Network Discovery

Key principles to take away:

Nmap (Network Mapper) is an indispensable tool for anyone working in security or network operations. Its main strength is thorough network discovery: it identifies live hosts, the services they expose and, through its scripting engine (NSE), indicators of potential weaknesses. Its versatility and robustness make it a staple of security audits and of the day-to-day work of hardening network infrastructure.

Host discovery is the starting point of any Nmap assessment: before ports, services or operating systems can be examined, you need a reliable list of which addresses in a range actually belong to a live machine. Nmap offers several discovery probes, each with different reach and different chances of being filtered, and the rest of this chapter walks through them one at a time.


2.0 - Network Discovery

This chapter covers host discovery with Nmap: commands that detect live hosts without scanning their ports. The techniques include ARP-based discovery, TCP SYN ping and ICMP echo ping, plus a traceroute to visualise the paths through the network. This first pass is essential for understanding the layout of the network and inventorying the devices connected to it, and it lays the groundwork for more detailed audits. One thing to keep in mind throughout: a probe option such as -PR, -PS or -PE only selects which discovery packet Nmap sends; unless you also pass -sn, Nmap still runs its default 1000-port scan against every host that answers.


Tip: use the -A option for an in-depth scan that combines OS detection, service version detection, the default NSE scripts and traceroute. It gives a complete picture of each scanned host, which helps spot weaknesses and understand how the network is configured. Be aware that -A is the opposite of discreet: it adds a port scan, version probes and script traffic on top of host discovery, so it is easily noticed and should be reserved for hosts you have already confirmed are in scope.

Exclusively on: spear-phishing.com


2.1 - Preparation

Before you start, make sure Nmap is installed. Kali Linux ships it; on other systems you may need to install it yourself. Also make sure you have written authorisation to scan the target network: unauthorised scanning can have legal consequences. For installation and usage details, refer to the official Nmap site (https://nmap.org).

Tip: to reduce the chance that your scans trip an intrusion prevention system or stand out in network logs, use the -T0 ("paranoid") timing template. It serialises the probes and waits five minutes between each one, which makes the scan far slower but much less bursty, so it is less likely to cross rate-based alert thresholds in closely monitored environments. It does not make the packets invisible: every probe is still logged by whatever sees it, and a full port scan at -T0 takes days, so pair it with -sn or a short port list.


sudo apt update && sudo apt upgrade
sudo apt install nmap
nmap --version


2.2 - Network Discovery

The first step in exploring a network with Nmap is to learn the host-discovery commands. The simplest is the ping scan, -sn, which skips the port scan and only reports which hosts are up. What -sn actually sends depends on your privileges and on where the targets are: as root against a local Ethernet segment Nmap uses ARP requests; as root against remote targets it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; without root it falls back to TCP connect attempts to ports 80 and 443. The example below sweeps a /24 in a few seconds:


nmap -sn 192.168.1.0/24
Starting Nmap 7.94 (https://nmap.org) at 2024-03-15 10:20 CET
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Nmap scan report for 192.168.1.15
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.25
Host is up (0.0045s latency).
Nmap scan report for 192.168.1.105
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.142
Host is up (0.0010s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.21 seconds
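As an added example (not part of the original page), the shell script below turns the grepable output of a ping scan into a host list that a follow-up port scan can read with -iL, so you only port-scan hosts that answered discovery. The -oG sample embedded in the script is constructed by hand to mirror the 192.168.1.0/24 result above; the "Status: Down" records are what -v adds. Everything else is standard nmap, awk and sh.

```sh
#!/bin/sh
# Added example, not from the original page: feed the hosts found by a ping
# scan (-sn) into a later port scan instead of port-scanning the whole range.
#
# On a real network you would generate the input with:
#   sudo nmap -v -sn -oG - 192.168.1.0/24 > discovery.gnmap
# The grepable output below is constructed to match the page's
# 192.168.1.0/24 result (same five live hosts); "Status: Down" records
# only appear when -v is given.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Fri Mar 15 10:20:00 2024 as: nmap -v -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 ()	Status: Up
Host: 192.168.1.2 ()	Status: Down
Host: 192.168.1.15 ()	Status: Up
Host: 192.168.1.25 ()	Status: Up
Host: 192.168.1.105 ()	Status: Up
Host: 192.168.1.142 ()	Status: Up
Host: 192.168.1.200 ()	Status: Down
# Nmap done at Fri Mar 15 10:20:03 2024 -- 256 IP addresses (5 hosts up) scanned in 3.21 seconds'

# live_hosts: one IP per line for every record marked "Status: Up".
# Field 2 of a "Host:" record is the address; the "()" holds the reverse
# DNS name when Nmap resolved one, so it never shifts the address field.
live_hosts() {
    printf '%s\n' "$SAMPLE_GNMAP" |
        awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# live_host_count: number of live hosts, to cross-check against the
# "(N hosts up)" figure in the trailer line.
live_host_count() {
    live_hosts | wc -l | tr -d ' '
}

# Write the list and print the port scan that should follow. -sS is a SYN
# scan, -sV adds version detection and -oA saves all three output formats.
live_hosts > live_hosts.txt
printf 'Discovered %s live hosts, saved to live_hosts.txt. Next step:\n' "$(live_host_count)"
printf '  sudo nmap -sS -sV -iL live_hosts.txt -oA portscan\n'
```

Running discovery and port scanning as two stages also gives you a checkpoint: the host list can be reviewed against the authorised scope before any port probe is sent.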


2.3 - ARP-based Discovery

ARP-based discovery is the most reliable way to find live hosts on the local segment: every IPv4 host has to answer ARP in order to communicate at all, so it catches hosts that silently drop ICMP and TCP probes. It also returns each host's MAC address and, from the OUI prefix, the likely vendor, which is why the output below tags devices as IP phones, cameras, NAS boxes and so on. Its limit is reach: ARP does not cross routers, so it only works for targets in the same broadcast domain as the scanner. Nmap already uses ARP automatically when run as root against a local network; -PR requests it explicitly, and --send-ip disables it. Note that -PR on its own does not turn off the port scan, which is why the output below lists ports for every host and took roughly fourteen minutes; add -sn to stop after discovery.


nmap -PR 10.0.1.0/22
Starting Nmap 7.93 (https://nmap.org) at 2024-03-15 15:56 EDT
Nmap scan report for 10.0.1.5
Host is up (0.016s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
880/tcp open  unknown
MAC Address: 18:8f:d8:11:cf:50 (Microsoft)
Nmap scan report for [REDACTED_DOMAIN_1] 10.0.1.7
Host is up (0.017s latency).
Not shown: 995 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
4242/tcp open  vrml-multi-use
MAC Address: 82:b9:b5:0d:e2:99 (Super Micro Computer)
Nmap scan report for 10.0.1.38
Host is up (0.058s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
9009/tcp open  pichat
MAC Address: 32:c7:51:aa:7b:bd (Hangzhou Hikvision Digital Technology)
Nmap scan report for 10.0.1.41
Host is up (0.017s latency).
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT      STATE SERVICE
1100/tcp  open  mctp
10010/tcp open  rxapi
MAC Address: 92:60:62:e6:c1:67 (Netgear)
Nmap scan report for 10.0.1.53
Host is up (0.017s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT    STATE SERVICE
443/tcp open  https
MAC Address: 29:a9:58:ee:99:0b (Europlex Technologies)
Nmap scan report for 10.0.1.59
Host is up (0.017s latency).
Not shown: 995 filtered tcp ports (no-response), 3 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
80/tcp   open  http
9009/tcp open  pichat
MAC Address: 91:6e:37:a5:6f:cb (Fanvil Technology)
Nmap scan report for 10.0.1.78
Host is up (0.017s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3333/tcp open  dec-notes
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi
MAC Address: 38:88:93:90:49:a5 (snom technology GmbH)
Nmap scan report for 10.0.1.83
Host is up (0.016s latency).
Not shown: 990 filtered tcp ports (no-response), 2 filtered tcp ports (host-unreach)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
161/tcp   open  snmp
445/tcp   open  microsoft-ds
1935/tcp  open  rtmp
3260/tcp  open  iscsi
5000/tcp  open  upnp
50001/tcp open  unknown
MAC Address: cc:8a:f9:10:9d:27 (Netgear)
Nmap scan report for 10.0.1.88
Host is up (0.016s latency).
Not shown: 998 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
5900/tcp open  vnc
MAC Address: b7:58:72:4d:de:4c (Microsoft)
Nmap scan report for 10.0.1.110
Host is up (0.020s latency).
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
80/tcp   open  http
5900/tcp open  vnc
MAC Address: 89:bc:9b:f6:71:cd (Yealink(Xiamen) Network Technology)
Nmap scan report for 10.0.1.111
Host is up (0.016s latency).
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 53:64:28:8e:f3:04 (Unknown)
Nmap scan report for 10.0.2.8
Host is up (0.016s latency).
Not shown: 997 filtered tcp ports (no-response), 1 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
554/tcp  open  rtsp
8000/tcp open  http-alt
MAC Address: 9f:dd:28:d3:36:1a (Unknown)
Nmap scan report for 10.0.2.9
Host is up (0.018s latency).
Not shown: 993 filtered tcp ports (no-response), 2 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
554/tcp  open  rtsp
8000/tcp open  http-alt
8443/tcp open  https-alt
MAC Address: 6a:f7:9f:6a:03:ab (Fanvil Technology)
Nmap scan report for 10.0.2.110
Host is up (0.017s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: d8:f0:20:56:03:6d (Apple)
Nmap scan report for [REDACTED_DOMAIN_2] (10.0.2.248)
Host is up (0.019s latency).
Not shown: 985 filtered tcp ports (no-response), 2 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
161/tcp  open  snmp
443/tcp  open  https
445/tcp  open  microsoft-ds
548/tcp  open  afp
3260/tcp open  iscsi
3261/tcp open  winshadow
5357/tcp open  wsdapi
5510/tcp open  secureidprop
5550/tcp open  sdadmind
5566/tcp open  westec-connect
MAC Address: f9:4e:ab:c0:aa:41 (Hewlett Packard)
Nmap scan report for [REDACTED_DOMAIN_3] (10.0.2.249)
Host is up (0.017s latency).
Not shown: 996 filtered tcp ports (no-response), 2 filtered tcp ports (host-unreach)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
MAC Address: 94:6d:e0:77:73:5b (Samsung Electronics)
Nmap done: 1024 IP addresses (16 hosts up) scanned in 847.94 seconds


2.4 - TCP SYN Ping Discovery

TCP SYN ping sends a SYN packet to a chosen port (80 by default; -PS22,443 probes others) without completing the handshake. Either reply proves the host is up: a SYN/ACK means the port is open, an RST means it is closed but the host is there. Because the handshake is never completed, the application behind the port logs nothing, but the packets are ordinary SYNs that any firewall or IDS sees, so the method is unobtrusive rather than invisible. It is the probe of choice when ICMP is filtered and the target sits behind a router, where ARP cannot help. As with -PR, -PS only selects the discovery probe; the default port scan still runs unless -sn is given, which is what the output below shows.


nmap -PS 10.0.1.0/22
Starting Nmap 7.93 (https://nmap.org) at 2024-03-15 15:56 EDT
Nmap scan report for 10.0.1.5
Host is up (0.016s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
880/tcp open  unknown
Nmap scan report for [REDACTED_DOMAIN_1] 10.0.1.7
Host is up (0.017s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
4242/tcp open  vrml-multi-use
Nmap scan report for 10.0.1.38
Host is up (0.058s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE
9009/tcp open  pichat
Nmap scan report for 10.0.1.41
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (reset)
PORT      STATE SERVICE
1100/tcp  open  mctp
10010/tcp open  rxapi
Nmap scan report for 10.0.1.53
Host is up (0.017s latency).
Not shown: 999 closed tcp ports (reset)
PORT    STATE SERVICE
443/tcp open  https
Nmap scan report for 10.0.1.59
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
9009/tcp open  pichat
Nmap scan report for 10.0.1.78
Host is up (0.017s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
3333/tcp open  dec-notes
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi
Nmap scan report for 10.0.1.83
Host is up (0.016s latency).
Not shown: 992 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
161/tcp   open  snmp
445/tcp   open  microsoft-ds
1935/tcp  open  rtmp
3260/tcp  open  iscsi
5000/tcp  open  upnp
50001/tcp open  unknown
Nmap scan report for 10.0.1.88
Host is up (0.016s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE
5900/tcp open  vnc
Nmap scan report for 10.0.1.110
Host is up (0.020s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
5900/tcp open  vnc
Nmap scan report for 10.0.1.111
Host is up (0.016s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1024 IP addresses (16 hosts up) scanned in 847.94 seconds


2.5 - ICMP-based Discovery

ICMP-based discovery (-PE) sends an ICMP echo request, the classic ping, to every address in the range. Unlike ARP it is routed, so it reaches hosts on other subnets and gives a quick first overview of who answers. Its weakness is that echo requests are among the first things perimeter firewalls and host firewalls block, so a host that does not answer -PE is not necessarily down. Nmap offers ICMP timestamp (-PP) and netmask (-PM) requests as alternatives that some filters let through, and in practice you combine several probe types, for example -sn -PE -PP -PS22,80,443 -PA80, to cut down on false negatives. For discovery only, combine -PE with -sn; on its own it still triggers the default port scan.


nmap -PE 10.0.1.0/22
Starting Nmap 7.93 (https://nmap.org) at 2024-03-15 15:56 EDT
Nmap scan report for 10.0.1.5
Host is up (0.016s latency).
Nmap scan report for 10.0.1.7
Host is up (0.017s latency).
Nmap scan report for 10.0.1.38
Host is up (0.058s latency).
Nmap scan report for 10.0.1.41
Host is up (0.017s latency).
Nmap scan report for 10.0.1.53
Host is up (0.017s latency).
Nmap scan report for 10.0.1.59
Host is up (0.017s latency).
Nmap scan report for 10.0.1.78
Host is up (0.017s latency).
Nmap scan report for 10.0.1.83
Host is up (0.016s latency).
Nmap scan report for 10.0.1.88
Host is up (0.016s latency).
Nmap scan report for 10.0.1.110
Host is up (0.020s latency).
Nmap scan report for 10.0.1.111
Host is up (0.016s latency).
Nmap done: 1024 IP addresses (16 hosts up) scanned in 847.94 seconds
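The ARP section (2.3) and the ICMP section (2.5) both show sweeps of the same /22, and the useful comparison is which hosts one method finds and the other misses. The shell script below, an added example that is not part of the original page, does that set difference. Its two host lists are copied from the -PR and -PE outputs above; the nmap commands in the comments are the standard way to produce such lists on a real network.

```sh
#!/bin/sh
# Added example, not from the original page: compare two discovery runs to
# find hosts that answered ARP but not ICMP echo, i.e. the hosts an
# ICMP-only sweep of this range would have reported as down.
#
# The two lists are the addresses taken from the -PR and -PE outputs on
# this page. On a real network you would build them with:
#   sudo nmap -sn -PR -oG - 10.0.1.0/22 | awk '/Status: Up/ { print $2 }' > arp.txt
#   sudo nmap -sn -PE -oG - 10.0.1.0/22 | awk '/Status: Up/ { print $2 }' > icmp.txt
ARP_HOSTS='10.0.1.5
10.0.1.7
10.0.1.38
10.0.1.41
10.0.1.53
10.0.1.59
10.0.1.78
10.0.1.83
10.0.1.88
10.0.1.110
10.0.1.111
10.0.2.8
10.0.2.9
10.0.2.110
10.0.2.248
10.0.2.249'

ICMP_HOSTS='10.0.1.5
10.0.1.7
10.0.1.38
10.0.1.41
10.0.1.53
10.0.1.59
10.0.1.78
10.0.1.83
10.0.1.88
10.0.1.110
10.0.1.111'

# only_in LIST_A LIST_B: addresses present in LIST_A but absent from LIST_B.
# The reference list is streamed first and tagged "ref", the candidate list
# second and tagged "cand", so one awk pass computes the set difference
# without temporary files or bash-only process substitution.
only_in() {
    { printf '%s\n' "$2" | sed 's/^/ref /'
      printf '%s\n' "$1" | sed 's/^/cand /'; } |
        awk '$1 == "ref"  { seen[$2] = 1; next }
             $1 == "cand" && !($2 in seen) { print $2 }'
}

# Hosts that are up on the segment (ARP) but drop ICMP echo requests.
icmp_silent_hosts() { only_in "$ARP_HOSTS" "$ICMP_HOSTS"; }

# Hosts that answered ICMP but not ARP: expected for targets beyond a
# router, where ARP cannot reach them. Empty for this sample.
arp_silent_hosts() { only_in "$ICMP_HOSTS" "$ARP_HOSTS"; }

count() { wc -l | tr -d ' '; }

printf '%s ARP responders, %s ICMP responders\n' \
    "$(printf '%s\n' "$ARP_HOSTS" | count)" "$(printf '%s\n' "$ICMP_HOSTS" | count)"
icmp_silent_hosts > silent.txt
printf 'Missed by an ICMP-only sweep (%s hosts, saved to silent.txt):\n' "$(count < silent.txt)"
sed 's/^/  /' silent.txt
# Re-probe the silent hosts with several probe types before calling them down.
printf 'Re-check: sudo nmap -sn -PE -PP -PS22,80,443 -PA80 -iL silent.txt\n'
```

On this data five of the sixteen hosts, all in 10.0.2.x, answer ARP but not echo requests; an audit that relied on ICMP alone would have left them out of scope entirely.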


2.6 - Network Traceroute with Nmap

Nmap's --traceroute traces the path packets take to each target, showing the routers along the way; this helps identify the network's components and pinpoint where connectivity problems arise. Unlike the classic traceroute tool, Nmap runs the trace after the scan and uses the probe most likely to get through (an open port found during the scan, or the discovery probe when -sn is used), and it starts from a high TTL and decrements, which saves packets when many targets share the same path. In the output below, the targets whose path includes a second router (10.0.0.2) sit one hop further away than the others; that matters for discovery, because hosts behind a router are out of reach of ARP probes.


nmap --traceroute 10.0.1.0/22
Starting Nmap 7.93 (https://nmap.org) at 2024-03-15 15:56 EDT
Nmap scan report for 10.0.1.5
Host is up (0.016s latency).
TRACEROUTE (10.0.1.5)
HOP RTT     ADDRESS
1   0.010 ms 10.0.0.1
2   0.015 ms 10.0.1.5
Nmap scan report for 10.0.1.7
Host is up (0.017s latency).
TRACEROUTE (10.0.1.7)
HOP RTT     ADDRESS
1   0.011 ms 10.0.0.1
2   0.017 ms 10.0.1.7
Nmap scan report for 10.0.1.38
Host is up (0.058s latency).
TRACEROUTE (10.0.1.38)
HOP RTT     ADDRESS
1   0.020 ms 10.0.0.1
2   0.040 ms 10.0.0.2
3   0.058 ms 10.0.1.38
Nmap scan report for 10.0.1.41
Host is up (0.017s latency).
TRACEROUTE (10.0.1.41)
HOP RTT     ADDRESS
1   0.012 ms 10.0.0.1
2   0.017 ms 10.0.1.41
Nmap scan report for 10.0.1.138
Host is up (0.013s latency).
TRACEROUTE (10.0.1.138)
HOP RTT     ADDRESS
1   0.006 ms 10.0.0.1
2   0.010 ms 10.0.0.2
3   0.013 ms 10.0.1.138
Nmap done: 1024 IP addresses (16 hosts up) scanned in 847.94 seconds
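To make the segment boundary visible, the shell script below (an added example, not part of the original page) parses the traceroute output above and groups targets by the routers on their path. The sample is the page's own output embedded as a string; the parser is standard awk and handles the hostname-in-parentheses form of the "Nmap scan report for" line as well.

```sh
#!/bin/sh
# Added example, not from the original page: group the targets of an Nmap
# --traceroute run by the routers on their path. Hosts that only pass the
# scanner's first hop are on or next to the local segment; hosts whose path
# crosses a further router are on another segment, which is exactly where
# ARP discovery cannot reach them.
#
# The sample is the traceroute output shown on this page. Without -v Nmap
# may also print "-   Hops 1-2 are the same as for 10.0.1.5" to collapse
# repeated hops; the sample has none of those and the parser does not
# expand them.
SAMPLE_TRACE='Nmap scan report for 10.0.1.5
Host is up (0.016s latency).
TRACEROUTE (10.0.1.5)
HOP RTT     ADDRESS
1   0.010 ms 10.0.0.1
2   0.015 ms 10.0.1.5
Nmap scan report for 10.0.1.7
Host is up (0.017s latency).
TRACEROUTE (10.0.1.7)
HOP RTT     ADDRESS
1   0.011 ms 10.0.0.1
2   0.017 ms 10.0.1.7
Nmap scan report for 10.0.1.38
Host is up (0.058s latency).
TRACEROUTE (10.0.1.38)
HOP RTT     ADDRESS
1   0.020 ms 10.0.0.1
2   0.040 ms 10.0.0.2
3   0.058 ms 10.0.1.38
Nmap scan report for 10.0.1.41
Host is up (0.017s latency).
TRACEROUTE (10.0.1.41)
HOP RTT     ADDRESS
1   0.012 ms 10.0.0.1
2   0.017 ms 10.0.1.41
Nmap scan report for 10.0.1.138
Host is up (0.013s latency).
TRACEROUTE (10.0.1.138)
HOP RTT     ADDRESS
1   0.006 ms 10.0.0.1
2   0.010 ms 10.0.0.2
3   0.013 ms 10.0.1.138'

# paths: one line per target, "TARGET HOPS ROUTERS", where ROUTERS is the
# list of intermediate addresses joined with ">". The target is the last
# word of the "Nmap scan report for" line (parentheses stripped when a
# hostname precedes the address); hop lines start with the hop number.
paths() {
    printf '%s\n' "$SAMPLE_TRACE" |
        awk '
            /^Nmap scan report for / { target = $NF; gsub(/[()]/, "", target); path = "" }
            /^[0-9]+ / {
                hop = $NF
                if (hop == target) print target, $1, path
                else path = (path == "" ? hop : path ">" hop)
            }'
}

# hosts_via ROUTER: targets whose path crosses ROUTER (exact match on each
# hop, so 10.0.0.2 does not match 10.0.0.20).
hosts_via() {
    paths | awk -v r="$1" '{
        n = split($3, hops, ">")
        for (i = 1; i <= n; i++) if (hops[i] == r) { print $1; break }
    }'
}

paths
printf 'Behind the second router 10.0.0.2 (ARP discovery will not reach these):\n'
hosts_via 10.0.0.2 | sed 's/^/  /'
```

With the page's data, 10.0.1.38 and 10.0.1.138 are the two hosts behind 10.0.0.2, so for that part of the range the TCP and ICMP probes from sections 2.4 and 2.5 are the ones to rely on.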

Much like traceroute on Linux, tracert on Windows traces the path packets take to a given network destination. It prints each hop along the way, which helps locate the point where packets are delayed or lost. Note that tracert relies on ICMP echo requests, so it shows nothing past a hop that filters ICMP, whereas Nmap can trace with whichever probe the scan showed to get through.


nmap -h
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports sequentially - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES