Nmap is the number one scanning tool for admins, hackers, security people, ... It has every feature a network scanning program needs. Below I introduce an article about Nmap.

Download link:
http://insecure.org/nmap/download.html

Nmap user guide

PART 1

A few words up front: this is a guide to some of nmap's basic scan options. My English is rather weak, so the translation may not be exact; please bear with me. Abbreviations such as TCP, UDP, SYN, ACK, ... you will probably have to look up on the net yourself. This translation is only meant for learning and exchanging experience.

Nmap = Network exploration tool and security scanner (Network Mapper)

True to its name, it is a top-tier scanning tool... It scans everything that can be scanned on a network. A multi-function scanner that, as far as I know, also fingerprints the OS.

Nmap command structure
nmap [Scan Type(s)] [Options]
Below are some scan types (those marked (*) need root privileges, as nmap's own usage text notes).

Scan Types

* -sT TCP connect scan: This is the most basic form of TCP scanning. The connect() system call provided by your operating system is used to open a connection to each interesting port on the target. If the port is listening, the connection succeeds; otherwise it fails. A big advantage of this technique is that it needs no special privileges at all: any Unix user is free to use it. The downside is that it is easily detected on the target: its logs will show the connections together with error messages from the services that accepted a connection.
* -sS TCP SYN scan: This technique is often referred to as a "half-open" scan, because you do not open a full TCP connection. You send a SYN packet, as if you were going to open a real connection, and wait for a response. A SYN|ACK indicates the port is listening. A RST indicates it is not listening. If a SYN|ACK is received, a RST is sent immediately to tear the connection down. The drawback of this technique is that you need elevated privileges to build these raw SYN packets. (*)
* -sF -sX -sN Stealth FIN, Xmas Tree, or Null scan modes: Used when there are not enough privileges to use the SYN scan technique. Some firewalls and packet filters watch for SYNs to restricted ports, and programs such as Synlogger and Courtney readily detect your scan. The advantage of these scan types is that they can pass through firewalls and packet filters with little hindrance. The idea is that closed ports must reply to your probe packet with a RST, while open ports must ignore the packet in question (see RFC 793 pp 64). The FIN scan uses a bare FIN packet as the probe, while the Xmas tree scan turns on the FIN and URG flags. Microsoft does not support this standard at all, so this scan technique cannot be used against Windows systems (95, 97, 98, 98SE, Me, NT, 2000). It is typically used against Cisco, Unix, HP-UX, Irix, ... systems. (*)
* -sP Ping scanning: This technique is used when you only want to know how many hosts are currently online on a given network. Nmap does this by sending ICMP echo request packets to every IP address on the network. Some hosts, however, block ICMP echo requests. In that case nmap can send a TCP ACK packet to port 80 (the default; the port can be changed). If we get a RST back, the host is online. A third technique involves sending a SYN packet and waiting for a RST or SYN/ACK; it is used for normal users (not root, without special privileges). If you have root, nmap uses ICMP and ACK in parallel. You can change this behaviour with the -P options described later.
* -sU UDP scan: This technique is used to determine which UDP ports are open on a host. Nmap sends a 0-byte UDP packet to each port on the target. If we receive an ICMP port unreachable message, the port is closed. Otherwise we assume it is open. Some people think UDP scanning is pointless, but it is commonly used for the rpcbind hole on Solaris, or for backdoors such as Back Orifice, which is configured on a UDP port on Windows. (*)
* -sA ACK scan: This technique is used to gather information about a system from outside a firewall. In particular it can determine whether a firewall is a firewall in the true (stateful) sense or just a packet filter that blocks incoming SYN packets. It sends ACK packets to the specified ports. If a RST comes back, that port is not filtering SYN packets (unfiltered), and vice versa.
* -sW Window scan: Similar to the ACK scan, except that it can also detect open ports, whether filtered or unfiltered. It is meant for OSes such as: AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks, ...
* -sR RPC scan: This technique takes all the open TCP/UDP ports found and floods them with Sun RPC program NULL commands to determine whether they are RPC ports. You gather some information about the system this way, about the firewall for instance, ...
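The probe/response rules these scan types rely on, as an added example that is not part of the original article and not nmap's code: a small Python model in which a target answers each probe type according to the RFC 793 behaviour described above (the `rfc793_compliant=False` switch models the Windows behaviour mentioned for the FIN/Xmas/Null scans, and `stateful_fw` models the firewall the ACK scan distinguishes), and the scanner draws the conclusion nmap would. The `Target` fields, the port sets and the verdict strings are constructed for this example; the Xmas probe sets FIN, PSH and URG, as nmap does.

```python
"""Model of how a target answers each probe type from the Scan Types list.

Added worked example, not nmap's code. It encodes the behaviour the list
relies on: per RFC 793 a closed port answers a stray segment with RST while
an open port silently drops FIN/Xmas/Null probes; a SYN gets SYN|ACK or RST;
a bare ACK gets RST from the host unless a stateful firewall drops it; a
0-byte UDP datagram to a closed port draws ICMP port unreachable. The
rfc793_compliant=False switch models the Windows behaviour the list mentions
(RST on every port, so FIN/Xmas/Null see everything as closed).
Target and the sample port sets are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Probe(Enum):
    SYN = "S"      # -sS  half-open scan
    FIN = "F"      # -sF
    XMAS = "FPU"   # -sX  FIN, PSH and URG set
    NULL = ""      # -sN  no flags at all
    ACK = "A"      # -sA / -sW
    UDP = "udp"    # -sU  0-byte datagram


@dataclass(frozen=True)
class Target:
    open_tcp: frozenset
    open_udp: frozenset = frozenset()
    rfc793_compliant: bool = True   # False: RST on every port (Windows-style)
    stateful_fw: bool = False       # True: unsolicited ACKs are dropped
    syn_filter: bool = False        # True: inbound SYNs are dropped


def respond(target: Target, probe: Probe, port: int) -> str:
    """Return what the scanner sees on the wire for one probe."""
    if probe is Probe.UDP:
        return "silence" if port in target.open_udp else "ICMP port unreachable"
    if probe is Probe.SYN:
        if target.syn_filter:
            return "silence"
        # -sS answers a SYN|ACK with an immediate RST, so no connection forms
        return "SYN|ACK" if port in target.open_tcp else "RST"
    if probe is Probe.ACK:
        # The host replies RST whether the port is open or closed; only a
        # stateful firewall, which tracks connections, drops the stray ACK.
        return "silence" if target.stateful_fw else "RST"
    # FIN, Xmas and Null probes: RFC 793 p. 64 semantics
    if not target.rfc793_compliant:
        return "RST"
    return "silence" if port in target.open_tcp else "RST"


def interpret(probe: Probe, reply: str) -> str:
    """The conclusion nmap draws from a reply, per the descriptions above."""
    if probe is Probe.SYN:
        return {"SYN|ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if probe is Probe.ACK:
        return "unfiltered" if reply == "RST" else "filtered"
    # FIN/Xmas/Null and UDP: only a negative reply is conclusive
    if reply in ("RST", "ICMP port unreachable"):
        return "closed"
    return "open|filtered"


def scan(target: Target, probe: Probe, ports) -> dict:
    """Run one probe type against a list of ports and map port -> verdict."""
    return {p: interpret(probe, respond(target, probe, p)) for p in ports}


if __name__ == "__main__":
    unix_box = Target(open_tcp=frozenset({22, 80}), open_udp=frozenset({53}))
    win_box = Target(open_tcp=frozenset({80}), rfc793_compliant=False)
    print("SYN :", scan(unix_box, Probe.SYN, [22, 80, 81]))
    print("FIN :", scan(unix_box, Probe.FIN, [80, 81]))
    print("Xmas on a Windows-style host:", scan(win_box, Probe.XMAS, [80, 81]))
    print("UDP :", scan(unix_box, Probe.UDP, [53, 54]))
    fw_box = Target(open_tcp=frozenset({80}), stateful_fw=True)
    print("ACK behind a stateful firewall:", scan(fw_box, Probe.ACK, [80]))
```

The Windows case is the one to remember when reading results: against a host that answers every FIN/Xmas/Null probe with RST, port 80 is reported closed even though it is listening, which is exactly why the list says those modes are unusable there.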

PART 2

Nmap part II: the options, with concrete examples of what they do

First, let's look at the nmap command structure again

nmap [Scan Type(s)] [Options]

Below are nmap's options:

Some Common Options (none are required, most can be combined)

* -O Use TCP/IP fingerprinting to guess remote operating system. (*)
* -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'.
* -F Only scans ports listed in nmap-services.
* -v Verbose. Its use is recommended. Use twice for greater effect.
* -P0 Don't ping hosts (needed to scan www.microsoft.com and others).
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys. (*)
* -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy.
* -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve].
* -oN/-oM <logfile> Output normal/machine parsable scan logs to <logfile>.
* -iL <inputfile> Get targets from file; Use '-' for stdin.
* -S <your_IP>/-e <devicename> Specify source address or network interface. (*)

Let's go through each example in turn

1. Port scan

Purpose: see which ports are open, and from that which services the target is running. You can configure, add or remove port definitions in the nmap-services file. To run the scan, type:

nmap -sT www.target.com

If you prefer to be discreet, use the SYN scan option

nmap -sS www.target.com -o info.txt

The -o filename option saves the results to a file so you can read them again later.

After the scan you will see:

Starting nmap V 2.53 by Fyodor (fyodor@dhp.com, http://www.insecure.com/nmap)
Interesting ports on (IP of target.com):
Port State Protocol Service
21 open TCP FTP
23 open TCP Telnet
25 open TCP SMTP
80 open TCP HTTP

I don't think this needs any further explanation.

2. Ping scan

Purpose: much like an ICMP scan, a ping scan sweeps the last (D) octet of a network, i.e. a whole /24, and tells us how many hosts in that range are currently online (and have the port we specify open). The following command pings the hosts that have port 80 open:

nmap -sP -PT80 202.162.48.0/24

Hoac

nmap -sP -PT80 202.162.48.0-254

You will see:

TCP probe ports is 80
Starting nmap V 2.53 by Fyodor (fyodor@dhp.com, http://www.insecure.com/nmap)
Host (202.162.48.0) appears to be up
Host (202.162.48.1) appears to be up
Host (202.162.48.2) appears to be up
Host (202.162.48.x) appears to be up
Nmap run completed -- 256 IP addresses (x hosts up) scanned in x seconds.
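Seen from the other side of the wire, the port scan of example 1 and the ping sweep of example 2 leave two distinct shapes in a connection log. The following Python detector is an added example, not part of the original article and not nmap's code: it runs over constructed log lines (RFC 5737 documentation addresses, a made-up "<epoch> <src> <dst> <dport> <flags>" layout with tcpdump flag letters) and reports one source touching many ports on one host (a -sT/-sS style port scan) and one source touching one port on many hosts (a -sP -PT80 style sweep). The thresholds and window are assumptions to tune for your own network.

```python
"""Spotting the scan shapes from Parts 1 and 2 in a connection log.

Added worked example, not nmap's code. It reads constructed log lines of
the form "<epoch> <src> <dst> <dport> <flags>" (flags in tcpdump letters:
S=SYN, A=ACK, F=FIN, P=PSH, U=URG, '.'=none) and reports two patterns:
one source probing many ports on one host (a port scan such as -sT/-sS)
and one source probing one port on many hosts (a sweep such as -sP -PT80).
The log layout, the addresses (RFC 5737 documentation ranges) and the
thresholds are all assumptions made for the example.
"""
from collections import defaultdict

PORT_THRESHOLD = 10      # distinct ports on one host from one source
HOST_THRESHOLD = 10      # distinct hosts on one port from one source
WINDOW_SECONDS = 60.0    # all probes of a group must fall inside this span

# flag combinations (letters sorted) -> probe family from the Scan Types list
PROBE_BY_FLAGS = {"S": "SYN", "A": "ACK", "F": "FIN", "FPU": "Xmas", ".": "Null"}

CONSTRUCTED_LOG = (
    # half-open SYN probes to 15 ports on one host inside one second
    [f"{1700000000 + i / 100:.2f} 198.51.100.7 192.0.2.10 {p} S"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139,
                            143, 443, 445, 993, 3306])]
    # TCP ACK pings to port 80 across 192.0.2.1-12, one per second
    + [f"{1700000100 + i:.2f} 203.0.113.5 192.0.2.{i} 80 A" for i in range(1, 13)]
    # an ordinary client opening two connections a minute apart: no finding
    + ["1700000200.00 192.0.2.50 192.0.2.10 443 S",
       "1700000260.00 192.0.2.50 192.0.2.10 80 S"]
)


def parse_line(line):
    """Split one log line into (epoch, src, dst, dport, normalised flags)."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), "".join(sorted(flags))


def probe_name(flags):
    """Map a flag string to the scan family it corresponds to."""
    return PROBE_BY_FLAGS.get("".join(sorted(flags)), "other")


def _within_window(times):
    return max(times) - min(times) <= WINDOW_SECONDS


def detect(lines):
    """Return the scan-like groupings found in the log, sorted by source."""
    by_host = defaultdict(lambda: {"ports": set(), "times": []})   # (src, dst, flags)
    by_port = defaultdict(lambda: {"hosts": set(), "times": []})   # (src, dport, flags)
    for ts, src, dst, dport, flags in map(parse_line, (l for l in lines if l.strip())):
        v = by_host[(src, dst, flags)]
        v["ports"].add(dport)
        v["times"].append(ts)
        h = by_port[(src, dport, flags)]
        h["hosts"].add(dst)
        h["times"].append(ts)

    findings = []
    for (src, dst, flags), v in by_host.items():
        if len(v["ports"]) >= PORT_THRESHOLD and _within_window(v["times"]):
            findings.append({"src": src, "kind": "port scan", "target": dst,
                             "probe": probe_name(flags), "count": len(v["ports"])})
    for (src, dport, flags), h in by_port.items():
        if len(h["hosts"]) >= HOST_THRESHOLD and _within_window(h["times"]):
            findings.append({"src": src, "kind": "host sweep", "target": f"port {dport}",
                             "probe": probe_name(flags), "count": len(h["hosts"])})
    return sorted(findings, key=lambda f: (f["src"], f["kind"]))


if __name__ == "__main__":
    for finding in detect(CONSTRUCTED_LOG):
        print(finding)
```

Grouping by flag string is what lets the same logic name the probe family: a -sT connect scan completes the handshake and so also shows up in the services' own logs (the point made under -sT), while a -sS scan leaves only the bare SYNs, but both produce the many-ports-one-host grouping this detector keys on.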

3. Ident scan

Purpose: like the port scan, but the ident scan also tells you which user owns each service and what privileges it runs with, ... It is typically used against Unix/BSD/Solaris/Linux/AIX/HP-UX systems, ...

nmap -sT -I www.target.com

You will see:

Starting nmap V 2.53 by Fyodor (fyodor@dhp.com, http://www.insecure.com/nmap)
Interesting ports on (IP of target.com):
Port State Protocol Service Owner
21 open TCP FTP Root
23 open TCP Telnet Root
25 open TCP SMTP Root
80 open TCP HTTP Root

4. OS and banner scan

Purpose: lets us determine which OS target.com is running, or gather software or hardware information about network devices. For example, to scan the OS we use:

nmap -sS -O www.target.com

You will see:

Starting nmap V 2.53 by Fyodor (fyodor@dhp.com, http://www.insecure.com/nmap)
Interesting ports on (IP of target.com):
Port State Protocol Service Owner
21 open TCP FTP Root
23 open TCP Telnet Root
25 open TCP SMTP Root
80 open TCP HTTP Root
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=26590 (Worthy Challenge)
Remote operating system guess: Solaris x.x
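The reports printed in examples 1 to 4 share one layout, and the natural thing to do with them on the defending side is to compare what nmap found against what a host is supposed to be running. The following Python parser is an added example, not part of the original article and not nmap's code: it reads a constructed report in the nmap 2.53 normal-output layout shown above (port rows with the optional Owner column from -I, the "Host (...) appears to be up" lines from -sP, the "Remote operating system guess" line from -O) and diffs the open ports against an expected baseline; the sample report, the address and the baseline are assumptions made for the example.

```python
"""Parsing nmap 2.53 normal output (examples 1-4) and checking it against
a baseline of expected listeners.

Added worked example, not nmap's code. CONSTRUCTED_REPORT mirrors the
layout printed above: the Port/State/Protocol/Service rows with the
optional Owner column from -I, the 'Host (...) appears to be up' lines
from -sP and the 'Remote operating system guess' line from -O. The host
address and BASELINE are assumptions for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

CONSTRUCTED_REPORT = """\
Starting nmap V 2.53 by Fyodor (fyodor@dhp.com, http://www.insecure.com/nmap)
Interesting ports on (192.0.2.10):
Port State Protocol Service Owner
21 open TCP FTP root
23 open TCP Telnet root
25 open TCP SMTP root
80 open TCP HTTP root
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=26590 (Worthy challenge)
Remote operating system guess: Solaris x.x
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
"""

# what this host is supposed to be listening on: (port, protocol)
BASELINE = {(22, "tcp"), (25, "tcp"), (80, "tcp")}

PORT_LINE = re.compile(r"^(\d+)\s+(\w+)\s+(tcp|udp)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)
HOST_UP = re.compile(r"^Host \((\S+)\) appears to be up")
TARGET = re.compile(r"^Interesting ports on (.+?):?$")
OS_GUESS = re.compile(r"^Remote operating system guess: (.+)$")


@dataclass(frozen=True)
class PortEntry:
    port: int
    state: str
    proto: str
    service: str
    owner: Optional[str] = None   # only present with the -I ident scan


def parse_report(text):
    """Turn one normal-output report into a dict of target, ports, hosts, OS."""
    report = {"target": None, "ports": [], "hosts_up": [], "os_guess": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := TARGET.match(line):
            report["target"] = m.group(1).strip("()")
        elif m := HOST_UP.match(line):
            report["hosts_up"].append(m.group(1))
        elif m := OS_GUESS.match(line):
            report["os_guess"] = m.group(1)
        elif m := PORT_LINE.match(line):
            port, state, proto, service, owner = m.groups()
            report["ports"].append(
                PortEntry(int(port), state.lower(), proto.lower(), service, owner))
    return report


def compare_to_baseline(report, baseline):
    """Open ports not in the baseline, baseline ports not seen, root-owned services."""
    observed = {(e.port, e.proto) for e in report["ports"] if e.state == "open"}
    return {
        "unexpected_open": sorted(observed - baseline),
        "missing": sorted(baseline - observed),
        "root_owned": sorted(e.port for e in report["ports"]
                             if (e.owner or "").lower() == "root"),
    }


if __name__ == "__main__":
    parsed = parse_report(CONSTRUCTED_REPORT)
    print("target:", parsed["target"], "os guess:", parsed["os_guess"])
    for entry in parsed["ports"]:
        print(entry)
    print(compare_to_baseline(parsed, BASELINE))
```

On the constructed report, FTP (21) and Telnet (23) are open but not in the baseline, and SSH (22) from the baseline is not seen; the owner column, when -I succeeded, additionally shows that every listener runs as root, which is worth a line in the same report.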

The information used to identify the OS is stored in the nmap-os-fingerprints file; you can go to the Nmap site to update it with new OS signatures. In the same way you can grab a firewall's banner. If you intend to grab a firewall's banner, you should use the SYN scan option to be discreet. First you have to locate the firewall:

Windows:

tracert www.target.com

You will see the list of nodes traversed before reaching target.com; usually the node right before target.com is the firewall, ... I'm not certain, but you can try scanning it with nmap in TCP mode: if it reports the ports as blocked, it is 90% certain to be a firewall.

1. attack-gw (192.168.50.1)
2. gw1-isp (202.65.45.1)
3. gw2-isp (202.65.45.2)
7. gwrouter-isp (202.65.45.67)
8. target.com (202.65.45.70)

Once you have determined that node 7, gwrouter-isp (202.65.45.67), is the firewall, grab its banner with:

nmap -sS -O 202.65.45.67

OK! Nmap has many more features that I have not explored yet. I leave the rest for you to discover. In short, Nmap is the number one scanning tool for admins, hackers, security people, ... You really can't do without it.