[Courses] [Security] Nmap -- looking from the outside in
coldfire
rolick571 at duq.edu
Mon Mar 11 15:37:55 EST 2002
just a tidbit ... nmap shouldn't provide an absolute feeling of security
as it won't always uncover any/all open ports. a well set-up firewall would
prevent services from being discovered even if they're offered.
i do remember when i discovered nmap. i wanted to go out and portscan
everything :) but like raven said, any webmasters with a clue will
perceive this as a potential attack and could inform the authorities.
with some of the legislation that's getting pushed through congress,
portscanning may very well be a terrorist act here shortly.
and also as raven suggested, anyone particularly interested in network
security should read the docs .. though extensive, they're very
informative :)
> Okay, so last week we took a look at what services we were
> running on our boxes via netstat. That shows you a sysadmin's eye view.
> But there's always the possibility that your box has been hacked. If
> indeed that's the case, then netstat may have been trojaned. The output
> you see may be incomplete, or even utterly lying to you. You also need
> to be able to see what services your box is advertising to the outside
> world, from the outside. For that, you need a portscanner.
>
> Obligatory Disclaimer: Like any tool, portscanners can be used
> for multiple purposes. Running one against your own system to see what
> holes there are is fine. But running one against someone else's box is
> usually seen as an attack, or the preliminary to one. Black hats do
> this to see where the holes are, in order to find systems running
> vulnerable services, or to more efficiently attack a particular system.
> Don't do it without explicit (ideally, explicit written) permission.
> Your account from your ISP can get canned, you can have the police show
> up for a "friendly chat", you may even do jail time. (Unlikely, but
> possible.) If you have fellow sysadmins on your box or people monitoring
> your network traffic, let them know what you're up to so they don't see
> it as an attack and treat it as such.
>
> Don't be stupid. Every time I teach a security course, there's
> always one person who just has to go use their newfound skills to cause
> havoc. They get caught and bad things happen. I'd love for this to be
> the first group where that doesn't happen. Be nice.
>
> That said, let's learn how to use a portscanner for good and not
> for evil. [grin] My favorite is nmap. You can download it from
> http://www.insecure.org/nmap/ in source or RPM form -- installation is
> pretty trivial. (Debian users,
> http://packages.debian.org/unstable/net/nmap.html or apt-get nmap from
> the unstable tree.)
>
> You will need to do this from a different box than the one
> you're portscanning. I would severely recommend against installing nmap
> on a university account or anything like that. Many sysadmins take a
> very dim view of "hacking software" being put on their machines. Do so
> at your own risk.
>
> If your box is in privately addressed space, you'll have to run
> nmap from within that space. You can sometimes nmap through a firewall
> -- we'll get into that with our discussion of firewalls. The two go
> hand in hand pretty well.
>
> The man page for nmap is pretty long, and very thorough. If you
> really really want to understand portscanning, it's well worth your
> time.
>
> So let's take my Linux box from last week as an example. If
> you'll recall, it was running an ssh server, an FTP server, a Web
> server, and an SMTP server. The option -sT to nmap tells it to run a
> standard TCP connect scan -- basically, "what TCP services are advertised".
>
> djinni# nmap -sT ravenslinuxbox
>
> Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
> Interesting ports on ravenslinuxbox (IP.of.that.box):
> (The 1538 ports scanned but not shown below are in state: closed)
> Port State Service
> 21/tcp open ftp
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
>
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
>
> So the nmap output pretty much correlates with what we were
> seeing from netstat. This is a good thing. A port with a state of
> closed (like the other 1538 here) means that there is no service
> listening on that port. Say we're feeling a bit more paranoid, though,
> and we want to scan every possible port. The -p option, followed by the
> port range, will do this for us.
>
> djinni# nmap -sT -p 1-65535 ravenslinuxbox
>
> Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
> Interesting ports on ravenslinuxbox (IP.of.that.box):
> (The 65531 ports scanned but not shown below are in state: closed)
> Port State Service
> 21/tcp open ftp
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
>
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
>
> Since there are only 65,535 possible ports, this scans them all.
> I can now be pretty darn sure this box isn't secretly listening for TCP
> connections that I don't know about.
>
> More nmap as we get into firewalls, and what should and
> shouldn't be protected.
>
> Cheers,
> Raven
>
> "Sed, sed, awk. Like duck, duck, goose. Sync, sync, halt. It's the
> order of nature."
> -- me, after too long a day at work
> _______________________________________________
> Courses mailing list
> Courses at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/courses
>
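As an added example (not part of Raven's post or coldfire's reply), the POSIX shell script below parses nmap -sT output in the format shown above and flags any open TCP port that is not in a baseline of listeners you confirmed with netstat on the box itself; the scan text, host name and baseline are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in the layout of nmap 2.54BETA22 -sT output (not a real scan).
# One extra listener (2049/tcp nfs) is included to show a mismatch.
SAMPLE_SCAN='Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on ravenslinuxbox (IP.of.that.box):
(The 65530 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
2049/tcp   open        nfs

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds'

# Hypothetical baseline: ports netstat showed listening when the box was known-good.
EXPECTED_PORTS="21 22 25 80"

# open_ports SCAN_TEXT: print the port numbers nmap reports as open, one per line.
open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# unexpected_ports SCAN_TEXT BASELINE: print open ports missing from the baseline.
unexpected_ports() {
    for p in $(open_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;            # port is in the baseline, nothing to report
            *) echo "$p" ;;         # outside view shows something netstat did not
        esac
    done
}

# check_scan SCAN_TEXT BASELINE: return 0 when the outside view matches the baseline,
# 1 (and list the offending ports) when it does not.
check_scan() {
    extra=$(unexpected_ports "$1" "$2")
    [ -z "$extra" ] && return 0
    echo "Unexpected open TCP ports (check the host for a rogue service): $extra"
    return 1
}

if check_scan "$SAMPLE_SCAN" "$EXPECTED_PORTS"; then
    echo "Outside view matches the netstat baseline."
fi
```

A mismatch is only a signal: confirm on the host which process owns the port before deciding whether it is a forgotten service or something worse.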