An introduction to port scanning with nmap

Posted by Steve on Sat 9 Jul 2005 at 11:26

When you're interested in testing the security of your firewall, or generally monitoring the services you're exposing to the outside world, a port scan is a useful thing to run: it lets you confirm that you're only exposing what you think you are.

A port scan is mostly what its name suggests: a scan of the ports on a system, to find out which of them are open. Whilst there are many port scanning applications, nmap is arguably the most popular.

The way a port scanner typically works is to attempt to connect to each port on a host in turn, and then report the results. (Run as an ordinary user nmap does exactly this, completing a full TCP connection to each port; run as root it defaults to a "SYN scan", which sends only the first packet of the handshake and never completes the connection, so the target's services never see it.)

For example a scanner could connect to:

  • port 1 - to see if tcpmux is running.
  • port 7 - to see if echo is running.
  • ..
  • port 22 - to see if openssh is available.
  • port 25 - to see if smtp is available.

(If you're interested in identifying which service conventionally uses a given port you can look at the file /etc/services, which lists port numbers and their associated service names. Bear in mind that this tells you what is usually on a port, not what is actually listening there; the version detection described below is how you find that out.)
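The connect-and-report loop described above, written out as an added example (this is not code from the article or from nmap itself). It binds a throw-away listener on the loopback interface so there is an open port to find, picks a port nothing listens on, scans a small window around both, and prints the result in nmap's PORT/STATE/SERVICE layout, with service names looked up from /etc/services. The loopback listener, the port choices and the 0.5 second timeout are assumptions of the demo.

```python
import socket


def start_listener(host="127.0.0.1"):
    """Bind a throw-away TCP listener on an OS-chosen port so the scan has
    something 'open' to find.  A listen backlog is enough: the kernel completes
    the handshake for us, so no accept() loop is needed for this demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def pick_closed_port(host="127.0.0.1"):
    """Ask the OS for a free port and release it again, so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def service_name(port, proto="tcp"):
    """Conventional name for the port, looked up in /etc/services (the same
    table the article mentions); 'unknown' where the file has no entry."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def connect_scan(host, ports, timeout=0.5):
    """Full TCP connect scan: try each port in turn and classify the outcome.
    open     -> the handshake completed (something is listening)
    closed   -> the host answered with RST (connection refused)
    filtered -> no answer at all before the timeout (typically a firewall drop)
    Nothing is ever sent on the connection: we connect and hang up, which is
    exactly what leaves 'Did not receive identification string' in sshd's log."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except socket.timeout:
            results[port] = "filtered"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:
            results[port] = "error"
        finally:
            s.close()
    return results


def report(results, proto="tcp"):
    """Render the results in the PORT / STATE / SERVICE layout nmap uses,
    listing only ports that are not closed, as nmap does by default."""
    lines = ["PORT      STATE    SERVICE"]
    for port in sorted(results):
        state = results[port]
        if state == "closed":
            continue
        lines.append(f"{port}/{proto:<5} {state:<8} {service_name(port, proto)}")
    return "\n".join(lines)


def demo():
    """Scan a small window of loopback ports around one open and one closed port."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = pick_closed_port()
    targets = sorted({open_port, closed_port, open_port + 1, closed_port + 1})
    results = connect_scan("127.0.0.1", targets)
    srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    print(f"listener on {open_port}, nothing on {closed_port}")
    print(report(results))
```

The "filtered" branch is the one you will see against a firewalled host: a dropped SYN produces neither a handshake nor a RST, so every such port costs the full timeout, which is why scanning a firewalled range is so much slower than scanning an open host.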

After trying each port and recording whether the connection succeeded, the results can be displayed. nmap also allows you to do more than simply list open ports, though.

  • When asked to (with the -sV flag, covered below) it will attempt to identify the version of each service it finds running. For example if it detects port 80 is open it will attempt to identify the name and version of the web server running there.
  • It can also be used to identify the operating system the remote host is running, by examining variations in the way different TCP/IP stacks respond to carefully crafted packets.

Basic usage of nmap is simple: invoke it with a hostname or IP address.

skx@mystery:~$ nmap  192.168.1.80
Interesting ports on mystery (192.168.1.80):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
743/tcp  open  unknown
2049/tcp open  nfs
3632/tcp open  distccd
5900/tcp open  vnc
9999/tcp open  abyss

Nmap finished: 1 IP address (1 host up) scanned in 0.205 seconds

More complex examples include identifying the version of running services with the -sV flag (service/version detection). As an example of the difference, here's the previous scan repeated with that enabled.

skx@mystery:~$ nmap -sV  192.168.1.80
Interesting ports on mystery (192.168.1.80):
(The 1658 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 4.1p1 (protocol 2.0)
743/tcp  open  mountd   1-2 (rpc #100005)
2049/tcp open  nfs      2 (rpc #100003)
3632/tcp open  distccd?
9999/tcp open  abyss?

Nmap finished: 1 IP address (1 host up) scanned in 82.316 seconds

As you can see this run took significantly longer to finish: for each open port nmap now waits to see whether the service announces itself with a banner, then sends a series of probes, each with its own timeout, before deciding what is listening. Where no probe produced a recognised response the port is shown with a trailing question mark (distccd?, abyss?), meaning the name is only nmap's guess from the port number.
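An added example of the first step of version detection, the banner grab, to show where the extra time goes and how "OpenSSH 4.1p1 (protocol 2.0)" is derived. This is illustrative code written for this page, not nmap's own probe engine: it starts two loopback listeners, one sending a constructed SSH identification string modelled on the scan output above and one saying nothing, connects to each without sending anything, and matches what comes back against a single SSH signature. The banner text, the loopback ports and the 2 second timeout are assumptions of the demo.

```python
import re
import socket
import threading

# Constructed banner, modelled on the "OpenSSH 4.1p1 (protocol 2.0)" line nmap
# printed above.  A real sshd sends a line of this shape the moment a client
# connects, before the client has said anything.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_4.1p1 Debian-7\r\n"

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
SSH_ID = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)")


def start_banner_server(banner, host="127.0.0.1"):
    """Throw-away listener that sends `banner` to every client and then hangs
    up; it stands in for the sshd on port 22 in the scan above.  Returns the
    OS-chosen port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed -> stop serving
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, timeout=2.0):
    """Connect, say nothing, and read whatever the service volunteers.  This
    is the first thing -sV does on each open port; waiting for a reply (or
    for the timeout) on every port is a large part of why a version scan is
    slower than a plain port scan."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def identify(banner):
    """Match the banner against the one signature we know.  Returns a dict
    like nmap's VERSION column, or None when nothing matched (nmap then
    prints the port's conventional name with a '?' suffix, e.g. 'distccd?')."""
    m = SSH_ID.match(banner)
    if not m:
        return None
    software = m.group("software").decode("ascii", "replace")
    product, _, version = software.partition("_")
    return {
        "service": "ssh",
        "product": product,
        "version": version,
        "protocol": m.group("proto").decode("ascii"),
    }


def demo():
    """Probe a talkative (SSH-like) port and a silent one, as -sV would."""
    ssh_port = start_banner_server(FAKE_SSH_BANNER)
    silent_port = start_banner_server(b"")
    talkative = identify(grab_banner("127.0.0.1", ssh_port))
    silent = identify(grab_banner("127.0.0.1", silent_port))
    return talkative, silent


if __name__ == "__main__":
    talkative, silent = demo()
    print("ssh-like port :", talkative)
    print("silent port   :", silent)
```

Services such as HTTP say nothing until they are spoken to, which is why nmap follows the banner grab with protocol-specific probes; each unanswered probe on a silent port is another timeout added to the total.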

There are a lot of different options you can invoke nmap with, and several of them require root privileges because they need to send raw packets; remote operating system detection is one such option.

To attempt to identify the remote operating system, run nmap as root and add the -O flag:

root@mystery:~# nmap -O localhost
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
743/tcp  open  unknown
2049/tcp open  nfs
3306/tcp open  mysql
3632/tcp open  distccd
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7), Linux 2.6.3 - 2.6.8
Uptime 0.300 days (since Fri Jul  8 18:29:11 2005)

Nmap finished: 1 IP address (1 host up) scanned in 2.390 seconds

Interestingly the uptime output agrees with the current state of the system. (nmap derives this figure from the TCP timestamp option in the target's replies, so it is only available when the target's stack sends timestamps, and it is a guess rather than a measurement.)

root@mystery:~# uptime
 01:44:38 up  7:20,  4 users,  load average: 0.04, 0.05, 0.07

As an example of a different machine entirely, here's it running against the new router I've just set up and installed, killing my desktop's uptime in the process:

root@mystery:~# nmap -O 192.168.1.1
Interesting ports on router (192.168.1.1):
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:xx:xx:xx:xx:xx (The Linksys Group)
Device type: broadband router|WAP
Running: D-Link embedded, US Robotics embedded
OS details: D-Link DI-804HV VPN Router or US-Robotics 8022 WAP, D-Link, SMC, Tonze, or US Robotics wireless broadband router

Nmap finished: 1 IP address (1 host up) scanned in 2.760 seconds

The manpage gives a more thorough description of the options you can supply and what they do. To read it, invoke:

man nmap

Caution: When it comes to running port scans you should be careful to run them only against hosts you control or have explicit permission to test. Many people consider a port scan an active attack, and as such a malicious act. Whilst a port scan itself isn't terribly dangerous in general, some of the "aggressive" scanning modes can cause unpleasant side effects - I have a HP printer which will consistently lock up when scanned with nmap, for example.

When it comes to being on the receiving side of port scans you can often spot them by examining your system logs. For example the scans conducted above triggered several warnings on the host they were run against (this snippet is from /var/log/auth.log):

 mystery sshd[6046]: Did not receive identification string from 192.168.1.80

Here we see a connection came into the running OpenSSH server but didn't send the expected version string: the scanner simply connected, recorded the success, and immediately disconnected. Note that only a full connect scan (what nmap does when run without root privileges, as in the first two examples above) produces this line; a root SYN scan never completes the handshake, so sshd never sees a connection at all and the only trace is in firewall or packet-level logs.

By scanning logs you can detect these connection attempts using tools such as logcheck or logwatch.
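The kind of rule logcheck or logwatch would apply to that line, as an added example (not the configuration of either tool, and not from the original article). It parses a constructed auth.log excerpt whose line shape is the one quoted above, groups the "Did not receive identification string" events by source address, and flags a source that produced a burst of them inside a short window; a single such line is normal noise (a monitoring check, a user who hit Ctrl-C), a burst is what a scanner looks like. The timestamps, PIDs, the second source address, the year, and the 3-in-60-seconds threshold are all assumptions of the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt: the message text is the one quoted in
# the article; the timestamps, PIDs and the 192.168.1.33 entries are made up.
SAMPLE_AUTH_LOG = """\
Jul  9 01:40:12 mystery sshd[6046]: Did not receive identification string from 192.168.1.80
Jul  9 01:40:12 mystery sshd[6047]: Did not receive identification string from 192.168.1.80
Jul  9 01:40:13 mystery sshd[6049]: Did not receive identification string from 192.168.1.80
Jul  9 01:41:05 mystery sshd[6050]: Accepted publickey for skx from 192.168.1.33 port 51022 ssh2
Jul  9 02:15:44 mystery sshd[6100]: Did not receive identification string from 192.168.1.33
Jul  9 03:02:09 mystery sshd[6133]: Did not receive identification string from 192.168.1.80
"""

# syslog prefix followed by the sshd message a connect-and-hang-up leaves behind
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_events(log_text, year=2005):
    """Return (timestamp, source) for every matching line.  Classic syslog
    timestamps carry no year, so the caller supplies it (assumed 2005 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("src")))
    return events


def find_scanners(events, threshold=3, window=timedelta(seconds=60)):
    """Flag a source that produced `threshold` or more empty connections
    inside any `window`.  Returns {source: (first_timestamp, count)}."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    suspects = {}
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            # count this event and the later ones that fall inside the window
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                suspects[src] = (start, n)
                break
    return suspects


def demo():
    return find_scanners(parse_events(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for src, (first, n) in demo().items():
        print(f"{src}: {n} empty connections starting {first:%b %d %H:%M:%S}")
```

The same shape of rule (one regex for the event, a per-source count over a window) is what a logcheck rule file or a logwatch service script ends up expressing; the threshold is the part you will want to tune against your own baseline of harmless empty connections.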

The best defence against port scans? Run a firewall and ensure that only the services you explicitly want to be externally accessible are. Security-sensitive services such as OpenSSH should also be restricted to the hosts which need to connect to them.
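To turn "only what you think you are exposing" into a check you can repeat after every firewall change, here is an added example (not from the article) that parses nmap's normal output and compares the open ports against an allowlist. The sample input is the first scan shown on this page, reproduced verbatim; the allowlist of SSH plus HTTP is an assumed policy for that host, chosen so the output shows both an unexpected open port and an expected one that is missing.

```python
import re

# nmap's normal-output line for a port: "22/tcp   open  ssh" (under -sV a
# VERSION column follows the service name; it is ignored here).
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s*(?P<service>\S+)?"
)

# The first scan shown in the article, reproduced verbatim as sample input.
SCAN_OUTPUT = """\
Interesting ports on mystery (192.168.1.80):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
743/tcp  open  unknown
2049/tcp open  nfs
3632/tcp open  distccd
5900/tcp open  vnc
9999/tcp open  abyss

Nmap finished: 1 IP address (1 host up) scanned in 0.205 seconds
"""


def open_ports(nmap_text):
    """Return {(port, proto): service} for every port nmap reports as open.
    'open|filtered' (seen with UDP scans) is treated as open: from the outside
    it may well be reachable, so it deserves a look."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state").startswith("open"):
            key = (int(m.group("port")), m.group("proto"))
            found[key] = m.group("service") or "unknown"
    return found


def check_exposure(nmap_text, allowed):
    """Compare what the scan found with what you meant to expose.
    `allowed` is a set of (port, proto) tuples.  Returns (unexpected, missing):
    unexpected -> open but not on the list (investigate, then firewall or stop it)
    missing    -> on the list but not open (the service is down or blocked)"""
    seen = open_ports(nmap_text)
    unexpected = {k: v for k, v in seen.items() if k not in allowed}
    missing = sorted(k for k in allowed if k not in seen)
    return unexpected, missing


if __name__ == "__main__":
    # Assumed policy for the host in the article: only SSH and HTTP wanted.
    unexpected, missing = check_exposure(SCAN_OUTPUT, {(22, "tcp"), (80, "tcp")})
    for (port, proto), svc in sorted(unexpected.items()):
        print(f"UNEXPECTED {port}/{proto} ({svc})")
    for port, proto in missing:
        print(f"MISSING    {port}/{proto}")
```

Run against the scan above this reports 743, 2049, 3632, 5900 and 9999 as unexpected and 80/tcp as missing. For anything beyond a one-off check, feed it nmap's grepable (-oG) or XML (-oX) output rather than the human-readable form, since those formats are the ones nmap keeps stable for scripts; the parser here reads the normal output only because that is what the article shows. Remember too that a scan from the host itself (as in the examples) does not tell you what the firewall permits from outside; run the check from the network you are worried about.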

A more active defence can be achieved by running other tools such as portsentry, which has the ability to recognise incoming port scans and block the source address. Other tools such as scandetd exist too. Be aware that automatically blacklisting a scanning address carries a risk of its own: where detection is based on single packets rather than completed connections, an attacker can spoof the source address of a host you rely on and have you block it.

Posted by hq4ever (87.69.xx.xx) on Tue 18 Apr 2006 at 13:46
This is a great article but I have a rather inverse question.

I have a host that sits behind my firewall.
I wish to test my firewall configurations from that host.

I use nmap to scan outside, i.e. from the LAN to the WAN (iNet).
This allows me to see on what ports my host can get internet access.

Today I mostly use rootshell.be as my scanning target (I hope that the guys there don't mind too much about that) but what I'm really looking for is a server that will report each port I ask it about as "open", i.e. return SYN ACK. I wouldn't mind setting up such a server myself, if someone could point me in the right direction; basically all that I need to get it up is a way to start some daemon in a mode that listens on the whole TCP & UDP range from 1 to 65535.

If OTOH such a service already exists somewhere on the net please be kind enough to post its IP address.

Thank you.
Maxim.


Posted by Steve (212.20.xx.xx) on Tue 18 Apr 2006 at 13:49

You can install the portsentry package if you wish to create a server which "replies" to all ports whilst logging connection attempts.

Note that if you have normal daemons such as OpenSSH, Apache, etc. installed you'll not log those.

I'm not aware of any publicly accessible hosts with many open ports. Maybe the Honeypot project would be good people to ask?

Steve


Posted by Anonymous (138.100.xx.xx) on Thu 3 Mar 2011 at 11:52
I prefer using nc. The following script does the work perfectly (to test my router's open ports from inside my network):

#!/bin/bash
# Try a TCP connect to every port on the router and send each result to syslog.
# nc -z only connects and closes (no data is sent); -v makes it print the
# outcome for each port, and 2>&1 captures that since nc writes it to stderr.
# Port 0 is not a valid destination, so the loop runs from 1 to 65535.

for i in {1..65535}
do
    TEST=$(nc -zv 192.168.2.1 "$i" 2>&1)
    logger -t "scan-ports" "$TEST"
done

# EOF

