I just wanted to put in a plug for nmap. It’s a very useful tool for any network specialist. I show a use case that came up today.
While cleaning up DNS entries I came across a network segment that didn’t seem to have any active network devices, at least not after I cleaned up the old DNS entries for inactive devices.
So I wanted to see if I could tell the networking tech that this subnet is unused and could be allocated for some other purpose.
I remembered using nmap years ago, and that it was a powerful tool for this kind of thing. What I had in mind was to ping every IP on this segment to see if there were any undocumented hosts.
As it turns out I didn’t even have it installed, but it was very easy to get:
$ zypper install nmap
$ yum install nmap
It doesn’t get easier than that!
A quick review of the man page showed that what I wanted was indeed possible. Here’s the syntax for a systematic PING sweep through a subnet:
$ nmap −sP 10.101.192.0/24
Starting Nmap 4.75 ( http://nmap.org ) at 2012-11-08 10:21 EST
Host 10.101.192.5 appears to be up.
Host 10.101.192.10 appears to be up.
Host 10.101.192.151 appears to be up.
Host 10.101.192.152 appears to be up.
Host 10.101.192.153 appears to be up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.28 seconds
Now I know that subnet has rogue or at least undocumented hosts and is not unused!
The original usage for nmap, at least for me, was to fingerprint an unknown host:
$ nmap −A −T4 ossim.drj.com
Interesting ports on ossim.drj.com (10.22.235.19):
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
80/tcp open http Apache httpd
|_ HTML title: 302 Found
443/tcp open ssl/http Apache httpd
|_ HTML title: Site doesn't have a title.
514/tcp closed shell
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Device type: WAP|general purpose|PBX
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (93%), Vodavi embedded (85%)
Aggressive OS guesses: OpenWrt 7.09 (Linux 2.6.22) (93%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (92%), Linux 188.8.131.52 (89%), Linux 2.6.21 (Slackware 12.0) (88%), OpenWrt 7.09 (Linux 2.6.17 - 2.6.21) (88%), Linux 2.6.19 - 2.6.21 (88%), Linux 2.6.22 (Fedora 7) (88%), Vodavi XTS-IP PBX (85%), Linux 2.6.22 (85%)
No exact OS matches for host (test conditions non-ideal).
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 0.87 10.202...
2 0.38 ...
3 0.57 ...
4 6.10 ...
5 114.64 ...
6 119.79 ...
7 103.43 ossim.drj.com (10.22.235.19)
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.02 seconds
Now that was kind of an unusual example in which nmap wasn’t too sure about the OS. Usually you get a positive ID of some sort. That’s a chatty server and I’m still not sure what it is.
Nmap can be used for nasty things and in an impolite way, network-wise. So be careful to tone it down. Target your hosts and protocols with care. It can guess what OS a host is running, what ports are open, all kinds of amazing stuff.
I checked PING and did not see a built-in capability to do a PING sweep, though it would have been easy enough to script it. That was my backup option.
Once I had to check on a single UDP port being open on port 80 for a webcast client called Kontiki (they call this protocol KDP). No other ports were open, necessitating the -PN switch.
Single UDP port check
$ nmap −PN −sU -p 80 184.108.40.206
Starting Nmap 4.75 ( http://nmap.org ) at 2013-07-23 13:59 EDT
Interesting ports on 220.127.116.11:
PORT STATE SERVICE
80/udp open|filtered http
Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
Three TCP ports checked
$ nmap ‐PN ‐sS ‐p 445,28080,28443 18.104.22.168
Results of that scan
Starting Nmap 5.51 ( http://nmap.org ) at 2017-04-13 09:18 EDT
Nmap scan report for 22.214.171.124
Host is up.
PORT STATE SERVICE
445/tcp filtered microsoft-ds
28080/tcp filtered unknown
28443/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 3.06 seconds
“filtered” means there were no reply packets to my SYN packets, usually a sign of an intervening firewall dropping packets. I’m not sure why it describes the host as “up” when actually it is down or behind a firewall. A state of closed indicates that a RST packet was received in reply, indicating that the port is closed on the host itself and it wasn’t a firewall that prevented the test from succeeding. the third possible state is open, which of couse means that it replied with a SYN-ACK to that probe on that port.
To fix the source port add a -g to the above command. E.g., some firewalls have trouble with permitting inbound UDP packets from port 53 so to test for that you throw in a -g 53 and try some random high destination port.
I needed to spoof another host’s IP address and send a simple PING (ICMP request) to diagnose what was going wrong with the reply. Here’s how I did that:
$ nmap −PE −e eth0 −S 10.42.48.1 10.1.145.10
But then I realized what I really needed to do to emulate the problem is to send a single TCP SYN packet to port 8081, without the accompanying ICMP probes that nmap is wont to throw in there first. Here’s how I built up that probe:
$ nmap −PN −sS −p 8081 −−max-retries 0 −e eth0 −S 10.42.48.1 10.1.145.10
Check if a web server is running
$ nmap −PN −p T:80,443 drjohnstechtalk.com
This will check both ports 80 and 443. It doesn’t execute any HTTP protocol. It’s just a quick and dirty test.
don’t have nmap but have something like netcat instead? A good tcp port check with netcat is
netcat -vzw5 <host> <port>. Here’s an actual example.
$ netcat ‐vzw5 drjohnstechtalk.com 443
drjohnstechtalk.com [126.96.36.199] 443 (https) open
Nmap is a great network tool that every IT network tech should be familiar with.
References and related
A more capable and complicated packet generation tool is scapy. I describe it in this blog post.
A simpler network for Windows (simpler than nmap for Windows) is PortQry. It was created by Microsoft.