Different behaviour: "sudo nmap" vs plain "nmap"?

4

I am trying to do a simple port scan with nmap:

$ nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Nmap scan report for 192.168.56.101
Host is up (0.0048s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
5555/tcp  open  freeciv
24800/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

But when I try the same thing with sudo, it fails, claiming that the host is down:

$ sudo nmap 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-10 19:30 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.48 seconds

NOTE:
I am on OS X Yosemite.
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin14)

Thanks.

by thedp 10.03.2015 / 18:38

3 answers

3

I noticed the same behaviour on my Mac. It is very strange.

It seems that Nmap with sudo privileges gets some information from the ARP cache. So if you scan a device that is disconnected from the network but is still in the ARP cache (the cache is refreshed after 2 or 3 minutes on the computer), it will show up as online to Nmap.

From the Nmap man page:

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

by 25.08.2015 / 23:32
6

By default, an unprivileged scan uses -sT (TCP Connect) while a privileged (root) scan uses -sS (TCP SYN Stealth).

TCP Connect (-sT): Connect scan uses the system call of the same name to scan machines, instead of relying on raw packets as most other methods do. It is normally used by privileged Unix users and against IPv6 targets, because SYN scan does not work in those cases.

TCP SYN Stealth (-sS): This is by far the most popular scan type, as it is the fastest way to scan the ports of the most popular protocol (TCP). It is stealthier than the connect scan and works against every functional TCP stack (unlike some special scans, such as the FIN scan).

1) To find out what is going on with your machine, I suggest using extra verbose mode (-vv) or --packet-trace to see what happens.

$ sudo nmap --packet-trace -vv 192.168.56.101

2) Another approach would be to force an unprivileged scan as a privileged user with the following commands and look at the result.

$ sudo nmap -sT -vv 192.168.56.101
$ sudo nmap --unprivileged -vv 192.168.56.101

3) Finally, the reason nmap stops the scan is that the ICMP type 8 (echo, a.k.a. ping) does not get an ICMP type 0 (echo reply) back. This command skips the ping and keeps scanning:

$ sudo nmap -PN 192.168.56.101

Could you please try these commands and post the output?

by 27.08.2015 / 02:55
1

Basically, by default:

  • A privileged user runs an -sS (TCP SYN scan).
    This scan type requires raw socket / raw packet privileges.
  • An unprivileged user runs an -sT (TCP connect scan).
    This scan type does not require raw socket / raw packet privileges.

Adapted from the official Nmap docs:


PORT SCANNING TECHNIQUES
Most of the scan types are only available to privileged users. This is because they are able to send and receive raw packets, which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.


--privileged (Assume that the user is fully privileged).
Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on Unix systems. By default, Nmap quits if such operations are requested but geteuid is not zero. --privileged is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users to perform raw-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan, OS detection, etc). The NMAP_PRIVILEGED environment variable may be set as an equivalent alternative to --privileged.

-sS (TCP SYN Scan).
TCP SYN Scan is the default scan option for privileged users. It can be performed quickly, scanning thousands of ports per second; when on a fast network, not hampered by any restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. A TCP SYN Scan works against any compliant TCP stack rather than depending on the idiosyncrasies of specific platforms (as Nmap's other scans do). It allows clear, reliable differentiation between the (open), (closed), and (filtered) states.
This technique is often referred to as a Half-Open Scan, because it doesn't open a full TCP connection. You send a SYN packet, as if you are going to (open) a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener (closed). If a SYN/ACK is received, a RST is immediately sent to tear down the connection. The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. If no response is received after several retransmissions, the port is marked as (filtered). The port is also marked (filtered) if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered (open) if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous (open) or split handshake connection. (https://nmap.org/misc/split-handshake.pdf)


--unprivileged (Assume that the user lacks raw socket privileges).
This option is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful if testing, debugging, or the raw network functionality of your operating system is somehow broken. The NMAP_UNPRIVILEGED environment variable may be set as an equivalent alternative to --unprivileged.

-sT (TCP Connect Scan).
TCP Connect Scan is the default TCP scan type for unprivileged users. This is the most basic form of TCP scanning. The connect() system call, provided by your operating system is used to (open) a connection to some interesting ports on the machine. If the port is (listening), then connect() will succeed, otherwise the port is (filtered). One strong advantage to this technique is that it doesn't require any special privileges. Usually, on most UNIX boxes, any user can make this call because it doesn't involve writing raw packets like most other scan types do. This connect() call is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.
When the TCP SYN Scan is available, it is usually a better choice. Nmap has less control over the high level connect() call than with raw packets, making it less efficient. Rather than performing the half-open (reset) that a SYN Scan does, the connect() system call makes complete connections to (open) target ports. This not only takes longer, it requires sending more packets to obtain the same information, and target machines are more likely to log the connection. A decent IDS will catch either. Most machines, however, have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been TCP Connect Scanned.

by 10.12.2015 / 23:47
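The second and third answers both rest on the difference between the unprivileged -sT default (a plain connect() per port) and the privileged -sS default (hand-built SYN packets). The following is an added example, not code from any of the answers above and not Nmap's own implementation: a minimal connect() scanner run against a listener on 127.0.0.1. The listener and the "closed" port are constructed locally for the demonstration. It shows the three properties the quoted docs describe: no special privileges are needed, a refused connection (RST) maps to "closed", and the target service sees a completed handshake followed by a close with no data, which is exactly the event a real service would write to syslog.

```python
import queue
import socket
import threading

# Constructed local test rig: one listener stands in for an "open" port and a
# port we bind and immediately release stands in for a "closed" one.


def start_listener(connection_log):
    """Bind a TCP listener on 127.0.0.1 and record every accepted connection,
    the way a real service would note an unexpected connect-and-close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return  # listener was closed by demo(); stop serving
            conn.settimeout(2.0)
            try:
                data = conn.recv(1)  # scanner sends nothing, so this is b"" on FIN
            except OSError:
                data = b""
            connection_log.put(
                f"connect from {peer[0]}:{peer[1]} to port {port}, "
                f"{len(data)} bytes received before close"
            )
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Pick a port nothing listens on: bind to 0, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """Classify ports the way an -sT scan does.

    connect() succeeds        -> open     (full three-way handshake completed)
    ECONNREFUSED (RST)        -> closed
    timeout / other OS error  -> filtered
    Nothing here needs raw sockets, so it runs as an ordinary user."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # includes socket.timeout / TimeoutError
            results[port] = "filtered"
        finally:
            # The handshake was completed and is now torn down without any
            # application data: this is what the target logs for -sT scans.
            s.close()
    return results


def demo():
    """Run the constructed scenario and return everything worth checking."""
    log = queue.Queue()
    srv, open_port = start_listener(log)
    closed_port = free_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port])
    # The listener records the connection on its own thread; wait for it.
    entries = [log.get(timeout=2.0)]
    srv.close()
    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "results": results,
        "log": entries,
    }


if __name__ == "__main__":
    out = demo()
    for port, state in sorted(out["results"].items()):
        print(f"{port}/tcp {state}")
    for line in out["log"]:
        print("service saw:", line)
```

The point for a defender is the last line of output: a connect scan cannot avoid completing the handshake, so every probed open port produces a log entry on the service side, while a SYN scan (which needs root to craft the packet) is torn down before accept() ever returns.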