nmap is a network exploration tool for discovering the hosts present on a network and the services they run.
So let's look at the commands you may need day to day for this.
1. List the hosts to scan
This command simply lists the hosts that nmap would scan on the given network. The value 24 means that the first three octets are fixed and only the last one varies.
nmap -sL 192.168.0.1/24
The end of this command's output therefore shows:
Nmap scan report for 192.168.0.249
Nmap scan report for 192.168.0.250
Nmap scan report for 192.168.0.251
Nmap scan report for 192.168.0.252
Nmap scan report for 192.168.0.253
Nmap scan report for 192.168.0.254
Nmap scan report for 192.168.0.255
Nmap done: 256 IP addresses (0 hosts up) scanned in 0.10 seconds
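As an added example (not from the original post), the range that the /24 notation covers can be worked out with Python's standard ipaddress module, which masks the host bits of the given address the same way nmap does when it enumerates a target for -sL. The function names are my own.

```python
# Added example, not part of the original post or of nmap itself.
from __future__ import annotations
import ipaddress

def expand_target(target: str) -> list[str]:
    """Return every address nmap would consider for a CIDR target.

    The host bits of the address given are masked (192.168.0.1/24 is the
    same target as 192.168.0.0/24) and the network and broadcast addresses
    are included, which is why "-sL 192.168.0.1/24" reports 256 addresses.
    """
    net = ipaddress.ip_network(target, strict=False)
    return [str(addr) for addr in net]

def describe_prefix(target: str) -> tuple[str, int, int]:
    """Return (network address, number of fixed bits, number of addresses)."""
    net = ipaddress.ip_network(target, strict=False)
    return str(net.network_address), net.prefixlen, net.num_addresses

if __name__ == "__main__":
    addrs = expand_target("192.168.0.1/24")
    print(addrs[0], "...", addrs[-1], f"({len(addrs)} addresses)")
    # Shorter or longer prefixes change only how many trailing bits vary.
    for t in ("192.168.0.1/24", "192.168.0.1/25", "192.168.0.1/16"):
        print(t, "->", describe_prefix(t))
```

Checking the count against the "Nmap done: 256 IP addresses" line is a quick way to confirm that a target specification really covers the network you meant before launching a longer scan.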
2. Scan the hosts on the network
We now run the same command, but this time pinging each host.
nmap -sP 192.168.0.1/24
And the result is the following:
Starting Nmap 6.47 ( http://nmap.org ) at 2018-02-25 09:56 CET
Nmap scan report for 192.168.0.72
Host is up (0.00036s latency).
Nmap scan report for 192.168.0.27
Host is up (0.00049s latency).
Nmap scan report for 192.168.0.254
Host is up (0.0058s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.25 seconds
There are two hosts on the network, or one host connected over both wired and Wi-Fi, in addition to the Internet box.
3. Scan a host
nmap 192.168.0.72
Starting Nmap 6.47 ( http://nmap.org ) at 2018-02-25 10:14 CET
Nmap scan report for 192.168.0.72
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
The nmap command shows us the listening ports and the corresponding services.
4. Scan a host in more detail
We can additionally enable operating system and version detection in the previous command by adding the -A flag:
nmap -A 192.168.0.72
Starting Nmap 6.47 ( http://nmap.org ) at 2018-02-25 10:24 CET
Nmap scan report for 192.168.0.72
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-title: Index of /
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.21 seconds
Here we "scanned" the machine we are on. The versions of the ssh and http services tell us that the OS is Debian.
If we now scan the Internet box:
nmap -A 192.168.0.254
Starting Nmap 6.47 ( http://nmap.org ) at 2018-02-25 10:25 CET
Nmap scan report for 192.168.0.254
Host is up (0.0059s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Freebox ftpd
| ssl-cert: Subject: commonName=542vabcn.fbxos.fr/countryName=FR
| Not valid before: 2018-01-04T18:42:00+00:00
|_Not valid after: 2018-04-04T17:47:00+00:00
|_ssl-date: 2089-01-02T17:11:25+00:00; +70y312d7h28m31s from local time.
80/tcp open http nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Freebox OS
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp open http nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=542vabcn.fbxos.fr/countryName=FR
| Not valid before: 2018-01-04T18:42:00+00:00
|_Not valid after: 2018-04-04T17:47:00+00:00
|_ssl-date: 2054-09-05T18:09:35+00:00; +36y192d8h26m40s from local time.
| tls-nextprotoneg:
| spdy/3.1
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
554/tcp open rtsp Freebox rtspd 1.2
| rtsp-methods:
|_ DESCRIBE, OPTIONS, SETUP, TEARDOWN, PLAY, PAUSE
2020/tcp open tcpwrapped
5000/tcp open upnp?
8090/tcp open http nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-title: Freebox :: Probl\xC3\xA8me de connexion Internet
9091/tcp open http nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-title: 404 Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port5000-TCP:V=6.47%I=7%D=2/25%Time=5A9284F5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,25,"\0\0\0P/1\.0\x20400\x20Bad\x20Request\r\nCSeq:\x200\r\n\
SF:r\n")%r(GetRequest,25,"\0\0\0P/1\.0\x20400\x20Bad\x20Request\r\nCSeq:\x
SF:200\r\n\r\n")%r(RTSPRequest,77,"RTSP/1\.0\x20200\x20OK\r\nPublic:\x20OP
SF:TIONS,\x20ANNOUNCE,\x20SETUP,\x20RECORD,\x20SET_PARAMETER,\x20GET_PARAM
SF:ETER,\x20FLUSH,\x20TEARDOWN,\x20POST,\x20GET\r\n\r\n")%r(HTTPOptions,25
SF:,"\0\0\0P/1\.0\x20400\x20Bad\x20Request\r\nCSeq:\x200\r\n\r\n")%r(Help,
SF:25,"RTSP/1\.0\x20400\x20Bad\x20Request\r\nCSeq:\x200\r\n\r\n")%r(FourOh
SF:FourRequest,25,"\0\0\0P/1\.0\x20400\x20Bad\x20Request\r\nCSeq:\x200\r\n
SF:\r\n")%r(LPDString,25,"RTSP/1\.0\x20400\x20Bad\x20Request\r\nCSeq:\x200
SF:\r\n\r\n")%r(SIPOptions,25,"\0\0\0ept:\x20application/sdp\0\0\0\0\0\0o\
SF:0\0\0\r\n\r\n");
Service Info: Device: media device
Host script results:
|_nbstat: NetBIOS name: FREEBOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.0.37)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2018-02-25T09:41:53+00:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1041.61 seconds
We get the same kind of information, the Internet box having many more open ports.
5. Speed up the host scan
The previous scan took 17 minutes, so we will try to get a result faster by changing nmap's timing policy:
nmap -A -T5 192.168.0.254
The scan now takes only 90 seconds and gives almost the same results.
In a future post we will look at 5 more nmap commands for scanning your network.