Recently we talked about how to secure your server and how to block connections using the firewall iptables. But how can we check that what we did is actually working? This is where Nmap comes in. Nmap is a network scanner and mapper, and you can use it to check your server from the outside: which TCP ports are open, what services answer on them, and whether those services are affected by known vulnerabilities. Read on to find out how.
First, start with this line. -p 0-65535 scans every TCP port, -T5 is the fastest timing template, -A turns on version detection, OS detection, the default scripts and traceroute, and -v prints progress as the scan runs. Root (sudo) is needed for the SYN scan and OS detection. Be aware that -T5 is fast enough to miss ports on a slow or rate-limited link, so drop to -T4 if the results look incomplete:
sudo nmap -p 0-65535 -T5 -A -v remote_host
Most likely the result will look similar to this:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 18:33 Pacific Daylight Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:33
Completed NSE at 18:33, 0.00s elapsed
Initiating NSE at 18:33
Completed NSE at 18:33, 0.00s elapsed
Initiating Ping Scan at 18:33
Scanning 71.19.245.5 [4 ports]
Completed Ping Scan at 18:33, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:33
Completed Parallel DNS resolution of 1 host. at 18:33, 0.05s elapsed
Initiating SYN Stealth Scan at 18:33
Scanning localhost.example.com (192.168.1.1) [65535 ports]
Discovered open port 80/tcp on 71.19.245.5
Discovered open port 22/tcp on 71.19.245.5
Discovered open port 4000/tcp on 71.19.245.5
Completed SYN Stealth Scan at 18:33, 5.69s elapsed (65535 total ports)
Initiating Service scan at 18:33
Scanning 3 services on localhost.example.com (192.168.1.1)
Completed Service scan at 18:34, 6.87s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against localhost.example.com (192.168.1.1)
Retrying OS detection (try #2) against localhost.example.com (192.168.1.1)
Initiating Traceroute at 18:34
Completed Traceroute at 18:34, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 18:34
Completed Parallel DNS resolution of 2 hosts. at 18:34, 0.05s elapsed
NSE: Script scanning 71.19.245.5.
Initiating NSE at 18:34
Completed NSE at 18:34, 0.22s elapsed
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Nmap scan report for localhost.example.com (192.168.1.1)
Host is up (0.00052s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 47:6f:64:5b:eb:33:8a:1d:e0:1f:1e:7c:ce:84:76:f7 (RSA)
|   256 c6:de:96:58:10:a3:c6:66:6f:44:b7:42:31:94:f0:46 (ECDSA)
|_  256 1c:ce:9d:ae:9d:cd:c8:5a:64:c3:ac:5e:df:97:9b:1e (ED25519)
80/tcp   open  http         Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
4000/tcp open  nomachine-nx NoMachine NX Server remote desktop 6.2.4
Device type: general purpose|storage-misc|WAP|load balancer|router
Running (JUST GUESSING): Linux 2.6.X (96%), Netgear embedded (96%), Ubiquiti embedded (92%), F5 Networks embedded (90%), F5 Networks TMOS 11.1.X (89%), Linksys embedded (89%), Synology embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:2.6 cpe:/h:netgear:readynas_3200 cpe:/o:f5:tmos:11.1 cpe:/h:linksys:befw11s4 cpe:/h:synology:rt1900ac cpe:/h:netgear:wndap660
Aggressive OS guesses: Linux 2.6.32 (96%), Netgear ReadyNAS 3200 NAS device (Linux 2.6) (96%), Linux 2.6.11 - 2.6.18 (93%), Ubiquiti WAP (Linux 2.6.32) (92%), F5 BIG-IP load balancer (90%), F5 3600 LTM load balancer (89%), Linksys BEFW11S4 WAP (89%), Synology RT1900ac router (88%), Netgear WNDAP660 WAP (Linux 2.6.36) (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 3.740 days (since Mon Sep 17 00:48:54 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds
Raw packets sent: 65585 (2.889MB) | Rcvd: 65589 (2.624MB)
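Reading the port table by eye works once; the check you actually want to keep is "are the open ports exactly the ones I expect, and nothing else?". The script below is an added example, not part of the original article or of Nmap itself. It parses Nmap's grepable output (-oG -, in which every port of a host sits on one tab-separated "Host:" line as port/state/proto/owner/service/rpc/version/) and compares the open ports against an allowlist. The scan output embedded in it is a constructed sample mirroring the scan above, not a real capture; the allowlist values and the remote_host name are assumptions.

```shell
#!/bin/sh
# Added example: turn the manual "look at the port list" step into a repeatable
# check. Nmap's grepable output (-oG -) lists every port of a host on one
# tab-separated "Host:" line as  port/state/proto/owner/service/rpc/version/
# (slashes inside a field are written as '|'), so splitting on '/' is safe.
# Real use:  sudo nmap -p 0-65535 -sV -oG - remote_host | check_exposure "22/tcp 80/tcp"

# Print "port/proto" for every port Nmap reports as open, one per line,
# sorted numerically (e.g. 22/tcp 80/tcp 4000/tcp). Reads -oG output on stdin.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          sub(/^Ports: /, "", $i)
          n = split($i, ports, ", ")
          for (j = 1; j <= n; j++) {
            split(ports[j], f, "/")
            if (f[2] == "open") print f[1] "/" f[3]
          }
        }
      }
    }' | sort -t/ -k1,1n -k2,2 -u
}

# Compare the open ports against an allowlist ($1, space separated).
# Prints every deviation; returns 0 only if the two sets match exactly, so a
# port you forgot to firewall and a service that silently died both fail.
check_exposure() {
  allow=" $1 "
  actual=" $(open_ports | tr '\n' ' ')"
  rc=0
  for p in $actual; do
    case "$allow" in
      *" $p "*) ;;
      *) echo "UNEXPECTED open port: $p"; rc=1 ;;
    esac
  done
  for p in $allow; do
    case "$actual" in
      *" $p "*) ;;
      *) echo "MISSING expected port: $p"; rc=1 ;;
    esac
  done
  [ "$rc" -eq 0 ] && echo "OK: open ports match allowlist:$allow"
  return "$rc"
}

# Constructed sample of -oG output mirroring the scan above (not a real capture).
# The filtered SMTP port is there to show that only "open" entries are counted.
SAMPLE=$(
  printf '%s\n' '# Nmap 7.70 scan initiated as: nmap -p 0-65535 -sV -oG - 192.168.1.1'
  printf 'Host: 192.168.1.1 (localhost.example.com)\tStatus: Up\n'
  printf 'Host: 192.168.1.1 (localhost.example.com)\tPorts: %s\tIgnored State: closed (65532)\n' \
    '22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, 25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 4000/open/tcp//nomachine-nx//NoMachine NX Server remote desktop 6.2.4/'
  printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned in 20.30 seconds'
)

# Demo: the scan passes when NX is expected, and fails once it is not.
printf '%s\n' "$SAMPLE" | check_exposure "22/tcp 80/tcp 4000/tcp"
printf '%s\n' "$SAMPLE" | check_exposure "22/tcp 80/tcp" || echo "exit status $? -> fail the deployment pipeline"
```

Run it after every firewall change, or from a cron job on a host outside your network, and treat a non-zero exit as an incident to look at rather than a number to scroll past.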
Nmap also ships the Nmap Scripting Engine (NSE), a library of scripts that probe the services it finds in more detail. Some of them only gather information, others test for specific vulnerabilities. To run a script we pass its name with --script. For example, http-headers fetches the HTTP response headers from every web server the scan finds:
sudo nmap --script http-headers remote_host
And the result:
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-20 18:13 Pacific Daylight Time
Nmap scan report for (192.168.1.1)
Host is up (0.27s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-headers:
|   Date: Wed, 15 Nov 2017 05:10:04 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   Accept-Ranges: bytes
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: HEAD)
4000/tcp open  nomachine-nx
Nmap done: 1 IP address (1 host up) scanned in 20.96 seconds
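The interesting line in that output is Server: Apache/2.4.7 (Ubuntu), which tells anyone who scans you the exact web server version to look up exploits for. Below is an added example, not from the original article or from Nmap, that pulls the http-headers block out of Nmap's normal output and reports a version-disclosing Server banner plus any header you have configured and expect to see. Both scan outputs embedded in it are constructed samples (the "hardened" one assumes Apache with ServerTokens Prod, which reduces the banner to "Apache", and a site that sets HSTS and X-Frame-Options); the required-header list and remote_host are assumptions.

```shell
#!/bin/sh
# Added example: audit the http-headers script result in Nmap's normal output.
# Real use:  sudo nmap -p 80,443 --script http-headers remote_host | audit_http_headers "Strict-Transport-Security"

# Extract the header lines of the http-headers result, minus Nmap's "| " / "|_ "
# prefixes and the trailing "(Request type: ...)" line. Reads scan output on stdin
# and stops at the next port line or script block.
http_headers() {
  awk '
    /^\|_? *http-headers:/ { grab = 1; next }
    grab && /^\|/ {
      line = $0
      sub(/^\|_? */, "", line)
      if (line == "" || line ~ /^\(Request type:/) next
      print line
      next
    }
    grab { grab = 0 }
  '
}

# Warn if the Server banner discloses a version (a digit.digit pattern) and if
# any header named in $1 (space separated) is missing. Returns 1 on any finding.
audit_http_headers() {
  headers=$(http_headers)
  rc=0
  server=$(printf '%s\n' "$headers" | awk 'tolower($1) == "server:" { sub(/^[^:]*: */, ""); print }')
  case "$server" in
    *[0-9].[0-9]*) echo "WARN: Server banner discloses version: $server"; rc=1 ;;
    "")            echo "INFO: no Server header returned" ;;
    *)             echo "OK: Server banner carries no version: $server" ;;
  esac
  for want in $1; do
    if ! printf '%s\n' "$headers" | awk -F': ' -v w="$want" 'tolower($1) == tolower(w) { found = 1 } END { exit !found }'; then
      echo "WARN: missing header: $want"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample mirroring the scan output above (not a real capture).
SAMPLE_RAW='80/tcp open  http
| http-headers:
|   Date: Wed, 15 Nov 2017 05:10:04 GMT
|   Server: Apache/2.4.7 (Ubuntu)
|   Accept-Ranges: bytes
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: HEAD)
4000/tcp open  nomachine-nx'

# Constructed sample of the same server after hardening (assumed config:
# ServerTokens Prod, HSTS and X-Frame-Options set).
SAMPLE_HARDENED='80/tcp open  http
| http-headers:
|   Date: Thu, 20 Sep 2018 18:13:04 GMT
|   Server: Apache
|   Strict-Transport-Security: max-age=31536000
|   X-Frame-Options: DENY
|   Content-Type: text/html
|
|_  (Request type: HEAD)'

# Demo: the raw scan fails on the banner; the hardened one passes.
printf '%s\n' "$SAMPLE_RAW" | audit_http_headers "Strict-Transport-Security" || echo "exit status $?"
printf '%s\n' "$SAMPLE_HARDENED" | audit_http_headers "Strict-Transport-Security X-Frame-Options"
```

The version check is deliberately simple (any digit.digit in the banner); it catches Apache, nginx and OpenSSH-style banners alike, which is what you want when the goal is "no version leaks" rather than a precise parse.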
Running scripts one by one gets tedious, which is why Nmap lets you select them by wildcard and by category.
Wildcards use *. Quote the pattern so the shell does not expand it against files in the current directory. This runs every script whose name starts with http:
sudo nmap --script "http*" remote_host
Categories are selected by name. The vulnerability-check scripts live in the vuln category; several of them are intrusive and can crash fragile services, so only point them at hosts you are authorised to test:
sudo nmap --script vuln remote_host
You can also combine categories with boolean expressions. The one below selects every script in the default category, plus any script that is in both the discovery and the safe categories:
sudo nmap --script "default or (discovery and safe)" remote_host
To see exactly which scripts an expression will run before you launch it, pass the same expression to --script-help instead of --script.
This concludes our quick tutorial on Nmap. The scan shows that only SSH, HTTP and NX are listening on our server and every other TCP port is closed, so the iptables rules are doing what we intended. Closed ports are only half the picture, though: the three services that remain exposed still need hardening themselves (the default Apache page and the version strings in the SSH and HTTP banners are visible to anyone who scans), and this scan only covered TCP, so run a UDP scan (-sU) as well if you expose any UDP services. Scan from a host outside your network too: this scan was run against a private 192.168.1.1 address two hops away, and a scan from the same LAN can pass rules that only apply to the external interface. The vuln category can be used to check your server against vulnerabilities that researchers have found in the software it runs, and you can always find more scripts over at the Nmap website.
Do you have any questions about running Nmap? Feel free to ask one of our data centre technicians below!
Photo by Laurenz Kleinheider on Unsplash