:16

Basics

Ping scan only (host discovery, no port scan; -sP is the older name of -sn)

  • nmap -sP 192.168.66.0/24

Fast scan with fewer ports (only the most common ones)

  • nmap -F 192.168.66.0/24

Full TCP connect scan

SYN - SYN/ACK - ACK - RST

  • nmap -sT 192.168.66.52

Simple (SYN, half-open) scan

SYN - SYN/ACK - RST (not possible without root privileges)

  • nmap -sS 192.168.66.52

UDP scan

Ports 50 to 70 are scanned (did not show the desired results)

  • nmap -sU 192.168.66.52 -p 50-70

TCP and UDP scan

  • nmap -sTU 192.168.66.52

Scan specific ports

  • nmap -p21,22,80 192.168.66.52

Scan all ports

  • nmap -p- 192.168.66.52

Reverse resolution of the hosts (list scan: only DNS lookups, no probes are sent to the targets)

  • nmap -sL 192.168.66.50-60

Specifying source address and interface (-P0 is the older name of -Pn, which skips host discovery)

  • nmap -e eth0 -S 192.168.66.54 -P0 -sS 192.168.66.53

Complete scan in numeric order

-r numeric order, -p- all ports, -v verbose

  • nmap -v -r -p- -sS 192.168.66.52

OS detection

Linux

  • nmap -O -v 192.168.240.69 | grep OS
Initiating OS detection (try #1) against 192.168.240.69
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0

Windows

  • nmap -O -v 192.168.242.75 | grep OS
Initiating OS detection (try #1) against 192.168.242.75
OS CPE: cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_2012 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1

Webserver detection

  • nmap -sV userver -p 80
...
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

DNS server detection

  • nmap -sV userver -p 53
...
53/tcp open  domain  ISC BIND 9.16.1 (Ubuntu Linux)

SSH Server detection

  • nmap -sV userver -p 22
...
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
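The -sV rows above are the "PORT STATE SERVICE VERSION" table from Nmap's normal output, which the grep one-liners on this page already rely on. The Python below is an added example, not code from the wiki or from Nmap: it parses those rows into records and reports open ports that are not on an allowlist of expected services, which is how a defender turns a version scan of their own host into an inventory check. The sample text is constructed from the -A output on this page (the Windows host, trimmed) plus one made-up UDP row to show the compound open|filtered state. For real pipelines Nmap's XML output (-oX) is the stable interface; the text format is parsed here because it is what the page shows.

```python
"""Turn Nmap's normal-output port table into records and flag unexpected open ports.

Added example for this wiki page; not Nmap code. The regex targets the
"PORT STATE SERVICE VERSION" rows printed by nmap -sV / -A.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One row of the port table: "49152/tcp open  msrpc  Microsoft Windows RPC".
# STATE may be compound such as "open|filtered" (UDP scans); VERSION is optional.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str  # "" when -sV could not identify the product


def parse_port_table(text: str) -> list[PortRecord]:
    """Extract port rows; banner, 'Not shown', MAC and script lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m is None:
            continue
        port, proto, state, service, version = m.groups()
        records.append(PortRecord(int(port), proto, state, service, version or ""))
    return records


def unexpected_open(records, allowlist):
    """Open (or open|filtered) ports not in the allowlist of (port, proto) pairs."""
    return [r for r in records
            if r.state.startswith("open") and (r.port, r.proto) not in allowlist]


def unidentified(records):
    """Open ports where version detection returned nothing: worth a manual look."""
    return [r for r in records if r.state.startswith("open") and not r.version]


# Constructed sample: the Windows host from the -A scan on this page, trimmed,
# plus one made-up UDP row (53/udp) to show the compound state.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.242.50
Host is up (0.00015s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE    VERSION
135/tcp   open  msrpc      Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
49152/tcp open  msrpc      Microsoft Windows RPC
49153/tcp open  msrpc      Microsoft Windows RPC
53/udp    open|filtered domain
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Hypothetical allowlist for this host: the SMB/RPC ports expected on a file server.
EXPECTED = {(135, "tcp"), (139, "tcp"), (445, "tcp")}

if __name__ == "__main__":
    recs = parse_port_table(SAMPLE_SCAN)
    for r in unexpected_open(recs, EXPECTED):
        print(f"unexpected: {r.port}/{r.proto} {r.state} {r.service} {r.version}".rstrip())
    for r in unidentified(recs):
        print(f"no version info: {r.port}/{r.proto} {r.service}")
```

Run against the sample, the script flags the dynamic RPC ports 49152 and 49153 and the UDP row as not on the allowlist, and lists 139, 445 and 53 as open without a product string; on a real host, feed it the saved output of the -sV command and keep the allowlist in version control next to the host's configuration.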

Links

ssl-enum-ciphers

  • nmap -sV --script ssl-enum-ciphers -p 443 www.xinux.de
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 10:44 CET
Nmap scan report for www.xinux.de (94.130.248.212)
Host is up (0.027s latency).
Other addresses for www.xinux.de (not scanned): 2a01:4f8:13b:1e15:8000:0:212:1
rDNS record for 94.130.248.212: thor.tuxmen.de

PORT    STATE SERVICE VERSION
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.85 seconds
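The ssl-enum-ciphers listing is long, and Nmap's overall "least strength: A" hides the two things a reviewer actually wants to know: which protocol versions the server still offers, and which suites lack forward secrecy or use CBC mode. The Python below is an added example, not code from the wiki or from Nmap. It parses the script's normal-output block into per-protocol suite lists and assesses them; the sample is a shortened excerpt of the www.xinux.de output above. Treating TLS 1.0 and 1.1 as deprecated follows RFC 8996 (SSLv2/SSLv3 per RFC 6176 and RFC 7568), a criterion the page itself does not state.

```python
"""Assess an Nmap ssl-enum-ciphers result block from the normal (text) output.

Added example for this wiki page; not Nmap or wiki code. Deprecation of
TLS 1.0/1.1 follows RFC 8996 (SSLv2/3: RFC 6176, RFC 7568).
"""
import re

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# "|   TLSv1.0: "  -> starts a protocol section
PROTO_LINE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
# "|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A"
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
# "|_  least strength: A"
STRENGTH_LINE = re.compile(r"^\|_?\s+least strength:\s*([A-F])")


def parse_ssl_enum_ciphers(output):
    """Return {protocol: [(suite, key_exchange, grade), ...]} in the server's order."""
    suites, current = {}, None
    for line in output.splitlines():
        m = PROTO_LINE.match(line)
        if m:
            current = m.group(1)
            suites[current] = []
            continue
        m = CIPHER_LINE.match(line)
        if m and current is not None:
            suites[current].append((m.group(1), m.group(2), m.group(3)))
    return suites


def least_strength(output):
    """Nmap's own overall grade, or None if the line is missing."""
    for line in output.splitlines():
        m = STRENGTH_LINE.match(line)
        if m:
            return m.group(1)
    return None


def assess(suites):
    """List (protocol, suite_or_None, issue) for things the letter grade does not call out."""
    findings = []
    for proto, ciphers in suites.items():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append((proto, None, "deprecated protocol version offered"))
        for name, _kex, _grade in ciphers:
            if name.startswith("TLS_RSA_WITH_"):
                findings.append((proto, name, "no forward secrecy (static RSA key exchange)"))
            if "_CBC_" in name:
                findings.append((proto, name, "CBC mode cipher suite"))
    return findings


def forward_secret_only(suites):
    """True when every offered suite on every version uses ephemeral (EC)DHE key exchange."""
    return all(name.startswith(("TLS_ECDHE_", "TLS_DHE_"))
               for ciphers in suites.values() for name, _, _ in ciphers)


# Constructed sample: shortened excerpt of the www.xinux.de output shown on this page.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|_  least strength: A
"""

if __name__ == "__main__":
    parsed = parse_ssl_enum_ciphers(SAMPLE)
    print("Nmap least strength:", least_strength(SAMPLE))
    for proto, suite, issue in assess(parsed):
        print(f"{proto:8} {suite or '-':45} {issue}")
```

On the excerpt the script reports two deprecated versions (TLSv1.0 and TLSv1.1), every TLS_RSA_ suite as lacking forward secrecy, and each CBC suite, even though Nmap grades all of them "A". The fix on the server side is to disable TLS 1.0/1.1 and drop the static-RSA and CBC suites from the web server's cipher list, then re-run the same command to confirm.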

Links