Friday, December 12, 2003

nmap etc.

Here's some more stuff about nmap - the utility Rahul had mentioned some time ago. nmap is a very powerful port scanner: it not only tells you which services the remote computer is running, it also tells you whether the ports are firewalled (reported as "filtered" rather than "open" or "closed"), and it guesses which OS that computer is using.
It's always a good idea to run nmap with root privileges, since the default SYN scan and the OS detection need raw sockets. Check out the following 2 sample outputs.

[hrishikesh@vikings hrishikesh]$ sudo nmap -vO 10.7.201.38
Password:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
Host (10.7.201.38) appears to be up ... good.
Initiating SYN Stealth Scan against (10.7.201.38)
Adding open port 445/tcp
Adding open port 139/tcp
Adding open port 135/tcp
Adding open port 1025/tcp
The SYN Stealth Scan took 0 seconds to scan 1601 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Interesting ports on (10.7.201.38):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP
TCP Sequence Prediction: Class=random positive increments
Difficulty=9567 (Worthy challenge)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second


This is the output I got when I ran nmap on our dept mail server -


Interesting ports on shakti.aero.iitb.ac.in (10.101.1.2):
(The 1578 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap2
443/tcp open https
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
600/tcp open ipcserver
993/tcp open imaps
995/tcp open pop3s
2401/tcp open cvspserver
3306/tcp open mysql
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19-pre4 on Alpha, Linux Kernel 2.4.3 SMP (RedHat)
TCP Sequence Prediction: Class=random positive increments
Difficulty=3081814 (Good luck!)
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 21 seconds


nmap is a popular tool in many network security scanners. The first step to attacking a remote computer is a port scan. Determine the open ports, check out the services running and see if there are any known vulnerabilities. A security scanner basically automates this process. It checks for these things in its database and gives you a detailed report. The later the version, the more vulnerabilities it can detect. This is of course the script kiddie approach. The real fun is doing it yourself and writing code to exploit weaknesses. I would have LOVED to do all this (of course without trashing the servers - just to KNOW) but in IIT, if you are caught, you are in REAL DEEP SHIT. I had a great desire to learn more about these things but the fear kept me from going deeper into this and gaining knowledge. So, no motivation, no fundaes! :-(
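The two points made above, nmap reporting which ports are open or filtered and a scanner checking those results against a database, have a defender's counterpart: read the scan's port table and diff it against the ports a host is supposed to expose, so that unexpected exposure (or a firewall rule that stopped working) shows up as a list rather than something you eyeball. The following is an added example, not code from the post or from nmap itself; the sample input is the post's own two scan outputs re-typed as strings, and the EXPECTED_MAIL_SERVER baseline is a hypothetical allowlist constructed for the example.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample input: the port tables from the two nmap 3.00 scans
# quoted in the post (a Windows host and the department mail server).
WINDOWS_HOST_SCAN = """\
Interesting ports on (10.7.201.38):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
"""

MAIL_SERVER_SCAN = """\
Interesting ports on shakti.aero.iitb.ac.in (10.101.1.2):
(The 1578 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap2
443/tcp open https
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
600/tcp open ipcserver
993/tcp open imaps
995/tcp open pop3s
2401/tcp open cvspserver
3306/tcp open mysql
"""

# Hypothetical baseline: the ports the mail server is *supposed* to expose.
# This is an assumption made for the example, not something the post states.
EXPECTED_MAIL_SERVER = {
    (22, "tcp"), (25, "tcp"), (53, "tcp"), (80, "tcp"), (110, "tcp"),
    (143, "tcp"), (443, "tcp"), (993, "tcp"), (995, "tcp"),
}


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# One row of the "Port State Service" table, e.g. "135/tcp filtered loc-srv".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered)\s+(\S+)$")
# The summary line for the ports nmap does not list individually.
UNSHOWN_LINE = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")


def parse_port_table(text):
    """Return (list of PortEntry, (count, state) of the unlisted ports or None)."""
    entries, unshown = [], None
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = UNSHOWN_LINE.search(line)
        if m:
            unshown = (int(m.group(1)), m.group(2))
    return entries, unshown


def state_summary(entries, unshown):
    """Count ports per state, folding in the ports nmap summarised away."""
    counts = Counter(e.state for e in entries)
    if unshown is not None:
        count, state = unshown
        counts[state] += count
    return dict(counts)


def exposure_diff(entries, expected_open):
    """Compare open ports with a baseline: (unexpected open, expected but not open)."""
    open_ports = {(e.port, e.proto) for e in entries if e.state == "open"}
    return sorted(open_ports - expected_open), sorted(expected_open - open_ports)


if __name__ == "__main__":
    entries, unshown = parse_port_table(MAIL_SERVER_SCAN)
    print("states:", state_summary(entries, unshown))
    unexpected, missing = exposure_diff(entries, EXPECTED_MAIL_SERVER)
    print("open but not in baseline:", unexpected)
    print("in baseline but not open:", missing)
```

Run as a script it prints the per-state counts and the diff for the mail server scan; the counts line up with nmap's own totals (16 open + 7 filtered + 1578 closed = 1601 ports, the same number the first scan reports). The regexes match the nmap 3.00 text layout shown in the post; later versions change the table format, and for anything scripted the XML output (-oX) is the stable thing to parse.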

But no regrets, doing safe programming can be equally fun! Also interesting is linux system administration. In my opinion, it's a lot more systematic and transparent than in windoze. And in the latest versions of linux distros, you can do practically everything. The only reason I ever need to use windoze is when I want to create ppts (and of course, play games). The command line in linux (basically the shell) is extremely powerful and versatile. Once you are addicted to using the command line, all the mouse movement and thousands of clicks really suck!

More about linux later!
