Jan. 10, 2011, 1:36 a.m.
posted by whitehat
You can use nmap to determine all the TCP/IP ports on which a remote server is listening. It isn't usually an important tool in the home environment, but it can be used in a corporate environment to detect vulnerabilities in your network, such as servers running unauthorized network applications. It is a favorite tool of malicious surfers and therefore should be used to test external as well as internal servers under your control.
Whenever you are in doubt, you can get a list of available nmap options by just entering the command without arguments at the command prompt:
    [[email protected] tmp]# nmap
    Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options] <host or net list>
    Some Common Scan Types ('*' options require root privileges)
    * -sS TCP SYN stealth port scan (default if privileged (root))
      -sT TCP connect() port scan (default for unprivileged users)
    * -sU UDP port scan
      -sP ping scan (Find any reachable machines)
    ...
    ...
    [[email protected] tmp]#
Some of the more common nmap options are listed in Figure, but you should also refer to the nmap man pages for full descriptions of them all.
Here is an example of trying to do a scan using valid TCP connections (-sT) in the extremely slow insane mode (-T 5) from ports 1 to 5000:
    [[email protected] tmp]# nmap -sT -T 5 -p 1-5000 192.168.1.153

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Interesting ports on whoknows.my-site-int.com (192.168.1.153):
    (The 4981 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    25/tcp     open        smtp
    139/tcp    open        netbios-ssn
    199/tcp    open        smux
    2105/tcp   open        eklogin
    2301/tcp   open        compaqdiag
    3300/tcp   open        unknown

    Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
    [[email protected] tmp]#
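To use a scan like this for the purpose mentioned earlier, finding servers that run unauthorized network applications, the port table can be compared with the list of services the server is approved to run. The Python script below is an added example, not part of the original post; the APPROVED baseline is an assumed, hypothetical value and the function names are illustrative.

```python
import re

# Scan output copied from the example run above (nmap 3.00 text format).
SAMPLE_SCAN = """\
Interesting ports on whoknows.my-site-int.com (192.168.1.153):
(The 4981 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
139/tcp    open        netbios-ssn
199/tcp    open        smux
2105/tcp   open        eklogin
2301/tcp   open        compaqdiag
3300/tcp   open        unknown
"""

# Assumption: the services this server is approved to expose (hypothetical baseline).
APPROVED = {(25, "tcp"), (139, "tcp")}

# Matches rows such as "21/tcp open ftp"; the service column may be missing.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_ports(scan_text):
    """Return (port, proto, state, service) tuples from nmap text output."""
    rows = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:  # banner, header and summary lines do not match and are skipped
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4) or "unknown"))
    return rows

def unauthorized(scan_text, approved):
    """Open (or open|filtered) ports that are not in the approved baseline."""
    return [r for r in parse_ports(scan_text)
            if r[2].startswith("open") and (r[0], r[1]) not in approved]

def missing(scan_text, approved):
    """Approved ports the scan did not report as open (service down or filtered)."""
    seen = {(r[0], r[1]) for r in parse_ports(scan_text) if r[2].startswith("open")}
    return sorted(approved - seen)

if __name__ == "__main__":
    for port, proto, state, service in unauthorized(SAMPLE_SCAN, APPROVED):
        print(f"UNAUTHORIZED {port}/{proto} {state} ({service})")
    for port, proto in missing(SAMPLE_SCAN, APPROVED):
        print(f"MISSING {port}/{proto}")
```

Running the same comparison after each scheduled scan turns the raw port list into a short report of changes that need an owner.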
Full coverage of nmap's possibilities as a security scanning tool is beyond the scope of this book, but you should go the extra mile and purchase a text specifically on Linux security to help protect yourself against malicious attempts to breach your security.