You are going to list the open and active services (ports) on your machine (or on any other machine, it does not matter which).
Detecting the services on the target machine (with nmap):
vanvincq@CP2L ~ $ sudo nmap -sV 127.0.0.1

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-20 19:55 CET
Interesting ports on CP2L (127.0.0.1):
Not shown: 994 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     ProFTPD 1.3.3a
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
23/tcp  open  telnet  Linux telnetd
25/tcp  open  smtp    Exim smtpd 4.72
111/tcp open  rpcbind
631/tcp open  ipp     CUPS 1.4
Service Info: OSs: Unix, Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.17 seconds
vanvincq@CP2L ~ $ sudo nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 127.0.0.1

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-20 19:59 CET
NSE: Loaded 30 scripts for scanning.
Initiating SYN Stealth Scan at 19:59
Scanning CP2L (127.0.0.1) [1000 ports]
Discovered open port 23/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 111/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Completed SYN Stealth Scan at 19:59, 0.04s elapsed (1000 total ports)
Initiating Service scan at 19:59
Scanning 6 services on CP2L (127.0.0.1)
Completed Service scan at 19:59, 6.00s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against CP2L (127.0.0.1)
Retrying OS detection (try #2) against CP2L (127.0.0.1)
Retrying OS detection (try #3) against CP2L (127.0.0.1)
Retrying OS detection (try #4) against CP2L (127.0.0.1)
Retrying OS detection (try #5) against CP2L (127.0.0.1)
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 scan
Initiating NSE at 19:59
Completed NSE at 19:59, 5.11s elapsed
NSE: Script Scanning completed.
Host CP2L (127.0.0.1) is up (0.000015s latency).
Interesting ports on CP2L (127.0.0.1):
Not shown: 994 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     ProFTPD 1.3.3a
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
| ssh-hostkey: 1024 12:e8:74:93:e7:26:3a:6b:80:20:e4:da:2c:e6:a4:3b (DSA)
|_ 2048 2c:74:6f:16:59:12:24:d0:40:1c:03:c9:aa:ce:80:b0 (RSA)
23/tcp  open  telnet  Linux telnetd
25/tcp  open  smtp    Exim smtpd 4.72
| smtp-commands: EHLO CP2L Hello cp2l [127.0.0.1], SIZE 52428800, PIPELINING, HELP
|_ HELP Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
111/tcp open  rpcbind
| rpcinfo:
| 100000 2 111/udp rpcbind
| 100024 1 59641/udp status
| 100000 2 111/tcp rpcbind
|_ 100024 1 50769/tcp status
631/tcp open  ipp     CUPS 1.4
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=2/20%OT=21%CT=1%CU=34969%PV=N%DS=0%G=Y%TM=4F42980F%P=x86_6
OS:4-unknown-linux-gnu)SEQ(SP=102%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=8)SEQ(SP=
OS:102%GCD=2%ISR=10C%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M400CST11NW7%O2=M400CST11NW
OS:7%O3=M400CNNT11NW7%O4=M400CST11NW7%O5=M400CST11NW7%O6=M400CST11)WIN(W1=8
OS:000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF=Y%T=40%W=8018%O=M
OS:400CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%
OS:DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW7%RD=0%Q=)T4(R=Y%DF=Y%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.029 days (since Mon Feb 20 19:17:25 2012)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.96 seconds
           Raw packets sent: 1095 (51.990KB) | Rcvd: 2211 (98.764KB)
After the scan, we can state that (TCP) ports 21, 22, 23, 25, 111, 631 and 50769 are open (at least for a local scan over the lo interface).
Let's try again through eth0:
vanvincq@CP2L ~ $ sudo nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.1.10

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-20 20:07 CET
NSE: Loaded 30 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 20:07
Completed Parallel DNS resolution of 1 host. at 20:07, 0.03s elapsed
Initiating SYN Stealth Scan at 20:07
Scanning 192.168.1.10 [1000 ports]
Discovered open port 23/tcp on 192.168.1.10
Discovered open port 21/tcp on 192.168.1.10
Discovered open port 111/tcp on 192.168.1.10
Discovered open port 22/tcp on 192.168.1.10
Completed SYN Stealth Scan at 20:07, 0.04s elapsed (1000 total ports)
Initiating Service scan at 20:07
Scanning 4 services on 192.168.1.10
Completed Service scan at 20:07, 6.00s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.10
Retrying OS detection (try #2) against 192.168.1.10
Retrying OS detection (try #3) against 192.168.1.10
Retrying OS detection (try #4) against 192.168.1.10
Retrying OS detection (try #5) against 192.168.1.10
NSE: Script scanning 192.168.1.10.
NSE: Starting runlevel 1 scan
Initiating NSE at 20:07
Completed NSE at 20:07, 5.10s elapsed
NSE: Script Scanning completed.
Host 192.168.1.10 is up (0.000014s latency).
Interesting ports on 192.168.1.10:
Not shown: 996 closed ports
PORT    STATE SERVICE    VERSION
21/tcp  open  ftp        ProFTPD 1.3.3a
22/tcp  open  ssh        OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
| ssh-hostkey: 1024 12:e8:74:93:e7:26:3a:6b:80:20:e4:da:2c:e6:a4:3b (DSA)
|_ 2048 2c:74:6f:16:59:12:24:d0:40:1c:03:c9:aa:ce:80:b0 (RSA)
23/tcp  open  tcpwrapped
111/tcp open  rpcbind
| rpcinfo:
| 100000 2 111/udp rpcbind
| 100024 1 59641/udp status
| 100000 2 111/tcp rpcbind
|_ 100024 1 50769/tcp status
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=2/20%OT=21%CT=1%CU=40425%PV=Y%DS=0%G=Y%TM=4F4299F3%P=x86_6
OS:4-unknown-linux-gnu)SEQ(SP=100%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=8)OPS(O1=
OS:M400CST11NW7%O2=M400CST11NW7%O3=M400CNNT11NW7%O4=M400CST11NW7%O5=M400CST
OS:11NW7%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)E
OS:CN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW7
OS:%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.035 days (since Mon Feb 20 19:17:24 2012)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.93 seconds
           Raw packets sent: 1095 (51.990KB) | Rcvd: 2209 (98.676KB)
In this case, port 631 is no longer visible.
Next, you will list all the services that you must or may keep active, and then close the others. Here again, write down every procedure you use to reach the result.
Port 21 (FTP): this port was opened during an earlier lab session. I no longer need it for now.
Port 22 (SSH): I am alone on my computer, so there is no need to reach it from another machine. I am closing the port.
Port 23 (TELNET): same as for port 21. I no longer need it.
Port 111 (PORTMAP / RPCBIND): RPC (Remote Procedure Call) is a network protocol that lets a program call procedures on a remote computer through an application server. It is used in the client-server model and handles the various messages exchanged between those entities (source: Wikipedia). During the first year of my Master's I had the chance to use RPC in C programs. I admit that after trying Java RMI it is hard to go back to it xD.
Summary of the situation before intervention:
vanvincq@CP2L ~ $ sudo netstat -atup | grep LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN      1108/portmap
tcp        0      0 *:50769                 *:*                     LISTEN      1120/rpc.statd
tcp        0      0 *:ftp                   *:*                     LISTEN      1578/inetd
tcp        0      0 *:ssh                   *:*                     LISTEN      2161/sshd
tcp        0      0 CP2L:ipp                *:*                     LISTEN      1905/cupsd
tcp        0      0 *:telnet                *:*                     LISTEN      1578/inetd
tcp        0      0 CP2L:smtp               *:*                     LISTEN      1912/exim4
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      2161/sshd
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      1905/cupsd
tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      1912/exim4
For ports 21 and 22, edit the file /etc/inetd.conf and comment out the corresponding lines. For port 23, disable the start-up of the sshd daemon with the command of your choice. This time I am using sysv-rc-conf (an improved version of rcconf).
After intervention:
vanvincq@CP2L ~ $ sudo netstat -atup | grep LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN      1146/portmap
tcp        0      0 *:45968                 *:*                     LISTEN      1158/rpc.statd
tcp        0      0 CP2L:ipp                *:*                     LISTEN      1834/cupsd
tcp        0      0 CP2L:smtp               *:*                     LISTEN      1938/exim4
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      1834/cupsd
tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      1938/exim4
Three ports have thus been closed!
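As an added example (not part of the original write-up), this Python script automates the before/after check done by hand above: it parses the two netstat captures, reports which ports are bound on every interface (and so reachable through eth0, which is why the second scan no longer saw port 631), and tells which ports were closed, which merely moved, and which listeners are not on a keep list. The netstat lines are constructed from the captures on this page; the keep list is an assumption.

```python
# Constructed sample: the two `netstat -atup | grep LISTEN` captures from this write-up
BEFORE = """\
tcp 0 0 *:sunrpc *:* LISTEN 1108/portmap
tcp 0 0 *:50769 *:* LISTEN 1120/rpc.statd
tcp 0 0 *:ftp *:* LISTEN 1578/inetd
tcp 0 0 *:ssh *:* LISTEN 2161/sshd
tcp 0 0 CP2L:ipp *:* LISTEN 1905/cupsd
tcp 0 0 *:telnet *:* LISTEN 1578/inetd
tcp 0 0 CP2L:smtp *:* LISTEN 1912/exim4
tcp6 0 0 [::]:ssh [::]:* LISTEN 2161/sshd
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN 1905/cupsd
tcp6 0 0 ip6-localhost:smtp [::]:* LISTEN 1912/exim4
"""
AFTER = """\
tcp 0 0 *:sunrpc *:* LISTEN 1146/portmap
tcp 0 0 *:45968 *:* LISTEN 1158/rpc.statd
tcp 0 0 CP2L:ipp *:* LISTEN 1834/cupsd
tcp 0 0 CP2L:smtp *:* LISTEN 1938/exim4
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN 1834/cupsd
tcp6 0 0 ip6-localhost:smtp [::]:* LISTEN 1938/exim4
"""
# netstat prints well-known ports by name (from /etc/services); these are the names seen above
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "sunrpc": 111, "ipp": 631}
WILDCARD = {"*", "0.0.0.0", "[::]", "::"}  # bound on every interface, hence visible via eth0

def parse_listeners(text):
    """Map each listening TCP port to (program, bound_on_all_interfaces)."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        addr, _, name = f[3].rpartition(":")        # "[::]:ssh" -> "[::]", "ssh"
        port = SERVICE_PORTS.get(name) or int(name)  # numeric ports stay numeric
        listeners[port] = (f[6].split("/", 1)[1], addr in WILDCARD)
    return listeners

def exposed_ports(text):
    """Ports a scan from another host can reach: only the wildcard binds."""
    return sorted(p for p, (_, everywhere) in parse_listeners(text).items() if everywhere)

def diff_listeners(before_text, after_text, keep):
    """keep = program names allowed to listen (assumed list). Matching on the program
    rather than the port stops rpc.statd, which takes a new random port at every
    start, from being counted as closed. Returns (closed, moved, unexpected) ports."""
    before, after = parse_listeners(before_text), parse_listeners(after_text)
    running = {prog for prog, _ in after.values()}
    closed = sorted(p for p, (prog, _) in before.items() if prog not in running)
    moved = sorted(p for p, (prog, _) in before.items() if p not in after and prog in running)
    unexpected = sorted(p for p, (prog, _) in after.items() if prog not in keep)
    return closed, moved, unexpected
```

With the keep list {"portmap", "rpc.statd", "cupsd", "exim4"} the script reports ports 21, 22 and 23 closed, port 50769 moved (rpc.statd now on 45968) and nothing unexpected, which matches the conclusion above.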