Several tests with nmap to check how reliable its OS detection is
1. Windows 2000 SP4
2. Linux 2.6.16
3. 3Com router
4. USRobotics wireless router
5. Google
Conclusions
1. Windows 2000 SP4
K7LINUX ~ # nmap -O -v 192.168.123.13

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-05-24 20:53 CEST
Initiating ARP Ping Scan against 192.168.123.13 [1 port] at 20:53
The ARP Ping Scan took 0.02s to scan 1 total hosts.
DNS resolution of 1 IPs took 0.06s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against 192.168.123.13 [1672 ports] at 20:53
Discovered open port 445/tcp on 192.168.123.13
Discovered open port 139/tcp on 192.168.123.13
Discovered open port 1025/tcp on 192.168.123.13
Discovered open port 135/tcp on 192.168.123.13
The SYN Stealth Scan took 1.48s to scan 1672 total ports.
For OSScan assuming port 135 is open, 1 is closed, and neither are firewalled
Host 192.168.123.13 appears to be up ... good.
Interesting ports on 192.168.123.13:
(The 1668 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
MAC Address: 00:C0:49:DB:39:F6 (U.S. Robotics)
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=5232 (Worthy challenge)
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 2.899 seconds
               Raw packets sent: 1694 (75KB) | Rcvd: 1687 (77.7KB)
K7LINUX ~ #
Correct: it is a Windows 2000 SP4. nmap cannot tell Me, 2000 and XP apart here, which means those releases behave the same way under the first-generation probes (same stack quirks included); it does not mean Windows has carried one unchanged TCP/IP stack from 95 to XP, only that these three are indistinguishable to this fingerprint. The guess names "2000 Professional or Advanced Server" rather than a Home edition simply because Windows 2000 never had a Home edition; the Home/Professional split arrived with XP, so there is no "even worse" Home version to wonder about. If you need the exact version rather than a family, the SMB services listening on 139 and 445 announce the Windows version in the session setup reply, which is the quickest way to confirm what the fingerprint can only narrow down.
2. Linux 2.6.16
K7LINUX ~ # nmap -O -v 127.0.0.1

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-05-24 21:14 CEST
DNS resolution of 0 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 0, CN: 0]
Initiating SYN Stealth Scan against localhost (127.0.0.1) [1672 ports] at 21:14
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 445/tcp on 127.0.0.1
Discovered open port 139/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 10000/tcp on 127.0.0.1
The SYN Stealth Scan took 0.36s to scan 1672 total ports.
For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
Host localhost (127.0.0.1) appears to be up ... good.
Interesting ports on localhost (127.0.0.1):
(The 1666 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
10000/tcp open  snet-sensor-mgmt
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
Uptime 9.933 days (since Sun May 14 22:51:23 2006)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4770486 (Good luck!)
IPID Sequence Generation: All zeros

Nmap finished: 1 IP address (1 host up) scanned in 2.667 seconds
               Raw packets sent: 1687 (74.7KB) | Rcvd: 3384 (143KB)
K7LINUX ~ #
It is Linux, but the exact version is not identified, most likely because the kernel is newer than the scanner: nmap 4.01 was released before kernel 2.6.16 existed, so its fingerprint database can only offer the closest older entries (2.5.25 to 2.6.8, or an old Gentoo 2.4.19). Two details are worth noting. The "IPID Sequence Generation: All zeros" line is itself a Linux trait (the kernel writes 0 into the IP identification field of packets that carry the DF bit), and it is one of the things that let nmap say "Linux" so confidently. And this scan went over loopback, which runs the same kernel stack but with its own MTU and therefore different MSS and window values than an Ethernet interface, so the same box scanned from another host may match slightly differently.
3. 3Com router
K7LINUX ~ # nmap -O -v 192.168.1.1

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-05-24 21:00 CEST
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against 192.168.1.1 [1672 ports] at 21:00
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
The SYN Stealth Scan took 0.96s to scan 1672 total ports.
For OSScan assuming port 23 is open, 1 is closed, and neither are firewalled
Host 192.168.1.1 appears to be up ... good.
Interesting ports on 192.168.1.1:
(The 1670 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
Device type: terminal server|CSUDSU|switch|broadband router
Running: 3Com embedded, Kentrox embedded, US Robotics embedded
OS details: 3Com SuperStack II RAS remote access server, Kentrox DataSMART 656 CSU/DSU, USR NETserver/16, or 3Com OfficeConnect ADSL router
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=0 (Trivial joke)
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 2.058 seconds
               Raw packets sent: 1688 (74.7KB) | Rcvd: 1687 (77.6KB)
K7LINUX ~ #
Correct: it is a 3Com OfficeConnect 812, and "3Com OfficeConnect ADSL router" is one of the four candidates nmap lists; a fingerprint shared by several embedded products cannot get more precise than that. The line worth keeping is "TCP Sequence Prediction: Class=trivial time dependency, Difficulty=0 (Trivial joke)": the router's initial sequence numbers are predictable, so an attacker who cannot sniff the link can still guess them and spoof or inject into TCP sessions, and this box exposes both telnet and HTTP management on the LAN side.
4. USRobotics wireless router
K7LINUX ~ # nmap -O -v 192.168.123.254

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-05-24 20:54 CEST
Initiating ARP Ping Scan against 192.168.123.254 [1 port] at 20:54
The ARP Ping Scan took 0.01s to scan 1 total hosts.
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 2, OK: 0, NX: 0, DR: 1, SF: 0, TR: 4, CN: 0]
Initiating SYN Stealth Scan against 192.168.123.254 [1672 ports] at 20:54
Discovered open port 80/tcp on 192.168.123.254
The SYN Stealth Scan took 0.32s to scan 1672 total ports.
For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
Host 192.168.123.254 appears to be up ... good.
Interesting ports on 192.168.123.254:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:C0:49:E1:41:35 (U.S. Robotics)
Device type: WAP
Running: Linksys embedded, D-Link embedded
OS details: Linksys, D-Link, or Planet WAP
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=0 (Trivial joke)
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 15.948 seconds
               Raw packets sent: 1688 (74.8KB) | Rcvd: 1686 (77.6KB)
K7LINUX ~ #
Not entirely right: it is a fairly unusual USRobotics router, a USR8054 with updated firmware, yet nmap guesses Linksys, D-Link or Planet. The most likely explanation is that it is built on the same chipset and reference firmware those vendors use; nmap fingerprints the TCP/IP implementation, not the brand on the case, so products that share a stack look identical to it. The one thing it did get right about the vendor, the MAC address (00:C0:49, U.S. Robotics), comes from the ARP ping, not from the fingerprint. Like the 3Com it reports Difficulty=0 (Trivial joke) for its sequence numbers, and its incremental IP IDs also make it usable as a zombie for an idle scan (nmap -sI).
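Both routers above report "Class=trivial time dependency, Difficulty=0 (Trivial joke)" while the Windows box gets "random positive increments, Difficulty=5232 (Worthy challenge)". The Python script below is an added example, not code from the original post and not nmap's own code, that shows what those lines mean in practice: it takes a handful of observed initial sequence numbers, classifies them the way first-generation nmap does (the difficulty is the standard deviation of the increments between consecutive ISNs; the class names and labels are the ones printed in the scans above, while the numeric thresholds are an assumption chosen to be consistent with the post's values rather than figures copied from the nmap source), and then attempts the attack the line warns about, guessing the next ISN blind. All ISN samples are constructed.

```python
"""Interpreting nmap's "TCP Sequence Prediction: Class=... Difficulty=..." line.

Added example; neither part of the original post nor nmap's own code.  nmap 4.01
sends several SYN probes to an open port, collects the initial sequence numbers
(ISNs) from the SYN/ACK replies and reports how predictable the increments are.
The simplified classifier below follows that idea: the difficulty index is the
standard deviation of the ISN increments.  Class names and difficulty labels are
the ones the scans in the post print; the numeric thresholds are an ASSUMPTION
consistent with the post's values (0 -> "Trivial joke", 5232 -> "Worthy
challenge", 4770486 -> "Good luck!"), not numbers taken from the nmap source.
All ISN samples are constructed.
"""
import statistics

MOD = 1 << 32              # TCP sequence numbers live in a 32-bit space
TRIVIAL_MAX_STDDEV = 75    # assumption: below this the class is "trivial time dependency"


def increments(isns):
    """Increments between consecutive ISNs, reduced modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def difficulty_label(index):
    """Map a difficulty index to the label nmap prints beside it (thresholds assumed)."""
    for limit, label in ((10, "Trivial joke"), (80, "Easy"), (3000, "Medium"),
                         (5000, "Formidable"), (100000, "Worthy challenge")):
        if index < limit:
            return label
    return "Good luck!"


def classify(isns):
    """Return (class, difficulty index) for a list of observed ISNs."""
    diffs = increments(isns)
    if len(diffs) < 3:
        raise ValueError("need at least four ISN samples")
    if all(d == 0 for d in diffs):
        return "constant", 0
    # An increment above 2^31 means the sequence went "backwards": the ISNs are
    # not monotonic, so the generator is treated as truly random (assumed rule).
    if any(d > MOD // 2 for d in diffs):
        return "truly random", 9999999
    index = int(statistics.pstdev(diffs))
    if index < TRIVIAL_MAX_STDDEV:
        return "trivial time dependency", index
    return "random positive increments", index


def predict_next(isns):
    """Blind guess of the next ISN: last ISN plus the mean increment seen so far."""
    return (isns[-1] + round(statistics.mean(increments(isns)))) % MOD


def prediction_error(isns, actual_next):
    """Distance (mod 2^32) between the blind guess and the ISN the host really used."""
    err = (actual_next - predict_next(isns)) % MOD
    return min(err, MOD - err)


# Constructed samples.  ROUTER mimics the "Trivial joke" routers in the post: the
# ISN is effectively a clock, so every increment is about the same.
ROUTER = [1000, 1100, 1201, 1300, 1400, 1499]
ROUTER_NEXT = 1600
# WINDOWS mimics "random positive increments" with a stddev in the low thousands.
WINDOWS = [500000, 514000, 516000, 525000, 542000, 548000]
WINDOWS_NEXT = 560500
# RANDOM mimics the "truly random" result: no monotonic relationship at all.
RANDOM = [0x9A3F1B2C, 0x1F00A3D4, 0xE7C2B1A0, 0x03AA4511, 0xB31D70F9, 0x5E0022AA]


def report(name, isns, actual_next=None):
    """One line in the style of nmap's output, plus how far a blind guess lands."""
    cls, idx = classify(isns)
    line = f"{name}: Class={cls} Difficulty={idx} ({difficulty_label(idx)})"
    if actual_next is not None:
        line += f"  blind guess off by {prediction_error(isns, actual_next)}"
    return line


if __name__ == "__main__":
    print(report("router", ROUTER, ROUTER_NEXT))
    print(report("windows", WINDOWS, WINDOWS_NEXT))
    print(report("random", RANDOM))
```

For the router-like sample the blind guess is off by one, which is why "Trivial joke" is a security finding and not a curiosity: a spoofed segment with that sequence number is accepted without the attacker ever seeing a packet from the victim. For the Windows-like sample the guess is thousands of sequence numbers away, and for the random sample no prediction is possible at all.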
5. Google
K7LINUX ~ # nmap -O -v www.google.es

Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-05-24 20:50 CEST
DNS resolution of 1 IPs took 0.17s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against 66.249.93.104 [1672 ports] at 20:50
Discovered open port 443/tcp on 66.249.93.104
Discovered open port 80/tcp on 66.249.93.104
SYN Stealth Scan Timing: About 20.16% done; ETC: 20:52 (0:02:00 remaining)
Increasing send delay for 66.249.93.104 from 0 to 5 due to 11 out of 27 dropped probes since last increase.
SYN Stealth Scan Timing: About 51.53% done; ETC: 20:55 (0:02:21 remaining)
Increasing send delay for 66.249.93.104 from 5 to 10 due to 11 out of 21 dropped probes since last increase.
The SYN Stealth Scan took 296.96s to scan 1672 total ports.
For OSScan assuming port 80 is open, 113 is closed, and neither are firewalled
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
For OSScan assuming port 80 is open, 113 is closed, and neither are firewalled
For OSScan assuming port 80 is open, 113 is closed, and neither are firewalled
Host 66.249.93.104 appears to be up ... good.
Interesting ports on 66.249.93.104:
(The 1669 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
443/tcp open   https
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.01%P=i686-pc-linux-gnu%D=5/24%Tm=4474AC24%O=80%C=113)
T1(Resp=N)                        TSeq(Class=TR%IPID=RD%TS=U)
T2(Resp=N)                        T1(Resp=Y%DF=N%W=1FFE%ACK=S++%Flags=AS%Ops=ME)
T3(Resp=N)                        T2(Resp=N)
T4(Resp=N)                        T3(Resp=Y%DF=N%W=1FFE%ACK=S++%Flags=AS%Ops=ME)
T5(Resp=N)                        T4(Resp=N)
T6(Resp=N)                        T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(Resp=N)                        T6(Resp=N)
PU(Resp=N)                        T7(Resp=N)
                                  PU(Resp=N)

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Randomized

Nmap finished: 1 IP address (1 host up) scanned in 315.580 seconds
               Raw packets sent: 3459 (155KB) | Rcvd: 2555 (118KB)
K7LINUX ~ #
Google does not so much have a recognisable system as a well-filtered one. Only 80 and 443 are open, 113 answers with a RST (which is what gives nmap the closed port it needs for OS detection) and the other 1669 ports are filtered; the scanner had to throttle itself twice because probes were being dropped, which is why the port scan alone took five minutes. With -v nmap printed the fingerprints from two detection attempts side by side: in one of them nothing answered at all, and in the other only the probes that carry SYN got a reply (T1 and T3 to the open port, T5 to the closed one), while the NULL, ACK, FIN|PSH|URG and UDP probes (T2, T4, T6, T7, PU) went unanswered, which is the pattern a stateful filter in front of the servers produces. Add ISNs that nmap classes as truly random and randomized IP IDs, and there is simply nothing left for the fingerprint database to match.
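When nmap finds no match it prints the raw fingerprint, and reading that fingerprint tells you more than "no match" does. The script below is an added example, not part of the original post and not nmap's own code, that parses the first-generation fingerprint format (one TEST(key=value%key=value...) line per probe) and summarises which probes were answered and how. The probe descriptions are the first-generation nmap tests T1 to T7 and PU; the closing "stateful filter" verdict is this example's own heuristic, not something nmap reports. The embedded sample is the fingerprint from the Google scan above, taking the attempt that got replies.

```python
"""Reading a first-generation nmap "TCP/IP fingerprint" block.

Added example; neither part of the original post nor nmap's own code.  It parses
the fingerprint nmap 4.01 prints when it finds no match (each line has the form
TEST(key=value%key=value...)) and turns it into something a reviewer can reason
about.  PROBES describes the first-generation nmap tests; the stateful-filter
verdict in analyze() is this example's own heuristic.  GOOGLE_FP is the
fingerprint from the scan in the post (the attempt that received answers).
"""
import re

# What each first-generation test sent ("open"/"closed" are the ports nmap chose).
PROBES = {
    "T1": "SYN to open port",
    "T2": "NULL (no flags) to open port",
    "T3": "SYN|FIN|URG|PSH to open port",
    "T4": "ACK to open port",
    "T5": "SYN to closed port",
    "T6": "ACK to closed port",
    "T7": "FIN|PSH|URG to closed port",
    "PU": "UDP to closed port (expects ICMP port unreachable)",
}
FLAG_NAMES = {"A": "ACK", "S": "SYN", "R": "RST", "F": "FIN", "P": "PSH", "U": "URG"}
OPTION_NAMES = {"M": "MSS", "N": "NOP", "W": "WScale", "T": "Timestamp", "E": "EOL"}
SEQ_CLASSES = {"TR": "truly random", "RI": "random positive increments",
               "TD": "trivial time dependency", "C": "constant"}
LINE_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text):
    """Return {test: {key: value}} for every TEST(k=v%k=v) line in the block."""
    tests = {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, body = m.groups()
        attrs = {}
        for field in body.split("%"):
            if "=" in field:
                key, value = field.split("=", 1)
                attrs[key] = value
        tests[name] = attrs
    return tests


def describe_response(attrs):
    """Decode the flags, window (hex in the fingerprint) and options of one reply."""
    flags = "|".join(FLAG_NAMES.get(c, c) for c in attrs.get("Flags", ""))
    opts = ",".join(OPTION_NAMES.get(c, c) for c in attrs.get("Ops", ""))
    window = int(attrs["W"], 16) if attrs.get("W") else None
    return {"flags": flags, "window": window, "options": opts, "df": attrs.get("DF") == "Y"}


def analyze(text):
    """Summarise which probes were answered and what the TSeq line says."""
    tests = parse_fingerprint(text)
    answered = {t: describe_response(a) for t, a in tests.items()
                if t in PROBES and a.get("Resp") == "Y"}
    silent = [t for t in PROBES if tests.get(t, {}).get("Resp") == "N"]
    seq = tests.get("TSeq", {})
    # Heuristic: if exactly the SYN-bearing probes are answered and every
    # out-of-state probe is dropped, a stateful filter sits in front of the host.
    syn_probes = {"T1", "T3", "T5"}
    stateful = syn_probes <= set(answered) and not (set(answered) - syn_probes)
    return {
        "answered": answered,
        "silent": silent,
        "isn_class": SEQ_CLASSES.get(seq.get("Class"), seq.get("Class")),
        "ipid_random": seq.get("IPID") == "RD",
        "looks_stateful_filtered": stateful,
    }


GOOGLE_FP = """
SInfo(V=4.01%P=i686-pc-linux-gnu%D=5/24%Tm=4474AC24%O=80%C=113)
TSeq(Class=TR%IPID=RD%TS=U)
T1(Resp=Y%DF=N%W=1FFE%ACK=S++%Flags=AS%Ops=ME)
T2(Resp=N)
T3(Resp=Y%DF=N%W=1FFE%ACK=S++%Flags=AS%Ops=ME)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
"""

if __name__ == "__main__":
    result = analyze(GOOGLE_FP)
    for test, info in result["answered"].items():
        print(f"{test} ({PROBES[test]}): {info['flags']} window={info['window']} "
              f"options={info['options'] or '-'}")
    print("silent:", ", ".join(result["silent"]))
    print("ISN class:", result["isn_class"], "| random IP ID:", result["ipid_random"])
    print("stateful-filter pattern:", result["looks_stateful_filtered"])
```

Run on the Google fingerprint it reports T1 and T3 answered with SYN|ACK, an 8190-byte window and only MSS plus EOL as options, T5 answered with RST (window 0), every other probe silent, truly random ISNs and random IP IDs, and flags the stateful-filter pattern. The same parser works on any unmatched host's -v output, which is a better starting point for deciding what sits in front of a server than the single line "No exact OS matches".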
Conclusions
nmap is a good tool for identifying standard remote hosts and even common devices such as routers. It is understandable that it cannot identify unusual routers (like the USRobotics), new operating systems or kernels, or modified systems: it can only match what is already in its fingerprint database, so keeping nmap (and with it nmap-os-fingerprints) up to date matters as much as the technique itself, and the fingerprint that -v prints for an unmatched host is exactly what the project asks you to submit. It also needs one open and one closed, unfiltered port to work properly, as the "For OSScan assuming port ... is open, ... is closed" lines show; without the RST from port 113 the Google scan would have had even less to go on.
Google's result is the curious one: it is not that it identifies itself randomly as any operating system, but that nmap finds no match at all, because a stateful filter answers only the SYN probes and the host's sequence numbers and IP IDs are random. That combination earns the highest difficulty nmap can report, "truly random", and leaves nothing for the fingerprint database to match.
Sources:
A Linux console and a lot of typing...