mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge pull request #984 from PythonHacker24/patch-3
Updated nmap-summary-esp.md Replacing Spanish Language with English Language
This commit is contained in:
commit
bcc795bd4e
@ -63,171 +63,171 @@ By default Nmap launches a discovery phase consisting of: `-PA80 -PS443 -PE -PP`
|
||||
* **`-sO`:** Protocol Ip scan. Sends bad and empty headers in which sometimes not even the protocol can be distinguished. If ICMP unreachable protocol arrives it is closed, if unreachable port arrives it is open, if another error arrives, filtered, if nothing arrives, open|filtered.
|
||||
* **`-b <server>`:** FTPhost--> It is used to scan a host from another one, this is done by connecting the ftp of another machine and asking it to send files to the ports that you want to scan from another machine, according to the answers we will know if they are open or not. \[\<user>:\<password>@]\<server>\[:\<port>] Almost all ftps servers no longer let you do this and therefore it is of little practical use.
|
||||
|
||||
### **Centrar análisis**
|
||||
### **Focus Analysis**
|
||||
|
||||
**-p:** Sirve para dar los puertos a escanear. Para seleccionar los 65335: **-p-** o **-p all**. Nmap tiene una clasificaación interna según su popularidad. Por defecto usa los 1000 ppales. Con **-F** (fast scan) analiza los 100 ppales. Con **--top-ports \<numero>** Analiza ese numero de ppales (de 1 hasta los 65335). Comprueba los puertos en orden aleatorio, para que eso no pase **-r**. También podemos seleccionar puertos: 20-30,80,443,1024- Esto ultimo significa que mire en adelante del 1024. También podemos agrupar los puertos por protocolos: U:53,T:21-25,80,139,S:9. También podemos escoger un rango dentro de los puertos populares de nmap: -p \[-1024] analiza hasta el 1024 de los incluidos en nmap-services. **--port-ratio \<ratio>** Analiza los puertos más comúnes que un ratio que debe estar entre 0 y 1
|
||||
**-p:** Used to specify ports to scan. To select all 65,335 ports: **-p-** or **-p all**. Nmap has an internal classification based on popularity. By default, it uses the top 1000 ports. With **-F** (fast scan) it analyzes the top 100. With **--top-ports <number>** it analyzes that number of top ports (from 1 to 65,335). It checks ports in random order; to prevent this, use **-r**. We can also select specific ports: 20-30,80,443,1024- (the latter means to look from 1024 onwards). We can also group ports by protocols: U:53,T:21-25,80,139,S:9. We can also choose a range within Nmap's popular ports: -p [-1024] analyzes up to port 1024 from those included in nmap-services. **--port-ratio <ratio>** Analyzes the most common ports within a ratio between 0 and 1
|
||||
|
||||
**-sV** Escaneado de versión, se puede regular la intensidad de 0 a 9, por defecto 7.
|
||||
**-sV** Version scanning, intensity can be regulated from 0 to 9, default is 7.
|
||||
|
||||
**--version-intensity \<numero>** Regulamos la intensidad, de forma que cuanto más bajo solo lanzará las sondas más probables, pero no todas. Con esto podemos acortar considerablemente el tiempo de escaneo UDP
|
||||
**--version-intensity <number>** We regulate the intensity, so that the lower it is, it will only launch the most probable probes, but not all. With this, we can considerably shorten UDP scanning time
|
||||
|
||||
**-O** Deteccion de os
|
||||
**-O** OS detection
|
||||
|
||||
**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se da esta condición y hemos puesto esto, no intenta hacer predicción de os (ahorra tiempo)
|
||||
**--osscan-limit** For proper host scanning, at least one open port and one closed port are needed. If this condition isn't met and we've set this, it won't attempt OS prediction (saves time)
|
||||
|
||||
**--osscan-guess** Cuando la detección de os no es perfecta esto hace que se esfuerce más
|
||||
**--osscan-guess** When OS detection isn't perfect, this makes it try harder
|
||||
|
||||
**Scripts**
|
||||
|
||||
\--script _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_\[,...]
|
||||
--script _<filename>_|_<category>_|_<directory>_|_<expression>_[,...]
|
||||
|
||||
Para usar los de por efecto vale con -sC o --script=default
|
||||
To use default scripts, use -sC or --script=default
|
||||
|
||||
Los tipos que hay son de: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
|
||||
Available types are: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
|
||||
|
||||
* **Auth:** ejecuta todos sus _scripts_ disponibles para autenticación
|
||||
* **Default:** ejecuta los _scripts_ básicos por defecto de la herramienta
|
||||
* **Discovery:** recupera información del _target_ o víctima
|
||||
* **External:** _script_ para utilizar recursos externos
|
||||
* **Intrusive:** utiliza _scripts_ que son considerados intrusivos para la víctima o _target_
|
||||
* **Malware:** revisa si hay conexiones abiertas por códigos maliciosos o _backdoors_ (puertas traseras)
|
||||
* **Safe:** ejecuta _scripts_ que no son intrusivos
|
||||
* **Vuln:** descubre las vulnerabilidades más conocidas
|
||||
* **All:** ejecuta absolutamente todos los _scripts_ con extensión NSE disponibles
|
||||
* **Auth:** executes all available authentication scripts
|
||||
* **Default:** executes basic default tool scripts
|
||||
* **Discovery:** retrieves information from the target or victim
|
||||
* **External:** script for using external resources
|
||||
* **Intrusive:** uses scripts considered intrusive to the victim or target
|
||||
* **Malware:** checks for connections opened by malicious code or backdoors
|
||||
* **Safe:** executes non-intrusive scripts
|
||||
* **Vuln:** discovers the most known vulnerabilities
|
||||
* **All:** executes absolutely all available NSE extension scripts
|
||||
|
||||
Para buscar scripts:
|
||||
To search for scripts:
|
||||
|
||||
**nmap --script-help="http-\*" -> Los que empiecen por http-**
|
||||
**nmap --script-help="http-\*" -> Those starting with http-**
|
||||
|
||||
**nmap --script-help="not intrusive" -> Todos menos esos**
|
||||
**nmap --script-help="not intrusive" -> All except those**
|
||||
|
||||
**nmap --script-help="default or safe" -> Los que estan en uno o en otro o en ambos**
|
||||
**nmap --script-help="default or safe" -> Those in either or both**
|
||||
|
||||
**nmap --script-help="default and safe" --> Los que estan en ambos**
|
||||
**nmap --script-help="default and safe" --> Those in both**
|
||||
|
||||
**nmap --script-help="(default or safe or intrusive) and not http-\*"**
|
||||
|
||||
\--script-args _\<n1>_=_\<v1>_,_\<n2>_={_\<n3>_=_\<v3>_},_\<n4>_={_\<v4>_,_\<v5>_}
|
||||
--script-args _<n1>_=_<v1>_,_<n2>_={_<n3>_=_<v3>_},_<n4>_={_<v4>_,_<v5>_}
|
||||
|
||||
\--script-args-file _\<filename>_
|
||||
--script-args-file _<filename>_
|
||||
|
||||
\--script-help _\<filename>_|_\<category>_|_\<directory>_|_\<expression>_|all\[,...]
|
||||
--script-help _<filename>_|_<category>_|_<directory>_|_<expression>_|all[,...]
|
||||
|
||||
\--script-trace ---> Da info de como va elscript
|
||||
--script-trace ---> Provides info on how the script is progressing
|
||||
|
||||
\--script-updatedb
|
||||
--script-updatedb
|
||||
|
||||
**Para usar un script solo hay que poner: namp --script Nombre\_del\_script objetivo** --> Al poner el script se ejecutará tanto el script como el escaner, asi que tambien se pueden poner opciones del escaner, podemos añadir **“safe=1”** para que se ejecuten solo los que sean seguros.
|
||||
**To use a script, just type: nmap --script Script_Name target** --> When using the script, both the script and scanner will execute, so scanner options can also be added. We can add **"safe=1"** to execute only safe ones.
|
||||
|
||||
**Control tiempo**
|
||||
**Time Control**
|
||||
|
||||
**Nmap puede modificar el tiempo en segundos, minutos, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing.
|
||||
**Nmap can modify time in seconds, minutes, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing.
|
||||
|
||||
Nmap divide el numero total de host a escanear en grupos y analiza esos grupos en bloques de forma que hasta que no han sido analizados todos, no pasa al siguiente bloque (y el usuario tampoco recibe ninguna actualización hasta que se haya analizado el bloque) de esta forma, es más óptimo para nmap usar grupos grandes. Por defecto en clase C usa 256.
|
||||
Nmap divides the total number of hosts to scan into groups and analyzes these groups in blocks, so it doesn't move to the next block until all have been analyzed (and the user doesn't receive any updates until the block has been analyzed). This way, it's more optimal for Nmap to use large groups. By default in class C, it uses 256.
|
||||
|
||||
Se puede cambiar con\*\*--min-hostgroup\*\* _**\<numhosts>**_**;** **--max-hostgroup** _**\<numhosts>**_ (Adjust parallel scan group sizes)
|
||||
This can be changed with **--min-hostgroup** _**<numhosts>**_**;** **--max-hostgroup** _**<numhosts>**_ (Adjust parallel scan group sizes)
|
||||
|
||||
Se puede controlar el numero de escaners en paralelo pero es mejor que no (nmpa ya incorpora control automatico en base al estado de la red): **--min-parallelism** _**\<numprobes>**_**;** **--max-parallelism** _**\<numprobes>**_
|
||||
You can control the number of parallel scanners but it's better not to (Nmap already incorporates automatic control based on network status): **--min-parallelism** _**<numprobes>**_**;** **--max-parallelism** _**<numprobes>**_
|
||||
|
||||
Podemos modificar el rtt timeout, pero no suele ser necesario: **--min-rtt-timeout** _**\<time>**_**,** **--max-rtt-timeout** _**\<time>**_**,** **--initial-rtt-timeout** _**\<time>**_
|
||||
We can modify the RTT timeout, but it's usually not necessary: **--min-rtt-timeout** _**<time>**_**,** **--max-rtt-timeout** _**<time>**_**,** **--initial-rtt-timeout** _**<time>**_
|
||||
|
||||
Podemos modificar el numero de intentos:**--max-retries** _**\<numtries>**_
|
||||
We can modify the number of attempts: **--max-retries** _**<numtries>**_
|
||||
|
||||
Podemos modificar el tiempo de escaneado de un host: **--host-timeout** _**\<time>**_
|
||||
We can modify the scanning time of a host: **--host-timeout** _**<time>**_
|
||||
|
||||
Podemos modificar el tiempo entre cada prueba para que vaya despacio: **--scan-delay** _**\<time>**_**;** **--max-scan-delay** _**\<time>**_
|
||||
We can modify the time between each test to slow it down: **--scan-delay** _**<time>**_**;** **--max-scan-delay** _**<time>**_
|
||||
|
||||
Podemos modificar el numero de paquetes por segundo: **--min-rate** _**\<number>**_**;** **--max-rate** _**\<number>**_
|
||||
We can modify the number of packets per second: **--min-rate** _**<number>**_**;** **--max-rate** _**<number>**_
|
||||
|
||||
Muchos puertos tardan mucho en responder al estar filtrados o cerrados, si solo nos interesan los abiertos, podemos ir más rápido con: **--defeat-rst-ratelimit**
|
||||
Many ports take a long time to respond when filtered or closed. If we're only interested in open ones, we can go faster with: **--defeat-rst-ratelimit**
|
||||
|
||||
Para definir lo agresivo que queremos que sea nmap: -T paranoid|sneaky|polite|normal|aggressive|insane
|
||||
To define how aggressive we want Nmap to be: -T paranoid|sneaky|polite|normal|aggressive|insane
|
||||
|
||||
\-T (0-1)
|
||||
-T (0-1)
|
||||
|
||||
\-T0 --> Solo se escanea 1 puerto a la vez y se espera 5min hasta el siguiente
|
||||
-T0 --> Only scans 1 port at a time and waits 5min until the next
|
||||
|
||||
\-T1 y T2 --> Muy parecidos pero solo esperan 15 y 0,4seg respectivamente enttre cada prueba
|
||||
-T1 and T2 --> Very similar but only wait 15 and 0.4sec respectively between each test
|
||||
|
||||
\-T3 --> Funcionamiento por defecto, incluye en paralelo
|
||||
-T3 --> Default operation, includes parallel scanning
|
||||
|
||||
\-T4 --> --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms
|
||||
-T4 --> --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms
|
||||
|
||||
\-T5 --> --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms
|
||||
-T5 --> --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms
|
||||
|
||||
**Firewall/IDS**
|
||||
|
||||
No dejan pasar a puertos y analizan paquetes.
|
||||
They don't allow access to ports and analyze packets.
|
||||
|
||||
**-f** Para fragmentar paquetes, por defecto los fragmenta en 8bytes después de la cabecera, para especificar ese tamaño usamos ..mtu (con esto, no usar -f), el offset debe ser multiplo de 8. **Escaners de version y scripts no soportan la fragmentacion**
|
||||
**-f** To fragment packets, by default fragments them into 8bytes after the header, to specify that size we use ..mtu (with this, don't use -f), the offset must be multiple of 8. **Version scanners and scripts don't support fragmentation**
|
||||
|
||||
**-D decoy1,decoy2,ME** Nmap envia escaneres pero con otras direcciones IPs como origen, de esta forma te esconden a ti. Si pones el ME en la lista, nmap te situara ahi, mejor poner 5 o 6 antes de ti para que te enmascaren completamente. Se pueden generar iPs aleatorias con RND:\<numero> Para generar \<numero> de Ips aleatorias. No funcionan con detector de versiones sin conexion de TCP. Si estas dentro de una red, te interesa usar Ips que esten activas, pues sino será muy facil averiguar que tu eres la unica activa.
|
||||
**-D decoy1,decoy2,ME** Nmap sends scanners but with other IP addresses as origin, this way they hide you. If you put ME in the list, Nmap will place you there, better to put 5 or 6 before you to completely mask you. Random IPs can be generated with RND:<number> To generate <number> of random IPs. They don't work with TCP version detectors without connection. If you're inside a network, you're interested in using active IPs, as otherwise it will be very easy to figure out that you are the only active one.
|
||||
|
||||
Para usar Ips aleatorias: nmap-D RND: 10 Ip\_objetivo
|
||||
To use random IPs: nmap -D RND:10 Target_IP
|
||||
|
||||
**-S IP** Para cuando Nmap no pilla tu dirección Ip se la tienes que dar con eso. También sirve para hacer pensar que hay otro objetivo escaneandoles.
|
||||
**-S IP** For when Nmap doesn't catch your IP address you have to give it with this. Also serves to make them think another target is scanning them.
|
||||
|
||||
**-e \<interface>** Para elegir la interfaz
|
||||
**-e <interface>** To choose the interface
|
||||
|
||||
Muchos administradores dejan puertos de entrada abiertos para que todo funcione correctamente y les es más fácil que buscar otra solución. Estos pueden ser los puertos DNS o los de FTP... para busca esta vulnerabilidad nmap incorpora: **--source-port** _**\<portnumber>**_**;-g** _**\<portnumber>**_ _Son equivalentes_
|
||||
Many administrators leave entry ports open for everything to work correctly and it's easier for them than finding another solution. These can be DNS ports or FTP ports... to find this vulnerability Nmap incorporates: **--source-port** _**<portnumber>**_**;-g** _**<portnumber>**_ _They are equivalent_
|
||||
|
||||
**--data** _**\<hex string>**_ Para enviar texto hexadecimal: --data 0xdeadbeef and --data \xCA\xFE\x09
|
||||
**--data** _**<hex string>**_ To send hexadecimal text: --data 0xdeadbeef and --data \xCA\xFE\x09
|
||||
|
||||
**--data-string** _**\<string>**_ Para enviar un texto normal: --data-string "Scan conducted by Security Ops, extension 7192"
|
||||
**--data-string** _**<string>**_ To send normal text: --data-string "Scan conducted by Security Ops, extension 7192"
|
||||
|
||||
**--data-length** _**\<number>**_ Nmap envía solo cabeceras, con esto logramos que añada a estar un numero de bytes mas (que se generaran aleatoriamente)
|
||||
**--data-length** _**<number>**_ Nmap only sends headers, with this we achieve adding a number of more bytes (which will be generated randomly)
|
||||
|
||||
Para configurar el paquete IP completamente usar **--ip-options**
|
||||
To configure the IP packet completely use **--ip-options**
|
||||
|
||||
If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see [http://seclists.org/nmap-dev/2006/q3/52](http://seclists.org/nmap-dev/2006/q3/52).
|
||||
|
||||
**--ttl** _**\<value>**_
|
||||
**--ttl** _**<value>**_
|
||||
|
||||
**--randomize-hosts** Para que el ataque sea menos obvio
|
||||
**--randomize-hosts** To make the attack less obvious
|
||||
|
||||
**--spoof-mac** _**\<MAC address, prefix, or vendor name>**_ Para cambiar la mac ejemplos: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
|
||||
**--spoof-mac** _**<MAC address, prefix, or vendor name>**_ To change the MAC examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
|
||||
|
||||
**--proxies** _**\<Comma-separated list of proxy URLs>**_ Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
|
||||
**--proxies** _**<Comma-separated list of proxy URLs>**_ To use proxies, sometimes a proxy doesn't maintain as many open connections as Nmap wants so parallelism would need to be modified: --max-parallelism
|
||||
|
||||
**-sP** Para descubrir host en la red en la que estamos por ARP
|
||||
**-sP** To discover hosts in our network by ARP
|
||||
|
||||
Muchos administradores crean una regla en el firewall que permite pasar todos los paquetes que provienen de un puerto en particular (como el 20,53 y 67), podemos decire a nmap que mande nuestros paquetes desde esos puertos: **nmap --source-port 53 Ip**
|
||||
Many administrators create a firewall rule that allows all packets coming from a particular port to pass through (like 20,53 and 67), we can tell Nmap to send our packets from these ports: **nmap --source-port 53 IP**
|
||||
|
||||
**Salidas**
|
||||
**Outputs**
|
||||
|
||||
**-oN file** Salida normal
|
||||
**-oN file** Normal output
|
||||
|
||||
**-oX file** Salida XML
|
||||
**-oX file** XML output
|
||||
|
||||
**-oS file** Salida de script kidies
|
||||
**-oS file** Script kiddies output
|
||||
|
||||
**-oG file** Salida grepable
|
||||
**-oG file** Greppable output
|
||||
|
||||
**-oA file** Todos menos -oS
|
||||
**-oA file** All except -oS
|
||||
|
||||
**-v level** verbosity
|
||||
|
||||
**-d level** debugin
|
||||
**-d level** debugging
|
||||
|
||||
**--reason** Porqué del host y estado
|
||||
**--reason** Why of host and state
|
||||
|
||||
**--stats-every time** Cada ese tiempo nos dice como va
|
||||
**--stats-every time** Every that time tells us how it's going
|
||||
|
||||
**--packet-trace** Para ver que paquetes salen se pueden especificar filtros como: --version-trace o --script-trace
|
||||
**--packet-trace** To see which packets go out, filters can be specified like: --version-trace or --script-trace
|
||||
|
||||
**--open** muestra los abiertos, abiertos|filtrados y los no filtrados
|
||||
**--open** shows open, open|filtered and unfiltered
|
||||
|
||||
**--resume file** Saca un resumen
|
||||
**--resume file** Outputs a summary
|
||||
|
||||
**Miscelanea**
|
||||
**Miscellaneous**
|
||||
|
||||
**-6** Permite ipv6
|
||||
**-6** Allows IPv6
|
||||
|
||||
**-A** es lo mismo que -O -sV -sC --traceroute
|
||||
**-A** is the same as -O -sV -sC --traceroute
|
||||
|
||||
**Run time**
|
||||
|
||||
Mientras corre nmap podemos cambiar opciones:
|
||||
While Nmap is running we can change options:
|
||||
|
||||
v / V Increase / decrease the verbosity level
|
||||
|
||||
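Review bot: the translated `-p` line ("**-p:** Used to specify ports to scan. To select all 65,335 ports ...") carries the original's wrong port count into English twice ("all 65,335 ports" and "from 1 to 65,335"); TCP and UDP have 65,535 ports, so both should read 65,535. Two more slips from the Spanish side survive in this hunk and are worth fixing while translating: on the `-f` line, "to specify that size we use ..mtu" should name the real option `--mtu`; and "**--resume file** Outputs a summary" is a mistranslation of what the option does (`--resume` continues an aborted scan from a previously saved -oN or -oG output file, it does not print a summary). Minor wording: "They don't work with TCP version detectors without connection" on the `-D` line and "Every that time tells us how it's going" on the `--stats-every` line read as word-for-word renderings; "Decoys do not work with version detection or TCP connect scans" and "Prints a progress update every <time>" would be clearer.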
@ -239,9 +239,9 @@ p / P Turn on / off packet tracing
|
||||
|
||||
**Vulscan**
|
||||
|
||||
Script de nmap que mira las versiones de los servicios obtenidos en una base de datos offline (que descarga de otras muy importantes) y devuelve las posibles vulnerabilidades
|
||||
Nmap script that looks at versions of services obtained in an offline database (downloaded from other very important ones) and returns possible vulnerabilities
|
||||
|
||||
Las BD que usa son:
|
||||
The DBs it uses are:
|
||||
|
||||
1. Scipvuldb.csv | [http://www.scip.ch/en/?vuldb](http://www.scip.ch/en/?vuldb)
|
||||
2. Cve.csv | [http://cve.mitre.org](http://cve.mitre.org/)
|
||||
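Review bot: the new Vulscan description ("Nmap script that looks at versions of services obtained in an offline database (downloaded from other very important ones) ...") misplaces "obtained" and loses the meaning of the Spanish line, which says the script checks the service versions it obtained against an offline database. Suggested wording: "Nmap script that checks the detected service versions against an offline vulnerability database (built from several major public databases) and returns the possible vulnerabilities".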
@ -252,17 +252,18 @@ Las BD que usa son:
|
||||
7. Exploitdb.csv | [http://www.exploit-db.com](http://www.exploit-db.com/)
|
||||
8. Openvas.csv | [http://www.openvas.org](http://www.openvas.org/)
|
||||
|
||||
Para descargarlo e instalarlo en la carpeta de Nmap:
|
||||
To download and install in the Nmap folder:
|
||||
|
||||
wget http://www.computec.ch/projekte/vulscan/download/nmap\_nse\_vulscan-2.0.tar.gz && tar -czvf nmap\_nse\_vulscan-2.0.tar.gz vulscan/ && sudo cp -r vulscan/ /usr/share/nmap/scripts/
|
||||
wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar -czvf nmap_nse_vulscan-2.0.tar.gz vulscan/ && sudo cp -r vulscan/ /usr/share/nmap/scripts/
|
||||
|
||||
También habría que descargar los paquetes de las BD y añadirlos a /usr/share/nmap/scripts/vulscan/
|
||||
You would also need to download the DB packages and add them to /usr/share/nmap/scripts/vulscan/
|
||||
|
||||
Uso:
|
||||
Usage:
|
||||
|
||||
Para usar todos: sudo nmap -sV --script=vulscan HOST\_A\_ESCANEAR
|
||||
To use all: sudo nmap -sV --script=vulscan HOST_TO_SCAN
|
||||
|
||||
To use a specific DB: sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST_TO_SCAN
|
||||
|
||||
Para usar una BD específica: sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST\_A\_ESCANEAR
|
||||
|
||||
## Speed Up Nmap Service scan x16
|
||||
|
||||
|
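Review bot: the translated install one-liner keeps a bug from the Spanish line it replaces: `tar -czvf nmap_nse_vulscan-2.0.tar.gz vulscan/` creates an archive rather than extracting the one just downloaded (and would fail because vulscan/ does not exist yet, stopping the `&&` chain before the copy), so it should be `tar -xzvf nmap_nse_vulscan-2.0.tar.gz` before `sudo cp -r vulscan/ /usr/share/nmap/scripts/`. Also note the hunk leaves the English "To use a specific DB:" usage line placed before the removed Spanish one, which is fine, but the "## Speed Up Nmap Service scan x16" heading that follows is unchanged context and still sits directly after the usage lines without a separating paragraph; consider leaving a blank line before it.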