[Courses] [Security] Nmap -- looking from the outside in

coldfire rolick571 at duq.edu
Mon Mar 11 15:37:55 EST 2002


just a tidbit ... nmap shouldn't provide an absolute feeling of security
as it won't always uncover any/all open ports. a well set-up firewall would
prevent services from being discovered even if they're offered.

i do remember when i discovered nmap.  i wanted to go out and portscan
everything :)  but like raven said, any webmasters with a clue will
perceive this as a potential attack and could inform the authorities.
with some of the legislation that's getting pushed through congress,
portscanning may very well be a terrorist act here shortly.

and also as raven suggested, anyone particularly interested in network
security should read the docs .. though extensive, they're very
informative :)

> 	Okay, so last week we took a look at what services we were
> running on our boxes via netstat.  That shows you a sysadmin's eye view.
> But there's always the possibility that your box has been hacked.  If
> indeed that's the case, then netstat may have been trojaned.  The output
> you see may be incomplete, or even utterly lying to you.  You also need
> to be able to see what services your box is advertising to the outside
> world, from the outside.  For that, you need a portscanner.
> 
> 	Obligatory Disclaimer: Like any tool, portscanners can be used
> for multiple purposes.  Running one against your own system to see what
> holes there are is fine.  But running one against someone else's box is
> usually seen as an attack, or the preliminary to one.  Black hats do
> this to see where the holes are, in order to find systems running
> vulnerable services, or to more efficiently attack a particular system.
> Don't do it without explicit (ideally, explicit written) permission.
> Your account from your ISP can get canned, you can have the police show
> up for a "friendly chat", you may even do jail time.  (Unlikely, but
> possible.) If you have fellow sysadmins on your box or people monitoring
> your network traffic, let them know what you're up to so they don't see
> it as an attack and treat it as such.
> 
> 	Don't be stupid.  Every time I teach a security course, there's
> always one person who just has to go use their newfound skills to cause
> havoc.  They get caught and bad things happen.  I'd love for this to be
> the first group where that doesn't happen.  Be nice.
> 
> 	That said, let's learn how to use a portscanner for good and not
> for evil.  [grin]  My favorite is nmap.  You can download it from
> http://www.insecure.org/nmap/ in source or RPM form -- installation is
> pretty trivial.  (Debian users,
> http://packages.debian.org/unstable/net/nmap.html or apt-get nmap from
> the unstable tree.)
> 
> 	You will need to do this from a different box than the one
> you're portscanning.  I would severely recommend against installing nmap
> on a university account or anything like that.  Many sysadmins take a
> very dim view of "hacking software" being put on their machines.  Do so
> at your own risk.
> 
> 	If your box is in privately addressed space, you'll have to run
> nmap from within that space.  You can sometimes nmap through a firewall
> -- we'll get into that with our discussion of firewalls.  The two go
> hand in hand pretty well.
> 
> 	The man page for nmap is pretty long, and very thorough.  If you
> really really want to understand portscanning, it's well worth your
> time.
> 
> 	So let's take my Linux box from last week as an example.  If
> you'll recall, it was running an ssh server, an FTP server, a Web
> server, and an SMTP server.  The option -sT to nmap tells it to run a
> standard TCP connect scan -- basically, "what TCP services are advertised".
> 
> djinni# nmap -sT ravenslinuxbox
> 
> Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
> Interesting ports on ravenslinuxbox (IP.of.that.box):
> (The 1538 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 80/tcp     open        http
> 
> 
> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second 
> 
> 	So the nmap output pretty much correlates with what we were
> seeing from netstat.  This is a good thing.  A port with a state of
> closed (like the other 1538 here) means that there is no service
> listening on that port.  Say we're feeling a bit more paranoid, though,
> and we want to scan every possible port.  The -p option, followed by the
> port range, will do this for us.
> 
> djinni# nmap -sT -p 1-65535 ravenslinuxbox
> 
> Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
> Interesting ports on ravenslinuxbox (IP.of.that.box):
> (The 65531 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 80/tcp     open        http
> 
> 
> Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds 
> 
> 	Since there are only 65,535 possible ports, this scans them all.
> I can now be pretty darn sure this box isn't secretly listening for TCP
> connections that I don't know about.
> 
> 	More nmap as we get into firewalls, and what should and
> shouldn't be protected.
> 
> Cheers,
> Raven
> 
> "Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
>  order of nature."
>   -- me, after too long a day at work
> _______________________________________________
> Courses mailing list
> Courses at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/courses
> 
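As an added example (not part of this list post or of nmap itself), here is a small Python script that does the comparison Raven's lesson is about: it parses the `Port State Service` table that nmap 2.54 prints for a `-sT` scan and a `netstat -tln` listing from the same box, then reports the ports on which the outside view and the inside view disagree. Both inputs are constructed samples in the formats quoted above, each with one extra port added to show the two kinds of discrepancy.

```python
import re

# Constructed sample: an nmap -sT listing in the format the post shows,
# plus port 8888 to illustrate a listener that netstat does not report.
NMAP_OUTPUT = """\
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
8888/tcp   open        unknown
"""

# Constructed sample: `netstat -tln` from the same box, plus port 3306 to
# illustrate a local listener the outside cannot reach (e.g. firewalled).
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
"""

NMAP_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
NETSTAT_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")

def parse_nmap_open_ports(text):
    """Map port -> service name for each TCP port nmap reports as open."""
    matches = (NMAP_LINE.match(line) for line in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}

def parse_netstat_listeners(text):
    """Set of TCP ports netstat shows in LISTEN state."""
    matches = (NETSTAT_LINE.match(line) for line in text.splitlines())
    return {int(m.group(1)) for m in matches if m}

def reconcile(nmap_text, netstat_text):
    """Split ports into agreed, hidden-from-netstat and not-reachable."""
    outside = set(parse_nmap_open_ports(nmap_text))
    inside = parse_netstat_listeners(netstat_text)
    return {
        "confirmed": sorted(outside & inside),
        # Open outside, absent locally: the trojaned-netstat case the post warns about.
        "hidden_from_netstat": sorted(outside - inside),
        # Listening locally, unseen from outside: probably firewalled.
        "not_reachable": sorted(inside - outside),
    }

if __name__ == "__main__":
    for kind, ports in reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"{kind}: {ports}")
```

A port in `hidden_from_netstat` is the one worth chasing first: either netstat is lying, or something is listening that the local tooling cannot see.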