
[Linux / Ubuntu] Security Management Tools (1) - NMap

주누다 2015. 5. 12. 16:05

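Security Management Tools

- Log management and firewall configuration are the most basic tools for securing Linux

- NMap, a tool for checking network ports

- PAM, which provides user authentication features



NMap: Port Scanning Tool

- NMap scans your own server or a remote server and prints the ports in use, the operating system, and so on

- NMap is also used for network administration

- It can check whether vulnerable ports are in use, so it is also used for security purposes

- However, the act of scanning by itself is regarded as preparation for an intrusion,

  so do not scan remote servers indiscriminately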

 

1) Installing NMap

 * sudo apt-get install nmap


nmap

- Function: explores a network and checks its security

- Syntax: nmap [options] target address

- Options:

 * '-sS': performs a TCP SYN scan

 * '-sT': performs a TCP connect scan

 * '-sP': performs a ping scan

 * '-sU': performs a UDP scan

 * '-sO': performs an IP protocol scan

 * '-O': identifies the operating system

 * '-v': prints the scan results in detail

 * '-p port numbers': scans only the specified ports (e.g. -p22; -p1-65535; -p U:53,111,T:21-25,80)

 * '-F': fast mode, which scans fewer ports than the default scan

- Usage examples: nmap 192.168.0.1, nmap -O 192.168.0.1, nmap -sT -O -v 192.168.0.1




2) Running NMap without options

- Running NMap without any options prints a summary of the ports currently open on the specified host

=====================================================================
[ mac : /var ] $ namp localhost
-bash: namp: command not found
[ mac : /var ] $ nmap localhost

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-12 19:59 KST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00063s latency).
Not shown: 973 closed ports, 26 filtered ports
PORT    STATE SERVICE
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 5.38 seconds
[ mac : /var ] $ 
=====================================================================



3) Scanning a specific server

- Specify the server by its IP address and add the -O option

- The -O option, which reports the operating system of the target, requires root privileges

=====================================================================
[ mac : /var ] $ sudo nmap -O 192.168.0.10
Password:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-12 20:08 KST
Nmap scan report for 192.168.0.10
Host is up (0.000096s latency).
All 1000 scanned ports on 192.168.0.10 are closed (971) or filtered (29)
Device type: media device|phone|general purpose
Running: Apple iPhone OS 1.X|3.X, Apple Mac OS X 10.5.X|10.6.X|10.7.X|10.8.X, Apple iOS 4.X|5.X
OS CPE: cpe:/o:apple:iphone_os:1 cpe:/o:apple:iphone_os:3 cpe:/o:apple:mac_os_x:10.5 cpe:/o:apple:mac_os_x:10.6 cpe:/o:apple:mac_os_x:10.7 cpe:/o:apple:iphone_os:4 cpe:/o:apple:mac_os_x:10.8 cpe:/o:apple:iphone_os:5
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds
[ mac : /var ] $ 
=====================================================================



4) Scanning UDP ports

- Use the '-sU' option

=====================================================================
[ mac : /var ] $ sudo nmap -sU -v localhost

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-12 20:11 KST
Initiating UDP Scan at 20:11
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 123/udp on 127.0.0.1
Completed UDP Scan at 20:11, 3.36s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000064s latency).
Not shown: 500 closed ports, 499 open|filtered ports
PORT    STATE SERVICE
123/udp open  ntp

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds
           Raw packets sent: 1500 (43.186KB) | Rcvd: 2001 (71.262KB)
[ mac : /var ] $ 

=> Port 123 is open
=====================================================================



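5) Port scanning an entire network

- Specifying a network address scans the whole of that network

- The port status of every system connected to the network is checked in one pass

- For example, scan the 192.168.0.0 network

- '/24' means the network prefix is 24 bits long

- The part up to '192.168.0' is the network address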

=====================================================================
[ mac : /var ] $ sudo nmap -sT -O -v 192.168.0.0/24
Password:

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-12 20:18 KST
Initiating ARP Ping Scan at 20:18
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 20:18, 1.97s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 20:18
Completed Parallel DNS resolution of 255 hosts. at 20:18, 0.00s elapsed
Nmap scan report for 192.168.0.0 [host down]
Nmap scan report for 192.168.0.2 [host down]
Nmap scan report for 192.168.0.3 [host down]
Nmap scan report for 192.168.0.4 [host down]
...
...
...
Nmap scan report for 192.168.0.254 [host down]
Nmap scan report for 192.168.0.255 [host down]
Initiating Parallel DNS resolution of 1 host. at 20:18
Completed Parallel DNS resolution of 1 host. at 20:18, 0.00s elapsed
Initiating Connect Scan at 20:18
Scanning 3 hosts [1000 ports/host]
Increasing send delay for 192.168.0.18 from 0 to 5 due to 11 out of 33 dropped probes since last increase.
Discovered open port 2048/tcp on 192.168.0.1
Increasing send delay for 192.168.0.18 from 5 to 10 due to max_successful_tryno increase to 4
Discovered open port 55555/tcp on 192.168.0.1
Completed Connect Scan against 192.168.0.16 in 11.12s (2 hosts left)
Completed Connect Scan against 192.168.0.1 in 16.24s (1 host left)
Increasing send delay for 192.168.0.18 from 10 to 20 due to max_successful_tryno increase to 5
Increasing send delay for 192.168.0.18 from 20 to 40 due to max_successful_tryno increase to 6
Completed Connect Scan at 20:19, 38.11s elapsed (3000 total ports)
Initiating OS detection (try #1) against 3 hosts
Retrying OS detection (try #2) against 2 hosts
Nmap scan report for 192.168.0.1
Host is up (0.0042s latency).
Not shown: 998 filtered ports
PORT      STATE SERVICE
2048/tcp  open  dls-monitor
55555/tcp open  unknown
MAC Address: 00:08:9F:1A:E0:F8 (EFM Networks)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS details: D-Link DIR-100; DrayTek Vigor3300; or Netgear KWRGR614, RT614, or WG602 router (Linux 2.4), Linux 2.4.18 - 2.4.35 (likely embedded), Linux 2.4.21 - 2.4.27, Linux 2.4.32 (x86)
Uptime guess: 36.931 days (since Sun Apr  5 21:58:59 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=195 (Good luck!)
IP ID Sequence Generation: All zeros

Nmap scan report for 192.168.0.16
Host is up (0.012s latency).
All 1000 scanned ports on 192.168.0.16 are closed
MAC Address: D0:57:85:AE:04:77 (Pantech Co.)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.0.18
Host is up (0.13s latency).
All 1000 scanned ports on 192.168.0.18 are closed
MAC Address: C4:9A:02:7A:87:74 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Initiating Connect Scan at 20:19
Scanning 192.168.0.10 [1000 ports]
Completed Connect Scan at 20:19, 5.40s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.0.10
Nmap scan report for 192.168.0.10
Host is up (0.00019s latency).
All 1000 scanned ports on 192.168.0.10 are closed (971) or filtered (29)
Device type: media device|phone|general purpose
Running: Apple iPhone OS 1.X|3.X, Apple Mac OS X 10.5.X|10.6.X|10.7.X|10.8.X, Apple iOS 4.X|5.X
OS CPE: cpe:/o:apple:iphone_os:1 cpe:/o:apple:iphone_os:3 cpe:/o:apple:mac_os_x:10.5 cpe:/o:apple:mac_os_x:10.6 cpe:/o:apple:mac_os_x:10.7 cpe:/o:apple:iphone_os:4 cpe:/o:apple:mac_os_x:10.8 cpe:/o:apple:iphone_os:5
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

Read data files from: /usr/local/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 49.36 seconds
           Raw packets sent: 571 (21.572KB) | Rcvd: 51 (5.190KB)
[ mac : /var ] $ 
=====================================================================
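
As an added example (not part of the original post): a Python script that parses Nmap's normal output, in the format of the scans shown above, and reports open ports that are missing from an allow-list. The sample text is constructed from the outputs above plus one made-up `open|filtered` line, and `BASELINE` is a hypothetical allow-list.

```python
import re

# Constructed sample, trimmed from the scan outputs shown above; the 68/udp line is made up.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.0.1
PORT      STATE SERVICE
2048/tcp  open  dls-monitor
55555/tcp open  unknown

Nmap scan report for 192.168.0.16
All 1000 scanned ports on 192.168.0.16 are closed

Nmap scan report for localhost (127.0.0.1)
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
123/udp open          ntp
"""

# Hypothetical allow-list: the ports each host is expected to expose.
BASELINE = {"192.168.0.1": {(2048, "tcp")}, "127.0.0.1": {(123, "udp")}}

# Matches "... for 192.168.0.1" and "... for localhost (127.0.0.1)", not "[host down]" lines.
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_open_ports(text):
    """Return {host_ip: {(port, proto): service}} for ports whose state is exactly 'open'."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            current = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(3) == "open":
            current[(int(m.group(1)), m.group(2))] = m.group(4)
    return hosts

def unexpected_ports(text, baseline):
    """List (host, port, proto, service) for open ports that the baseline does not allow."""
    findings = []
    for host, ports in parse_open_ports(text).items():
        allowed = baseline.get(host, set())
        for (port, proto), service in sorted(ports.items()):
            if (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return findings

if __name__ == "__main__":
    print(unexpected_ports(SAMPLE_OUTPUT, BASELINE))
```

Run against saved output from periodic scans of your own network, this turns the manual check above into a diff against what each host is supposed to expose.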






