Nmap - Comandos úteis para um administrador de sistemas Linux

diegomrodrigues

O Nmap é um programa que permite fazer um scan completo em uma rede, ou hosts, para podermos obter informações como: quais hosts estão ativos, quais portas estão abertas, dentre outras. O scan pode determinar as portas abertas em um IP, qual o sistema operacional dele, se ele possui ou não um firewall e assim por diante. Esse é um verdadeiro canivete suíço para os administradores de servidores.

[ Hits: 12.517 ]

Por: Diego Mendes Rodrigues em 05/05/2020 | Blog: https://www.linkedin.com/in/diegomendesrodrigues/

7 0

Denuncie Favoritos Indicar Impressora

Introdução

O Nmap é um programa que permite fazer um scan completo em uma rede, ou em um host, para podermos obter informações como: quais hosts estão ativos, quais portas estão abertas, dentre outras. O scan pode determinar as portas abertas em um IP, qual o sistema operacional dele, se ele possui ou não um firewall e assim por diante. Esse é um verdadeiro canivete suíço para os administradores de servidores, de redes, ou desenvolvedores.

O Nmap pode ser instalado no Linux, MacOS ou no Windows, sendo multiplataforma. Pode ser ser executado através de linha de comando, como iremos demonstrar nesse artigo, ou através de interfaces gráficas.

Aproveite esse material e deixe seus servidores mais seguros.

Instalar o Nmap

Caso você não tenha o Nmap instalado e utilize o Debian, ou derivados, pode instalar com o seguinte comando:

# apt install nmap

Scan de um host ou endereço IP

Execute:

# nmap 192.168.0.28

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 13:35 -03
Nmap scan report for 192.168.0.28
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Observe que o servidor possui os serviços de ssh, http e MySQL instalados, com as portas 22, 80 e 3306 abertas no protocolo TCP. Caso essa máquina estivesse conectada direto na internet, todos esses serviços estariam expostos diretamente para qualquer tipo de tentativa de invasão.

Scan de múltiplos hosts ou vários endereços IP

Execute:

# nmap 192.168.0.1 192.168.0.28 192.168.0.222

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 13:41 -03
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.013s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
8080/tcp open     http-proxy
8081/tcp filtered blackice-icecap
8090/tcp filtered opsmessaging
8888/tcp filtered sun-answerbook

Nmap scan report for 192.168.0.28
Host is up (0.00015s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap scan report for 192.168.0.222
Host is up (0.0048s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

Nmap done: 3 IP addresses (3 hosts up) scanned in 2.91 seconds

Scan de uma sub-rede

Irei buscar todos os computadores que estão na sub-rede 192.168.0.0/24, ou seja, a sub-rede inteira.

# nmap 192.168.0.*
ou
# nmap 192.168.0.0/24

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 13:45 -03
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.014s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
8080/tcp open     http-proxy
8081/tcp filtered blackice-icecap
8090/tcp filtered opsmessaging
8888/tcp filtered sun-answerbook

Nmap scan report for 192.168.0.10
Host is up (0.024s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 192.168.0.28
Host is up (0.00051s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap scan report for 192.168.0.177
Host is up (0.00023s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql

Nmap scan report for 192.168.0.218
Host is up (0.022s latency).
All 1000 scanned ports on 192.168.0.218 are closed

Nmap scan report for 192.168.0.219
Host is up (0.012s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
23/tcp   open     telnet
80/tcp   open     http
902/tcp  filtered iss-realsecure
5440/tcp filtered unknown
7103/tcp filtered unknown
9878/tcp filtered kca-service

Nmap scan report for 192.168.0.222
Host is up (0.0049s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http

Nmap done: 256 IP addresses (7 hosts up) scanned in 33.04 seconds

Detectar os serviços em um servidor

Execute:

# nmap -A 192.168.0.28

Exemplo de retorno:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 13:56 -03 Nmap scan report for 192.168.0.28 Host is up (0.00099s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.17.10 (Ubuntu) |_http-server-header: nginx/1.17.10 (Ubuntu) |_http-title: Welcome to nginx! 3306/tcp open mysql? | fingerprint-strings: | NULL: |_ Host '192.168.0.177' is not allowed to connect to this MariaDB server 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port3306-TCP:V=7.80%I=7%D=5/2%Time=5EADA62F%P=x86_64-pc-linux-gnu%r(NUL SF:L,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.0\.177'\x20is\x20not\x20allo SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds

Observe que no servidor acima está instalado o Ubuntu, com o SSH, Nginx e o MariaDB em execução.

Caso seja necessário descobrir também as versões, adicione o parâmetro -v.

# nmap -v -A 192.168.0.28

Exemplo de retorno:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 13:56 -03 NSE: Loaded 151 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 13:56 Completed NSE at 13:56, 0.00s elapsed Initiating NSE at 13:56 Completed NSE at 13:56, 0.00s elapsed Initiating NSE at 13:56 Completed NSE at 13:56, 0.00s elapsed Initiating Ping Scan at 13:56 Scanning 192.168.0.28 [2 ports] Completed Ping Scan at 13:56, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 13:56 Completed Parallel DNS resolution of 1 host. at 13:56, 0.00s elapsed Initiating Connect Scan at 13:56 Scanning 192.168.0.28 [1000 ports] Discovered open port 80/tcp on 192.168.0.28 Discovered open port 22/tcp on 192.168.0.28 Discovered open port 3306/tcp on 192.168.0.28 Completed Connect Scan at 13:56, 0.03s elapsed (1000 total ports) Initiating Service scan at 13:56 Scanning 3 services on 192.168.0.28 Completed Service scan at 13:56, 6.01s elapsed (3 services on 1 host) NSE: Script scanning 192.168.0.28. Initiating NSE at 13:56 Completed NSE at 13:56, 0.17s elapsed Initiating NSE at 13:56 Completed NSE at 13:56, 0.01s elapsed Initiating NSE at 13:56 Completed NSE at 13:56, 0.00s elapsed Nmap scan report for 192.168.0.28 Host is up (0.00062s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.17.10 (Ubuntu) | http-methods: |_ Supported Methods: GET HEAD |_http-server-header: nginx/1.17.10 (Ubuntu) |_http-title: Welcome to nginx! 3306/tcp open mysql? | fingerprint-strings: | NULL, RPCCheck: |_ Host '192.168.0.177' is not allowed to connect to this MariaDB server 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port3306-TCP:V=7.80%I=7%D=5/2%Time=5EADA650%P=x86_64-pc-linux-gnu%r(NUL SF:L,4C,"H\0\0\x01\xffj\x04Host\x20'192\.168\.0\.177'\x20is\x20not\x20allo SF:wed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,4C SF:,"H\0\0\x01\xffj\x04Host\x20'192\.168\.0\.177'\x20is\x20not\x20allowed\ SF:x20to\x20connect\x20to\x20this\x20MariaDB\x20server"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel NSE: Script Post-scanning. Initiating NSE at 13:56 Completed NSE at 13:56, 0.00s elapsed Initiating NSE at 13:56 Completed NSE at 13:56, 0.00s elapsed Initiating NSE at 13:56 Completed NSE at 13:56, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds

Observe no resultado acima que a versão do servidor de ssh é OpenSSH 8.2p1 e a versão no Nginx é nginx/1.17.10.

Verificar se um host está protegido por um firewall

Execute:

# nmap 192.168.0.28

Exemplo de resultado:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:03 -03
Nmap scan report for 192.168.0.28
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.0.28 are unfiltered
MAC Address: 08:00:27:CF:C7:BE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

Observe que esse servidor não está protegido por um firewall, devido à seguinte mensagem que está no retorno do Nmap:

"All 1000 scanned ports on 192.168.0.28 are unfiltered"

ou seja, todas as 1000 portas escaneadas não estão sendo filtradas.

Agora ativei o firewall do servidor 192.168.0.28:

# nmap 192.168.0.28

Exemplo de resultado:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:08 -03
Nmap scan report for 192.168.0.28
Host is up (0.00031s latency).
All 1000 scanned ports on 192.168.0.28 are filtered
MAC Address: 08:00:27:CF:C7:BE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 21.38 seconds

Observe que agora esse servidor está protegido por um firewall, devido à seguinte mensagem que está no retorno do Nmap:

"All 1000 scanned ports on 192.168.0.28 are filtered"

ou seja, todas as 1000 portas escaneadas estão sendo filtradas pelo firewall.

Scan quando o host está protegido por um firewall

Execute:

# nmap -PN 192.168.0.28

Exemplo de resultado:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:12 -03
Nmap scan report for 192.168.0.28
Host is up (0.074s latency).
All 1000 scanned ports on 192.168.0.28 are filtered

Nmap done: 1 IP address (1 host up) scanned in 191.52 seconds

Scan para descobrir quais servidores e dispositivos estão funcionando em uma sub-rede

Execute:

# nmap -sP 192.168.0.0/24

Exemplo de resultado:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:21 -03
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.12s latency).
Nmap scan report for 192.168.0.10
Host is up (0.12s latency).
Nmap scan report for ubuntu (192.168.0.28)
Host is up (0.00052s latency).
Nmap scan report for 192.168.0.223
Host is up (0.048s latency).
Nmap scan report for 192.168.0.225
Host is up (0.13s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 16.76 seconds

Executar um scan rápido e simples em um IP

Execute:

# nmap -F 192.168.0.0/24

Exemplo de resultado:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:23 -03
Nmap scan report for ubuntu (192.168.0.28)
Host is up (0.00010s latency).
Not shown: 98 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Exibir a interface de rede e as rotas dos hosts

Esse é um comando útil para detectar problemas na rede.

# nmap -iflist

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:26 -03
************************INTERFACES************************
DEV    (SHORT)  IP/MASK                                  TYPE        UP   MTU   MAC
wlp2s0 (wlp2s0) 192.168.0.28/24                          ethernet    up   1500  5C:C9:D3:66:43:6E
wlp2s0 (wlp2s0) fe80::747a:93a9:9c2e:2aca/64             ethernet    up   1500  5C:C9:D3:66:43:6E
wlp2s0 (wlp2s0) 2804:14c:48b:41b2::1/128                 ethernet    up   1500  5C:C9:D3:66:43:6E
wlp2s0 (wlp2s0) 2804:14c:48b:41b2:c581:f4ec:2ca6:2bf9/64 ethernet    up   1500  5C:C9:D3:66:43:6E
wlp2s0 (wlp2s0) 2804:14c:48b:41b2:40c1:626:6d1d:897c/64  ethernet    up   1500  5C:C9:D3:66:43:6E
gpd0   (gpd0)   (none)/0                                 point2point down 1500
lo     (lo)     127.0.0.1/8                              loopback    up   65536
lo     (lo)     ::1/128                                  loopback    up   65536
enp1s0 (enp1s0) (none)/0                                 ethernet    up   1500  1C:39:47:56:D8:A4

**************************ROUTES**************************
DST/MASK                                  DEV    METRIC GATEWAY
192.168.0.0/24                            wlp2s0 600
169.254.0.0/16                            wlp2s0 1000
0.0.0.0/0                                 wlp2s0 600    192.168.0.1
::1/128                                   lo     0
2804:14c:48b:41b2::1/128                  wlp2s0 0
2804:14c:48b:41b2:40c1:626:6d1d:897c/128  wlp2s0 0
2804:14c:48b:41b2:c581:f4ec:2ca6:2bf9/128 wlp2s0 0
fe80::747a:93a9:9c2e:2aca/128             wlp2s0 0
::1/128                                   lo     256
2804:14c:48b:41b2::1/128                  wlp2s0 600
2804:14c:48b:41b2::/64                    wlp2s0 600    fe80::2a32:c5ff:fe53:b0a7
fe80::/64                                 wlp2s0 600
ff00::/8                                  wlp2s0 256
::/0                                      wlp2s0 600    fe80::2a32:c5ff:fe53:b0a7

Especificar em qual porta o scan será realizado

Execute:

# nmap -p 80 192.168.0.28

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:31 -03
Nmap scan report for ubuntu (192.168.0.28)
Host is up (0.00013s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds

Caso queira especificar mais de uma porta, separe elas com vírgulas.

# nmap -p 21,80,443 192.168.0.28

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:32 -03
Nmap scan report for ubuntu (192.168.0.28)
Host is up (0.000078s latency).

PORT    STATE  SERVICE
21/tcp  closed ftp
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Caso queira realizar o scan nas portas mais conhecidas e utilizadas atualmente na internet, utilize o parâmetro --top-ports <quantidade>, como por exemplo:

# nmap --top-ports 10 192.168.0.28
ou
# nmap --top-ports 20 192.168.0.28

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:34 -03
Nmap scan report for ubuntu (192.168.0.28)
Host is up (0.000078s latency).

PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http
110/tcp  closed pop3
111/tcp  closed rpcbind
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed microsoft-ds
993/tcp  closed imaps
995/tcp  closed pop3s
1723/tcp closed pptp
3306/tcp open   mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc
8080/tcp closed http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Descobrir as portas abertas nos computadores de uma rede de forma rápida

Execute:

# nmap -T5 192.168.0.0/24

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:38 -03
Warning: 192.168.0.10 giving up on port because retransmission cap hit (2).
Warning: 192.168.0.223 giving up on port because retransmission cap hit (2).
Warning: 192.168.0.225 giving up on port because retransmission cap hit (2).
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.0066s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
8080/tcp open     http-proxy
8081/tcp filtered blackice-icecap
8090/tcp filtered opsmessaging
8888/tcp filtered sun-answerbook

Nmap scan report for 192.168.0.10
Host is up (0.033s latency).
Not shown: 831 closed ports, 168 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for ubuntu (192.168.0.28)
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql

Nmap scan report for 192.168.0.223
Host is up (0.0046s latency).
Not shown: 983 closed ports
PORT      STATE    SERVICE
4/tcp     filtered unknown
23/tcp    open     telnet
42/tcp    filtered nameserver
80/tcp    open     http
444/tcp   filtered snpp
801/tcp   filtered device
1051/tcp  filtered optima-vnet
1052/tcp  filtered ddt
1066/tcp  filtered fpo-fns
1187/tcp  filtered alias
2702/tcp  filtered sms-xfer
2967/tcp  filtered symantec-av
4002/tcp  filtered mlchat-proxy
8082/tcp  filtered blackice-alerts
8300/tcp  filtered tmi
9900/tcp  filtered iua
49154/tcp filtered unknown

Nmap scan report for 192.168.0.225
Host is up (0.0020s latency).
Not shown: 986 closed ports
PORT      STATE    SERVICE
23/tcp    open     telnet
80/tcp    open     http
700/tcp   filtered epp
1023/tcp  filtered netvenuechat
1069/tcp  filtered cognex-insight
1080/tcp  filtered socks
1085/tcp  filtered webobjects
1124/tcp  filtered hpvmmcontrol
3517/tcp  filtered 802-11-iapp
3827/tcp  filtered netmpi
7070/tcp  filtered realserver
8045/tcp  filtered unknown
26214/tcp filtered unknown
57797/tcp filtered unknown

Nmap scan report for 192.168.0.226
Host is up (0.00019s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 256 IP addresses (6 hosts up) scanned in 23.44 seconds

Detectar o sistema operacional de um servidor

Execute:

# nmap -O 192.168.0.28

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:42 -03
Nmap scan report for ubuntu (192.168.0.28)
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds

Observe que o sistema operacional detectado no servidor é o Ubuntu em Nmap scan report for ubuntu (192.168.0.28).

Scan utilizando o ping

Execute:

# nmap -PO www.vivaolinux.com.br

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:46 -03
Nmap scan report for www.vivaolinux.com.br (104.24.99.136)
Host is up (0.17s latency).
Other addresses for www.vivaolinux.com.br (not scanned): 2606:4700:3030::6818:6288 2606:4700:3030::6818:6388 104.24.98.136
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 24.32 second

Scan utilizando o ping UDP

Execute:

# nmap -PU 192.168.0.28

Exemplo de retorno:


Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 14:49 -03
Nmap scan report for ubuntu (192.168.0.28)
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Conclusão

Espero que você tenha gostado do Nmap, esse canivete suíço para os administradores de redes e de servidores Linux e para os desenvolvedores.

O site oficial dele é: https://nmap.org/

Páginas do artigo

1. Introdução

Outros artigos deste autor

Sistema de Informações Geográficas - Softwares Livres ou Proprietários?

Instalar o Microsoft SQL Server no Debian e no Ubuntu

MultiCD - Diversas Distribuições no mesmo DVD/Pendrive

dstat - Ferramenta de Monitoramento no Linux

Storj - Armazenamento na Nuvem utilizando a tecnologia Blockchain

Leitura recomendada

SAMSB - Snort + Apache2 + MySQL + Snorby e BarnYard2 no Debian

Recuperação do arquivo sudoers - comandos su e sudo não funcionam mais [Resolvido]

Firefox 2 e seu recurso de proteção contra Web Phishing