Scanning with nmap

Vincent Danen takes you through some basic tasks with the scanning and auditing utility, nmap.

Nmap is a powerful scanning and auditing utility that can help diagnose problems with systems, particularly in terms of firewall settings. With nmap, you can determine whether or not your firewall rules are working as they should, make sure you've got everything locked down the way you want it, and so forth. Every Linux distribution ships nmap; it's too indispensable not to.

To do a quick scan of a remote host, use:

# nmap -sT host

This will execute a TCP connect() port scan on the remote host and report on open ports. A similar scan uses the -sS option, which performs a TCP SYN "stealth" port scan but requires root privileges. It accomplishes roughly the same thing as -sT, but because the TCP handshake is never completed there is less of a chance that the remote system will log the connection.

Other features include using the -O option to tell nmap to try to determine the remote operating system by fingerprinting it using various techniques.

You can also do "sweep" scans by giving nmap a range of IPs to scan, which can be a great way of determining which IPs are in use by which hosts. For instance:

# nmap -sP '192.168.0.*'

This will do a quick ping scan to determine whether any of the IPs in the range 192.168.0.0-192.168.0.255 are in use, and will report those that respond to pings.

Another option is to use the -sV option, which will attempt to obtain version numbers for applications on any open ports:

# sudo nmap -sV remote.host.com
 
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-02-28 15:08 MST
Interesting ports on remote.host.com (192.168.0.12):
(The 1652 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.2.9
22/tcp   open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
25/tcp   open  smtp    Exim smtpd 4.43
111/tcp  open  rpcbind 2 (rpc #100000)
804/tcp  open  rpc
1000/tcp open  status  1 (rpc #100024)
1022/tcp open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
2049/tcp open  nfs     2-4 (rpc #100003)
6002/tcp open  X11:2?
6003/tcp open  X11:3?
6667/tcp open  irc?
Nmap run completed -- 1 IP address (1 host up) scanned in 107.364 seconds

As you can see, nmap is quite versatile and extremely useful for helping determine what information is remotely accessible on your system.
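The firewall check described at the start of the article can be scripted rather than read off by eye. The script below is an added example, not code from the article: it feeds nmap's normal output (here a constructed sample modelled on the listing above) through a check that reports any open port missing from an assumed allowlist.

```shell
#!/bin/sh
# Added example (not from the article): check an nmap listing against the
# ports a host is meant to expose, so a firewall change is verified by script.

# Constructed sample of "nmap -sV" normal output, modelled on the article.
SAMPLE_SCAN='Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2006-02-28 15:08 MST
Interesting ports on remote.host.com (192.168.0.12):
(The 1652 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     ProFTPD 1.2.9
22/tcp   open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
25/tcp   open  smtp    Exim smtpd 4.43
111/tcp  open  rpcbind 2 (rpc #100000)
6667/tcp open  irc?
Nmap run completed -- 1 IP address (1 host up) scanned in 107.364 seconds'

# Assumed policy: the only ports this host should answer on.
EXPECTED_PORTS="22/tcp 25/tcp"

# open_ports: read nmap normal output on stdin, print "port/proto service"
# for each line whose STATE column is "open" (headers and footer are skipped).
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1, $3 }'
}

# unexpected_open_ports ALLOWLIST: like open_ports, but drop allowed ports.
unexpected_open_ports() {
    allow=" $1 "
    open_ports | while read -r port service; do
        case "$allow" in
            *" $port "*) ;;                            # expected, stay quiet
            *) printf '%s %s\n' "$port" "$service" ;;
        esac
    done
}

# check_scan SCAN_OUTPUT ALLOWLIST: succeed only if nothing unexpected is open.
check_scan() {
    result=$(printf '%s\n' "$1" | unexpected_open_ports "$2")
    if [ -n "$result" ]; then
        printf 'Unexpected open ports:\n%s\n' "$result"
        return 1
    fi
    echo "All open ports are on the allowlist."
}

# Demo on the sample; for a live host: check_scan "$(nmap -sV host)" "$EXPECTED_PORTS"
check_scan "$SAMPLE_SCAN" "$EXPECTED_PORTS"
echo "exit status: $?"
```

With the sample above the check fails, listing ftp, rpcbind and irc as open ports the policy does not expect; the non-zero status makes it usable from cron or a deployment hook.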

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.