Originally Published: Thursday, 7 June 2001 Author: Matt Michie
Published to: enchance_articles_security/Basic Security Articles Page: 4/5

Linux.com Security: Introduction to Port Scanning

Unfortunately nobody can be told which path to take, you must see it for yourself, so choose wisely. Ripped from today's headlines, the writers and editors of Linux.com are proud to present this security-minded introduction to protecting your system. Read on, and know yourself.

  << Page 4 of 5  >>

After you install nmap, run a port scan on all your ports with the following command:

$ nmap localhost -p 1-65535

Example output:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on takauji (127.0.0.1):
(The 65531 ports scanned but not shown below are in state: closed)
Port State Service
111/tcp open sunrpc
113/tcp open auth
515/tcp open printer
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds

The nmap scan shown above lists four open ports, giving the port number and the service that runs on that port by convention. Even though these are standard ports, nothing prevents you from running any program you wish on any port. In fact, if this machine had been compromised, a back-door could have been placed on one of these ports to disguise its identity from a tool such as nmap. In other words, the service column should only be used as a guide; it is never absolute.

The state column can be one of three types: open, filtered or unfiltered. Open is printed when nmap can reach the service, filtered when the port is being firewalled by the host, and unfiltered or closed when no service is reachable on that port. By default, closed ports are not printed.
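As an added example (not part of the original article), here is a small Python script that parses the nmap 2.53 text format shown above and compares the open ports against a baseline of ports you expect to be listening. Because the service column is only a lookup by port number, the check keys on port and protocol, not on the service name; the embedded sample output and the baseline sets are constructed for illustration.

```python
import re

# Constructed sample: the nmap 2.53 output for host "takauji" shown above.
SAMPLE_OUTPUT = """\
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on takauji (127.0.0.1):
(The 65531 ports scanned but not shown below are in state: closed)
Port State Service
111/tcp open sunrpc
113/tcp open auth
515/tcp open printer
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
"""

# Matches one row of the "Port State Service" table, e.g. "111/tcp open sunrpc".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|unfiltered)\s+(\S*)")


def parse_nmap(text):
    """Return a list of (port, proto, state, service) tuples from nmap 2.53 output."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def audit(text, expected):
    """Compare the open ports in a scan against a baseline.

    expected is a set of (port, proto) pairs you intend to have listening.
    Returns (unexpected, missing): anything open that is not in the baseline
    is flagged regardless of the service name nmap printed for it, and
    anything in the baseline that is no longer open is reported as missing.
    """
    open_ports = {(p, proto) for p, proto, state, _ in parse_nmap(text) if state == "open"}
    return sorted(open_ports - expected), sorted(expected - open_ports)


if __name__ == "__main__":
    # Constructed baseline: only sunrpc and the print spooler are supposed to listen.
    unexpected, missing = audit(SAMPLE_OUTPUT, {(111, "tcp"), (515, "tcp")})
    print("unexpected open ports:", unexpected)
    print("expected but not open:", missing)
```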

If you are scanning a host over a slow network connection, it might be a good idea to do a "fast" scan that only connects to standard ports, such as those found in /etc/services. This cuts down the number of ports scanned by orders of magnitude.

For instance:

$ nmap -F localhost -vv

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host takauji (127.0.0.1) appears to be up ... good.
Initiating TCP connect() scan against takauji (127.0.0.1)
Adding TCP port 111 (state open).
Adding TCP port 6000 (state open).
Adding TCP port 113 (state open).
Adding TCP port 515 (state open).
The TCP connect scan took 0 seconds to scan 1062 ports.
Interesting ports on takauji (127.0.0.1):
(The 1058 ports scanned but not shown below are in state: closed)
Port State Service
111/tcp open sunrpc
113/tcp open auth
515/tcp open printer
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

The -vv flag tells nmap to produce verbose output, which is helpful on slower links. Verbose mode gives you a better status report as nmap moves through the various ports.

If you wish to determine what OS the host is running, use the -O option like so (you must be root to do fingerprinting):

# nmap -F -O localhost

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

[SNIP]

TCP Sequence Prediction: Class=random positive increments
Difficulty=1749463 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Another example:

# nmap -F -O godai

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on godai (192.168.22.22):
(The 1058 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
113/tcp open auth

TCP Sequence Prediction: Class=random positive increments
Difficulty=42674 (Worthy challenge)
Remote operating system guess: OpenBSD 2.6

The TCP/IP fingerprint shows the TCP sequence prediction class and a best guess at the operating system. The TCP sequence class is an indicator of how difficult it would be to predict the sequence numbers, and hence how easy it would be to spoof a connection on this stack. Kevin Mitnick used this technique in 1994 against a weak TCP/IP stack to break into Tsutomu Shimomura's computers (http://www.tao.ca/fire/bos/0037.html).

The more random the sequence, the more difficult it will be to predict and hence the more secure it is.
