An introduction to port scanning with nmap
Posted by Steve on Sat 9 Jul 2005 at 11:26
When you're interested in testing the security of your firewall, or generally monitoring the services you're exposing to the outside world, a port scan is a useful thing to run: it confirms that you're only exposing what you think you are.
A port scan is mostly what its name suggests: a scan of the ports on a system to find which ones are open. Whilst there are many port-scanning applications, nmap is arguably the most popular.
The way a port scanner typically works is to attempt to connect to each port on a host in turn, and then report the results. (By default nmap does not try all 65535 ports but a list of commonly used ones; the "ports scanned" count in the output below reflects that list, not the full range.)
For example a scanner could connect to:
- port 1 - to see if tcpmux is running.
- port 7 - to see if echo is running.
- ..
- port 22 - to see if openssh is available.
- port 25 - to see if smtp is available.
(If you're interested in identifying which service conventionally uses a given port, look at the file /etc/services, which maps port numbers to service names. Bear in mind that it only tells you what a port is normally used for, not what is actually listening there.)
After connecting to each port and noting whether a response is received, the results can be displayed. nmap also lets you do more than simply list open ports, though:
- Where possible it will identify the version of each service it finds. For example, if it detects that port 80 is open it will attempt to identify the name and version of the web server running there.
- It can also be used to identify the operating system the remote host is running, by examining variations in the way different operating systems' TCP/IP stacks respond to unusual packets.
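The mechanism described above (connect to each port in turn, note whether the handshake completes, look the port number up the way /etc/services does) fits in a few dozen lines. The following is an added example written for this page; it is not code from the article and not part of nmap. To stay self-contained it starts its own throwaway listener on 127.0.0.1, so the target, the port list and the names it prints are all assumptions made for the demo:

```python
"""Minimal TCP connect scanner, the technique the article describes.

Added example, not from the article or nmap. It completes a full TCP
connection to each port in turn (nmap's connect scan, -sT), classifies the
result, and maps port numbers to conventional names via socket.getservbyport(),
which reads the same /etc/services file the article mentions.
"""
import socket
import threading
from contextlib import closing


def scan_port(host, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    A refused connection (the target's kernel answers with RST) is closed.
    No answer at all within the timeout is reported as 'filtered', nmap's
    term for a port where something (usually a firewall) drops the SYN.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:          # must come before OSError: it is a subclass
            return "filtered"
        except OSError:
            return "closed"
        return "open"


def service_name(port, proto="tcp"):
    """Conventional name for a port (what nmap's SERVICE column shows).

    This is a table lookup, not detection: it says what the port is normally
    used for, not what is really listening.
    """
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def scan(host, ports):
    """Probe each port in turn; return a list of (port, state, service)."""
    return [(p, scan_port(host, p), service_name(p)) for p in ports]


def start_listener(host="127.0.0.1"):
    """Start a background listener on an OS-chosen port and return the port.

    Constructed target for the demo only. It accepts each connection and
    closes it without sending a byte, so it is found 'open' but reveals no
    banner, exactly what a version scan would then have to probe further.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    target = "127.0.0.1"                       # assumption: scan ourselves
    open_port = start_listener(target)
    # A small window: a few well-known ports plus the demo listener.
    ports = sorted({22, 25, 80, open_port, open_port + 1})
    print(f"Interesting ports on {target}:")
    print("PORT      STATE     SERVICE")
    for port, state, name in scan(target, ports):
        if state != "closed":                  # nmap hides closed ports too
            print(f"{port}/tcp".ljust(10) + state.ljust(10) + name)
```

The timeout matters more than it looks: against a firewalled host every probe waits the full timeout, which is why a connect scan through a dropping firewall is so much slower than one against a host that answers with RST.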
Basic usage of nmap is simple: invoke it with a hostname or IP address:
skx@mystery:~$ nmap 192.168.1.80

Interesting ports on mystery (192.168.1.80):
(The 1657 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
743/tcp  open  unknown
2049/tcp open  nfs
3632/tcp open  distccd
5900/tcp open  vnc
9999/tcp open  abyss

Nmap finished: 1 IP address (1 host up) scanned in 0.205 seconds
More complex examples include identifying the version of running services with the -sV flag (service/version detection). As an example of the difference, here's the previous scan repeated with that enabled.
skx@mystery:~$ nmap -sV 192.168.1.80

Interesting ports on mystery (192.168.1.80):
(The 1658 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.1p1 (protocol 2.0)
743/tcp  open  mountd  1-2 (rpc #100005)
2049/tcp open  nfs     2 (rpc #100003)
3632/tcp open  distccd?
9999/tcp open  abyss?

Nmap finished: 1 IP address (1 host up) scanned in 82.316 seconds
As you can see this run took significantly longer to finish, because nmap now sends a series of probes to every open port and waits for replies. Note also the two results with a trailing question mark (distccd?, abyss?): version detection got no response it could match to a known service signature, so the name shown is only the guess from nmap's port table, not something confirmed on the wire.
There are a lot of different options you can invoke nmap with, and several of them require root privileges because they craft raw packets rather than using ordinary connections; remote operating system detection is one such option.
To attempt to identify the remote operating system, run nmap as root and add the -O flag:
root@mystery:~# nmap -O localhost

Interesting ports on localhost.localdomain (127.0.0.1):
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
743/tcp  open  unknown
2049/tcp open  nfs
3306/tcp open  mysql
3632/tcp open  distccd
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7), Linux 2.6.3 - 2.6.8
Uptime 0.300 days (since Fri Jul 8 18:29:11 2005)

Nmap finished: 1 IP address (1 host up) scanned in 2.390 seconds
Interestingly, the uptime estimate (which nmap derives from the TCP timestamp option in the replies, so it only works against hosts that send one) agrees with the actual state of the system:

root@mystery:~# uptime
 01:44:38 up  7:20,  4 users,  load average: 0.04, 0.05, 0.07
As an example of a different machine entirely, here it is running against the new router I've just set up and installed, killing my desktop's uptime in the process:
root@mystery:~# nmap -O 192.168.1.1

Interesting ports on router (192.168.1.1):
(The 1662 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:xx:xx:xx:xx:xx (The Linksys Group)
Device type: broadband router|WAP
Running: D-Link embedded, US Robotics embedded
OS details: D-Link DI-804HV VPN Router or US-Robotics 8022 WAP, D-Link, SMC, Tonze, or US Robotics wireless broadband router

Nmap finished: 1 IP address (1 host up) scanned in 2.760 seconds
Note that the OS fingerprint is a best match, not a certainty: here it names D-Link and US Robotics models for a device whose MAC address belongs to Linksys, so treat -O output as a hint to be confirmed by other means. The manpage gives a more thorough account of the options you can supply and what they do. To read it, invoke:
man nmap
Caution: when it comes to running port scans, be careful to run them only against hosts you control or have permission to test. Many people consider a port scan an active attack, and as such a hostile act. Whilst a port scan itself isn't terribly dangerous in general, some of the "aggressive" scanning modes can cause unpleasant side effects: I have an HP printer which consistently locks up when scanned with nmap, for example.
When it comes to being on the receiving end of port scans, you can often spot them by examining your system logs. For example the scan conducted in these examples triggered several warnings on the host it was run against (this snippet is from /var/log/auth.log):

mystery sshd[6046]: Did not receive identification string from 192.168.1.80

Here we see a connection came into the running OpenSSH server but never sent the expected protocol version string: the scanner simply connected, recorded the port as open, and immediately closed the connection. Only services that log bare connections leave a trace like this; a probe to a port with nothing listening is answered by the kernel with a reset and shows up nowhere unless your firewall logs it.
By scanning logs you can detect these connection attempts automatically using tools such as logcheck or logwatch.
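As an added example of the kind of check such a log-monitoring tool performs (written for this page; it is not from the article and not the code of logcheck or logwatch), the following parses sshd lines like the one above, groups them by source address and flags sources that produce a burst of them. The log lines it runs over are constructed for the demo, and the threshold, window and assumed year are arbitrary choices:

```python
"""Spot connect-scan traces in sshd logs.

Added example, not from the article or from logcheck/logwatch. A connect
scan completes the TCP handshake and hangs up without speaking SSH, so
OpenSSH logs "Did not receive identification string from <ip>". One such
line is noise (a dropped client, a single probe); a burst from one address
inside a short window is what a scanner, or a brute-forcer warming up,
looks like.
"""
import re
from collections import defaultdict
from datetime import datetime

# Traditional syslog prefix ("Jul  9 01:44:10 host sshd[pid]:") plus the
# message the article quotes.
NOID_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<ip>\S+)"
)

# Constructed sample, modelled on the article's auth.log line: one normal
# login, a burst from the scanning host, and a lone line from elsewhere.
SAMPLE_LOG = """\
Jul  9 01:40:02 mystery sshd[6040]: Accepted publickey for skx from 192.168.1.3 port 40122 ssh2
Jul  9 01:44:10 mystery sshd[6046]: Did not receive identification string from 192.168.1.80
Jul  9 01:44:11 mystery sshd[6047]: Did not receive identification string from 192.168.1.80
Jul  9 01:44:11 mystery sshd[6048]: Did not receive identification string from 192.168.1.80
Jul  9 01:44:12 mystery sshd[6049]: Did not receive identification string from 192.168.1.80
Jul  9 03:10:45 mystery sshd[6101]: Did not receive identification string from 10.0.0.7
"""


def parse_events(log_text, year=2005):
    """Return [(timestamp, ip)] for every matching line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = NOID_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def find_bursts(events, threshold=3, window_seconds=60):
    """Return {ip: total_count} for sources with >= threshold events inside
    any window_seconds-long window (sliding window over sorted timestamps)."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it fits.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for ip, count in sorted(find_bursts(events).items()):
        print(f"possible scan from {ip}: {count} bare connections to sshd")
```

Tune the window and threshold to the host: on a busy bastion a handful of aborted connections an hour is normal, while on a box that only ever sees two clients even one such line from an unknown address is worth a look.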
The best defence against port scans? Run a firewall and ensure that only the services you explicitly want to be externally accessible are. Security-sensitive services such as OpenSSH should additionally be restricted to the hosts which need to connect to them.
A more active defence can be achieved by running tools such as portsentry, which can recognise an incoming port scan and drop further traffic from the scanning host. Other tools such as scandetd exist too.
I have a host that sits behind my firewall.
I wish to test my firewall configurations from that host.
I use nmap to scan outside, i.e. from the LAN to the WAN(iNet).
This allows me to see on what ports my host can get internet access.
Today I mostly use rootshell.be as my scanning target (I hope that the guys there don't mind too much about that), but what I'm really looking for is a server that will report each port I ask it about as "open", i.e. return SYN ACK. I wouldn't mind setting up such a server myself, if someone could point me in the right direction; basically all that I need to get it up is a way to start some daemon in a mode where it listens on the whole TCP & UDP range from 1 to 65535.
If OTOH such a service already exists somewhere on the net, please be kind enough to post its IP address.
Thank you.
Maxim.
You can install the portsentry package if you wish to create a server which "replies" to all ports whilst logging connection attempts.
Note that if you have normal daemons such as OpenSSH, Apache, etc. installed you'll not log those.
I'm not aware of any publicly accessible hosts with many open ports. Maybe the Honeypot project would be good people to ask?
```bash
#!/bin/bash
# Connect-scan every TCP port on the target and record each result in syslog.
# nc -z connects without sending data; -v reports the outcome on stderr,
# which is why stderr is merged into the captured output.
TARGET=192.168.2.1
for i in {1..65535}     # port 0 is not a valid target, so start at 1
do
    TEST=$(nc -zv "$TARGET" "$i" 2>&1)
    logger -t "scan-ports" "$TEST"
done
# EOF
```