
Security checking program - Nmap - port scanning


Nmap

- A network monitoring and port scanning program.
- To check and manage a large number of ports and services efficiently, the nmap command can be used to see which ports are currently in use.


-------------------------------------------------------------------

http://insecure.org/

- Using the nmap command or tool against large portal sites and the like can get you mistaken for a hacker.

-------------------------------------------------------------------


1. Checking the installation

 
[root@server3 ~]# rpm -qa | grep nmap
nmap-4.11-1.1




2. Running it

 
[root@server3 ~]# nmap --help - for more detail, see the man page.
Nmap 4.11 ( http://www.insecure.org/nmap/ )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -P0: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idlescan
  -sO: IP protocol scan
  -b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast - Scan only the ports listed in the nmap-services file)
  -r: Scan ports consecutively - don't randomize

- (output omitted)

[root@server3 ~]# nmap -sP 10.10.0.0/16 > hostlist.txt - -sP: the Ping Scan option; ping-scans the 10.10.0.0 range.
caught SIGINT signal, cleaning up
[root@server3 ~]# vi hostlist.txt
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 16:45 KST
Host 10.10.0.1 appears to be up.
MAC Address: 00:15:FA:24:C2:91 (Cisco Systems)
Host 10.10.0.3 appears to be up.
MAC Address: 00:16:76:1C:56:D8 (Intel)

- (output omitted)


[root@server3 ~]# nmap 10.10.33.3

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 16:50 KST
Interesting ports on server3.co.kr (10.10.33.3):
Not shown: 1671 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
587/tcp open  submission
873/tcp open  rsync
992/tcp open  telnets

Nmap finished: 1 IP address (1 host up) scanned in 0.096 seconds

[root@server3 ~]# nmap -v 10.10.33.3 - the -v option shows more detailed output.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 16:50 KST
DNS resolution of 1 IPs took 0.00s.
Initiating SYN Stealth Scan against www.server3.co.kr (10.10.33.3) [1680 ports] at 16:50
Discovered open port 80/tcp on 10.10.33.3
Discovered open port 22/tcp on 10.10.33.3
Discovered open port 53/tcp on 10.10.33.3
Discovered open port 25/tcp on 10.10.33.3
Discovered open port 23/tcp on 10.10.33.3
Discovered open port 587/tcp on 10.10.33.3
Discovered open port 111/tcp on 10.10.33.3
Discovered open port 873/tcp on 10.10.33.3
Discovered open port 992/tcp on 10.10.33.3
The SYN Stealth Scan took 0.09s to scan 1680 total ports.
Host www.server3.co.kr (10.10.33.3) appears to be up ... good.
Interesting ports on www.server3.co.kr (10.10.33.3):
Not shown: 1671 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
587/tcp open  submission
873/tcp open  rsync
992/tcp open  telnets

Nmap finished: 1 IP address (1 host up) scanned in 0.102 seconds
               Raw packets sent: 1680 (73.920KB) | Rcvd: 3369 (141.516KB)

[root@server3 ~]# nmap -vO 10.10.33.3 - the -O option detects the operating system.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 16:51 KST
DNS resolution of 1 IPs took 0.00s.
Initiating SYN Stealth Scan against server3.co.kr (10.10.33.3) [1680 ports] at 16:51
Discovered open port 80/tcp on 10.10.33.3
Discovered open port 25/tcp on 10.10.33.3
Discovered open port 22/tcp on 10.10.33.3
Discovered open port 53/tcp on 10.10.33.3
Discovered open port 23/tcp on 10.10.33.3
Discovered open port 992/tcp on 10.10.33.3
Discovered open port 111/tcp on 10.10.33.3
Discovered open port 873/tcp on 10.10.33.3
Discovered open port 587/tcp on 10.10.33.3
The SYN Stealth Scan took 0.10s to scan 1680 total ports.
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
Host server3.co.kr (10.10.33.3) appears to be up ... good.
Interesting ports on server3.co.kr (10.10.33.3):
Not shown: 1671 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
587/tcp open  submission
873/tcp open  rsync
992/tcp open  telnets
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=2/3%Tm=4987F792%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=123857%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=1238B8%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=123971%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Uptime 1.337 days (since Mon Feb  2 08:45:52 2009)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1194353 (Good luck!)
IPID Sequence Generation: All zeros

Nmap finished: 1 IP address (1 host up) scanned in 9.694 seconds
               Raw packets sent: 1725 (77.424KB) | Rcvd: 3471 (147.864KB)

[root@server3 ~]# nmap -sS -O 10.10.33.3 - the -sS option is the SYN scan, which scans without leaving log records.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 16:54 KST
Interesting ports on www.server3.co.kr (10.10.33.3):
Not shown: 1671 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
587/tcp open  submission
873/tcp open  rsync
992/tcp open  telnets
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=2/3%Tm=4987F82E%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=1FBF27%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=1FC22B%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=1FBD20%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Uptime 1.339 days (since Mon Feb  2 08:45:53 2009)

Nmap finished: 1 IP address (1 host up) scanned in 9.665 seconds

[root@server3 ~]# nmap 10.10.33.1-3 - scans hosts 10.10.33.1 through 10.10.33.3.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 16:58 KST
Interesting ports on 10.10.33.2:
Not shown: 1674 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
53/tcp  open  domain
111/tcp open  rpcbind
604/tcp open  unknown
873/tcp open  rsync
MAC Address: 00:16:76:08:B2:8B (Intel)

Interesting ports on www.server3.co.kr (10.10.33.3):
Not shown: 1671 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
587/tcp open  submission
873/tcp open  rsync
992/tcp open  telnets

Nmap finished: 3 IP addresses (2 hosts up) scanned in 1.741 seconds

[root@server3 ~]# nmap -p 1-30 10.10.33.3 - scans ports 1 through 30 on host 10.10.33.3.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 16:59 KST
Interesting ports on server3.co.kr (10.10.33.3):
Not shown: 27 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
25/tcp open  smtp

Nmap finished: 1 IP address (1 host up) scanned in 0.013 seconds

[root@server3 ~]# nmap -sR -p 1-40000 10.10.33.3 - looks for RPC ports among ports 1 through 40000 on host 10.10.33.3 and shows them.

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 17:00 KST
Interesting ports on www.server3.co.kr (10.10.33.3):
Not shown: 39991 closed ports
PORT    STATE SERVICE              VERSION
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind (rpcbind V2)  2 (rpc #100000)
587/tcp open  submission
873/tcp open  rsync
992/tcp open  status (status V1)    1 (rpc #100024)

Nmap finished: 1 IP address (1 host up) scanned in 3.288 seconds

[root@server3 ~]# nmap -v -sS -O 10.10.33.3

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-02-03 17:00 KST
DNS resolution of 1 IPs took 0.00s.
Initiating SYN Stealth Scan against www.server3.co.kr (10.10.33.3) [1680 ports] at 17:00
Discovered open port 22/tcp on 10.10.33.3
Discovered open port 80/tcp on 10.10.33.3
Discovered open port 23/tcp on 10.10.33.3
Discovered open port 25/tcp on 10.10.33.3
Discovered open port 53/tcp on 10.10.33.3
Discovered open port 992/tcp on 10.10.33.3
Discovered open port 873/tcp on 10.10.33.3
Discovered open port 111/tcp on 10.10.33.3
Discovered open port 587/tcp on 10.10.33.3
The SYN Stealth Scan took 0.09s to scan 1680 total ports.
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
Host www.server3.co.kr (10.10.33.3) appears to be up ... good.
Interesting ports on www.server3.co.kr (10.10.33.3):
Not shown: 1671 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
587/tcp open  submission
873/tcp open  rsync
992/tcp open  telnets
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=2/3%Tm=4987F9BF%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=2DF4CB%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=2DF690%IPID=Z%TS=1000HZ)
TSeq(Class=RI%gcd=1%SI=2DF32F%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


Uptime 1.344 days (since Mon Feb  2 08:45:53 2009)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3011375 (Good luck!)
IPID Sequence Generation: All zeros

Nmap finished: 1 IP address (1 host up) scanned in 9.680 seconds
               Raw packets sent: 1725 (77.424KB) | Rcvd: 3471 (147.864KB)
[root@server3 ~]#
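As an added example (not part of the original post), a small Python checker for the output shown above: it parses nmap's normal output into per-host port tables and reports open ports that are not on a hypothetical per-host allowlist (BASELINE), which is how an administrator turns these scans into a routine check for unexpected services such as telnet or rsync. The sample input is trimmed from the 10.10.33.1-3 scan above.

```python
import re
# Sample nmap 4.11 normal output, trimmed from the 10.10.33.1-3 scan shown above.
SAMPLE_OUTPUT = """\
Interesting ports on 10.10.33.2:
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
873/tcp open  rsync
MAC Address: 00:16:76:08:B2:8B (Intel)

Interesting ports on www.server3.co.kr (10.10.33.3):
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
992/tcp open  telnets
"""
# Matches "Interesting ports on 10.10.33.2:" and "... on www.server3.co.kr (10.10.33.3):"
HOST_RE = re.compile(r"^Interesting ports on (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?:")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")  # "22/tcp  open  ssh"

BASELINE = {  # hypothetical per-host allowlist of services that should be exposed
    "10.10.33.2": {(22, "tcp")},
    "10.10.33.3": {(22, "tcp"), (80, "tcp")},
}

def parse_nmap_output(text):
    """Return {ip: {(port, proto): (state, service)}} from nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # a new host block starts here
            current = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            current[(int(port), proto)] = (state, service)
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Open ports per host not in its allowlist; a host absent from the baseline allows nothing."""
    findings = {}
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted((p, proto, svc) for (p, proto), (st, svc) in ports.items()
                       if st == "open" and (p, proto) not in allowed)
        if extra:
            findings[ip] = extra
    return findings
```

Running `nmap -oN scan.txt ...` and feeding the file to `parse_nmap_output` on a schedule gives a diff against the baseline each time, so a newly opened port shows up as a finding rather than going unnoticed.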


