Business IT - Technology for your business


Introduction to Linux penetration testing with nmap


It’s also worth gleaning more data about the services discovered to be open; after all, knowing a remote host has port 80 open gives some information but knowing it is running a specific version of Apache gives far more information. And knowing port 3000 (say) is open gives some basic information, but knowing that SSH is listening on that port yields far more information.


Here’s where nmap’s version scan comes in: run nmap again using the -sV flag. This time nmap makes a telnet-like connection to each port and reads the banner presented. To illustrate, consider manually testing port 25:


[dave@bebop ~]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 bebop.local ESMTP Sendmail 8.13.8/8.13.8; Mon 13 Aug 2007 23:17:59 +1000
Quit
221 2.0.0 bebop.local closing connection


Here you can see that sendmail identifies itself and gives its version number. This is valuable information: exploits matching this exact version can now be searched for, which is also why an administrator should know what every exposed service announces about itself.
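The banner-reading step described above, as an added example that is not from the original article: a small Python script that connects the way telnet does, reads whatever a service announces, and extracts the product and version it discloses, so an administrator can check their own hosts for exactly the kind of leak shown in the sendmail session. The banner samples are constructed for the demonstration; the hostnames, ports and regular expressions are assumptions, not nmap's own probe database.

```python
import re
import socket

# Constructed sample banners (not captured from a real host), in the shapes a
# telnet-style connection reads back: the article's SMTP greeting, an SSH
# identification string and an HTTP response header.
SAMPLE_BANNERS = {
    25: "220 bebop.local ESMTP Sendmail 8.13.8/8.13.8; Mon 13 Aug 2007 23:17:59 +1000\r\n",
    22: "SSH-2.0-OpenSSH_7.4\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\n\r\n",
}

# Assumed (hand-written) patterns for three common banner formats; each names
# a 'product' group and a 'version' group.
PATTERNS = [
    re.compile(r"^220 \S+ ESMTP (?P<product>Sendmail|Postfix|Exim) ?(?P<version>[\w.]+/?[\w.]*)?"),
    re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>[\w.]+)"),
    re.compile(r"Server: (?P<product>[A-Za-z-]+)/(?P<version>[\w.]+)", re.M),
]


def parse_banner(banner):
    """Return (product, version) disclosed by a banner, or None if unrecognised."""
    for pat in PATTERNS:
        m = pat.search(banner)
        if m:
            return m.group("product"), m.group("version") or ""
    return None


def grab_banner(host, port, timeout=3.0):
    """Connect like telnet would and read what the service sends first.
    HTTP sends nothing unsolicited, so a minimal HEAD request is issued."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080):
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        return s.recv(1024).decode("ascii", "replace")


def report(banners):
    """Map port -> (product, version) for every banner that discloses a product."""
    return {p: parse_banner(b) for p, b in banners.items() if parse_banner(b)}


if __name__ == "__main__":
    # Runs offline on the constructed samples; swap in grab_banner(host, port)
    # results to audit a real host you administer.
    for port, (product, version) in sorted(report(SAMPLE_BANNERS).items()):
        print(f"port {port}: {product} {version} disclosed in banner")
```

Every port that shows up in the report is one where the banner alone hands out a product and version, which is the same data nmap's -sV collects.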


Where to from here


That’s the basics of beginning penetration testing by using nmap to perform research. There are many options to nmap and it is a very versatile tool. It is definitely worthwhile reading the documentation on insecure.org to understand other ways it can be used as well as good tips for successful stealthy probing.


One such tip is to space out the scanning over a period of time. Despite best attempts to be quiet, diligent admins may notice unusual network activity, especially if it has a pattern to it, like incrementing through a series of ports. For this case nmap offers the -T0 flag, which spreads its scans over a considerable time. This means it will take a long time to return results, with the benefit of reducing the chance of being noticed. By contrast, timing can be sped up greatly with -T5. This may be useful if the target system is on a high-speed network like a LAN and you only have a very small window of time in which to capture data. Intermediate timings are available through -T1 to -T4.


Another good nmap flag for beginners is -v, which gives additional, verbose output. With this set nmap will provide extra text explaining its actions and results.


Flags can be combined to perform more work in one run and speed up the gathering of results. An example is the single command nmap -v -sS -O -sV -T1 host.


You might also like to explore other open-source tools which can add more detail to the results obtained from nmap. Popular penetration testing programs include amap, scanrand and ike-scan. Good luck!
