Earlier this week, I was asked to check if a particular port is open or not for our storage product. I checked all ports and provided the report. All systems require open ports and services to communicate and perform the required tasks. A good security policy is to keep only the required ports open and close all others.
This is a general and recurring question: which ports are open on my machine? Obtaining an answer isn't complicated if you are aware of nmap and the magical things it does.
If you have never heard of nmap, I'd say it is time to learn something new. What nmap is and what sort of magic it does is a huge subject on its own. Here is something to get you started.
nmap is a port scanner. It sends various types of probes to the target IP address and examines the responses to determine whether a service is actually listening on each port. For example, with a SYN scan (-sS, the default when nmap runs as root), nmap sends a TCP SYN packet to the port it is probing. This is also known as half-open scanning because it never completes the TCP three-way handshake: if the response is a SYN/ACK, the port is open (a service is listening), and nmap tears the half-open connection down with an RST instead of answering with an ACK. If the response is an RST (reset), the port is closed: the host is reachable but nothing is listening there. If no response arrives after retries, or an ICMP unreachable error comes back instead, nmap marks the port as filtered because it cannot tell whether the port is open or closed; something in the path is dropping the probe or the reply.
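To make the three states concrete, here is a small scanner in Python. It is an added example, not nmap's code: it performs a full TCP connect scan (what nmap does with -sT, and what it falls back to when not run as root) rather than the half-open SYN scan, because sending a bare SYN needs raw sockets. The outcomes map onto the same states: a completed handshake is open, an immediate refusal (the kernel's RST) is closed, and a timeout is filtered. The listener it scans is started on loopback inside the script so the example runs offline; the port numbers it reports are whatever the kernel hands out, not the ones from the scan in this post.

```python
"""Minimal TCP connect scan illustrating the port states nmap reports.

Added example, not nmap's code. A full connect (nmap -sT) is used instead of
the half-open SYN scan because raw sockets need root. The loopback listener
is constructed here so the script runs offline.
"""
import socket
import threading


def classify_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"          # host answered the SYN with RST: nothing listening
    except socket.timeout:
        return "filtered"        # no answer at all: probe or reply was dropped
    except OSError:
        return "filtered"        # e.g. ICMP host/network unreachable, as nmap treats it


def scan(host, ports, timeout=1.0):
    """Scan a list of ports and return {port: state}, like nmap's per-port table."""
    return {p: classify_port(host, p, timeout) for p in ports}


def start_listener():
    """Start a throwaway TCP listener on 127.0.0.1; return (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return           # listener shut down
            conn.close()         # accept and drop, enough to complete the handshake

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port():
    """Find a port nothing is listening on: bind to 0, read the number back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Open one listener, scan it plus a closed port; return (results, open_port, closed_port)."""
    open_port, srv = start_listener()
    closed_port = free_port()
    try:
        return scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept() in the thread
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    results, _, _ = demo()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
```

One practical difference worth remembering: a connect scan completes the handshake, so the service's accept() succeeds and the connection can appear in its logs; a SYN scan resets the half-open connection before that happens, which is why it is quieter. Version detection (-sV) talks to the service either way, so it is never silent.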
If you have a machine with nmap installed and your target machine is reachable from there, the setup is ready. Run the scan as root (note the # prompt below): nmap then uses its default SYN scan, whereas an unprivileged user silently gets a full TCP connect scan (-sT), which works but completes every handshake and so shows up in the target's service logs.
# nmap -sV --version-all --version-trace -p1-65535 -f target.machine.ip.address
What options of nmap are we using :
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
PORT SPECIFICATION AND SCAN ORDER:
-p: Only scan specified ports
-p1-65535 scan ports in the range 1 to 65535 (the shorthand -p- means the same). Without -p, nmap scans only its 1000 most common ports, so a service on an unusual port would be missed.
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu: fragment packets (optionally w/given MTU)
Two notes on this command line. -f is an IDS-evasion option and is included here only to show it exists; for inventorying your own host it buys nothing, and some hosts and filters drop fragmented probes, so leave it out if the results look incomplete. --version-trace is a debugging switch and is responsible for most of the noise in the output that follows; drop it too once you trust the results.
If the target machine is reachable, output from nmap begins like this:
Starting Nmap 5.51 ( http://nmap.org ) at 2018-04-06 06:48 UTC
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
This is followed by a lot of output, most of it the per-probe detail that --version-trace asks for. The summary at the end is what you are interested in. Here is an example.
Nmap scan report for target.machine.ip.address
Host is up (0.00012s latency).
Scanned at 2018-04-06 06:48:39 UTC for 15s
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
111/tcp open rpcbind
875/tcp open rpcbind
2049/tcp open rpcbind
5920/tcp open vnc VNC (protocol 3.8)
6020/tcp open X11 (access denied)
41253/tcp open rpcbind
44220/tcp open rpcbind
45208/tcp open rpcbind
45964/tcp open rpcbind
46691/tcp open rpcbind
51961/tcp open rpcbind
Service Info: OS: Unix
Final times for host: srtt: 122 rttvar: 17 to: 100000
Read from /usr/share/nmap: nmap-payloads nmap-rpc nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.28 seconds
#
Let's understand the summary in the example.
Out of the 65535 ports, 12 are open and 65523 are closed. The closed ports are only counted ("Not shown: ..."); each open port gets a line with its state, the service nmap identified and, where a version probe got an answer, the version string. The high-numbered ports labelled rpcbind are RPC programs (typically NFS helper daemons such as mountd, statd and lockd on a host that also serves NFS on 2049) which registered with the portmapper on port 111 and were handed ports dynamically; rpcinfo -p target.machine.ip.address lists which program owns which port. Unless those daemons are pinned to fixed ports in their configuration, the numbers change across restarts, so a firewall rule written for today's numbers will not hold.
If ports are reported as "filtered", nmap got no reply to its probes (or an ICMP unreachable error), which usually means a firewall or packet filter between you and the target is dropping them; nmap cannot tell whether a service is actually listening behind it. A UDP scan (-sU) reports an unanswered probe as "open|filtered" for the same reason.
And this leads us to another question. "What if I want to check locally, and not from another machine on my network?" The same question could be put in other ways. "What if I do not want to use nmap?" "I got the list from nmap. I want to cross-verify the same."
In this case, the netstat utility is our good friend.
Useful options of netstat are :
-t, --tcp        tcp only
-n, --numeric    don't resolve names
-l, --listening  display listening server sockets
-p, --programs   display PID/Program name for sockets
Combine them as -tlnp (add -u to include UDP listeners). Run it as root: without privileges netstat can only show the PID/Program name for your own processes and prints "-" for the rest. On current Linux distributions netstat (from net-tools) is often not installed at all; ss -tlnp from iproute2 takes the same flags and shows the same information in a slightly different layout.
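The cross-verification asked for above, as an added example in Python that is not part of the original post: it takes the per-port table from nmap and the listener table from netstat -tlnp, matches them up, and explains each discrepancy. The two sample texts inside the script are constructed to resemble those formats (the netstat parser expects netstat's column layout, not ss's). The point it makes is that the two views are different by design: netstat shows what the host is listening on, nmap shows what is reachable through whatever sits in between, so a listener bound to 127.0.0.1 never appears in a remote scan, and a listener that is bound to all interfaces but missing from the scan is what a firewall rule looks like from outside.

```python
"""Cross-check an nmap report against the host's own listener list.

Added example, not from the original post. NMAP_SAMPLE and NETSTAT_SAMPLE are
constructed text in the formats printed by `nmap -sV` and `netstat -tlnp`;
the functions work on real output pasted in the same way.
"""
import re

NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: a few lines in the shape of nmap's per-port table.
NMAP_SAMPLE = """\
PORT      STATE  SERVICE    VERSION
22/tcp    open   ssh        OpenSSH 5.3 (protocol 2.0)
111/tcp   open   rpcbind
2049/tcp  open   rpcbind
5920/tcp  open   vnc        VNC (protocol 3.8)
8080/tcp  closed http-proxy
"""

# Constructed sample: the shape of `netstat -tlnp` run as root on the target.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1000/rpcbind
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1456/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2222/mysqld
tcp6       0      0 :::2049                 :::*                    LISTEN      -
tcp6       0      0 :::5920                 :::*                    LISTEN      3000/Xvnc
"""


def parse_nmap(text):
    """Return the set of (port, proto) pairs that nmap printed as open."""
    found = set()
    for line in text.splitlines():
        m = NMAP_PORT_RE.match(line.strip())
        if m and m.group(3) == "open":          # skips closed, filtered, open|filtered
            found.add((int(m.group(1)), m.group(2)))
    return found


def parse_netstat(text):
    """Return {(port, proto): bind_address} for the listening sockets in netstat output."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue                             # header and banner lines
        proto = fields[0].rstrip("6")            # tcp6 -> tcp, udp6 -> udp
        if proto == "tcp" and "LISTEN" not in fields:
            continue                             # UDP rows carry no state column
        addr, _, port = fields[3].rpartition(":")   # rpartition copes with :::2049
        listeners[(int(port), proto)] = addr
    return listeners


def cross_check(nmap_text, netstat_text):
    """Reconcile the remote (nmap) and local (netstat) views and label each discrepancy."""
    remote = parse_nmap(nmap_text)
    local = parse_netstat(netstat_text)
    report = {
        "confirmed": sorted(remote & set(local)),   # seen from both sides
        "loopback_only": [],                        # bound to 127.0.0.1/::1: invisible remotely by design
        "not_seen_by_nmap": [],                     # bound to all interfaces yet not reachable: filtered?
        "nmap_only": sorted(remote - set(local)),   # reachable but no local listener: wrong host or stale list?
    }
    for key, addr in sorted(local.items()):
        if key in remote:
            continue
        bucket = "loopback_only" if addr in LOOPBACK else "not_seen_by_nmap"
        report[bucket].append(key)
    return report


if __name__ == "__main__":
    for label, ports in cross_check(NMAP_SAMPLE, NETSTAT_SAMPLE).items():
        print(f"{label}: {ports}")
```

In the sample, port 25 is bound to loopback only and port 3306 is bound to all interfaces but absent from the scan; the first is expected, the second is the one to investigate (a host firewall rule, or a scan that did not cover the port range).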
For the curious minds who want to understand more about nmap, some of the most commonly used scanning options for a few specific scenarios are:
TCP Connect Scan (-sT): completes the full three-way handshake; the only TCP scan available without root, and the one that shows up in the target service's logs
UDP Scan (-sU): probes UDP ports; slow, and silent ports come back as open|filtered because an open UDP port sends nothing back unless the probe carries a payload the service understands
TCP FIN Scan (-sF): sends a bare FIN; RFC-compliant stacks answer RST for closed ports and nothing for open ones, which slips past some stateless filters but does not work against Windows, where every port looks closed
Host Discovery Scan (-sn): ping scan only, no port scan; for listing which hosts on a network are up
Timing Options (-T<0-5>): timing templates from paranoid (0) to insane (5); -T4 is the usual choice on a LAN
If knowing these in detail is the intention, then I leave it to the reader to explore and learn.