[Courses] [Security] Nmap -- looking from the outside in

Raven, corporate courtesan raven at oneeyedcrow.net
Mon Mar 11 13:07:27 EST 2002


Heya --

	Okay, so last week we took a look at what services we were
running on our boxes via netstat.  That shows you a sysadmin's eye view.
But there's always the possibility that your box has been hacked.  If
indeed that's the case, then netstat may have been trojaned.  The output
you see may be incomplete, or even utterly lying to you.  You also need
to be able to see what services your box is advertising to the outside
world, from the outside.  For that, you need a portscanner.

	Obligatory Disclaimer: Like any tool, portscanners can be used
for multiple purposes.  Running one against your own system to see what
holes there are is fine.  But running one against someone else's box is
usually seen as an attack, or the preliminary to one.  Black hats do
this to see where the holes are, in order to find systems running
vulnerable services, or to more efficiently attack a particular system.
Don't do it without explicit (ideally, explicit written) permission.
Your account from your ISP can get canned, you can have the police show
up for a "friendly chat", you may even do jail time.  (Unlikely, but
possible.) If you have fellow sysadmins on your box or people monitoring
your network traffic, let them know what you're up to so they don't see
it as an attack and treat it as such.

	Don't be stupid.  Every time I teach a security course, there's
always one person who just has to go use their newfound skills to cause
havoc.  They get caught and bad things happen.  I'd love for this to be
the first group where that doesn't happen.  Be nice.

	That said, let's learn how to use a portscanner for good and not
for evil.  [grin]  My favorite is nmap.  You can download it from
http://www.insecure.org/nmap/ in source or RPM form -- installation is
pretty trivial.  (Debian users:
http://packages.debian.org/unstable/net/nmap.html, or apt-get install
nmap from the unstable tree.)

	You will need to do this from a different box than the one
you're portscanning.  I strongly recommend against installing nmap
on a university account or anything like that.  Many sysadmins take a
very dim view of "hacking software" being put on their machines.  Do so
at your own risk.

	If your box is in privately addressed space, you'll have to run
nmap from within that space.  You can sometimes nmap through a firewall
-- we'll get into that with our discussion of firewalls.  The two go
hand in hand pretty well.

	The man page for nmap is pretty long, and very thorough.  If you
really really want to understand portscanning, it's well worth your
time.

	So let's take my Linux box from last week as an example.  If
you'll recall, it was running an ssh server, an FTP server, a Web
server, and an SMTP server.  The option -sT to nmap tells it to run a
standard TCP connect scan -- basically, "what TCP services are advertised".

djinni# nmap -sT ravenslinuxbox

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on ravenslinuxbox (IP.of.that.box):
(The 1538 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http


Nmap run completed -- 1 IP address (1 host up) scanned in 1 second 

	So the nmap output pretty much correlates with what we were
seeing from netstat.  This is a good thing.  A port with a state of
closed (like the other 1538 here) means that there is no service
listening on that port.  Say we're feeling a bit more paranoid, though,
and we want to scan every possible port.  The -p option, followed by the
port range, will do this for us.

djinni# nmap -sT -p 1-65535 ravenslinuxbox

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on ravenslinuxbox (IP.of.that.box):
(The 65531 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http


Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds 

	Since there are only 65,535 possible ports, this scans them all.
I can now be pretty darn sure this box isn't secretly listening for TCP
connections that I don't know about.
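	To make the "correlates with netstat" check mechanical instead of
eyeballed, here is an added shell script (my own example, not code from
the original post or from nmap) that parses an nmap -sT listing in the
format shown above together with a netstat -tln listing from the box
itself, then reports ports open from outside that netstat does not list
(something to investigate, since that is exactly what a trojaned netstat
would hide) and ports netstat lists that the scan could not see (bound
to loopback, or blocked in between).  Both listings are constructed
samples embedded in the script; the NMAP_OUT and NETSTAT_OUT variables,
the function names, and the sample port 4444 are assumptions of mine.

```shell
#!/bin/sh
# Added example: cross-check the ports nmap sees open from outside against
# the listeners netstat reports on the box itself. In real use capture the
# two outputs first (the nmap command is the one from the post):
#   nmap -sT -p 1-65535 ravenslinuxbox > nmap.out    # from a second box
#   netstat -tln > netstat.out                      # on ravenslinuxbox
# and pass the file contents in; here both are constructed samples.

# Constructed nmap output in the format shown in the post. Port 4444 is a
# listener netstat does NOT report, standing in for a trojaned netstat.
NMAP_OUT='Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on ravenslinuxbox (IP.of.that.box):
(The 65530 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
4444/tcp   open        unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds'

# Constructed netstat -tln output. 3306 is bound to loopback only, so it
# is a legitimate listener that an outside scan cannot see.
NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# Open TCP ports from nmap output: lines such as "21/tcp  open  ftp".
# Only state "open" counts; "filtered" means no answer came back and
# tells you nothing about whether something is listening.
nmap_open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, a, "/"); print a[1] }' |
        sort -n
}

# Listening TCP ports from netstat -tln output. The port is whatever
# follows the last colon of the local address, which also works for tcp6.
netstat_listen_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n | uniq
}

# Set difference: ports in the first list that are absent from the second,
# printed space-separated on one line so callers can compare strings.
_ports_only_in_first() {
    { printf '%s\n' "$2" | sed 's/^/B /'; printf '%s\n' "$1" | sed 's/^/A /'; } |
        awk '$1 == "B" { seen[$2] = 1 } $1 == "A" && $2 != "" && !seen[$2] { print $2 }' |
        tr '\n' ' ' | sed 's/ $//'
}

# Ports visible from outside that netstat does not report: the box may be
# compromised, or netstat may be lying. Investigate every one of these.
ports_hidden_from_netstat() {
    _ports_only_in_first "$(nmap_open_ports "$1")" "$(netstat_listen_ports "$2")"
}

# Ports netstat reports that the scan did not see: bound to loopback, or
# blocked by a firewall between the scanning box and the target.
ports_not_visible_externally() {
    _ports_only_in_first "$(netstat_listen_ports "$2")" "$(nmap_open_ports "$1")"
}

echo "open from outside:      $(nmap_open_ports "$NMAP_OUT" | tr '\n' ' ')"
echo "hidden from netstat:    $(ports_hidden_from_netstat "$NMAP_OUT" "$NETSTAT_OUT")"
echo "not visible externally: $(ports_not_visible_externally "$NMAP_OUT" "$NETSTAT_OUT")"
```

	Note that the script only counts lines whose state is "open".  nmap
will also report "filtered" when nothing came back at all (a firewall
dropped the probe), and that state says nothing about whether a service is
listening; anything in the "hidden from netstat" line is the one you want
to chase down, ideally by checking the box's process list from a trusted
boot medium rather than by trusting its own binaries.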

	More nmap as we get into firewalls, and what should and
shouldn't be protected.

Cheers,
Raven

"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work


