05 Nmap -- looking from the outside in

Okay, so last week we took a look at what services we were running on our boxes via netstat. That shows you a sysadmin's eye view. But there's always the possibility that your box has been hacked. If indeed that's the case, then netstat may have been trojaned. The output you see may be incomplete, or even utterly lying to you. You also need to be able to see what services your box is advertising to the outside world, from the outside. For that, you need a portscanner.

Obligatory Disclaimer: Like any tool, portscanners can be used for multiple purposes. Running one against your own system to see what holes there are is fine. But running one against someone else's box is usually seen as an attack, or the preliminary to one. Black hats do this to see where the holes are, in order to find systems running vulnerable services, or to more efficiently attack a particular system. Don't do it without explicit (ideally, explicit written) permission. Your account from your ISP can get canned, you can have the police show up for a "friendly chat", you may even do jail time. (Unlikely, but possible.) If you have fellow sysadmins on your box or people monitoring your network traffic, let them know what you're up to so they don't see it as an attack and treat it as such.

Don't be stupid. Every time I teach a security course, there's always one person who just has to go use their newfound skills to cause havoc. They get caught and bad things happen. I'd love for this to be the first group where that doesn't happen. Be nice.

That said, let's learn how to use a portscanner for good and not for evil. [grin] My favorite is nmap. You can download it from http://www.insecure.org/nmap/ in source or RPM form -- installation is pretty trivial. (Debian users, http://packages.debian.org/unstable/net/nmap.html or apt-get install nmap from the unstable tree.)

You will need to do this from a different box than the one you're portscanning. I would strongly recommend against installing nmap on a university account or anything like that. Many sysadmins take a very dim view of "hacking software" being put on their machines. Do so at your own risk.

If your box is in privately addressed space, you'll have to run nmap from within that space. You can sometimes nmap through a firewall -- we'll get into that with our discussion of firewalls. The two go hand in hand pretty well.

The man page for nmap is pretty long, and very thorough. If you really really want to understand portscanning, it's well worth your time.

So let's take my Linux box from last week as an example. If you'll recall, it was running an ssh server, an FTP server, a Web server, and an SMTP server. The option -sT to nmap tells it to run a standard TCP connect scan -- basically, "what TCP services are advertised".

djinni# nmap -sT ravenslinuxbox

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on ravenslinuxbox (IP.of.that.box):
(The 1538 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http


Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

So the nmap output pretty much correlates with what we were seeing from netstat. This is a good thing. A port with a state of closed (like the other 1538 here) means that there is no service listening on that port. Say we're feeling a bit more paranoid, though, and we want to scan every possible port. The -p option, followed by the port range, will do this for us.

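The "does the outside view match the inside view" check above is worth automating, because the whole point of scanning from outside is to catch a listener that netstat did not show you (or one that netstat showed but the outside cannot reach). The following is an added example, not part of the original article and not nmap's own code: it parses the classic nmap text table in the format shown above and diffs the open ports against an inventory you built from netstat or your service configs. The nmap output and the inventory (including a MySQL port on 3306 and an X11 port on 6000) are constructed sample data for the example, not output from the author's box.

```python
import re

# Constructed sample in the nmap 2.x text format shown in the article.
# Compared with the author's real run, one extra open port (6000/tcp) has
# been added to give the comparison something to flag.
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on ravenslinuxbox (IP.of.that.box):
(The 1537 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
"""

# Constructed inventory: what netstat (or your service list) says SHOULD be
# listening. 3306 is assumed to be a database bound to 127.0.0.1 only, so the
# outside scan is expected not to see it.
EXPECTED_FROM_NETSTAT = {
    (21, "tcp"), (22, "tcp"), (25, "tcp"), (80, "tcp"), (3306, "tcp"),
}

# One table row: "<port>/<proto>   <state>   <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text):
    """Return {(port, proto): (state, service)} for every row of the port table.

    Header lines ("Port State Service"), the "Interesting ports on" banner and
    the closed-port summary do not match the regex and are skipped.
    """
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            found[(int(port), proto)] = (state, service)
    return found


def compare_with_inventory(nmap_text, expected_open):
    """Diff the outside view (nmap) against the inside view (your inventory).

    'unexpected': open from outside but not in your inventory. Either your
                  inventory is stale or something is listening that the host's
                  own tools did not show you. Investigate.
    'missing':    in your inventory but not open from outside. Usually a service
                  bound to localhost or blocked by a firewall; confirm which.
    """
    seen = {
        key for key, (state, _service) in parse_nmap_ports(nmap_text).items()
        if state == "open"
    }
    return {
        "unexpected": sorted(seen - set(expected_open)),
        "missing": sorted(set(expected_open) - seen),
    }


if __name__ == "__main__":
    result = compare_with_inventory(SAMPLE_NMAP_OUTPUT, EXPECTED_FROM_NETSTAT)
    for port, proto in result["unexpected"]:
        print(f"UNEXPECTED  {port}/{proto} is open from outside but not in inventory")
    for port, proto in result["missing"]:
        print(f"MISSING     {port}/{proto} is in inventory but not visible from outside")
```

Feed it the saved output of a real run (nmap -sT host > scan.txt) and keep the inventory under version control; then the diff between two scans of the same box over time is as useful as the diff against netstat.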
djinni# nmap -sT -p 1-65535 ravenslinuxbox

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on ravenslinuxbox (IP.of.that.box):
(The 65531 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http


Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds

Since there are only 65,535 possible ports, this scans them all. I can now be pretty darn sure this box isn't secretly listening for TCP connections that I don't know about.
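To make clear what -sT and -p are doing under the hood, here is an added example of a minimal TCP connect scanner; it is not from the article and not nmap's code. A connect scan completes a full three-way handshake on each port: connection accepted means open, connection refused (a RST) means closed, and no answer before the timeout is what nmap reports as filtered, which is what you typically see through a firewall that silently drops packets. The example parses an nmap-style port spec such as "1-1024,8080" and prints a table in the same shape as nmap's. It uses only the Python standard library; the listener it opens on an ephemeral loopback port is a constructed fixture so the example runs offline. The article's point still stands: in real use, run the scan from a different box than the one you are checking.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_port_spec(spec):
    """Expand an nmap-style -p spec ("22", "1-1024", "1-1024,8080") into sorted ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def probe_port(host, port, timeout=1.0):
    """One TCP connect probe, the same operation nmap -sT performs per port.

    Returns 'open' (handshake completed, something is listening), 'closed'
    (peer answered with RST, nothing listening) or 'filtered' (no answer at all
    before the timeout, typically a firewall dropping the SYN).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # e.g. host unreachable: no usable answer, so treat like filtered
        return "filtered"
    finally:
        sock.close()


def connect_scan(host, spec, timeout=1.0, workers=64):
    """Scan every port in spec; returns {port: state}."""
    ports = parse_port_spec(spec)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def report(results):
    """Print in the spirit of nmap's table: closed ports summarised, the rest listed."""
    closed = sum(1 for state in results.values() if state == "closed")
    print(f"({closed} ports scanned but not shown below are in state: closed)")
    print(f"{'Port':<10} {'State':<10} Service")
    for port, state in sorted(results.items()):
        if state == "closed":
            continue
        try:
            service = socket.getservbyport(port, "tcp")
        except OSError:
            service = "unknown"
        print(f"{port}/tcp".ljust(10), state.ljust(10), service)


def start_listener(host="127.0.0.1"):
    """Constructed fixture: bind an ephemeral port so the scan has something to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    srv = start_listener()
    listening = srv.getsockname()[1]
    # scan a small window around the fixture port; the neighbours should be closed
    results = connect_scan("127.0.0.1", f"{listening - 2}-{listening + 2}")
    report(results)
    srv.close()
```

Against a remote host, raise the worker count and keep the timeout short, but remember that every "open" here is a completed handshake that the target's service logs will record, which is also why nmap offers the half-open -sS scan as an alternative.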

More nmap as we get into firewalls, and what should and shouldn't be protected.

Copyright (c) 2002 by Raven Alder. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).