FORUM DARKERS

Security & Hacking => Penetration Tests => Topic started by: kohx on January 04, 2009, 08:24:28 PM

Title: Nmap Techniques
Posted by: kohx on January 04, 2009, 08:24:28 PM
Since Brazilians are too STINGY to share quality content, a bunch of folks who only do the basic and useless stuff.

Here is a more advanced post on nmap, with some techniques heavily used by defacers (I said defacers, not pseudo-defacers), for example when looking for other sites on a web server's host...

Thread taken from the darkc0de community.

_________________________________________________________

Use nmap as a host discovery tool.
linuxbox:/home/d3hydr8 # nmap -sL 128.230.18.30-35

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:41 EST
Host npropane.syr.edu (128.230.18.30) not scanned
Host helpeiam1.syr.edu (128.230.18.31) not scanned
Host tracker5-18.syr.edu (128.230.18.32) not scanned
Host mirage2.syr.edu (128.230.18.33) not scanned
Host backup01-18.syr.edu (128.230.18.34) not scanned
Host cwis01.syr.edu (128.230.18.35) not scanned
Nmap done: 6 IP addresses (0 hosts up) scanned in 6.628 seconds

Use nmap as a banner scanner, scan an IP range for open port 25 running IMail.

linuxbox:/home/d3hydr8 # nmap -sV 12.150.145.135-139 -p25 | grep IMail -B 3

Interesting ports on 138.145.static.conninc.com (12.150.145.138):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 28262-4
--

Interesting ports on 139.145.static.conninc.com (12.150.145.139):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 28263-5

Use nmap as a banner scanner, scan an IP range for open port 25 running IMail and send output to a file.

linuxbox:/home/d3hydr8 # nmap -sV 12.150.145.137-139 -p25 | grep IMail -B 3 >> nmap.txt
linuxbox:/home/d3hydr8 # cat nmap.txt

Interesting ports on 138.145.static.conninc.com (12.150.145.138):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 29384-6
--

Interesting ports on 139.145.static.conninc.com (12.150.145.139):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 29385-7

Use the more intensive version check option.
linuxbox:/home/d3hydr8 # nmap -sV --version-all 128.230.18.35 -p 80

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:37 EST
Interesting ports on cwis01.syr.edu (128.230.18.35):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd

Use nmap as a banner scanner, scan random IPs for open port 21 running ProFTPD.

linuxbox:/home/d3hydr8 # nmap -sV -iR 1500 -p21 | grep ProFTPD -B 3
Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 17:41 EST
Interesting ports on www.buford-thompson.net (161.58.19.143):
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD

Use nmap to scan an IP address and get (guess) the OS being used.

linuxbox:/home/d3hydr8 # nmap -PN -O --osscan-limit 38.117.198.214 | grep Running
Running (JUST GUESSING) : ZyXEL ZyNOS (96%)

Using nmap for a traceroute, finds an open port and counts the hops.

linuxbox:/home/d3hydr8 # nmap --traceroute 128.230.18.35

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:27 EST
Interesting ports on cwis01.syr.edu (128.230.18.35):
Not shown: 1656 closed ports, 49 filtered ports
PORT      STATE SERVICE
80/tcp    open  http

TRACEROUTE (using port 80/tcp)
HOP RTT   ADDRESS
1   2.89  192.168.1.1
2   12.18 10.114.0.1
3   9.52  172.22.5.13
4   12.33 172.22.5.69
5   10.86 172.22.33.73
6   12.48 172.22.32.106
7   15.21 12.86.87.29
8   41.73 tbr2.attga.ip.att.net (12.122.96.74)
9   41.78 tbr1.dlstx.ip.att.net (12.122.2.89)
10  73.50 ggr3.dlstx.ip.att.net (12.123.16.201)
11  42.87 br2-a3120s2.attga.ip.att.net (192.205.33.206)
12  66.36 66.192.240.226
13  74.74 64-132-176-170.static.twtelecom.net (64.132.176.170)
14  77.85 128.230.61.1
15  74.08 c6509r-srv.syr.edu (128.230.61.58)
16  73.36 cwis01.syr.edu (128.230.18.35)

Nmap done: 1 IP address (1 host up) scanned in 111.295 seconds

Use nmap to test the reason why a port is in a specific state.

linuxbox:/home/d3hydr8 # nmap --reason 128.230.18.35 -p 21

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:31 EST
Interesting ports on cwis01.syr.edu (128.230.18.35):
PORT   STATE    SERVICE REASON
21/tcp filtered ftp     no-response

Nmap done: 1 IP address (1 host up) scanned in 1.247 seconds

Use nmap with a spoofed MAC address.

linuxbox:/home/d3hydr8 # nmap --spoof-mac 08:00:69:02:01:FC -iR 3

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 22:51 EST
Spoofing MAC address 08:00:69:02:01:FC (Silicon Graphics)
Nmap done: 3 IP addresses (0 hosts up) scanned in 3.387 seconds

Use nmap with cloaked decoys. You can use my script for creating a list of IPs to use. http://www.darkc0de.com/misc/ipgen1.1.py

linuxbox:/home/d3hydr8 # nmap -D 198.162.1.100,198.162.1.101 -iR 3

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-17 23:22 EST
Nmap done: 3 IP addresses (0 hosts up) scanned in 3.082 seconds
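The `grep IMail -B 3` trick above breaks as soon as a host block has a different number of lines. As an added example (not from the original post nor from d3hydr8's darkc0de write-up), here is a small parser for the nmap 4.x "normal" output format quoted above that groups port rows per host, keeps the hostname when nmap resolved one, and filters by version string, port and state, which is how you would check your own mail or web hosts for an outdated banner. The sample output, host names and 192.0.2.0/24 addresses are constructed.

```python
import re

# Constructed sample in the nmap 4.x "normal" output format quoted above (not real scan data;
# 192.0.2.0/24 is a documentation range).
SAMPLE_OUTPUT = """\
Interesting ports on mail1.example.test (192.0.2.10):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    IMail NT-ESMTP 6.06 28262-4
80/tcp open  http    Apache httpd

Interesting ports on 192.0.2.11:
PORT   STATE    SERVICE VERSION
25/tcp filtered smtp

Interesting ports on mail2.example.test (192.0.2.12):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
Nmap done: 3 IP addresses (3 hosts up) scanned in 6.628 seconds
"""

# "Interesting ports on name (ip):" when nmap resolved a name, "Interesting ports on ip:" otherwise.
HOST_RE = re.compile(r"^Interesting ports on (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?:$")
# Port rows; VERSION is optional and may contain spaces, so it takes the rest of the line.
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")


def parse_nmap_normal(text):
    """Return {ip: {"name": hostname or None, "ports": [row dicts]}} for every host block."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group("ip"), {"name": m.group("name"), "ports": []})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["version"] = row["version"].strip()
            current["ports"].append(row)
    return hosts


def hosts_running(hosts, needle, port=None, state="open"):
    """IPs with a port in `state` whose version banner contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return [ip for ip, info in hosts.items()
            if any(r["state"] == state and (port is None or r["port"] == port)
                   and needle in r["version"].lower() for r in info["ports"])]
```

Feed it the output of `nmap -sV ... > nmap.txt` instead of the constructed sample; hosts that answer with a `filtered` row (the `no-response` case from `--reason`) stay in the result with an empty version string rather than being silently dropped by grep.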
Title: Re: Nmap Techniques
Posted by: Casanova on January 11, 2009, 12:52:03 AM
Very cool, the Nmap book "NMAP Network Scanning" came out, very interesting.
Title: Re: Nmap Techniques
Posted by: VonNatur on February 14, 2009, 12:14:13 AM
Hi

I have already done a translation (http://0fx66.com/blog/pentest/um-pouco-mais-sobre-nmap/) of this same article; d3hydr8 was very creative in this article, especially in the spoof part :)

[]'s
Title: Re: Nmap Techniques
Posted by: Dr34m3xpl0 on February 18, 2009, 07:42:41 AM
Very good, loved it.
Title: Re: Nmap Techniques
Posted by: atinelli on April 01, 2009, 11:32:10 AM
Awesome!!!
Title: Re: Nmap Techniques
Posted by: outrahacker on September 20, 2009, 03:03:22 AM
I have it here and you can do more things with it..
but this one is good :)

really good..
Title: Re: Nmap Techniques
Posted by: chmod007 on October 15, 2009, 07:20:54 PM
nice one ; )
Title: Re: Nmap Techniques
Posted by: guioximitsu on November 19, 2009, 09:23:53 PM
I always use Nmap to find out information about a given host on the network (internet), such as: operating system; open ports; location; etc.
Great thread.