PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

merge soc07 r5124:5142 - build/install system updates; changelog updates; umit install code; compilation fixes; integrate umit

Browse Source
This commit is contained in:
fyodor
2007-08-11 05:41:41 +00:00
parent 1ec0823730
commit 5528726e5b
35 changed files with 358 additions and 10650 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
CHANGELOG
View File

@@ -2,8 +2,13 @@
4.22SOC1
o Upgraded from WinPcap 4.0 to WinPcap 4.01 and fixed a versioning
error [Eddie]
o The UMIT graphical Nmap frontend is now included (as an ALPHA TEST
release) with the Nmap tarball distribution. It isn't yet in the
RPMs or the Windows distributions. UMIT is written with Python/GTK
and has many huge advantages over NmapFE. It installs from the Nmap
source tarballs as part of the "make install" process unless you
specify --without-umit to configure. Please give UMIT a try (the
executable is named umit) and let us know the results!
o The port selection mechanism was overhauled. Nmap now knows
(roughly) how common various services are, so you can specify
@@ -62,7 +67,8 @@ o The build dependencies were dramatically reduced by removing
This should make Nmap compilation faster and prevent some
portability problems. [David Fifield]
o Upgraded from WinPcap 3.1 to WinPcap 4.0 [Eddie]
o Upgraded from WinPcap 3.1 to WinPcap 4.01 and fixed a pcap installer
error. [Eddie]
o In verbose mode, Nmap now reports where it obtains data files (such as
nmap-services) from. [David Fifield]
@@ -112,6 +118,8 @@ o A number of changes were made to the Windows build system to handle
version numbers, publisher field, add/remove program support,
etc. [Eddie]
o The Nmap -A option now enables the traceroute option too [Eddie]
o Improved how the Gen1 OS Detection system selects which UDP ports to
send probes to. [Kris]

9
Makefile.in
View File

@@ -53,6 +53,7 @@ TARGET = nmap
TARGETNMAPFE=@TARGETNMAPFE@
INSTALLNMAPFE=@INSTALLNMAPFE@
INSTALLNSE=@INSTALLNSE@
INSTALLUMIT=@INSTALLUMIT@
ifneq (@LIBLUA_LIBS@,)
NSE_SRC=nse_main.cc nse_auxiliar.cc nse_nsock.cc nse_init.cc nse_nmaplib.cc nse_debug.cc nse_pcrelib.cc nse_string.cc
@@ -103,7 +104,7 @@ $(NSOCKDIR)/src/libnsock.a: $(NSOCKDIR)/src/Makefile FORCE
cd $(NSOCKDIR)/src && $(MAKE)
$(LIBLUADIR)/liblua.a: $(LIBLUADIR)/Makefile FORCE
@echo Compiling liblua; cd $(LIBLUADIR) && $(MAKE) @LUAFLAVOR@
@echo Compiling liblua; cd $(LIBLUADIR) && $(MAKE) liblua.a @LUAFLAGS@
#$(LIBPCAPDIR)/Makefile:
# @echo Configuring libpcap; cd $(LIBPCAPDIR); ./configure
@@ -197,6 +198,9 @@ install-nmapfe: $(TARGETNMAPFE)
@echo "If the next command fails -- you cannot use the X front end"
-test -f nmapfe/nmapfe && $(INSTALL) -c -m 755 -s nmapfe/nmapfe $(DESTDIR)$(bindir)/nmapfe && rm -f $(DESTDIR)$(bindir)/xnmap && $(SHTOOL) mkln -f -s $(DESTDIR)$(bindir)/nmapfe $(DESTDIR)$(bindir)/xnmap && $(INSTALL) -c -m 644 nmapfe.desktop $(DESTDIR)$(deskdir)/nmapfe.desktop && $(INSTALL) -c -m 644 docs/nmapfe.1 $(DESTDIR)$(mandir)/man1/nmapfe.1 && $(INSTALL) -c -m 644 docs/xnmap.1 $(DESTDIR)$(mandir)/man1/xnmap.1
install-umit: umit/setup.py
cd umit && python setup.py install --prefix $(DESTDIR)$(prefix)
NSE_FILES = scripts/script.db scripts/*.nse
NSE_LIB_FILES = nselib/*lua nselib/*so
install-nse: $(TARGET)
@@ -205,7 +209,8 @@ install-nse: $(TARGET)
$(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(nmapdatadir)/nselib
cp -f $(NSE_LIB_FILES) $(DESTDIR)$(nmapdatadir)/nselib
install: install-nmap $(INSTALLNMAPFE) $(INSTALLNSE)
install: install-nmap $(INSTALLNMAPFE) $(INSTALLNSE) $(INSTALLUMIT)
@echo "NMAP SUCCESSFULLY INSTALLED"
uninstall:
rm -f $(bindir)/$(TARGET) $(bindir)/nmapfe $(bindir)/xnmap

115
configure vendored
View File

@@ -673,12 +673,13 @@ host
host_cpu
host_vendor
host_os
LUAFLAVOR
LUAFLAGS
CPP
GREP
EGREP
TARGETNMAPFE
INSTALLNMAPFE
INSTALLUMIT
OPENSSL_LIBS
PCAP_DEPENDS
PCAP_CLEAN
@@ -1300,7 +1301,8 @@ Optional Packages:
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-localdirs Explicitly ask compiler to use
/usr/local/{include,libs} if they exist
--without-nmapfe skip nmapfe X-window GUI
--without-nmapfe Skip nmapfe X-window GUI
--without-umit Skip installation of the UMIT graphical frontend
--with-openssl=DIR Use optional openssl libs and includes from
DIR/lib/ and DIR/include/openssl/)
--with-libpcap=DIR Look for pcap in DIR/include and DIR/libs.
@@ -3408,14 +3410,14 @@ case "$host" in
#define DEC 1
_ACEOF
LUAFLAVOR=posix
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-netbsd* | *-knetbsd*-gnu)
cat >>confdefs.h <<\_ACEOF
#define NETBSD 1
_ACEOF
LUAFLAVOR=bsd
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
;;
*-openbsd*)
@@ -3423,7 +3425,7 @@ _ACEOF
#define OPENBSD 1
_ACEOF
LUAFLAVOR=bsd
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
;;
*-sgi-irix5*)
@@ -3433,8 +3435,8 @@ _ACEOF
if test -z "$GCC"; then
sgi_cc=yes
LUAFLAVOR=posix
fi
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-sgi-irix6*)
cat >>confdefs.h <<\_ACEOF
@@ -3444,7 +3446,7 @@ _ACEOF
if test -z "$GCC"; then
sgi_cc=yes
fi
LUAFLAVOR=posix
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-hpux*)
cat >>confdefs.h <<\_ACEOF
@@ -3524,7 +3526,7 @@ _ACEOF
fi
LUAFLAVOR=posix
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.0*)
cat >>confdefs.h <<\_ACEOF
@@ -3535,14 +3537,14 @@ _ACEOF
#define SOLARIS 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.[1-9][0-9]*)
cat >>confdefs.h <<\_ACEOF
#define SOLARIS 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.1*)
cat >>confdefs.h <<\_ACEOF
@@ -3553,7 +3555,7 @@ _ACEOF
#define SOLARIS 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.2*)
cat >>confdefs.h <<\_ACEOF
@@ -3564,7 +3566,7 @@ _ACEOF
#define SOLARIS 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.3*)
cat >>confdefs.h <<\_ACEOF
@@ -3575,7 +3577,7 @@ _ACEOF
#define SOLARIS 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.4*)
cat >>confdefs.h <<\_ACEOF
@@ -3586,7 +3588,7 @@ _ACEOF
#define SOLARIS 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.5.1)
cat >>confdefs.h <<\_ACEOF
@@ -3597,14 +3599,14 @@ _ACEOF
#define SOLARIS 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris*)
cat >>confdefs.h <<\_ACEOF
#define SOLARIS 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-sunos4*)
cat >>confdefs.h <<\_ACEOF
@@ -3615,7 +3617,7 @@ _ACEOF
#define SPRINTF_RETURNS_STRING 1
_ACEOF
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-linux*)
linux=yes
@@ -3628,7 +3630,7 @@ _ACEOF
_ACEOF
# libpcap doesn't even LOOK at
# the timeout you give it under Linux
LUAFLAVOR=linux
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
;;
*-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
@@ -3636,7 +3638,7 @@ _ACEOF
#define FREEBSD 1
_ACEOF
LUAFLAVOR=bsd
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
;;
*-bsdi*)
@@ -3645,7 +3647,7 @@ _ACEOF
_ACEOF
LUAFLAVOR=bsd
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-apple-darwin*)
macosx=yes
@@ -3654,10 +3656,10 @@ _ACEOF
_ACEOF
needs_cpp_precomp=yes
LUAFLAVOR=macosx
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_MACOSX\""
;;
*)
LUAFLAVOR=posix
LUAFLAGS=MYCFLAGS="-DLUA_USE_POSIX -DLUA_USE_DLOPEN"
esac
@@ -5426,7 +5428,23 @@ fi
# First we test whether they specified openssl desires explicitly
# Do they want UMIT?
INSTALLUMIT=install-umit
# Check whether --with-umit was given.
if test "${with_umit+set}" = set; then
withval=$with_umit; case "$with_umit" in
no)
INSTALLUMIT=""
;;
esac
fi
# We test whether they specified openssl desires explicitly
use_openssl="yes"
specialssldir=""
@@ -7067,6 +7085,7 @@ if test "${with_liblua+set}" = set; then
LUA_DEPENDS="$LIBLUADIR/liblua.a"
LUA_CLEAN="lua_clean"
LUA_DIST_CLEAN="lua_dist_clean"
have_lua="yes"
;;
no)
@@ -9593,12 +9612,13 @@ host!$host$ac_delim
host_cpu!$host_cpu$ac_delim
host_vendor!$host_vendor$ac_delim
host_os!$host_os$ac_delim
LUAFLAVOR!$LUAFLAVOR$ac_delim
LUAFLAGS!$LUAFLAGS$ac_delim
CPP!$CPP$ac_delim
GREP!$GREP$ac_delim
EGREP!$EGREP$ac_delim
TARGETNMAPFE!$TARGETNMAPFE$ac_delim
INSTALLNMAPFE!$INSTALLNMAPFE$ac_delim
INSTALLUMIT!$INSTALLUMIT$ac_delim
OPENSSL_LIBS!$OPENSSL_LIBS$ac_delim
PCAP_DEPENDS!$PCAP_DEPENDS$ac_delim
PCAP_CLEAN!$PCAP_CLEAN$ac_delim
@@ -9629,7 +9649,6 @@ NSOCKDIR!$NSOCKDIR$ac_delim
LIBNSOCK_LIBS!$LIBNSOCK_LIBS$ac_delim
GTK_CONFIG!$GTK_CONFIG$ac_delim
LIBOBJS!$LIBOBJS$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -9668,6 +9687,50 @@ CEOF$ac_eof
_ACEOF
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 1; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
{ (exit 1); exit 1; }; }
else
ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
fi
done
ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
if test -n "$ac_eof"; then
ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
ac_eof=`expr $ac_eof + 1`
fi
cat >>$CONFIG_STATUS <<_ACEOF
cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
_ACEOF
sed '
s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
s/^/s,@/; s/!/@,|#_!!_#|/
:n
t n
s/'"$ac_delim"'$/,g/; t
s/$/\\/; p
N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
' >>$CONFIG_STATUS <conf$$subs.sed
rm -f conf$$subs.sed
cat >>$CONFIG_STATUS <<_ACEOF
:end
s/|#_!!_#|//g
CEOF$ac_eof
_ACEOF
# VPATH may cause trouble with some makes, so we remove $(srcdir),
# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
# trailing colons and then remove the whole line if VPATH becomes empty
@@ -9906,7 +9969,7 @@ s&@builddir@&$ac_builddir&;t t
s&@abs_builddir@&$ac_abs_builddir&;t t
s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
$ac_datarootdir_hack
" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed 's/|#_!!_#|//g' >$tmp/out
" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" >$tmp/out
test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
{ ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&

59
configure.ac
View File

@@ -136,111 +136,111 @@ needs_cpp_precomp=no
case "$host" in
*alpha-dec-osf*)
AC_DEFINE(DEC)
LUAFLAVOR=posix
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-netbsd* | *-knetbsd*-gnu)
AC_DEFINE(NETBSD)
LUAFLAVOR=bsd
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
;;
*-openbsd*)
AC_DEFINE(OPENBSD)
LUAFLAVOR=bsd
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
;;
*-sgi-irix5*)
AC_DEFINE(IRIX)
if test -z "$GCC"; then
sgi_cc=yes
LUAFLAVOR=posix
fi
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-sgi-irix6*)
AC_DEFINE(IRIX)
if test -z "$GCC"; then
sgi_cc=yes
fi
LUAFLAVOR=posix
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-hpux*)
AC_DEFINE(HPUX)
# To link with libnet and NM (/usr/lib/libnm.sl) library
# on HP-UX 11.11 (other versions?) Mikhail Zakharov (zmey20000@yahoo.com)
AC_CHECK_LIB(nm, open_mib)
LUAFLAVOR=posix
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.0*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.[[1-9]][[0-9]]*)
AC_DEFINE(SOLARIS)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.1*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.2*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.3*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.4*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris2.5.1)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-solaris*)
AC_DEFINE(SOLARIS)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-sunos4*)
AC_DEFINE(SUNOS)
AC_DEFINE(SPRINTF_RETURNS_STRING)
LUAFLAVOR=solaris
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-linux*)
linux=yes
AC_DEFINE(LINUX)
AC_DEFINE(PCAP_TIMEOUT_IGNORED) # libpcap doesn't even LOOK at
# the timeout you give it under Linux
LUAFLAVOR=linux
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
;;
*-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
AC_DEFINE(FREEBSD)
LUAFLAVOR=bsd
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
;;
*-bsdi*)
AC_DEFINE(BSDI)
LUAFLAVOR=bsd
LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
;;
*-apple-darwin*)
macosx=yes
AC_DEFINE(MACOSX)
needs_cpp_precomp=yes
LUAFLAVOR=macosx
LUAFLAGS="MYCFLAGS=\"-DLUA_USE_MACOSX\""
;;
*)
LUAFLAVOR=posix
LUAFLAGS=MYCFLAGS="-DLUA_USE_POSIX -DLUA_USE_DLOPEN"
esac
AC_SUBST(LUAFLAVOR)
AC_SUBST(LUAFLAGS)
AC_SEARCH_LIBS(dlopen, dl)
dnl equiv to '#define inline' to 'inline', '__inline__', '__inline' or ''
@@ -300,7 +300,7 @@ test "${with_nmapfe+set}" != "set" && with_nmapfe=yes
TARGETNMAPFE=nmapfe/nmapfe
INSTALLNMAPFE=install-nmapfe
AC_ARG_WITH(nmapfe, AC_HELP_STRING([--without-nmapfe], [skip nmapfe X-window GUI]),
AC_ARG_WITH(nmapfe, AC_HELP_STRING([--without-nmapfe], [Skip nmapfe X-window GUI]),
[ case "$with_nmapfe" in
no)
TARGETNMAPFE=""; INSTALLNMAPFE=""
@@ -310,7 +310,19 @@ AC_ARG_WITH(nmapfe, AC_HELP_STRING([--without-nmapfe], [skip nmapfe X-window GUI
AC_SUBST(TARGETNMAPFE)
AC_SUBST(INSTALLNMAPFE)
# First we test whether they specified openssl desires explicitly
# Do they want UMIT?
INSTALLUMIT=install-umit
AC_ARG_WITH(umit, AC_HELP_STRING([--without-umit], [Skip installation of the UMIT graphical frontend]),
[ case "$with_umit" in
no)
INSTALLUMIT=""
;;
esac]
)
AC_SUBST(INSTALLUMIT)
# We test whether they specified openssl desires explicitly
use_openssl="yes"
specialssldir=""
@@ -589,6 +601,7 @@ AC_HELP_STRING([--without-liblua], [Compile without lua (this will exclude all o
LUA_DEPENDS="$LIBLUADIR/liblua.a"
LUA_CLEAN="lua_clean"
LUA_DIST_CLEAN="lua_dist_clean"
have_lua="yes"
;;
no)

2
docs/leet-nmap-ascii-art.txt
View File

@@ -12,5 +12,3 @@
/ / _/ / + / \/
' (__/ / \
NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY
[ Sick of the Nmap dragon? Submit your art and tag ]
[ lines to nmap-dev@insecure.org for next release! ]

620
docs/nmap-fingerprinting-article.txt
View File

@@ -1,620 +0,0 @@
[ NOTE -- A more up-to-date version of this paper and translations to
many other languages are available from
http://www.insecure.org/nmap/nmap-fingerprinting-article.html ]
Remote OS detection via TCP/IP Stack FingerPrinting
by Fyodor <fyodor@insecure.org> (www.insecure.org)
October 18, 1998
ABSTRACT
This paper discusses how to glean precious information about a host by
querying its TCP/IP stack. I first present some of the "classical"
methods of determining host OS which do not involve stack
fingerprinting. Then I describe the current "state of the art" in
stack fingerprinting tools. Next comes a description of many
techniques for causing the remote host to leak information about
itself. Finally I detail my (nmap) implementation of this, followed
by a snapshot gained from nmap which discloses what OS is running on
many popular Internet sites.
REASONS
I think the usefulness of determining what OS a system is running is
pretty obvious, so I'll make this section short. One of the strongest
examples of this usefulness is that many security holes are dependent
on OS version. Lets say you are doing a penetration test and you find
port 53 open. If this is a vulnerable version of Bind, you only get
one chance to exploit it since a failed attempt will crash the daemon.
With a good TCP/IP fingerprinter, you will quickly find that this
machine is running 'Solaris 2.51' or 'Linux 2.0.35' and you can adjust
your shellcode accordingly.
A worse possibility is someone scanning 500,000 hosts in advance to
see what OS is running and what ports are open. Then when someone
posts (say) a root hole in Sun's comsat daemon, our little cracker
could grep his list for 'UDP/512' and 'Solaris 2.6' and he immediately
has pages and pages of rootable boxes. It should be noted that this
is SCRIPT KIDDIE behavior. You have demonstrated no skill and nobody
is even remotely impressed that you were able to find some vulnerable
.edu that had not patched the hole in time. Also, people will be even
_less_ impressed if you use your newfound access to deface the
department's web site with a self-aggrandizing rant about how damn
good you are and how stupid the sysadmins must be.
Another possible use is for social engineering. Lets say that you are
scanning your target company and nmap reports a 'Datavoice TxPORT
PRISM 3000 T1 CSU/DSU 6.22/2.06'. The hacker might now call up as
'Datavoice support' and discuss some issues about their PRISM 3000.
"We are going to announce a security hole soon, but first we want all
our current customers to install the patch -- I just mailed it to you
..." Some naive administrators might assume that only an authorized
engineer from Datavoice would know so much about their CSU/DSU.
Another potential use of this capability is evaluation of companies
you may want to do business with. Before you choose a new ISP, scan
them and see what equipment is in use. Those "$99/year" deals don't
sound nearly so good when you find out they have crappy routers and
offer PPP services off a bunch of Windows boxes.
CLASSICAL TECHNIQUES
Stack fingerprinting solves the problem of OS identification in a
unique way. I think this technique holds the most promise, but there
are currently many other solutions. Sadly, this is still one the most
effective of those techniques:
playground~> telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.
HP-UX hpux B.10.01 A 9000/715 (ttyp2)
login:
There is no point going to all this trouble of fingerprinting if the
machine will blatantly announce to the world exactly what it is
running! Sadly, many vendors ship _current_ systems with these kind
of banners and many admins do not turn them off. Just because there
are other ways to figure out what OS is running (such as
fingerprinting), does not mean we should just announce our OS and
architecture to every schmuck who tries to connect.
The problems with relying on this technique are that an increasing
number of people are turning banners off, many systems don't give much
information, and it is trivial for someone to "lie" in their banners.
Nevertheless, banner reading is all you get for OS and OS Version
checking if you spend $thousands on the commercial ISS scanner.
Download nmap or queso instead and save your money :).
Even if you turn off the banners, many applications will happily give
away this kind of information when asked. For example lets look at an
FTP server:
payfonez> telnet ftp.netscape.com 21
Trying 207.200.74.26...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
SYST
215 UNIX Type: L8 Version: SUNOS
First of all, it gives us system details in its default banner. Then
if we give the 'SYST' command it happily feeds back even more information.
If anon FTP is supported, we can often download /bin/ls or other
binaries and determine what architecture it was built for.
Many other applications are too free with information. Take web
servers for example:
playground> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0
playground>
Hmmm ... I wonder what OS those lamers are running.
Other classic techniques include DNS host info records (rarely
effective) and social engineering. If the machine is listening on
161/udp (snmp), you are almost guaranteed a bunch of detailed info
using 'snmpwalk' from the CMU SNMP tools distribution and the 'public'
community name.
CURRENT FINGERPRINTING PROGRAMS
Nmap is not the first OS recognition program to use TCP/IP
fingerprinting. The common IRC spoofer sirc by Johan has included
very rudimentary fingerprinting techniques since version 3 (or
earlier). It attempts to place a host in the classes "Linux",
"4.4BSD", "Win95", or "Unknown" using a few simple TCP flag tests.
Another such program is checkos, released publicly in January of this
year by Shok in Confidence Remains High Issue #7.
The fingerprinting techniques are exactly the same as SIRC, and even
the _code_ is identical in many places. Checkos was privately
available for a long time prior to the public release, so I have no
idea who swiped code from whom. But neither seems to credit the
other. One thing checkos does add is telnet banner checking, which is
useful but has the problems described earlier. [ Update: Shok wrote in
to say that chekos was never intended to be public and this is why he
didn't bother to credit SIRC for some of the code. ]
Su1d also wrote an OS checking program. His is called SS and as of
Version 3.11 it can identify 12 different OS types. I am somewhat
partial to this one since he credits my nmap program for some of the
networking code :).
Then there is queso. This program is the newest and it is a huge leap
forward from the other programs. Not only do they introduce a couple
new tests, but they were the first (that I have seen) to move the
OS fingerprints _out_ of the code. The other scanners included code like:
/* from ss */
if ((flagsfour & TH_RST) && (flagsfour & TH_ACK) && (winfour == 0) &&
(flagsthree & TH_ACK))
reportos(argv[2],argv[3],"Livingston Portmaster ComOS");
Instead, queso moves this into a configuration file which obviously
scales much better and makes adding an OS as easy as appending a few
lines to a fingerprint file.
Queso was written by Savage, one of the fine folks at Apostols.org .
One problem with all the programs describe above is that they are very
limited in the number of fingerprinting tests which limits the
granularity of answers. I want to know more than just 'this machine
is OpenBSD, FreeBSD, or NetBSD', I wish to know exactly which of those
it is as well as some idea of the release version number. In the same
way, I would rather see 'Solaris 2.6' than simply 'Solaris'. To
achieve this response granularity, I worked on a number of
fingerprinting techniques which are described in the next section.
FINGERPRINTING METHODOLOGY
There are many, many techniques which can be used to fingerprint
networking stacks. Basically, you just look for things that differ
among operating systems and write a probe for the difference. If you
combine enough of these, you can narrow down the OS very tightly. For
example nmap can reliably distinguish Solaris 2.4 vs. Solaris 2.5-2.51
vs Solaris 2.6. It can also tell Linux kernel 2.0.30 from 2.0.31-34
or 2.0.35. Here are some techniques:
The FIN probe -- Here we send a FIN packet (or any packet without an
ACK or SYN flag) to an open port and wait for a response. The
correct RFC793 behavior is to NOT respond, but many broken
implementations such as MS Windows, BSDI, CISCO, HP/UX, MVS, and
IRIX send a RESET back. Most current tools utilize this
technique.
The BOGUS flag probe -- Queso is the first scanner I have seen to use
this clever test. The idea is to set an undefined TCP "flag" ( 64
or 128) in the TCP header of a SYN packet. Linux boxes prior to
2.0.35 keep the flag set in their response. I have not found any
other OS to have this bug. However, some operating systems seem
to reset the connection when they get a SYN+BOGUS packet. This
behavior could be useful in identifying them.
TCP ISN Sampling -- The idea here is to find patterns in the initial
sequence numbers chosen by TCP implementations when responding to
a connection request. These can be categorized in to many groups
such as the traditional 64K (many old UNIX boxes), Random
increments (newer versions of Solaris, IRIX, FreeBSD, Digital
UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS,
newer AIX, etc). Windows boxes (and a few others) use a "time
dependent" model where the ISN is incremented by a small fixed
amount each time period. Needless to say, this is almost as
easily defeated as the old 64K behavior. Of course my favorite
technique is "constant". The machines ALWAYS use the exact same
ISN :). I've seen this on some 3Com hubs (uses 0x803) and Apple
LaserWriter printers (uses 0xC7001).
You can also subclass groups such as random incremental by
computing variances, greatest common divisors, and other functions
on the set of sequence numbers and the differences between the
numbers.
It should be noted that ISN generation has important security
implications. For more information on this, contact "security
expert" Tsutomu "Shimmy" Shimomura at SDSC and ask him how he was
owned. Nmap is the first program I have seen to use this for OS
identification.
Don't Fragment bit -- Many operating systems are starting to set the
IP "Don't Fragment" bit on some of the packets they send. This
gives various performance benefits (though it can also be annoying
-- this is why nmap fragmentation scans do not work from Solaris
boxes). In any case, not all OS's do this and some do it in
different cases, so by paying attention to this bit we can glean
even more information about the target OS. I haven't seen this
one before either.
TCP Initial Window -- This simply involves checking the window size on
returned packets. Older scanners simply used a non-zero window on
a RST packet to mean "BSD 4.4 derived". Newer scanners such as
queso and nmap keep track of the exact window since it is actually
pretty constant by OS type. This test actually gives us a lot of
information, since some operating systems can be uniquely
identified by the window alone (for example, AIX is the only OS I
have seen which uses 0x3F25). In their "completely rewritten"
TCP stack for NT5, Microsoft uses 0x402E. Interestingly, that is
exactly the number used by OpenBSD and FreeBSD.
ACK Value -- Although you would think this would be completely
standard, implementations differ in what value they use for the
ACK field in some cases. For example, lets say you send a
FIN|PSH|URG to a closed TCP port. Most implementations will set
the ACK to be the same as your initial sequence number, though
Windows and some stupid printers will send your seq + 1. If you
send a SYN|FIN|URG|PSH to an open port, Windows is very
inconsistent. Sometimes it sends back your seq, other times it
sends S++, and still other times is sends back a seemingly random
value. One has to wonder what kind of code MS is writing that
changes its mind like this.
ICMP Error Message Quenching -- Some (smart) operating systems follow
the RFC 1812 suggestion to limit the rate at which various error
messages are sent. For example, the Linux kernel (in
net/ipv4/icmp.h) limits destination unreachable message generation
to 80 per 4 seconds, with a 1/4 second penalty if that is
exceeded. One way to test this is to send a bunch of packets to
some random high UDP port and count the number of unreachables
received. I have not seen this used before, and in fact I have
not added this to nmap (except for use in UDP port scanning).
This test would make the OS detection take a bit longer since you
need to send a bunch of packets and wait for them to return. Also
dealing with the possibility of packets dropped on the network
would be a pain.
ICMP Message Quoting -- The RFCs specify that ICMP error messages
quote some small amount of an ICMP message that causes various
errors. For a port unreachable message, almost all
implementations send only the required IP header + 8 bytes back.
However, Solaris sends back a bit more and Linux sends back even
more than that. The beauty with this is it allows nmap to
recognize Linux and Solaris hosts even if they don't have any
ports listening.
ICMP Error message echoing integrity -- I got this idea from something
Theo De Raadt (lead OpenBSD developer) posted to
comp.security.unix. As mentioned before, machines have to send
back part of your original message along with a port unreachable
error. Yet some machines tend to use your headers as 'scratch
space' during initial processing and so they are a bit warped by
the time you get them back. For example, AIX and BSDI send back an
IP 'total length' field that is 20 bytes too high. Some BSDI,
FreeBSD, OpenBSD, ULTRIX, and VAXen fuck up the IP ID that you sent
them. While the checksum is going to change due to the changed
TTL anyway, there are some machines (AIX, FreeBSD, etc.) which send
back an inconsistent or 0 checksum. Same thing goes with the UDP
checksum. All in all, nmap does nine different tests on the ICMP
errors to sniff out subtle differences like these.
Type of Service -- For the ICMP port unreachable messages I look at
the type of service (TOS) value of the packet sent back. Almost
all implementations use 0 for this ICMP error although Linux uses
0xC0. This does not indicate one of the standard TOS values, but instead is
part of the unused (AFAIK) precedence field. I do not know why
this is set, but if they change to 0 we will be able to keep
identifying the old versions _and_ we will be able to identify
between old and new.
Fragmentation Handling -- This is a favorite technique of Thomas
H. Ptacek of Secure Networks, Inc (now owned by a bunch of Windows
users at NAI). This takes advantage of the fact that different
implementations often handle overlapping IP fragments differently.
Some will overwrite the old portions with the new, and in other
cases the old stuff has precedence. There are many different
probes you can use to determine how the packet was reassembled. I
did not add this capability since I know of no portable way to send
IP fragments (in particular, it is a bitch on Solaris). For more
information on overlapping fragments, you can read their IDS paper
(www.secnet.com).
TCP Options -- These are truly a gold mine in terms of leaking
information. The beauty of these options is that:
1) They are generally optional (duh!) :) so not all hosts implement
them.
2) You know if a host implements them by sending a query with an
option set. The target generally show support of the option by
setting it on the reply.
3) You can stuff a whole bunch of options on one packet to test
everything at once.
Nmap sends these options along with almost every probe packet:
Window Scale=10; NOP; Max Segment Size = 265; Timestamp; End of Ops;
When you get your response, you take a look at which options were
returned and thus are supported. Some operating systems such as
recent FreeBSD boxes support all of the above, while others, such
as Linux 2.0.X support very few. The latest Linux 2.1.x kernels
do support all of the above. On the other hand, they are more
vulnerable to TCP sequence prediction. Go figure.
Even if several operating systems support the same set of options,
you can sometimes distinguish them by the _values_ of the options.
For example, if you send a small MSS value to a Linux box, it will
generally echo that MSS back to you. Other hosts will give you
different values.
And even if you get the same set of supported options AND the same
values, you can still differentiate via the _order_ that the
options are given, and where padding is applied. For example
Solaris returns 'NNTNWME' which means:
<no op><no op><timestamp><no op><window scale><echoed MSS>
While Linux 2.1.122 returns MENNTNW. Same options, same values,
but different order!
I have not seen any other OS detection tools utilizes TCP options,
but it is very useful.
There are a few other useful options I might probe for at some
point, such as those that support T/TCP and selective
acknowledgements.
Exploit Chronology -- Even with all the tests above, nmap is unable to
distinguish between the TCP stacks of Win95, WinNT, or Win98.
This is rather surprising, especially since Win98 came out about 4
years after Win95. You would think they would have bothered to
improve the stack in some way (like supporting more TCP options)
and so we would be able to detect the change and distinguish the
operating systems. Unfortunately, this is not the case. The NT
stack is apparently the same crappy stack they put into '95. And
they didn't bother to upgrade it for '98.
But do not give up hope, for there is a solution. You can simply
start with early Windows DOS attacks (Ping of Death, Winnuke, etc)
and move up a little further to attacks such as Teardrop and Land.
After each attack, ping them to see whether they have crashed.
When you finally crash them, you will likely have narrowed what
they are running down to one service pack or hotfix.
I have not added this functionality to nmap, although I must admit
it is very tempting :).
SYN Flood Resistance -- Some operating systems will stop accepting new
connections if you send too many forged SYN packets at them
(forging the packets avoids trouble with your kernel resetting the
connections). Many operating systems can only handle 8 packets.
Recent Linux kernels (among other operating systems) allow
various methods such as SYN cookies to prevent this from being a
serious problem. Thus you can learn something about your target
OS by sending 8 packets from a forged source to an open port and
then testing whether you can establish a connection to that port
yourself. This was not implemented in nmap since some people get
upset when you SYN flood them. Even explaining that you were
simply trying to determine what OS they are running might not help
calm them.
NMAP IMPLEMENTATION AND RESULTS
I have created a reference implementation of the OS detection
techniques mentioned above (except those I said were excluded). I
have added this to my Nmap scanner which has the advantage that it
already _knows_ what ports are open and closed for fingerprinting so
you do not have to tell it. It is also portable among Linux, *BSD,
and Solaris 2.51 and 2.6, and some other operating systems.
The new version of nmap reads a file filled with Fingerprint templates
that follow a simple grammar. Here is an example:
FingerPrint IRIX 6.2 - 6.4 # Thanks to Lamont Granquist
TSeq(Class=i800)
T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Lets look at the first line (I'm adding '>' quote markers):
> FingerPrint IRIX 6.2 - 6.3 # Thanks to Lamont Granquist
This simply says that the fingerprint covers IRIX versions 6.2 through
6.3 and the comment states that Lamont Granquist kindly sent me the IP
addresses or fingerprints of the IRIX boxes tested.
> TSeq(Class=i800)
This means that ISN sampling put it in the "i800 class". This means
that each new sequence number is a multiple of 800 greater than the
last one.
> T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
The test is named T1 (for test1, clever eh?). In this test we send a
SYN packet with a bunch of TCP options to an open port. DF=N means
that the "Don't fragment" bit of the response must not be set.
W=C000|EF2A means that the window advertisement we received must
be 0xC000 or EF2A. ACK=S++ means the acknowledgement we receive must
be our initial sequence number plus 1. Flags = AS means the ACK and
SYN flags were sent in the response. Ops = MNWNNT means the options
in the response must be (in this order):
<MSS (not echoed)><NOP><Window scale><NOP><NOP><Timestamp>
> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
Test 2 involves a NULL with the same options to an open port. Resp=Y
means we must get a response. Ops= means that there must not be any
options included in the response packet. If we took out '%Ops='
entirely then any options sent would match.
> T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AS%Ops=M)
Test 3 is a SYN|FIN|URG|PSH w/options to an open port.
> T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
This is an ACK to an open port. Note that we do not have a Resp=
here. This means that lack of a response (such as the packet being
dropped on the network or an evil firewall) will not disqualify a
match as long as all the other tests match. We do this because
virtually any OS will send a response, so a lack of response is
generally an attribute of the network conditions and not the OS
itself. We put the Resp tag in tests 2 and 3 because some operating
systems _do_ drop those without responding.
> T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
These tests are a SYN, ACK, and FIN|PSH|URG, respectively, to a closed
port. The same options as always are set. Of course this is all
probably obvious given the descriptive names 'T5', 'T6', and 'T7' :).
> PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
This big sucker is the 'port unreachable' message test. You should
recognize the DF=N by now. TOS=0 means that IP type of service field
was 0. The next two fields give the (hex) values of the IP total
length field of the message IP header and the total length given in
the IP header they are echoing back to us. RID=E means the RID value
we got back in the copy of our original UDP packet was expected (ie
the same as we sent). RIPCK=E means they didn't fuck up the checksum
(if they did, it would say RIPCK=F). UCK=E means the UDP checksum is
also correct. Next comes the UDP length which was 0x134 and DAT=E
means they echoed our UDP data correctly. Since most implementations
(including this one) do not send any of our UDP data back, they get
DAT=E by default.
The version of nmap with this functionality is currently in the 6th
private beta cycle. It may be out by the time you read this in
Phrack. Then again, it might not. See http://www.insecure.org/nmap/
for the latest version.
POPULAR SITE SNAPSHOTS
Here is the fun result of all our effort. We can now take random
Internet sites and determine what OS they are using. A lot of these
people have eliminated telnet banners, etc. to keep this information
private. But this is of no use with our new fingerprinter! Also
this is a good way to expose the <your favorite crap OS> users as the
lamers that they are :)!
The command used in these examples was: nmap -sS -p 80 -O -v <host>
Also note that most of these scans were done on 10/18/98. Some of
these folks may have upgraded/changed servers since then.
Note that I do not like every site on here.
# "Hacker" sites or (in a couple cases) sites that think they are
www.l0pht.com => OpenBSD 2.2 - 2.4
www.insecure.org => Linux 2.0.31-34
www.rhino9.ml.org => Windows 95/NT # No comment :)
www.technotronic.com => Linux 2.0.31-34
www.nmrc.org => FreeBSD 2.2.6 - 3.0
www.cultdeadcow.com => OpenBSD 2.2 - 2.4
www.kevinmitnick.com => Linux 2.0.31-34 # Free Kevin!
www.2600.com => FreeBSD 2.2.6 - 3.0 Beta
www.antionline.com => FreeBSD 2.2.6 - 3.0 Beta
www.rootshell.com => Linux 2.0.35 # Changed to OpenBSD after
# they got owned.
# Security vendors, consultants, etc.
www.repsec.com => Linux 2.0.35
www.iss.net => Linux 2.0.31-34
www.checkpoint.com => Solaris 2.5 - 2.51
www.infowar.com => Win95/NT
# Vendor loyalty to their OS
www.li.org => Linux 2.0.35 # Linux International
www.redhat.com => Linux 2.0.31-34 # I wonder what distribution :)
www.debian.org => Linux 2.0.35
www.linux.org => Linux 2.1.122 - 2.1.126
www.sgi.com => IRIX 6.2 - 6.4
www.netbsd.org => NetBSD 1.3X
www.openbsd.org => Solaris 2.6 # Ahem :)
www.freebsd.org => FreeBSD 2.2.6-3.0 Beta
# Ivy league
www.harvard.edu => Solaris 2.6
www.yale.edu => Solaris 2.5 - 2.51
www.caltech.edu => SunOS 4.1.2-4.1.4 # Hello! This is the 90's :)
www.stanford.edu => Solaris 2.6
www.mit.edu => Solaris 2.5 - 2.51 # Coincidence that so many good
# schools seem to like Sun?
# Perhaps it is the 40%
# .edu discount :)
www.berkeley.edu => UNIX OSF1 V 4.0,4.0B,4.0D
www.oxford.edu => Linux 2.0.33-34 # Rock on!
# Lamer sites
www.aol.com => IRIX 6.2 - 6.4 # No wonder they are so insecure :)
www.happyhacker.org => OpenBSD 2.2-2.4 # Sick of being owned, Carolyn?
# Even the most secure OS is
# useless in the hands of an
# incompetent admin.
# Misc
www.lwn.net => Linux 2.0.31-34 # This Linux news site rocks!
www.slashdot.org => Linux 2.1.122 - 2.1.126
www.whitehouse.gov => IRIX 5.3
sunsite.unc.edu => Solaris 2.6
Notes: In their security white paper, Microsoft said about their lax
security: "this assumption has changed over the years as Windows NT
gains popularity largely because of its security features.". Hmm,
from where I stand it doesn't look like Windows is very popular among
the security community :). I only see 2 Windows boxes from the whole
group, and Windows is _easy_ for nmap to distinguish since it is so
broken (standards wise).
And of course, there is one more site we must check. This is the web
site of the ultra-secret Transmeta corporation. Interestingly the
company was funded largely by Paul Allen of Microsoft, but it employs
Linus Torvalds. So do they stick with Paul and run NT or do they side
with the rebels and join the Linux revolution? Let us see:
We use the command:
nmap -sS -F -o transmeta.log -v -O www.transmeta.com/24
This says SYN scan for known ports (from /etc/services), log the
results to 'transmeta.log', be verbose about it, do an OS scan, and
scan the class 'C' where www.transmeta.com resides. Here is the gist
of the results:
neon-best.transmeta.com (206.184.214.10) => Linux 2.0.33-34
www.transmeta.com (206.184.214.11) => Linux 2.0.30
neosilicon.transmeta.com (206.184.214.14) => Linux 2.0.33-34
ssl.transmeta.com (206.184.214.15) => Linux unknown version
linux.kernel.org (206.184.214.34) => Linux 2.0.35
www.linuxbase.org (206.184.214.35) => Linux 2.0.35 ( possibly the same
machine as above )
Well, I think this answers our question pretty clearly :).
ACKNOWLEDGEMENTS
The only reason Nmap is currently able to detect so many different
operating systems is that many people on the private beta team went to
a lot of effort to search out new and exciting boxes to fingerprint!
In particular, Jan Koum, van Hauser, Dmess0r, David O'Brien, James
W. Abendschan, Solar Designer, Chris Wilson, Stuart Stock, Mea Culpa,
Lamont Granquist, Dr. Who, Jordan Ritter, Brett Eldridge, and Pluvius
sent in tons of IP addresses of wacky boxes and/or fingerprints of
machines not reachable through the Internet.
Thanks to Richard Stallman for writing GNU Emacs. This article would
not be so well word-wrapped if I was using vi or cat and ^D.
Questions and comments can be sent to fyodor@insecure.org (if that doesn't
work for some reason, use fyodor@insecure.org). Nmap can be obtained
from http://www.insecure.org/nmap .

39
docs/nmap.1
View File

@@ -2,7 +2,7 @@
.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
.\" Instead of manually editing it, you probably should edit the DocBook XML
.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
.TH "NMAP" "1" "07/04/2007" "" "Nmap Reference Guide"
.TH "NMAP" "1" "07/07/2007" "" "Nmap Reference Guide"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -40,9 +40,9 @@ In addition to the interesting ports table, Nmap can provide further information
.PP
A typical Nmap scan is shown in
Example\ 14.1, \(lqA representative Nmap scan\(rq. The only Nmap arguments used in this example are
\fB\-A\fR, to enable OS and version detection,
\fB\-A\fR, to enable OS and version detection, script scanning, and traceroute;
\fB\-T4\fR
for faster execution, and then the two target hostnames.
for faster execution; and then the two target hostnames.
Example\ 14.1.\ A representative Nmap scan.sp
.nf
# nmap \-A \-T4 scanme.nmap.org playground
@@ -118,7 +118,6 @@ SCAN TECHNIQUES:
\-sO: IP protocol scan
\-b <ftp relay host>: FTP bounce scan
\-\-traceroute: Trace hop path to each host
\-\-reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
\-p <port ranges>: Only scan specified ports
Ex: \-p22; \-p1\-65535; \-p U:53,111,137,T:21\-25,80,139,8080
@@ -180,7 +179,7 @@ OUTPUT:
\-\-no\-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
\-6: Enable IPv6 scanning
\-A: Enables OS detection, Version detection, Script scanning and Traceroute
\-A: Enables OS detection and Version detection
\-\-datadir <dirname>: Specify custom Nmap data file location
\-\-send\-eth/\-\-send\-ip: Send using raw ethernet frames or IP packets
\-\-privileged: Assume that the user is fully privileged
@@ -383,7 +382,7 @@ Traceroutes are performed post\-scan using information from the scan results to
Traceroute works by sending packets with a low TTL (time\-to\-live) in an attempt to illicit ICMP TTL_EXCCEDED messages from intermediate hops between the scanner and the target host. Standard traceroute implementation start with a TTL of 1 and increment the TTL until the destination host is reached. Nmap's traceroute starts with a high TTL and then decrements the TTL until it reaches 0. Doing it backwards lets nmap employ clever caching algorithms to speed up traces over multiple hosts. On average nmap sends 5\-10 fewer packets per host, depending on network conditions. If a single subnet is being scanned (i.e. 192.168.0.0/24) nmap may only have to send a single packet to most hosts.
.TP
\fB\-\-reason\fR (Host and port state reasons)
Shows the reason each port is set to a specific state and the reason each host is up or down. This option displays the type of the packet that determined a port or hosts state. For example, A RST packet from a closed port or an echo reply from an alive host. The information nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping (\fB\-sS and -PT\fR) are very detailed. Whilst the TCP connect scan and ping (\fB\-sT\fR) are limited by the implementation of connect(). This feature is automatically enabled by the debug flag (\fB\-d\fR) and the results are stored in XML log files even if this option is not specified.
Shows the reason each port is set to a specific state and the reason each host is up or down. This option displays the type of the packet that determined a port or hosts state. For example, A RST packet from a closed port or an echo reply from an alive host. The information nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping (\fB\\\-sS and \-PT\fR) are very detailed. Whilst the TCP connect scan and ping (\fB\\\-sT\fR) are limited by the implementation of connect(). This feature is automatically enabled by the debug flag (\fB\\\-d\fR) and the results are stored in XML log files even if this option is not specified.
.TP
\fB\-n\fR (No DNS resolution)
Tells Nmap to
@@ -664,6 +663,15 @@ and at least one TCP scan type (such as
\fB\-sS\fR,
\fB\-sF\fR, or
\fB\-sT\fR). If no protocol qualifier is given, the port numbers are added to all protocol lists.
Ports can also be specified by name according to what the port is referred to in the
\fInmap\-services\fR. You can even use the wildcards * and ? with the names. For example, to scan ftp and all ports whose names begin with http, use
\fB\-p ftp,http*\fR. Be careful about shell expansions and quote the argument to \-p if unsure.
.sp
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in
\fInmap\-services\fR. For example, the following will scan all ports in
\fInmap\-services\fR
equal to or below 1024:
\fB\-p [\-1024]\fR. Be careful with shell expansions and quote the argument to \-p if unsure.
.TP
\fB\-F\fR (Fast (limited port) scan)
Specifies that you only wish to scan for ports listed in the
@@ -681,6 +689,20 @@ options.
By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify
\fB\-r\fR
for sequential port scanning instead.
.TP
\fB\-\-port\-ratio <decimal number between 0 and 1>\fR
Scans all ports in
\fInmap\-services\fR
file with a ratio greater than the number specified as the argument. (new format
\fInmap\-services\fR
only.)
.TP
\fB\-\-top\-ports <integer of 1 or greater>\fR
Scans the N highest\-ratio ports found in
\fInmap\-services\fR
file. (new format
\fInmap\-services\fR
only.)
.SH "SERVICE AND VERSION DETECTION"
.PP
Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its
@@ -706,8 +728,7 @@ Version detection is enabled and controlled with the following options:
.TP
\fB\-sV\fR (Version detection)
Enables version detection, as discussed above. Alternatively, you can use
\fB\-A\fR
to enable both OS detection and version detection.
\fB\-A\fR, which enables version detection among other things.
.TP
\fB\-\-allports\fR (Don't exclude any ports from version detection)
By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP get requests, binary SSL session requests, etc. This behavior can be changed by modifying or removing the
@@ -766,7 +787,7 @@ OS detection is enabled and controlled with the following options:
\fB\-O\fR (Enable OS detection)
Enables OS detection, as discussed above. Alternatively, you can use
\fB\-A\fR
to enable both OS detection and version detection. 2nd generation OS detection is tried first. If that fails, Nmap will either print out the host fingerprint and ask you to submit it (if you are certain about what the target host is running), or Nmap will fall back to the 1st generation OS detection system in case its larger database has a match.
to enable OS detection along with other things. 2nd generation OS detection is tried first. If that fails, Nmap will either print out the host fingerprint and ask you to submit it (if you are certain about what the target host is running), or Nmap will fall back to the 1st generation OS detection system in case its larger database has a match.
.TP
\fB\-O2\fR (2nd Generation OS Detection Only)
Enables 2nd generation OS detection, but never falls back to the old (1st generation) system, even if it fails to find any match. This saves time and can reduce the number of packets sent to each target.

371
docs/nmap.deprecated.txt
View File

@@ -1,371 +0,0 @@
.oO Phrack 51 Oo.
Volume Seven, Issue Fifty One
xx of xx
The Art of Port Scanning
by Fyodor (fyodor@insecure.org)
[ Abstract ]
This paper details many of the techniques used to determine what ports (or
similar protocol abstraction) of a host are listening for connections. These
ports represent potential communication channels. Mapping their existence
facilitates the exchange of information with the host, and thus it is quite
useful for anyone wishing to explore their networked environment, including
hackers. Despite what you have heard from the media, the Internet is NOT
all about TCP port 80. Anyone who relies exclusively on the WWW for
information gathering is likely to gain the same level of proficiency as your
average AOLer, who does the same. This paper is also meant to serve as an
introduction to and ancillary documentation for a coding project I have been
working on. It is a full featured, robust port scanner which (I hope) solves
some of the problems I have encountered when dealing with other scanners and
when working to scan massive networks. The tool, nmap, supports the following:
- vanilla TCP connect() scanning,
- TCP SYN (half open) scanning,
- TCP FIN (stealth) scanning,
- TCP ftp proxy (bounce attack) scanning
- SYN/FIN scanning using IP fragments (bypasses packet filters),
- UDP recvfrom() scanning,
- UDP raw ICMP port unreachable scanning,
- ICMP scanning (ping-sweep), and
- reverse-ident scanning.
The freely distributable source code is appended to this paper.
[ Introduction ]
Scanning, as a method for discovering exploitable communication channels, has
been around for ages. The idea is to probe as many listeners as possible, and
keep track of the ones which are receptive or useful to your particular need.
Much of the field of advertising is based on this paradigm, and the "to current
resident" brute force style of bulk mail is an almost perfect parallel to what
we will discuss. Just stick a message in every mailbox and wait for the
responses to trickle back.
Scanning entered the h/p world along with the phone systems. Here we have this
tremendous global telecommunications network, all reachable through codes on
our telephone. Millions of numbers are reachable locally, yet we may only
be interested in 0.5% of these numbers, perhaps those that answer with a
carrier.
The logical solution to finding those numbers that interest us is to try them
all. Thus the field of "wardialing" arose. Excellent programs like Toneloc
were developed to facilitate the probing of entire exchanges and more. The
basic idea is simple. If you dial a number and your modem gives you a CONNECT,
you record it. Otherwise the computer hangs up and tirelessly dials the next
one.
While wardialing is still useful, we are now finding that many of the computers
we wish to communicate with are connected through networks such as the Internet
rather than analog phone dialups. Scanning these machines involves the same
brute force technique. We send a blizzard of packets for various protocols,
and we deduce which services are listening from the responses we receive (or
don't receive).
[ Techniques ]
Over time, a number of techniques have been developed for surveying the
protocols and ports on which a target machine is listening. They all offer
different benefits and problems. Here is a line up of the most common:
- TCP connect() scanning : This is the most basic form of tcp scanning. The
connect() system call provided by your operating system is used to open a
connection to every interesting port on the machine. If the port is listening,
connect() will succeed, otherwise the port isn't reachable. One strong
advantage to this technique is that you don't need any special privileges. Any
user on most UNIX boxes is free to use this call. Another advantage is speed.
While making a separate connect() call for every targeted port in a linear
fashion would take ages over a slow connection, you can hasten the scan by
using many sockets in parallel. Using non-blocking I/O allows you to set a low
time-out period and watch all the sockets at once. This is the fastest
scanning method supported by nmap, and is available with the -t (TCP) option.
The big downside is that this sort of scan is easily detectable and filterable.
The target hosts logs will show a bunch of connection and error messages for
the services which take the connection and then have it immediately shutdown.
- TCP SYN scanning : This technique is often referred to as "half-open"
scanning, because you don't open a full TCP connection. You send a SYN packet,
as if you are going to open a real connection and wait for a response. A
SYN|ACK indicates the port is listening. A RST is indicative of a non-
listener. If a SYN|ACK is received, you immediately send a RST to tear down
the connection (actually the kernel does this for us). The primary advantage
to this scanning technique is that fewer sites will log it. Unfortunately you
need root privileges to build these custom SYN packets. SYN scanning is the -s
option of nmap.
- TCP FIN scanning : There are times when even SYN scanning isn't clandestine
enough. Some firewalls and packet filters watch for SYNs to an unallowed port,
and programs like synlogger and courtney are available to detect these scans.
FIN packets, on the other hand, may be able to pass through unmolested. This
scanning technique was featured in detail by Uriel Maimon in Phrack 49, article
15. The idea is that closed ports tend to reply to your FIN packet with the
proper RST. Open ports, on the other hand, tend to ignore the packet in
question. This is a bug in TCP implementations and so it isn't 100% reliable
(some systems, notably Micro$oft boxes, seem to be immune). It works well on
most other systems I've tried. FIN scanning is the -U (Uriel) option of nmap.
- Fragmentation scanning : This is not a new scanning method in and of itself,
but a modification of other techniques. Instead of just sending the probe
packet, you break it into a couple of small IP fragments. You are splitting
up the TCP header over several packets to make it harder for packet filters
and so forth to detect what you are doing. Be careful with this! Some
programs have trouble handling these tiny packets. My favorite sniffer
segmentation faulted immediately upon receiving the first 36-byte fragment.
After that comes a 24 byte one! While this method won't get by packet filters
and firewalls that queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG
option in Linux), a lot of networks can't afford the performance hit this
causes. This feature is rather unique to scanners (at least I haven't seen
any others that do this). Thanks to daemon9 for suggesting it. The -f
instructs the specified SYN or FIN scan to use tiny fragmented packets.
- TCP reverse ident scanning : As noted by Dave Goldsmith in a 1996 Bugtraq
post, the ident protocol (rfc1413) allows for the disclosure of the username of
the owner of any process connected via TCP, even if that process didn't
initiate the connection. So you can, for example, connect to the http port
and then use identd to find out whether the server is running as root. This
can only be done with a full TCP connection to the target port (ie the -t
option). nmap's -i option queries identd for the owner of all listen()ing
ports.
- FTP bounce attack : An interesting "feature" of the ftp protocol (RFC 959) is
support for "proxy" ftp connections. In other words, I should be able to
connect from evil.com to the FTP server-PI (protocol interpreter) of target.com
to establish the control communication connection. Then I should be able to
request that the server-PI initiate an active server-DTP (data transfer
process) to send a file ANYWHERE on the internet! Presumably to a User-DTP,
although the rfc specifically states that asking one server to send a file to
another is OK. Now this may have worked well in 1985, when the rfc was
written. But nowadays, we can't have people hijacking ftp servers and
requesting that data be spit out to arbitrary points on the internet. As
*Hobbit* wrote back in 1995, this protocol flaw "can be used to post virtually
untraceable mail and news, hammer on servers at various sites, fill up disks,
try to hop firewalls, and generally be annoying and hard to track down at the
same time." What we will exploit this for is to (surprise, surprise) scan TCP
ports from a "proxy" ftp server. Thus you could connect to an ftp server
behind a firwall, and then scan ports that are more likely to be blocked (139
is a good one). If the ftp server allows reading from and writing to a
directory (such as /incoming), you can send arbitrary data to ports that you do
find open.
For port scanning, our technique is to use the PORT command to declare that
our passive "User-DTP" is listening on the target box at a certain port number.
Then we try to LIST the current directory, and the result is sent over the
Server-DTP channel. If our target host is listening on the specified port, the
transfer will be successful (generating a 150 and a 226 response). Otherwise
we will get "425 Can't build data connection: Connection refused." Then we
issue another PORT command to try the next port on the target host. The
advantages to this approach are obvious (harder to trace, potential to bypass
firewalls). The main disadvantages are that it is slow, and that some FTP
servers have finally got a clue and disabled the proxy "feature". For what it
is worth, here is a list of benners from sites where it does/doesn't work:
*Bounce attacks worked:*
220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.
220 xxx.xxx.xxx.edu FTP server ready.
220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.
220 lem FTP server (SunOS 4.1) ready.
220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.
220 elios FTP server (SunOS 4.1) ready
*Bounce attack failed:*
220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7
220 ftp Microsoft FTP Service (Version 3.0).
220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.
220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.
The 'x's are partly there to protect those guilty of running a flawed server,
but mostly just to make the lines fit in 80 columns. Same thing with the
ellipse points. The bounce attack is avalable with the -b <proxy_server>
option of nmap. proxy_server can be specified in standard URL format,
username:password@server:port , with everything but server being optional.
- UDP ICMP port unreachable scanning : This scanning method varies from the
above in that we are using the UDP protocol instead of TCP. While this
protocol is simpler, scanning it is actually significantly more difficult.
This is because open ports don't have to send an acknowledgement in response to
our probe, and closed ports aren't even required to send an error packet.
Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a
packet to a closed UDP port. Thus you can find out if a port is NOT open, and
by exclusion determine which ports which are. Neither UDP packets, nor the
ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also
implement retransmission of packets that appear to be lost (or you will get a
bunch of false positives). Also, this scanning technique is slow because of
compensation for machines that took RFC 1812 section 4.3.2.8 to heart and limit
ICMP error message rate. For example, the Linux kernel (in net/ipv4/icmp.h)
limits destination unreachable message generation to 80 per 4 seconds, with a
1/4 second penalty if that is exceeded. At some point I will add a better
algorithm to nmap for detecting this. Also, you will need to be root for
access to the raw ICMP socket necessary for reading the port unreachable. The
-u (UDP) option of nmap implements this scanning method for root users.
Some people think UDP scanning is lame and pointless. I usually remind them of
the recent Solaris rcpbind hole. Rcpbind can be found hiding on an
undocumented UDP port somewhere above 32770. So it doesn't matter that 111 is
blocked by the firewall. But can you find which of the more than 30,000 high
ports it is listening on? With a UDP scanner you can!
- UDP recvfrom() and write() scanning : While non-root users can't read
port unreachable errors directly, Linux is cool enough to inform the user
indirectly when they have been received. For example a second write()
call to a closed port will usually fail. A lot of scanners such as netcat
and Pluvius' pscan.c do this. I have also noticed that recvfrom() on
non-blocking UDP sockets usually return EAGAIN ("Try Again", errno 13) if
the ICMP error hasn't been received, and ECONNREFUSED ("Connection refused",
errno 111) if it has. This is the technique used for determining open ports
when non-root users use -u (UDP). Root users can also use the -l (lamer
UDP scan) options to force this, but it is a really dumb idea.
- ICMP echo scanning : This isn't really port scanning, since ICMP doesn't have
a port abstraction. But it is sometimes useful to determine what hosts in a
network are up by pinging them all. the -P option does this. Also you might
want to adjust the PING_TIMEOUT #define if you are scanning a large
network. nmap supports a host/bitmask notation to make this sort of thing
easier. For example 'nmap -P cert.org/24 152.148.0.0/16' would scan CERT's
class C network and whatever class B entity 152.148.* represents. Host/26 is
useful for 6-bit subnets within an organization.
[ Features ]
Prior to writing nmap, I spent a lot of time with other scanners exploring the
Internet and various private networks (note the avoidance of the "intranet"
buzzword). I have used many of the top scanners available today, including
strobe by Julian Assange, netcat by *Hobbit*, stcp by Uriel Maimon, pscan by
Pluvius, ident-scan by Dave Goldsmith, and the SATAN tcp/udp scanners by
Wietse Venema. These are all excellent scanners! In fact, I ended up hacking
most of them to support the best features of the others. Finally I decided
to write a whole new scanner, rather than rely on hacked versions of a dozen
different scanners in my /usr/local/sbin. While I wrote all the code, nmap
uses a lot of good ideas from its predecessors. I also incorporated some new
stuff like fragmentation scanning and options which were on my "wish list" for
other scanners. Here are some of the (IMHO) useful features of nmap:
- dynamic delay time calculations: Some scanners require that you supply a
delay time between sending packets. Well how should I know what to use?
Sure, I can ping them, but that is a pain, and plus the response time of many
hosts changes dramatically when they are being flooded with requests. nmap
tries to determine the best delay time for you. It also tries to keep track
of packet retransmissions, etc. so that it can modify this delay time during
the course of the scan. For root users, the primary technique for finding an
initial delay is to time the internal "ping" function. For non-root users, it
times an attempted connect() to a closed port on the target. It can also pick
a reasonable default value. Again, people who want to specify a delay
themselves can do so with -w (wait), but you shouldn't have to.
- retransmission: Some scanners just send out all the query packets, and
collect the responses. But this can lead to false positives or negatives in
the case where packets are dropped. This is especially important for
"negative" style scans like UDP and FIN, where what you are looking for is a
port that does NOT respond. In most cases, nmap implements a configurable
number of retransmissions for ports that don't respond.
- parallel port scanning: Some scanners simply scan ports linearly, one at a
time, until they do all 65535. This actually works for TCP on a very fast
local network, but the speed of this is not at all acceptable on a wide area
network like the Internet. nmap uses non-blocking i/o and parallel scanning
in all TCP and UDP modes. The number of scans in parallel is configurable
with the -M (Max sockets) option. On a very fast network you will actually
decrease performance if you do more than 18 or so. On slow networks, high
values increase performance dramatically.
- Flexible port specification: I don't always want to just scan all 65535
ports. Also, the scanners which only allow you to scan ports 1 - N sometimes
fall short of my need. The -p option allows you to specify an arbitrary
number of ports and ranges for scanning. For example, '-p 21-25,80,113,
60000-' does what you would expect (a trailing hyphen means up to 65536, a
leading hyphen means 1 through). You can also use the -F (fast) option, which
scans all the ports registered in your /etc/services (a la strobe).
- Flexible target specification: I often want to scan more then one host,
and I certainly don't want to list every single host on a large network to
scan. Everything that isn't an option (or option argument) in nmap is
treated as a target host. As mentioned before, you can optionally append
/mask to a hostname or IP address in order to scan all hosts with the same
initial <mask> bits of the 32 bit IP address.
- detection of down hosts: Some scanners allow you to scan large networks, but
they waste a huge amount of time scanning 65535 ports of a dead host! By
default, nmap pings each host to make sure it is up before wasting time on it.
It is also capable of bailing on hosts which seem down based on strange port
scanning errors. It is also meant to be tolerant of people who accidently scan
network addresses, broadcast addresses, etc.
- detection of your IP address: For some reason, a lot of scanners ask you to
type in your IP address as one of the parameters. Jeez, I don't want to have
to 'ifconfig' and figure out my current address every time I scan. Of course,
this is better then the scanners I've seen which require recompilation every
time you change your address! nmap first tries to detect your address during
the ping stage. It uses the address that the echo response is received on, as
that is the interface it should almost always be routed through. If it can't
do this (like if you don't have host pinging enabled), nmap tries to detect
your primary interface and uses that address. You can also use -S to specify
it directly, but you shouldn't have to (unless you want to make it look like
someone ELSE is SYN or FIN scanning a host.
Some other, more minor options:
-v (verbose): This is highly recommended for interactive use. Among other
useful messages, you will see ports come up as they are found, rather than
having to wait for the sorted summary list.
-r (randomize): This will randomize the order in which the target host's
ports are scanned.
-q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default).
It also eliminates all other arguments, so you won't look too suspicious in
'w' or 'ps' listings.
-h for an options summary.
Also look for http://www.insecure.org/nmap/, which is the web site I plan to
put future versions and more information on. In fact, you would be well
advised to check there right now.
[ Greets ]
Of course this paper would not be complete without a shout out to all the
people who made it possible.
* Congratulations to the people at Phrack for getting this thing going again!
* Greets to the whole dc-stuff crew.
* Greets to the STUPH, Turntec, L0pht, TACD, the Guild, cDc, and all the other
groups who help keep the scene alive.
* Shout out to _eci for disclosing the coolest Windows bug in recent history.
* Thanks to the Data Haven Project (dhp.com) admins for providing such great
service for $10/month.
* And a special shout out goes to all my friends. You know who
you are and some of you (wisely) stay out of the spotlight, so I'll keep you
anonymous ... except of course for Ken and Jay, and Avenger, Grog, Cash
Monies, Ethernet Kid, Zos, JuICe, Mother Prednisone, and Karen.
And finally, we get to ...
[ The code ]
This should compile fine on any Linux box with 'gcc -O6 -o nmap nmap.c -lm'.
It is distrubuted under the terms of the GNU GENERAL PUBLIC LICENSE. If you
have problems or comments, feel free to mail me (fyodor@insecure.org).

2
docs/nmap.usage.txt
View File

@@ -89,7 +89,7 @@ OUTPUT:
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection, Version detection, Script scanning and Traceroute
-A: Enables OS detection and Version detection, Script scanning and Traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged

449
docs/nmap_doc.html
View File

@@ -1,449 +0,0 @@
<HTML>
<HEAD>
<TITLE>Nmap: The Art of Port Scanning</TITLE>
</HEAD>
<BODY BGCOLOR="#2A0D45" TEXT="#ffffff" LINK="#ff0000" ALINK="#00ff00" VLINK="#ff0000">
<H1><CENTER>The Art of Port Scanning</CENTER></H1>
<CENTER><H1>by Fyodor <A HREF="mailto:fyodor@insecure.org">&lt;fyodor@insecure.org&gt;</A></H1></CENTER>
<CENTER>(Last significant update: Sat Sep 6 03:24:53 GMT 1997)</CENTER>
<BR><BR>
<H1>Warning, the interface to nmap has changed a bit and so not all the flags and options mentioned in this paper are still accurate. The authoritative documentation is now the man page (<A HREF="nmap_manpage.html">html version</A>). This article still contains a lot of information on port scanning though and so I recommend that nmap users read it.</H1>
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Abstract</TH></TR></TABLE>
<P>This paper details many of the techniques used to determine what ports (or
similar protocol abstraction) of a host are listening for connections. These
ports represent potential communication channels. Mapping their existence
facilitates the exchange of information with the host, and thus it is quite
useful for anyone wishing to explore their networked environment, including
hackers. Despite what you have heard from the media, the Internet is NOT
all about TCP port 80. Anyone who relies exclusively on the WWW for
information gathering is likely to gain the same level of proficiency as your
average AOLer, who does the same. This paper is also meant to serve as an
introduction to and ancillary documentation for a coding project I have been
working on. It is a full featured, robust port scanner which (I hope) solves
some of the problems I have encountered when dealing with other scanners and
when working to scan massive networks. The tool, nmap, supports the following:
<BR><BR>
<UL>
<LI><A HREF="#connect">Vanilla TCP connect() scanning</A>,
<LI><A HREF="#syn">TCP SYN (half open) scanning</A>,
<LI><A HREF="#fin">TCP FIN (stealth) scanning</A>,
<LI><A HREF="#bounce">TCP ftp proxy (bounce attack) scanning</A>,
<LI><A HREF="#frag">SYN/FIN scanning using IP fragments (bypasses packet filters)</A>,
<LI><A HREF="#recvfrom">UDP recvfrom() scanning</A>,
<LI><A HREF="#port_unreach">UDP raw ICMP port unreachable scanning</A>,
<LI><A HREF="#icmp">ICMP scanning (ping-sweep)</A>, and
<LI><A HREF="#ident">Reverse-ident scanning</A>.
</UL>
<BR><BR>
The freely distributable source code is available at <A HREF="http://www.insecure.org/nmap/">http://www.insecure.org/nmap/</A>
<BR><BR>
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH
ALIGN="CENTER">Introduction</TH></TR></TABLE>
<P>Scanning, as a method for discovering exploitable communication channels, has
been around for ages. The idea is to probe as many listeners as possible, and
keep track of the ones that are receptive or useful to your particular need.
Much of the field of advertising is based on this paradigm, and the "to current
resident" brute force style of bulk mail is an almost perfect parallel to what
we will discuss. Just stick a message in every mailbox and wait for the
responses to trickle back.
<P>Scanning entered the h/p world along with the phone systems. Here
we have this tremendous global telecommunications network, all
reachable through codes on our telephone. Millions of numbers are
reachable locally, yet we may only be interested in 0.5% of these
numbers, perhaps those that answer with a carrier.
<P>The logical solution to finding those numbers that interest us is
to try them all. Thus the field of "wardialing" arose. Excellent
programs like Toneloc were developed to facilitate the probing of
entire exchanges and more. The basic idea is simple. If you dial a
number and your modem gives you a CONNECT, you record it. Otherwise
the computer hangs up and tirelessly dials the next one.
<P>While wardialing is still useful, we are now finding that many of
the computers we wish to communicate with are connected through
networks such as the Internet rather than analog phone dialups.
Scanning these machines involves the same brute force technique. We
send a blizzard of packets for various protocols, and we deduce which
services are listening from the responses we receive (or don't
receive).
<BR><BR>
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Techniques</TH></TR></TABLE>
<P>Over time, a number of techniques have been developed for surveying the
protocols and ports on which a target machine is listening. They all offer
different benefits and problems. Here is a line up of the most common:<BR><BR>
<UL>
<LI><A NAME="connect">TCP connect() scanning : This is the most basic
form of TCP scanning. The connect() system call provided by your
operating system is used to open a connection to every interesting
port on the machine. If the port is listening, connect() will
succeed, otherwise the port isn't reachable. One strong advantage to
this technique is that you don't need any special privileges. Any
user on most UNIX boxes is free to use this call. Another advantage
is speed. While making a separate connect() call for every targeted
port in a linear fashion would take ages over a slow connection, you
can hasten the scan by using many sockets in parallel. Using
non-blocking I/O allows you to set a low time-out period and watch all
the sockets at once. This is the fastest scanning method supported by
nmap, and is available with the -t (TCP) option. The big downside is
that this sort of scan is easily detectable and filterable. The
target hosts logs will show a bunch of connection and error messages
for the services which take the connection and then have it
immediately shutdown.<BR><BR>
<LI><A NAME="syn">TCP SYN scanning : This technique is often referred
to as "half-open" scanning, because you don't open a full TCP
connection. You send a SYN packet, as if you are going to open a real
connection and wait for a response. A SYN|ACK indicates the port is
listening. A RST is indicative of a non- listener. If a SYN|ACK is
received, you immediately send a RST to tear down the connection
(actually the kernel does this for us). The primary advantage to this
scanning technique is that fewer sites will log it. Unfortunately you
need root privileges to build these custom SYN packets. SYN scanning
is the -s option of nmap.<BR><BR>
<LI><A NAME="fin">TCP FIN scanning : There are times when even SYN
scanning isn't clandestine enough. Some firewalls and packet filters
watch for SYNs to restricted ports, and programs like synlogger and
Courtney are available to detect these scans. FIN packets, on the
other hand, may be able to pass through unmolested. This scanning
technique was featured in detail by Uriel Maimon in Phrack 49, article
15. The idea is that closed ports tend to reply to your FIN packet
with the proper RST. Open ports, on the other hand, tend to ignore
the packet in question. As Alan Cox has pointed out, this is required
TCP behavior. However, some systems (notably Micro$oft boxes), are
broken in this regard. They send RST's regardless of the port state,
and thus they aren't vulnerable to this type of scan. It works well
on most other systems I've tried. Actually, it is often useful to
discriminate between a *NIX and NT box, and this can be used to do
that. FIN scanning is the -U (Uriel) option of nmap.<BR><BR>
<LI><A NAME="frag">Fragmentation scanning : This is not a new scanning
method in and of itself, but a modification of other techniques.
Instead of just sending the probe packet, you break it into a couple
of small IP fragments. You are splitting up the TCP header over
several packets to make it harder for packet filters and so forth to
detect what you are doing. Be careful with this! Some programs have
trouble handling these tiny packets. My favorite sniffer segmentation
faulted immediately upon receiving the first 36-byte fragment. After
that comes a 24 byte one! While this method won't get by packet
filters and firewalls that queue all IP fragments (like the
CONFIG_IP_ALWAYS_DEFRAG option in Linux), a lot of networks can't
afford the performance hit this causes. This feature is rather unique
to scanners (at least I haven't seen any others that do this). Thanks
to daemon9 for suggesting it. The -f instructs the specified SYN or
FIN scan to use tiny fragmented packets.<BR><BR>
<LI><A NAME="ident">TCP reverse ident scanning : As noted by Dave
Goldsmith in a 1996 Bugtraq post, the ident protocol (rfc1413) allows
for the disclosure of the username of the owner of any process
connected via TCP, even if that process didn't initiate the
connection. So you can, for example, connect to the http port and
then use identd to find out whether the server is running as root.
This can only be done with a full TCP connection to the target port
(i.e. the -t option). nmap's -i option queries identd for the owner
of all listen()ing ports.<BR><BR>
<LI><A NAME="bounce">FTP bounce attack : An interesting "feature" of
the ftp protocol (RFC 959) is support for "proxy" ftp connections. In
other words, I should be able to connect from evil.com to the FTP
server-PI (protocol interpreter) of target.com to establish the
control communication connection. Then I should be able to request
that the server-PI initiate an active server-DTP (data transfer
process) to send a file ANYWHERE on the internet! Presumably to a
User-DTP, although the RFC specifically states that asking one server
to send a file to another is OK. Now this may have worked well in
1985 when the RFC was just written. But nowadays, we can't have
people hijacking ftp servers and requesting that data be spit out to
arbitrary points on the internet. As *Hobbit* wrote back in 1995,
this protocol flaw "can be used to post virtually untraceable mail and
news, hammer on servers at various sites, fill up disks, try to hop
firewalls, and generally be annoying and hard to track down at the
same time." What we will exploit this for is to (surprise, surprise)
scan TCP ports from a "proxy" ftp server. Thus you could connect to
an ftp server behind a firewall, and then scan ports that are more
likely to be blocked (139 is a good one). If the ftp server allows
reading from and writing to a directory (such as /incoming), you can
send arbitrary data to ports that you do find open.
<P>For port scanning, our technique is to use the PORT command to declare that
our passive "User-DTP" is listening on the target box at a certain port number.
Then we try to LIST the current directory, and the result is sent over the
Server-DTP channel. If our target host is listening on the specified port, the
transfer will be successful (generating a 150 and a 226 response). Otherwise
we will get "425 Can't build data connection: Connection refused." Then we
issue another PORT command to try the next port on the target host. The
advantages to this approach are obvious (harder to trace, potential to bypass
firewalls). The main disadvantages are that it is slow, and that some FTP
servers have finally got a clue and disabled the proxy "feature". For what it
is worth, here is a list of banners from sites where it does/doesn't work:
<P>*Bounce attacks worked:*<BR><BR>
<PRE>
220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.
220 xxx.xxx.xxx.edu FTP server ready.
220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.
220 lem FTP server (SunOS 4.1) ready.
220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.
220 elios FTP server (SunOS 4.1) ready
</PRE>
<P>*Bounce attack failed:*<BR><BR>
<PRE>
220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7
220 ftp Microsoft FTP Service (Version 3.0).
220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.
220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.
</PRE>
The 'x's are partly there to protect those guilty of running a flawed server,
but mostly just to make the lines fit in 80 columns. Same thing with the
ellipse points. The bounce attack is available with the -b <proxy_server>
option of nmap. proxy_server can be specified in standard URL format,
username:password@server:port , with everything but server being optional.<BR><BR>
<LI><A NAME="port_unreach">UDP ICMP port unreachable scanning : This
scanning method varies from the above in that we are using the UDP
protocol instead of TCP. While this protocol is simpler, scanning it
is actually significantly more difficult. This is because open ports
don't have to send an acknowledgement in response to our probe, and
closed ports aren't even required to send an error packet.
Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you
send a packet to a closed UDP port. Thus you can find out if a port
is NOT open, and by exclusion determine which ports which are.
Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so
UDP scanners of this sort must also implement retransmission of
packets that appear to be lost (or you will get a bunch of false
positives). Also, this scanning technique is slow because of
compensation for machines that took RFC 1812 section 4.3.2.8 to heart
and limit ICMP error message rate. For example, the Linux kernel (in
net/ipv4/icmp.h) limits destination unreachable message generation to
80 per 4 seconds, with a 1/4 second penalty if that is exceeded. At
some point I will add a better algorithm to nmap for detecting this.
Also, you will need to be root for access to the raw ICMP socket
necessary for reading the port unreachable. The -u (UDP) option of
nmap implements this scanning method for root users.
<P>Some people think UDP scanning is lame and pointless. I usually
remind them of the recent Solaris rcpbind hole. Rpcbind can be found
hiding on an undocumented UDP port somewhere above 32770. So it
doesn't matter that 111 is blocked by the firewall. But can you find
which of the more than 30,000 high ports it is listening on? With a
UDP scanner you can!<BR><BR>
<LI><A NAME="recvfrom">UDP recvfrom() and write() scanning : While
non-root users can't read port unreachable errors directly, Linux is
cool enough to inform the user indirectly when they have been
received. For example a second write() call to a closed port will
usually fail. A lot of scanners such as netcat and Pluvius' pscan.c
does this. I have also noticed that recvfrom() on non-blocking UDP
sockets usually return EAGAIN ("Try Again", errno 13) if the ICMP
error hasn't been received, and ECONNREFUSED ("Connection refused",
errno 111) if it has. This is the technique used for determining open
ports when non-root users use -u (UDP). Root users can also use the
-l (lamer UDP scan) options to force this, but it is a really dumb
idea.<BR><BR>
<LI><A NAME="icmp">ICMP echo scanning : This isn't really port
scanning, since ICMP doesn't have a port abstraction. But it is
sometimes useful to determine what hosts in a network are up by
pinging them all. the -P option does this. ICMP scanning is now in
parallel, so it can be quite fast. To speed things up even more, you
can increase the number of pings in parallel with the '-L <num>'
option. It can also be helpful to tweek the ping timeout value with
'-T <num_seconds>'. nmap supports a host/bitmask notation to make
this sort of thing easier. For example 'nmap -P cert.org/24
152.148.0.0/16' would scan CERT's class C network and whatever class B
entity 152.148.* represents. Host/26 is useful for 6-bit subnets
within an organization. Nmap now also offers a more powerful form.
You can now do things like '150.12,17,71-79.7.*' and it will do what
you expect. For each of the four values, you can either put a single
number, a range (with '-'), a comma-separated list of numbers and
ranges, or a '*' which is just a short cut for 0-255. By default,
likely network/broadcast addresses like .0 and .255 are not scanned,
but the '-A' option allows you to do this if you wish.
</UL>
<BR><BR>
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Features</TH></TR></TABLE>
<P>Prior to writing nmap, I spent a lot of time with other scanners
exploring the Internet and various private networks (note the
avoidance of the "intranet" buzzword). I have used many of the top
scanners available today, including strobe by Julian Assange, netcat
by *Hobbit*, stcp by Uriel Maimon, pscan by Pluvius, ident-scan by
Dave Goldsmith, and the SATAN tcp/udp scanners by Wietse Venema.
These are all excellent scanners! In fact, I ended up hacking most of
them to support the best features of the others. Finally I decided to
write a whole new scanner, rather than rely on hacked versions of a
dozen different scanners in my /usr/local/sbin. While I wrote all the
code, nmap uses a lot of good ideas from its predecessors. I also
incorporated some new stuff like fragmentation scanning and options
that were on my "wish list" for other scanners. Here are some of the
(IMHO) useful features of nmap:<BR><BR>
<UL>
<LI>dynamic delay time calculations: Some scanners require that you
supply a delay time between sending packets. Well how should I know
what to use? Sure, I can ping them, but that is a pain, and plus the
response time of many hosts changes dramatically when they are being
flooded with requests. nmap tries to determine the best delay time
for you. It also tries to keep track of packet retransmissions,
etc. so that it can modify this delay time during the course of the
scan. For root users, the primary technique for finding an initial
delay is to time the internal "ping" function. For non-root users, it
times an attempted connect() to a closed port on the target. It can
also pick a reasonable default value. Again, people who want to
specify a delay themselves can do so with -w (wait), but you shouldn't
have to.<BR><BR>
<LI>retransmission: Some scanners just send out all the query packets,
and collect the responses. But this can lead to false positives or
negatives in the case where packets are dropped. This is especially
important for "negative" style scans like UDP and FIN, where what you
are looking for is a port that does NOT respond. In most cases, nmap
implements a configurable number of retransmissions for ports that
don't respond.<BR><BR>
<LI>parallel port scanning: Some scanners simply scan ports linearly,
one at a time, until they do all 65535. This actually works for TCP
on a very fast local network, but the speed of this is not at all
acceptable on a wide area network like the Internet. nmap uses
non-blocking i/o and parallel scanning in all TCP and UDP modes. The
number of scans in parallel is configurable with the -M (Max sockets)
option. On a very fast network you will actually decrease performance
if you do more than 18 or so. On slow networks, high values increase
performance dramatically.<BR><BR>
<LI>Flexible port specification: I don't always want to just scan all
65535 ports. Also, the scanners which only allow you to scan ports 1
- N sometimes fall short of my need. The -p option allows you to
specify an arbitrary number of ports and ranges for scanning. For
example, '-p 21-25,80,113, 60000-' does what you would expect (a
trailing hyphen means up to 65536, a leading hyphen means 1 through).
You can also use the -F (fast) option, which scans all the ports
registered in your /etc/services (a la strobe).<BR><BR>
<LI>Flexible target specification: I often want to scan more then one
host, and I certainly don't want to list every single host on a large
network to scan. Everything that isn't an option (or option argument)
in nmap is treated as a target host. As mentioned before, you can
optionally append /mask to a hostname or IP address in order to scan
all hosts with the same initial <mask> bits of the 32 bit IP
address. You can use the same powerful syntax as the port
specifications to specify targets like '150.12.17.71-79.7.*'. '*' is
just a shortcut for 0-255, remember to escape it from your shell if
used.<BR><BR>
<LI>detection of down hosts: Some scanners allow you to scan large
networks, but they waste a huge amount of time scanning 65535 ports of
a dead host! By default, nmap pings each host to make sure it is up
before wasting time on it. It also does thin in parallel, to speed
things up. You can change the parrallel ping lookahead with '-L' and
the ping timeout with '-T'. You can turn pinging off completely with
the '-D' command line option. This is useful for scanning networks
like microsoft.com where ICMP echo requests can't get through. Nmap
is also capable of bailing on hosts that seem down based on strange
port scanning errors. It is also meant to be tolerant of people who
accidentally scan network addresses, broadcast addresses, etc.<BR><BR>
<LI>detection of your IP address: For some reason, a lot of scanners
ask you to type in your IP address as one of the parameters. Jeez, I
don't want to have to 'ifconfig' and figure out my current address
every time I scan. Of course, this is better then the scanners I've
seen which require recompilation every time you change your address!
nmap first tries to detect your address during the ping stage. It
uses the address that the echo response is received on, as that is the
interface it should almost always be routed through. If it can't do
this (like if you don't have host pinging enabled), nmap tries to
detect your primary interface and uses that address. You can also use
-S to specify it directly, but you shouldn't have to (unless you want
to make it look like someone ELSE is SYN or FIN scanning a
host.<BR><BR>
</UL>
Some other, more minor options:<BR>
<PRE>
-v (verbose): This is highly recommended for interactive use. Among other
useful messages, you will see ports come up as they are found, rather than
having to wait for the sorted summary list.
-r (randomize): This will randomize the order in which the target host's
ports are scanned.
-q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default).
It also eliminates all other arguments, so you won't look too suspicious in
'w' or 'ps' listings.
-h for an options summary.
-R show and resolve all hosts, even down ones.
</PRE>
Also look for <A
HREF="http://www.insecure.org/nmap/">http://www.insecure.org/nmap</A>,
which is the web site I plan to put future versions and more
information on. In fact, you would be well advised to check there
right now. (If that isn't where you are reading this).
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Example
Usage</TH></TR></TABLE>
<BR><BR>
To launch a stealth scan of the entire class 'B' networks 166.66.0.0 and
166.67.0.0 for the popularly exploitable imapd daemon:<BR>
<pre>
# nmap -Up 143 166.66.0.0/16 166.67.0.0/16
</pre>
To do a standard tcp scan on the reserved ports of host
&lt;target&gt;:<BR>
<pre>
&gt; nmap target
</pre>
To check the class 'C' network on which warez.com sits for popular
services (via fragmented SIN scan):<BR>
<pre>
# nmap -fsp 21,22,23,25,80,110 warez.com/24
</pre>
To scan the same network for all the services in your /etc/services
via (very fast) tcp scan:<BR>
<pre>
&gt; nmap -F warez.com/24
</pre>
To scan secret.pathetic.net using the ftp bounce attack off of
ftp.pathetic.net:<BR>
<pre>
&gt; nmap -Db ftp.pathetic.net secret.pathetic.net
</pre>
To find hosts that are up in the the adjacent class C's 193.14.12,
.13, .14, .15, ... , .30:<BR>
<pre>
&gt; nmap -P '193.14.[12-30].*'
</pre>
If you don't want to have to quote it to avoid shell interpretation,
this does the same thing:<BR>
<pre>
&gt; nmap -P 193.14.12-30.0-255
</pre>
</BODY>
</HTML>

950
docs/nmap_french.1
View File

@@ -1,950 +0,0 @@
.\" nmap version 3.00, August 2002
.\" This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NOM
nmap \- Outil d'exploration r<>seau et analyseur de s<>curit<69>
.SH SYNOPSIS
.B nmap
[Type(s) de scan] [Options] <h<>te ou r<>seau #1 ... [#N]>
.SH DESCRIPTION
.I Nmap
a <EFBFBD>t<EFBFBD> con<EFBFBD>u pour que les administrateurs syst<EFBFBD>mes et les curieux
puissent analyser de grands r<EFBFBD>seaux pour d<EFBFBD>terminer les h<EFBFBD>tes actifs et les
services offerts.
.I nmap
supporte un grand nombre de techniques d'analyse\ : UDP, TCP
connect(), TCP SYN (mi ouvert), ftp proxy (attaque par rebond),
Reverse-ident, ICMP (balayage de ping), FIN, balayage de ACK, Xmas Tree, balayage
de SYN, Protocoles IP, et Null scan. Voir la section
.I Types de scans
pour plus de d<>tails. Nmap offre <20>galement des caract<63>ristiques avanc<6E>es
comme la d<>tection du syst<73>me d'exploitation distant via l'empreinte
TCP/IP, l'analyse furtive, le d<>lai dynamique et les calculs de retransmission,
l'analyse parall<6C>le, d<>tection de h<>tes inactifs via
des pings parall<6C>les, l'analyse avec leurres, la d<>tection des ports filtr<74>s,
analyse directe (sans portmapper) des RCP, l'analyse avec fragmentation,
et une notation puissante pour d<>signer les h<>tes et les ports.
.PP
Des efforts significatifs ont <20>t<EFBFBD> consacr<63>s pour que nmap soit utilisable
par des utilisateurs non-root. Malheureusement, la plupart des interfaces
noyaux critiques (comme les raw sockets) requi<75>rent les privil<69>ges root.
Nmap devrait donc <20>tre lanc<6E> en tant que root autant que possible
(mais pas en setuid root, <20>videmment).
.PP
Le r<>sultat de l'ex<65>cution de nmap est habituellement une liste
de ports int<6E>ressants sur les machines analys<79>es. Nmap donne pour
chaque port le nom du service, le num<75>ro, l'<27>tat et le protocole.
L'<27>tat peut <20>tre <20>\ open\ <EFBFBD>, <20>\ filtered\ <EFBFBD> ou <20>\ unfiltered\ <EFBFBD>.
<EFBFBD>\ Open\ <EFBFBD> signifie que la machine cible accepte les connexions sur ce port.
<EFBFBD>\ Filtered\ <EFBFBD> signifie qu'un pare-feu, un filtre ou un autre obstacle r<>seau
prot<EFBFBD>ge le port et emp<6D>che nmap de d<>tecter si le port est ouvert.
<EFBFBD>\ Unfiltered\ <EFBFBD> signifie que le port est ferm<72> et qu'aucun pare-feu n'a
interf<EFBFBD>r<EFBFBD> avec nmap.
Les ports <20>\ Unfiltered\ <EFBFBD> sont les plus courants et ne sont affich<63>s
que lorsque la majorit<69> des ports analys<79>s sont dans l'<27>tat <20>\ filtered\ <EFBFBD>.
.PP
En fonction des options utilis<69>es, nmap peut aussi rapporter les caract<63>ristiques
suivantes du syst<73>me d'exploitation distant\ :
type de syst<73>me d'exploitation, s<>quencement TCP, noms des utilisateurs
qui ont lanc<6E> les programmes qui <20>coutent sur chaque port, le nom DNS,
et d'autres choses encore.
.SH OPTIONS
Les options ayant du sens ensemble peuvent g<>n<EFBFBD>ralement <20>tre combin<69>es.
Certaines options sont sp<73>cifiques <20> certains modes d'analyses.
.I nmap
essaye de d<EFBFBD>tecter et de pr<EFBFBD>venir l'utilisateur
en cas de combinaisons d'options d<>mentes ou non support<72>es.
.Sp
Si vous <20>tes impatient, vous pouvez passer directement
<EFBFBD> la section des
.I exemples
<EFBFBD> la fin, qui illustre l'usage courant. Vous pouvez aussi lancer
.B nmap -h
pour un bref rappel de toutes les options.
.TP
.B TYPES DE SCANS
.TP
.B \-sS
TCP SYN scan\ : Cette technique est souvent appel<65>e scan
<EFBFBD>\ mi ouvert\ <EFBFBD>, parce qu'on ouvre une connexion TCP incompl<70>te.
On envoie un paquet SYN, comme pour une v<>ritable ouverture de connexion
et on attend une r<>ponse. Un SYN ou ACK indique
que le port est sous <20>coute, en revanche un RST signifie que personne n'<27>coute
sur ce port.
Si un SYN ou ACK est re<72>u, un RST est imm<6D>diatement envoy<6F> pour interrompre
la connexion.
Le principal avantage de cette technique est que peu de sites l'archiveront.
dans leurs logs.
Malheureusement vous avez besoin des privil<69>ges root pour construire
ces paquets SYN sur mesure. C'est le scan par d<>faut pour les utilisateurs
qui ont les privil<69>ges root.
.TP
.B \-sT
TCP connect() scan\ : C'est la forme la plus simple de scan TCP.
L'appel syst<73>me connect() fournit par votre syst<73>me d'exploitation
est utilis<69> pour ouvrir une connexion sur tous les ports int<6E>ressants
de la cible. Si le port est sur <20>coute,
connect() r<>ussira, sinon le port est injoignable.
Le principal avantage de cette technique est qu'elle ne n<>cessite pas
de privil<69>ges particuliers. Presque tous les utilisateurs de toutes les machines Unix
sont libres d'utiliser cet appel syst<73>me.
.Sp
Ce type de scan est facilement d<>tectable par l'h<>te cible
puisque les logs de la cible montreront un ensemble de connexions
et de messages d'erreurs pour les services qui ont accept<70> la connexion
qui a <20>t<EFBFBD> imm<6D>diatement coup<75>e.
C'est le scan par d<>faut pour les utilisateurs normaux (non root).
.TP
.B \-sF \-sX \-sN
Stealth FIN, Xmas Tree, ou Null scan modes\ : Parfois m<EFBFBD>me
un SYN scan n'est pas suffisamment discret.
Certains pare-feux et filtreurs de paquets regardent les
SYNs vers les ports interdits, et des programmes comme Synlogger et
Courtney peuvent d<>tecter ces scans. En revanche, ces scans avanc<6E>s
devrait pourvoir passer sans probl<62>mes.
.Sp
L'id<69>e est qu'un port ferm<72> est requis pour
r<EFBFBD>pondre au paquet de test par un RST, alors
que les ports ouverts doivent ignorer les paquets en question
(voir RFC 793 pp 64). Le FIN scan utilise
un paquet FIN nu comme testeur, alors que le scan Xmas tree
active les drapeaux URG et PUSH du paquet FIN. Le scan Null, d<>sactive tous
les drapeaux. Malheureusement Microsoft (comme d'habitude)
a d<>cid<69> d'ignorer compl<70>tement le standard et de faire les choses <20> sa fa<66>on.
C'est pourquoi ce type de scan ne fonctionne pas contre les syst<73>mes sous
Windows95/NT. Le c<>t<EFBFBD> positif est que c'est un bon moyen de distinguer deux
plates-formes.
Si le scan trouve des ports ouverts, vous savez que la machine cible n'est
pas sous Windows. Si un -sF,-sX, ou -sN scan montre tous les ports
ferm<EFBFBD>s, et qu'un scan SYN (-sS) montre tous les ports ouverts, la machine cible
fonctionne probablement sous
Windows. Ceci est moins utile depuis que nmap a son propre d<>tecteur de syst<73>me
d'exploitation int<6E>gr<67>. D'autres syst<73>mes ont le m<>me probl<62>me que Windows\ :
Cisco, BSDI, HP/UX, MVS, et IRIX.
La plupart envoient des resets depuis les ports ouverts au lieu d'ignorer
le paquet.
.TP
.B \-sP
Ping scanning\ : Parfois vous voulez juste savoir quels sont les h<>tes
actifs d'un r<>seau.
Nmap peut le faire pour vous en envoyant des paquets d'<27>cho ICMP <20> chaque adresse IP du r<>seau sp<73>cifi<66>.
Les h<>tes qui r<>pondent sont actifs. Malheureusement, certains sites comme
microsoft.com, bloquent les paquets d'<27>cho.
Toutefois nmap peut aussi envoyer un paquet TCP ack au port 80 (par d<>faut).
Si vous recevez un RST en retour, la machine est active. Une troisi<73>me
technique consiste <20> envoyer un paquet SYN et d'attendre un RST ou un SYN/ACK.
Pour les utilisateurs non-root, la m<>thode connect() est utilis<69>e.
.Sp
Par d<>faut (pour les utilisateurs root), nmap utilise la technique
ICMP et ACK en parall<6C>le. Vous pouvez changer l'option
.B \-P
d<EFBFBD>crite plus tard.
.Sp
Remarquez que le ping est fait par d<>faut de toutes fa<66>ons
et seuls les h<>tes qui r<>pondent sont analys<79>s.
N'utilisez cette option que si vous voulez faire un balayage de
ping
.B sans
faire d'analyse de ports.
.TP
.B \-sU
UDP scans\ : Cette m<>thode est utilis<69>e pour d<>terminer les ports UDP
(User Datagram Protocol, RFC 768) qui sont ouverts sur l'h<>te
Cette technique consiste <20> envoyer un paquet udp de 0 octet <20> chaque
port de la machine cible. Si on re<72>oit un message ICMP <20>\ port unreachable\ <EFBFBD>,
alors le port est ferm<72>. Autrement nous supposons qu'il est ouvert.
.Sp
Certaines personne pensent que l'analyse UDP est inutile.
J'ai pour habitude de leur rappeler le trou r<>cent dans rcpbind sous Solaris.
Rpcbind peut dissimuler un port UDP non document<6E> quelque part au dessus
de 32\ 770. Comme d<>couvrir un tel port sans scanner UDP\ ?
Il y a aussi le programme
cDc Back Orifice backdoor qui cache un port UDP configurable
sur les machines Windows. Sans m<>me mentionner tous les services courants
qui utilisent UDP tels que snmp, tftp, NFS, etc.
.Sp
Malheureusement l'analyse UDP peut <20>tre particuli<6C>rement longue puisque la plupart
des h<>tes impl<70>mente une suggestion de la RFC 1812 (section
4.3.2.8) pour limiter le d<>bit des messages d'erreurs ICMP. Par exemple,
le noyau Linux (dans net/ipv4/icmp.h) limite la g<>n<EFBFBD>ration de
message <20>\ destination unreachable\ <EFBFBD> <20> 80 pour 4 secondes, avec
une p<>nalit<69> de 1/4 secondes si ce nombre est d<>pass<73>.
Solaris a des limites encore plus strictes (<28> peu pr<70>s 2 messages par
seconde) et l'analyse n<>cessite encore plus de temps.
.I Nmap
d<EFBFBD>tecte cette limite de d<>bit et ralentit plut<75>t que d'inonder inutilement
le r<>seau avec des paquets qui seront ignor<6F>s par la machine cible.
.Sp
Comme d'habitude, Microsoft a ignor<6F> la suggestion RFC
et n'a pas impl<70>ment<6E> de limitation de taux dans les machines
Win95 et NT. C'est pourquoi nous pouvons analyser
les 65K ports d'une machine Windows
.B tr<EFBFBD>s
rapidement. Wahoo !
.TP
.B \-sO
IP protocol scans\ : Cette m<>thode est utilis<69>e
pour d<>terminer les protocoles IP support<72>s par l'h<>te.
La technique consiste <20> envoyer des paquets IP bruts sans ent<6E>te de protocole
<EFBFBD> chaque protocole sp<73>cifi<66> sur la machine cible.
Si nous recevons un message ICMP <20>\ protocol unreachable\ <EFBFBD>,
alors le protocole n'est pas utilis<69>. Autrement nous supposons qu'il est
ouvert. Remarquez que certains h<>tes (AIX, HP-UX, Digital UNIX)
et les pare-feux peuvent ne pas renvoyer les
messages <20>\ protocol unreachable\ <EFBFBD>, faisant appara<72>tre ouverts
tous les protocoles.
.Sp
Comme cette technique est tr<74>s similaire <20> l'analyse des ports UDP, la
limitation du d<>bit ICMP peut aussi appara<72>tre.
Mais comme le champ protocole d'IP n'a que 8 bits, il y a au plus 256
protocoles, donc la dur<75>e restera raisonnable.
.TP
.B \-sI <zombie host[:probeport]>
scan paresseux : cette m<>thode de scan avanc<6E>e autorise un scan TCP
v<EFBFBD>ritablement aveugle de la cible (aucun paquet ne sera envoy<6F> <20> la cible
depuis votre v<>ritable adresse IP). <20> la place, une attaque unilat<61>rale
exploite la pr<70>diction de la s<>quence d'identificateur de fragmentation IP
de l'h<>te zombie pour glaner des informations sur les ports ouverts de la cible.
Les syst<73>mes de d<>tections d'intrusion indiqueront que le scan provient de la
machine zombie sp<73>cifi<66>e (qui doit <20>tre active et v<>rifier un certain nombre de
crit<EFBFBD>res). J'envisage de donner plus d'explication <20> http://www.insecure.org/nmap/nmap_documentation.html
dans un futur proche.
.TP
.Sp
En plus d'<27>tre extraordinairement furtive (gr<67>ce <20> sa nature aveugle), ce scan
permet de s'affranchir des relations de confiance entre machines
fond<EFBFBD>es sur l'IP. La liste de ports montre les ports ouverts
.I tels que les voit l'h<>te zombie.
Aussi, vous pouvez essayer de scanner une cible en utilisant diff<66>rents zombies
<EFBFBD> qui elle fait confiance (via les r<>gles de filtrage des routeurs/paquets).
<EFBFBD>videmment cette information est cruciale pour orienter l'attaque. Autrement
votre test de p<>n<EFBFBD>tration va consommer des ressources consid<69>rables
appartenant au syst<73>me interm<72>diaire, pour s'apercevoir en fin de compte
qu'il n'y a pas de relation de confiance entre l'h<>te cible
et l'IP de la machine zombie.
.Sp
Vous pouvez ajouter un deux-point suivi par le num<EFBFBD>ro de port si vous
voulez tester un port particulier sur l'h<>te zombie pour les changement IPID.
Autrement Nmap utilisera le port qu'il utilise par d<>faut pour les pings TCP.
.TP
.B \-sA
ACK scan\ : C'est une technique avanc<6E>e qui est utilis<69> pour d<>couvrir
les r<>gles des pare-feux et pour savoir si on a affaire <20> un pare-feu ou un simple
filtreur de paquets qui bloquent les paquets SYN entrant.
.Sp
Ce type d'analyse envoie un paquet ACK (avec un num<75>ro
d'acquittement/s<>quence al<61>atoire) aux ports sp<73>cifi<66>s.
Si un RST vient en retour, les ports sont class<73>s comme
non filtr<74>s. Si rien ne revient (ou alors un message ICMP
<EFBFBD>\ unreachable\ <EFBFBD>), les ports sont class<73>s comme filtr<74>s . Remarquez
que
.I nmap
n'affiche pas les ports non filtr<74>s.
Aussi, si
.B aucun
port n'est affich<63> dans la sortie, c'est souvent un signe que tous
les tests ont fonctionn<6E> (et retourn<72> RSTs). Ce scan ne montrera <20>videment
jamais de port ouvert.
.TP
.B \-sW
Window scan\ : C'est une analyse avanc<6E>e tr<74>s similaire au
ACK scan, sauf qu'il peut parfois d<>tecter aussi bien des
ports ouverts que filtr<74>s/non filtr<74>s gr<67>ce <20> une anomalie
dans la taille de la fen<65>tre TCP rapport<72>e par certains syst<73>mes.
Parmi les syst<73>mes vuln<6C>rables se trouvent certaines versions de
AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital
UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, et
VxWorks. Voir les archives de la liste de diffusion nmap-hackers pour une liste
exhaustive.
.TP
.B \-sR
RPC scan. Cette m<EFBFBD>thode fonctionne en combinaison
avec diverses m<>thodes d'analyse de port de nmap.
Il prend tous les ports TCP/UDP ouverts et les inonde de
commandes SunRPC NULL pour d<>terminer ceux qui sont
des ports RPC, et si c'est le cas, le programme et son num<75>ro de version
qui les servent.
Vous pouvez obtenir la m<>me information
que 'rpcinfo -p' m<>me si le portmapper cible est derri<72>re un
pare-feu (ou prot<6F>g<EFBFBD> par un wrapper TCP). Les leurres ne fonctionnent pour le
moment pas avec les scans RCP, et je dois ajouter le support pour les leurres
dans les scans UPD RCP.
.TP
.B \-sL
scan-liste. Cette m<>thode g<>n<EFBFBD>re une liste d'IP/nom sans les pinger ou les
scanner. La r<>solution de nom DNS sera r<>alis<69>e sauf si vous utilisez -n.
.TP
.B \-b <ftp relay host>
attaque par rebond FTP\ : Une caract<63>ristique int<6E>ressante du
protocole ftp (RFC 959) est le support des connexions \fBproxy\fR.
En d'autres termes, je dois <20>tre capable de me connecter depuis
mechant.com au serveur FTP de cible.com et demander que le serveur envoie
un fichier N'IMPORTE O<> sur Internet. <20>a fonctionnait bien
en 1985 quand la RFC a <20>t<EFBFBD> <20>crite. Mais dans l'Internet d'aujourd'hui
nous ne pouvons pas nous permettre d'avoir des pirates qui d<>tournent
des serveurs ftp et envoient des donn<6E>es n'importe o<> dans Internet.
J'avais <20>crit en 1995 que ce d<>faut du protocole <20>\ peut <20>tre utilis<69> pour
envoyer des courriers et nouvelles intracables,
matraquer des serveurs de sites, saturer les disques,
essayer de contourner les pare-feux et g<>n<EFBFBD>ralement <20>tre difficile <20> rep<65>rer\ <EFBFBD>.
On peut aussi l'exploiter pour faire un scan
des ports TCP depuis un serveur ftp <20>\ proxy\ <EFBFBD>. Ainsi, vous pouvez vous
connecter <20> un serveur ftp derri<72>re un pare-feu et scanner les ports
sans <20>tre bloqu<71> (139 est un bon nombre). Si le serveur ftp
autorise la lecture et l'<27>criture dans certains r<>pertoires
(tel que /incoming), vous pouvez envoyez des donn<6E>es arbitraires
aux ports que vous avez trouv<75> ouvert (nmap ne le fera toutefois pas pour vous)
.Sp
L'argument pass<73> <20> l'option \fB-b\fR est l'h<>te que vous voulez utiliser comme
proxy, dans la notation URL standard. Le format est\ :
.I username:password@server:port.
Tout sauf
.I server
est optionnel. Pour d<>terminer les serveurs qui sont
vuln<EFBFBD>rables <20> cette attaque, vous pouvez voir mon article dans
.I Phrack
51. Une version mise <20> jour est disponible <20> l'URL
http://www.insecure.org/nmap.
.TP
.B OPTIONS G<EFBFBD>N<EFBFBD>RALES
Aucune n'est n<>cessaire, mais certaines peuvent <20>tre tr<74>s utiles.
.TP
.B \-P0
Ne pas essayer de ping sur les h<>tes avant de les analyser.
Cela permet l'analyse des r<>seaux qui ne permettent pas les requ<71>tes
ou les r<>ponses ICMP <20> travers leurs pare-feux.
Microsoft.com en est un exemple, et vous devez
toujours utiliser
.B \-P0
ou
.B \-PT80
pour faire une analyse de port sur microsoft.com.
.TP
.B \-PT
Utilise TCP "ping" pour d<>terminer les h<>tes actifs. Au lieu
d'envoyer une requ<71>te d'<27>cho ICMP et d'attendre une r<>ponse, nous
envoyons des paquets TCP ACK dans le r<>seau cible
(ou contre une machine) et attendons des r<>ponses pour conclure.
Les h<>tes devraient r<>pondre par un
RST. Cette option pr<70>serve l'efficacit<69> des scan
des h<>tes qui sont actifs mais autorise l'analyse des
h<EFBFBD>tes/r<>seaux qui bloquent les paquets de ping.
Pour les utilisateurs non root,
nous utilisons connect(). Pour sp<73>cifier le port de destination
du test utilisez -PT<port number>. Le port par d<>faut est
80, car ce port n'est pas souvent filtr<74>.
.TP
.B \-PS
Cette option utilise des paquets SYN (demande de connexion) <20> la place
des paquets ACK pour les utilisateurs ROOT. Les h<>tes actifs devrait r<>pondre
par un RST (ou, rarement par un SYN | ACK).
.TP
.B \-PI
Cette option utilise un v<>ritable paquet ping (requ<71>te d'<27>cho ICMP).
Il recherche les h<>tes actifs et aussi regarde les adresses
de diffusion des sous-r<>seaux. Il y a des adresses IP
qui sont joignable de l'ext<78>rieur et qui sont traduites
en une diffusion de paquet entrant dans un r<>seau.
<EFBFBD>a devrait <20>tre supprim<69>, si d<>couvert, car <20>a permet un grand nombre
d'attaques de d<>ni de service.
.TP
.B \-PP
utilise un paquet ICMP de requ<71>te d'estampille temporelle (code 13) pour
d<EFBFBD>terminer les h<>tes qui <20>coutent.
.TP
.B \-PM
Fait la m<>me chose que
.B \-PI
et
.B \-PP
sauf qu'il utilise une requ<71>te de masque de sous-r<>seau (ICMP code 17).
.TP
.B \-PB
C'est le ping par d<>faut. Il utilise les balayages ACK (
.B \-PT
) et ICMP (
.B \-PI
) en parall<6C>le. De cette mani<6E>re, vous pouvez passer les pare-feux qui ne filtrent
que l'un des deux types de paquets.
.TP
.B \-O
Cette option active l'identification de l'h<>te distant via l'empreinte
TCP/IP. Autrement dit, nmap utilise un ensemble de techniques
pour d<>tecter les subtilit<69>s dans la pile r<>seau du syst<73>me d'exploitation
de l'ordinateur que vous <20>tes en train d'analyser. Il utilise ces informations
pour cr<63>er une <20>\ empreinte\ <EFBFBD> qui est compar<61>e avec sa base de donn<6E>es
d'empreintes connues (le fichier nmap-os-fingerprints) pour retrouver le type
de syst<73>me que vous <20>tes en train d'analyser.
.Sp
Si Nmap est incapable de deviner le syst<73>me d'exploitation de la machine,
et que les conditions sont bonnes (par exemple, au moins un port est ouvert)
Nmap fournira une URL que vous pourrez utiliser pour soumettre si vous
connaissez avec certitude le nom du syst<73>me d'exploitation <20> qui appartient
cette nouvelle empreinte.
Vous contribuerez ainsi <20> augmenter le nombre de syst<73>mes d'exploitations
d<EFBFBD>tectable par nmap et la la pr<70>cision de la d<>tection. Si vous laissez
une adresse IP dans le formulaire, la machine pourra <20>tre analys<79>e lorsque
nous ajouterons l'empreinte (pour valider que <20>a marche).
.Sp
L'option \-O active aussi plusieurs autres tests. L'un d'entre eux est la mesure
de <20>\ uptime\ <EFBFBD> (dur<75>e <20>coul<75>e depuis le dernier red<65>marrage du syst<73>me), qui utilise l'estampille TCP (RFC 1323) pour deviner la date du
dernier red<65>marrage de la machine. Ceci n'est rapport<72> que pour les machines
qui fournissent cette information.
.Sp
Un autre test activ<EFBFBD> par \-O est la classification de la pr<EFBFBD>diction
de la s<>quence TCP. C'est une mesure qui d<>crit approximativement la difficult<6C>
d'<27>tablir une connexion TCP forg<72>e contre l'h<>te distant. C'est utile
pour exploiter les relations de confiances fond<6E>es sur l'IP source
(rlogin, firewall filters, etc) ou pour cacher la source d'une attaque.
La valeur r<>elle de la difficult<6C> est calcul<75>e sur un <20>chantillon et peut
fluctuer. Il est g<>n<EFBFBD>ralement plus appropri<72> d'utiliser une classification
par nom tel que <20>\ worthy challenge\ <EFBFBD> ou <20>\ trivial joke\ <EFBFBD>. Ceci n'est
rapport<EFBFBD> dans la sortie normale qu'avec l'option -v.
.Sp
Si le mode verbeux (\-v) est activ<69> en m<>me temps que \-O,
la g<>n<EFBFBD>ration de s<>quence IPID est aussi rapport<72>e.
La plupart des machines appartiennent <20> la classe incr<63>mentale,
ce qui signifie qu'elle incr<63>mente le champ ID dans l'ent<6E>te
IP pour chaque paquet envoy<6F>. Ce qui les rend vuln<6C>rables
<EFBFBD> la collecte d'information avanc<6E>e et aux attaques par
usurpation.
.TP
.B \-I
Active l'analyse TCP reverse ident. Dave Goldsmith
dans un message <20> Bugtraq en 1996, a fait remarquer que le protocole
ident (rfc 1413) autorise la d<>couverte du nom d'utilisateur qui
poss<EFBFBD>de un processus connect<63> via TCP, m<>me si le processus n'est pas <20>
l'instigateur de la connexion. Vous pouvez ainsi vous connecter au port
http et utiliser identd pour d<>couvrir si le serveur tourne sous root.
Ceci ne peut <20>tre fait qu'avec une connexion TCP compl<70>te sur le port cible
(i.e. l'option d'analyse -sT). Quand
.B \-I
est utilis<69>, l'identd de l'h<>te distant est interrog<6F> pour chaque port
ouvert trouv<75>. <20>videmment <20>a ne fonctionne pas si l'h<>te n'utilise pas identd.
.TP
.B \-f
Cette option oblige les analyses FIN, XMAS, ou NULL
<EFBFBD> utiliser de petit paquets IP fragment<6E>s. L'id<69>e est de partager
l'ent<6E>te TCP en plusieurs paquets pour rendre leurs d<>tections plus difficile
par les filtres et les syst<73>mes de d<>tection d'intrusion, et les autres
enquiquineurs qui tentent de d<>tecter ce que vous <20>tes en train de faire.
Faites attention avec ceci, certains programmes ont des difficult<6C>s avec ces
petits paquets. Mon sniffer favori plante imm<6D>diatement lorsqu'il re<72>oit le
premier fragment de 36 octets.
Cette option est inefficace contre les filtreurs de paquets et les pare-feux
qui r<>assemblent les fragments IP
(comme l'option CONFIG_IP_ALWAYS_DEFRAG dans le noyau Linux),
certains r<>seaux ne peuvent pas supporter cette perte de performance
et ne r<>assemblent pas les paquets.
.Sp
Remarquez que je n'ai pas encore fait fonctionner cette option sur tous les
syst<EFBFBD>mes. <20>a marche parfaitement sur les machines Linux, FreeBSD et OpenBSD
et certaines personnes m'ont rapport<72> leurs succ<63>s avec d'autres saveurs
d'Unix.
.TP
.B \-v
Mode verbeux. C'est une option hautement recommand<6E>e qui fournit beaucoup
d'informations sur ce que vous <20>tes en train de faire. Vous pouvez l'utiliser
deux fois pour un effet plus important. Utiliser
.B \-d
une paire de fois si vous voulez vraiment devenir fou avec le d<>filement de
l'<27>cran\ !
.TP
.B \-h
Cette option affiche un bref r<>capitulatif des options de nmap.
Comme vous l'avez sans doute remarqu<71>, cette page de manuel n'est pas vraiment
un <20>\ bref r<>capitulatif\ <EFBFBD>. :)
.TP
.B \-oN <logfilename>
Enregistre les r<>sultats de vos analyses dans un
format
.B lisible par un humain
dans le fichier sp<73>cifi<66> en argument.
.TP
.B \-oX <logfilename>
Enregistre le r<>sultat de vos analyses dans un format
.B XML
dans le fichier sp<73>cifi<66> en argument. Ceci permet <20> des programmes
d'interpr<70>ter facilement les r<>sultats de nmap.
Vous pouvez donner l'argument '\fB-\fR' (sans les guillemets) pour envoyer la sortie sur la sortie standard
(pour les pipelines shells, etc).
Dans ce cas la sortie normale sera supprim<69>e.
Regardez attentivement les messages d'erreurs si vous utilisez ceci (ils sont
encore envoy<6F>s sur la sortie d'erreur standard).
Notez aussi que \fB-v\fR peut afficher des informations suppl<70>mentaires.
La d<>finition de type de document (DTD) d<>finissant la structure de la sortie
XML est disponible <20> http://www.insecure.org/nmap/data/nmap.dtd .
.TP
.B \-oG <logfilename>
Enregistre les r<>sultats de vos analyses dans une forme adapt<70>e pour
.B grep.
Ce format simple fournit toutes les informations sur une ligne. C'est le
m<EFBFBD>canisme pr<70>f<EFBFBD>r<EFBFBD> des programmes qui interagissent avec nmap, mais d<>sormais nous
recommandons plut<75>t la sortie XML (-oX). Ce format simple ne contient pas autant d'informations
que les autres formats. Vous pouvez donner l'argument <20>\fB-\fR<EFBFBD> (sans les guillemets) pour envoyer la sortie sur la sortie standard
(pour les pipelines shells, etc).
Dans ce cas la sortie normale sera supprim<69>e.
Regardez attentivement les messages d'erreurs si vous utilisez ceci (ils sont
encore envoy<6F>s sur la sortie d'erreur standard).
Notez aussi que \fB-v\fR peut afficher des informations suppl<70>mentaires.
.TP
.B \-oA <logfilename>
indique <20> nmap d'enregistrer dans tous les formats majeurs (normal, grep et
XML). Vous fournissez le pr<70>fixe du nom de fichier et les sorties auront
respectivement les suffixes .nmap, .gnmap et .xml .
.TP
.B \-oS <logfilename>
enregistre les r<>sultats de vos analyses en format
.B script kiddie
(NdT\ : C'est un langage dans lequel certaines lettres sont remplac<EFBFBD>es par des chiffres/symboles
typiquement exemple A devient 4, E devient 3, etc. Cette langue est utilis<EFBFBD>e par
les <EFBFBD>\ cowboyz\ <EFBFBD> d'Internet.
Cette population folklorique amuse beaucoup les autres internautes, au point qu'il existe une option pour eux dans nmap)
V0u$ poUV3z dOnn3r l'4rgUm3nt '\fB-\fR' (s4ns l3$ guIll3m3ts) poUr 3nvoy3r l4 sOrti3 sUr l4 $orti3 $t4nd4rd.
.TP
.B \--resume <logfilename>
L'analyse d'un r<>seau qui a <20>t<EFBFBD> annul<75>e par un Ctrl-C, probl<62>me de r<>seau, etc.
peut <20>tre reprise en utilisant cette option.
logfilename doit <20>tre soit un log normal (-oN) soit
un log lisible par une machine (-oM) d'une analyse avort<72>e.
Aucune autre option ne peut <20>tre donn<6E>e (ce sont obligatoirement les m<>mes que
celles du scan avort<72>).
Nmap d<>marrera sur la machine apr<70>s la derni<6E>re machine qui a <20>t<EFBFBD> analys<79>e avec succ<63>s dans le
fichier de log.
.TP
.B \--append_output
indique <20> Nmap d'<27>crire <20> la fin des fichiers de sortie au lieu de les <20>craser.
.TP
.B \-iL <inputfilename>
Lit les sp<73>cifications de la cible depuis le fichier sp<73>cifi<66>
plut<EFBFBD>t que depuis la ligne de commande. Le fichier doit contenir une liste
d'h<>tes, d'expressions de r<>seaux s<>par<61>es par des espaces, tabulations ou retour chariots.
Utilisez le tiret
pour lire depuis stdin (comme la fin d'un pipe).
Voyez la section \fIsp<EFBFBD>cification de cible\fR
pour plus d'information sur les expressions que vous pouvez mettre dans le fichier.
.TP
.B \-iR
Cette option indique <20> Nmap de g<>n<EFBFBD>rer ses propres h<>tes
<EFBFBD> analyser par tirage al<61>atoire :). <20>a ne finit jamais.
<EFBFBD>a peut <20>tre utile pour un <20>chantillon d'Internet pour estimer diverses choses.
Si vous vous ennuyez, essayez
.I nmap \-sS \-iR \-p 80
pour rechercher des serveurs web <20> regarder.
.TP
.B \-p <port ranges>
Cette option sp<73>cifie les ports que vous voulez essayer.
Par exemple '-p 23' n'essayera que le port 23 of de l'h<>te
cible. '\-p 20-30,139,60000-' analysera les ports entre 20 et 30, le port
139, et tous les ports sup<75>rieurs <20> 60000. Le comportement par d<>faut est d'analyser tous
les ports de 1 <20> 1024 ainsi que tous les ports list<73>s dans les fichiers de services fournis avec nmap.
Pour l'analyse par IP (-sO), ceci sp<73>cifie le num<75>ro de protocole que vous voulez analyser
.Sp
Lorsque vous scannez les ports TCP et UPD vous pouvez sp<73>cifier un protocole
particulier en pr<70>fixant les num<75>ros de ports par <20>\ T\ <EFBFBD>: ou <20>\ U:\ <EFBFBD>.
L'effet du sp<73>cificateur dure jusqu'<27> ce que vous en sp<73>cifiez un autre.
Par exemple, l'argument <20>\ -p U:53,111,137,T:21-25,80,139,8080\ <EFBFBD>
scannera les ports UDP 53, 111 et 137 ainsi que les ports TCP mentionn<6E>s.
Remarquez que pour scanner UDP et TCP, vous devez sp<73>cifier -sU et au moins une
analyse TCP (telle que -sS, -sF ou -sT). Si aucune sp<73>cification de
protocole n'est indiqu<71>e, les num<75>ros de ports sont ajout<75>s <20> tous les
protocoles.
.TP
.B \-F Fast scan mode.
Sp<EFBFBD>cifie que vous ne voulez analyser que les ports list<73>s
dans le fichier des services livr<76> avec nmap (ou le fichier des protocoles pour
-sO).
C'est <20>videmment plus rapide que d'analyser les 65535 ports d'un h<>te.
.TP
.B \-D <decoy1 [,decoy2][,ME],...>
r<EFBFBD>alise un scan avec leurres. Du point de vue de l'h<>te distant, les h<>tes
leurres appara<72>tront comme s'ils analysaient aussi le r<>seau cible. Ainsi,
les syst<73>mes de d<>tection d'intrusion ne pourront pas savoir parmi l'ensemble
des IP qui semblent les scanner quelle est l'IP qui effectue r<>ellement
l'analyse et quelles IP ne sont en r<>alit<69> que d'innocent leurres.
Bien que ceci puisse <20>tre contr<74> par
path tracing, response-dropping, et d'autres m<>canismes actifs,
c'est g<>n<EFBFBD>ralement une technique efficace pour dissimuler son adresse IP.
.Sp
S<EFBFBD>parez chaque h<>te-leurre par des virgules, et vous pouvez optionnellement
utiliser '\fBME\fR' (Moi) comme l'un des leurres pour repr<70>senter
la position que vous voulez utiliser pour votre adresse.
Si vous utilisez '\fBME\fR' au del<65> de la 6<>me position, la plupart des d<>tecteurs de scan
(m<>me l'excellent scanlogd de Solar Designer) seront incapables de voir votre adresse IP.
Si vous n'utilisez pas '\fBME\fR', nmap choisira une position al<61>atoire.
.Sp
Remarquez que les h<>tes leurres doivent <20>tre actifs
ou vous risquez accidentellement de faire une inondation SYN sur vos cibles.
Il est aussi presque facile de d<>terminer qui est en train de scanner si seul une
seule machine est active sur le r<>seau. Vous pouvez vouloir utiliser des adresses IP
<EFBFBD> la place des noms (ainsi les r<>seaux leurres ne vous verront pas dans les logs du serveurs de nom).
.Sp
Remarquez <20>galement que quelques d<>tecteurs (stupides) de scan bloqueront
les h<>tes qui tentent des scans de ports. Aussi vous pouvez par inadvertance
bloquer l'acc<63>s des machines leurres <20> la machine cible.
Ceci peut provoquer de grave probl<62>mes aux machines cibles si le leurre s'av<61>re <20>tre
sa passerelle internet ou m<>me <20>\ localhost\ <EFBFBD>. Il faut donc utiliser prudemment cette option.
La vraie morale de cette histoire est que les d<>tecteurs de scan ne doivent pas prendre de
mesures contre les machines qui semblent les analyser, car il se peut que ce soit des leurres\ !
.Sp
Les leurres sont utilis<69>s pour le scan initial (en utilisant ICMP,
SYN, ACK, ou autre chose) et pendant la v<>ritable phase de scan. Les leurres sont aussi
utilis<EFBFBD>s pendant la d<>tection de l'h<>te distant (
.B \-O
).
.Sp
Il ne faut pas oublier que d'utiliser un trop grand nombre de leurres
peut ralentir
le scan et m<>me le rendre impr<70>cis. De plus certains
fournisseurs d'acc<63>s <20> Internet (FAI) filtreront vos paquets usurp<72>s, bien que la plupart
n'applique aucune restriction sur les paquets usurp<72>s.
.TP
.B \-S <adresse_ip>
Dans certaines circonstances,
.I nmap
est incapable de d<>terminer l'adresse source.
.I Nmap
vous avertira si c'est le cas). Dans cette situation, utilisez
\-S avec votre adresse IP (ou l'interface depuis laquelle vous voulez envoyer les paquets).
.Sp
Une autre utilisation possible de ce drapeau est d'usurper le scan pour faire croire
aux cibles que
.B quelqu'un d'autre les scanne.
Imaginez une entreprise qui se croit r<>guli<6C>rement scann<6E>e par un concurrent\ !
Ce n'est pas l'utilisation premi<6D>re ni le but principal de ce drapeau.
Je pense que c'est juste une possibilit<69> int<6E>ressante pour les personnes qui sont au courant
avant qu'elles n'en accusent d'autres de les scanner.
.B \-e
est g<>n<EFBFBD>ralement requis pour ce type d'utilisation.
.TP
.B \-e <interface>
indique l'interface r<>seau <20> utiliser pour envoyer et recevoir les paquets.
\fBNmap\fR devrait <20>tre capable de d<>tecter ceci mais il vous pr<70>viendra s'il n'y parvient pas.
.TP
.B \-g <portnumber>
Sp<EFBFBD>cifie le num<75>ro de port source dans le scan.
Beaucoup de pare-feux et de filtreur de paquets na<6E>fs
feront une exception dans leurs r<>gles pour autoriser le passage des paquets
DNS (53) ou FTP-DATA (20) pour <20>tablir une connexion.
<EFBFBD>videmment <20>a r<>duit compl<70>tement les avantages de s<>curit<69> d'un pare-feu
puisque les intrus n'ont qu'<27> se d<>guiser en FTP ou DNS en modifiant leur
port source. <20>videmment pour un scan UDP vous devriez utiliser
53 en premier et pour les scans TCP vous devriez utiliser
20 avant 53.
Remarquer que ce n'est qu'une requ<71>te -- nmap ne le fera que s'il y parvient.
Par exemple, vous ne pouvez pas faire des analyse en parall<6C>le avec un seul port.
Aussi \fBnmap\fR changera le port source m<>me si vous utilisez \fB-g\fR.
.Sp
Sachez qu'il y a une petite p<>nalit<69> de performance sur certains scans si vous utilisez
cette option, parce que j'enregistre parfois des informations utiles dans le num<75>ro de port
source.
.TP
.B \--data_length <nombre>
Normalement nmap envoie des paquets minimalistes qui ne contiennent que l'en-t<>te.
Ainsi, les paquets TCP font 40 octets et les requ<71>tes d'<27>cho ICMP, 28 octets.
Cette option indique <20> Nmap d'ajouter le nombre sp<73>cifi<66> d'octets initialis<69>s <20> 0
<EFBFBD> la plupart des paquets qu'il envoie. La d<>tection de syst<73>me d'exploitation
(-O) n'est pas affect<63>e, mais la plupart des paquets de ping et de scan de port
le sont. <20>a ralentit les choses, mais <20>a peut <20>tre un peu moins voyant.
.TP
.B \-n
Dit <20> Nmap de ne
.B JAMAIS
faire de r<>solution DNS inverse sur une adresse IP active. Comme DNS est
souvent lent,
<EFBFBD>a peut aider <20> acc<63>l<EFBFBD>rer les choses.
.TP
.B \-R
Dit <20> Nmap de
.B TOUJOURS
faire la r<>solution DNS inverse des adresses IP cibles. Normalement
ceci n'est fait que pour les machines vivantes.
.TP
.B \-r
Dit <20> Nmap
.B DE NE PAS
changer al<61>atoirement l'ordre dans lequel les ports seront analys<79>s.
.TP
.B \-\-randomize_hosts
Dit <20> nmap de m<>langer chaque groupe comprenant jusqu'<27> 2048 h<>tes avant de les analyser.
Ceci rend les scans moins <20>vidents <20> de nombreux syst<73>mes de surveillance r<>seau,
particuli<EFBFBD>rement quand vous le combinez avec des options
pour ralentir le timing (voir ci-dessous).
.TP
.B \-M <max sockets>
Sp<EFBFBD>cifie le nombre maximum de sockets qui seront utilis<69>s en parall<6C>le
pour le scan TCP connect() (celui par d<>faut). C'est utile pour
ralentir l<>g<EFBFBD>rement le scan et <20>viter de crasher les machines cibles. Une autre
approche consiste <20> utiliser \fB-sS\fR, qui est g<>n<EFBFBD>ralement plus facile <20> g<>rer
pour les machines.
.TP
.B OPTIONS TIMING
g<EFBFBD>n<EFBFBD>ralement nmap parvient <20> s'ajuster correctement
aux caract<63>ristiques du r<>seau et <20> analyser aussi vite que possible
tout en minimisant la probabilit<69> d'<27>tre d<>tect<63>.
Cependant, il y a des cas o<> les timings par d<>faut
de Nmap ne correspondent pas <20> vos objectifs. Les options suivantes
permettent un contr<74>le fin des timings\ :
.TP
.B -T <Paranoid | Sneaky | Polite | Normal | Aggressive | Insane>
Ce sont les diff<66>rentes politiques de timing pour communiquer de
mani<EFBFBD>re pratique vos priorit<69>s <20> nmap.
.B Paranoid
analyse
.B tr<EFBFBD>s lentement
dans l'espoir d'<27>viter d'<27>tre rep<65>r<EFBFBD> par les syst<73>me de d<>tection d'intrusion.
Il s<>rialise tous les scans (pas de scan parall<6C>le) et attend au moins
5 minutes entre les envois de paquets.
.B Sneaky
c'est la m<EFBFBD>me chose, sauf qu'il attend 15 secondes entre les envois de paquets.
.B Polite
essaye de minimiser la charge sur le r<>seau et de r<>duire la probabilit<69> de
crasher des machines. Il s<>rialises les test et attend
.B au moins
0,4 secondes entre chaque.
.B Normal
c'est le comportement par d<>faut de Nmap, qui essaye de s'ex<65>cuter aussi
vite que possible sans surcharger le r<>seau ou oublier des
h<EFBFBD>tes/ports.
.B Aggressive
ajoute un d<>compte de 5 minutes par h<>te et n'attends jamais les r<>ponses
individuelles plus de 1.25 secondes.
.B Insane
ne convient qu'aux r<EFBFBD>seaux ultra-rapides o<EFBFBD> vous ne risquez par de perdre
d'informations. Il ajoute un d<>compte de 75
secondes et n'attend les r<>ponses individuelles que pendant
0,3 secondes. Il permet de balayer tr<74>s rapidement les r<>seaux.
Vous pouvez aussi r<>f<EFBFBD>rencer ces modes par num<75>ro (0-5).
Par exemple, '-T 0' donne le mode Paranoid et '-T 5' le mode Insane.
.Sp
Ces modes timings NE devrait PAS <20>tre utiliser en combinaison avec les contr<74>les
de bas niveau donn<6E>s ci-dessous.
.TP
.B --host_timeout <millisecondes>
Sp<EFBFBD>cifie la dur<75>e que \fBnmap\fR est autoris<69>e <20> consacrer
<EFBFBD> l'analyse d'un h<>te unique avant d'abandonner cette IP.
Par d<>faut il n'y a pas de temps limite pour un h<>te.
.TP
.B --max_rtt_timeout <millisecondes>
Sp<EFBFBD>cifie la dur<75>e maximale que \fBnmap\fR peut laisser s'<27>couler en attendant
une r<>ponse <20> ses tests avant de retransmettre ou de laisser tomber.
La valeur par d<>faut est 9\ 000.
.TP
.B --min_rtt_timeout <millisecondes>
Quand les h<>tes cibles commencent <20> <20>tablir un mod<6F>le de r<>ponse tr<74>s
rapidement, \fBnmap\fR diminuera la dur<75>e accord<72>e par test.
Ceci augmente la vitesse du scan, mais peut conduire <20> la perte de paquets
quand une r<>ponse prend plus de temps que d'habitude.
Avec ce param<61>tre vous pouvez garantir que \fBnmap\fR attende au moins
une certaine dur<75>e avant de laisser tomber un test.
.TP
.B --initial_rtt_timeout <millisecondes>
Sp<EFBFBD>cifie le d<>compte du test initial. Ce n'est g<>n<EFBFBD>ralement utile
que lors de l'analyse d'h<>te derri<72>re un pare-feu avec -P0.
Normalement \fBnmap\fR obtient de bonnes estimations <20> partir
du ping et des premiers tests. Le mode par d<>faut est 6\ 000.
.TP
.B --max_parallelism <nombre>
Sp<EFBFBD>cifie le nombre maximum de scans que \fBnmap\fR est autoris<69> <20> mener en parall<6C>le.
Positionner ceci <20> 1 signifie que \fBnmap\fR n'essayera jamais de
scanner plus d'un port <20> la fois. Ce nombre affecte aussi les autres scans
parall<EFBFBD>le comme le balayage de ping, RPC scan, etc.
.TP
.B --scan_delay <millisecondes>
Sp<EFBFBD>cifie la dur<75>e
.B minimum
que \fBnmap\fR doit laisser s'<27>couler entre ses envois. C'est utile pour r<>duire la
charge du r<>seau ou pour ralentir le d<>bit du scan afin de ne pas atteindre
le seuil de d<>clenchement des syst<73>mes de d<>tection d'intrusion.
.SH SP<EFBFBD>CIFICATION DE CIBLE
Tout ce qui n'est pas une option ou un argument d'option
est trait<69> par nmap comme une sp<73>cification d'h<>te.
Le cas le plus simple et une liste de nom d'h<>tes ou d'adresse IP sur la ligne
de commande.
Si vous voulez analyser un sous r<>seau d'adresses IP vous pouvez ajouter
.B '/mask'
au nom d'h<>tes
.B mask
doit <EFBFBD>tre compris entre 0 (scanner tout internet) et 32 (scanner un seul
h<EFBFBD>te). Utiliser /24 pour analyser des adresses de classe 'C'
et /16 pour la classe 'B'.
.Sp
\fBNmap\fR utilise une notation puissante pour sp<73>cifier une adresse IP
en utilisant des listes/intervalles pour chaque <20>l<EFBFBD>ment.
Ainsi vous pouvez analyser tout un r<>seau de classe B
192.168.*.* en sp<73>cifiant '192.168.*.*' ou '192.168.0-255.0-255' ou
m<EFBFBD>me '192.168.1-50,51-255.1,2,3,4,5-255'. Et bien s<>r, vous pouvez utiliser
la notation mask : '192.168.0.0/16'. Elles sont toutes <20>quivalentes
Si vous utilisez des ast<73>risques ('*'), souvenez-vous que la plupart des
shells n<>cessitent que vous les pr<70>c<EFBFBD>diez par des anti-slash ou que vous les
prot<EFBFBD>giez par des guillemets.
.Sp
Une autre chose int<6E>ressante <20> faire et de d<>couper Internet\ :
au lieu de scanner les h<>tes dans une classe 'B',
scanner '*.*.5.6-7' pour analyser toutes les adresses IP se terminant
par .5.6 ou .5.7. Pour plus d'informations sur la sp<73>cification
des h<>tes <20> analyser, voyez la section
.I exemples.
.SH EXEMPLES
Voici quelques exemples d'utilisation de \fBnmap\fR du plus simple au plus compliqu<71>.
Remarquez que les noms et adresses sont utilis<69>es pour rendre les choses
plus concr<63>tes. <20> leur place vous devriez substituer les noms et adresses
de
.B votre propre r<EFBFBD>seau.
Je ne pense pas que l'analyse de ports d'autres r<>seaux soit ill<6C>gale, ni
que l'analyse de ports doit <20>tre consid<69>r<EFBFBD>e par les autres comme une attaque.
J'ai analys<79> des centaines de milliers de machines et je n'ai re<72>u
qu'une seule plainte. Mais je ne suis pas juriste et certaines personnes pourraient
<EFBFBD>tre ennuy<75>es par les tests de
.I nmap.
Aussi demandez pr<EFBFBD>alablement la permission ou utilisez \fBnmap\fR
<EFBFBD> vos risques et p<>rils.
.Sp
.B nmap -v cible.exemple.com
.Sp
Cette option analyse tous les ports TCP r<>serv<72>s sur la machine
cible.exemple.com . Le \-v signifie d'activer le mode verbeux.
.Sp
.B nmap -sS -O cible.exemple.com/24
.Sp
Envoie un scan SYN furtif contre chaque machine active parmi
les 255 machines de classe 'C' qui sont sur cible.exemple.com.
Il essaye aussi de d<>terminer quel syst<73>me d'exploitation fonctionne sur
chaque h<>te. Ceci n<>cessite les privil<69>ges root en raison du scan SYN et
de la d<>tection de syst<73>me d'exploitation.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
Envoie un scan Xmas tree <20> la premi<6D>re moiti<74>
de chacun des 255 sous-r<>seaux de l'espace d'adresse de classe B
198.116. Nous sommes en train de tester si les syst<73>mes font fonctionner sshd,
DNS, pop3d, imapd, ou port 4564. Remarquez que les scan Xmas
ne fonctionnent pas contre les machines Microsoft en raison de leur pile TCP
d<EFBFBD>ficiente. Le m<>me probl<62>me se produit aussi avec les machines
CISCO, IRIX, HP/UX, et BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Plut<EFBFBD>t que de se concentrer sur une plage sp<73>cifique d'IP,
il est parfois int<6E>ressant de d<>couper l'ensemble d'Internet et
d'analyser un petit <20>chantillon de chaque tranche. Cette commande
trouve tous les serveurs web sur des machines dont l'adresse IP
se termine par .2.3, .2.4 ou .2.5 .
Si vous <20>tes root, vous pouvez aussi ajouter \fB-sS\fR.
Vous trouverez plus de machine int<6E>ressantes en commen<65>ant <20> 127, aussi
vous utiliserez '127-222' <20> la place de la premi<6D>re ast<73>risque
car cette section poss<73>de une plus grande densit<69> de machine int<6E>ressantes.
.Sp
.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
Fait un transfert DNS pour d<>couvrir les h<>tes de company.com
et utiliser leurs adresses IP pour alimenter
\fInmap\fR.
Les commandes ci-dessus sont pour mon ordinateur GNU/Linux.
Vous pouvez avoir besoin d'autres commandes/options pour d'autres syst<73>mes d'exploitations.
.SH BOGUES
Bogues\ ? Quels bogues\ ? Envoyez-moi tout ce que vous trouverez.
Les patchs sont les bienvenus. Souvenez-vous
que vous pouvez aussi envoyer les empreintes de nouveaux syst<73>mes
d'exploitation pour enrichir la base de donn<6E>es.
Si une empreinte appropri<72>e est trouv<75>e, Nmap
affichera l'URL <20> laquelle vous pourrez l'envoyer.
.SH AUTEUR
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH DISTRIBUTION
La derni<6E>re version de
.I nmap
peut <20>tre obtenu depuis
.I http://www.insecure.org/nmap/
.Sp
.I nmap
est (C) 1995-2001 par Insecure.Com LLC
.Sp
.I libpcap
est aussi distribu<62>e avec nmap. Il est copyright<68> par
Van Jacobson, Craig Leres et Steven McCanne, tous du
Lawrence Berkeley National Laboratory, University of
California, Berkeley, CA. La version distribu<62>e avec nmap
peut <20>tre modifi<66>e, les sources d'origine sont disponibles
<EFBFBD> ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
.Sp
Ce programme est un logiciel libre, vous pouvez
le redistribuer et/ou le modifier sous les termes de la
GNU General Public License telle que publi<6C>e par
par la Free Software Foundation\ ;
Version 2. Ceci garantit votre droit d'utiliser, modifier
et redistribuer Nmap sous certaines conditions.
Si cette licence est inacceptable pour vous, Insecure.Org
pourrait <20>ventuellement vendre d'autres licences.
(contacter \fBfyodor@dhp.com\fR).
.Sp
Les sources sont fournies avec ce logiciel
car nous croyons que les utilisateurs ont le droit de savoir exactement ce que
fait un programme avant de le lancer. Ceci vous permet aussi d'auditer le
logiciel pour rechercher des trous de s<>curit<69>
(aucun n'a <20>t<EFBFBD> trouv<75> jusqu'<27> pr<70>sent).
.Sp
Le code source vous permet aussi de porter Nmap vers de nouvelles plates-formes,
corriger des bogues et ajouter de nouvelles caract<63>ristiques.
Vous <20>tes vivement encourag<61> <20> envoyer vos modifications
<EFBFBD> \fBfyodor@insecure.org\fR pour une <20>ventuelle incorporation dans
la distribution principale. En envoyant ces modifications <20>
Fyodor ou <20> quelqu'un de la liste de diffusion de d<>veloppement
de insecure.org, il est suppos<6F> que vous offrez <20>
Fyodor le droit illimit<69> et non exclusif de r<>utiliser,
modifier et relicencier le code. C'est important parce que l'impossibilit<69>
de relicencier le code a provoqu<71> des probl<62>mes d<>vastateurs dans d'autres
projets de logiciel libre (comme KDE et NASM).
Nmap sera toujours disponible en Open Source.
Si vous d<>sirez sp<73>cifier des conditions particuli<6C>res de licence pour vos
contributions, dites-le nous simplement quand vous nous les envoyez.
.Sp
Ce programme est distribu<62> dans l'espoir d'<27>tre utile, mais
.B SANS AUCUNE GARANTIE
m<EFBFBD>me la garantie implicite relative <20> la
.B QUALIT<EFBFBD> MARCHANDE
ou
.B D'APTITUDE <EFBFBD> UNE UTILISATION PARTICULI<EFBFBD>RE.
Voir la licence GPL (c'est le fichier COPYING de la
distribution \fInmap\fR.
.Sp
Remarque\ : Nmap a d<>j<EFBFBD> fait planter certaines
applications, des piles TCP/IP et m<>me des syst<73>mes d'exploitations mal <20>crits.
Par cons<6E>quent
.B Nmap ne devrait jamais <EFBFBD>tre utilis<EFBFBD> contre des syst<EFBFBD>mes qui ont une mission
critique <20> moins que vous ne soyez pr<70>t <20> souffrir d'une <20>ventuelle
interruption de service. Nous reconnaissons ici que \fbnmap\fR
peut crasher vos syst<73>mes et r<>seaux mais nous ne sommes pas responsables
des d<>g<EFBFBD>ts que Nmap pourrait provoquer.
.Sp
En raison du l<>ger risque de crashs et parce que quelques personnes
mal intentionn<6E>es utilisent nmap pour les reconnaissances pr<70>liminaires <20> une
attaque, certains administrateurs deviennent furieux et se plaignent quand leurs
syst<EFBFBD>mes sont scann<6E>s. C'est pourquoi il est plus sage de demander la permission
avant de lancer l'analyse d'un r<>seau.
.Sp
Nmap ne devrait jamais <20>tre lanc<6E> avec des privil<69>ges (par exemple suid root)
pour des raisons de s<>curit<69>.
.Sp
Toutes les versions de Nmap post<73>rieures <20> la 2.0 sont compatibles
an 2000. Il n'y a aucune raison de penser que les versions ant<6E>rieures ont des
probl<EFBFBD>mes, mais nous ne les avons pas test<73>es.
.SH TRADUCTION
S<EFBFBD>bastien Blanchet, 2002 <sebastien.blanchet AT free.fr>
.SH RELECTURE
G<EFBFBD>rard Delafond

991
docs/nmap_german.1
View File

@@ -1,991 +0,0 @@
.\" This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NAME
nmap - Auswertungstool fuer Netzwerke und Security Scanner
.SH SYNTAX
.B nmap
[Scan-Typ(en)] [Optionen] <Host oder Netz #1 ... [#N]>
.SH BESCHREIBUNG
.I Nmap
wurde entwickelt, um Systemadministratoren und kuriosen Individuen die
Moeglichkeit zu geben, ansprechbare Systeme und die durch sie bereitgestellten
Dienste in grossen Netzwerken zu identifizieren.
.I nmap
unterstuetzt eine Vielzahl verschiedener Scanning-Techniken, wie zum Beispiel
UDP, TCP connect(), TCP SYN (half open), FTP-Proxy (bounce attack),
Reverse-ident, ICMP (Ping-Suchlauf), FIN, ACK-Suchlauf, Xmas-Tree,
SYN-Suchlauf, IP-Protocol und Null-Scan.
Siehe Absatz
.I Scan-Typen
fuer mehr Informationen. Ebenso ermoeglicht nmap eine Vielzahl von
zusaetzlichen Moeglichkeiten, wie das Erkennen von Betriebssystemen mittels
TCP/IP-Fingerprinting, Stealth-Scanning, dynamische Verzoegerungen und
Uebertragungswiederholungs-Berechnungen, paralleles Scanning, Entdecken
abgeschalteter Systeme mittels parallelem Scanning, Decoy-Scanning, entdecken
von Port-Filtering, direktes RPC-Scanning (ohne Portmapper), fragmentiertes
Scanning sowie flexible Ziel und Port Spezifizierung.
.PP
Ein Grossteil der Arbeit wurde in die Moeglichkeiten fuer non-root Benutzer
investiert. Leider benoetigen viele exotische Techniken (z.B. die Kernel-nahen
raw sockets) root-Privilegien. Aus diesem Grund sollte nmap stets als root
genutzt werden, sofern dies moeglich ist (natuerlich kein setuid root).
.PP
Das Resultat eines nmap-Durchlaufs ist normalerweise eine Liste saemtlicher
interessanter Ports der gescannten Geraete (falls vorhanden). Sofern eine
Zuweisung stattfinden kann, benennt nmap die well-known Ports direkt mit ihrem
Service-Namen, Portnummer, Status und Protokoll. Der Status ist
entweder 'open', 'filtered' oder 'unfiltered'. Open (dt. offen) bedeutet, dass
das Zielsystem auf diesem Port Verbindungen anzunehmen in der Lage ist.
Filtered (dt. gefiltert) weist darauf hin, dass ein dediziertes
Firewall-System, TCP/IP-Filter oder Netzwerk-Element die Arbeit von nmap
behindert und somit keine verlaesslichen Rueckschluesse gemacht werden
koennen. Unfiltered (dt. ungefiltert) heisst, dass nmap den Port kennt, jedoch
beim Zugriff keinerlei Filter-Mechanismen ausgemacht werden konnten. Der
ungefilterte Status wird in den meisten aller Faelle vorhanden sein, weshalb
ein solcher nur immer dann ausgwiesen wird, wenn die meisten der gescannten
Ports gefiltert (engl. filtered) sind.
.PP
Jenachdem, welche Optionen angewandt wurden, ist nmap in der Lage Auskunft
ueber die folgenden Charakteristiken des Zielsystems zu geben: Genutztes
Betriebssystem, TCP-Sequenznummern, Benutzername der an die Ports gebundene
Software, DNS-Name, ob es sich um ein Smurf-System handelt und viele mehr.
.SH OPTIONEN
Das Zusammenspiel verschiedener Optionen ist immer dann moeglich, wenn dies
auch Sinn macht. Einige Parameter koennen nur in Verbindung mit spezifischen
Scan-Methoden genutzt werden.
.I nmap
versucht unlogische und nicht unterstuetzte Kombinationen von Parametern
abzufangen und den Benutzer entsprechend zu warnen.
.Sp
Falls Sie ungeduldig sind, koennen Sie den Abschnitt
.I Beispiele
ueberspringen. Darin werden typische Befehlseingaben gezeigt. Ebenso kann
.B nmap -h
ausgefuehrt werden, um eine kurze Optionsreferenz ausgeben zu lassen.
.TP
.B SCAN-TYPEN
.TP
.B -sS
TCP SYN-Scan: Diese Technik wird oft als "halb-offen" (engl. "half-open")
bezeichnet, da keine volle TCP-Verbindung zustande kommt. Der Scanner schickt
ein TCP-Datagramm mit gesetzter SYN-Flagge an das Zielsystem, so wie dies im
Rahmen des Drei-Wege-Handschlags von TCP normalerweise auch der Fall ist. Nun
wird auf eine positive Rueckmeldung des Zielsystems gewartet. Kommt ein Paket
mit gesetzter SYN/ACK-Flagge zurueck, so wird der Zielport als im Status
LISTENING (dt. abhoerend) identifiziert. Im Gegenzug deutet ein RST-Datangramm
auf einen geschlossenen Port (engl. closed) hin. Wird ein SYN/ACK-Datagramm
entgegengenommen, schickt nmap (bzw. der Betriebssystem-Kernel) automatisch
ein RST zurueck, um den Verbindungsaufbau zu abzubrechen. Der primaere Vorteil
dieser Vorgehensweise ist, dass viele Systeme solcherlei Zugriffe nicht
protokollieren (Die meisten Applikationen interessieren sich nur fuer
vollstaendig etablierte Verbindungen). Leider setzt diese Scan-Technik
root-Privilegien voraus, da eine Generierung verhaeltnismaessig exotischer
Paket-Sequenzen von Noeten ist. Dies ist die standardmaessige Scan-Methode
fuer priviligierte Benutzer.
.TP
.B -sT
TCP connect()-Scan: Dies ist die klassische Form des TCP-Portscannings. Der
connect()-System-Call, der das Betriebssystem zur Verfuegung stellt, wird
immer dann genutzt, wenn eine Verbindung zum Port eines Zielsystems
hergestellt werden soll. Befindet sich der Zielport im Status LISTENING, so
wird der connect()-Zugriff erfolgreich ausfallen. Der entscheidende Vorteil
dieser Methode ist, dass keine erweiterten Rechte zur Durchfuehrung
erforderlich sind. Jeder Benutzer der meisten UNIX-Systeme ist in der Lage
solcherlei Zugriffe durchzufuehren.
.Sp
Diese Scan-Technik ist einfach zu entdecken und wird mit groesster
Wahrscheinlichkeit in den Protokoll-Dateien des Zielsystems auftauchen. Dies
ist der standardmaessig aktivierte Scan-Typ fuer unprivilegierte Anwender.
.TP
.B -sF -sX -sN
Stealth FIN-, Xmas-Tree- oder Null-Scan-Modis: Es gibt Momente, wo SYN-Scans
nicht heimlich genug ausfallen. Einige Firewall-Systeme (z.B. Packet-Filter)
sind in der Lage verdaechtige SYN-Aktivitaeten zu erkennen; ebenso koennen
Programme wie Synlogger oder Courtney die SYN-Portscans als solche ausweisen.
Diese erweiterten Scan-Techniken koennen somit in manchen Faellen ungehindert
die gewuenschten Resultate liefern.
.Sp
Die Idee ist, dass geschlossene Ports auf solcherlei Zugriffe mit einem
RST-Datagramm antworten muessten, waehrend ansprechbare Ports die Anfragen
ignorieren sollten (siehe RFC 793, S. 64). Der FIN-Scan nutzt ein
TCP-Datagramm mit gesetzter FIN-Flagge, waehrend der Xmas-Tree-Scan die
TCP-Flaggen FIN, URG und PSH aktiviert. Der Null-Scan schaltet alle optionalen
Flags ab. Leider ignoriert einmal mehr Microsoft die gaengigen Standards und
reagiert auf die exotischen Scan-Techniken ganz unerwartet. Dies bedeutet,
dass diese Scanning-Methoden nicht gegen Windows 9x, ME, NT, 2000 und XP
funktionieren. Auf der anderen Seite ist dies natuerlich hervorragend, wenn es
um das Identifizieren der TCP/IP-Implementierung von Microsoft geht: Findet
einer dieser Scans einen offenen Port, so kann davon ausgegangen werden, dass
es sich beim Zielsystem nicht um ein Windows handelt - Im Gegenzug deuten
unrealistisch viele offene Ports auf eine Windows-Maschine hin. Es gilt sich
jedoch noch die Meinung einer klassischen Scan-Methode (z.B. SYN) einzuholen.
Es gibt noch einige andere Betriebssysteme, die sich aehnlich demjenigen von
Microsoft verhalten. Dies sind zum Beispiel Cisco, BSDI, HP/UX, MVS und IRIX.
All diese retournieren ein Reset, auch wenn es sich um einen ansprechbaren
Port handelt. Mittlerweile ist diese knifflige Unterscheidungs-Arbeit mittels
exotischer Scanning-Techniken eher weniger wichtig, da nmap eine erweiterte
Methode fuer das Erkennen des eingesetzten Betriebssystems mitbringt.
.TP
.B -sP
Ping-Scanning: Manchmal ist es lediglich gefragt, welche Hosts in einem
Netzwerk aktiv sind. nmap kann diese Frage beantworten, indem eine ICMP echo
request-Anfrage an jede IP-Adresse im spezifizierten Netzwerk geschickt wird.
Hosts, die mit einer ICMP echo reply antworten, koennen als aktiv ausgewiesen
werden. Viele gewissenhafte Firewall- und Systemadministratoren filtern bzw.
verwerfen unnoetigen ICMP-Verkehr. nmap greift sodann auf eine andere Technik
zurueck. Es wird ein TCP-Datagramm mit gesetzter ACK-Flagge an einen
potentiell offenen Port des Zielsystems geschickt (standardmaessig TCP-Port
80). Wird ein RST zurueckgeschickt, so ist das Zielsystem vorhanden und
ansprechbar. Eine dritte Technik greift auf ein SYN-Datagramm zurueck, das auf
ein RST oder SYN/ACK wartet. Alle non-root Benutzer fuehren einen
connect()-Zugriff durch.
.Sp
Standardmaessig (bei root-Benutzern) fuehrt nmap beides - ICMP- und
ACK-Technik - parallel durch. Dies kann durch das Heranziehen der spaeter noch
detaillierter beschriebenen Option
.B -P
geaendert werden.
.Sp
Wichtig ist zu wissen, dass der Ping-Zugriff standardmaessig stets erfolgt.
Abhaengig der Erreichbarkeit eines Systems wird ein solches dann gescannt.
Benutzen Sie diese Option lediglich dann, wenn es um das Durchfuehren eines
Ping-Suchlaufs (
.B ohne
Portscan) geht.
.TP
.B -sU
UDP-Scans: Diese Methode wird stets dann herangezogen, wenn es um das
Identifizieren der offenen UDP-Ports (siehe RFC 768) eines Systems geht. Diese
Technik basiert darauf, dass ein UDP-Datagramm mit 0 Byte an Nutzdaten an
jeden Port des Zielsystems geschickt wird. Erhalten wir eine ICMP port
unreachable-Nachricht, so ist der Zielport geschlossen. Andererseits handelt
es sich um einen offenen Port.
.Sp
Einige Leute denken, dass UDP-Scanning sinnlos ist. Ich moechte in diesem
Zusammenhang auf die Luecke in Solaris' rpcbind hinweisen. rpcbind kann an
einem undokumentierten UDP-Port ueber 32770 gefunden werden. Bei diesem
Angriff und der vorangehenden Auswertung ist es sodann zu einem hohen Grad
irrelevant, ob Port 111 durch eine Firewall blockiert wird oder nicht. Ebenso
existiert das populaere, von cDc entwickelte Backdoor namens Back Orifice, das
durch einen frei waehlbaren UDP-Port Windows-Maschinen kontrollieren laesst.
Und nicht zu vergessen die vielen potentiell verwundbaren Dienste, die auf UDP
zurueckgreifen: SNMP, TFTP, NFS, etc.
.Sp
Traurigerweise ist UDP-Scanning in den meisten Faellen schmerzhaft langsam,
seitdem viele Betriebssystem-Entwickler der Empfehlung von RFC 1812 (Absatz
4.3.2.8) nachgekommen sind, die Anzahl ausgehender ICMP-Fehlernachrichten zu
limitieren. Zum Beispiel definiert der Linux-Kernel (in net/ipv4/icmp.h) die
Anzahl ausgehender ICMP destination unreachable-Fehlermeldungen auf 80 fuer 4
Sekunden, mit einer 1/4 Sekunde Zusatz fuer jeden Uebertritt. Solaris weist
einiges striktere Limitierungen auf (2 Nachrichten pro Sekunde), weshalb ein
UDP-Portscan gegen ein Solaris-System sehr lange dauert.
.I nmap
ist in der Lage solcherlei Limitierungen zu erkennen und mit einem dynamischen
Verlangsamen der Geschwindigkeit zu reagieren. Dies verhindert das Verstopfen
des Netzwerks mit unnoetigen Paketen, die sowieso vom Zielsystem ignoriert
werden wuerden.
.Sp
Einmal mehr typisch, ignoriert Microsoft die Empfehlungen des RFCs, weshalb
eine Einschraenkung ausgehender ICMP-Fehlermeldungen gaenzlich bei der
TCP/IP-Implementierung auf Windows 9x und NT fehlt. Das scannen saemtlicher
UDP-Ports auf einer Windows-Maschine ist somit kein groesseres Problem.
.TP
.B -sO
IP protocol-Scans: Diese Methode kommt dann zum Tragen, wenn herausgefunden
werden will, welche IP-Protokolle vom Zielsystem unterstuetzt werden. Diese
Technik basiert darauf, dass fuer jedes IP-Protokoll ein RAW IP-Paket mit
fehlendem Protokoll-Header an das Zielsystem geschickt wird. Erhalten wir eine
ICMP protocol unreachable-Fehlermeldung, so koennen wir davon ausgehen, dass
das besagte Protokoll nicht unterstuetzt wird. Faellt das Resultat anders aus,
kann mit einer Protokoll-Unterstuetzung gerechnet werden. Es ist wichtig zu
bemerken, dass einige Betriebssysteme (z.B. AIX, HP-UX und Digital UNIX) und
Firewall-Loesungen auf das Versenden der ICMP protocol
unreachable-Fehlermeldungen gaenzlich verzichten. Das Resultat eines solchen
Verhaltens ist die durch nmap generierte Ausgabe, dass saemtliche Protokolle
"offen" sind.
.Sp
Aufgrund dessen, dass diese Scan-Methode in ihren Grundzuegen auf den
Prinzipien des UDP-Portscannings aufbaut, spielt die Rate der potentiell
generierten ICMP-Fehlermeldungen eine beachtliche Wichtigkeit. Da das
IP-Protokoll Feld nur 8 Bits hat, muessen lediglich 256 Protokolle gescannt
werden, was sich in einem angemessenen Zeitrahmen erledigen laesst.
.TP
.B -sI <Zombie-Host[:Zielport]>
Idlescan: Diese erweiterte Scan-Technik ermoeglicht ein blindes Scannen der
TCP-Port eines Ziels (dies bedeutet, dass keinerlei Pakete mit der richtigen
IP-Absenderadresse verschickt werden). Stattdessen wird eine einzigartige
Attacke angewandt, die die Berechenbarkeit der IP Fragmentation ID eines
Zombie-Hosts ausnutzt. Intrusion Detection-Systeme werden den Scan-Versuch
dem spezifizierte Zombie-System zuschreiben (welches ansprechbar sein und
bestimmte Kriterien erfuellen muss). Ich habe eine Publikation zu diesem
Thema verfasst, die sich unter http://www.insecure.org/nmap/idlescan.html
findet.
.Sp
Neben der vollkommenen Sicherheit, nicht direkt erkannt werden zu koennen,
ermoeglicht dieser Scan-Typ das Erkennen von IP-basierenden
Vertrauensbeziehungen zwischen Geraeten. Das Port-Listing zeigt die offenen
Ports
.I aus der Sicht des Zombie-Systems.
Es ist sodann Moeglich das effektive Zielsystem durch verschiedene Zombies
scannen zu lassen, die eine bestehende Vertrauensbeziehung haben (via Router-
oder Packetfilter-Regeln). Ganz offensichtlich ist dies eine gewichtige
Information, wenn es um das Priorisieren von Angriffszielen geht. Andererseits
muessten Penetration Tester zuerst muehsam ein System kompromittieren, bis
verlaesslich gesagt werden kann, ob ueberhaupt die erforderliche
Vertrauensbeziehung besteht.
.Sp
Durch einen Doppelpunkt laesst sich die Portnummer des Zombiesystems
definieren. Ohne diese Angabe waehlt nmap den Standardport, der auch bei
TCP-Pings Verwendung findet (TCP-Port 80).
.TP
.B -sA
ACK-Scan: Auf diese erweiterte Scan-Technik wird normalerweise immer dann
zurueckgegriffen, wenn es um das Identifizieren eines Firewall-Regelwerks
geht. Zusaetzlich kann diese Methode eine Determinierung des Vorhandenseins
einer Stateful Inspection, die eingehende SYN-Pakete blockt, ermoeglichen.
.Sp
Dieser Scan-Typ schickt ein ACK-Paket (mit zufaellig gewaehlten
Bestaetigungs-/Sequenznummern) an den spezifizierten Zielport. Kommt ein RST
zurueck, wird der besagte Port als "unfiltered" (dt. ungefiltert) eingestuft.
Erhalten wir keine Rueckantwort (oder kommt ein ICMP unreachable zurueck), so
weist nmap den Port als "filtered" (dt. gefiltert) aus. Wichtig ist, dass
.I nmap
normalerweise keine "unfiltered" ausgibt. So sind
.B keine
Ports in der Ausgabe ein Indiz dafuer, dass alle Zugriffe durchgekommen sind
(und ein RST verursacht haben). Dieser Scan wird die Ports nie in einem
"open" (dt. offenen) Status zeigen.
.TP
.B -sW
Window-Scan: Diese erweiterte Scan-Technik ist dem ACK-Scan sehr aehnlich.
Ausser, dass hiermit manchmal auch offene, ungefilterte und gefilterte Ports
durch eine Anomalie in der durch die Betriebssysteme gewaehlten TCP window
size entdeckt werden koennen. Systeme, die gegen diese Attacke verwundbar sind,
sind einige Versionen von AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX,
OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks. Siehe das Archiv
der nmap-Hackers Mailingliste fuer eine vollstaendige Auflistung.
.TP
.B -sR
RPC-Scan: Diese Methode arbeitet in Kombination mit den meisten moeglichen
Scan-Typen von nmap zusammen. Jeder als offen identifizierte TCP- und UDP-Port
wird mit einer Vielzahl von SunRPC-Nullkommandos ueberflutet, um eine
Identifizierung von RPC-Ports vorzunehmen. Falls ein solcher gefunden wurde,
wird der Programmname und die Version ausgelesen, sofern diese Information zur
Verfuegung gestellt wird. Diese Vorgehensweise ist ebenso mit dem Heranziehen
von 'rpcinfo -p' moeglich; besonders dann, wenn des Zielsystems Portmapper
hinter einer restriktiven Firewall steht oder durch einen TCP-Wrapper
geschuetzt wird. Decoy-Scans arbeiten zur Zeit nicht mit RPC-Scans zusammen.
Irgendwann wird vielleicht Decoy-Scanning im Zusammenhang mit UDP-RPC-Scans
moeglich sein.
.TP
.B -sL
List-Scan: Diese simple Methode generiert eine Liste aller IP-Adressen und
Hostnamen, ohne die Zielsysteme direkt anzusprechen (Ping oder Portscan).
Eine Namensaufloesung ueber DNS findet stets statt, sofern dies nicht durch
das Heranziehen von -n unterbunden wird.
.TP
.B -b <FTP-Relay Host>
FTP-Bounce Attacke: Ein interessantes "Feature" des File Transport Protocols
(RFC 959) ist die Unterstuetzung von "Proxy"-FTP-Verbindungen. Mit anderen
Worten ist es moeglich, sich von boese.com auf ziel.com zu verbinden und
eine Datei ueberall hin zu schicken. Nun, dies hat wohl ausgezeichnet
funktioniert, als 1985 das besagte RFC geschrieben wurde. In der heutigen
Zeit ist es nicht mehr ohne weiteres Moeglich, sich auf fremde FTP-Server zu
verbinden und nach Belieben Dateien zu versenden. *Hobbit* schrieb 1995
folgendes zu dieser Schwachstelle: "[This protocol flaw] can be used to post
virtually untraceable mail and news, hammer on servers at various sites, fill
up disks, try to hop firewalls, and generally be annoying and hard to track
down at the same time." Bei dieser Scanning-Methode wird ein als Proxy
fungierender FTP-Server genutzt, um die offenen Ports eines Zielsystems
ausfindig zu machen. Beispielsweise kann dadurch zu einem hinter einer
Firewall positionierten FTP-Server verbunden werden, um danach interne, durch
das Firewall-Element gegen externe Zugriffe geschuetzte Ports (z.B. die
NetBIOS-Ports) anzusprechen. Falls auf dem FTP-Server ein Verzeichnis
existiert, bei dem sowohl Lese- als auch Schreibrechte vorhanden sind (z.B.
/incoming), kann eine semi-manuelle Uebergabe von Daten an die Zielports
durchgefuehrt werden (nmap nimmt einem diese Arbeit nicht ab).
.Sp
Das mit der Option '-b' uebergebene Argument, spezifiziert den als Proxy
gewollten Host, wobei die standard URL-Notation gilt. Das Format lautet
.I Benutzername:Passwort@Server:Port.
Alles, ausser
.I Server
ist optional. Wie eine Determinierung der gegen diese Zugriffsform verwundbare
Server vorgenommen werden kann, kann in meinem Artikel in
.I Phrack
51 nachgelesen werden. Eine aktualisierte Version ist auf der
.I nmap
Webseite (http://www.insecure.org/nmap) verfuegbar.
.TP
.B GENERELLE OPTIONEN
Keine der folgenden Optionen ist erforderlich. Einige von ihnen koennen jedoch
nuetzlich sein.
.TP
.B -P0
Verhindert das Pingen eines Hosts, bevor er gescannt wird. Dies ermoeglicht
das Scannen von Netzwerken, die keine ICMP echo requests (oder responses)
aufgrund einer restriktiv konfigurierten Firewall zulassen. microsoft.com ist
ein Beispiel fuer ein solches Netzwerk, in dem diese Funktion stets genutzt
werden sollte. Gebrauchen Sie
.B -P0
oder
.B -PT80
wenn ein Portscan gegen microsoft.com durchgefuehrt werden soll.
.TP
.B -PT
Benutzt einen TCP-Ping, um die Erreichbarkeit eines Hosts zu verifizieren.
Anstatt ICMP echo request-Abfragen zu verschicken und auf die entsprechenden
ICMP echo reply-Rueckantworten zu warten, wird auf ein TCP-Datagramm mit
gesetzter ACK-Flagge gesetzt. Ansprechbare Systeme sollten mit einem RST
antworten. Diese Funktion ist immer dann anzuwenden, wenn Systeme oder
Netzwerke gescannt werden sollen, die keine Erreichbarkeitsueberpruefung
mittels ICMP zulassen und trotzdem zuerst die Erreichbarkeit identifiziert
werden soll. Bei non-root Benutzern wird connect() angewandt. Um den Zielport
des Zugriffs zu spezifizieren, kann -PT<Portnummer> herangezogen werden. Der
Standardport ist einmal mehr TCP/80 (HTTP), da dieser eher selten durch einen
Filter gedeckt wird.
.TP
.B -PS
Diese Option benutzt fuer root-Benutzer SYN (Verbindungsanforderungen) anstatt
ACK-Pakete. Ansprechbare Hosts sollten mit einem RST (oder in seltenen Faellen
mit einem SYN/ACK) antworten. Das Setzen des Zielports kann auf die selbe Art
wie beim zuvor erlaeuterten -PT umgesetzt werden.
.TP
.B -PI
Diese Option nutzt einen klassischen Ping (ICMP echo request), um die
Erreichbarkeit von Systemen und Broadcast-Adressen von Subnetzen zu
identifizieren. Letztere sind extern erreichbare IP-Adressen, die eine
Umwandlung zu einem internen Broadcast des Subnetzes durchfuehren. Solcherlei
sollten verhindert werden, denn sie sind Voraussetzung fuer eine Reihe von
Denial of Service-Attacken (Smurf ist die bekannteste Variante).
.TP
.B -PP
Benutzt eine ICMP timestamp-Anfrage (Typ 13, Code 0), um ansprechbare Hosts zu
finden.
.TP
.B -PM
Das Gleiche wie
.B -PI
und
.B -PP
, ausser, dass eine ICMP address mask request (Typ 17, Code 0) zum Tragen kommt.
.TP
.B -PB
Dies ist der standardmaessig gewaehlte Ping-Typus. Er benutzt beide Techniken,
ACK (
.B -PT
) und ICMP echo requests (
.B -PI
), die jeweils parallel durchgefuehrt werden. Auf diese Weise koennen
Firewall-Elemente ausgetrickst werden, die eine der beiden Protokolle (nicht
beide) filtern. Der Zielport fuer den TCP-Zugriff kann auf die gleiche Weise
gesetzt werden, wie im zuvor erklaerten -PT.
.TP
.B -O
Diese Option aktiviert das Identifizieren des am Zielsystem eingesetzten
Betriebssystems anhand des TCP/IP-Fingerabdrucks (engl. TCP/IP fingerprint).
Es wird eine Anzahl spezifischer Tests umgesetzt, die das typische Verhalten
der jeweiligen TCP/IP-Implementierungen erkennen koennen sollen. Die
gegebenen Informationen stellen quasi einen 'Fingerabdruck' dar, der mit der
Datenbank der bekannten Betriebssystem-Fingerabdrucke (die
nmap-os-fingerprints Datei) verglichen wird.
.Sp
Falls nmap nicht in der Lage ist, eine mehr oder weniger eindeutige
Identifikation des am Zielsystem eingesetzten Betriebssystems vorzunehmen und
die gegebenen Bedingungen gut sind (mindestens ein ansprechbarer Port), gibt
nmap eine URL aus, bei der neu gefundene Fingerprints eingesendet werden
koennen. Dies setzt natuerlich voraus, dass Sie sich eindeutig im Klaren
darueber sind, um was fuer ein Betriebssystem es sich handelt. Durch diesen
Schritt koennen Sie aktiv an der Erweiterung der Datenbank mithelfen, wodurch
sie attraktiver fuer saemtliche Benutzer wird. Falls Sie beim Einsenden des
neuen Fingerabdrucks die IP-Adresse des Zielsystems mitangeben, muessen Sie
damit rechnen, dass es von uns zu Ueberpruefungszwecken gescannt wird.
.Sp
Die Option -O aktiviert ebenso einige weitere Tests. Einer dieser ist das
Messen der "Uptime". Hierzu wird das Timestamp-Feature von TCP genutzt (RFC
1323), um erkennen zu koennen, wann das Zielsystem das letzte mal neu
gestartet wurde. Diese Funktionalitaet wird natuerlich nur dann genutzt werden
koennen, wenn das Zielsystem diese Information auch entsprechend bereitstellt.
.Sp
Ein anderer Check, der durch die Option -O aktiviert wird, ist die
Klassifizierung der Berechenbarkeit der TCP-Sequenznummer des Zielsystems.
Das Ergebnis dieses Tests sagt aus, wie schwer es ist, eine bestehende
Verbindung des Zielsystems zu uebernehmen. Dies ist dann nuetzlich, wenn
auf IP-Adressen basierende Vertrauensbeziehungen (z.B. rlogin und
Firewall-Filter) missbraucht oder die Quelle eines Angriffs versteckt werden
sollen. Die mitgelieferte Difficulty-Number ist statistisch berechnet und kann
jeweils leicht abweichen. Zusaetzlich wird in knappen Worten (z.B. "worthy
challenge" or "trivial joke") der Zustand beschrieben. All dies wird nur dann
ausgegeben, wenn der Parameter -v mitangegeben wurde.
.Sp
Wenn die Option -O zusammen mit dem Verbose-Modus (-v) genutzt wird, wird
ebenso die Sequenz-Generierung der IPID ausgewiesen. Die meisten Geraete
werden als "incremental" klassifiziert, was bedeutet, dass sie fuer jedes
verschickte Paket eine Inkrementierung des ID-Felds im IP-Header vornehmen.
Ein solches Verhalten macht sie verwundbar gegen eine Reihe verschiedener
Auswertungs- und Spoofing-Attacken.
.TP
.B -6
Diese Option aktiviert die IPv6-Unterstuetzung. Saemtliche Ziele muessen mit
IPv6 zurecht kommen, sofern diese Option genutzt werden soll. Das
Spezifizieren der Ziele kann ganz normal ueber den DNS-Namen (AAAA record)
oder IPv6-Adresse (z.B. 3ffe:501:4819:2000:210:f3ff:fe03:4d0) geschehen.
Momentan sind TCP connect()- und Ping-Scans von nmap unterstuetzt. Falls UDP-
oder andere Scan-Typen genutzt werden sollen, lohnt sich ein Blick auf
http://nmap6.sourceforge.net/ .
.TP
.B -I
Hiermit wird das TCP reverse ident-Scanning aktiviert. Wie Dave Goldsmith in
einem Bugtraq-Posting aus dem Jahre 1996 publiziert hat, ermoeglicht das
ident-Protokoll (RFC 1413) das Identifizieren des Besitzers eines
TCP-Dienstes. So kann zum Beispiel eine Verbindung zum HTTP-Port des
Zielsystems hergestellt werden, um danach mittels ident herauszufinden, ob
der Webserver als root laeuft. Dies kann nur mit der Hilfe eines full-connect
TCP-Portscans (-sT) geschehen. Wenn
.B -I
aktiviert wird, wird der identd des Zielsystems fuer jeden als offen
identifizierten Port abgefragt. Logischerweise funktioniert diese ganze
Prozedur nicht, wenn das Zielsystem keinen identd aktiv hat.
.TP
.B -f
Diese Option erreicht, dass der durchgefuehrte SYN-, FIN-, Xmas- oder
Null-Scan mit fragmentierten IP-Paketen arbeitet. Die Idee ist, dass der
TCP-Header ueber mehrere Pakete verteilt werden soll, wodurch eine
Inspizierung durch Firewall- oder Intrusion Detection-Systeme erschwert wird.
Bei dieser Funktion ist Vorsicht geboten, denn viele der verbreiteten
Netzwerkanwendungen kommen mit derlei Datenverkehr nicht klar. Beispielsweise
erhielt ich bei meinem liebsten Sniffer ein segemtation fault, nachdem das
erste 36-byte Fragment eingelesen wurde. Danach kam gar ein 24-byte Paket!
Waehrend diese Methode keinen Erfolg bei Elementen verspricht, die eine
Warteschlange fuer IP-Fragmente haben (wie dies mittels der Option
CONFIG_IP_ALWAYS_DEFRAG unter Linux normalerweise der Fall ist), koennen
andere Umgebungen den enormen Aufwand fuer eine solche Analyse nicht tragen,
verzichten darauf und koennen deshalb ausgetrickst werden.
.Sp
Es bleibt zu bemerken, dass diese Option nicht auf allen Betriebssystemen
einwandfrei genutzt werden kann. Es arbeitet ohne Zwischenfaelle auf meinem
Linux, FreeBSD und OpenBSD; einige Leute berichten gar, dass es auch auf
anderen *NIX funktioniert.
.TP
.B -v
Verbose-Modus: Diese, eine sehr zu empfehlende Option, ermoeglicht eine
erweiterte Ausgabe von Informationen. Eine doppelte Nutzung ergibt einen
doppelt so grossen Effekt. Ebenso kann
.B -d
einige Male aktiviert werden, falls Sie wirklich vor einem ueberlasteten
Bildschirm verrueckt werden wollen!
.TP
.B -h
Diese handliche Funktion zeigt eine Kurzreferenz der nmap-Parameter. Wie Sie
vielleicht gemerkt haben, handelt es sich bei dieser man-Page nicht unbedingt
um eine 'handliche Kurzreferenz' :)
.TP
.B -oN <Protokoll-Dateiname>
Dies protokolliert die Resultate des Scans in einem normalen, fuer
.B Menschen lesbaren
Format in eine durch ein Argument spezifizierte Datei.
.TP
.B -oX <Protokoll-Dateiname>
Dies protokolliert die Resultate des Scans als
.B XML
in die durch ein Argument spezifizierte Datei. Dadurch koennen andere
Programme unkompliziert die durch nmap generierten Informationen auswerten und
verarbeiten. Durch das Argument '-' (ohne Anfuehrungszeichen) kann die
Ausgabe auf stdout (fuer Pipeline-Verarbeitung, etc.) umgeleitet werden. In
diesem Fall wird die normale Bildschirmausgabe unterdrueckt. Achtung vor
Fehlermeldungen (diese werden nach wie vor nach stderr geschickt). Ebenso ist
wichtig, dass '-v' in den meisten Faellen einige zusaetzliche Informationen
gewaehrleisten koennen wird. Die Dokumententypendefinition (engl. Document
Type Definition, abk. DTD), die fuer die XML-Ausgabe genutzt wird, steht unter
http://www.insecure.org/nmap/data/nmap.dtd bereit.
.TP
.B -oG <Protokoll-Dateiname>
Dies protokolliert die Resultate des Scans in eine
.B grepbare
Form in eine durch ein Argument spezifizierte Datei. Dadurch wird ein simples
Format angestrebt, welches alle Informationen auf einer Zeile ausgibt, weshalb
ganz einfach ein grep fuer Ports, OS-Informationen oder IP-Adressen umgesetzt
werden kann. Dieses einfache Format stellt meistens nicht so viele
Informationen bereit, wie dies bei anderen Ausgabevarianten der Fall ist.
Diese Form war die urspruenglich, fuer die Verarbeitung durch externe Programme
vorgehesene Dokumentierungs-Ausgabe. Mittlerweile ist jedoch XML empfohlen
(-oX). Einmal mehr kann die Angabe von '-' (ohne Anfuehrungszeichen) eine
Ausgabe auf stdout erzwingen (fuer Pipeline-Verarbeitung, etc.). Auch hier
wird die normale Ausgabe unterdrueckt. Ebenso werden Fehlermeldungen wie
ueblich auf stderr ausgegeben. Und '-v' wird in den meisten Faellen einige
zusaetzliche Informationen gewaehrleisten koennen.
.TP
.B -oA <Basisdateiname>
Dies veranlasst nmap in der Form ALLER wichtigen Formate (normal, grepbar und
XML) zu protokollieren. Sie geben den Dateinamen an, wobei nmap die
Erweiterungen in Form von basis.nmap, basis.gnmap und basis.xml automatisch
anfuegen wird.
.TP
.B -oS <Protokoll-Dateiname>
Dies protokolliert die Resultate der Scans in einem fuer
.B s|<ripT kiDd|3
lesbaren Format in eine durch ein Argument spezifizierte Datei. Durch die
Angabe des Arguments '-' (ohne Anfuehrungszeichen) kann die Ausgabe auf
stdout umgeleitet werden.
.TP
.B --resume <Protokoll-Dateiname>
Ein Netzwerk-Scan, der durch das Druecken von Control-C unterbrochen wurde,
kann durch diese Option reaktiviert werden. Der Protokoll-Dateiname muss
entweder eine normale (-oN) oder durch Maschinen verarbeitbare (-oM)
Scan-Protokoll-Datei sein. Die Angabe abweichender oder zusaetzlicher Optionen
ist nicht moeglich - Sie werden vom abgebrochenen Scan uebernommen. nmap wird
mit der zuletzt in der Protokoll-Datei erfolgreich gescannt vermerkten
Maschine starten.
.TP
.B --append_output
Weist nmap an, die Scan-Resultate an die spezifizierten Protokoll-Datei
anzuhaengen, anstatt die besagten Dateien zu ueberschreiben.
.TP
.B -iL <Eingabe-Dateiname>
Liest die Ziel-Spezifizierung ZUERST von der angegebenen Datei ein, und erst
danach von der Kommandozeileneingabe. Die Datei sollte eine Liste von Hosts
oder Netzwerken enthalten, die jeweils durch ein Leer-, Tabulator- oder
Neuezeile-Zeichen getrennt sind. Benutzen Sie einen Bindestrich (-) als
.I Eingabe-Dateiname
, falls Sie wollen, dass nmap die Zielspezifizierungen von stdin liest (wie
im Zusammenhang mit einer Pipe). Siehe den Absatz
.I Ziel-Definition
fuer zusaetzliche Informationen zu der gueltigen Ausdrucksweise.
.TP
.B -iR
Diese Option weist nmap an, zufaellig generierte Hosts zu scannen :). Dies hat
kein Ende. Eine solche Funktion ist zum Beispiel fuer eine statistische
Auswertung innerhalb des Internets nuetzlich. Falls Sie einmal wirklich sehr
gelangweilt sein sollten, so versuchen Sie
.I nmap -sS -iR -p 80
um Webserver-Systeme zu finden.
.TP
.B -p <Port-Bereich>
Diese Option spezifiziert, welche Ports gescannt werden sollen. Zum Beispiel
wird '-p 23' lediglich einen Zugriff auf den Port 23 (Telnet) der Zielsysteme
durchfuehren. '-p 20-30,139,60000-' scannt die Ports zwischen 20 und 30,
Port 139 und alle Ports groesser als 60000. Standardmaessig werden saemtliche
well-known Ports zwischen 1 und 1024 sowie alle in der services-Datei von nmap
gelisteten Dienste gescannt. Fuer einen IP-Protokoll-Scan (-sO) kann mit
dieser Option die zu scannende Protokoll-Nummer (0-255) angegeben werden.
.Sp
Werden gleichzeitig TCP- und UDP-Ports gescannt, so kann das jeweilige
Protokoll durch ein vorangestelltes "T:" oder "U:" angewaehlt werden. Die
mitgegebenen Ports gelten so lange fuer das spezifizierte
Uebertragungsprotokoll, bis ein anderes angegeben wird. Zum Beispiel werden
mit dem Argument "-p U:53,111,137,T:21-25,80,139,8080" die UDP-Ports 53, 111
und 137 sowie die TCP-Ports 21 bis 25, 80, 139 und 8080 gescannt. Wichtig ist,
dass bei einem gleichzeitigen TCP- und UDP-Scan neben der Angabe von -sU
mindestens eine TCP-Scan-Variante mitangegeben werden muss (zum Beispiel -sS,
-sF oder -sT). Wird bei der Wahl der Zielports auf das spezifizieren eines
Protokolls verzichtet, bezieht sich die Option auf saemtliche
Uebertragungsprotokolle.
.TP
.B -F
Schneller Scan-Modus (engl. Fast scan mode): Dies gibt an, dass Sie lediglich
die in der services-Datei von nmap gelisteten Dienste scannen wollen (oder bei
-sO die Protokolle der protocols-Datei). Selbstverstaendlich ist dies viel
schneller, als saemtliche 65535 Ports eines Hosts zu ueberpruefen.
.TP
.B -D <Decoy1 [,Decoy2][,ME],...>
Veranlasst einen sogenannten Decoy-Scan (dt. Lockvolgel). Bei diesem sieht es
so aus, als wuerde eine Reihe zusaetzlicher Hosts die Zielumgebung scannen.
Ein Intrusion Detection-System wird zwischen 5 und 10 Portscans verschiedener
IP-Adressen protokollieren, wobei ohne weiteres nicht genau festgestellt
werden kann, welches System den Scan wirklich durchfuehrt. Waehrend diese
Methode durch Router Path Traceing, Response-Dropping und andere "aktive"
Mechanismen niedergeschlagen werden kann, ist es doch eine extrem effektive
Technik, um die eigene IP-Adresse zu verstecken.
.Sp
Die jeweiligen Lockvoegel koennen durch ein Komma getrennt werden. Optional
kann durch die Angabe von 'ME' (dt. mich) die eigene Position in der
Zugriffsreihenfolge gewaehlt werden. Falls 'ME' in die sechste oder noch eine
spaetere Position gesetzt wird, sind einige Portscan-Detektoren (z.B. Solar
Designers scanlogd) nicht in der Lage, die richtige IP-Adresse anzuzeigen.
Falls Sie 'ME' nicht mitangeben, wird nmap eine zufaellige Position bestimmen.
.Sp
Achtung, die als Decoys angegebenen Hosts sollten vom Zielsystem erreichbar
sein. Andernfalls ist es durchaus moeglich, dass dieses durch einen SYN-Flood
in die Knie gezwungen wird. Zudem ist es relativ einfach zu erkennen, welches
System den Scan durchfuehrt, wenn nur dieses eine System wirklich im Netzwerk
aktiv ist. Es lohnt sich IP-Adressen anstatt Hostnamen bei der Spezifizierung
der Lockvogel-Systeme anzugeben (so ist keine Namensaufloesung noetig und die
Protokoll-Eintraege in den Nameservern bleibt aus).
.Sp
Ebenso weisen einige (dumme) "Portscan-Detektoren" Firewalling-Funktionalitaet
auf, und sie unterbinden die Verbindungsmoeglichkeit jeglichen Systems, das
einen Portscan durchfuehrt. So kann es durchaus sein, dass die
Verbindungsmoeglichkeit des Zielsystems zu den Lockvoegeln verhindert wird.
Dies ist dann problematisch, wenn es sich um ein wichtiges System, wie zum
Beispiel das Standard-Gateway, handelt. Also, es gilt vorsichtig im Umgang
mit dieser Option zu sein. Die Moral dieser Geschichte ist, dass
Portscan-Detektoren mit automatisierter Strike-Back Funktionalitaet keine gute
Idee sind - Hinter jedem Portscan koennte sich ein Lockvogel verbergen!
.Sp
Die Lockvoegel werden im initialen Ping-Scan (ICMP, SYN oder ACK) und waehrend
der eigentlichen Portscan-Phase verwendet. Ebenso finden sie beim Durchfuehren
einer Betriebssystem-Erkennung (
.B -O
) Verwendung.
.Sp
Es bleibt zu sagen, dass zu viele Lockvoegel einen Scan verlangsamen und
ineffizienter machen koennen. Ebenso filtern einige ISPs gespoofte Pakete
heraus, obwohl dies zur Zeit die wenigsten machen.
.TP
.B -S <IP-Adresse>
Unter bestimmten Umstaenden ist
.I nmap
nicht in der Lage, Ihre Quell-IP-Adresse zu identifizieren (
.I nmap
wird Ihnen dies mitteilen). In einer solchen Situation kann mit der Hilfe der
Option -S die IP-Adresse (der gewuenschten Schnittstelle) festgelegt werden.
.Sp
Eine andere Moeglichkeit dieser Option ist die Quelle des Scans zu spoofen, so
dass das Zielsystem glaubt, dass
.B jemand anderes
die Zugriffe durchfuehrt. Stellen Sie sich vor, dass eine Firma ploetzlich von
ihrem Konkurrenten einen Scan verzeichnet! Dies ist nicht der Hauptnutzen
dieser Option. Ich denke lediglich, dass diese Theorie einen guten Grund
bereitstellt, nicht sofort jeden als Scanner zu beschimpfen, nur weil es
scheint, dass von ihm ein Scan gestartet wurde.
.TP
.B -e <Schnittstelle>
Weist nmap an, ueber welche Schnittstelle die Daten verschickt und empfangen
werden sollen. nmap sollte in der Lage sein diesen Umstand von sich aus zu
erkennen. Falls dem nicht so ist, kann diese Option herangezogen werden.
.TP
.B -g <Portnummer>
Definiert den Quellport fuer die Scans. Einige naive
Firewall-Implementierungen machen bei DNS (53) und FTP-DATA (20) eine Ausnahme
und lassen solcherlei Verbindung entgegen der Bestimmungen im Regelwerk zu.
Obschon dieser Umstand ganz einfach durch Angreifer ausgenutzt werden kann, um
sich als FTP- oder DNS-System maskierend einen Vorteil zu verschaffen. Fuer
einen UDP-Scan sollte 53 als erstes ausprobiert werden. Bei einem TCP-Scan
bieten sich 20 und 53 an. Achtung, es handelt sich bei dieser Option lediglich
um eine Anfrage, die nicht zwingend in jeder Situation von nmap umgesetzt
werden will und kann. Zum Beispiel ist eine ISN-Analyse nicht von System:Port
zu System:Port moeglich, so dass nmap eine dynamische Portzuweisung
durchfuehrt, auch wenn anderes durch -g angegeben wurde.
.Sp
Seien Sie gewarnt, dass diese Option bei einigen Scan-Varianten
Performance-Einbussen mit sich bringt.
.TP
.B --data_length <Anzahl>
Normalerweise verschickt nmap moeglichst kleine Pakete, die lediglich aus dem
Header bestehen. So weisen TCP-Datagramme im Normalfall eine Laenge von 40 und
ICMP echo request-Anfragen 28 Bytes auf. Diese Option weist nmap an, die
verschickten Pakete um Null-Bytes zu verlaengern. Pakete zur Erkennung des
Betriebssystens (-O) sind nicht betroffen. Ganz im Gegensatz zu
Ping-Zugriffen und Portscan-Paketen. Dies verlangsamt natuerlich die Zugriffe
unter Umstaenden - Aber ebenso kann es die Unauffaelligkeit des Scans
erhoehen.
.TP
.B -n
Sagt nmap, dass
.B NIE
reverse DNS-Aufloesungen von als aktiv identifizierten IP-Adressen
durchgefuehrt werden sollen. Da DNS oft langsam ist, kann diese Option die
Zugriffe beschleunigen.
.TP
.B -R
Sagt nmap, dass
.B IMMER
reverse DNS-Aufloesungen von als Ziel spezifizierten IP-Adressen durchgefuehrt
werden sollen. Dies wird im Normalfall nur immer dann durchgefuehrt, wenn ein
Zielsystem als aktiv identifiziert werden konnte.
.TP
.B -r
Sagt nmap, dass
.B KEINE
zufaellige Wahl beim Scannen der Ports gewuenscht ist.
.TP
.B --ttl <time to live>
Setzt den "Time to live" Wert im IPv4 Header.
.TP
.B --randomize_hosts (dt. zufaellige Reihenfolge der Hosts)
Sagt nmap, dass bei einer Gruppe von bis zu 2048 Zielen eine zufaellige
Reihenfolge gewaehlt werden soll, bevor sie gescannt werden. Dies kann den
Scanvorgang fuer viele Netzwerk-Monitoring-Systeme schwieriger zu entdecken
machen; ganz besonders dann, wenn langsame Timing-Optionen angewandt werden
(siehe unten).
.TP
.B -M <Maximale Sockets>
Setzt die maximale Anzahl der Sockets bei einem parallel durchgefuehrten TCP
connect()-Scan fest. Dies ist zum Beispiel in Situationen nuetzlich, wenn der
Scanvorgang kuenstlich verlangsamt werden soll, damit das Zielsystem nicht
unter der Last der Zugriffe zusammenbricht. Eine andere Herangehensweise ist
durch -sS gegeben, die durch die Geraete oft einfacher zu handhaben ist.
.TP
.B TIMING-OPTIONEN
Normalerweise macht nmap hervorragende Arbeit, um waehrend eines Scans das
Maximum an Performance herauszuholen, ohne Fehlermeldungen zu Hosts oder Ports
zu provozieren. Trotzdem kann es Situationen geben, in denen das Timing von
nmap nicht dem von Ihnen gewuenschten entspricht. Die folgenden Optionen
ermoeglichen eine feine Skalierbarkeit der Kontrolle bezueglich des
Scan-Timings:
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Diese vordefinierten Timing-Richtlinien erlauben Ihnen nmap Ihre Prioritaeten
mitzuteilen. Der
.B Paranoid
-Modus scannt
.B sehr
langsam, in der Hoffnung, nicht von Intrusion Detection-Systemen entdeckt zu
werden. Die Scans werden in Serie geschaltet (kein paralleles Scanning) und im
Normalfall wird bis zu 5 Minuten zwischen dem Versand der Pakete gewartet.
.B Sneaky
(dt. schleichend) ist aehnlich, ausser, dass lediglich 15 Sekunden zwischen
dem Paket-Versand gewartet wird.
.B Polite
(dt. hoeflich) wird dann relevant, wenn die Netzwerkbelastung niedrig gehalten
werden will. Zum Beispiel, um Abstuerze von Systemen zu vermeiden. Die
Zugriffe werden wiederum in Serie geschaltet und zwischen den Zugriffen wird
.B mindestens
0.4 Sekunden gewartet.
.B Normal
spiegelt das normale Verhalten von nmap wieder, was einen Kompromiss zwischen
maximaler Geschwindigkeit bei absoluter Zuverlaessigkeit darstellt.
.B Aggressive
(dt. aggressiv) fuegt eine Wartezeit von 5 Minuten zwischen den einzelnen
Hosts hinzu. Es wird jedoch nie laenger als 1.25 Sekunden auf Antworten
gewartet.
.B Insane
(dt. geisteskrank) ist lediglich in sehr schnellen Netzwerken moeglich. Oder
ueberall dort, wo auf die Zuverlaessigkeit des Resultat nicht sonderlich viel
gegeben wird. Zwischen den einzelnen Systemen wird 75 und zwischen den
Zugriffen 0.3 Sekunden gewartet. Dies lohnt sich zum Beispiel fuer einen
schnellen Netzwerk-Suchlauf :). Die einzelnen Modi koennen ebenso durch eine
Nummer (0-5) referenziert werden. Zum Beispiel gibt '-T 0' den
Paranoid-Modus an und '-T 5' steht fuer Insane.
.Sp
Diese spezifischen Timing-Modi sollten NICHT zusammen mit den nun folgend
vorgestellten Timing-Optionen verwendet werden.
.TP
.B --host_timeout <Millisekunden>
Spezifiziert den Zeitraum, der nmap gegeben wird, um ein einzelnes System zu
scannen, bevor sich einer neuen IP-Adresse gewidmet wird. Der Standardwert hat
kein Timeout fuer Hosts.
.TP
.B --max_rtt_timeout <Millisekunden>
Spezifiziert den Zeitraum, der nmap gegeben wird, um eine Antwort zu warten,
bevor eine Uebertragunswiederholung eingeleitet wird oder das Timeout in Kraft
tritt. Der Standardwert ist auf 9000 gesetzt.
.TP
.B --min_rtt_timeout <Millisekunden>
Antwortet ein Host sehr schnell auf unsere Anfragen, wird nmap das Zeitlimit
fuer zukuenftige Zugriffe auf das besagte Zielsystem verkleinern. Dies bringt
einen Geschwindigkeitsvorteil mit sich, wobei jedoch auch Pakete verloren
gehen koennen, falls ploetzlich ein Antworten in der vorhergesehenen
Zeitspanne nicht mehr moeglich sein sollte. Mit dieser Option kann nmap
angewiesen werden, dass immer mindestens ein bestimmter Zeitwert gewartet
werden soll, bevor der Vorgang abgebrochen wird.
.TP
.B --initial_rtt_timeout <Millisekunden>
Spezifiziert das Timetout fuer den initialen Zugriff. Dies ist normalerweise
nur dann sinnvoll, wenn durch Firewall-Systeme geschuetzte Hosts mit der
Option -P0 gescannt werden sollen. Normalerweise ist nmap in der Lage den
RTT-Wert anhand des Ping-Zugriffs und der ersten Auswertungen optimal
festzulegen. Der Standardwert lautet 6000.
.TP
.B --max_parallelism <Anzahl>
Spezifiziert die maximale Anzahl parallel von nmap durchfuehrbaren Zugriffe.
Das Setzen dieser Option heisst fuer nmap, dass nie mehr als 1 Port auf einmal
gescannt werden soll. Ebenso sind andere Scan-Typen betroffen, die
normalerweise parallel durchgefuehrt werden koennen (z.B. Ping-Suchlauf,
RPC-Scan, etc.).
.TP
.B --min_parallelism <Anzahl>
Weist nmap an, beim Scan eine gewisse Anzahl von Ports parallel zu scannen.
Dies kann unter Umstaenden den Auswertungs-Vorgang von Firewall-Systemen
beschleunigen. Aber seien Sie vorsichtig: Die Resultate werden umso
unzuverlaessiger, desto hoeher die Anzahl paralleler Zugriffe gesetzt wird.
.TP
.B --scan_delay <Millisekunden>
Spezifiziert das
.B Minimum
der Zeit, die nmap zwischen den jeweiligen Zugriffen warten muss. Dies ist
sehr nuetzlich, um das Datenaufkommen in Netzwerken zu reduzieren oder durch
den langsameren Scanvorgang vor IDS-Tresholds verborgen zu bleiben.
.TP
.B --packet_trace
Sagt nmap, dass saemtliche verschickten und empfangenen Pakete in einem
tcpdump-aehnlichen Format dargestellt werden sollen. Dies ist ganz besonders
fuer Debugging nuetzlich. Ausserdem kann so viel ueber die Funktionsweise
gelernt werden.
.SH ZIEL-SPEZIFIKATION
Alles, das nmap nicht als Option mitgegeben wird (oder ein Argument einer
Option darstellt) wird als Ziel-Spezifikation angesehen. Die einfachste Form
dessen, ist das Auflisten von einzelnen Hostnamen oder IP-Adressen in der
Kommandozeile. Falls Sie ein Subnetz scannen wollen, so koennen Sie
.B '/Maske'
am Hostnamen oder der IP-Adresse anfuegen. Die
.B Maske
muss einen Wert zwischen 0 (das ganze Internet scannen) und 32 (den einzelnen
Host scannen) aufweisen. Benutzen Sie /24 fuer das Scannen eines Klasse
C-Netzwerks und /16 fuer ein Klasse B-Netzwerk.
.Sp
nmap greift zudem auf eine sehr maechtige Notation zurueck, die eine sehr
komfortable Spezifikation von IP-Adressbereichen zulaesst. So kann das Klasse
B-Netzwerk 192.168.*.* mit der Angabe von '192.168.*.*'
oder '192.168.0-255.0-255' oder '192.168.1-50,51-255.1,2,3,4,5-255' gescannt
werden. Und selbstverstaendlich ist auch die verbreitete Netzmasken-Notation
zulaessig: '192.168.0.0/16'. All diese Eingaben fuehren zum gleichen Ziel.
Falls Sie das Asteriks-Zeichen (dt. Stern, '*') benutzen wollen, denken Sie
daran, dass einige Shells das Escapen mittels Backslashes oder das
Auskommentieren mittels Gaensefuesschen verlangen.
.Sp
Eine andere Moeglichkeit ist genau durch das umgekehrte Herangehen gegeben.
Anstatt ein ganzes Klasse B-Netzwerk zu scannen, kann mit der Angabe
von '*.*.5.6-7' jede IP-Adresse gescannt werden, die auf .5.6 oder .5.7 endet.
Fuer zusaetzliche Informationen, konsultieren Sie den Abschnitt
.I Beispiele
.SH BEISPIELE
Hier folgen nun einige Beispiele fuer das Nutzen von nmap. Diese reichen von
einfachen ueber normale bis hin zu komplexen Ansaetzen. Es werden existente
IP-Adressen und Domainnamen verwendet, um die Beispiele konkreter zu
gestalten. Anstatt ihrer Stelle sollten Sie Adressen und Namen
.B Ihres eigenen Netzwerks
benutzen. Ich bin der Meinung, dass Portscanning fremder Netzwerke nicht
illegal ist; ebenso sollten Portscans nicht als Angriffe gewertet werden. Ich
habe tausende Maschinen gescannt und bisher erst eine Rueckmeldung erfahren.
Jedoch bin ich kein Anwalt und einige (langweilige) Leute koennten durch
mittels
.I nmap
generierter Zugriffe nervoes werden. Holen Sie sich zuerst eine Erlaubnis fuer
Ihre Aktivitaeten ein oder tragen Sie die Risiken selbst.
.Sp
.B nmap -v ziel.beispiel.com
.Sp
Diese Option scannt alle reservierten TCP-Ports am Zielsystem mit dem Namen
ziel.beispiel.com. Das -v aktiviert den Verbose-Modus.
.Sp
.B nmap -sS -O ziel.beispiel.com/24
.Sp
Hier wird ein stealth SYN-Scan gegen jede der 255 Maschinen des Klasse
C-Netzwerks von ziel.beispiel.com gestartet. Ebenso wird versucht das
Betriebssystem der aktiven Systeme zu ermitteln. Dieser Vorgang erfordert
root-Privilegien aufgrund des SYN-Scans und der Betriebssystemerkennung.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
Startet einen Xmas-Tree-Scan auf die erste Haelfte der 255 moeglichen 8
Bit Subnetze des Klasse B-Adressraums von 198.116. Wir ueberpruefen, ob am
Zielsystem SSHD, DNS, POP3D, IMAPD oder der Port 4564 aktiv ist. Wichtig ist,
dass Xmas-Scans nicht gegen Microsoft-Geraete funktionieren, da einige
Abweichungen bei der Implementierung des TCP-Stacks gemacht wurden. Das gleiche
gilt fuer Cisco-, IRIX-, HP/UX- und BSDI-Maschinen.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Manchmal ist es nicht erforderlich einen IP-Adressbereich zu scannen. So kann
es durchaus sein, dass in einer Situation das Absuchen spezieller Geraete
noetig wird. Dieses Kommando findet saemtliche Webserver, die eine IP-Adresse
aufweisen, die auf .2.3, .2.4 oder .2.5 endet. Falls Sie root sind, so kommt
eventuell ein Hinzufuegen von -sS in Frage. Ebenso koennten mehr interessante
Systeme gefunden werden, wenn bei 127 gestartet wird (IMHO). In diesem Fall
koennen die durch die Sterne gegebenen Platzhalter durch '127-222' ersetzt
werden.
.Sp
.B host -l firma.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
Fuehrt einen DNS-Zonetransfer durch, um saemtliche Hosts von firma.com zu
finden. Die Ausgabe der IP-Adressen wird sodann fuer die weitere Verarbeitung
zu
.I nmap
umgeleitet. Die dokumentierte Kommandofolge funktioniert nur auf Geraeten mit
GNU/Linux. Vielleicht muessen Sie auf anderen Betriebssystemen andere Kommandos
und Optionen heranziehen.
.SH FEHLER
Fehler? Was fuer Fehler? Senden Sie sie mir, falls sie solche finden.
Entsprechende Patches waeren auch gleich nett :) Denken Sie ausserdem daran,
neue OS-Fingerabdruecke einzusenden, damit die Datenbank wachsen kann. nmap
gibt eine URL zur Uebermittlung des unbekannten Fingerabdrucks aus.
.SH AUTOR
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH UEBERSETZUNG
.Sp
Marc Ruef
.I <marc.ruef@computec.ch>
.Sp
http://www.computec.ch
.Sp
Wettingen, Oktober 2002
.SH DISTRIBUTION
Die neueste Version von
.I nmap
kann jeweils von
.I http://www.insecure.org/nmap/
bezogen werden.
.Sp
.I nmap
is (C) 1995-2002 by Insecure.Com LLC
.Sp
Dieses Programm gilt als freie Software; Sie koennen sie unter den
Lizenzbestimmungen der GNU General Public License, wie sie von der Free
Software Foundation in der Version 2 publiziert wurde, weitergeben und/oder
veraendern. Dies weist Ihnen das Recht zu, die Software unter den gegebenen
Bestimmungen zu nutzen, modifizieren und weiterzugeben. Falls Sie diese
Lizenzbestimmungen nicht akzeptieren wollen, ist Insecure.Org unter Umstaenden
in der Lage, eine alternative Lizenzbestimmung auszuhandeln (kontaktieren Sie
fyodor@insecure.org).
.Sp
Der Quelltext dieser Software wird aus diesem Grund zur Verfuegung gestellt,
weil wir glauben, dass die Benutzer ein Recht darauf haben zu wissen, was die
von ihnen eingesetzten Programme machen. Dies ermoeglicht zudem das
Ueberpruefen der Software auf etwaige Sicherheitsschwachstellen (bisher wurden
keine gefunden).
.Sp
Der Quelltext ermoeglicht zudem das Portieren von nmap auf neue Plattformen,
das Beheben von Fehlern und Hinzufuegen neuer Funktionalitaeten. Ich darf Sie
bitten entsprechende Aenderungen an fyodor@insecure.org zu schicken, um eine
etwaige Zusammenarbeit zu besprechen. Durch das Senden von Neuerungen an
Fyodor oder einem der Mitglieder der Entwickler-Meilingliste erlauben Sie die
unlimitierte, nicht-exklusive Weiterverwendung, Modifizierung und
Relizensierung. Dies ist insofern wichtig, da einige andere Free Software
Projekte (zum Beispiel KDE und NASM) sich mit unnoetigen Lizenzproblemen
konfrontiert sahen. nmap wird stets als open-source zur Verfuegung stehen.
Falls Sie sich an andere Lizenzbestimmungen halten moechten, so vermerken Sie
dies doch bitte beim Einsenden Ihres Materials.
.Sp
Dieses Programm wurde in der Hoffnung entwickelt, dass es nuetzlich ist;
jedoch
.B OHNE JEGLICHE GARANTIE.
Siehe die GNU General Public License fuer zusaetzliche Informationen (sie ist
in der Datei namens COPYING, die mit
.I nmap
mitgeliefert wird, enthalten).
.Sp
Es muss zusaetzlich erwaehnt werden, dass nmap in der Lage ist, schlecht
geschriebene Anwendungen, TCP/IP-Stacks und Betriebssysteme abstuerzen zu
lassen.
.B nmap sollte nie auf mission-critical Systeme angewandt werden
, ausser, wenn ein entsprechender Ausfall (engl. downtime) verkraftet werden
kann. Wir bestaetigen hiermit, dass nmap unter Umstaenden Systeme und Netzwerke
negativ beeinflussen kann. Wir tragen keine Verantwortung fuer Probleme, die
beim Nutzen von nmap entstehen koennen.
.Sp
Aufgrund dessen, dass das Risiko eines Absturzes besteht und einige Black Hats
nmap fuer das Auswerten von Angriffszielen missbrauchen, koennen einige
Administratoren allergisch auf das Scannen ihrer Systeme reagieren. Somit ist
es stets empfehlenswert, die Erlaubnis fuer das Scannen eines Netzwerks
einzuholen.
.Sp
nmap sollte aus Sicherheitsgruenden nie mit erweiterten Privilegien (z.B. suid
root) gestartet werden.
.Sp
Dieses Produkt beinhaltet Software-Teile, die von der Apache Software
Foundation (http://www.apache.org/) entwickelt wurden. Die
.I Libpcap
portable Bibliothek wird als Teil von nmap mitgeliefert. Libpcap wurde
urspruenglich durch Van Jacobson, Craig Leres und Steven McCanne,
alle vom Lawrence Berkeley National Laboratory, Universitaet von Kalifornien,
Berkeley, CA, entwickelt. Zur Zeit wird sie von http://www.tcpdump.org
betreut.

887
docs/nmap_italian.1
View File

@@ -1,887 +0,0 @@
.\" This definition swiped from the gcc(1) man page
.\" Traslated in Italian by deneb <deneb@penguin.it>
.\" Wen Aug 30 2000
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NOME
nmap \- Utility di esplorazione per le rete e security scanner
.SH SINTASSI
.B nmap
[Tipi Scan] [Opzioni] <host o rete #1 ... [#N]>
.SH DESCRIZIONI
.I Nmap
<EFBFBD> progettato per permettere agli ammistratori di sistema e
alle persone curiose lo scan di grandi reti al fine di
determinare quali host sono attivi e quali servizi offrono.
.I nmap
supporta un grande numero di tecniche per lo scanning come
ad esempio: UDP, TCP connect(), TCP SYN (semi aperto),
ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep),
FIN, ACK sweep, Xmas Tree, SYN sweep, e scan Null.
Vedete la sezione
.I Tipi di scan
per ulteriori informazioni.
nmap offre anche varie caratteristiche avanzate come per esempio
il rilevamento del S.O. via TCP/IP fingerprinting, lo scan stealth
(invisibile), ritardo dinamico e i calcoli delle ritrasmissioni,
lo scan parallelo, il rilevamento degli host non attivi mediante
i ping paralleli, lo scan mediante decoy, il rilevamento del
filtraggio delle porte, lo scan RPC diretto (non-portmapper),
lo scan di frammentazione, la specifica flessibile della
destinazione e delle porte.
.PP
Sforzi significativi sono stati impiegati nel rendere decenti
le performance per gli utenti non root. Sfortunatamente,
molte interfacce del kernel critiche (come ad esempio i
socket raw) richiedono i privilegi di root.
nmap dovrebbe essere eseguito da root ogni volta che <20>
possibile.
.PP
Il risultato di un'esecuzione di nmap <20> di solito una lista
di porte interessanti sulla/e macchina/e, che sono state
sottoposte allo scan (se ve ne sono). Nmap da sempre
il nome del servizio "ben noto" (se noto), il numero, lo
stato, e il protocollo. Lo stato pu<70> essere 'open' (aperto),
'filtered' (filtrato), o 'unfiltered' (non-filtrato).
Open significa che la macchina destinazione accetter<65> (
mediante accept()) le connessioni su quella porta. Filtered
significa che un firewall, filtro, o un altro ostacolo di
rete sta coprendo la porta e impedendo a nmap di determinare
se la porta <20> aperta. Unfiltered significa che nmap ha
riconosciuto la porta come chiusa e nessun firewall/filtro
sembra aver interferito con il tentativo di nmap di
rilevare se la porta fosse aperta o chiusa.
Le porte unfiltered (non-filtrate) sono il caso pi<70> comune e
sono mostrate solo quando la maggior parte delle porte
esaminate sono nello stato filtered (filtrate).
.PP
A seconda delle opzioni usate, nmap pu<70> riportare le seguenti
caratteristiche dell'host remoto: S.O. in uso, sequenziabilit<69>
TCP, nomi gli utenti che hanno eseguito i programmi che sono
associati ad una data porta, il nome del DNS, se l'host <20> un
indirizzo smurf, e poco altro.
.SH OPZIONI
Le opzioni che assieme hanno senso possono essere generalmente
combinate. Alcune opzioni sono specifiche a date modalit<69> di scan.
.I nmap
prova a rilevare e avvisare l'utente su combinazioni psicotiche o
non supportate.
.Sp
Se siete impazienti, potete passare direttamente alla sezioni di
.I esempi
posta alla fine, che dimostra l'utilizzo comune. Potete anche
eseguire
.B nmap -h
per ottenere una pagina di riferimento rapido, che elenca tutte
le opzioni.
.TP
.B TIPI DI SCAN
.TP
.B \-sT
Scan TCP connect(): Questa <EFBFBD> la forma base dello scan TCP. La
chiamata di sistema connect() fornita dal vostro sistema
operativo <EFBFBD> usata per aprire una connessione ad ogni porta
interessante sulla macchina. Se la porta <EFBFBD> in ascolto, la
connect() avr<76> luogo, altrimenti la porta non <20> raggiungibile.
Ogni utente sulla maggior parte dei sistemi UNIX <20> libero
di usare questa chiamata.
.Sp
Questo genere di scan <20> facilmente rilevabile in quanto
i log dell'host destinazione mostreranno un gruppo di connessioni
e messaggi di errore per i servizi che accettano la connessione
mediante accept() solo per chiuderla immediatamente dopo.
.TP
.B \-sS
Scan TCP SYN: Questa tecnica <20> spesso chiamata scan "semi-aperto",
perch<EFBFBD> non aprite una completa connessione TCP. Mandate un pacchetto
SYN, come se aveste intenzione di aprire una vera connessione,
e aspettate la risposta. Un SYN|ACK come risposta indica che
la porta <20> in ascolto. Un RST <20> indicativa di una porta
non in ascolto. Se viene ricevuto un SYN|ACK come risposta
, viene mandato immediatamente un RST per chiudere la connessione
( allo stato attuale il kernel del vostro S.O. lo fa per noi).
Il vantaggio primario di questa tecnica di scanning <20> che pochi
siti la loggeranno.
Sfortunatamente avete bisogno dei privilegi di root per
poter creare questi appositi pacchetti SYN.
.TP
.B \-sF \-sX \-sN
Le modalit<EFBFBD> di scan Stealth FIN, Xmas Tree, o Null:
Ci sono delle volte che anche lo scan SYN non <EFBFBD>
abbastanza anonimo. Alcuni firewall e packet filter
controllano i SYN per le porte riservate, e programmi come
Synlogger e Courtney sono disponibili per rilevare
questi scan. Questi scan avanzati, d'altra parte, possono
essere in grado di passare attraverso i firewall, packet
filter e/o programmi loggers indisturbati.
.Sp
L'idea <20> che le porte chiuse devono rispondere al vostro
pacchetto di prova con un RST, mentre le porte aperte devono
ignorare il pacchetto in questione (vedere RFC 793 pagina 64).
Lo scan FIN usa (sorpresa) un semplice pacchetto FIN come prova,
mentre lo scan Xmas attiva i flag FIN, URG, e PUSH.
Lo scan Null disattiva tutti i flag. Sfortunatamente Microsoft
(come sua consuetudine) ha deciso di ignorare completamente lo
standard e fare le cose a modo suo. Cos<6F> questo tipo di scan
non funziona contro i sistemi in cui gira Windows95/NT. Se
prendiamo la cosa dal punto di vista positivo, questo fatto
<EFBFBD> un buon modo per distinguere tra le due piattaforme.
Se lo scan trova porte aperte, sapete che la macchina non <20>
un computer con Windows. Se uno scan -sF,-sX, o -sN mostra
tutte le porte chiuse, ma uno scan SYN (-sS) vi fa vedere
porte aperte, probabilmente state guardando una macchina
Windows. Questo ora <20> meno utile in quanto nmap ha un
proprio un rilevamento di S.O. integrato. Ci sono anche
alcuni altri sistemi che violano lo standard nella stessa
maniera di Windows. Questi includono Cisco, BSDI, HP/UX, MVS,
e IRIX.
Tutti i sistemi operativi soprastanti mandano resets da
porte aperte quando invece dovrebbero solo ignorare il
pacchetto.
.TP
.B \-sP
Ping scanning:
Alcune volte volete solo sapere quali host sulla rete sono
attivi. Nmap pu<70> scoprire questo mandando pacchetti
ICMP echo request ad ogni indirizzo IP sulla rete che voi
specificate. Gli host che rispondono sono attivi. Sfortunatamente,
alcuni siti come ad esempio microsoft.com bloccano i pacchetti
echo-request. Cos<6F> nmap pu<70> mandare anche un pacchetto ack TCP (per
default) alla porta 80. Se ottenenete indietro un RST, la macchina
<EFBFBD> attiva. Una terza tecnica comporta il mandare un pacchetto
SYN e aspettare un RST o un SYN/ACK. Per gli uttenti non-root,
viene usato il metodo connect().
.Sp
Di default (per gli utenti root), nmap usa le tecniche sia ICMP
che ACK in parallelo. Potete cambiare questo comportamento con
l'opzione
.B \-P
descritta successivamente.
.Sp
Notate che il pinging comunque viene fatto di default, e solo gli
host che rispondono vengono sottoposti a scan. Usate questa opzione
solo se desiderate fare un ping sweep
.B senza
fare dei reali portscan.
.TP
.B \-sU
Scan UDP: Questo metodo viene usato per determinare quali porte UDP
(User Datagram Protocol, RFC 768) sono aprte su un host. La tecnica
<EFBFBD> mandare paccheti udp di 0 byte ad ogni porta sulla macchina
destinazione. Se riceviamo un messaggio ICMP port unreachable, allora
la porta <20> chiusa. Altrimenti presumiamo che essa sia aperta.
.Sp
Alcune persone pensano che lo scan UDP sia inutile. Di solito ricordo
loro il bug recente di rcpbind in Solaris. Rpcbind pu<70> essere trovato
nascosto su una porta UDP non documentata a patto che essa sia maggiore
di 32770. Cosi' non ha importanza se la 111 <20> bloccata dal firewall.
Ma, potete trovare quali porte alte maggiori della 30.000 siano in ascolto?
Con uno scanner UDP potete!
Esiste anche il programma backdoor Back Orifice del cDc, che
si nasconde su una porta UDP configurabile sulle macchine Windows.
Per non parlare i vari servizi comunemente vulnerabili che utilizzano
UDP come ad esempio snmp, tftp, NFS, ecc.
.Sp
Sfortunatamente lo scan UDP <20> alcune volte spaventosamente lento
in quanto molti host implementano la proposta di limitare il tasso
dei messaggi di errore ICMP fornita dalla RFC 1812 (sezione 4.3.2.8).
Per esempio, il kernel di Linux (in net/ipv4/icmp.h) limita la generazione
dei messaggi di destination unreachable ad 80 per 4 secondi, con una
penalit<EFBFBD> di 1/4 di secondo se questo limite viene sorpassato.
Solaris ha limiti pi<70> stretti (circa 2 messaggi per secondo)
e cosi si impiega pi<70> tempo per lo scan.
.I nmap
rileva questo tasso limitando e rallentando lo scan di conseguenza,
piuttosto che flooddare la rete con pacchetti inutili che saranno
ignorati dalla macchina destinazione.
.Sp
Come <20> tipico, Microsoft ha ignorato la proposta della RFC e
non sembra aver imposto nessun tasso di limitazione sulle macchine
Win95 e NT. Cos<6F> possiamo fare lo scan di tutte le 65K porte di una
macchina Windows
.B molto
velocemente.
.TP
.B \-sA
Scan ACK: Questo metodo avanzato viene usato solitamente per scoprire
gli insiemi delle regole dei firewall. In particolare, pu<70> aiutare
determinare se un firewall sia stateful o solo un
semplice filtro di pacchetti che blocca i pacchetti SYN in entrata.
.Sp
Questo tipo di scan manda un pacchetto ACK
(con acknowledgement/sequence numbers apparentemente casuali)
alle porte specificate.
Se si ha come ritorno un RST, le porta viene classificata come
"unfiltered" (non-filtrata). Se non si ritorno ( o se si ha come
ritorno un pacchetto ICMP
unreachable), la porta viene classificata come
"filtered" (filtrata). Notate che di solito
.I nmap
non stampa le porte "unfiltered",
cos<EFBFBD> se
.B non
otteniamo nessuna porta mostrata nell'output <20> di solito un
segno che tutte le prove sono state portate a termine ( e hanno
restituito dei RST). Questo scan ovviamente non mostrer<65> mai
porte nello stato "open" (aperto).
.TP
.B \-sW
Scan window: Questo scan avanzato <20> molto simile allo scan ACK,
eccetto che alcune volte pu<70> rilevare sia le port aperte che
filtrate/non filtrate a causa di un'anomalia nel TCP window size
reporting di alcuni sistemi operativi. I sistemi vulnerabili a
questo problema includono almeno alcune versioni di AIX, Amiga,
BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital
UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, e
VxWorks. Vedere l'archivio della mailing list
.I nmap-hackers
per un'elenco completo.
.TP
.B \-sR
Scan RPC. Questo metodo funziona in combinazione con i diversi
metodi di port scan di Nmap. Esso prende tutte le porte TCP/UDP
trovate aperte e poi le flodda con comandi NULL del programma
SunRPC nel tentativo di determinare se sono porte RCP, e se
le sono, quale programma e numero di versione esse servono.
In questo modo potete effettivamente ottenere le stesse informazioni
di 'rcpinfo -p' anche se il portmapper di destinazione <20> dietro
un firewall (o protetto da TCP wrappers). I decoy non funzionano
allo stato attuale con lo scan RPC, in un qualche momento posso
aggiungere il supporto per i decoy negli scan RPC UDP.
.TP
.B \-b <ftp relay host>
FTP bounce attack: Una "caratteristica" interessante del protocollo
ftp (RFC 959) <20> il supporto per le connessioni ftp "proxy".
In altre parole, io dovrei essere in grado di connettemi da evil.com
al server FTP di target.com e richiedere che tale server mandi un
file OVUNQUE su internet! Ora questo poteva andare bene nel 1985
quando la RFC fu scritta. Ma nell'Internet di oggi non possiamo avere
persone che fanno l'hijacking dei server ftp e che richiedono che i dati
siano spediti a punti arbitrari su Internet. Come *Hobbit* scrisse
nel 1995, questo punto debole nel protocollo "pu<70> essere usato per
postare mail e news virtualmente irritracciabili, riempire i dischi,
provare a scavalcare i firewall, e generalmente <20> fastidioso e difficile
da rintracciare allo stesso tempo."
Noi sfrutteremo questo problema per (sorpesa,sopresa) fare lo scan delle
porte TCP da un server ftp "proxy". Cosi potrete collegarvi a un
server ftp dietro un firewall, e poi dare lo scan di porte che
sono molto probabilmente bloccate (la 139 <20> una porta buona).
Se il server ftp permette la lettura da e la scrittura a
qualche directory (come ad esempio /incoming), potete mandare
dati arbitrari porte che trovate aperte (anche se
nmap non fa questo per voi).
.Sp
L'argomento passato all'opzione 'b' <20> l'host che volete
usare come proxy, in una notazione standard URL. Il formato <20>:
.I username:password@server:porta.
Tutto tranne il
.I server
<EFBFBD> opzionale. Per determinare quali server siano vulenrabili a
questo attacco, potete vedere il mio articolo in
.I Phrack
51. E una versione aggiornata <20> disponibili all'URL di
.I nmap
(http://www.insecure.org/nmap)
.TP
.B OPZIONI GENERALI
Nessuna di queste opzioni <20> richiesta ma alcune possono essere abbastanza utili
.TP
.B \-P0
Non provare e fare il ping degli host completo prima di fare
lo scan degli stessi. Queso permette lo scan di reti che non
permettono ICMP echo request (o risposte) attraverso il loro
firewall.
microsoft.com <20> un esempio di tale rete, cos<6F> dovreste sempre
usare
.B \-P0
o
.B \-PT80
quando fate il portscan di microsoft.com
.TP
.B \-PT
Usate il "ping" TCP per determinare quali host sono attivi.
Invece di mandare pacchetti ICMP echo request e aspettare una
risposta, mandiamo pacchetti TCP ACK attraverso la rete
destinazione (o a una macchina singola) e poi aspettiamo
le risposte per ottenere informazioni sull'host. Gli host
che sono attivi dovrebbero rispondere con un RST. Questa
opzione preserva l'efficenza dell'esaminare solo host che
sono attivi permettendovi anche di fare lo scan di reti/host
che bloccno i pacchetti ping. Per gli utenti non root, usiamo
la funzione connect(). Per impostare la porta di destinazione
dei pacchetti di prova usiamo -PT<numero porta>. La porta di
default <20> la 80, in quanto questa porta spesso non <20> filtrata.
.TP
.B \-PS
Questa opzione usa dei pacchetti SYN (richiesta di connessione)
invece dei pacchetti ACK per gli utenti root. Gli host che sono
attivi dovrebbero rispondere con un RST (o, raramente con un SYN|ACK).
.TP
.B \-PI
Questa opzione usa un vero pacchetto ping (ICMP echo request).
Esso trova gli host che sono attivi e cerca anche nella vostra
rete indirizzi broadcast orientati alla sottorete. Questi sono
indirizzi IP che sono esternamente raggiungibili e traduce a
un broadcast di pacchetti in entrata a una sottorete di computer.
Questi dovrebbero essere eliminati se scoperti in quanto permettono
numerosi attacchi denial of service (Smurf <20> il pi<70> comune).
.TP
.B \-PB
Questo <20> il tipo di ping di default. Esso usa gli sweep ACK (
.B \-PT
) e ICMP (
.B \-PI
) in parallelo. In questo modo potete rilevare i firewall che filtrano
uno dei due (ma non entrambe).
.TP
.B \-O
Questa opzione attiva l'identificazione dell'host remoto via
TCP/IP fingerprinting. In altre parole, usa un'insieme di
tecniche per rilevare le sottigliezze nello strato sottostante
dello stack di rete del sistema operativo del computer sottoposto
a scan. Usa questa informazione per creare una 'impronta'
.I (fingerprint)
che viene confrontata con il suo database di impronte note relative
ai vari S.O. (il file nmap-os-fingerprints) per decidere a quale
tipo di sistema state facendo lo scan.
.Sp
Se trovate una macchina che <20> mal diagnosticata e ha almeno
una porta aperta, sarebbe utile se voi mi madate via mail i
dettagli (per esempio il S.O pippo versione numero <20> stato rilevato
come S.O. pluto versione numero1). Se trovate una macchina
con almeno una porta aperta con almeno una porta aperta per
quale nmap dice 'unknown operating system' (sistema operativo
sconosciuto), allora sarebbe utile se mi mandaste l'indirizzo IP
assieme con il nome del S.O. e il numero di versione. Se non
potete mandarmi l'indirizzo IP, la cosa migliore da fare <20>
di eseguire nmap con l'opzione
.B \-d
e mandarmi le tre fingerprint che dovreste ottenere assieme
al nome del S.O. e il numero di versione. Facendo questo
voi contribuite all'elenco dei sistemi operativi conosciuti ad
nmap e cos<6F> tale elenco sar<61> pi<70> accurato per tutti.
.TP
.B \-I
Questa opzione abilita lo scanning TCP reverse ident. Come
notato da Dave Goldsmith in un post del 1996 a BugTraq, il
protocollo ident (rfc 1413) permette di scoprire il nome
dell'utente appartenente ad ogni processo connesso via TCP,
anche se il processo non ha iniziato una connessione. Cos<6F>
potete, per esempio collegarvi alla porta http e poi usare
identd per scoprire se il server <20> in esecuzione con i
diritti di root. Questo scan pu<70> essere fatto solo con una
connessione TCP completa alla porta destinazione (per esempio
con l'opzione -sT). Quando viene usata l'opzione
.B \-I
l'identd dell'host remoto viene interrogato per ogni porta
aperta. Ovviamente questo scan non funziona se nell'host
non <20> in esecuzione identd.
.TP
.B \-f
Questa opzione provoca gli scan SYN, FIN, XMAS, o NULL
ad usare minuscoli pacchetti IP frammentati. L'idea <20> di
suddividere l'header TCP in diversi pacchetti per rendere
pi<EFBFBD> difficile ai filtri di pacchetti (packet filters),
ai sistemi di rilevamento delle intrusioni (IDS), e
altre seccature rilevare quello che state facendo.
State attenti con questa opzione! Alcuni programmi hanno
problemi nella gestione di questi pacchetti minuscoli.
Il mio sniffer preferito <20> andato in segmentation fault
immediatamente dopo aver ricevuto il primo frammento
di 36-byte. Dopo quello ne viene mandato un'altro da
24 byte! Sebbene questo metodo non passer<65> i filtri di
pacchetto e firewall che mettono in coda tutti i frammenti
IP (come l'opzione CONFIG_IP_ALWAYS_DEFRAG nel kernel Linux),
alcune reti non possono permettersi l'abbattimento
delle prestazioni che questa opzioni causa e cos<6F> la lasciano
disabilitata.
.Sp
Notate che non ho ancora questa opzione funzionante su tutti
i sistemi. Funziona bene per le mie mcchine Linux, FreeBSD, e
OpenBSD e alcune persone hanno r con altre varianti *NIX.
.TP
.B \-v
Modalit<EFBFBD> verbose. Questa <20> un'opzione altamente raccomandata
e da molte pi<70> informazioni su quello che sta accadendo.
Potete usarla due volte per ottendere maggiori effetti. Usate
.B \-d
un paio di volte se volete realmente impazzire con lo scrolling dello
schermo!
.TP
.B \-h
Questa comoda opzione mostra una schermata di riferimento
rapido sulle opzioni di utilizzo di nmap. Come potete aver notato,
questa man page non <20> esattamente un 'riferimento rapido' :)
.TP
.B \-oN <nomefiledilog>
Questa opzione logga i risultati dei vostri scan nella normale forma
.B chiaramente leggibile
nel file che specificate come argomento.
.TP
.B \-oM <nomefiledilog>
Questa opzione logga i risultati dei vostri scan nella forma
.B analizzabile dalla macchina
nel file che specificate come argomento. Potete dare l'argomento
\'-\' (senza apici) per inviare l'output allo stdout
(per fare shell pipe, ecc.). In questo caso l'output normale
sar<EFBFBD> sopresso. Controllate i messaggi di errore se usate
quest'ultima possibilit<69> (essi andranno ancora allo stderr).
Notate anche che \'-v\' far<61> in modo che informazioni extra
vengano stampate.
.TP
.B \-oS <nomefiledilog>
QuEsT0 l0gGa | rIsUlTaT| d3i v0sTr| Scanz iN
UnA f0rMa
.B s|<ipT kiDd|3
n3L fiL3 sPec\|fiCaT0 C0mE arGuMEnT0!
P0t3t3 Dar3 L'Arg0M3nt0 \'-\' (s3Nza Virg0L3Tt3)
p3R mAnDAr3 L'0uTput n3ll0 stDouT!@!!
.TP
.B \--resume <nomefiledilog>
Uno scan di rete che <20> stato cancellato a causa di un control-C,
problemi di rete, ecc. pu<70> essere riprestinto usando questa opzione.
Il nomefiledilog deve essere o un log normale (-oN) o un log
analizzabile dalla macchina (-oM) dello scan interrotto.
Nessun'altra opzione deve essere data (le opzioni saranno le stesse
dello scan interrotto).
Nmap inizier<65> a fare lo scan sulla macchina posta dopo l'ultima
macchina di cui <20> stato fatto lo scan nel file di log.
.TP
.B \-iL <nomedelfilediinput>
Legge le specifiche della destinazione da un file specificato
PIUTTOSTO che da linea di comando. Il file dovrebbe contenere
una lista di host o espressioni di rete separate da spazi,
caratteri di tabulazione, o newline. Usate una linea trattegiata
(-) come
.I nomedelfilediinput
se volte che nmap legga le espressioni dell'host dallo stdin
(come alla fine di una pipe). Vedere la sezione
.I specifica della destinazione
per ulteriori informazioni sulle espressioni con le quali
potete riempire il file.
.TP
.B \-iR
Questa opzioni dicono ad Nmap di generare i propri host da
esaminare prendendo semplicemente numeri casuali :). Non
terminer<EFBFBD> main. Questa opzione pu<70> essere utile per campionamenti
statistici di Internet per stimare diverse cose. Se siete
veramente annoiati, provate
.I nmap \-sS \-iR \-p 80
per trovare dei web server da guardare.
.TP
.B \-p <intervallo di porte>
Questa opzione specifica quali porte volete specificare. Per
esempio con '-p 23' Nmap prover<65> la porta 23 del/degli host
destinazione.
Con \'\-p 20-30,139,60000-\' Nmap far<61> lo scan delle porte
tra 20 e 30, la porta 139, e tutte le porte maggiori di 60000.
Di default Nmap fa lo scan sia di tutte le porte tra 1 e 1024
che di ogni porta elencata nel file services fornito con nmap.
.TP
.B \-F Modalit<EFBFBD> di scan veloce.
Specifica che desiderate esaminare solo le porte elencate nel
file servizi fornito con nmap. Questo tipo di scan <20> ovviamente
pi<EFBFBD> veloce di fare lo scan di tutte le 65535 porte di un host.
.TP
.B \-D <decoy1 [,decoy2][,ME],...>
Causa lo svolgimento di uno scan decoy, che fa in modo che
all'host remoto posto sotto scan appaiano anche lo/gli host che
specificate come decoy (esche). Cos<6F> i loro IDS potrebbero
riportare 5-10 port scan da un unico indirizzo IP, ma non sanno
quale IP stava effettuando lo scn e quali sono innocenti decoy.
Sebbene questo scan possa essere sconfitto attraverso il
router path tracing, il response-dropping e altri meccanismi "attivi",
<EFBFBD> generalmente una tecnica estremamente efficace per nascondere il
vostro indirizzo IP.
.Sp
Separate ciascun host decoy con virgole, e potete opzionalmente
usare 'ME' come uno dei decoy per rappresentare la posizione
nella quale volete il vostro indirizzo IP venga usato.
Se mettete 'ME' nella sesta posizione o oltre, per alcuni
rilevatori di portscan comuni (come ad esempio l'eccellente
scanlogd di Solar Designer) <20> molto poco probabile che
mostrino il vostro indirizzo IP. Se non usate 'ME', nmap
lo porr<72> in una posizione casuale.
.Sp
Notate che gli host che usate come decoy dovrebbero essere
attivi o potreste accidentalmente fare il SYN flood delle
destinazioni. Dovrebbe essere anche abbastanza semplice
determinare quale host <20> sottoposto a scan se uno solo <20>
allo stato attuale attivo sulla rete. Potreste voler usare
gli indirizzi IP invece dei nomi (in questo modo le rete dei
decoy non vi vedono nei log dei loro nameserver).
.Sp
Notate anche che alcuni "rilevatori di port scan" (stupidi)
firewalleranno/negheranno il routing agli host che provano
a fare il portscan. Cos<6F> potreste inavvertitamente causare
alla macchina sottoposta a scan la perdita di connettivit<69>
con le macchine decoy che state usando,
Questo potrebbe causare alle macchine target maggiori problemi
se il decoy, <20> diciamo, il suo gateway internet o anche "localhost".
Cos<EFBFBD> potreste voler essere prundenti con questa opzione.
La vera morale della storia <20> che i rilevatori dei portscan
spoofabili non dovrebbero agire contro la macchina che a loro
sembra stia eseguendo lo scan. Potrebbe essere solo un decoy!
.Sp
I decoy sono usati sia nello scan ping iniziale (usando ICMP,
SYN, ACK, o altro) e durante la fase attuale fase di port
scanning. I decoy sono anche usate durante il rilevamento
remoto del S.O. (
.B \-O
).
.Sp
Vale la pena notare che usare troppi decoy pu<EFBFBD> rallentare il
vostro scan e renderlo potenzialmente anche meno accurato.
Inoltre, alcuni ISP filtreranno i vostri pacchetti spoofati,
sebbene molti (attualmente la maggior parte) non
restringono i pacchetti IP spoffati completamente.
.TP
.B \-S <Indirizzo_IP>
In alcune circostanze,
.I nmap
pu<EFBFBD> non essere in grado di determinare il vostro indirizzo sorgente (
.I nmap
vi informer<EFBFBD> se questo <EFBFBD> il caso). In questa situazione, usate
\-S con il vostro indirizzo IP (dell'interfaccia mediante la quale
desiderate mandare i pacchetti).
.Sp
Un'altro possibile uso di questo flag <20> di spooffare lo scan
per fare in modo che le destinazioni pensino che
.B qualcun altro
le stia scannando.
Immaginate una societ<65> sulla quale un'altra rivale fa ripetutamente
dei port scan!. Questo non <20> un utilizzo supportato ( o lo scopo
principale) di questo flag. Ho gi<67> pensato che questo flag
avanza una interessante possibilit<69> di cui le persone dovrebbero
essere consapevoli prima che vadano accusando altri di fare
lo portscanning contro di loro.
.B \-e
sarebbe generalmente richiesta per questo tipo di utilizzo.
.TP
.B \-e <interfaccia
Dice ad nmap su quale interfaccia mandare e ricevere i pacchetti.
Nmap dovrebbe essere ingrado di rilevare tale interfaccia, ma
questa opzione permette di dirgliela se non <20> in grado.
.TP
.B \-g <numeroporta>
Imposta il numero di porta sorgente usata negli scan. Molti
firewall nativi e installzioni di filtri di pacchetti fanno
un'eccezione nel loro insieme di regole per permettere ai
pacchetti DNS (53) o FTP-DATA (20) di passare attraverso e
stabilire una connessione. Ovviamente questo sovverte i
vantaggi di sicurezza di un firewall in quanto gli intrusi
possono mascherarsi come FTP o DNS modificando la loro porta
sorgente.
Ovviamente per uno scan UDP dovreste prima provare uno scan UDP
e gli scan TCP dovrebbero trovare 20 prima di 53.
Notate che questa <20> solo una richiesta -- nmap la onorer<65> solo
se <20> in grado di farlo. Per esempio, non potete fare il campionamento
TCP ISN da un host:porta a un'altro host:porta, cos<6F>
nmap cambia la porta sorgente anche se avete usato -g.
.Sp
Rendetevi conto che usando questa opzione v'<27> una lieve
penalit<EFBFBD> nelle prestazione, perch<63> alcune volte io memorizzo
informazioni utili nel numero della porta sorgente.
.TP
.B \-r
Dice ad Nmap
.B DI NON
rendere casuale l'ordine nel quale le porte sono esaminate.
.TP
.B \-\-randomize_hosts
Dice ad Nmap di mescolare ciascun gruppo di host, fino a 2048
host prima di farne lo scanner. Questo pu<70> renedere gli scan
meno ovvi ai diversi sistemi di monitoraggio della rete,
specialmente quando lo combinare con opzioni di timing
lente (vedere sotto).
.TP
.B \-M <max sockets>
Imposta il numero massimo di socket che saranno usati in
parallelo per uno scan TCP connect() (lo scan di default).
Questa opzione <20> utile per rallentare di poco lo scan e evitare
il crash delle macchine remote. Un'altro approccio <20> usare
\-sS, opzione che <20> generalmente pi<70> semplice da gestire le
le macchine.
.TP
.B OPZIONI DI TIMING
Generalmente Nmap fa un ottimo lavoro nell'adattarsi alle
caratteristiche di rete a run-time e fare lo scan tanto veloce
quanto possibile minimizando le possibilit<69> che degli host/ delle
porte rimangano non rilevate. Comunque, possono esservi casi lo
stesso in qui l politica di timing impostata di default possa
non incontrare i vostri obiettivi. Le seguenti opzioni forniscono
un buon livello di controllo sul timing di uno scan:
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Queste sono possibili politiche di timing per esprimere
convenientemente le vostre priorit<69> ad Nmap.
La modalit<69>
.B Paranoid
fa gli scan
.B molto
lentamente nella speranza di evitare il rilevamento dai sistemi IDS.
Essa serializza tutti gli scan (nessuno scanning parallelo) e
generalmente aspetta almeno 5 minuti tra i pacchetti mandati.
.B Sneaky
<EFBFBD> simile, eccetto che aspetta solo 15 secondi tra i pacchetti mandati.
.B Polite
<EFBFBD> stato pensata per facilitare il carico sulla reta e ridurre le
possibilit<EFBFBD> di mandare in crash le macchine. Serializza le prove
e aspetta
.B almeno
0.4 secondi tra esse.
.B Normal
<EFBFBD> il comportamento di default di Nmap, che prova a fare gli scan
tanto velocemente quanto gli <20> possibile senza sovracaricare la
rete o mancare degli host/delle porte.
La modalit<69>
.B Aggressive
aggiunge un timeout di 5 minuti per host e non aspetta mai
pi<EFBFBD> di 1.25 secondi per le risposte di prova.
.B Insane
<EFBFBD> solo adatto per reti molto veloci o dove non vi importa
la perdit<69> di alcune informazioni. Manda in time out gli
host in 75 secondi e aspetta solo 0.3 per le prove individuali.
Pero non permette sweep di rete molto veloci :). Potete anche
fare riferimento a questi numeri. Per esempio, \'-T
0\' vi da la modalit<69> Paranoid e \'-T 5\' <20> la modalit<69> Insane.
.Sp
Queste possibili modalit<69> di timing NON dovrebbe essere usata con
i controlli a basso livello dati sotto.
.TP
.B --host_timeout <millisecondi>
Specifica la quantit<69> di tempo, permessa ad Nmap per
fare lo scan di un singolo host prima di terminare lo
scan su quel dato IP. La modalit<69> di timing impostata
per default non ha host timeout.
.TP
.B --max_rtt_timeout <millisecondi>
Specifica la somma massima di tempo permessa ad Nmap per
aspettare un risultato di una prova prima di ritrasmettere
o mandare in time-out quella prova particolare. La modalit<69>
di default imposta questo limite a circa 9000 ms.
.TP
.B --min_rtt_timeout <millisecondi>
Quando gli host destinazione iniziano a stabilire un pattern
di risposta molto velocemente, Nmap diminuir<69> la somma di tempo
data per prova. Questo velocizza lo scan, ma pu<70> condurre a
pacchetti mancati quando una risposta impiega di pi<70> del solito.
Con questo parametro potete garantire che Nmap aspetter<65>
al meno la data quantit<69> di tempo prima di terminare una prova.
.TP
.B --initial_rtt_timeout <millisecondi>
Specifica il timeout iniziale di prova. Questo <20> generalmente
utile solo quando fate lo scan di host firewallati con -P0.
Normalmente Nmap pu<70> ottenere buone stime RTT dal ping e dalle
prime prove. La modalit<69> di default usa 6000.
.TP
.B --max_parallelism <numero>
Specifica il massimo numero di scan da svolgere
in parallelo, che <20> permesso a Nmap. Se impostate questo a 1
Nmap non prover<65> mai ad esaminare pi<70> di una porta alla volta.
Questa opzione ha effetto anche sugli altri scan paralleli come
i ping sweep, lo scan RPC, ecc.
.TP
.B --scan_delay <millisecondi>
Specifica la quantit<69> di tempo
.B minima
nella quale Nmap deve aspettare tra le prove. Questa opzione
<EFBFBD> utile principalmente per ridurre il carico di rete o per
rallentare il metodo di scan per penetrare furtivamente
sotto le soglie degli IDS.
.SH SPECIFICA DELLA DESTINAZIONE
Tutto ci<63> che non <20> un'opzione (o un argomenti di un'opzione)
viene trattato in nmap come specifica dell'host destinazione.
Il caso pi<70> semplice <20> elencare hostname singoli o indirizzi IP
sulla linea di comando. Se volete fare lo scan di una sottorete
di indirizzi IP, potete aggiungere
.B '/mask'
al nome host
o all'indirizzo IP
.B mask
deve essere compreso tra 0 (fai lo scan dell'intera internet)
e 32 (fai lo scan del singolo host specificato). Usate /24 per
fare lo scan di un indirizzo di classe 'C' e /16 per fare lo scan
di un indirizzo di classe 'B'.
.Sp
Nmap ha anche un notazione pi<70> potente che vi permette di
specificare un indirizzo IP usando liste/intervalli per ogni
elemento. Cosi potete fare lo scan dell'intera rete classe 'B'
128.210.*.* specificando '128.210.*.*' o '128.210.0-255.0-255' o
anche '128.210.1-50,51-255.1,2,3,4,5-255'. E certamente potete
usare la notazione maschera: '128.210.0.0/16'. Queste sono tutte
equivalenti. Se usate asterischi ('*'), ricordatevi che la maggior
parte delle shell vi richiedono che voi ne facciate l'escape con
le backslashes o li proteggiate con gli apici.
.Sp
Un'altra cosa interessante da fare <20> quantizzare Internet
in un'altro modo. Invece di fare lo scan di tutti gli host
in una classe 'B', fate lo scan '*.*.5.6-7' per esaminare
ogni indirizzo IP che finisce in .5.6 o .5.7. Decidete i
voi i vostri numeri. Per ulteriori informazioni sulla
specifica degli host su cui fare lo scan, vedere la sezione
.I esempi
.SH ESEMPI
Ecco qui vi sono alcuni esempi di utilizzo per nmap, da quelli
semplici e normali a quelli pi<70> complessi/esoterici. Notate che
numeri attuali e alcuni nomi di dominio attuali sono stati usati
per rendere le cose pi<70> concrete. Al loro posto dovreste sostituire
gli indirizzi/nome della
.B vostra rete.
Non penso che fare il portscanning di altre reti sia illegale;
i portscan non dovrebbero essere interpretati dagli altri
come un attacco. Ho fatto lo scan di centinaia di migliaia
di macchine e ho ricevuto solo una lamentela. Ma non sono un
avvocato e alcune persone (anali) protrebbero essere infastidite
dalle prove con
.I nmap.
Ottete il permesso prima o usatelo a vostro rischio.
.Sp
.B nmap -v destinazione.esempio.com
.Sp
Questa opzione fa lo scan di tutte le porte riservate TCP sulla
macchina destinazione.esempio.com. Il \-v significa aabilita
la modalit<69> verbose.
.Sp
.B nmap -sS -O destinazione.esempio.com/24
.Sp
Lancia uno scan SYN invisibile (stealth) contro ogni macchina
che <20> attiva compresa nelle 255 macchine della classe 'C' dove
destinazione.esempio.com risiede. Prova anche a determinare
quale sistema opertivo <20> in esecuzione su ciascun host
che <20> attivo.
Questo scan richiede i privilegi di root a causa dello scan
SYN ed del rilevamento del S.O.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "128.210.*.1-127"
.Sp
Manda uno scan Xmas tree alla prima meta di ciascuno delle
possibili sottoreti a 8 bit nello spazio di indirizzo classe
'B' 128.210.
Stiamo testando se i sistemi hanno in esecuzione sshd, DNS,
pop3d, imapd, o la porta 4564 aperta.
Notate che lo scan Xmas non funziona sulle macchine Microsoft
a causa del loro stack TCP deficente.
Lo stesso vale per le macchine CISCO, IRIX, HP/UX, e BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Piuttosto che concentrarsi su un'intervallo IP specifico,
alcune volte <20> interessante suddividere in parti l'intera Internet
e fare lo scan di una piccola parte. Questo comando trova
tutti i server web sulle macchine con gli indirizzi IP che
terminano in .2.3, .2.4, o .2.5. Se siete root potrete allo
stesso modo aggiungere -sS. Potrete anche trovare macchine
pi<EFBFBD> interessanti che iniziano con 127. cosi potreste voler usare
'127-222' invece dei primi asterischi perche quella sezione ha
una maggior densit<69> di macchine interessanti (IMHO).
.Sp
.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
Fa un DNS zone tranfer per trovare gli host in company.com
e poi da in pasto gli indirizzi IP a
.I nmap.
I comandi sopra visti sono per la mia macchina GNU/Linux.
Potreste aver bisogno di diversi comandi/opzioni su altri
sistemi operativi.
.SH BUGS
Bugs? Che bugs? Mandatemeli se li trovate. Anche patch sono
gradite :) Ricordate anche di mandare i fingerprint per i nuovi
S.O. cos<6F> possiamo far crescere il database. Nmap vi dar<61> una
URL di submission quando <20> stata trovata un'appropriata fingerprint.
.SH AUTORE
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH DISTRIBUZIONE
La pi<70> recente distribuzione di nmap
.I nmap
puo' essere ottenuta al
.I http://www.insecure.org/nmap/
.Sp
.I nmap
is (C) 1997,1998,1999,2000 by Fyodor (fyodor@insecure.org)
.Sp
.I libpcap
viene anche distribuita assieme ad nmap. Il suo copyright
<EFBFBD> detenuto da Van Jacobson, Craig Leres and Steven McCanne,
tutti del Lawrence Berkeley National Laboratory, Universit<69>
della California, Berkeley, CA.
La versione distributa con nmap pu<70> essere stata modificata
i sorgenti originali sono disponibili al
ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
.Sp
Questo programma <20> software libero; potete ridistribuirlo e/o
modificarlo rispettando i termini della GNU General Public
License com pubblicata dalla Free Software Foundation;
Versione 2. Questa garantisce i vostri diritti di usare, modificare
e ridistribuire Nmap sotto certe condizioni. Se questa licenza
<EFBFBD> per voi inaccettabile, Insecure.Org pu<70> essere in grado di
vendervi licenze alternative (contattate fyodor@insecure.org).
.Sp
Il sorgente viene fornito con questo software perch<63> crediamo
che gli utenti abbiano il diritto di sapere cosa esattamente
un programma ha intenzione di fare prima di eseguirlo.
Questo potrebbe anche permettevi di correggere di testare il
software per buchi alla sicurezza (non ne sono stati trovati
da molto).
.Sp
Il codice sorgente vi permette anche di fare il port di nmap
a nuove architetture, fissare i bug, e aggiungere nuove
caratteristiche. Siete fortemente incoraggiati di mandare i
vostri cambi a Fyodor per la possibile inclusione nella
distribuzione principale di Nmap. Mandando questi cambi
a Fyodor, o a nmap-hackers, si assume che voi stiate offrendo
a Fyodor il diritto illimitato, non esclusivo di riusare,
di modificare, e porre sotto nuova licenza il codice.
Se desiderate specificare condizioni speciali per la licenza
dei vostri contributi, dichiarateli prima sul contributo stesso.
.Sp
Questo programma <20> distribuito nella speranza che sia utile, ma
.B SENZA ALCUNA GARANZIA;
senza anche l'implicita garanzia di
.B COMMERCIABILITA'
o
.B ADEGUATEZZA AD UNO SCOPO PARTICOLARE.
Vedere la GNU Public License per ulteriori dettagli (essa <20> nel file
COPYING della distribuzione di
.I nmap
).
.Sp
Si dovrebbe notare che Nmap pu<70> mandare in crash determinate
applicazioni mal progettate, stack TCP/IP, e anche
sistemi operativi.
.B Nmap non dovrebbe mai essere eseguito contro sistemi,
che hanno compiti critici (detti anche mission critical systems)
a meno che non siate preparati a tollerare
il tempo in cui essi siano disattivi.
Qui riconosciamo che Nmap pu<70> mandare in crash i vostri sistemi o
reti e non ci assumiamo nessuna responabilit<69> per ogni danno o
problema che Nmap potrebbe causare.
.Sp
Tutte le versioni di Nmap a partire dalla 2.0 inclusa
non presentano problemi in tutti i loro aspetti
con il bug dell'anno 2000 (Y2K bug).
Non esiste nessuna ragione di credere che le versioni
precedenti alla 2.0 siano suscettibili a tale problema,
ma non sono state testate.

389
docs/nmap_latvian.1
View File

@@ -1,389 +0,0 @@
.\" This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH V<EFBFBD>RDS
nmap \- Network exploration tool and security scanner
.SH NOSAUKUMS
.B nmap
[skan<61><6E>anas metode(s)] [opcijas] <host vai t<>kls#1...[#N]>
.SH APRAKSTS
.I Ar Nmap var skan<EFBFBD>t neierobe<EFBFBD>otu daudzumu un lielumu t<EFBFBD>klus, noteikt to dro<EFBFBD><EFBFBD>bas pak<EFBFBD>pi, apzin<EFBFBD>t atv<EFBFBD>rtos portus, k<EFBFBD> ar<EFBFBD> atbilsto<EFBFBD>o servisu esam<EFBFBD>bu. <EFBFBD><EFBFBD> uzdevuma <EFBFBD>steno<EFBFBD>anai Nmap izmanto daudz da<EFBFBD><EFBFBD>das skan<EFBFBD><EFBFBD>anas metodes, k<EFBFBD> piem<EFBFBD>ram UDP, TCP connect(), TCP SYN, FTP proxy (skan<61><6E>ana caur ftp), Reverse-ident, ICMP (ping) FIN, ACK, Xmas tree, SYN, NULL metodes. Tuv<EFBFBD>k t<EFBFBD>s apskat<EFBFBD>tas noda<EFBFBD><EFBFBD> "Skan<61><6E>anas opcijas".
.I Nmap satur daudz da<EFBFBD><EFBFBD>das papildus iesp<EFBFBD>jas, konkr<EFBFBD>t<EFBFBD>k: datora oper<EFBFBD>t<EFBFBD>jsist<EFBFBD>mas noteik<EFBFBD>ana (t<>l<EFBFBD>k tekst<EFBFBD> OS) izmantojot TCP/IP steka sniegto inform<EFBFBD>ciju, "neredzamo" skan<EFBFBD><EFBFBD>anu, dinamiski <EFBFBD>ener<EFBFBD>tas aiztures un atk<EFBFBD>rtota pake<EFBFBD>u p<EFBFBD>rraid<EFBFBD><EFBFBD>ana, paral<EFBFBD>l<EFBFBD> skan<EFBFBD><EFBFBD>ana, neakt<EFBFBD>va host`a noteik<EFBFBD>ana izmantojot paral<EFBFBD>lo ping piepras<EFBFBD>jumu, skan<EFBFBD><EFBFBD>ana no neeksist<EFBFBD>jo<EFBFBD>iem hostiem, noteikt pake<EFBFBD>u filtru esam<EFBFBD>bu, tie<EFBFBD><EFBFBD> (neizmantojot portmapper) RPC skan<EFBFBD><EFBFBD>ana, skan<EFBFBD><EFBFBD>ana izmantojot IP-fragment<6E>ciju.
.I Kaut ar<EFBFBD> Nmap ir maksim<EFBFBD>li optimiz<EFBFBD>ts priek<EFBFBD> parastiem lietot<EFBFBD>jiem, daudzas t<EFBFBD> iesp<EFBFBD>jas ir at<EFBFBD>autas tikai root lietot<EFBFBD>jam. Ieteicam Nmap laist ar root ties<EFBFBD>b<EFBFBD>m.
.PP
Nmap rezult<6C>ti tiek izvad<61>ti k<> interes<65>jo<6A>o portu saraksts uz skan<61>t<EFBFBD> kompj<70>tera, protokola tips, servisa nosaukums. Portiem kl<6B>t ir apz<70>m<EFBFBD>jumi "atv<74>rts" (open), "filtr<74>ts" (filtered), "nefiltr<74>ts" (unfiltered). "atv<74>rts" noz<6F>m<EFBFBD>, ka <20>im portam var piesl<73>gties, "filtr<74>ts" - ugunsm<73>ris (firewall) pake<6B>u filtrs , vai k<>ds cits apst<73>klis ne<6E>auj Nmap noteikt, vai ports ir atv<74>rts vai n<>, "nefiltr<74>ts" - ports ir aizv<7A>rts, lai gan nekas netrauc<75>ja Nmap to skan<61>t.
.PP
Atkar<EFBFBD>b<EFBFBD> no dotaj<61>m komand<6E>m, Nmap sp<73>j noteikt <20><>das skan<61>jam<61> host`a <20>pa<70><61>bas: lietot<6F>ja OS, TCP ISN <20>ener<65><72>anas metodi, lietot<6F>ja v<>rdu (username) kam "pieder" noteikts serviss, DNS nosaukumu u.t.t.
.SH OPCIJAS
Vairumu opciju ir iesp<73>jams kombin<69>t sav<61> starp<72>.Vienas opcijas paredz<64>tas priek<65> skan<61><6E>anas meto<74>u izv<7A>l<EFBFBD>s, citas savuk<75>rt atbild par da<64><61>du papildus iesp<73>ju izmanto<74>anu, vai ar<61> atbild par da<64><61>diem skan<61><6E>anas parametriem. Palai<61>ot programmu Nmap ar opciju '-h' vienm<6E>r ir iesp<73>jams ieg<65>t inform<72>ciju par vis<69>m t<>s iesp<73>j<EFBFBD>m.
.TP
.B SKAN<EFBFBD><EFBFBD>ANAS VEIDI
.TP
.B \-sS
(scan SYN) - Izmantot TCP SYN metodi. <20>o metodi sauc par "pusatverto" skan<61><6E>anu, jo piln<6C>gs savienojums ar att<74>lin<69>t<EFBFBD> datora portu nenotiek. Nmap nos<6F>ta SYN paketi, itk<74> pieprasot nodibin<69>t savienojumu un gaida att<74>lin<69>t<EFBFBD>s sist<73>mas atbildi. Atbildot sist<73>ma nos<6F>ta paketi ar SYN|ACK mar<61><72>jumu (flag), ka ir gatava nodibin<69>t savienojumu. Kad Nmap sa<73>em SYN|ACK paketi, atpaka<6B> nekav<61>joties tiek nos<6F>t<EFBFBD>ta RST pakete liekot saprast att<74>lin<69>tajai sist<73>mai, ka nev<65>las nodibin<69>t v<>l neveikto savienojumu. Ne visas sist<73>mas fiks<6B> <20><>da tipa skan<61><6E>anu. Lietot<6F>jam vajadz<64>gas root ties<65>bas, lai var<61>tu izveidot SYN paketes.
.Sp
Lai pa<70>trin<69>tu skan<61><6E>anu, skan<61>jot lielus t<>klus, kop<6F> ar opciju '-sS' var lietot sa<73>sin<69>jumu, kur<75> at<61>auj piepras<61>t nor<6F>d<EFBFBD>to portu vis<69>m akt<6B>vaj<61>m sist<73>m<EFBFBD>m j<>su skan<61>taj<61> diapazon<6F> daudz <20>tr<74>k, nek<65> izmantojot tikai '-p' opciju. To var izdar<61>t ar sa<73>sin<69>juma -PS pal<61>dz<64>bu. Piem<65>ram, ja ir nepiecie<69>am<61>ba noteik, cik sist<73>mas noteikt<6B> diapazon<6F> ir atv<74>ru<72>as 25 portu jums ieteicams lietot <20>o sa<73>sin<69>jumu. (piem):
nmap -n -sS -p25 -PS25 24.0.0.0/8
.TP
.B \-sT
(scan TCP) - izmanto TCP connect() metodi. <EFBFBD><EFBFBD> ir visizplat<EFBFBD>t<EFBFBD>k<EFBFBD> TCP portu skan<EFBFBD><EFBFBD>anas metode. Funkcija connect(), ir iek<EFBFBD>auta jebkur<EFBFBD> OS, t<EFBFBD>dej<EFBFBD>di at<EFBFBD>aujot <EFBFBD>stenot savienojumus ar vienalga k<EFBFBD>du att<EFBFBD>lin<EFBFBD>t<EFBFBD>s sist<EFBFBD>mas portu. Ja skan<EFBFBD>jamais ports uz att<EFBFBD>lin<EFBFBD>t<EFBFBD>s sist<EFBFBD>mas b<EFBFBD>s pieejams, tad funkcija connect() norit<EFBFBD>s veiksm<EFBFBD>gi, pret<EFBFBD>j<EFBFBD> gad<EFBFBD>jum<EFBFBD> ports skait<EFBFBD>s sl<EFBFBD>gts, vai ar<EFBFBD> aizsarg<EFBFBD>ts ar ugunsm<EFBFBD>ri, vai ko taml<EFBFBD>dz<EFBFBD>gu.
.Sp
Lai izmantotu <20>o skan<61><6E>anas metodi, lietot<6F>jam nav vajadz<64>gas t.s. privili<6C><69>t<EFBFBD>s ties<65>bas. <20><>du skan<61><6E>anu <20>oti viegli konstat<61> skan<61>jam<61> dator<6F> <20>p<EFBFBD><70>nieks, jo viss tiek akur<75>ti ierakst<73>ts log fail<69>.
.TP
.B \-sF \-sX \-sN
(scan FIN, scan Xmas, scan NULL) - "neredzam<61>" FIN, Xmas Tree un NULL skan<EFBFBD><EFBFBD>ana. <EFBFBD>o metodi lieto, ja SYN skan<EFBFBD><EFBFBD>ana k<EFBFBD>du iemeslu d<EFBFBD><EFBFBD> nav iesp<EFBFBD>jama. Piem<EFBFBD>ram da<EFBFBD>i ugunsm<EFBFBD>ri filtr<EFBFBD> SYN paketes, kas tiek nos<EFBFBD>t<EFBFBD>tas uz vi<EFBFBD>u aizsarg<EFBFBD>tajiem portiem, un t<EFBFBD>das programmas k<EFBFBD> Synlogger sp<EFBFBD>j<EFBFBD>gas fiks<EFBFBD>t SYN skan<EFBFBD><EFBFBD>anas m<EFBFBD><EFBFBD>in<EFBFBD>jumu.
.Sp
Dot<EFBFBD>s skan<61><6E>anas laik<69> notiek sekojo<6A>ais. FIN skan<61><6E>anu veic ar FIN paket<65>m. Xmas Tree izmanto FIN|URG|PSH paketes, NULL skan<61><6E>anas gad<61>jum<75> tiek nos<6F>t<EFBFBD>tas nemar<61><72>tas paketes. Vadoties p<>c RFC 973 rakst<73>t<EFBFBD>, skan<61>jam<61>s sist<73>mas OS ir j<>atbild uz <20><>da veida paket<65>m, no sl<73>gtiem portiem ar RST paketi, taj<61> pa<70><61> laik<69> atv<74>rtie porti <20>o nemar<61><72>to paketi ignor<6F>.
K<EFBFBD> vienm<6E>r Microsoft Windows izstr<74>d<EFBFBD>t<EFBFBD>ji ner<65><72>in<69>s ar pie<69>emto standartu, t<>d<EFBFBD><64> <20>i skan<61><6E>anas metode b<>s neefekt<6B>va skan<61>jot jebkuru sist<73>mu, kas izmanto Microsoft veidot<6F>s OS. Ja FIN skan<61><6E>anas rezult<6C>t<EFBFBD>, tiek izmests atv<74>rto portu saraksts, tad att<74>lin<69>t<EFBFBD>s sist<73>mas OS nav Windows. Ja visas <20><>s metodes izmet pazi<7A>ojumu, ka visi porti sl<73>gti, turpret<65>m SYN skan<61><6E>ana atkl<6B>j atv<74>rtus portus, tad visticam<61>k att<74>lin<69>t<EFBFBD>s sist<73>mas OS ir Windows. J<>piebilst, ka Windows nav vien<65>g<EFBFBD> OS, kura satur <20>o nepiln<6C>bu. Pie <20><>da tipa OS var pieskait<69>t ar<61> Cisco, BSDI, IRIX, HP/UX un MVS. Visas <20>is OS neatbild nemar<61><72>t<EFBFBD>m paket<65>m.
.TP
.B \-sP
scan Ping) - ping "skan<61><6E>ana". Da<44>reiz ir nepiecie<69>am<61>ba uzzin<69>t tikai akt<6B>vo hostu adreses. Nmap to sp<73>j izdar<61>t, nos<6F>tot ICMP ECHO piepras<61>jumu katrai ip adresei nor<6F>d<EFBFBD>taj<61> diapazon<6F>. Hosts, kas atbild uz <20>o piepras<61>jumu ir akt<6B>vs, t.i. ir piesl<73>gts t<>klam.
.Sp
Da<EFBFBD>i hosti (piem<65>ram microsoft.com) blo<6C><6F> ECHO piepras<61>jumus, t<>d<EFBFBD><64> Nmap papildus nos<6F>ta TCP ACK paketi uz 80 portu (noklus<75>ti). Ja hosts atbild ar RST paketi, tad vi<76><69> ir akt<6B>vs. Tre<72><65> metode izmanto SYN paketi, par atbildi gaidot RST vai SYN|ACK paketi. Lietot<6F>jiem, kuriem nav root privil<69><6C>ijas tiek izmantota connect() metode.
.Sp
Lietot<EFBFBD>jiem ar root privil<69><6C>ij<69>m Nmap noklus<75>ti lieto abas metodes - ICMP un ACK. <20>o iest<73>dijumu var main<69>t izmantojot opciju .B \-P
, kur aprakst<73>ta zem<65>k. Ping skan<61><6E>ana tiek lietota vienm<6E>r un tikai akt<6B>v<EFBFBD>s sist<73>mas tiek skan<61>tas, t<>d<EFBFBD><64> <20>o skan<61><6E>anas metodi izmatojiet tikai ta, ja v<>laties uzzin<69>t akt<6B>vo sist<73>mu daudzumu, ne veikt to portu skan<61><6E>anu.
.TP
.B \-sU
(scan UDP) - <20><> skan<61><6E>anas metode <20>auj noteikt k<>di UDP porti (RFC 768) ir atv<74>rti uz att<74>lin<69>t<EFBFBD>s sist<73>mas. Uz katru skan<61>jam<61>s sist<73>mas portu tiek nos<6F>t<EFBFBD>ta UDP pakete, kas nesatur datus. Ja sist<73>ma atbild ar ICMP pazi<7A>ojumu "port unreachable" tad ports ir aizv<7A>rts, pret<65>j<EFBFBD> gad<61>jum<75> tas tiek uzskat<61>ts par atv<74>rtu. Da<44>i uzskata, ka skan<61>t UDP portus nav nek<65>das j<>gas. <20>in<69> gad<61>jum<75> atg<74>dinu par "slaven<65>bu" ieguvu<76>o g<>uku iek<65> d<>mona rpcbind OS Solaris. <20>is d<>mons grie<69>as uz jebkura no nedokument<6E>tajiem UDP portiem, kas ir liel<65>ki par 32770.
.Sp
Par no<6E><6F>lo<6C>anu j<>atdz<64>st, ka UDP skan<61><6E>ana velkas l<>ni, jo gandr<64>z visas OS seko RFC 1812 (sada<64>a 4.3.2.8) rekomend<6E>cij<69>m iegro<72>ot ICMP "port unreachable" <20>ener<65><72>anas <20>trumu. Piem<65>ram Linux kernelis (katalogs net/ipv4/icmp.h) ierobe<62>o <20><>da tipa pazi<7A>ojumu <20>ener<65><72>anu l<>dz 80, 4 sekund<6E>s ar 1/4 sekundes nov<6F>lo<6C>anu, ja <20><> robe<62>a tiek p<>rsniegta. OS Solaris ir v<>l strikt<6B>ki ierobe<62>ojumi (2 zi<7A>ojumi sekund<6E>), t<>d<EFBFBD><64> sist<73>mu skan<61><6E>ana kuras grie<69>as uz OS Solaris ir v<>l l<>n<EFBFBD>ka.
.Sp
Nmap nosaka <20>o ierobe<62>ojumu parametrus un atbilsto<74>i tiem samazina <20>ener<65>jamos piepras<61>jumus, t<>dej<65>di atturoties no t<>kla piem<65>slo<6C>anas ar nevajadz<64>g<EFBFBD>m paket<65>m, kuras ignor<6F> att<74>lin<69>t<EFBFBD> sist<73>ma. K<> jau ierasts komp<6D>nija Microsoft ignor<6F> visas rekomend<6E>cijas un neizmanto sav<61>s OS nek<65>dus ierobe<62>ojumus. T<>dej<65>di j<>s varat <20>oti <20>tri noskan<61>t visus 65535 UDP portus sist<73>mai, kas grie<69>as zem OS Windows.
.TP
.B \-sO
(scan Open protocol) - Dot<6F> metode tiek izmantota, lai noteiktu IP protokolus, kurus uztur att<74>lin<69>t<EFBFBD> sist<73>ma. Att<74>lin<69>tajai sist<73>mai tiek s<>t<EFBFBD>tas IP paketes, kur<75>m nav nek<65>da mar<61><72>juma. T<>s tiek s<>t<EFBFBD>tas katram protokolam. Ja par atbildi tiek sa<73>emts pazi<7A>ojums "protocol ureachable", tad doto protokolu att<74>lin<69>t<EFBFBD> sist<73>ma neuztur. Pret<65>j<EFBFBD> gad<61>jum<75> Nmap uzskata, ka protokols tiek uztur<75>ts.
.Sp
Da<EFBFBD>as OS (AIX, HP-UX, Digital UNIX) k<> ar<61> ugunsm<73>ris var blo<6C><6F>t zi<7A>ojumus "protocol ureachable", t<> rezult<6C>t<EFBFBD> visi protokoli tiks uzskat<61>ti par uztur<75>tiem.
Par cik aprakst<73>t<EFBFBD> metode ir l<>dz<64>ga UDP skan<61><6E>anas metodei, tad ICMP <20>ener<65><72>anas ierobe<62>ojumu noteik<69>ana paliek sp<73>k<EFBFBD>, ta<74>u t<>d<EFBFBD><64> ka IP paketes "header" sast<73>v tikai no 8 bitiem visus 256 protokolus izdodas noskan<61>t pie<69>emam<61> <20>trum<75>.
.TP
.B \-sA
(scan ACK) - ACK skan<61><6E>anas metode. <20><> papildus metode <20>auj noteikt ugunm<6E>ra konfigur<75>ciju (rulesets). Izmantojot <20>o metodi var noteikt, vai att<74>lin<69>t<EFBFBD> sist<73>ma ir aizsarg<72>ta ar ugunsm<73>ri vai tikai ar pake<6B>u filtru, kur<75> blo<6C><6F> ien<65>ko<6B><6F>s SYN paketes.
.Sp
Skan<EFBFBD>jamajai sist<73>mai tiek nos<6F>t<EFBFBD>ta ACK pakete (ar gad<61>juma skait<69>u acknowledgement number un sequence number). Ja par atbildi tiek sa<73>emta RST pakete, ports tiek uzskat<61>ts par nefiltr<74>tu. Ja atbilde nepien<65>k (vai ar<61> pien<65>k ICMP "port unreachable") tad ports tiek uzskat<61>ts par filtr<74>tu.
.Sp
J<EFBFBD>piebilst, ka Nmap ner<65>da "nefiltr<74>tos" portus, t<>p<EFBFBD>c, ja skan<61>jot att<74>lin<69>tu sist<73>mu jums neatkl<6B>j nevienu atv<74>rtu portu, tas noz<6F>m<EFBFBD> ka porti skait<69>s nefiltr<74>ti. <20><> metode nekad rezult<6C>tos ner<65>d<EFBFBD>s portus kuri skait<69>s atv<74>rti.
.TP
.B \-sW
(scan Window) - Izmanto TCP Window metodi. <20><> metode l<>dzin<69>s ACK skan<61><6E>anai, iz<69>emot to, ka da<64>reiz ar <20><>s metodes pal<61>dz<64>bu var noteikt k<> atv<74>rtos, t<> filtr<74>tos/nefiltr<74>tos portus. To iesp<73>jams izdar<61>t, p<>rbaudot Initial Window datus TCP paket<65>, kurus nos<6F>ta att<74>lin<69>t<EFBFBD> sist<73>ma par atbildi tai nos<6F>titajai paketei, kuru t<> nepareizi apstr<74>d<EFBFBD>.
Sist<EFBFBD>mas kur<75>s ir <20><> k<>uda: vair<69>kas AIX versijas, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX un VxWorks. Tuv<75>ku inform<72>ciju var ieg<65>t apl<70>kojot Nmap-hackers listes arh<72>vus.
.TP
.B \-sR
(scan RPC) - Izmantot RPC skan<EFBFBD><EFBFBD>anas metodi. <EFBFBD>o metodi izmanto kop<EFBFBD> ar cit<EFBFBD>m. T<EFBFBD> pal<EFBFBD>dz noteikt, k<EFBFBD>da programma apkalpo RPC portu un t<EFBFBD>s versiju. Lai to noteiktu, visi TCP/UDP porti tiek fl<EFBFBD>doti ar SunRPC NULL piepras<EFBFBD>jumiem p<EFBFBD>c tam nosakot programmu kas apkalpo RPC portu(s). Izmantojot <EFBFBD>o metodi j<EFBFBD>s viegli ieg<EFBFBD>stat t<EFBFBD>du pa<EFBFBD>u inform<EFBFBD>ciju k<EFBFBD> palai<EFBFBD>ot komandu 'rpcinfo -p', ar<EFBFBD> t<EFBFBD>d<EFBFBD> gad<EFBFBD>jum<EFBFBD>, ja att<EFBFBD>lin<EFBFBD>t<EFBFBD>s sist<EFBFBD>mas portmapper ir aizsarg<EFBFBD>ts ar ugunsm<EFBFBD>ri vai TCP_wrapper.
.TP
.B \-sL
(scan List) - Ieg<65>t skan<61>jamo adre<72>u sarakstu. <20><> opcija <20>auj jums apl<70>kot adre<72>u sarakstu, kuras TIKS skan<61>tas ar Nmap pal<61>dz<64>bu. Noklus<75>ti tiek noteikti to DNS nosaukumi. <20>o iesp<73>ju var aizliegt izmantojot -n opciju.
.TP
.B \-b <ftp relay host>
(bounce scan) - Izmantot "ftp bounce attack" uzbrukumu. <20>i interesant<6E> FTP protokola iesp<73>ja tuv<75>k aprakst<73>ta RFC 959. No hosta source.com var nodibin<69>t savienpjumu ar target.com ftp serveri un nos<6F>t<EFBFBD>t failus, kas tur atrodas uz vienalga k<>du adresi. <20>is uzbrukums tika atkl<6B>ts 1985 gad<61>, kad tika uzrakst<73>ts aug<75>min<69>tais RFC. Nmap izmanto <20>o k<><6B>du lai skan<61>tu portus no "uzticam<61>" ftp servera.
.Sp
Iesp<EFBFBD>jams piesl<73>gties ftp serverim, kuru apsarg<72> ugunsm<73>ris un noskan<61>t p<>r<EFBFBD>jos aizsarg<72>tos portus. Ja ftp serveris at<61>auj las<61>t un rakst<73>t datus k<>d<EFBFBD> katalog<6F> (piem<65>ram /incoming), j<>s varat nos<6F>t<EFBFBD>t jebk<62>dus datus uz <20>o portu. Opcija '-b', nor<6F>da ftp servera adresi, kur<75> tiek izmantots k<> "uzticamais" serveris. URL form<72>ts:
.I login:parole@serveris:ports
Adrese nepiecie<69>ama oblig<69>ti, p<>r<EFBFBD>jo var neievad<61>t.
.TP
.B PAPILDUS IESP<EFBFBD>jAS
<EFBFBD><EFBFBD>s opcijas nav nepiecie<69>ams lietot oblig<69>ti, ta<74>u da<64>reiz t<>s var b<>t diezgan noder<65>gas.
.TP
.B \-P0
(Ping 0) - Nepingot att<74>lin<69>to sist<73>mu pirms skan<61><6E>anas. <20><> opcija at<61>auj skan<61>t t<>klus kuri neat<61>auj ICMP ECHO piepras<61>jumus, vai atbildes uz tiem. piem<65>ram microsoft.com. Var izmantot .B \-P0
vai
.B \-PT80
kad skan<61>jat t<>du tiklu.
.TP
.B \-PT
(Ping TCP) - Izmantot TCP "ping". ICMP ECHO viet<65> Nmap nos<6F>ta TCP ACK paketi skan<61>jamajai sist<73>mai un gaida t<>s atbildi. Ja sist<73>ma ir "akt<6B>va" t<> atbild ar RST paketi. Lietot<6F>ju, kuriem nav root privil<69><6C>ijas tiek izmantota connect() funkcija. <20><> opcija jums <20>auj noteikt att<74>lin<69>t<EFBFBD>s sist<73>mas st<73>vokli pat t<>d<EFBFBD> gad<61>jum<75> , ja ICMP piepras<61>jumu tiek aizliegti ar ugunsm<73>ra pal<61>dz<64>bu. Lai nor<6F>d<EFBFBD>tu kuram att<74>lin<69>t<EFBFBD>s sist<73>mas portam s<>t<EFBFBD>t piepras<61>jumu izmantojiet opciju '-PT <porta_nummurs>'. Noklus<75>ti piepras<61>jums tiek s<>t<EFBFBD>ts uz 80 portu, jo tas praktiski nekad netiek filtr<74>ts.
.TP
.B \-PS
(Ping SYN) - opcija, kas ar<61>dzan tiek izmantota ping piepras<61><73>anai. <20>in<69> gad<61>jum<75> ACK paketes viet<65> tiek s<>t<EFBFBD>ta SYN pakete. Akt<6B>v<EFBFBD>s sist<73>mas atbild ar RST paketi (ret<65>k ar SYN|ACK).
.TP
.B \-PI
(Ping ICMP) - <20><> opcija ping piepras<61><73>anai izmanto norm<72>lu ping paketi (ICMP ECHO). Opcija tiek izmantota, lai mekl<6B>tu akt<6B>vas sist<73>mas, k<> ar<61> nepareizi konfigur<75>tas sist<73>mas, kuras at<61>auj veikt DoS uzbrukumus cit<69>m sist<73>m<EFBFBD>m (piem<65>ram Smurf).
.TP
.B \-PP
Izmanto ICMP timestamp piepras<61>juma paketi, lai atrastu akt<6B>vus hostus.
.TP
.B \-PM
Lidz<EFBFBD>ga k<> -PI un -PP, vien<65>g<EFBFBD> at<61><74>ir<69>ba ir netmask piepras<61>jums.
.TP
.B \-PB
(Ping Both) - Vienlaic<69>gi izmantot ACK un ICMP piepras<61>jumu.
.TP
.B \-O
(Operating system detection) - <20><> opcija <20>auj noteikt att<74>lin<69>t<EFBFBD>s sist<73>mas OS izmantojot t.s. TCP/IP steka "pirkstu nospiedumus". Citiem v<>rdiem skaidrojot, Nmap nos<6F>ta piepras<61>jumus uz att<74>lin<69>to sist<73>mu un sa<73>emot atbildi sal<61>dzina to ar savu datub<75>zi, kura glab<61>jas fail<69> Nmap-os-fingerprinting. Ja Nmap nesp<73>j noteikt att<74>lin<69>t<EFBFBD>s sist<73>mas OS jums tiek pied<65>v<EFBFBD>ts nos<6F>t<EFBFBD>t rezult<6C>tus Nmap autoram, ja j<>s zin<69>t att<74>lin<69>t<EFBFBD>s sist<73>mas OS un esat p<>rliecin<69>ts, ka Nmap nesp<73>ja to atpaz<61>t.
.TP
.B \-I
(Ident scan) - Izmanto reverse-ident skan<61><6E>anu. Ident protokols (RFC 1413) at<61>auj uzzin<69>t t<> lietot<6F>ja v<>rdu (username), kuram pieder process, kur<75> izmanto TCP, pat t<>d<EFBFBD> gad<61>jum<75> ja <20>is process nenodibina savienojumu. Piem<65>ram var piesl<73>gties http portam un izmantojot ident uzzin<69>t vai serveris grie<69>as zem root lietot<6F>ja. Tas ir iesp<73>jams tikai nodibinot "piln<6C>gu" TCP savienojumu ar skan<61>jam<61>s sist<73>mas portu (t.i. nepiecie<69>ams izmantot ar<61> opciju '-sT'). Nmap pieprasa ident`am inform<72>ciju par katru atv<74>rto portu. Protams <20><> metode nestr<74>d<EFBFBD>s ja skan<61>jam<61> sist<73>ma neuztur ident.
.TP
.B \-f
(use fragmentation) - <20><> opcija izmantojama kop<6F> ar SYN, FIN, Xmas vai NULL skan<61><6E>anas metod<6F>m un nor<6F>da uz vajadz<64>bu izmantot IP fragment<6E>ciju ar mazizm<7A>ra fragmentiem. Skan<61><6E>anas laik<69> TCP header tiek sadal<61>ta pa vair<69>k<EFBFBD>m paket<65>m, t<>dej<65>di apgr<67>tinot pake<6B>u filtriem, IDS, un taml<6D>dz<64>g<EFBFBD>m aizsardz<64>bas metod<6F>m noteikt ko tu v<>lies dar<61>t. Lietojiet <20>o opciju piesardz<64>gi. Da<44>as programmas uzkar<61>s cen<65>oties sav<61>kt kop<6F> tik s<>kus fragmentus.
.TP
.B \-v
(verbose output) - <20>o opciju ir ieteicams lietot, jo t<> sniedz vair<69>k inform<72>ciju par to kas pa<70>reiz notiek. Nmap atskait<69>s detaliz<69>t<EFBFBD>k par to ko vi<76><69> pa<70>reiz dara. Priek<65> liel<65>ka efekta ieteicams to lietot divreiz. Kop<6F> ar '-d' opciju var ieg<65>t visdetaliz<69>tako inform<72>ciju.
.TP
.B \-h
(show help) - izmet Nmap help`u.
.TP
.B \-oN <logfilename>
(output Normal) - ieraksta skan<61><6E>anas rezult<6C>tus las<61><73>anai <20>rt<72> form<72> nor<6F>d<EFBFBD>t<EFBFBD>j<EFBFBD> fail<69>.
.TP
.B \-oX <logfilename>
(output XML) - <20><> opcija ieraksta sa<73>emtos datus XML form<72>.
.TP
.B \-oG <logfilename>
(output grepable) - <20><> opcija ieraksta sa<73>emtos datus nor<6F>d<EFBFBD>taj<61> fail<69> vien<65> rindi<64><69>.
.TP
.B \-oA <basefilename>
output All) - liek Nmap logot rezult<6C>tus izmantojot visas logo<67>anas metodes (normal, grepable, un XML).
.TP
.B \-oS <logfilename>
thIs l0gz th3 r3suLtS of YouR ScanZ iN a
.B s|<ipT kiDd|3
f0rM iNto THe fiL3 U sPec\|fy 4s an arGuMEnT! U kAn gIv3
the 4rgument \'-\' (wItHOUt qUOteZ) to sh00t output iNT0
stDouT!@!!
.TP
.B \--resume <logfilename>
ja k<>da iemesla d<><64> esat bijis spiests p<>rtraukt skan<61><6E>anu nospie<69>ot <Ctrl C>, j<>s varat izmantot <20>o opciju, ja skan<61><6E>anas rezult<6C>ti ierakst<73>ti izmantojot opcijas '-oM' vai '-oN'. lai atjaunotu skan<61><6E>anu no t<>s vietas, kur p<>rtrauc<75>t. Vair<69>k nek<65>das papildus opcijas lietot nav nepiecie<69>ams.
.TP
.B \--append_output
liek Nmap rakst<73>t rezult<6C>tus t<>l<EFBFBD>k taj<61> pa<70><61> fail<69>, kur<75> izmantots iepriek<65>.
.TP
.B \-iL <inputfilename>
(input List) - las<61>t adreses no nor<6F>d<EFBFBD>t<EFBFBD> faila. Adres<65>m fail<69> j<>bur atdal<61>t<EFBFBD>m ar tuk<75>umu, ar tab, vai ar <CR><LF> kombin<69>ciju (katrs hosts jaun<75> rind<6E>).
.TP
.B \-iR
(input Random) - lietojot <20>o opciju Nmap skan<61>s gad<61>juma izv<7A>l<EFBFBD>tas adreses. <20>is process vilksies tik ilgi, kam<61>r j<>s to neaptur<75>siet. <20><> opcija ir noder<65>ga, lai veiktu Internet statistiku.
.TP
.B \-p <port ranges>
(ports) - <20><> opcija nor<6F>da Nmap, k<>dus portus nepiecie<69>ams skan<61>t. Piem. opcija '-p23' liek tam skan<61>t skan<61>s tikai 23 portu. Ja nor<6F>d<EFBFBD>s ko l<>dz<64>gu <20>ai opcijai '-p 20-30,139,60000-', Nmap skan<61>s portus no 20 l<>dz 30 ieskaitot, 139 portu un visus portus, kas liel<65>ki par 60000. Noklus<75>ti Nmap skan<61> portus no 1 l<>dz 1024.
.Sp
Skan<EFBFBD>jot TCP un UDP portus tu vari nor<6F>d<EFBFBD>t '-p U:53,11,137,T:21-25,139,8080'. Lai skan<61>tu <20><>di tev nepiecie<69>ams nor<6F>d<EFBFBD>t vismaz vienu TCP skan<61><6E>anas tipu (piem. -sS, -sF, vai -sT). Ja netiek nor<6F>d<EFBFBD>ts protokols, tad dotie porti tiek skan<61>ti visos protokolos.
.TP
.B \-F (Fast scan) -
nor<EFBFBD>da skan<EFBFBD>t tikai tos portus kas nor<EFBFBD>d<EFBFBD>ti servisu fail<EFBFBD> (iek<65>auts kop<EFBFBD> ar Nmap).
.TP
.B \-D <decoy1 [,decoy2][,ME],...>
use Decoy hosts). - <20>aj<61> re<72><65>m<EFBFBD> Nmap liek att<74>lin<69>tajai sist<73>mai dom<6F>t, ka t<> tiek skan<61>ta no vair<69>kiem hostiem.T<>dej<65>di ir gr<67>t<EFBFBD>k noteikt, no kurienes re<72>li tiek skan<61>ts. <20><> ir <20>oti efekt<6B>ga metod<6F>, lai sl<73>ptu savu IP adresi skan<61>jot.
.Sp
J<EFBFBD>s varat nor<6F>d<EFBFBD>t savu IP adresi k<> 'ME' T<> nor<6F>da, kad tiks lietota tava IP adrese. Piem<65>ram, ja tu to ieraksti k<> sesto vai v<>l t<>l<EFBFBD>k, tad daudzi skan<61><6E>anas detektori uz att<74>lin<69>t<EFBFBD>s sist<73>mas var visp<73>r neielogot tavu IP adresi. J<>piebilst, ka nor<6F>d<EFBFBD>tajiem att<74>lin<69>tajiem hostiem ir j<>b<EFBFBD>t piesl<73>gtiem pie t<>kla, pret<65>j<EFBFBD> gad<61>jum<75> j<>s varat p<>rslogot skan<61>jamo sist<73>mu ar SYN paket<65>m. J<>piebilst, ka past<73>v iesp<73>ja t<>dej<65>di noteikt tavu IP adresi, ja tevis nor<6F>d<EFBFBD>tie att<74>lin<69>tie hosti re<72>li neeksist<73>s.
.Sp
Ja tu nor<6F>di daudzus att<74>lin<69>tus hostus, tas var iev<65>rojami pal<61>lin<69>t skan<61><6E>anas <20>trumu. <20>o iesp<73>ju var izmantot jebkur<75> skan<61><6E>anas veid<69>. Da<44>i provaideri var filtr<74>t j<>su paketes, t<>dej<65>di <20>i opcija var nedot jums v<>lamos rezult<6C>tus.
.TP
.B \-S <IP_Address>
(set Source) - Ja Nmap nesp<73>j patst<73>v<EFBFBD>gi noteikt j<>su hosta ip adresi (vi<76><69> par to j<>s br<62>din<69>s), jums ir nepiecie<69>ams to vi<76>am nor<6F>d<EFBFBD>t. V<>l viens pielietojums <20>ai opcijai var b<>t - izlikties, ka skan<61><6E>ana notiek no citas IP adreses. <20>in<69> gad<61>jum<75> j<>s nevarat ieg<65>t rezult<6C>tus, ta<74>u att<74>lin<69>t<EFBFBD> sist<73>ma dom<6F>s, ka skan<61> no tevis nor<6F>d<EFBFBD>t<EFBFBD>s adreses. <20>ai gas<61>jum<75> nepiecie<69>ams lietot opciju '-S' kop<6F> ar '-e'.
.TP
.B \-e <interface>
(interface) - nor<6F>da Nmap, k<>ds interfeiss tiks izmantots lai sa<73>emtu/s<>t<EFBFBD>tu paketes. Nmap parasti pats nosaka, k<>ds interfeiss tiek lietots.
.TP
.B \-g <portnumber>
nor<6F>da porta numuru uz tava datora, kuru Nmap izmatos skan<61><6E>anai. Daudzi pake<6B>u filtri vai ugunsm<73>ri lai<61> cauri DNS paketes (53 ports)un FTP-DATA (20 ports) t<>dej<65>di at<61>aujot nodibin<69>ts savienojumu ar att<74>lin<69>tu aizsarg<72>tu sist<73>mu. Skan<61>jot UDP portus Nmap no s<>kuma izm<7A><6D>ina 53 portu, p<>ctam 20 poru. Skan<61>jot TCP portus - otr<74>d<EFBFBD>k.
.TP
.B \--data_length <number>
Parasti Nmap s<>ta mazi<7A>as paketes, kuras satur tikai header inform<72>ciju. <20><> opcija at<61>auj t<>s palielin<69>t t<>dej<65>di pal<61>linot skan<61><6E>anas <20>trumu, ta<74>u samazinot iesp<73>ju ka j<>su skan<61><6E>anu k<>ds paman<61>s.
.TP
.B \-n
nor<EFBFBD>da, lai Nmap nekad nenoteiktu DNS IP adres<65>m, kuras tas atrod. <20><> opcija var pa<70>trin<69>t skan<61><6E>anu.
.TP
.B \-R
nor<EFBFBD>da, lai Nmap vienm<6E>r noteiktu atrasto IP adre<72>u DNS.
.TP
.B \-r
(randomize off) - Nmap skan<61> visus portus noteikt<6B> sec<65>b<EFBFBD> katrai skan<61>jamai sist<73>mai.
.TP
.B \-\-randomize_hosts
Nor<EFBFBD>da lai Nmap skan<61> att<74>lin<69>to sist<73>mu portus neregul<75>ri. Piem. vienai sist<73>mai tas noskan<61> 23 portu otrai sist<73>mai noskan<61> 665 portu, tad atkal pirmajai sist<73>mai 45 utt. T<>dej<65>di ir iesp<73>jams skan<61>t 2048 sist<73>mas vienlaic<69>gi.
.TP
.B \-M <max sockets>
(Max sockets) - nor<6F>da maksim<69>lo soketu skaitu, kas tiks izmantots paral<61>li skan<61>jot ar TCP connect() metodi. T<>dej<65>di var izvair<69>ties no att<74>lin<69>to sist<73>mu nok<6F>r<EFBFBD>anas. Var izmantot ar<61> '-sS' opciju, jo SYN paketes jebkura OS "pacie<69>" viegl<67>k.
.TP
.B LAIKA IEST<EFBFBD>D<EFBFBD><EFBFBD>ANA
Parasti Nmap autom<6F>tiski nosaka k<>d<EFBFBD> laika interv<72>l<EFBFBD> tiks s<>t<EFBFBD>tas paketes un notiks skan<61><6E>ana. <20><>s opcijas paredz<64>tu, gan lai palielin<69>tu skan<61><6E>anas <20>trumu, gan lai samazin<69>tu k<>udas, gan lai pal<61>lin<69>tu <20>trumu un samazin<69>tu iesp<73>ju att<74>lin<69>t<EFBFBD>s sist<73>mas administr<74>tor<6F>m fiks<6B>t skan<61><6E>anas m<><6D>in<69>jumu.
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> (Timing options) - <EFBFBD><EFBFBD> opcija tiek izmantota, lai regul<EFBFBD>tu skan<EFBFBD><EFBFBD>anas <EFBFBD>trumu.
.B Paranoid re<EFBFBD><EFBFBD>ms tiek izmantots tad, ja ir liela iesp<EFBFBD>jam<EFBFBD>ba, ka uz att<EFBFBD>lin<EFBFBD>t<EFBFBD>s sist<EFBFBD>mas ir uzst<EFBFBD>d<EFBFBD>ts IDS. <EFBFBD>in<EFBFBD> gad<EFBFBD>jum<EFBFBD> skan<EFBFBD><EFBFBD>ana noris <EFBFBD>oti l<EFBFBD>ni. Paral<EFBFBD>la skan<EFBFBD><EFBFBD>ana netiek izmantota. Pakete tiek izs<EFBFBD>t<EFBFBD>t<EFBFBD> k<EFBFBD> minimums ar 5 min<EFBFBD><EFBFBD>u interv<EFBFBD>lu.
.B Sneaky
re<EFBFBD><EFBFBD>ms ir l<EFBFBD>dz<EFBFBD>gs Paranoid re<EFBFBD><EFBFBD>mam. Tas s<EFBFBD>ta paketes ar 15 sekun<EFBFBD>u interv<EFBFBD>lu.
.B Polite
re<EFBFBD><EFBFBD>ms tiek izmantots gad<61>jumos, kad ir vajadz<64>ba samazin<69>t t<>kla noslogot<6F>bu l<>dz minimumam. <20>in<69> re<72><65>m<EFBFBD> paketes tiek s<>t<EFBFBD>tas ar minim<69>lo interv<72>lu 0,4 sekundes.
.B Normal
re<EFBFBD><EFBFBD>mu Nmap izmanto noklus<75>ti. <20>in<69> re<72><65>m<EFBFBD> tiek nodro<72>in<69>ts maksim<69>lo iesp<73>jamo <20>trumu, taj<61> pa<70><61> laik<69> nenoslogojot t<>klu un cen<65>oties izvair<69>ties no k<><6B>d<EFBFBD>m skan<61><6E>anas gait<69>.
.B Aggressive
re<EFBFBD><EFBFBD>m<EFBFBD> tiek uzst<73>d<EFBFBD>ts 5 min<69><6E>u skan<61><6E>anas limits katram hostam, un Nmap nekad negaida ilg<6C>k par 1,25 sekundi uz atbildi.
.B Insane
re<EFBFBD><EFBFBD>ms ir ieteicams tikai priek<EFBFBD> <EFBFBD>oti <EFBFBD>triem t<EFBFBD>kliem, vai ar<EFBFBD> tad ja tu vari samierin<EFBFBD>ties ar iesp<EFBFBD>jam<EFBFBD>m k<EFBFBD><EFBFBD>d<EFBFBD>m sk<EFBFBD>n<EFBFBD><EFBFBD>anas noris<EFBFBD>. Tiek uzst<EFBFBD>d<EFBFBD>ts 75 sekun<EFBFBD>u limits katram hostam un tiek gaid<EFBFBD>ts tikai 0.3 sekundes uz atbildi.
.Sp
Katram re<72><65>mam ir piesaist<73>ts nummurs. Piem. opcija '-T0' apz<70>m<EFBFBD> paranoid re<72><65>mu, bet '-T5' - Insane
.TP
.B --host_timeout <milliseconds>
Uzst<EFBFBD>da laiku, nor<6F>dit Nmap cik ilgs laiks tiek atv<74>l<EFBFBD>ts priek<65> viena hosta piln<6C>gas noskan<61><6E>anas. Noklus<75>ti <20>is parametrs netiek izmantost. Nmap s<>k skan<61>t n<>ko<6B>o hostu p<>c tam, kad pabeidzis skan<61>t iepriek<65><6B>jo.
.TP
.B --max_rtt_timeout <milliseconds>
(maximal round-trip time timeout) - Maksim<69>lais laiks, cik ilgi Nmap gaid<69>s uz nos<6F>t<EFBFBD>to piepras<61>juma atbildi, p<>c tam nos<6F>tot jaunu, vai p<>rtraucot gaid<69><64>anu. Standart<72> tas ir nost<73>d<EFBFBD>ts uz 9000 milisekund<6E>m.
.TP
.B --min_rtt_timeout <milliseconds>
Minim<EFBFBD>lais laiks, cik ilgi Nmap gad<61>s uz nos<6F>t<EFBFBD>t<EFBFBD> piepras<61>juma atbildi. <20><> opcija var pa<70>trin<69>t skan<61><6E>anas <20>trumu, ta<74>u var tika pazaud<75>tas paketes.
.TP
.B --initial_rtt_timeout <milliseconds>
Nor<EFBFBD>da vid<69>jo laiku, cik ilgi Nmap gaid<69>s nos<6F>t<EFBFBD>t<EFBFBD> piepras<61>juma atbildi. Parasti <20>o opciju izmanto, kad tiek skan<61>tas sist<73>mas kas tiek aizsarg<72>tas ar ugunsm<73>ri. Parasti Nmap <20>o lielumu nosaka autom<6F>tiski p<>c pirmo p<>ris piepras<61>jumu noteik<69>anu. Standart<72> tas ir 6000 milisekundes
.TP
.B --max_parallelism <number>
Uzst<EFBFBD>da skaitu cik daudz paketes tiks s<>t<EFBFBD>tas paral<61>li. Ja <20>is parametrs tiek nor<6F>d<EFBFBD>ts k<> 1 tad tas noz<6F>m<EFBFBD>, ka Nmap nekad neskan<61>s vair<69>k par vienu portu reiz<69>.
.TP
.B --scan_delay <milliseconds>
Nor<6F>da minim<69>lo laiku, cik ilgi Nmap gaid<69>s starp piepras<61>jumu nos<6F>t<EFBFBD><74>anu. <20><> opcija <20>auj minim<69>li noslogot t<>klu un/vai izvair<69>ties no skan<61><6E>anas paman<61><6E>anas uz att<74>lin<69>t<EFBFBD>s sist<73>mas.
.TP
.SH SKAN<EFBFBD>JAM<EFBFBD> M<EFBFBD>R<EFBFBD>A NOR<EFBFBD>D<EFBFBD><EFBFBD>ANAS IESP<EFBFBD>JAS
Visu, kas nav opcijas vai to argumenti, Nmap pie<69>em k<> adresi vai att<74>lin<69>t<EFBFBD>s sist<73>mas DNS. Viselement<6E>r<EFBFBD>kais veids k<> nor<6F>d<EFBFBD>t skan<61>jamo hostu, ir, nor<6F>d<EFBFBD>t to aiz opcij<69>m. Ja j<>s v<>laties noskan<61>t subnet`u, jums nepiecie<69>ams nor<6F>d<EFBFBD>t parametru '/<mask>' p<>c skan<61>jam<61>s sist<73>mas DNS vai ip adreses. Subnet`a masku var nor<6F>d<EFBFBD>t <20><>dos veidos:
.Sp
'/0' - skan<61>t visu Internetu;
.Sp
'/16' - skan<61>t B klases adreses;
.Sp
'/24' - skan<61>t C klases adreses;
.Sp
'/32' - skan<61>t tikai nor<6F>d<EFBFBD>to hostu.
.TP
Nmap t<>d<EFBFBD> pa<70><61> veid<69> at<61>auj nor<6F>d<EFBFBD>t ip adreses izmantojot sarakstu, vai ar<61> diapazonu katram t<>s elementam. Piem. ir vajadz<64>ba noskan<61>t B klases subnetu ar adresi 128.210.*.*. To iesp<73>jams nor<6F>d<EFBFBD>t sekojo<6A>os veidos:
.Sp
128.210.*.*
.Sp
128.210.0-255.0-255
.Sp
128.210.1-50,51-255.1,2,3,4,5-255
.Sp
128.210.0.0/16
.TP
Visas <20><>s komandas ir vien<65>das. Ja j<>s izmantojat *, tad vair<69>kum<75> shell`os nepiecie<69>ams t<>s atdal<61>t ar ' vai apostrofu. V<>l viens piem<65>rs: Ja j<>s nor<6F>dat adresi <20><>d<EFBFBD> form<72>t<EFBFBD> '*.*.5.6-7' , tad Nmap noskan<61>s visas ip adreses, kas beidzas ar .5.6 vai .5.7
.SH PIEM<EFBFBD>RI
.Sp
.B nmap -v target.example.com
.Sp
Nor<EFBFBD>da skan<61>t visus atv<74>rtos portus hostam target.example.com. Opcija '-v' at<61>auj nov<6F>rot skan<61><6E>anas procesu detaliz<69>t<EFBFBD>k.
.Sp
.B nmap -sS -O target.example.com/24
.Sp
Visi 255 kompji ar C klases adres<65>m, no kur<75>m viens ir target.example.com tiks noskan<61>ti izmantojot SYN skan<61><6E>anas metodi. V<>l tiks noteikta OS kas grie<69>as uz <20><>m sist<73>m<EFBFBD>m. Lai izmantotu <20>o metodi jums nepiecie<69>amas root ties<65>bas.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
Nmap skan<61>s pirmo pusi ar adres<65>m (0-127) katr<74> no 255 B klases subnet`iem ar Xmas skan<61><6E>anas metodi ip zon<6F> 128.210.*.*. <20>ajos hostos tiks konstat<61>ta sshd (22 ports), DNS (53), pop3 (110), imapd (143) un 4564 portu pieejam<61>ba. V<>l<EFBFBD>tos piev<65>rst uzman<61>bu faktam, ka Xmas skan<61><6E>anas metodi nevar izmantot sist<73>m<EFBFBD>m, kuras grie<69>as uz WinOS, CISCO, IRIX, HP/UX un BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 \'*.*.2.3-5\'
.Sp
Nmap mekl<6B>s visus kompjus ar IP adres<65>m, kuras beidzas ar .2.3, .2.4 un .2.5. Ja jums ir root ties<65>bas, tad j<>s var<61>t pie reizes ar<61> noskan<61>t portus izmantojot opciju '-sS'. J<>s varat atrast daudz interesantas sist<73>mas skan<61>jot diapazonu 127-222.*.*
.Sp
.B host -l company.com | cut \'-d \' -f 4 | ./nmap -v -iL -
.Sp
Atrast eksist<73>jo<6A>us hostus dom<6F>n<EFBFBD> company.com, nodot Nmap to adreses. <20><> komanda str<74>d<EFBFBD> GNU/Linux OS. Ja izmantojat citu OS jums var b<>t vajadz<64>ba rakst<73>t to sav<61>d<EFBFBD>k.
.SH IESP<EFBFBD>JAM<EFBFBD>S K<EFBFBD><EFBFBD>DAS
Ja j<EFBFBD>s gad<EFBFBD>jum<EFBFBD> konstat<EFBFBD>jat k<EFBFBD>das k<EFBFBD><EFBFBD>das Nmap darb<EFBFBD>b<EFBFBD>, l<EFBFBD>dzu pazi<EFBFBD>ojiet par to autoram
.SH AUTORS
.Sp
Fyodor
.I <fyodor@insecure.org>
.I http://www.insecure.org/nmap/
.Sp
.I nmap
is (C) 1995-2001 by Insecure.Com LLC
.Sp
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation;
Version 2. This guarantees your right to use, modify, and
redistribute Nmap under certain conditions. If this license
is unacceptable to you, Insecure.Org may be willing to sell
alternative licenses (contact fyodor@insecure.org).
.Sp
Source is provided to this software because we believe users
have a right to know exactly what a program is going to do
before they run it. This also allows you to audit the
software for security holes (none have been found so far).
.Sp
Source code also allows you to port Nmap to new platforms, fix bugs,
and add new features. You are highly encouraged to send your changes
to fyodor@insecure.org for possible incorporation into the main
distribution. By sending these changes to Fyodor or one the
insecure.org development mailing lists, it is assumed that you are
offering Fyodor the unlimited, non-exclusive right to reuse, modify,
and relicense the code. This is important because the inability to
relicense code has caused devastating problems for other Free Software
projects (such as KDE and NASM). Nmap will always be available Open
Source. If you wish to specify special license conditions of your
contributions, just say so when you send them.
.Sp
This program is distributed in the hope that it will be useful, but
.B WITHOUT ANY WARRANTY;
without even the implied warranty of
.B MERCHANTABILITY
or
.B FITNESS FOR A PARTICULAR PURPOSE.
See the GNU
General Public License for more details (it is in the COPYING file of
the
.I nmap
distribution).
.Sp
It should also be noted that Nmap has been known to crash
certain poorly written applications, TCP/IP stacks, and even
operating systems.
.B Nmap should never be run against mission critical systems
unless you are prepared to suffer downtime. We acknowledge
here that Nmap may crash your systems or networks and we
disclaim all liability for any damage or problems Nmap could
cause.
.Sp
Because of the slight risk of crashes and because a few black hats like
to use Nmap for reconnaissance prior to attacking systems, there are
administrators who become upset and may complain when their system is
scanned. Thus, it is often advisable to request permission before
doing even a light scan of a network.
.Sp
Nmap should never be run with privileges (eg suid root) for security
reasons.
.Sp
This product includes software developed by the Apache Software
Foundation (http://www.apache.org/). The
.I Libpcap
portable packet capture library is distributed along with nmap.
Libpcap was originally copyrighted by Van Jacobson, Craig Leres and
Steven McCanne, all of the Lawrence Berkeley National Laboratory,
University of California, Berkeley, CA. It is now maintained by
http://www.tcpdump.org .
.Sp
Latviski manu<6E>li p<>rtulkojis m|sc (misc@inbox.lv)
(Var gad<61>ties da<64>i g<>uki tekst<73>, ta<74>u ko lai dara, ja latvie<69>u valod<6F> nav norm<72>li datortermini.)

436
docs/nmap_lithuanian.1
View File

@@ -1,436 +0,0 @@
.\" <20> Lietuvi<76> kalb<6C> i<>vert<72>
.\" Aurimas Mikalauskas <inner@crazy.lt>
.\" 2001 03 17
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH PAVADINIMAS
nmap \- tinklo tyrin<69>jimo <20>rankis bei saugumo skeneris
.SH SINTAKS<EFBFBD>
.B nmap
[skanavimo tipas(ai)] [opcijos] <hostas/tinklas #1 ... #n>
.SH APIB<EFBFBD>DINIMAS
.I nmap'as
yra sukurtas tam, kad leist<73> sistem<65>
administratoriams bei smalsiems individams skanuoti
didelius tinklus, siekiant nustatyti kokie hostai
yra veikiantys ir kokias paslaugas jie si<73>lo.
.I nmap'as
turi be galo daug skanavimo technologij<69>,
tai: UDP, TCP connect(), TCP SYN (pusiau atviras),
ftp proxy (bounce ataka), Reverse-ident,
ICMP(ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep,
bei Null skan'as.
.I Skanavimo Tipai
sekcijoje rasite apie tai smulkesn<73>s informacijos.
nmap'as taip pat turi nema<6D>ai pa<70>angi<67> savybi<62>, toki<6B>
kaip nutolusio kompiuterio (toliau vadinamo 'remote')
(O)peracin<69>s (S)istemos nustatymas per TCP/IP
fingerprintinima, stealth (vogtinis) skanavimas,
dinamin<EFBFBD>s pauz<75>s ir retransimisijos skai<61>iavimai,
lygiagretusis skanavimas , nepasiekiam<61> host'<27> nustatymas
skanuojant lygiagre<72>iu skanavimo metodu, decoy skanavimas,
filtruojam<EFBFBD> port<72> nustatymas, tiesioginis RPC skanavimas,
fragmentinis skanavimas, bei labai lankstus taikinio
ir port<72> nurodymas.
.PP
nmap'o autorius stengiasi kaip galima daugiau <20>vairi<72>
nmap'o galimybi<62> suteikti ne tik root vartotojui, bet ir
paprastam sistemos vartotojui, deja daug<75>lis kritini<6E>
sistemos branduolio (kernel) interfeis<69> (toki<6B> kaip
"raw socket'ai") reikalauja root'o privilegij<69>, tod<6F>l
nmap'as tur<75>t<EFBFBD> b<>ti naudojamas root'u kai tik <20>manoma.
.PP
nmap'o naudojimo rezultatas da<64>niausiai b<>na
papras<EFBFBD>iausias s<>ra<72>as <20>domi<6D> port<72>, rast<73> skanuojamoje
ma<EFBFBD>inoje(se). Nmap'as visada parodo koki<6B> paslaug<75> (service)
teikia portas, jo numer<65>, b<>sen<65> bei protokol<6F>. B<>san<61>
nusako vienas i<> trij<69> <20>od<6F>i<EFBFBD>: "open", "filtered", "unfiltered".
"open" (atviras) rei<65>kia, kad taikinys leis prisijungti prie
<EFBFBD>ito porto. "filtered" (filtruojamas) rei<65>kia, kad firewall'as
(ugnies siena), filtras ar dar ka<6B>koks <20>domus <20>rankis dengia
port<EFBFBD>, d<>l to nmap'as tiklsiai negali nustatyti ar portas
atviras. "unfiltered" (nefiltruojamas) parodo, kad portas
yra tikrai "closed" (u<>darytas) ir nera dengiamas jokio
firewall'o/filtro. Nefiltruojamas portas yra gan <20>prastas
atv<EFBFBD>jis ir yra rodomas tik tuo atveju, kai dauguma i<> skanuot<6F>
port<EFBFBD> yra filtruojami.
.PP
Priklausomai nuo to, kokios opcijos naudojamos, nmap'as
taip pat gali parodyti ir nutolusio kompiuterio: (O)peracin<69>
(S)istem<65>, TCP susekamum<75>, vartotoju vardus, kuriems priklauso
tam tikri procesai, DNS vardus ir dar vien<65> kit<69>.
.SH OPCIJOS
Prasmingos opcijos visos gali b<>ti ra<72>omos kartu (t.y. vienoje
eilut<EFBFBD>je).
.I nmap'as
stengsis pasakyti, kokias klaidas esate padar<61>
(ai<61>ku jei esate :).
.Sp
Jei esate nekantrus, galite i<>karto <20>oktelti <20> sekcij<69>
.I pavyzd<EFBFBD>iai
gale dokumento, kur gan ai<61>kiai parodo naudojim<69>. Taip pat
galite paleisti
.B nmap -h
ir pamatysite pagrindines opcijas, su trumpais apra<72>ymais.
.TP
.B SKANAVIM<EFBFBD> TIPAI
.TP
.B \-sT
papras<EFBFBD>iausias TCP connect() skanavimas. J<>s bandote prisijungti
prie kiekvieno porto i<> eil<69>s. Jei portas klausosi, nmap'as
prisijungia prie jo, taigi jei host'as logina, jis matys, kad
bandote jungtis. <20>is metodas yra tiksliausias, bet rekomenduo<75>iau
j<EFBFBD> naudoti tik tuo atveju, jei skanuojate savo ar draugo
kompiuter<EFBFBD>, t.y. tok<6F>, d<>l kurio v<>liau tikrai nesusilauksite
nemalonum<EFBFBD>.
.TP
.B \-sS
TCP SYN skanavimas, kitaip dar da<64>nai vadinamas kaip
"pusiau-atviras" skanavimas, nes n<>ra padaromas TCP prisijungimas.
J<EFBFBD>s papras<61>iausiai nusiun<75>iate TCP SYN paketuk<75> kaip kad nor<6F>damas
prisijungti ir laukiate atsakymo. Pakankamai neblogas metodas,
bet jei yra filtruojam<61> port<72> (pvz. pastatytas firewall'as) ir
host kompiuteris juos logina, - b<>site pasteb<65>tas.
.TP
.B \-sF \-sX \-sN
Stealth FIN, Xmas Tree bei Null skanavimo re<72>imai. Tai yra <20>iek
tiek saugesni skanavimo b<>dai nei TCP SYN (pastebimumo
at<EFBFBD>vilgiu), bet deja nei vienas i<> j<> neveikia M$ sistemoms.
I<EFBFBD> kitos pus<75>s, tai nebloga priemon<6F>, kurios pagalba galima
nustatyti ar tai M$ sistema ar ne, t.y. jei -sF -sX arba -sN
parodo, kad visi portai u<>daryti, o -sS rodo kelis atvirus
portus, taikinys grei<65>iausiai windows d<><64>ut<75>.
.TP
.B \-sP
Tai papras<61>iausias ping'as, kuris parodo kurie hostai tinkle
yra gyvi. Atliekama papras<61>iausiai siun<75>iant ICMP echo pra<72>ym<79>
(request). Deja kai kurie saitai (kaip mail.takas.lt) blokuoja
pra<EFBFBD>ymus. Kad i<> tikro <20>sitikinti, ar hostas negyvas, nmap'as
nusiun<EFBFBD>ia ir TCP ack paketuk<75> <20> 80 (standarti<74>kai) port<72>. Jei
gauname atgal RST, rei<65>kia hostas gyvas. Pagal standart<72>
(r00t'ui) nmap'as naudoja abu ICMP bei ACK metodus. Pakankamai
efektyvu, nes vienu metu galite patikrinti #n host<73>.
.TP
.B \-sU
UDP skanavimas. Naudojamas tam, kad nustatyti kokie UDP (User
Datagram Protocol, RFC 768) portai yra atviri.
.Sp
Kai kurie mano, kad UDP skanavimas yra beprasmi<6D>kas, bet j<>
prisiminti verta vien d<>l vienos Solaris rcpbind skyl<79>s. Taip
pat yra cDc Back Orifice trojanas, kuris atsidaro UDP port<72> ant
window's<>. Gaila tik, kad UDP skanavimas kartais gali trukti
labai ilgai.
.TP
.B \-SO
IP protokolo skanavimas. <20>is metodas yra naudojamas tam, kad
nustatyti kokius protokolus naudoja j<>s<EFBFBD> taikinys. Technika
labai paprasta: siun<75>iami IP paketai be jokio protokolo header'io
<EFBFBD> visus nurodytus protokolus. Jeigu pvz gauname "ICMP protocol
unreachible" (ICMP protoklolas nepasiekiamas) atsakym<79>, vadinasi
protokolas nenaudojamas, prie<69>ingu atveju skaitoma, kad jis
atviras.
.TP
.B \-sA
ACK skanavimas: <20>itas metodas paprastai yra naudojamas tam,
kad i<>siai<61>kinti firewall'<27> (ugnies sin<69>) taisykles. Jis gali
pad<EFBFBD>ti nustatyti ar firewall'as tikras, ar papras<61>iausias
paket<EFBFBD> filtras, blokuojantis <20>plaukian<61>ius SYN paketukus.
.TP
.B \-sW
Window skanavimas. <20>is skanavimo b<>das labai pana<6E>us <20> ACK
skan<EFBFBD>, skirtumas tik tas, kad <20>is skanavimo metodas kartais
parodo ir atvirus portus (ACK j<> nerodo).
.TP
.B \-sR
RPC skanavimas. Praskanavus parodoma kokia programa ir jos versija
laiko RPC portus atvirus.
.TP
.B \-b <ftp relay hostas>
Dar vienas pakankamai originalus skanavimo b<>das, t.y.
pasinaudojant ftp proxy serveriu. <ftp relay host'o> formatas
gali b<>ti useris:passwordas@serveris:portas . Viskas i<>skyrus
server<EFBFBD> yra neb<65>tina.
.TP
.B BENDROSIOS OPCIJOS
Nei viena i<> <20>i<EFBFBD> n<>ra b<>tina, bet kai kurios gali b<>ti pakankamai
naudingos
.TP
.B \-P0
Skanuoti i<> kart, nepaband<6E>ius i<> prad<61>i<EFBFBD> ping'int serverio.
Tai naudinga skanuojant tokius kaip mail.takas.lt, kurie
neatsakin<EFBFBD>ja <20> ICMP echo request'us. Tokiu atveju reik<69>t<EFBFBD>
naudoti
.B \-P0
arba
.B \-PT80.
.TP
.B \-PT
Naudoti TCP "ping'<27>" vietoje standartinio ICMP ping'o. Naudinga
tokiais atvejais, kai serveris neatsakin<69>ja i ICMO echo
request'us. Taip pat galima naudoti kartu su postu (-PT<portas>).
.TP
.B \-PS
Naudoja SYN (prisijungimo pra<72>ym<79>) vietoje ACP
.TP
.B \-PI
Paprastas ping'as + suranda subnet'o broadcast'u adresus tinkle.
.TP
.B \-PB
Standartinis ping'inimo metodas: naudoja ACP bei ICMP ping'us
kartu. Geriausia b<>das patikrinti firewall'us, kurie blokuoja
vien<EFBFBD> i<> j<>.
.TP
.B \-O
Viena geriausi<73> nmap'o ypatybi<62> - serverio OS'o atpa<70>inimas
pagal jo fingerprint'us (jei atvirai, pats nelabai <20>inau kas
per biesas tie fingerprintai).
.TP
.B \-I
<EFBFBD>jungiamas TCP reverse ident skanavimas. Kaip 1996 Dave'as
Goldsmith'as pasteb<65>jo, ident protokolas (rfc 1413) leid<69>ia
pamatyti, kokiam useriui priklauso procesas, kuris naudoja
TCP susijungima. Taigi, tu gali pvz prisijungti prie 80 porto
ir tada pasinaudojes inentd'u, gali pamatyti ar http serveris
yra paleistas root'u ar kokiu kitu userium.
.TP
.B \-f
Skanuojant SYN (-sS) , FIN (-sF), XMAS (-sX) arba NULL (-sN)
metodu, naudojami labai ma<6D>y<EFBFBD>iai sufragmentuoti IP paketai.
.TP
.B \-v
Verbose mode. Labai rekomenduojama opcija, ypa<70> jei norit geriau
suprasti kas <20>ia dedasi. naudodamas <20>i<EFBFBD> opcij<69> du kartus, efektas
bus dar geresnis. Gali naudoti ir dvigub<75> -d, efektas - nerealus.
Nepaband<EFBFBD>s, nesuprasi.
.TP
.B \-h
Jei norite kad nedidelis langelis jums trumpai primintu kelias
pagrindines komandas, <20>i opcija - jums.
.TP
.B \-oN <logas>
Viskas, kas vyksta ekrane bus loginama <20> "logas" fail<69>.
.TP
.B \-oX <logas>
Skanavimo rezultatai i<>saugomi XML formatu <20> fail<69>, kur<75> nurodote
kaip argument<6E> <20>iai opcijai.
.TP
.B \-oG <logas>
<EFBFBD>i opcija i<>saugo skanavimo rezultatus taip, kad j<>s juos galetum<75>te
lengvai grepinti. <20>is gan primityvus formatas i<>saugo visk<73> vienoje
eilut<EFBFBD>je.
.TP
.B \-oS <logas>
Loginama <20> fail<69> "logas" "skipt kiddie" formatu.
.TP
.B \--resume <logas>
Skanavimas, kuris buvo nutrauktas su ^C, gali b<>ti prat<61>stas,
su s<>lyga, kad viskas buvo loginama su -oN opcija.
Daugiau jokie parametrai negali b<>ti pateikti (jie bus tokie,
kokie buvo naudojami loginant). nmap'as prad<61>s skanuoti nuo
sekan<EFBFBD>ios ma<6D>inos, po tos, kuri paskutin<69> buvo s<>kmingai
nuskanuota..
.TP
.B \-iL <failas>
Nuskaito hostus (IP adresus) i<> failo "failas". Hostai faile turi
b<EFBFBD>ti atskirti tarpais, TAB'ais arba atskirose linijose. deja
opcij<EFBFBD> nurodyti joki<6B> negalite tame faile, u<>tat yra galimyb<79> jas
nurodyti komandin<69>je eilut<75>je.
.TP
.B \-iR
<EFBFBD>ita opcija priver<65>ia nmap'<27> generuoti atsitiktinius hostus. Jei
kada netur<75>site k<> veikti, pabandykite `nmap -sS -iR -p 80', kad
surastum<EFBFBD>te kelet<65> www serveri<72>.
.TP
.B \-p <portai>
Galite nurodyti kur<75>/kuriuos portus tikrinti. pvz. -p 110
patikrins ar hostas turi pop3 server<65>, taip pat galite mi<6D>riai
nurodin<EFBFBD>ti portus:
-p 21,60-90,1243 -- 21, visi nuo 60 iki 90 bei 1243 portas
-p 1- -- visi portai nuo 1 iki 65535.
.TP
.B \-F
Greitasis metodas. Skanuoja tik tuos portus, kurie nurodyti nmap'o
services faile (pagal default'<27> - /usr/local/lib/nmap/nmap-services)
.TP
.B \-D <decoy1 [,decoy2][,decoyN][,ME]>
Decoy skanavimas priver<65>ia skanuojam<61> host'<27> manyti, kad j<> vienu
metu skanuoja visi nurodyti decoy'iai. Host<73> logai gali parodyti
5-10 skanavim<69> i<> unikali<6C> IP adres<65>, bet kuris i<> j<> skanuoja
i<EFBFBD> tikro jie pasakyti negal<61>s.
.Sp
Atskirk kiekvien<65> decoy'<27> kableliais (be tarpo) ir gali tarp j<>
<EFBFBD>terpti 'ME' kaip vien<65> i<> decoy'i<>. nmap'as ten <20>terps tavo
adres<EFBFBD>. Jei <20>ito nenurodysi, nmap'as atsitiktinai i<>rinks tau
viet<EFBFBD>. Tiesa, jei 'ME' <20>ra<72>ysi 6-oje ar dar v<>lesn<73>je vietoje,
kai kurie skanavim<69> detektoriai (tokie kaip Solar Designer'io
nepakartojamas scanlog daemon'as) gali tavo IP i<>viso neparodyti.
.Sp
Nepamir<EFBFBD>k, kad hostai, kuruos naudosi kaip decoy'ius, turi b<>ti
gyvi, kitaip gali u<>-SYN-flood'inti taikin<69>, o be to labai
nesunku bus surasti skanuotoj<6F>, jei jis bus vienintelis gyvas
visame tinkle.
.Sp
Atkreipk d<>mes<65> ir <20> tai, kad kai kurie (durnesni) port<72>
skanavim<EFBFBD> detektoriai gali aplamai skanuojantiems host'ams
u<EFBFBD>drausti pri<72>jim<69>. <20>sivaizduok, kas gali nutikti, jei vien<65>
i<EFBFBD> decoy'i<> nurodytum "localhost'<27>" :)
.Sp
Decoy skanavimas gali b<>ti naudojamas kartu su ping (naudojant
ICMP, SYN, ACK, ar dar k<> nors) arba tikru port<72> skanavimu bei
bandant surasti remote OS'<27> ( -O ).
.TP
.B \-S <IP_adresas>
Kartais nmap'as gali nerasti j<>s<EFBFBD> adreso. Tokiu atveju galite
naudoti -S opcij<69> su j<>s<EFBFBD> IP adresu bei interfeisu, kuriuo
si<EFBFBD>site paketus.
.TP
.B \-e <interfeisas>
Nurodo nmap'ui kokiu interfeisu si<73>sti paketus.
(lo, ppp0, eth0 ir etc.)
.TP
.B \-g <portas>
Nurodo i<> kokio porto skanuoti. Daugelis firewall'<27> bei filtr<74>
padaro i<>imtis DNS (53) bei FTP-DATA (20) paketams.
.TP
.B \-n
Liepia nmap'ui net nem<65>ginti rezolvinti ip adres<65> i j<> vardus,
nes da<64>nai tai b<>na labai l<>tas procesas ir stabdo nmap'o darb<72>.
.TP
.B \-R
Prie<EFBFBD>ingai nei -n opcija, -R liepia nmap'ui visada pam<61>ginti
i<EFBFBD>rezolvinti ip adres<65>.
.TP
.B \-r
Nurodo nmap'ui portus skanuoti
.B NE
atsitiktine tvarka.
.TP
.B --randomize_hosts
Nmap'as atsitiktine tvarka i<>mai<61>o kiekvien<65> grup<75> i<> daugiau nei
2048 host<73> prie<69> pradedant juos skanuoti. Tai <20>iek tiek suklaidina
<EFBFBD>vairius tinklo stebejimo <20>rankius.
.TP
.B \-M <maximalus susijungimu skaicius>
Nustato naksimal<61> susijungimu skai<61>i<EFBFBD>, kuris bus naudojamas
paralel<EFBFBD>je su TCP(standarti<74>kai) skanavimu.
.TP
.B LAIKO APRIBOJIMAI
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Paranoid - pats l<><6C>iausias skanavimo b<>das, Insane - pats
grei<EFBFBD>iausias, deja ne toks tikslus, ypa<70> jei tinklas l<>tas.
Vietoj <20>od<6F>i<EFBFBD> galite naudoti ir -T (0-5), kur 0 == Paranoid,
1 == Sneaky ir t.t.
.TP
.B --host_timeout <milisekund<6E>s>
Nurodo kiek laiko nmap'as gali skanuoti duot<6F>j<EFBFBD> IP. Laikas turi
b<EFBFBD>ti nema<6D>iau nei 200 milisekund<6E>i<EFBFBD>.
.TP
.B --max_rtt_timeout <milisekund<6E>s>
Kiek daugiausia laiko nmap'as gali laukti atsakymo i<> skanuojamo
IP.
.TP
.B --scan_delay <milisekund<6E>s>
Nustato minimal<61> laiko tarp<72>, kuri nmap'as turi laukti tarp
bandym<EFBFBD>. Tai naudingiausia siekiant suma<6D>inti tinklo apkrovim<69>.
.SH TAIKINIO NURODYMO B<EFBFBD>DAI
Viskas, kas n<>ra opcijos, nmap'e suprantama kaip taikinys.
Papras<EFBFBD>iausias b<>das yra nurodyti konkre<72>ius IP arba hostus.
Jeigu norite nuskanuoti IP adres<65> subnet'<27>, galite prid<69>ti
.B /mask<73>
hostname'ui ar IP adresui.
.B Mask<EFBFBD>
turi b<>ti tarp 0
(norint nuskanuoti vis<69> internet<65>) ir 32 (norint nuskanuoti
konkret<EFBFBD> host'<27>/IP. Naudok /24 'C' klas<61>s adres<65> skanavimui
bei /16 'B' klas<61>s adres<65> skanavimui.
.Sp
nmap'as taip pat turi gan patogi<67> galimyb<79> nustatin<69>ti IP
adresus s<>ra<72>ais/atstumais. pvz. gali nuskanuoti 'B' klas<61>
u<EFBFBD>ra<EFBFBD>ydamas 128.210.*.* arba 128.210.0-255.0-255 arba dar
128.210.0-50,51-255.1,2,3,4,5-255 . Manau kad tai pakankamai
patogu ir nesud<75>tinga.
.SH KELETAS PAVYZD<EFBFBD>I<EFBFBD>
.Sp
.B nmap -sX -e lo -P0 -S 127.0.0.3 localhost
.Sp
Pasinaudodamas Xmas Tree skanavimo metodu, apsimetin<69>damas,
kad esu 127.0.0.3 Loopback protokolu skanuoju savo localhost'<27>
<EFBFBD>tai kaip atrodo ipchains'<27> log'as:
.Sp
Packet log: input DENY lo PROTO=6 127.0.0.3:37009 127.0.0.1:139
L=40 S=0x00 I=53682 F=0x0000 T=41 (#1)
.Sp
kaip matote, kernelis yra <20>sitikin<69>s, kad j<> skanuoja i<> 127.0.0.3
o tai ir yra vienas svarbiausi<73> u<>davini<6E> - likti nematomiems :)
.Sp
.B nmap -sS -O target.example.com/24
.Sp
stealth SYN metodu nuskanuoja visas 255 ma<6D>inas, esan<61>ias
target.example.com 'C' klas<61>je. Taip pat bando nustatyti
kiekvieno i<> j<> operacin<69> sistem<65>.
.Sp
.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
suranda visus *.company.com hostus ir atiduoda juos nmap'ui,
kuris savo ruo<75>tu <20>sijung<6E>s verbose mode visus juos nuskanuoja.
.Sp
.B nmap -sN -D microsoft.com,mail.takas.lt,ME -oN /root/crazy -p 1-1024 -O crazy.com
.Sp
skanauoja Null skanavimo re<72>imu, panaudoja du decoy adresus,
visk<EFBFBD> logina <20> /root/crazy fail<69>, skanuoja nuo 1 iki 1024 crazy.com
portus bei stengiasi atsp<73>ti crazy.com serverio operacin<69> sistem<65>
.SH BUGAI
Vabal<EFBFBD>liai? Kokie dar vabal<61>liai? Na.. jei rasit koki<6B>, b<>tinai
si<EFBFBD>skit autoriui: <fyodor@insecure.org> . Pachai taip pat labai
laukiami. Taip pat nepamir<69>kite si<73>sti OS'<27> fingerprintus, kad
nmap'o autoriai gal<61>t<EFBFBD> pl<70>sti duom. baz<61>. Apie tai smulkiau
galite rasti docs/nmap-fingerprinting-article.txt dokumente
arba nmap'o puslapyje: http://www.insecure.org/nmap
.SH AUTORIUS
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH I<EFBFBD>VERT<EFBFBD>
.Sp
Aurimas Mikalauskas
.I <inner@crazy.lt>
.Sp
.SH PLATINIMAS
.Sp
Naujausi<EFBFBD>
.I nmap'o
versij<EFBFBD> visada galite rasti <20>ia:
.Sp
.I http://www.insecure.org/nmap/
.Sp
.I nmap
is (C) 1997,1998,1999,2000 by Fyodor (fyodor@insecure.org)
.Sp
.I libpcap'as
yra taip pat platinamas kartu su nmap'u. Autorines
teises <20> j<> turi Van Jacobson, Craig Leres ir Steven McCanne,
visi i<> Lawrence Berkeley nacionalin<69>s Laboratorijos Kalifornijos
Universiteto, Berkeley, CA. Versija platinama su nmap'u gali
b<EFBFBD>ti perra<72>in<69>jama. Sourcus galit parsisi<73>sti i<>
.I ftp://ftp.ee.lbl.gov/libpcap.tar.Z
.Sp
.SH PABAIGAI
D<EFBFBD>iaugiuosi, kad pagaliau pasiek<65>te gal<61>. Dabar jau galite skaityti
save kvalifikuotu nmap'o guru.
.Sp
beje, jei norite k<> nors prid<69>ti ar pakeisti <20>iame dokumente,
arba (neduok Dieve) radot koki<6B> tai bug'u, ra<72>ykit man adresu,
pateiktu sekcijoje
.B i<EFBFBD>vert<EFBFBD>.
<EFBFBD>iaip <20>itas manualas abejoju ar bus atnaujinamas,
bet pa<70>i<EFBFBD> naujausi<73> nmap-lt-HOWTO visada galite
rasti mano puslapyje:
.Sp
.I http://crazy.lt/~inner

8
docs/nmap_manpage-de.html
View File

@@ -1,8 +0,0 @@
Content-type: text/html
<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
<BODY>
<H1>man2html: bad invocation</H1>
Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
or: man2html -r [filename]
</BODY></HTML>

8
docs/nmap_manpage-es.html
View File

@@ -1,8 +0,0 @@
Content-type: text/html
<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
<BODY>
<H1>man2html: bad invocation</H1>
Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
or: man2html -r [filename]
</BODY></HTML>

8
docs/nmap_manpage-fr.html
View File

@@ -1,8 +0,0 @@
Content-type: text/html
<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
<BODY>
<H1>man2html: bad invocation</H1>
Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
or: man2html -r [filename]
</BODY></HTML>

8
docs/nmap_manpage-it.html
View File

@@ -1,8 +0,0 @@
Content-type: text/html
<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
<BODY>
<H1>man2html: bad invocation</H1>
Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
or: man2html -r [filename]
</BODY></HTML>

8
docs/nmap_manpage-lt.html
View File

@@ -1,8 +0,0 @@
Content-type: text/html
<HTML><HEAD><META http-equiv="Content-Type" content="text/html; charset=windows-1257"><TITLE>man2html: bad invocation</TITLE></HEAD>
<BODY>
<H1>man2html: bad invocation</H1>
Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
or: man2html -r [filename]
</BODY></HTML>

8
docs/nmap_manpage-lv.html
View File

@@ -1,8 +0,0 @@
Content-type: text/html
<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
<BODY>
<H1>man2html: bad invocation</H1>
Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
or: man2html -r [filename]
</BODY></HTML>

8
docs/nmap_manpage-pt.html
View File

@@ -1,8 +0,0 @@
Content-type: text/html
<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
<BODY>
<H1>man2html: bad invocation</H1>
Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
or: man2html -r [filename]
</BODY></HTML>

1054
docs/nmap_manpage-ru.html
View File

File diff suppressed because it is too large Load Diff

2356
docs/nmap_manpage.html
View File

File diff suppressed because it is too large Load Diff

412
docs/nmap_portuguese.1
View File

@@ -1,412 +0,0 @@
.\"Traduzido para a lingua Portuguesa
.\"Ant<6E>nio Pires de Castro Jr. <apcastro@ic.unicamp.br>
.\"<apcastro@cultura.com.br>, <apcastro@ondefor.com.br>
.\"em 17/10/2000
.\"This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NOME
nmap \- Ferramenta de explora<72><61>o de rede e scanner de seguran<61>a.
.SH SYNOPSIS
.B nmap
[Tipo(s) de Scan] [Op<4F><70>es] <computador ou rede #1 ... [#N]>
.SH DESCRICAO
.I Nmap
<EFBFBD> projetado para permitir aos administradores de sistemas e indiv<69>duos curiosos explorar grandes redes para determinar quais computadores est<73>o ativos e quais servi<76>os s<>o fornecidos.
.I Nmap
suporta um grande n<>mero de t<>cnicas de scan, como: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. Veja as se<73><65>es de
.I Tipos de Scan
para maiores detalhes. Nmap, tamb<6D>m, oferece um n<>mero de avan<61>adas caracter<65>sticas, como: detec<65><63>o remota do SO via TCP/IP fingerprinting, stealth scanning, dynamic delay e retransmission calculations, scanning paralelo, detec<65><63>o de hosts inativos atrav<61>s de pings paralelos, decoy scanning, detec<65><63>o de portas filtradas, scanning direto de RPC (n<>o-portmapper), fragmentation scanning e flexibilidade do alvo e especifica<63><61>o de porta.
.PP
Esfor<EFBFBD>os significantes tem sido gastos na performance do nmap para usu<73>rios comuns, usu<73>rios n<>o-root. Infelizmente, v<>rias interfaces cr<63>ticas do kernel (como os sockets raw) requerem privil<69>gios de root. Nmap deve ser executado como root sempre que poss<73>vel.
.PP
O resultado da execu<63><75>o do nmap <20> usualmente uma lista de portas
interessantes na(s) m<>quina(s) sendo explorada(s). Nmap sempre fornece o nome do servi<76>o, o n<>mero, o estado, e o protocolo das portas "bem conhecidas". O estado pode ser tanto 'aberto' (open), 'filtrado'(filtered) ou n<>o filtrado (unfiltered). Aberto significa que a m<>quina alvo aceitar<61> (accept()) conex<65>es na porta. Filtrado significa que o firewall, filtro ou outro obst<73>culo da rede est<73> cobrindo a porta e prevenindo o nmap de determinar quando a porta est<73> aberta. N<>o filtrado significa que a porta <20> conhecida pelo nmap para estar fechada e nenhum firewall/filtro parece estar interferindo com a tentativa de determina-l<> pelo nmap. Portas n<>o filtradas s<>o um caso comum e s<>o mostradas, somente, quando a maioria das portas exploradas est<73>o no estado filtrado.
.PP
Dependendo da op<6F><70>o usada, o nmap pode, tamb<6D>m, reportar as seguintes caracter<65>sticas do host remoto: SO em uso, sequenciabilidade do TCP, os nomes dos usu<73>rios executando os programas em determinadas portas, o nome DNS, quando um host tem um endereco de smurf, e v<>rias outras.
.SH OP<EFBFBD><EFBFBD>ES
Op<EFBFBD><EFBFBD>es que juntamente fazem sentido podem geralmente ser combinadas. V<>rias op<6F><70>es s<>o espec<65>ficas para certos modos de scan.
.I Nmap
tenta capturar e avisar o usu<EFBFBD>rio sobre erros ou combina<EFBFBD><EFBFBD>es n<EFBFBD>o suportadas de op<EFBFBD><EFBFBD>es.
.Sp
Se voc<6F> est<73> impaciente, voc<6F> pode ir direto para a se<73><65>o de
.I exemplos
no final, os quais demonstram o uso comum do nmap. Voc<6F> pode, tamb<6D>m, executar
.B nmap -h
para uma r<>pida p<>gina de refer<65>ncia, a qual lista todas as op<6F><70>es.
.TP
.B TIPOS DE SCAN
.TP
.B \-sT
TCP connect() scan: Esta <EFBFBD> a mais b<EFBFBD>sica forma de TCP scanning. A chamada de sistema, connect(), provida pelo seu sistema operacional <EFBFBD> usada para abrir uma conex<EFBFBD>o para toda porta interessante na m<EFBFBD>quina. Se a porta est<EFBFBD> no estado listening, connect() ir<EFBFBD> ter sucesso, por outro lado a porta n<EFBFBD>o ser<EFBFBD> alcan<EFBFBD>ada. Uma grande vantagem desta t<EFBFBD>cnica <EFBFBD> que voc<EFBFBD> n<EFBFBD>o precisa de nenhum privil<EFBFBD>gio especial. Qualquer usu<EFBFBD>rio em UNIX est<EFBFBD> livre para usar esta chamada.
.Sp
Este tipo de scan <20> facilmente detect<63>vel pelo log do host alvo, o qual mostrar<61> o grupo de conex<65>es e mensagens de erro para os servi<76>os os quais aceitam, accept(), a conex<65>o somente para t<>-la imediatamente desligada.
.TP
.B \-sS
TCP SYN scan: Esta t<>cnica <20> muito conhecida como "half-open" scanning,
porque n<>o abre uma conex<65>o TCP completa. <20> enviado um pacote com o flag SYN
setado, como se fosse abrir uma conex<65>o real e <20> esperado pela resposta. Uma
resposta SYN/ACK indica que a porta est<73> no estado listening. O flag RST <20>
uma indica<63><61>o de estado n<>o listening. Se o flag SYN/ACK <20> recebido, o flag
RST <20> imediatamente enviado para encerrar a conex<65>o (atualmente o n<>cleo do SO faz isso por n<>s). A principal vantagem desta t<>cnica de scanning <20> que poucos sites ir<69>o registra-l<> no arquivo de log. Desafortunadamente <20> necess<73>rio privil<69>gios de super usu<73>rio (root) para construir estes pacotes SYN customizados.
.TP
.B \-sF \-sX \-sN
Modos Stealth FIN, Xmas Tree, ou Null scan: Algumas vezes nem mesmo a
t<EFBFBD>cnica SYN scanning <20> clandestina suficiente. V<>rios firewalls e filtros de pacotes observam por SYNs para portas restritas, e programas como Synlogger e Courtney est<73>o dispon<6F>veis para detectar este tipo de scan. Por outro lado, scans avan<61>ados (stealth FIN, Xmas Tree, ou Null scan), podem ser capazes de passar atrav<61>s destes filtros sem serem molestados.
.Sp
A id<69>ia <20> que portas fechadas s<>o exigidas por responder aos pacotes de teste com um RST, enquanto portas abertas precisam ignorar os pacotes em quest<73>o (veja RFC 793 pp 64). A t<>cnica de scan FIN utiliza o limitado pacote FIN como teste, enquanto a t<>cnica de scan Xmas Tree seta os flags FIN, URG e PUSH. A t<>cnica de scan Null n<>o seta nenhum flag. Desafortunadamente a Microsoft (como usual) decidiu completamente ignorar o padr<64>o e faz as coisas do seu pr<70>prio jeito. Ent<6E>o este tipo de scan n<>o funcionar<61> contra sistemas executando Windows95/NT. Do lado positivo, est<73> <20> uma <20>tima maneira de distinguir entre duas plataformas. Se o scan encontrar portas abertas, <20> poss<73>vel saber que a m<>quina n<>o utiliza o Windows. Se as t<>cnicas de scan -sF, -sX ou -sN mostram todas as portas fechadas, mesmo assim a t<>cnica de scan SYN (-sS) mostra portas sendo abertas, voc<6F> poder<65> estar olhando para uma m<>quina Windows. Esta <20> a maneira menos usada pelo nmap para testar a detec<65><63>o do SO. Exitem, tamb<6D>m, alguns outros sistemas que s<>o descobertos da mesma maneira que descobrimos o windows. Estes incluem Cisco, BSDI, HP/UX, MVS, and IRIX. Todos acima enviam resets (RST) de portas abertas quando estes devem, somente, descartar o pacote.
.TP
.B \-sP
Ping scanning: Algumas vezes voc<6F> somente quer saber quais os hosts da rede
est<EFBFBD>o ativos. O Nmap pode fazer isso enviando um pacote de requisi<73><69>o ICMP
(ICMP echo request) para todo endere<72>o IP especificado da rede. Os hosts que
respondem est<73>o vivos. Desafortunadamente, v<>rios sites, como a
microsoft.com, bloqueiam pacotes de requisi<73><69>o ICMP (echo request). Ent<6E>o, o
nmap pode, tamb<6D>m, enviar um pacote ACK TCP para (por defini<6E><69>o) a porta 80.
Se n<>s pegarmos o flag RST novamente, a m<>quina esta viva. A terceira t<>cnica envolve o envio de pacotes SYN e a espera pelo pacote com o flag RST ou os flags SYN/ACK. O m<>todo connect() <20> usado por usu<73>rios comuns (n<>o root).
.Sp
Por defini<6E><69>o (para super usu<73>rios), o nmap usa tanto as t<>cnicas do ICMP e a do flag ACK em paralelo. Voc<6F> pode mudar as
.B \-P
op<EFBFBD><EFBFBD>es descritas mais a frente.
.Sp
Note que o ping, por defini<6E><69>o, <20> feito de qualquer forma, e somente os hosts que respondem s<>o scanneados. Somente use esta op<6F><70>o se voc<6F> desejar vasculhar
.B sem
fazer qualquer scan real de portas.
.TP
.B \-sU
UDP scans: Este m<>todo <20> usado para determinar quais portas UDP (User Datagram Protocol, RFC 768) est<73>o abertas no host. A t<>cnica implica em enviar 0 bytes de dados de pacotes UDP para cada porta da m<>quina alvo. Se n<>s recebermos uma mensagem de ICMP port unreachable (porta ICMP n<>o alcan<61>ada), ent<6E>o a porta est<73> fechada. Por outro lado n<>s assumimos que a porta est<73> aberta.
.Sp
V<EFBFBD>rias pessoas pensam que a t<>cnica UDP scanning <20> sup<75>rfluo. Eu, usualmente, lembro desta como uma recente falha no rpcbind do Solaris. O Rpcbind pode ser encontrado escondido em uma porta UDP n<>o documentada em algum lugar acima de 32770. Ent<6E>o n<>o importa que a porta 111 esteja bloqueada por um firewall. Por<6F>m, voc<6F> pode encontrar quais as portas altas, maiores de 30.000, que est<73>o no estado listening? Com o scanner UDP voc<6F> pode! Existe, tamb<6D>m, o programa cDc Back Orifice backdoor o qual se oculta em uma porta UDP configur<75>vel em m<>quinas Windows. Alguns servi<76>os comumente vulner<65>veis que utilizam o UDP s<>o: snmp, tftp, NFS, etc.
.Sp
Desafortunadamente UDP scanning <20> algumas vezes, dolorosamente, vagarosa desde que a maioria dos hosts implementam a sugest<73>o da RFC 1812 (se<73><65>o 4.3.2.8) de limitar a taxa de mensagens de erro ICMP. Por exemplo, o n<>cleo do Linux (em net/ipv4/icmp.h) limita a gera<72><61>o de mensagens de destination unreachable para 80 por 4 segundos, com 1/4 segundos de penalidade se esta for excedida. O Solaris tem um limite muito mais restrito (mais ou menos 2 mensagens por segundo) e assim gasta um tempo maior para realizar o scan.
.I Nmap
detecta esta taxa limitante e reduz conformemente, por outro lado inunda a rede com pacotes sem uso que ir<69>o ser ignorados pela m<>quina alvo.
.Sp
Como <20> t<>pico, a Microsoft ignorou a sugest<73>o da RFC e n<>o parece ter feito nenhuma taxa limitante por completo no Win95 e no NT. Ent<6E>o <20> poss<73>vel scannear,
.B rapidamente
, todas as portas de 64K das m<>quinas windows. Beleza!
.TP
.B \-sO
Scan do Protocolo IP: Este m<>todo <20> usado para determinar quais protocolos IPs s<>o usados no host. A t<>cnica consiste em enviar pacotes IP raw sem promover nenhum cabe<62>alho para cada protocolo espec<65>fico na m<>quina alvo. Se n<>s recebermos uma mensagem do protocolo ICMP unreachable, ent<6E>o o protocolo n<>o est<73> sendo usado. Por outro lado n<>s assumimos que est<73> aberto. Note que v<>rios hosts (AIX, HP-UX, Digital UNIX) e firewalls podem n<>o enviar mensagens de protocolo unreachable. Assim faz parecer que todos os protocolos est<73>o "abertos".
.Sp
Isso porque a t<>cnica implementada <20> muito similar ao scanning da porta UDP, onde a taxa limite de ICMP pode ser aplicada tamb<6D>m. Por<6F>m o campo do protocolo IP tem somente 8 bits, ent<6E>o no m<>ximo 256 protocolos podem ser testados, os quais devem ser poss<73>veis de serem testados em tempo razo<7A>vel.
.TP
.B \-sA
ACK scan: Este m<>todo avan<61>ado <20> usualmente usado para mapear o conjunto de regras de um firewall. Em particular, esta pode ajudar a determinar quando um firewall <20> stateful ou somente um filtro de pacotes simples que bloqueia pacotes SYN de chegada.
.Sp
Este tipo de scan envia pacotes com o flag ACK setado para uma porta espec<65>fica. Se um RST voltar, a porta <20> classificada como "n<>o filtrada". Se n<>o voltar nada ou um ICMP unreachable voltar, a porta <20> classificada como "filtrada". Note que o
.I nmap
usualmente n<>o imprime portas "n<>o filtradas", obtendo, assim,
.B nenhuma
porta mostrada na sa<73>da <20> usualmente um sinal que todos os testes foram suscedidos (e retornado RSTs). Esta t<>cnica de scan nunca ir<69>, obviamente, mostrar portas no estado "aberto".
.TP
.B \-sW
Window scan: Este scan avan<61>ado <20> muito similar ao ACK scan, exceto que as vezes pode ser poss<73>vel detectar portas abertas mesmo sendo filtradas, isso devido a anomalia do tamanho da janela TCP reportado por v<>rios sistemas operacionais. Sistemas vulner<65>veis para isso incluem no m<>nimo v<>rias vers<72>es do AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks. Vejam no arquivo, na lista de discuss<73>o nmap-hackers, a lista completa.
.TP
.B \-sR
RPC scan. Este m<EFBFBD>todo trabalha em combina<EFBFBD><EFBFBD>o com v<EFBFBD>rias t<EFBFBD>cnicas de scan de portas do Nmap. Ele pega todas as portas TCP/UDP encontradas abertas e inunda elas com comandos NULL de programas SunRPC numa tentativa de determinar quando elas s<EFBFBD>o portas RPC, e se s<EFBFBD>o, qual programa e vers<EFBFBD>o dos servi<EFBFBD>os. Com este m<EFBFBD>todo voc<EFBFBD> pode efetivamente obter a mesma informa<EFBFBD><EFBFBD>o como se usasse 'rpcinfo -p' mesmo se o portmapper alvo estiver atr<EFBFBD>s de um firewall (ou protegido pelo TCP wrappers). Decoy n<EFBFBD>o trabalha correntemente com RPC scan, em algum ponto eu posso adicionar o suporte decoy para UDP RPC scans.
.TP
.B \-b <ftp relay host>
FTP bounce attack: Uma interessante "caracter<65>stica" do protocolo ftp (RFC 959) <20> sustentada para conex<65>es ftp "proxy". Em outras palavras, eu devo ser capaz de conectar do evil.com para um servidor FTP, target.com, e requerer que o servidor envie um arquivo para qualquer lugar na internet! Isto pode ter sido explorado bem em 1985 quando a RFC foi escrita. Por<6F>m na internet hoje, n<>s n<>o podemos ter pessoas hijacking servidores ftp e requisitando que os dados sejam jogados para arbitr<74>rios pontos na internet. Como *Hobbit* escreveu em 1995, este protocolo torna in<69>til "pode ser usado para portar virtualmente n<>o determin<69>veis emails ou news, forjando em servidores v<>rios sites, preenchendo discos, tentando saltar firewalls, e geralmente sendo aborrecido, ficando, assim, dif<69>cil seguir a pista ao mesmo tempo." O que n<>s iremos explorar disto <20> o scan de portas TCP do servidor "proxy" de ftp. Ent<6E>o voc<6F> pode conectar a um servidor ftp atr<74>s do firewall, e ent<6E>o scannear portas que est<73>o mais prov<6F>velmente bloqueadas (139 <20> uma boa). Se o servidor ftp permitir ler de e escrever para algum diret<65>rio (como /incoming), voc<6F> pode enviar dados arbitr<74>rios para portas que voc<6F> achar abertas (nmap n<>o faz isso por voc<6F>).
.Sp
Os argumentos passados para a op<6F><70>o 'b' <20> o host que voc<6F> quer usar como proxy, na nota<74><61>o de padr<64>o URL. O formato <20>:
.I username:password@server:port.
Tudo, menos o
.I server
<EFBFBD> opcional. Para determinar quais servidores s<>o vulner<65>veis para este ataque, voc<6F> pode ver meu artigo em
.I Phrack
51. A vers<72>o atualizada est<73> dispon<6F>vel em
.I nmap
URL (http://www.insecure.org/nmap).
.TP
.B OP<EFBFBD><EFBFBD>ES GERAIS
Nenhuma destas s<>o requeridas, por<6F>m algumas podem ser absolutamente proveitosas.
.TP
.B \-P0
Pinga os hosts antes de scanne<6E>-los. Isto permite scannear as redes que n<>o permitem ICMP echo requests (ou responses) atrav<61>s dos seus firewalls. microsoft.com <20> um exemplo desta rede, e ent<6E>o voc<6F> deve sempre usar
.B \-P0
ou
.B \-PT80
quando portscanning microsoft.com.
.TP
.B \-PT
Use TCP "ping" para determinar quais hosts est<73>o ativos. Ao invez de enviar pacotes ICMP echo request e esperar pelas respostas, n<>s enviamos pacotes TCP ACK por toda parte na rede alvo (ou para uma simples m<>quina) e ent<6E>o esperamos por respostas. Hosts que est<73>o ativos devem responder com um RST. Esta op<6F><70>o preserva a efici<63>ncia de somente scannear hosts que est<73>o ativos, enquanto ainda permite scannear redes/hosts que bloquearam pacotes ping. Para usu<73>rios n<>o root, <20> usado o connect(). Para setar a porta destino dos pacotes de teste usem -PT<n<>mero da porta>. A porta default <20> 80, desde que est<73> porta <20> muitas vezes n<>o filtrada.
.TP
.B \-PS
Est<EFBFBD> op<6F><70>o usa pacotes com SYN (connection request) ao invez de pacotes com ACK para usu<73>rios root. Hosts que est<73>o ativos devem responder com RST (ou, raramente, um SYN|ACK).
.TP
.B \-PI
Est<EFBFBD> op<6F><70>o usa um pacote ping verdadeiro (ICMP echo request). Esta encontra os hosts que est<73>o ativos e tamb<6D>m procura por um endere<72>o de broadcast para a subrede da sua rede. Estes s<>o endere<72>os IPs que s<>o externamente alcan<61><6E>veis e traduzidos para broadcast de pacotes IP de chegada para uma subrede de computadores. Estes devem ser eliminados se encontrado, como ele permitem por numerosos ataques de nega<67><61>o de servi<76>o (DoS) (Smurf <20> o mais comum).
.TP
.B \-PB
Este <20> o tipo de ping default. Ele usa tanto pacotes com ACK (
.B \-PT
) e pacotes ICMP (
.B \-PI
) sweeps em paralelo. Desta maneira voc<6F> pode obter os firewalls que
filtram cada uma (por<6F>m n<>o ambas).
.TP
.B \-O
Esta op<6F><70>o ativa a identifica<63><61>o de hosts remotos via TCP/IP fingerprinting. Em outras palavras, ela usa uma grande quantidade de t<>cnicas para detectar sutilezas na pilha de rede do sistema operacional do computador que voc<6F> est<73> scanneando. Ele usa estas informa<6D><61>es para criar a 'fingerprint' a qual <20> comparada com sua base de dados de conhecidos fingerprints de SOs (o arquivo nmap-os-fingerprints) para decidir qual o tipo de sistema que voc<6F> est<73> escanneando.
.Sp
Se o Nmap est<73> desabilitado para resolver o SO da m<>quina, e as condi<64><69>es s<>o boas (ex. ao menos uma porta aberta), Nmap ir<69> prover a URL que voc<6F> pode usar para submeter a fingerprint se voc<6F> conhecer (com certeza) o SO sendo executado na m<>quina. Por fazer isso voc<6F> contribui para o conjunto de sistemas operacionais conhecidos pelo nmap e ent<6E>o ser<65> mais correto para todos.
.Sp
A op<6F><70>o \-O tamb<6D>m possibilita classificar e fazer o prognostico da
sequ<EFBFBD>ncia TCP. Esta <20> uma medida que descreve aproximadamente qual a
dificuldade em estabelecer uma conex<65>o TCP forjada contra um host remoto.
Esta <20> <20>til para explorar o IP de origem baseado na rela<6C><61>o de confian<61>a
(rlogin, firewall filters, etc) ou por esconder a origem do ataque. O n<>mero
difficulty mostrado <20> baseado em uma simples amostra estat<61>stica e pode
variar. Este n<>mero <20> geralmente melhor apresentado como uma frase em Ingl<67>s como "worthy challenge" ou "trivial joke".
.TP
.B \-I
Esta ativa o scanning do ident reverso TCP. Como notado por Dave Goldsmith em 1996 na mensagem para a Bugtraq, o protocolo ident (rfc 1413) permite revelar o username dos donos dos processos conectados via TCP, mesmo se estes processos n<>o iniciaram a conex<65>o. Ent<6E>o voc<6F> pode, por exemplo, conectar a porta http e ent<6E>o usar o identd para encontrar quando o servidor est<73> sendo executado como root. Isto pode somente ser feito com uma conex<65>o TCP completa para a porta alvo (ex.: a op<6F><70>o de scanning -sT). Quando
.B \-I
<EFBFBD> usada, o identd do host remoto <20> pesquisado para cada porta aberta encontrada. Obviamente isso n<>o funciona se o host n<>o estiver rodando o identd.
.TP
.B \-f
Esta op<6F><70>o requere os flags SYN, FIN, XMAS, ou NULL scan para usar cuidadosos pacotes IP fragmentados. A id<69>ia <20> dividir o cabe<62>alho TCP sobre v<>rios pacotes para ficar dif<69>cil para o filtro de pacotes, sistemas de detec<65><63>o de intrus<75>o, e outros aborrecimentos para detectar o que voc<6F> est<73> fazendo. Seja cuidadoso com isso! V<>rios programas tem preocupa<70><61>es lidando com estes cuidadosos pacotes. Enquanto este m<>todo n<>o obtem pacotes filtrados e firewalls que enfileram todos os fragmentos IP (como a op<6F><70>o CONFIG_IP_ALWAYS_DEFRAG no kernel do linux), v<>rias redes n<>o conseguem assegurar o golpe de performance que este fato causa, ent<6E>o <20> melhor deixar este desabilitado.
.Sp
Note que esta op<6F><70>o, ainda, n<>o esta funcionando em todos os sistemas. Esta
funciona bem para o Linux, FreeBSD, e OpenBSD e outras pessoas tem reportado
sucessos com outras varia<69><61>es *NIX.
.TP
.B \-v
Modo Verbose. Esta <20> uma op<6F><70>o altamente recomendada e fornece mais informa<6D><61>es sobre o que esta acontecendo. Voc<6F> pode us<75>-la duas vezes para um melhor efeito. Use
.B \-d
em conjunto se voc<6F> realmente quiser ficar louco com a quantidade de informa<6D><61>es na tela!
.TP
.B \-h
Esta c<>moda op<6F><70>o mostra uma r<>pida tela de refer<65>ncia das op<6F><70>es usadas no nmap. Como voc<6F> deve ter notado, est<73> man page n<>o <20> exatamente uma 'r<>pida refer<65>ncia' :o)
.TP
.B \-oN <logfilename>
Este log mostra o resultado do seu scan em uma forma
.B humanamente leg<EFBFBD>vel
no arquivo que voc<6F> especificou como argumento.
.TP
.B \-oX <logfilename>
Este log mostra o resultado do seu scan na forma de
.B XML
no arquivo que voc<6F> especificou como argumento. Isto permite aos programas facilmente capturar e interpretar os resultados do Nmap. Voc<6F> pode fornecer o argumento \'-\'(sem quotas) para colocar em uma stdout (para shell pipelines, etc). Neste caso uma sa<73>da normal ser<65> suprimida. Tomar cuidado para as mensagem de erro se voc<6F> esta usando esta (elas, ainda, ir<69>o para stderr). Tamb<6D>m, note que \'-v\' pode causar algumas informa<6D><61>es extras para ser impressas.
.TP
.B \-oG <logfilename>
Este log mostra o resultado do seu scan na forma do
.B grepable
no arquivo que voc<6F> especificou como argumento. Este simples formato prov<6F> todas as informa<6D><61>es em uma linha (ent<6E>o voc<6F> pode facilmente usar o grep para portas ou obter informa<6D><61>es de SOs e ver todos os endere<72>os IPs). Este <20> o mecanismo preferido pelos programas para interagir com o Nmap, por<6F>m agora <20> recomendado usar a sa<73>da em XML (-oX). Este simples formato pode n<>o conter tantas informa<6D><61>es quanto os outros formatos. Voc<6F> pode fornecer o argumento \'-\'(sem quotas) para colocar em uma stdout (para shell pipelines, etc). Neste caso uma sa<73>da normal ser<65> suprimida. Tomar cuidado para as mensagem de erro se voc<6F> esta usando esta (elas, ainda, ir<69>o para stderr). Tamb<6D>m, note que \'-v\' ir<69> fornecer v<>rias informa<6D><61>es extras para ser impressas.
.TP
.B \-oS <logfilename>
thIs l0gz th3 r3suLtS of YouR ScanZ iN a
.B s|<ipT kiDd|3
f0rM iNto THe fiL3 U sPec\|fy 4s an arGuMEnT! U kAn gIv3
the 4rgument \'-\' (wItHOUt qUOteZ) to sh00t output iNT0
stDouT!@!!
.TP
.B \--resume <logfilename>
O scan de rede que <20> cancelado devido a um control-C, interrup<75><70>o da rede, etc. pode ser resumido usando esta op<6F><70>o. O logfilename precisa ser normal (-oN) ou parsable na m<>quina (-oM) para registrar o scan abortado. Nenhuma outra op<6F><70>o pode ser usada. Nmap come<6D>ar<61> na m<>quina depois que a <20>ltima foi scanneada com sucesso e armazenada no arquivo de log.
.TP
.B \-iL <inputfilename>
<EFBFBD> feita a leitura de um arquivo alvo especificado na linha de comando. O arquivo deve conter uma lista de hosts ou express<73>es de rede separados por espa<70>os, tabs, ou novas linhas. Use o h<>fen (-) como
.I inputfilename
se voc<EFBFBD> quisesse que o nmap leia express<EFBFBD>es do hosts de stdin (como no final do pipe). Veja a se<EFBFBD><EFBFBD>o
.I especifica<EFBFBD><EFBFBD>o do alvo
para maiores informa<6D><61>es nas express<73>es que voc<6F> preencher<65> no arquivo.
.TP
.B \-iR
Esta op<6F><70>o fala para o Nmap para gerar seus pr<70>prios hosts para scannear, usando simplesmente n<>meros randomicos :o). Isso nunca ir<69> terminar. Isso pode ser muito <20>til para tirar amostras estat<61>sticas da internet para estimar v<>rias coisas. Se voc<6F> nunca estiver realmente entediado, tente
.I nmap \-sS \-iR \-p 80
para encontrar v<>rios servidores web para observar.
.TP
.B \-p <port ranges>
Esta op<6F><70>o especifica quais portas voc<6F> quer para descrever. Por exemplo '-p 23' ir<69> tentar somente a porta 23 do host(s) alvo. \'\-p 20-30,139,60000-\' ir<69> scannear portas entre 20 e 30, porta 139, e todas as portas maiores que 60000. Por defini<6E><69>o <20> para scannear todas as portas entre 1 e 1024 t<>o bem quanto qualquer porta listada no arquivo de servi<76>os o qual vem com o nmap. Para o scan de protocolos IP (-sO), especifica o n<>mero do protocolo que voc<6F> deseja para (0-255).
.TP
.B \-F Modo de scan r<EFBFBD>pido.
Especifica que voc<6F> somente deseja scannear por portas catalogadas no arquivo services o qual vem com o nmap (ou o arquivo de protocolos para -sO). Este <20> obviamente muito mais r<>pido do que scannear todas 65535 portas no host.
.TP
.B \-D <decoy1 [,decoy2][,ME],...>
O processo de decoy scan ser<65> executado fazendo ele mostrar-se para o host
remoto que o(s) host(s) que voc<6F> especificou como decoys est<73>o scanneando a rede alvo tamb<6D>m. Ent<6E>o seus IDS precisar<61>o reportar 5-10 scan de portas de um <20>nico endere<72>o IP, por<6F>m eles n<>o saber<65>o qual o endere<72>o IP que os estava scanneando e quais eram os decoys inocentes. Enquanto isto pode ser descoberto atrav<61>s de uma rota, respostas soltas, e outras mecanismos ativos, este <20> geralmente uma t<>cnica extremamente efetiva para esconder seu endere<72>o IP.
.Sp
Separando cada decoy host com v<>rgulas, voc<6F> pode usar opcionalmente 'ME' como um dos decoys para representar a posi<73><69>o que voc<6F> quer seu endere<72>o IP para ser usado. Se voc<6F> colocar 'ME' na sexta posi<73><69>o ou outra maior, v<>rias detectores comuns de scan de portas n<>o ser<65>o razo<7A>veis para mostrar seu endere<72>o IP por completo. Se voc<6F> n<>o usar 'ME', o nmap ir<69> colocar voc<6F> em uma posi<73><69>o randomica.
.Sp
Note que os hosts que voc<6F> usa como decoys devem estar ativos ou voc<6F> precisar<61> acidentalmente inundar com pacotes SYN seu alvo. Tamb<6D>m, ele ser<65> muito f<>cil para determinar quais hosts est<73>o scanneando se somente um est<73> atualmente ativo na rede. Voc<6F> dever<65> querer usar o endere<72>o IP ao invez de nomes (ent<6E>o redes decoy n<>o ir<69>o ver voc<6F> em seus nameserver logs).
.Sp
Tamb<EFBFBD>m, note que v<>rios (est<73>pidos) "detectores de scan de portas" ir<69>o firewall/deny roteamento para hosts que tentam fazer o scan de portas. Ent<6E>o voc<6F> precisa descuidadosamente causar a perda de conex<65>o da m<>quina que voc<6F> est<73> scanneando com a m<>quina decoy que voc<6F> esta usando. Isto pode causar maiores problemas para a m<>quina alvo se o decoy est<73> sendo usado, digo, seu internet gateway ou at<61> "localhost". Ent<6E>o voc<6F> pode querer ser cuidadoso com esta op<6F><70>o. A real moral da hist<73>ria <20> que os detectores de scan de portas spoofable n<>o devem gastar a<><61>es contra a m<>quina que parece estar scanneando suas portas. Este pode ser somente um decoy, ou seja, uma isca, uma armadilha!
.Sp
Decoys s<>o usados tanto em ping scan inicial (usando ICMP, SYN, ACK, ou o que seja) e durante a fase de atual scanneamento de porta. Decoy s<>o tamb<6D>m usados durante a detec<65><63>o remota de SO (
.B \-O
).
.Sp
Este <20> um digno registrador que usa v<>rios decoys que podem atrasar seu scan e potencialmente at<61> fazer este menos preciso. Tamb<6D>m, v<>rios ISPs filtram pacotes spoofed, embora v<>rios (correntemente a maioria) n<>o restrigem pacotes IP spoofed por inteiro.
.TP
.B \-S <IP_Address>
Em v<>rias circunst<73>ncias,
.I nmap
pode n<>o ser capaz de determinar seu endere<72>o de origem (
.I nmap
ir<EFBFBD> avis<EFBFBD>-lo se este <EFBFBD> o caso). Nesta situa<EFBFBD><EFBFBD>o, use
\-S com seu endere<72>o IP (atrav<61>s da interface que voc<6F> deseja enviar pacotes).
.Sp
Outro poss<73>vel uso deste flag <20> para spoofar o scan para fazer o alvo pensar que
.B algu<EFBFBD>m mais
est<EFBFBD> scanneando. Imagine uma companhia sendo repetidamente port scanned pelo seu competidor! Este n<>o <20> um uso suportado (ou o principal prop<6F>sito) deste flag. Eu penso somente que isso levanta uma interessante discuss<73>o, em que as pessoas devem estar cientes antes que elas acusem outras pessoas de estar scanneando suas portas.
.B \-e
geralmente ser<65> requerida para este tipo de uso.
.TP
.B \-e <interface>
Fala para o nmap qual interface enviar e receber pacotes. Nmap deve ser capaz de detectar isto, por<6F>m este contar<61> para voc<6F> se n<>o puder.
.TP
.B \-g <portnumber>
Conjunto de n<>meros de portas de origens usadas no scan. V<>rios ing<6E>nuos firewalls e filtros de pacotes instalados fazem uma exce<63><65>o em seus conjuntos de regras para permitir pacotes DNS (53) ou FTP-DATA (20) para entrar e estabelecer a conex<65>o. Obviamente isto contesta completamente as vantagens de seguran<61>a do firewall desde que intrusos podem somente mascarar como FTP ou DNS por modificar suas portas de origem. Obviamente para UDP scan voc<6F> deve tentar 53 primeiro e TCP scans devem tentar 20 antes da porta 53. Note que isso <20> somente uma requisi<73><69>o -- nmap honrar<61> isso somente quando esta estiver h<>bil para. Por exemplo, voc<6F> n<>o pode amostrar todo TCP ISN de um host:porta para um host:porta, ent<6E>o nmap muda a porta de origem mesmo que seja usado -g.
.Sp
Seja ciente que existe uma penalidade na performance em v<>rios scans por usar esta op<6F><70>o, porque eu algumas vezes armazeno informa<6D><61>es <20>teis no n<>mero da porta de origem.
.TP
.B \-r
Fala para o Nmap para
.B N<EFBFBD>O
randomizar a ordem na qual as portas ser<65>o scanneada.
.TP
.B \-\-randomize_hosts
Fala para o Nmap para embaralhar cada grupo acima de 2048 hosts antes de scanne<6E>-los. Isto pode fazer o scan menos evidente para v<>rios sistemas de monitora<72><61>o de rede, especialmente quando voc<6F> combina estes com as op<6F><70>es de baixo tempo (slow timing) (veja abaixo).
.TP
.B \-M <max sockets>
Conjunto m<>ximo de n<>meros de sockets que ser<65> usado em paralelo pelo TCP connect() scan (por defini<6E><69>o). Esta <20> <20>til para diminuir um pouco o scan e anular a possibilidade de travar a m<>quina remota. Outra aproxima<6D><61>o <20> para usar \-sS, a qual <20> geralmente f<>cil para as m<>quinas descreverem.
.TP
.B OP<EFBFBD><EFBFBD>ES DE TEMPO
Geralmente o Nmap faz um bom trabalho em ajustar para as caracter<65>sticas da rede um tempo de execu<63><75>o e scanning t<>o r<>pido quanto poss<73>vel enquanto minimiza as chances do hosts/portas serem n<>o detectadas. Entretanto, existem v<>rios casos onde a pol<6F>tica de tempo default do Nmap pode n<>o encontrar seus objetivos. As seguintes op<6F><70>es prov<6F>em um fino n<>vel de controle sobre o tempo de scan:
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Estas s<>o pol<6F>ticas de tempo preservados para convenientemente expressar suas prioridades para o Nmap.
.B Paranoid
modo de scan
.B muito
lento na esperan<61>a de prevenir a detec<65><63>o pelo sistema IDS. Este serializa todos os scans (scanning n<>o paralelo) e geralmente espera no m<>nimo 5 minutos entre o envio de pacotes.
.B Sneaky
<EFBFBD> similar, exceto que somente espera 15 segundos entre o envio de pacotes.
.B Polite
tem o significado para facilitar a carga na rede e reduzir as chances de travar a m<>quina. Ele serializa os testes e espera
.B no m<EFBFBD>nimo
0.4 segundos entre eles.
.B Normal
<EFBFBD> o comportamento default do Nmap, o qual tenta executar t<>o r<>pido quanto poss<73>vel sem sobrecarregar a rede ou perder hosts/portas.
.B Aggressive
esse modo adiciona um timeout de 5 minutos por host e nunca espera mais que 1.25 segundos para testar as respostas.
.B Insane
<EFBFBD> somente adequando para redes muito r<EFBFBD>pidas ou onde voc<EFBFBD> n<EFBFBD>o se importa em perder algumas informa<EFBFBD><EFBFBD>es. Nesta op<EFBFBD><EFBFBD>o o timeout dos hosts acontecem em 75 segundos e espera somente 0.3 segundos por teste individual. Esta possibilita, de qualquer forma, uma varredura extremamente r<EFBFBD>pida na rede :o). Voc<EFBFBD> pode tamb<EFBFBD>m referenciar isso por n<EFBFBD>meros (0-5). Por exemplo, \'-T 0\' fornece para voc<EFBFBD> o modo Paranoid e \'-T 5\' <EFBFBD> o modo Insane.
.Sp
Estes modos, para preservar o tempo, N<>O devem ser usados em combina<6E><61>o com controles de baixo n<>vel, como os fornecidos abaixo.
.TP
.B --host_timeout <milliseconds>
Especifica a soma de tempo que o Nmap permite para gastar scanneando um simples host antes de desistir daquele IP. O modo de tempo default n<>o tem o timeout do host.
.TP
.B --max_rtt_timeout <milliseconds>
Especifica a soma m<>xima de tempo do Nmap tem permitido para esperar pela resposta de teste antes de retransmitir ou ocorrer um timeout de um particular teste. O modo default seta este valor em 9000.
.TP
.B --min_rtt_timeout <milliseconds>
Quando um host alvo come<6D>a a estabelecer um padr<64>o de resposta muito r<>pido, Nmap ir<69> contrair a soma de tempo fornecida por teste. Isto aumenta a velocidade do scan, por<6F>m pode levar a perder pacotes quando a resposta gasta mais tempo que o usual. Com este par<61>metro voc<6F> pode garantir que o Nmap ir<69> esperar ao menos a soma de tempo fornecida antes de abrir m<>o do teste.
.TP
.B --initial_rtt_timeout <milliseconds>
Especifica o timeout do teste inicial. Isto <20> geralmente <20>til quando scanning firewalled hosts com -P0. Normalmente o Nmap pode obter boas estimativas RTT do ping e dos primeiros testes. O modo default usa 6000.
.TP
.B --max_parallelism <number>
Especifica o n<>mero m<>ximo de Nmap scans permitidos para serem performados em paralelo. Ajustando este para 1 significa que o Nmap nunca ir<69> tentar scannear mais que uma porta por vez. Este, tamb<6D>m, afeta outros scans paralelos como o ping sweep, RPC scan, etc.
.TP
.B --scan_delay <milliseconds>
Especifica a
.B m<EFBFBD>nima
soma de tempo que o Nmap precisa esperar entre testes. Este <20>, na maioria das vezes, <20>til para reduzir a carga da rede ou para diminuir a maneira de scan para esquivar-se do IDS.
.SH ESPECIFICA<EFBFBD><EFBFBD>O DO ALVO
Tudo que n<>o <20> uma op<6F><70>o (ou argumento de op<6F><70>o) no nmap <20> tratado como especifica<63><61>o do host alvo. No caso mais simples s<>o registrados simples hostnames ou endere<72>os IPs na linha de comando. Se voc<6F> quiser scannear uma subrede de endere<72>os IPs, voc<6F> pode anexar
.B '/mask'
para o hostname ou endere<EFBFBD>o IP.
.B mask
precisa estar entre 0 (faz o scan de toda internet) e 32 (faz o scan de um simples host especificado). Use /24 para scannear a classe de endere<EFBFBD>o 'C' e /16 para a classe de endere<EFBFBD>o 'B'.
.Sp
Nmap, tamb<6D>m, tem a mais poderosa nota<74><61>o a qual permite voc<6F> especificar um
endere<EFBFBD>o IP usando uma lista/fileira para cada elemento. Ent<6E>o voc<6F> pode scannear todo o endere<72>o classe 'B' da rede 192.168.*.* especificando '192.168.*.*' ou '192.168.0-255.0-255' ou at<61> '192.168.1-50,51-255.1,2,3,4,5-255'. E <20> claro, voc<6F> pode usar a nota<74><61>o de m<>scara: '192.168.0.0/16'. Estes todos s<>o equivalentes.
.Sp
Outra coisa interessante para fazer <20> dividir em peda<64>os a Internet de outra maneira. Ao invez de scannear todos os hosts da classe 'B', scan '*.*.5.6-7' com o objetivo de explorar todos os endere<72>os IPs que terminam em .5.6 ou .5.7 escolhendo seus pr<70>prios n<>meros. Para mais informa<6D><61>es dos hosts espec<65>ficos para scannear, veja a se<73><65>o de
.I exemplos.
.SH EXEMPLOS
Aqui existem v<>rios exemplos de uso do nmap, do simples e normal para um pouco mais complexo/esot<6F>rico. Note que n<>meros atuais e v<>rios nomes de dom<6F>nios atuais s<>o usados para tornar as coisas mais concretas. Em seus lugares voc<6F> deve substituir por endere<72>os/nomes da
.B sua pr<EFBFBD>pria rede.
Eu n<>o penso que scannear portas de outras rede <20> ilegal; nem deve o scanneamento de portas ser feito por outros como um ataque. Eu tenho scanneado centenas de milhares de m<>quinas e tenho recebido somente uma reclama<6D><61>o. Por<6F>m eu n<>o sou advogado e alguma pessoa pode estar irritado pelos testes do
.I nmap
. Primeiramente, obtenha permiss<EFBFBD>o ou use sobre seu pr<EFBFBD>prio risco.
.Sp
.B nmap -v target.example.com
.Sp
Esta op<6F><70>o faz o scan de todas as portas TCP reservadas na m<>quina target.example.com. A op<6F><70>o \-v significa ligar o modo verbose.
.Sp
.B nmap -sS -O target.example.com/24
.Sp
Lan<EFBFBD>a um stealth SYN scan contra cada m<>quina que est<73> ativa, abrangendo todas as 255 m<>quinas de classe 'C' onde target.example.com reside. Este exemplo, tamb<6D>m, tenta determinar o sistema operacional que esta executando em cada host que esta ativo. Este requere privil<69>gios de root (super usu<73>rio) por causa da t<>cnica SYN scan e da detec<65><63>o de SOs.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
Envia um Xmas tree scan para a primeira metade de cada uma das 255 possibilidades de subredes de 8 bit no espa<70>o de endere<72>os classe 'B' em 198.116. N<>s estamos testando quando o sistema executa sshd, DNS, pop3d, imapd, ou a porta 4564. Note que o Xmas scan n<>o trabalha com a Microsoft devido a sua deficiente pilha TCP. O mesmo acontece com CISCO, IRIX, HP/UX, e BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Em lugar de focar somente um espec<65>fico IP, <20> interessante, algumas vezes, abranger um fatia de toda a internet e fazer o scan de um pequena amostra de cada fatia. Este comando encontra todos os servidores web em m<>quinas com endere<72>os IPs terminando em .2.3, .2.4, ou .2.5. Se voc<6F> <20> super usu<73>rio (root) voc<6F> pode adicionar -sS. Tamb<6D>m, voc<6F> ir<69> encontrar mais m<>quinas interessantes come<6D>ando com 127., ent<6E>o voc<6F> pode querer usar '127-222' ao invez dos primeiros aster<65>sticos porque essa parte tem uma alta densidade de m<>quinas interessantes
(IMHO).
.Sp
.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
Fazer uma transfer<65>ncia de zona de DNS para encontrar hosts em company.com e ent<6E>o alimentar os endere<72>os IPs para o
.I nmap.
Os comandos acima s<>o para minha caixa GNU/Linux. Voc<6F> pode precisar de diferentes comandos/op<6F><70>es em outros sistemas operacionais.
.SH BUGS
Bugs? O que <EFBFBD> bugs? Envie-me os bugs que voc<EFBFBD> encontrar. Patches s<EFBFBD>o uma boa tamb<EFBFBD>m :o) Lembrem-se de, tamb<EFBFBD>m, enviar novos SO fingerprints para que possamos aumentar nossa base de dados. O Nmap ir<EFBFBD> fornecer para voc<EFBFBD> uma URL de submiss<EFBFBD>o quando um apropriado fingerprint for encontrado.
.SH AUTOR
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH TRADUTOR
.Sp
Ant<EFBFBD>nio Pires de Castro Jr
.I <apcastro@ic.unicamp.br>; <apcastro@ondefor.com.br>
Texto traduzido em 17 de Outubro de 2000.
.SH NOTA DO TRADUTOR
.Sp
Esta tradu<64><75>o foi realizada usando a man page oficial do nmap (NMAP 2.54BETA7), e n<>o possui nenhum compromisso com www.insecure.org. Este trabalho foi realizado pela livre e expont<6E>nea vontade do tradutor. Qualquer corre<72><65>o desta pode ser feita enviando um email para o tradutor.
.SH DISTRIBUI<EFBFBD><EFBFBD>O
A mais nova vers<72>o do
.I nmap
pode ser obtida em
.I http://www.insecure.org/nmap/
.Sp
.I nmap
(C) 1997,1998,1999,2000 por Fyodor (fyodor@insecure.org)
.Sp
.I libpcap
<EFBFBD>, tamb<6D>m, distribu<62>da junto com nmap. Esta <20> uma copyrighted por Van Jacobson, Craig Leres and Steven McCanne, todos do Laborat<61>rio Nacional de Lawrence em Berkeley, University of California, Berkeley, CA. A vers<72>o distribu<62>da com o nmap pode ser modificada, a fonte original est<73> dispon<6F>vel em ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
.Sp
Este programa <20> um software livre; voc<6F> pode redistribu<62>-lo e/ou modific<69>-lo sobre os termos da Licen<65>a P<>blica Geral GNU como publicado pelo Free Software Foundation; Vers<72>o 2. Esta garante seu direito de usar, modificar e redistribuir o Nmap sobre certas condi<64><69>es. Se esta licen<65>a for inaceit<69>vel para voc<6F>, o Insecure.Org pode estar querendo negociar alternativas licen<65>as (entre em contato com fyodor@insecure.org).
.Sp
O c<>digo de origem <20> fornecido para este software porque n<>s acreditamos que os usu<73>rios tem o direito de conhecer exatamente qual o programa ele ir<69> usar antes de execut<75>-lo. Isto, tamb<6D>m, permite voc<6F> auditar o software para furos de seguran<61>a (nenhum foi encontrado).
.Sp
O c<>digo de origem tamb<6D>m permite voc<6F> portar o Nmap para novas plataformas, consertar bugs, e adicionar novas caracter<65>sticas. Voc<6F> esta altamente encorajado para enviar suas mudan<61>as para fyodor@insecure.org para poss<73>veis encorpora<72><61>es em sua principal distribui<75><69>o. Por enviar estas mudan<61>as para Fyodor ou uma das listas de discuss<73>o dos desenvolvedores insecure.org, ser<65> assumido que voc<6F> est<73> oferecendo nenhum limite a Fyodor, n<>o-exclusivo direito de reusar, modificar, e relicenciar o c<>digo. Isto <20> importante por causa da incapacidade para relicenciar c<>digos, isso tem causado devastadores problemas para outros projetos de software livres (como KDE e NASM). O c<>digo fonte do Nmap sempre estar<61> dispon<6F>vel. Se voc<6F> desejar especificar especiais condi<64><69>es de licen<65>a das suas contribui<75><69>es, somente diga quando voc<6F> as enviar.
.Sp
Este programa <20> distribu<62>do na esperan<61>a de ser <20>til, por<6F>m
.B SEM NENHUMA GARANTIA;
sem mesmo implicar garantia de
.B COMERCIABILIDADE
ou
.B ADAPTA<EFBFBD><EFBFBD>O PARA UM PROP<EFBFBD>SITO PARTICULAR.
Veja a Licen<65>a P<>blica Geral GNU por mais detalhes (esta est<73> no arquivo COPYING da distribui<75><69>o do
.I nmap
).
.Sp
Tamb<EFBFBD>m deve ser notado que o Nmap tem sido conhecido por travar certas aplica<63><61>es pobremente escritas, pilhas TCP/IP, e mesmo certos sistemas operacionais.
.B O Nmap nunca deve ser executado contra sistemas cr<EFBFBD>ticos de miss<EFBFBD>o ao menos que voc<EFBFBD> esteja preparado para sofrer com o tempo ocioso. N<EFBFBD>s reconhecemos aqui que o Nmap pode travar seu sistema ou rede e n<EFBFBD>s renunciamos todas responsabilidades por qualquer dano ou problemas que o Nmap possa causar.
.Sp
Por menosprezar os riscos de travar e por causa de v<>rios usu<73>rios mal<61>ciosos gostarem de usar o Nmap para fazer o levantamento topol<6F>gico da rede antes de atacar o sistema, existem administradores que est<73>o preocupados e podem reclamar quando seus sistemas s<>o scanneados. Por isso, <20> muitas vezes conveniente requerer permiss<73>o antes de fazer, mesmo que seja, um simples scan na rede.
.Sp
O Nmap nunca deve ser executado com privil<69>gios (ex.: suid root) por raz<61>es de seguran<61>a.
.Sp
Todas as vers<72>es do Nmap igual <20> ou maiores que 2.0 s<>o acreditadas n<>o ter problemas, em todos os aspectos, com o bug do ano 2000 (Y2K). Por<6F>m, n<>o existe raz<61>o para acreditar que vers<72>es anteriores a 2.0 s<>o suscept<70>veis a problemas, por<6F>m n<>s n<>o as testamos.

1020
docs/nmap_russian.1
View File

File diff suppressed because it is too large Load Diff

549
docs/nmap_spanish.1
View File

@@ -1,549 +0,0 @@
.\"Traducido al espa<70>ol por
.\"Antonio Aneiros <aneiros@ctv.es>
.\"el 04-08-1999
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NOMBRE
nmap \- Herramienta de exploraci<63>n de red y esc<73>ner de seguridad.
.SH SINOPSIS
.B nmap
[Tipos(s)de escaneo] [Opciones] <servidor o red #1 ... [#N]>
.SH DESCRIPCI<EFBFBD>N
.I Nmap
ha sido dise<73>ado para permitir a administradores de sistemas y gente curiosa
en general el escaneo de grandes redes para determinar qu<71> servidores se
encuentran activos y qu<71> servicios ofrecen.
.I nmap
es compatible con un gran n<>mero de t<>cnicas de escaneo como: UDP, TCP connect(),
TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping
sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null scan. V<>ase la secci<63>n
.I Tipos de Escaneo
para m<>s detalles.
.I nmap
proporciona tambi<62>n caracter<65>sticas avanzadas como la detecci<63>n remota del
sistema operativo por medio de huellas TCP/IP , escaneo tipo stealth (oculto),
retraso din<69>mico y c<>lculos de retransmisi<73>n, escaneo paralelo, detecci<63>n de
servidores inactivos por medio de pings paralelos, escaneo con se<73>uelos,
detecci<EFBFBD>n de filtrado de puertos, escaneo por fragmentaci<63>n y especificaci<63>n
flexible de destino y puerto.
.PP
Se han hecho grandes esfuerzos encaminados a proporcionar un rendimiento
decente para usuarios normales (no root). Por desgracia, muchos de los
interfaces cr<63>ticos del kernel ( tales como los raw sockets) requieren
privilegios de root.
Deber<EFBFBD>a ejecutarse
.I nmap
como root siempre que sea posible.
.SH OPCIONES
En general, pueden combinarse aquellas opciones que tengan sentido en conjunto.
Algunas de ellas son espec<65>ficas para ciertos modos de escaneo.
.I nmap
trata de detectar y advertir al usuario sobre el uso de combinaciones de
opciones sic<69>ticas o no permitidas.
.Sp
Si usted es una persona impaciente, puede pasar directamente a la secci<63>n
.I ejemplos
al final de este documento, donde encontrar<61> ejemplos de los usos m<>s
corrientes. Tambi<62>n puede ejecutar el comando
.B nmap -h
para una p<>gina de referencia r<>pida con un listado de todas las opciones.
.TP
.B Tipos de Escaneo
.TP
.B \-sT
Escaneo TCP connect(): Es la forma m<>s b<>sica de escaneo TCP. La llamada de
sistema connect() proporcionada por nuestro sistema operativo se usa para
establecer una conexi<78>n con todos los puertos interesantes de la m<>quina. Si
el puerto est<73> a la escucha, connect() tendr<64> <20>xito, de otro modo, el puerto
resulta inalcanzable. Una ventaja importante de esta t<>cnica es que no resulta
necesario tener privilegios especiales. Cualquier usuario en la mayor<6F>a de los
sistemas UNIX tiene permiso para usar esta llamada.
.Sp
Este tipo de escaneo resulta f<>cilmente detectable dado que los registros del
servidor de destino muestran un mont<6E>n de conexiones y mensajes de error para
aquellos servicios que accept() (aceptan) la conexi<78>n para luego cerrarla
inmediatamente.
.TP
.B \-sS
Escaneo TCP SYN: A menudo se denomina a esta t<>cnica escaneo "half open" (medio
abierto), porque no se abre una conexi<78>n TCP completa. Se env<6E>a un paquete
SYN, como si se fuese a abrir una conexi<78>n real y se espera que llegue una
respuesta. Un SYN|ACK indica que el puerto est<73> a la escucha. Un RST es
indicativo de que el puerto no est<73> a la escucha. Si se recibe un SYN|ACK, se
env<EFBFBD>a un RST inmediatamente para cortar la conexi<78>n (en realidad es el kernel
de nuestro sistema operativo el que hace esto por nosotros). La ventaja
principal de esta t<>cnica de escaneo es que ser<65> registrada por muchos menos
servidores que la anterior. Por desgracia se necesitan privilegios de root
para construir estos paquetes SYN modificados.
.TP
.B \-sF \-sX \-sN
Modos Stealth FIN, Xmas Tree o Nul scan: A veces ni siquiera el escaneo SYN
resulta lo suficientemente clandestino. Algunas firewalls y filtros de
paquetes vigilan el env<6E>o de paquetes SYN a puertos restringidos, y programas
disponibles como Synlogger y Courtney detectan este tipo de escaneo. Estos
tipos de escaneo avanzado, sin embargo, pueden cruzar estas barreras sin ser
detectados.
.Sp
La idea es que se requiere que los puertos cerrados respondan a nuestro
paquete de prueba con un RST, mientras que los puertos abiertos deben ignorar
los paquetes en cuesti<74>n (v<>ase RFC 794 pp 64). El escaneo FIN utiliza un
paquete FIN vac<61>o (sorpresa) como prueba, mientras que el escaneo Xmas tree
activa las flags FIN, URG y PUSH. El escaneo NULL desactiva todas las flags.
Por desgracia Microsoft (como de costumbre) decidi<64> ignorar el est<73>ndar
completamente y hacer las cosas a su manera. Debido a esto, este tipo de
escaneo no funcionar<61> con sistemas basados en Windows95/NT. En el lado
positivo, esta es una buena manera de distinguir entre las dos plataformas. Si
el escaneo encuentra puertos cerrados, probablemente se trate de una m<>quina
UNIX, mientras que todos los puertos abiertos es indicativo de Windows.
Excepcionalmente, Cisco, BSDI, HP/UX, MVS, y IRIX tambi<62>n env<6E>an RSTs en vez
de desechar el paquete.
.TP
.B \-sP
Escaneo ping: A veces <20>nicamente se necesita saber qu<71> servidores en una red
se encuentran activos. Nmap puede hacer esto enviando peticiones de respuesta
ICMP a cada direcci<63>n IP de la red que se especifica. Aquellos servidores que
responden se encuentran activos. Desafortunadamente, algunos sitios web como
microsoft.com bloquean este tipo de paquetes. Nmap puede enviar
tambi<EFBFBD>n un paquete TCP ack al puerto 80 (por defecto). Si se obtiene por
respuesta un RST, esa m<>quina est<73> activa. Una tercera t<>cnica implica el
env<EFBFBD>o de un paquete SYN y la espera de de un RST o un SYN/ACK. Para usuarios
no root se usa un m<>todo connect().
.Sp
Por defecto (para usuarios no root), nmap usa las t<>cnicas ICMP y ACK en
paralelo. Se puede cambiar la opci<63>n
.B \-p
descrita m<>s adelante.
.Sp
N<EFBFBD>tese que el envio de pings se realiza por defecto de todas maneras y que
s<EFBFBD>lamente se escanean aquellos servidores de los que se obtiene respuesta. Use
esta opci<63>n s<>lamente en el caso de que desee un ping sweep (barrido ping)
.B sin
hacer ning<6E>n tipo de escaneo de puertos.
.TP
.B \-sU
Escaneo Udp: Este m<>todo se usa para saber qu<71> puertos UDP (Protocolo de
Datagrama de Usuario, RFC 768) est<73>n abiertos en un servidor. La t<>cnica
consiste en enviar paquetes UCP de 0 bytes a cada puerto de la m<>quina
objetivo. Si se recibe un mensaje ICMP de puerto no alcanzable, entonces el
puerto est<73> cerrado. De lo contrario, asumimos que est<73> abierto.
.Sp
Alguna gente piensa que el escaneo UDP no tiene sentido. Normalmente les
recuerdo el reciente agujero Solaris rcpbind. Puede encontrarse a rcpbind
escondido en un puerto UDP no documentado en alg<6C>n lugar por encima del 32770.
Por lo tanto, no importa que el 111 est<73> bloqueado por la firewall.
Pero, <20>qui<75>n puede decir en cual de los m<>s de 30000 puertos altos se
encuentra a la escucha el programa? <20>Con un esc<73>ner UDP se puede! Tenemos
tambi<EFBFBD>n el programa de puerta trasera cDc Back Orifice que se oculta en un
puerto UDP configurable en las m<>quinas Windows, por no mencionar los muchos
servicios frecuentemente vulnerables que usan UDP como snmp, tftp, NFS, etc.
.Sp
Por desgracia, el escaneo UDP resulta a veces tremendamente lento debido a que
la mayor<6F>a de los servidores implementan una sugerencia recogida en el RFC
1812 (secci<63>n 4.3.2.8) acerca de la limitaci<63>n de la frecuencia de mensajes de
error ICMP. Por ejemplo, el kernel de Linux (en /ipv4/icmp.h) limita la
generaci<EFBFBD>n de mensajes de destino inalcanzable a 80 cada cuatro segundos, con
una penalizaci<63>n de 1/4 de segundo si se rebasa dicha cantidad. Solaris tiene
unos l<>mites mucho m<>s estrictos (m<>s o menos 2 mensajes por segundo) y por lo
tanto lleva m<>s tiempo hacerle un escaneo.
.I nmap
detecta este l<>mite de frecuencia y se ralentiza en consecuencia, en vez de
desbordar la red con paquetes in<69>tiles que la m<>quina destino ignorar<61>.
.Sp
Como de costumbre, Microsoft ignor<6F> esta sugerencia del RFC y no parece que
haya previsto ning<6E>n tipo de l<>mite de frecuencia para las m<>quinas Windows.
Debido a esto resulta posible escanear los 65K puertos de una m<>quina Windows
.B muy
r<EFBFBD>pidamente. <20>Woop!
.TP
.B \-b <ftp relay host>
Ataque de rebote FTP: Una caracter<65>stica "interesante" del protocolo FTP (FRC
959) es la posibilidad de realizar conexiones ftp tipo "proxy". En otras
palabras, <20>me resultar<61>a posible conectarme desde malvado.com al servidor ftp
de destino.com y pedirle a ese servidor que enviase un archivo a CUALQUIER
PARTE de Internet! Aun as<61>, esto podr<64>a haber funcionado bien en 1985 cuando
se escribi<62> el RFC, pero en la Internet actual, no podemos permitir que la
gente vaya por ah<61> asaltando servidores ftp y pidi<64>ndoles que escupan sus
datos a puntos arbitrarios de Internet. Tal y como escribi<62> *Hobbit* en 1985,
este defecto del protocolo "puede usarse para enviar mensajes de correo y
noticias cuyo rastro ser<65> virtualmente imposible de seguir, machacar
servidores en varios sitios web, llenar discos, tratar de saltarse firewalls y
, en general, resultar molesto y dif<69>cil de detectar al mismo tiempo." Nosotros
explotaremos este defecto para (sorpresa, sorpresa) escanear puertos TCP desde
un servidor ftp "proxy". De este modo nos podr<64>amos conectar a un servidor ftp
tras una firewall, y luego escanear aquellos puertos que con m<>s probabilidad
se encuentren bloqueados (el 139 es uno bueno). Si el servidor ftp permite la
lectura y escritura en alg<6C>n directorio (como por ejemplo /incoming), se
pueden enviar datos arbitrarios a puertos que se encuentren abiertos (aunque
nmap no realiza esta funci<63>n por s<> mismo).
.Sp
El argumento que se pasa a la opci<63>n 'b' es el host que se pretende usar como
proxy, en notaci<63>n URL est<73>ndar. El formato es:
.I nombre_de_usuario:password@servidor:puerto.
Todo excepto
.I servidor
es opcional. Para determinar qu<71> servidores son vulnerables a este ataque,
v<EFBFBD>ase mi art<72>culo en
.I Phrack
51. Se encuentra disponible una versi<73>n actualizada en la URL de
.I nmap
(http://www.insecure.org/nmap).
.TP
.B Opciones Generales
No se requiere ninguna pero algunas de ellas pueden resultar de gran utilidad.
.TP
.B \-p0
No intenta hacer ping a un servidor antes de escanearlo. Esto permite el
escaneo de redes que no permiten que pasen peticiones (o respuestas)de ecos
ICMP a trav<61>s de su firewall. microsoft.com es un ejemplo de una red de este
tipo, y, por lo tanto, deber<65>a usarse siempre
.B \-p0
o
.B \-PT80
al escanear microsoft.com.
.TP
.B \-PT
Usa el ping TCP para determinar qu<71> servidores est<73>n activos. En vez de enviar
paquetes de petici<63>n de ecos ICMP y esperar una respuesta, se lanzan paquetes
TCP ACK a trav<61>s de la red de destino (o a una sola m<>quina) y luego se espera
a que lleguen las respuestas. Los servidores activos responden con un RST.
Esta opci<63>n mantiene la eficiencia de escanear <20>nicamente aquellos servidores
que se encuentran activos y la combina con la posibilidad de escanear
redes/servidores que bloquean los paquetes ping. Para los usuarios no root
se usa connect(). Para establecer el puerto de destino de los paquetes de
prueba use -PT <n<>mero de puerto). El puerto por defecto es el 80, dado que
normalmente este puerto no es un puerto filtrado.
.TP
.B \-PS
Esta opci<63>n usa paquetes SYN (petici<63>n de conexi<78>n) en vez de los paquetes ACK
para usuarios root. Los servidores activos deber<65>an responder con un RST (o,
en raras ocasiones, un SYN|ACK).
.TP
.B \-PI
Esta opci<63>n usa un paquete ping (petici<63>n de eco ICMP) verdadero. Encuentra
servidores que est<73>n activos y tambi<62>n busca direcciones de broadcast
dirigidas a subredes en una red. Se trata de direcciones IP
alcanzables desde el exterior que env<6E>an los paquetes IP entrantes a una subred
de servidores. Estas direcciones deber<65>an eliminarse, si se encontrase alguna,
dado que suponen un riesgo elevado ante numerosos ataques de denegaci<63>n de
servicio (el m<>s corriente es Smurf).
.TP
.B \-PB
Este es el tipo de ping por defecto. Usa los barridos ACK (
.B \-PT
) e ICMP (
.B \-PI
) en paralelo. De este modo se pueden alcanzar firewalls que filtren uno de los
dos (pero no ambos).
.TP
.B \-O
Esta opci<63>n activa la detecci<63>n remota del sistema operativo por medio de la
huella TCP/IP. En otras palabras, usa un pu<70>ado de t<>cnicas para detectar
sutilezas en la pila de red subyacente del sistema operativo de los servidores
que se escanean. Usa esta informaci<63>n para crear una 'huella' que luego
compara con una base de datos de huellas de sistemas operativos conocidas (el
archivo nmap-os-fingerprints) para decidir qu<71> tipo de sistema se est<73>
escaneando.
.Sp
Si encuentra una m<>quina diagnosticada err<72>neamente que tenga por lo menos un
puerto abierto, me ser<65>a de gran utilidad que me enviase los detalles en un
email (es decir, se encontr<74> la versi<73>n xxx de tal cosa y se detect<63> este u
otro sistema operativo..). Si encuentra una m<>quina con al menos un puerto
abierto de la cual nmap le informe "sistema operativo desconocido",
le estar<61>a agradecido si me enviase la direcci<63>n IP junto con el nombre del
sistema operativo y el n<>mero de su versi<73>n. Si no me puede enviar la
direcci<EFBFBD>n IP, una alternativa ser<65>a ejecutar nmap con la opci<63>n
.B \-d
y enviarme las tres huellas que obtendr<64>a como resultado junto con el nombre
del sistema operativo y el n<>mero de versi<73>n. Al hacer esto, est<73>
contribuyendo a aumentar el n<>mero importante de sistemas operativos conocidos
por namp y de este modo el programa resultar<61> m<>s exacto para todo el mundo.
.TP
.B \-I
Esta opci<63>n activa el escaneo TCP de identificaci<63>n contraria. Tal y como
comenta Dave Goldsmith en un correo Bugtrat de 1996, el protocolo ident (rfc
1413) permite la revelaci<63>n del nombre del usuario propietario de cualquier
proceso conectado v<>a TCP, incluso aunque ese proceso no haya iniciado la
conexi<EFBFBD>n. De este modo se puede, por ejemplo, conectar con el puerto http y
luego usar identd para descubrir si el servidor est<73> ejecut<75>ndose como root.
Esto s<>lo se puede hacer con una conexi<78>n TCP completa con el puerto de
destino (o sea, la opci<63>n de escaneo -sT).
Cuando se usa
.B \-I,
se consulta al identd del servidor remoto sobre cada uno de los puertos
abiertos encontrados en el sistema. Por supuesto, esto no funcionar<61> si el
servidor en cuesti<74>n no est<73> ejecutando identd.
.TP
.B \-f
Esta opci<63>n hace que el escaneo solicitado de tipo SYN, FIN, XMAS, o NULL use
peque<EFBFBD>os paquetes IP fragmentados. La idea consiste en dividir la cabecera TCP
en varios paquetes para pon<6F>rselo m<>s dif<69>cil a los filtros de paquetes,
sistemas de detecci<63>n de intrusi<73>n y otras inconveniencias por el estilo que
tratan de saber lo uno est<73> haciendo. <20>Tenga cuidado con esto! Algunos
programas tienen problemas a la hora de manejar estos paquetes tan peque<75>os.
Mi sniffer favorito produjo un error de segmentaci<63>n inmediatamente despu<70>s de
recibir el primer fragmento de 36 bytes. <20>Despu<70>s de este viene uno de 24
bytes! Mientras que este m<>todo no podr<64> con filtros de paquetes y firewalls
que ponen en cola todos los fragmentos IP (como en el caso de la opci<63>n
CONFIG_IP_ALWAYS_DEFRAG en la configuraci<63>n del kernel de Linux), tambi<62>n
es verdad que algunas redes no pueden permitirse el efecto negativo que esta
opci<EFBFBD>n causa sobre su rendimiento y por lo tanto la dejan desactivada.
.Sp
N<EFBFBD>tese que no he coseguido que esta opci<63>n funcione con todos los sistemas.
Funciona bien con mis sistemas Linux, FreeBSD y OpenBSD y algunas personas
han informado de <20>xitos con otras variantes *NIX.
.TP
.B \-v
Modo de informaci<63>n ampliada. Esta opci<63>n resulta muy recomendable y
proporciona gran cantidad de informaci<63>n sobre lo que est<73> sucediendo. Puede
usarla dos veces para un efecto mayor. <20>Use
.B \-d
un par veces si lo que quiere es volverse loco haciendo scroll en su pantalla!
.TP
.B \-h
Esta opci<63>n tan pr<70>ctica muestra una pantalla de referencia r<>pida sobre las
opciones de uso de nmap. Quiz<69>s haya notado que esta p<>gina de manual no es
precisamente una "referencia r<>pida" :)
.TP
.B \-o <nombre_de_archivo_de_registro>
Esta opci<63>n guarda los resultados de sus escaneos en forma
.B humanamente inteligible
en el archivo especificado como argumento.
.TP
.B \-m <nombre_de_archivo_de_registro>
Esta opci<63>n guarda los resultados de sus escaneos en un formato
.B comprensible para una m<EFBFBD>quina
en el archivo especificado como argumento.
.TP
.B \-i <nombre_de_archivo_de_entrada>
Lee especificaciones de servidores o redes de destino a partir del archivo
especificado en vez de hacerlo de la l<>nea de comandos. El archivo debe
contener una lista de expresiones de servidores o redes separadas por
espacios, tabuladores o nuevas l<>neas. Use un gui<75>n (-) como
.I nombre_de_archivo_de_entrada
si desea que nmap tome las expresiones de servidores de stdin. V<>ase la secci<63>n
.I Especificaci<EFBFBD>n de Objetivo
para m<>s informaci<63>n sobre expresiones con las que poder completar este
archivo.
.TP
.B \-p <rango de puertos>
Esta opci<63>n determina los puertos que se quieren especificar. Por ejemplo, '-p
23' probar<61> solo el puerto 23 del servidor(es) objetivo. '-p
20-30,139,60000-' escanea los puertos del 20 al 30, el puerto 139 y todos los
puertos por encima de 60000. Por defecto se escanean todos los puertos entre
el 1 y el 1024 as<61> como los que figuran en el archivo /etc/services.
.TP
.B \-F Modo de escaneo r<EFBFBD>pido.
Implica que s<>lo se desean escanear aquellos puertos que figuran en
/etc/services. Obviamente esto resulta mucho m<>s r<>pido que escanear cada uno
de los 65535 puertos de un servidor.
.TP
.B \-D <se<73>uelo1 [,se<73>uelo2][,ME],...>
Especifica que se desea efectuar un escaneo con se<73>uelos, el cual hace que el
servidor escaneado piense que la red destino del escaneo est<73> siendo escaneada
tambi<EFBFBD>n por el servidor(es) especificados como se<73>uelos. As<41>, sus IDs pueden
informar de entre 5 y 10 escaneos procedentes de direcci<63>nes IP <20>nicas, pero
no sabr<62>n que direcci<63>n IP les estaba escaneando realmente y c<>ales eran
se<EFBFBD>uelos inocentes.
.Sp
Separe cada servidor se<EFBFBD>uelo con comas, y puede usar opcionalmente 'ME' como
se<EFBFBD>uelo que representa la posici<63>n que quiere que ocupe su direcci<63>n IP. Si
coloca 'ME' en la sexta posici<63>n o superior, es muy poco probable que algunos
esc<EFBFBD>neres de puertos comunes (como el excelente scanlogd de Solar Designer)
lleguen incluso a mostrar su direcci<63>n IP. Si no se usa 'ME', nmap le colocar<61>
a usted en una posici<63>n aleatoria.
.Sp
N<EFBFBD>tese que aquellos servidores usados como se<73>uelos deben escontrarse activos,
o, de lo contrario podr<64>a provocar un desbordamiento (flood) SYN en su
objetivo. Por otra parte, resultar<61> bastante f<>cil saber qu<71> servidor est<73>
escaneando si <20>nicamente hay uno activo en la red.
.Sp
N<EFBFBD>tese tambi<62>n que algunos (est<73>pidos) "detectores de esc<73>neres de puertos"
opondr<EFBFBD>n una firewall o bien denegar<61>n el rutaje a aquellos servidores que
intenten escanear sus puertos. De este modo se podr<64>a provocar
inadvertidamente que la m<>quina que se est<73> intentando escanear perdiese
contacto con los servidores usados como se<73>uelos. Esto podr<64>a causarles a los
servidores escaneados verdaderos problemas si los servidores se<73>uelo fuesen,
por ejemplo, su gateway a internet o incluso "localhost". Deber<65>a usarse esta
opci<EFBFBD>n con extremo cuidado. La verdadera moraleja de este asunto es que un
detector de escaneos de puertos que aparenten tener intenciones poco
amistosas no deber<65>a llevar a cabo acci<63>n alguna contra la m<>quina que
aparentemente le est<73> escaneando. <20>Podr<64>a no ser m<>s que un se<73>uelo!
.Sp
Los se<73>uelos se usan tanto en el escaneo ping inicial (usando ICMP, SYN, ACK,
o lo que sea) como en la fase de escaneo de puertos propiamente dicha. Tambi<62>n
se usan los se<73>uelos en la fase de detecci<63>n remota del sistema operativo (
.B \-O
).
.Sp
Vale la pena destacar que el uso de demasiados se<73>uelos puede ralentizar el
proceso de escaneo y, potencialmente, hacer que sea menos exacto. Por otra
parte, algunos ISPs filtrar<61>n los paquetes manipulados y los desechar<61>n,
aunque muchos (actualmente la mayor<6F>a) no ponen restricciones a este tipo de
paquetes.
.TP
.B \-S <Direcci<63>n_IP>
En determinadas circunstancias, es posible que
.I nmap
no sea capaz de determinar su (de usted) direcci<63>n IP de origen (
.I nmap
se lo har<61> saber si este es el caso). En este caso, use -S con su direcci<63>n IP
(del interfaz a trav<61>s del cual desea enviar los paquetes).
.Sp
Otro posible uso de esta opci<63>n es el de manipular el escaneo para hacer creer
a los servidores de destino que
.B alguien m<EFBFBD>s
les est<73> escaneando. <20>Imag<61>nese a una compa<70><61>a escaneada repetidamente por una
compa<EFBFBD><EFBFBD>a rival! Esta no es la funci<63>n para la que se ha dise<73>ado esta opci<63>n
(ni su prop<6F>sito principal). Simplemente pienso que revela una posibilidad que
la gente deber<65>a tener en cuenta antes de acusar a los dem<65>s de escanear sus
puertos.
La opci<63>n
.B \-e
ser<EFBFBD> necesaria en general para este tipo de uso.
.TP
.B \-e <interfaz>
Le dice a nmap qu<71> interfaz ha de usar para enviar y recibir paquetes. El
programa deber<65>a detectar esto por s<> mismo, pero le informar<61> si no es as<61>.
.TP
.B \-g <n<>mero_de_puerto>
Establece el n<>mero de puerto de origen a usar en los escaneos. Muchas
instalaciones de firewalls y filtros de paquetes inocentes hacen una excepci<63>n
en sus reglas para permitir que las atraviesen y establezcan una conexi<78>n
paquetes DNS (53) o FTP-DATA (20). Evidentemente esto contraviene
completamente las ventajas en materia de seguridad que comporta una firewall
dado que los intrusos pueden enmascararse como DNS o FTP con una simple
modificaci<EFBFBD>n de su puerto de origen. Por supuesto, deber<65>a probarse primero
con el puerto 53 para un escaneo UDP y los escaneos TCP deber<65>an probar el 20
antes del 53.
.Sp
N<EFBFBD>tese que el uso de esta opci<63>n penaliza levemente el rendimiento del
escaneo, porque a veces se almacena informaci<63>n <20>til en el n<>mero de puerto
de origen.
.TP
.B \-M <max sockets>
Establece el n<>mero m<>ximo de sockets que se usar<61>n en paralelo para un
escaneo TCP connect() (escaneo por defecto). Resulta <20>til a la hora de
ralentizar ligeramente el proceso de escaneo con el fin de evitar que
la m<>quina de destino se cuelgue. Otra manera de hacerlo es usar \-sS, que
normalmente les resulta m<>s f<>cil de asumir a las m<>quinas de destino.
.TP
.B Especificaci<EFBFBD>n de Objetivo
Cualquier cosa que no es una opci<63>n (o el argumento de una opci<63>n) en namp se
trata como una especificaci<63>n de servidor de destino. El caso m<>s simple
consiste en especificar servidores aislados o direcciones IP en la l<>nea de
comandos. Si pretende escanear una subred de direcciones IP, entonces se puede
a<EFBFBD>adir
.B '/mask'
a la direcci<63>n IP o al nombre del servidor.
.B mask
debe estar entre 0 (escanea toda Internet) y 32 (escanea <20>nicamente el
servidor especificado). Use /24 para escanear una direcci<63>n de clase 'C' y /16
para la clase 'B'.
.Sp
Nmap dispone tambi<62>n de una notaci<63>n mucho m<>s potente que permite la
especificaci<EFBFBD>n de direcciones IP usando listas/rangos para cada elemento. De
este modo, se puede escanear la red de clase 'B' completa 128.210.*.*
especificando '128.210.*.*' o '128.210.0-255.0-255' o incluso
'128.210.1-50,51-255.1,2,3,4,5-255'. Y, por supuesto, se puede usar la
notaci<EFBFBD>n de m<>scara: '128.210.0.0/16'. Todas ellas son equivalentes. Si se
usan asteriscos ('*'), ha de tenerse en cuenta que la mayor<6F>a de los shells
requieren que se salga de ellos con caracteres / o que se les proteja con
comillas.
.Sp
Otra posibilidad interesante consiste en dividir Internet en el otro sentido.
En vez de escanear todos los servidores en una clase 'B', se puede
escanear '*.*.5.6-7' para escanear todas las direcciones IP terminadas en .5.6 o .5.7
Escoja sus propios n<>meros. Para m<>s informaci<63>n sobre la especificaci<63>n de
servidores a escanear, v<>ase la secci<63>n
.I ejemplos
a continuaci<63>n.
.SH EJEMPLOS
A continuaci<63>n se muestran algunos ejemplos del uso de nmap que abarcan desde
los usos m<>s normales y frecuentes a los m<>s complejos o incluso esot<6F>ricos.
N<EFBFBD>tese que se han incluido direciones IP y nombres de dominio reales para hacer
las cosas m<>s concretas. Usted deber<65>a sustituirlos por n<>meros y direcciones
de su
.B propia red.
No creo que escanear otras redes sea ilegal; ni se deber<65>an considerar los
escaneos de puertos como ataques. He escaneado cientos de miles de m<>quinas y
tan s<>lo he recibido una queja. Pero no soy abogado y es posible que los
intentos de
.I nmap
lleguen a molestar a alguna gente. Obtenga primero el permiso para hacerlo o
h<EFBFBD>galo bajo su propia responsabilidad.
.Sp
.B nmap -v objetivo.ejemplo.com
.Sp
Esta opci<63>n escanea todos los puertos TCP reservados en la m<>quina
objetivo.ejemplo.com. La \-v implica la activaci<63>n del modo de informaci<63>n
ampliada.
.Sp
.B nmap -sS -O objetivo.ejemplo.com/24
.Sp
Lanza un escaneo SYN oculto contra cada una de las m<>quinas activas de las 255
m<EFBFBD>quinas de la classe 'C' donde se aloja objetivo.ejemplo.com. Tambi<62>n trata
de determinar el sistema operativo usado en cada una de las m<>quinas activas.
Este escaneo requiere privilegios de roor a causa del escaneo SYN y la
detecci<EFBFBD>n del sistema operativo.
.Sp
.B nmap -sX -p 22,53,110,143 "128.210.*.1-127"
.Sp
Env<EFBFBD>a un escaneo Xmas tree a la primera mitad de cada una de las 255 posibles
subredes de 8 bits en el espacio de direcciones clase 'B' 128.210 . Se trata
de comprobar si los sistemas ejecutan sshd, DNS, pop3d, imapd o el puerto
4564. N<>tese que el escaneo Xmas no funciona contra servidores ejecutando
cualquier sistema operativo de Microsoft debido a una pila TCP deficiente. Lo
mismo se aplica a los sistemas CISCO, IRIX, HP/UX, y BSDI.
.Sp
.B nmap -v -p 80 '*.*.2.3-5'
.Sp
En vez de centrarse en un rango espec<65>fico de direcciones IP, resulta a veces
interesante dividir Internet en porciones y escanear una peque<75>a muestra de
cada porci<63>n. Este comando encuentra todos los servidores web en m<>quinas
cuyas direcciones IP terminen en .2.3, .2.4, o .2.5 . Si usted es root podr<64>a
a<EFBFBD>adir tambi<62>n -sS. Tambi<62>n encontrar<61> m<>quinas mucho m<>s interesantes
si empieza en 127. as<61> que es posible que desee usar '127-222' en vez de el
primer asterisco dado que esa secci<63>n tiene una densidad mucho mayor de
m<EFBFBD>quinas interesantes (IMHO).
.Sp
.B host -l compa<EFBFBD><EFBFBD>a.com | cut '-d ' -f 4 | ./nmap -v -i -
.Sp
Hace una transferencia de DNS de zona para descubrir los servidores en
compa<EFBFBD><EFBFBD>a.com y luego pasar las direcciones IP a
.I nmap.
Los comandos arriba indicados son para mi sistema Linux. Es posible que se
necesiten comandos/opciones diferentes para otros sistemas operativos.
.SH BUGS
<EFBFBD>Bugs? <20>Qu<51> bugs? Por favor, env<6E>eme cualquier bug que descubra. Los parches
tampoco estar<61>an mal :) Recuerde enviar tambi<62>n nuevas huellas de sistemas
operativos para que podamos ampliar nuestra base de datos.
.SH AUTOR
.Sp
Fyodor
.I <fyodor@insecure.org>Tipos de Escaneo
.SH DISTRIBUCI<EFBFBD>N
La <20>ltima versi<73>n de
.I nmap
se puede obtener en
.I http://www.insecure.org/nmap
.Sp
.I nmap
es (C) 1997,1998 de Fyodor (fyodor@insecure.org, fyodor@insecure.org)
.Sp
Este programa es software libre; puede redistribuirse y/o modificarse bajo los
t<EFBFBD>rminos de la Licencia P<>blica General GNU tal y como la publica la Fundaci<63>n
de Software Libre; Versi<73>n 2.
.Sp
Este programa se distribuye con la esperanza de que pueda resultar de
utilidad, pero SIN NING<4E>N TIPO DE GARANT<4E>A; sin tan siquiera la garant<6E>a e ser
apto para su COMECIALIZACI<43>N o ADECUADO PARA UN PROP<4F>SITO EN PARTICULAR. V<>ase
la Licencia P<>blica General GNU para m<>s detalles (est<73> en el archivo COPYING
de la distribuci<63>n de
.I nmap
).

2
nmap.spec.in
View File

@@ -55,7 +55,7 @@ be installed before installing nmap-frontend.
%build
export CFLAGS="$RPM_OPT_FLAGS"
export CXXFLAGS="$RPM_OPT_FLAGS"
./configure --prefix=%{prefix} --mandir=%{prefix}/share/man --without-openssl
./configure --prefix=%{prefix} --mandir=%{prefix}/share/man --without-openssl --without-umit
%if "%{static}" == "1"
make static
%else

24
nse_nmaplib.cc
View File

@@ -399,18 +399,18 @@ static int l_set_port_version(lua_State* l, Target* target, Port* port) {
}
static int l_print_debug_unformatted(lua_State *l) {
int verbosity=1, stack_counter(1);
const char *out;
if (lua_gettop(l) != 2) return luaL_error(l, "Incorrect number of arguments\n");
verbosity = luaL_checkinteger(l, 1);
if (verbosity > o.verbose) return 0;
out = luaL_checkstring(l, 2);
log_write(LOG_STDOUT, "%s DEBUG: %s\n", SCRIPT_ENGINE, out);
return 0;
int verbosity=1;
const char *out;
if (lua_gettop(l) != 2) return luaL_error(l, "Incorrect number of arguments\n");
verbosity = luaL_checkinteger(l, 1);
if (verbosity > o.verbose) return 0;
out = luaL_checkstring(l, 2);
log_write(LOG_STDOUT, "%s DEBUG: %s\n", SCRIPT_ENGINE, out);
return 0;
}
static int l_exc_finalize(lua_State *l) {

8
nselib/Makefile.in
View File

@@ -1,16 +1,10 @@
PLATFORM=@host@
#ugly hack to get the includes right
ifeq ($(LIBLUA_LIBS),$(LIBLUADIR)/liblua.a)
LIBLUA_INCLUDE= -I../$(LIBLUADIR)
endif
LIBSUFFIX=@LIBSUFFIX@
CC = @CC@
CXX = @CXX@
CCOPT =
DBGFLAGS =
# LIBPCREDIR = @LIBPCREDIR@
SHTOOL = ../shtool
INSTALL = $(SHTOOL) install
@@ -21,7 +15,7 @@ LTFLAGS = --tag=CC --silent
all: bit.so
bit.so: bit.c @LIBTOOL_DEPS@
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) $(LIBLUA_INCLUDE) $(CFLAGS) -c bit.c
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) @LUAINCLUDE@ $(CFLAGS) -c bit.c
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -avoid-version -module -rpath /usr/local/lib -o bit.la bit.lo
mv .libs/bit.so bit.so

185
nselib/configure vendored
View File

@@ -836,6 +836,7 @@ FFLAGS
ac_ct_F77
LIBTOOL
LIBTOOL_DEPS
LUAINCLUDE
LIBOBJS
LTLIBOBJS'
ac_subst_files=''
@@ -3630,7 +3631,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
echo '#line 3633 "configure"' > conftest.$ac_ext
echo '#line 3634 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -6252,11 +6253,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:6255: $lt_compile\"" >&5)
(eval echo "\"\$as_me:6256: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:6259: \$? = $ac_status" >&5
echo "$as_me:6260: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -6520,11 +6521,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:6523: $lt_compile\"" >&5)
(eval echo "\"\$as_me:6524: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:6527: \$? = $ac_status" >&5
echo "$as_me:6528: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -6624,11 +6625,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:6627: $lt_compile\"" >&5)
(eval echo "\"\$as_me:6628: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:6631: \$? = $ac_status" >&5
echo "$as_me:6632: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -8921,7 +8922,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 8924 "configure"
#line 8925 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -9021,7 +9022,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
#line 9024 "configure"
#line 9025 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -11361,11 +11362,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:11364: $lt_compile\"" >&5)
(eval echo "\"\$as_me:11365: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:11368: \$? = $ac_status" >&5
echo "$as_me:11369: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -11465,11 +11466,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:11468: $lt_compile\"" >&5)
(eval echo "\"\$as_me:11469: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:11472: \$? = $ac_status" >&5
echo "$as_me:11473: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -13026,11 +13027,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:13029: $lt_compile\"" >&5)
(eval echo "\"\$as_me:13030: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:13033: \$? = $ac_status" >&5
echo "$as_me:13034: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -13130,11 +13131,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:13133: $lt_compile\"" >&5)
(eval echo "\"\$as_me:13134: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:13137: \$? = $ac_status" >&5
echo "$as_me:13138: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -15321,11 +15322,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:15324: $lt_compile\"" >&5)
(eval echo "\"\$as_me:15325: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:15328: \$? = $ac_status" >&5
echo "$as_me:15329: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -15589,11 +15590,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:15592: $lt_compile\"" >&5)
(eval echo "\"\$as_me:15593: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
echo "$as_me:15596: \$? = $ac_status" >&5
echo "$as_me:15597: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -15693,11 +15694,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:15696: $lt_compile\"" >&5)
(eval echo "\"\$as_me:15697: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
echo "$as_me:15700: \$? = $ac_status" >&5
echo "$as_me:15701: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -18386,6 +18387,141 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
# needed for lua-includes
if test "${ac_cv_header_lua_h+set}" = set; then
{ echo "$as_me:$LINENO: checking for lua.h" >&5
echo $ECHO_N "checking for lua.h... $ECHO_C" >&6; }
if test "${ac_cv_header_lua_h+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
{ echo "$as_me:$LINENO: result: $ac_cv_header_lua_h" >&5
echo "${ECHO_T}$ac_cv_header_lua_h" >&6; }
else
# Is the header compilable?
{ echo "$as_me:$LINENO: checking lua.h usability" >&5
echo $ECHO_N "checking lua.h usability... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
#include <lua.h>
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_compiler=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
echo "${ECHO_T}$ac_header_compiler" >&6; }
# Is the header present?
{ echo "$as_me:$LINENO: checking lua.h presence" >&5
echo $ECHO_N "checking lua.h presence... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <lua.h>
_ACEOF
if { (ac_try="$ac_cpp conftest.$ac_ext"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } >/dev/null && {
test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
test ! -s conftest.err
}; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_preproc=no
fi
rm -f conftest.err conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
echo "${ECHO_T}$ac_header_preproc" >&6; }
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
yes:no: )
{ echo "$as_me:$LINENO: WARNING: lua.h: accepted by the compiler, rejected by the preprocessor!" >&5
echo "$as_me: WARNING: lua.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
{ echo "$as_me:$LINENO: WARNING: lua.h: proceeding with the compiler's result" >&5
echo "$as_me: WARNING: lua.h: proceeding with the compiler's result" >&2;}
ac_header_preproc=yes
;;
no:yes:* )
{ echo "$as_me:$LINENO: WARNING: lua.h: present but cannot be compiled" >&5
echo "$as_me: WARNING: lua.h: present but cannot be compiled" >&2;}
{ echo "$as_me:$LINENO: WARNING: lua.h: check for missing prerequisite headers?" >&5
echo "$as_me: WARNING: lua.h: check for missing prerequisite headers?" >&2;}
{ echo "$as_me:$LINENO: WARNING: lua.h: see the Autoconf documentation" >&5
echo "$as_me: WARNING: lua.h: see the Autoconf documentation" >&2;}
{ echo "$as_me:$LINENO: WARNING: lua.h: section \"Present But Cannot Be Compiled\"" >&5
echo "$as_me: WARNING: lua.h: section \"Present But Cannot Be Compiled\"" >&2;}
{ echo "$as_me:$LINENO: WARNING: lua.h: proceeding with the preprocessor's result" >&5
echo "$as_me: WARNING: lua.h: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: lua.h: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: lua.h: in the future, the compiler will take precedence" >&2;}
;;
esac
{ echo "$as_me:$LINENO: checking for lua.h" >&5
echo $ECHO_N "checking for lua.h... $ECHO_C" >&6; }
if test "${ac_cv_header_lua_h+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_cv_header_lua_h=$ac_header_preproc
fi
{ echo "$as_me:$LINENO: result: $ac_cv_header_lua_h" >&5
echo "${ECHO_T}$ac_cv_header_lua_h" >&6; }
fi
if test $ac_cv_header_lua_h = yes; then
:
else
{ echo "$as_me:$LINENO: using lua-includefiles provided with nmap" >&5
echo "$as_me: using lua-includefiles provided with nmap" >&6;};LUAINCLUDE=-I../liblua/
fi
ac_config_files="$ac_config_files Makefile"
@@ -19086,11 +19222,12 @@ FFLAGS!$FFLAGS$ac_delim
ac_ct_F77!$ac_ct_F77$ac_delim
LIBTOOL!$LIBTOOL$ac_delim
LIBTOOL_DEPS!$LIBTOOL_DEPS$ac_delim
LUAINCLUDE!$LUAINCLUDE$ac_delim
LIBOBJS!$LIBOBJS$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 71; then
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 72; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5

3
nselib/configure.ac
View File

@@ -15,6 +15,9 @@ AC_SUBST(LIBTOOL_DEPS)
AC_CANONICAL_HOST
# needed for lua-includes
AC_CHECK_HEADER([lua.h],,[AC_MSG_NOTICE(using lua-includefiles provided with nmap);[LUAINCLUDE=-I../liblua/]],)
AC_SUBST(LUAINCLUDE)
AC_CONFIG_FILES([Makefile])
AC_OUTPUT

2
osscan.cc
View File

@@ -120,6 +120,8 @@
# endif
#endif
#include <list>
extern NmapOps o;
/* Note that a sport of 0 really will (try to) use zero as the source

2
output.cc
View File

@@ -115,6 +115,8 @@
#include "utils.h"
#include <string>
#include <vector>
#include <list>
/* Workaround for lack of namespace std on HP-UX 11.00 */
namespace std {};

2
traceroute.h
View File

@@ -101,6 +101,8 @@
#include "Target.h"
#include <vector>
/* Probe types */
#define PROBE_TRACE 0
#define PROBE_TTL 1