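This is almost the same as what the reference page does, but I tried out Nmap, so here are my notes.
I installed Nmap locally, installed several pieces of middleware beforehand, and looked at how it behaves.
Note: port scanning networks or servers that you do not administer may constitute unauthorized access, so be careful.
First, run a port scan with "nmap <hostname>".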
    # nmap localhost

    Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-13 16:37 JST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00s latency).
    Other addresses for localhost (not scanned): 127.0.0.1
    Not shown: 992 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    443/tcp  open  https
    3306/tcp open  mysql
    5432/tcp open  postgresql
    8009/tcp open  ajp13
    8080/tcp open  http-proxy

    Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Adding the "-A" option also lets you investigate details such as the server software versions.
    # nmap -A localhost

    Starting Nmap 5.51 ( http://nmap.org ) at 2014-01-13 16:40 JST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000065s latency).
    Other addresses for localhost (not scanned): 127.0.0.1
    Not shown: 992 closed ports
    PORT     STATE SERVICE     VERSION
    22/tcp   open  ssh         OpenSSH 5.3 (protocol 2.0)
    | ssh-hostkey: 1024 7f:91:c5:35:cd:3a:f6:f2:d2:0b:b5:0e:23:a8:ba:cb (DSA)
    |_2048 58:81:bc:c4:57:23:e4:ee:78:03:a2:c1:75:24:55:84 (RSA)
    25/tcp   open  smtp        Postfix smtpd
    80/tcp   open  http        Apache httpd 2.2.15 ((CentOS))
    | http-methods: Potentially risky methods: TRACE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Apache HTTP Server Test Page powered by CentOS
    443/tcp  open  ssl/http    Apache httpd 2.2.15 ((CentOS))
    | http-methods: Potentially risky methods: TRACE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Apache HTTP Server Test Page powered by CentOS
    3306/tcp open  mysql       MySQL 5.1.71
    | mysql-info: Protocol: 10
    | Version: 5.1.71
    | Thread ID: 5
    | Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
    | Status: Autocommit
    |_Salt: scxQjDSV5E;:MWM\ht-$
    5432/tcp open  postgresql?
    8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
    8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
    | http-methods: Potentially risky methods: PUT DELETE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Apache Tomcat
    |_http-favicon: Apache Tomcat
    |_http-open-proxy: Proxy might be redirecting requests
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    [fingerprint data omitted]
    No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
    TCP/IP fingerprint:
    [fingerprint data omitted]

    Network Distance: 0 hops
    Service Info: Host: localhost.localdomain

    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 24.66 seconds
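To turn a scan of your own host like the one above into an exposure check, the following added example (not part of the original post) parses Nmap's normal output and reports open ports outside an allowlist, plus any HTTP ports where the http-methods script flagged risky methods. The function names, the allowlist, and the embedded sample (an excerpt of the output above) are assumptions made for illustration.

```python
import re

# Constructed sample: excerpt of the `nmap -A localhost` output shown above.
SAMPLE = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.3 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        Apache httpd 2.2.15 ((CentOS))
| http-methods: Potentially risky methods: TRACE
3306/tcp open  mysql       MySQL 5.1.71
5432/tcp open  postgresql?
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods: Potentially risky methods: PUT DELETE
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
RISKY_RE = re.compile(r"^\|[_ ]\s*http-methods: Potentially risky methods: (.+)$")

def parse_nmap(text):
    """Return {port: info} for every port line in Nmap's normal output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"proto": m.group(2), "state": m.group(3),
                              "service": m.group(4), "version": m.group(5).strip(),
                              "risky_methods": []}
            continue
        m = RISKY_RE.match(line)
        if m and current is not None:  # script output belongs to the port above it
            ports[current]["risky_methods"] = m.group(1).split()
    return ports

def audit(ports, allowed):
    """List (port, message) for unexpected open ports and risky HTTP methods."""
    findings = []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue
        if port not in allowed:
            findings.append((port, "unexpected open port: " + info["service"]))
        if info["risky_methods"]:
            findings.append((port, "risky HTTP methods: " + ",".join(info["risky_methods"])))
    return findings

if __name__ == "__main__":
    # Assumed allowlist: the services this host is meant to expose.
    for port, msg in audit(parse_nmap(SAMPLE), allowed={22, 25, 80, 443}):
        print(f"{port}/tcp  {msg}")
```

A trailing "?" on the service name, as on 5432/tcp, is Nmap's marker that version detection could not confirm the service, so the parser keeps it as is.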
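Beyond this, you can finely control the scan interval, the IP range, the port range, and the scan method, but for now these notes cover only the basic usage.
That's all for today.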