Checking Your Work with Scanners, Part I (of II): nmap
nmap sports a frightening array of features designed to sneak through firewalls, avoid triggering intrusion-detection software and otherwise help the user evade detection. I feel no urge whatsoever to discuss those features here; while no doubt they have legitimate uses, I'd like to spend the remainder of this article on a few nifty features that are less obviously cracker-oriented.
Suppose you're the administrator of a large network and someone installs a server in your machine room that appears to be reachable from the Internet, in possible violation of your organization's security policy (and/or to your indignation since you weren't asked for permission). Before going on an authority-asserting rampage, you decide to first find out as much as you can about the possible risks to which your network has been exposed.
Luckily, the mystery server has an IP address scrawled on its front in purple crayon. Equally luckily, you're a righteous nmap angel of vengeance because you read “Paranoid Penguin” this month. Here are some nmap options to help you find out just what's going on.
First, what OS is this beast running? OS fingerprinting, summoned by the -O flag, may tell you. When you use -O, nmap sends packets with various TCP options set and compares the replies it receives with its OS fingerprinting database (/usr/share/nmap/nmap-os-fingerprints on my Red Hat 7.0 system). In my experience this feature works extremely well, except on MacOS 8 (which seems to stump it).
Next, are any of the active ports running services with root privileges? Obviously some services need this much privilege but many don't; if the web server on this box is running as root, someone is going to need talking to for sure. Use the -I flag to have nmap query the target's ident dæmon, whose sole purpose is to tell the world which user owns each listening service.
Can we minimize the chances an overly aggressive scan will overload the target system or the network? Oh yes. The -T flag allows us to specify a timing mode; the options are Paranoid, Sneaky, Polite, Normal, Aggressive and Insane, in increasing degree of network-unfriendliness (based on how long nmap waits between packets and whether it sends packets serially or in batches). -T Polite is a good choice if you want to go easy on your target and/or network.
How do we do a fast scan that checks for likely services without scanning all privileged ports? The -F flag tells nmap to scan only those ports listed in nmap-services. In this way, we avoid ports unlikely to yield anything interesting.
Finally, is there an easy way to save our evidence of lameness as a text file? Typing -oN filename tells nmap to write its results to a text file. If we want nmap to use HaX0r Sp3ll1ng, we can use -oS filename instead (“S” is for “Script-Kiddie-Talk”).
In Listing 4 we see the unauthorized server is accepting connections for, among other things, Secure Shell, Telnet, HTTP/SSL, LPD, X and nessus. nessus? Why, that's a security scanner. You definitely don't want internet hosts able to reach a nessus server on your network. As it happens, nessus is the topic of next month's column.
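To turn a saved -oN report into a list of policy violations, the following added example (not the article's Listing 4) parses the port table and flags unexpected services and services owned by root. The sample report is constructed; its column layout and OS-guess line, the address 192.0.2.10 and the allow-lists are all assumptions.

```python
import re

# Constructed sample of a report saved with
#   nmap -O -I -F -T Polite -oN report.txt 192.0.2.10
# The Port/State/Service/Owner column layout is an assumption.
SAMPLE_REPORT = """\
Port       State       Service         Owner
22/tcp     open        ssh             root
23/tcp     open        telnet          root
80/tcp     open        http
443/tcp    open        https           root
1241/tcp   open        nessus          root
Remote operating system guess: Linux 2.2.x (constructed)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OS_LINE = re.compile(r"^Remote operating system guess:\s*(.+)$")

def parse_report(text):
    """Return (os_guess, port records) from nmap normal (-oN) output."""
    os_guess, ports = None, []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, owner = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "owner": owner})
        elif (m := OS_LINE.match(line)):
            os_guess = m.group(1).strip()
    return os_guess, ports

def audit(ports, allowed, root_ok):
    """Flag open services outside policy or running as root without need."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        tag = f'{p["port"]}/{p["proto"]} {p["service"]}'
        if p["service"] not in allowed:
            findings.append(f"{tag}: not permitted by policy")
        elif p["owner"] is None:  # Owner column empty: ident gave no answer
            findings.append(f"{tag}: owner unknown (no ident reply)")
        elif p["owner"] == "root" and p["service"] not in root_ok:
            findings.append(f"{tag}: runs as root")
    return findings

if __name__ == "__main__":
    os_guess, ports = parse_report(SAMPLE_REPORT)
    # Hypothetical policy: ssh/http/https may listen; only sshd may be root.
    print(os_guess, *audit(ports, {"ssh", "http", "https"}, {"ssh"}), sep="\n")
```

An empty Owner column means only that ident did not answer for that port, so treat it as "unknown" rather than "not root".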
As powerful as nmap is, nessus gives us a means of going a step further and probing all these listening ports nmap has found for known weaknesses. Again, we'll focus on using these powerful tools for good rather than evil; in the meantime, I hope you'll do the same with nmap.