Recently we talked about how to secure your server and how to block connections using the iptables firewall. But how can we check that what we did is actually working? This is where Nmap comes in. Nmap is a network scanner and mapper, and you can use it to look at your server the way an attacker on the internet would: scan it for open TCP ports, identify the services behind them, and run scripted checks for known weaknesses. Read on to find out how.

First, run a full TCP port scan from a machine outside your network. Scanning from the server itself, or from a host the firewall already trusts, would not exercise the iptables rules you want to test. -p 0-65535 covers every TCP port, -A turns on service and OS detection, traceroute and the default scripts, and -v prints each open port as it is discovered. -T5 is the fastest timing template; it is fine on a low-latency link but can miss ports on a lossy one, so drop to -T4 if the results look incomplete. The SYN scan and OS detection need raw sockets, hence sudo:

sudo nmap -p 0-65535 -T5 -A -v remote_host

Most likely the result will look similar to this: 

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 18:33 Pacific Daylight Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:33
Completed NSE at 18:33, 0.00s elapsed
Initiating NSE at 18:33
Completed NSE at 18:33, 0.00s elapsed
Initiating Ping Scan at 18:33
Scanning 192.168.1.1 [4 ports]
Completed Ping Scan at 18:33, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:33
Completed Parallel DNS resolution of 1 host. at 18:33, 0.05s elapsed
Initiating SYN Stealth Scan at 18:33
Scanning localhost.example.com (192.168.1.1) [65535 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 4000/tcp on 192.168.1.1
Completed SYN Stealth Scan at 18:33, 5.69s elapsed (65535 total ports)
Initiating Service scan at 18:33
Scanning 3 services on localhost.example.com (192.168.1.1)
Completed Service scan at 18:34, 6.87s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against localhost.example.com (192.168.1.1)
Retrying OS detection (try #2) against localhost.example.com (192.168.1.1)
Initiating Traceroute at 18:34
Completed Traceroute at 18:34, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 18:34
Completed Parallel DNS resolution of 2 hosts. at 18:34, 0.05s elapsed
NSE: Script scanning 192.168.1.1.
Initiating NSE at 18:34
Completed NSE at 18:34, 0.22s elapsed
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Nmap scan report for localhost.example.com (192.168.1.1)
Host is up (0.00052s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 47:6f:64:5b:eb:33:8a:1d:e0:1f:1e:7c:ce:84:76:f7 (RSA)
|   256 c6:de:96:58:10:a3:c6:66:6f:44:b7:42:31:94:f0:46 (ECDSA)
|_  256 1c:ce:9d:ae:9d:cd:c8:5a:64:c3:ac:5e:df:97:9b:1e (ED25519)
80/tcp   open  http         Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
4000/tcp open  nomachine-nx NoMachine NX Server remote desktop 6.2.4
Device type: general purpose|storage-misc|WAP|load balancer|router
Running (JUST GUESSING): Linux 2.6.X (96%), Netgear embedded (96%), Ubiquiti embedded (92%), F5 Networks embedded (90%), F5 Networks TMOS 11.1.X (89%), Linksys embedded (89%), Synology embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:2.6 cpe:/h:netgear:readynas_3200 cpe:/o:f5:tmos:11.1 cpe:/h:linksys:befw11s4 cpe:/h:synology:rt1900ac cpe:/h:netgear:wndap660
Aggressive OS guesses: Linux 2.6.32 (96%), Netgear ReadyNAS 3200 NAS device (Linux 2.6) (96%), Linux 2.6.11 - 2.6.18 (93%), Ubiquiti WAP (Linux 2.6.32) (92%), F5 BIG-IP load balancer (90%), F5 3600 LTM load balancer (89%), Linksys BEFW11S4 WAP (89%), Synology RT1900ac router (88%), Netgear WNDAP660 WAP (Linux 2.6.36) (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 3.740 days (since Mon Sep 17 00:48:54 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds
           Raw packets sent: 65585 (2.889MB) | Rcvd: 65589 (2.624MB)

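The output above is meant to be read by a human. To turn the check into something repeatable, have Nmap write the report as XML with -oX and compare the open ports against the list of ports you actually intend to expose. The following Python script is an added example, not code from the original post or from the Nmap project. The XML it parses is a constructed sample modelled on Nmap's -oX layout and on the three services found above (it is not a real capture), and the allowlist that deliberately leaves out port 4000 is a hypothetical policy so the audit has something to flag.

```python
"""Audit an Nmap XML report (-oX) against an allowlist of intentionally exposed ports."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -p 0-65535 -sV -oX - 192.168.1.1` output. It is not a
# real capture; it mirrors the layout Nmap writes and the three services seen above.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p 0-65535 -sV -oX - 192.168.1.1" start="1537493580" version="7.70">
<host starttime="1537493580" endtime="1537493600">
<status state="up" reason="echo-reply" reason_ttl="63"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<hostnames><hostname name="localhost.example.com" type="PTR"/></hostnames>
<ports>
<extraports state="closed" count="65532"><extrareasons reason="resets" count="65532"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="http" product="Apache httpd" version="2.4.18" method="probed" conf="10"/></port>
<port protocol="tcp" portid="4000"><state state="open" reason="syn-ack" reason_ttl="63"/><service name="nomachine-nx" product="NoMachine NX Server remote desktop" version="6.2.4" method="probed" conf="10"/></port>
</ports>
</host>
<runstats><finished time="1537493600" elapsed="20.30"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

# Hypothetical policy: only SSH and HTTP are meant to be reachable from the internet.
# NX on 4000 is left out on purpose so the audit has something to flag.
ALLOWLIST = {("tcp", 22), ("tcp", 80)}


def parse_report(xml_text):
    """Return one dict per scanned host: address, open ports with service details,
    and the state Nmap assigned to the ports it did not list individually."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"address": addr.get("addr") if addr is not None else None,
                 "open": {}, "unlisted_ports": {}}
        # <extraports> summarises the ports not printed one by one; with a SYN scan the
        # state is 'closed' when the host sent RSTs and 'filtered' when nothing came back.
        for extra in host.iter("extraports"):
            entry["unlisted_ports"][extra.get("state")] = int(extra.get("count"))
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            entry["open"][(port.get("protocol"), int(port.get("portid")))] = {
                field: (svc.get(field) if svc is not None else None)
                for field in ("name", "product", "version")}
        hosts.append(entry)
    return hosts


def audit(host, allowlist):
    """Compare the open ports of one host with the allowlist."""
    open_ports = set(host["open"])
    result = {
        "unexpected_open": sorted(open_ports - allowlist),        # exposure the policy forbids
        "expected_but_not_open": sorted(allowlist - open_ports),  # service down or blocked
        "unlisted_ports": host["unlisted_ports"],
    }
    result["ok"] = not result["unexpected_open"] and not result["expected_but_not_open"]
    return result


def audit_report(xml_text, allowlist=ALLOWLIST):
    """Audit every host in an -oX report; keys are host addresses."""
    return {h["address"]: audit(h, allowlist) for h in parse_report(xml_text)}


if __name__ == "__main__":
    for address, result in audit_report(SAMPLE_XML).items():
        print(f"{address}: {'OK' if result['ok'] else 'FINDINGS'}")
        for proto, number in result["unexpected_open"]:
            print(f"  unexpected open port {number}/{proto}")
        for proto, number in result["expected_but_not_open"]:
            print(f"  expected port {number}/{proto} is not open")
        print(f"  ports not listed individually: {result['unlisted_ports']}")
```

With a real report, run sudo nmap -p 0-65535 -sV -oX scan.xml remote_host and pass the file contents to audit_report. The unlisted_ports entry carries the same information as the "Not shown: 65532 closed ports" line: closed means the host answered the probes with TCP resets (no listener, or an iptables REJECT rule using tcp-reset), while filtered means nothing came back (a DROP rule, or a REJECT that answers with an ICMP unreachable, which Nmap also reports as filtered). Comparing that state with the rules you wrote tells you whether the firewall, and not just the absence of a listener, is what the scanner is seeing.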

Nmap also ships with the Nmap Scripting Engine (NSE): hundreds of scripts for service enumeration and vulnerability checks. To run one, pass its name with --script. The example below is not a vulnerability check but a simple enumeration script that prints the HTTP response headers of whatever answers on a web port:

sudo nmap --script http-headers remote_host


And the result: 

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 18:13 Pacific Daylight Time
Nmap scan report for 192.168.1.1
Host is up (0.27s latency).
Not shown: 996 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
| http-headers:
|   Date: Wed, 15 Nov 2017 05:10:04 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   Accept-Ranges: bytes
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: HEAD)
4000/tcp  open     nomachine-nx
Nmap done: 1 IP address (1 host up) scanned in 20.96 seconds


It does get tedious to run scripts one by one; that is why Nmap lets you select scripts by category and by wildcard.

For a wildcard you use *, as in the example below, which runs every script whose name starts with http-. Quote the pattern so the shell does not expand it against files in your working directory:

sudo nmap --script "http-*" remote_host


To run a whole category you just give its name, vuln in this case (the category of scripts that test for specific known vulnerabilities):

sudo nmap --script vuln remote_host


You can even combine categories with boolean expressions. The specification below selects every script in the default category, plus every script that is in both the discovery and the safe categories (safe excludes scripts that could crash a service, flood the network or exploit a hole). To see which scripts a specification selects before touching the target, pass the same expression to --script-help instead of --script:

sudo nmap --script "default or (discovery and safe)" remote_host


This concludes our quick tutorial on Nmap. The scan shows that only SSH, HTTP and NX answer on our server and that every other TCP port is closed, so the firewall is letting through exactly what we intended. Two caveats before calling the server secure. First, "closed" means the host replied with a TCP reset, so the probe reached the kernel and nothing was listening (or a REJECT rule answered with a reset); a DROP policy would report those ports as filtered instead, so compare the state Nmap prints with the rules you wrote. Second, a small attack surface is not a patched one: the three exposed services still need current versions and hardened configuration, and this scan covered TCP only (add -sU for UDP). The vuln category checks the exposed services against vulnerabilities that researchers have found in that software. You can always find more scripts over at the Nmap website.

Do you have any questions about running Nmap? Feel free to ask one of our data centre technicians below!

Photo by Laurenz Kleinheider on Unsplash