Documentação da ferramenta:

Exemplo de uso do nmap

Varredura em modo detalhado ( -v), habilita detecção de sistema operacional, detecção de
versão, varredura de script e traceroute ( -A), com detecção de versão ( -sV) em relação ao IP
de destino ( 192.168.1.1):
root@kali:~# nmap -v -A -sV 192.168.1.1

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-13 18:40 MDT

NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 18:40
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 18:40, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:40
Completed Parallel DNS resolution of 1 host. at 18:40, 0.00s elapsed
Initiating SYN Stealth Scan at 18:40
Scanning router.localdomain (192.168.1.1) [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 3001/tcp on 192.168.1.1

Exemplo de uso de nping

Usando o modo TCP ( –tcp) para testar a porta 22 ( -p 22) usando o sinalizador SYN ( –flags
syn) com um TTL de 2 ( –ttl 2) no host remoto ( 192.168.1.1):
root@kali:~# nping --tcp -p 22 --flags syn --ttl 2 192.168.1.1

Starting Nping 0.6.45 ( http://nmap.org/nping ) at 2014-05-13 18:43 MDT

SENT (0.0673s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240
iplen=40 seq=1720523417 win=1480
RCVD (0.0677s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0
iplen=44 seq=3377886789 win=5840 <mss 1460>
SENT (1.0678s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240
iplen=40 seq=1720523417 win=1480
RCVD (1.0682s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0
iplen=44 seq=3393519366 win=5840 <mss 1460>
SENT (2.0693s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240
iplen=40 seq=1720523417 win=1480
RCVD (2.0696s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0
iplen=44 seq=3409166569 win=5840 <mss 1460>
SENT (3.0707s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240
iplen=40 seq=1720523417 win=1480
RCVD (3.0710s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0
iplen=44 seq=3424813300 win=5840 <mss 1460>
SENT (4.0721s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240
iplen=40 seq=1720523417 win=1480
RCVD (4.0724s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0
iplen=44 seq=3440460772 win=5840 <mss 1460>

Max rtt: 0.337ms | Min rtt: 0.282ms | Avg rtt: 0.296ms

Raw packets sent: 5 (200B) | Rcvd: 5 (230B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 4.13 seconds

Exemplo de uso de ndiff

Compare a varredura de porta de ontem ( yesterday.xml) com a varredura de hoje
( today.xml):
root@kali:~# ndiff yesterday.xml today.xml
-Nmap 6.45 scan initiated Tue May 13 18:46:43 2014 as: nmap -v -F -oX
yesterday.xml 192.168.1.1
+Nmap 6.45 scan initiated Tue May 13 18:47:58 2014 as: nmap -v -F -oX
today.xml 192.168.1.1

endian.localdomain (192.168.1.1, 00:01:6C:6F:DD:D1):

-Not shown: 96 filtered ports
+Not shown: 97 filtered ports
PORT STATE SERVICE VERSION
-22/tcp open ssh

Exemplo de uso de ncat

Seja detalhado ( -v), execute /bin/bash na conexão ( –exec “/bin/bash”), permita apenas 1
endereço IP ( –allow 192.168.1.123), escute na porta TCP 4444 ( -l 4444) e mantenha o
ouvinte aberto na desconexão ( –keep-open):
root@kali:~# ncat -v --exec "/bin/bash" --allow 192.168.1.123 -l 4444
--keep-open
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.123.
Ncat: Connection from 192.168.1.123:39501.
Ncat: Connection from 192.168.1.15.
Ncat: Connection from 192.168.1.15:60393.
Ncat: New connection denied: not allowed

Pacotes e binários:
não
ncat é uma reimplementação do Netcat pelo projeto NMAP, fornecendo a maioria dos recursos
presentes nas implementações originais, junto com alguns novos recursos como suporte a IPv6
e SSL. O suporte para varredura de portas foi removido.

Tamanho instalado: 587 KB

Como instalar: sudo apt install ncat

Dependências:
 




não

Concatenar e redirecionar soquetes

root@kali:~# ncat -h
Ncat 7.94 ( https://nmap.org/ncat )
Usage: ncat [options] [hostname] [port]

Options taking a time assume seconds. Append 'ms' for milliseconds,

's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
-4 Use IPv4 only
-6 Use IPv6 only
-U, --unixsock Use Unix domain sockets only
--vsock Use vsock sockets only
-C, --crlf Use CRLF for EOL sequence
-c, --sh-exec <command> Executes the given command via /bin/sh
-e, --exec <command> Executes the given command
--lua-exec <filename> Executes the given Lua script
-g hop1[,hop2,...] Loose source routing hop points (8 max)
-G <n> Loose source routing hop pointer (4, 8,
12, ...)
-m, --max-conns <n> Maximum <n> simultaneous connections
-h, --help Display this help screen
-d, --delay <time> Wait between read/writes
-o, --output <filename> Dump session data to a file
-x, --hex-dump <filename> Dump session data as hex to a file
-i, --idle-timeout <time> Idle read/write timeout
-p, --source-port port Specify source port to use
-s, --source addr Specify source address to use (doesn't
affect -l)
-l, --listen Bind and listen for incoming connections
-k, --keep-open Accept multiple connections in listen mode
-n, --nodns Do not resolve hostnames via DNS
-t, --telnet Answer Telnet negotiations
-u, --udp Use UDP instead of default TCP
--sctp Use SCTP instead of default TCP
-v, --verbose Set verbosity level (can be used several
times)
-w, --wait <time> Connect timeout
-z Zero-I/O mode, report connection status
only
--append-output Append rather than clobber specified
output files
--send-only Only send data, ignoring received; quit on
EOF
--recv-only Only receive data, never send anything
--no-shutdown Continue half-duplex when receiving EOF on
stdin
--allow Allow only given hosts to connect to Ncat
--allowfile A file of hosts allowed to connect to Ncat
--deny Deny given hosts from connecting to Ncat
 --denyfile A file of hosts denied from connecting to
Ncat
--broker Enable Ncat's connection brokering mode
--chat Start a simple Ncat chat server
--proxy <addr[:port]> Specify address of host to proxy through
--proxy-type <type> Specify proxy type ("http", "socks4",
"socks5")
--proxy-auth <auth> Authenticate with HTTP or SOCKS proxy
server
--proxy-dns <type> Specify where to resolve proxy destination
--ssl Connect or listen with SSL
--ssl-cert Specify SSL certificate file (PEM) for
listening
--ssl-key Specify SSL private key (PEM) for
listening
--ssl-verify Verify trust and domain name of
certificates
--ssl-trustfile PEM file containing trusted SSL
certificates
--ssl-ciphers Cipherlist containing SSL ciphers to use
--ssl-servername Request distinct server name (SNI)
--ssl-alpn ALPN protocol list to use
--version Display Ncat's version information and
exit

See the ncat(1) manpage for full options, descriptions and usage
examples

não
Ndiff é uma ferramenta para auxiliar na comparação de varreduras do Nmap. São necessários
dois arquivos de saída XML do Nmap e imprime as diferenças entre eles: hosts subindo e
descendo, portas sendo abertas ou fechadas e coisas assim. Ele pode produzir saída em texto
legível por humanos ou em formatos XML legíveis por máquina.

Tamanho instalado: 426 KB

Como instalar: sudo apt install ndiff

Dependências:



não

Utilitário para comparar os resultados das varreduras do Nmap

root@kali:~# ndiff -h
Usage: /usr/bin/ndiff [option] FILE1 FILE2
Compare two Nmap XML files and display a list of their differences.
Differences include host state changes, port state changes, and changes
to
service and OS detection.
 -h, --help display this help
-v, --verbose also show hosts and ports that haven't changed.
--text display output in text format (default)
--xml display output in XML format

nmap
Nmap é um utilitário para exploração de rede ou auditoria de segurança. Ele suporta varredura
de ping (determina quais hosts estão ativos), muitas técnicas de varredura de portas, detecção
de versão (determina protocolos de serviço e versões de aplicativos ouvindo atrás de portas) e
impressão digital TCP/IP (SO de host remoto ou identificação de dispositivo). O Nmap também
oferece especificação flexível de alvo e porta, varredura chamariz/stealth, varredura sunRPC e
muito mais. A maioria das plataformas Unix e Windows são suportadas nos modos GUI e linha
de comando. Vários dispositivos portáteis populares também são suportados, incluindo o
Sharp Zaurus e o iPAQ.

Tamanho instalado: 4.38 MB

Como instalar: sudo apt install nmap

Dependências:













nmap

Ferramenta de exploração de rede e scanner de segurança/porta

root@kali:~# nmap -h
Nmap 7.94 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
 -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given
ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from
scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms'
(milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>:
Specifies
probe round trip time.
 --max-retries <tries>: Caps number of port scan probe
retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4
proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to
HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and
traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND
EXAMPLES

nping
Ferramenta de geração de pacotes de rede/utilitário ping

root@kali:~# nping -h
Nping 0.7.94 ( https://nmap.org/nping )
Usage: nping [Probe mode] [Options] {target specification}

TARGET SPECIFICATION:
Targets may be specified as hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.*.1-24
PROBE MODES:
--tcp-connect
mode.
--tcp
--udp
--icmp
--arp
--tr, --traceroute
with
TCP CONNECT MODE:
-p, --dest-port <port spec>
-g, --source-port <portnumber> : Try to use a custom source port.
TCP PROBE MODE:
-g, --source-port <portnumber> : Set source port.
-p, --dest-port <port spec>
--seq <seqnumber>
--flags <flag list>
(ACK,PSH,RST,SYN,FIN...)
--ack <acknumber>
--win <size>
--badsum
UDP PROBE MODE:
-g, --source-port <portnumber> : Set source port.
-p, --dest-port <port spec>
--badsum
ICMP PROBE MODE:
--icmp-type <type>
--icmp-code <code>
--icmp-id <id>
--icmp-seq <n>
--icmp-redirect-addr <addr>
--icmp-param-pointer <pnt>
--icmp-advert-lifetime <time>
--icmp-advert-entry <IP,pref>
--icmp-orig-time <timestamp>
--icmp-recv-time <timestamp>
--icmp-trans-time <timestamp>
ARP/RARP PROBE MODE:
--arp-type <type>
reply.
--arp-sender-mac <mac>
--arp-sender-ip <addr>
--arp-target-mac <mac>
--arp-target-ip <addr>
IPv4 OPTIONS:
-S, --source-ip
--dest-ip <addr>
as an
: Unprivileged TCP connect probe
: TCP probe mode.
: UDP probe mode.
: ICMP probe mode.
: ARP/RARP probe mode.
: Traceroute mode (can only be used
TCP/UDP/ICMP modes).
: Set destination port(s).
: Set destination port(s).
: Set sequence number.
: Set TCP flags
: Set ACK number.
: Set window size.
: Use a random invalid checksum.
: Set destination port(s).
: Use a random invalid checksum.
: ICMP type.
: ICMP code.
: Set identifier.
: Set sequence number.
: Set redirect address.
: Set parameter problem pointer.
: Set router advertisement lifetime.
: Add router advertisement entry.
: Set originate timestamp.
: Set receive timestamp.
: Set transmit timestamp.
: Type: ARP, ARP-reply, RARP, RARP-
: Set sender MAC address.
: Set sender IP address.
: Set target MAC address.
: Set target IP address.
: Set source IP address.
: Set destination IP address (used
 alternative to {target
specification} ).
--tos <tos> : Set type of service field (8bits).
--id <id> : Set identification field (16
bits).
--df : Set Don't Fragment flag.
--mf : Set More Fragments flag.
--evil : Set Reserved / Evil flag.
--ttl <hops> : Set time to live [0-255].
--badsum-ip : Use a random invalid checksum.
--ip-options <R|S [route]|L [route]|T|U ...> : Set IP options
--ip-options <hex string> : Set IP options
--mtu <size> : Set MTU. Packets get fragmented if
MTU is
small enough.
IPv6 OPTIONS:
-6, --IPv6 : Use IP version 6.
--dest-ip : Set destination IP address (used
as an
alternative to {target
specification}).
--hop-limit : Set hop limit (same as IPv4 TTL).
--traffic-class <class> : : Set traffic class.
--flow <label> : Set flow label.
ETHERNET OPTIONS:
--dest-mac <mac> : Set destination mac address.
(Disables
ARP resolution)
--source-mac <mac> : Set source MAC address.
--ether-type <type> : Set EtherType value.
PAYLOAD OPTIONS:
--data <hex string> : Include a custom payload.
--data-string <text> : Include a custom ASCII text.
--data-length <len> : Include len random bytes as
payload.
ECHO CLIENT/SERVER:
--echo-client <passphrase> : Run Nping in client mode.
--echo-server <passphrase> : Run Nping in server mode.
--echo-port <port> : Use custom <port> to listen or
connect.
--no-crypto : Disable encryption and
authentication.
--once : Stop the server after one
connection.
--safe-payloads : Erase application data in echoed
packets.
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms'
(milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m,
0.25h).
--delay <time> : Adjust delay between probes.
--rate <rate> : Send num packets per second.
MISC:
-h, --help : Display help information.
-V, --version : Display current version number.
-c, --count <n> : Stop after <n> rounds.
-e, --interface <name> : Use supplied network interface.
 -H, --hide-sent : Do not display sent packets.
-N, --no-capture : Do not try to capture replies.
--privileged : Assume user is fully privileged.
--unprivileged : Assume user lacks raw socket
privileges.
--send-eth : Send packets at the raw Ethernet
layer.
--send-ip : Send packets using raw IP sockets.
--bpf-filter <filter spec> : Specify custom BPF filter.
OUTPUT:
-v : Increment verbosity level by one.
-v[level] : Set verbosity level. E.g: -v4
-d : Increment debugging level by one.
-d[level] : Set debugging level. E.g: -d3
-q : Decrease verbosity level by one.
-q[N] : Decrease verbosity level N times
--quiet : Set verbosity and debug level to
minimum.
--debug : Set verbosity and debug to the max
level.
EXAMPLES:
nping scanme.nmap.org
nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
nping --icmp --icmp-type time --delay 500ms 192.168.254.254
nping --echo-server "public" -e wlan0 -vvv
nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack

SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

nmap-comum
Nmap é um utilitário para exploração de rede ou auditoria de segurança. Ele suporta varredura
de ping (determina quais hosts estão ativos), muitas técnicas de varredura de portas, detecção
de versão (determina protocolos de serviço e versões de aplicativos ouvindo atrás de portas) e
impressão digital TCP/IP (SO de host remoto ou identificação de dispositivo). O Nmap também
oferece especificação flexível de alvo e porta, varredura chamariz/stealth, varredura sunRPC e
muito mais. A maioria das plataformas Unix e Windows são suportadas nos modos GUI e linha
de comando. Vários dispositivos portáteis populares também são suportados, incluindo o
Sharp Zaurus e o iPAQ.

Este pacote contém os arquivos nmap compartilhados por todas as arquiteturas.

Tamanho instalado: 21.03 MB

Como instalar: sudo apt install nmap-common