Scanning and Defending Linux Networks with Nmap
6 - 12 min read
Nov 27, 2023
Cybercriminals implement scanning into their attacks to find network machines with open ports that they can utilize to bypass security and harm businesses and employees. Before launching an attack, threat actors run cloud security scanners like Linux Nmap that can sweep servers and find cybersecurity vulnerabilities to exploit. Once they identify a target, an intruder can use TCP stack fingerprinting to determine the type of machine they are breaching.
Organizations must work with the same tools that threat actors implement so employees can see what network security issues permit cybercriminals into a system. This article will discuss Nmap, how to utilize it in various privacy sandboxes, and how to prevent cloud security breaches from entering your server so you can improve your security posture.
What is Nmap?
Nmap is a free-to-download service under the GNU General Public License (GPL) that can analyze collected data regarding hosts and services within a network. We will focus on how to work with Nmap on the command line as we move forward. Let’s start with a few basic explanations and steps that can help with your understanding of this cloud security framework:
- Within the "nmap" command line, scans have an -s flag specifying their type.
- Select one of the scanner options and what host or network you want to target.
- You can scan one host or an entire network with the correct configurations.
- Providing a network address with "/mask" appended to it can help you learn more about your targets.
- Once you understand how Nmap functions, you can run root commands and custom packets that prove effective in your analysis.
- Specify networks with wildcards such as 192.168.7.*, 192.168.7.0/24, or 192.168.7.1,4,8-12 to scan selected hosts on a subnet.
What Techniques Can I Use on Nmap to Find Cybersecurity Vulnerabilities on My Server?
You must learn the various methods you can implement for testing your server so you can integrate security patching as best as possible to keep your organization and employees secure. Here are some configurations you can utilize to strengthen data and network security:
Ping Sweeping
Intruders can sweep entire networks looking for targets with Nmap. This is usually done with a ping scan using the "-sP" flag. By default, Nmap will send an ICMP echo and a TCP ACK to each host it scans. Nmap will consider hosts that respond to either to be up. In this example, scan all hosts on the 192.168.7.0 network:
# nmap -sP 192.168.7.0/24
Starting nmap V. 2.12 by Fyodor (This email address is being protected from spambots. You need JavaScript enabled to view it.
Sometimes, you may want to check a system's availability without sending ICMP echo requests, which some sites may block. In this case, a TCP "ping" sweep can be used to scan a target's network.
A TCP "ping" will send an ACK to each machine on a target network. Machines that are up should respond with a TCP RST. To use the TCP "ping" option with a ping scan, include the "-PT
# nmap -sP -PT80 192.168.7.0/24
TCP probe port is 80
Starting nmap V. 2.12 by Fyodor (This email address is being protected from spambots. You need JavaScript enabled to view it. , www.insecure.org/nmap/)
Host (192.168.7.11) appears to be up.
Host (192.168.7.12) appears to be up.
Host (192.168.7.76) appears to be up.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 1 second
When a potential intruder knows which machines on the target's network are alive, the next step is port scanning.
Nmap provides different types of port scans: TCP connect, TCP SYN, Stealth FIN, Xmas Tree, and Null, as well as UDP scans.
Port Scanning
An attacker using TCP connect scans to probe is easily detected. Nmap will use the connect() system call to open connections to interesting ports on the target host and complete the 3-way TCP handshake. Logs on the host machine will show these ports being opened by the attacker. A TCP connect scan is used with the "-sT" flag as:
# nmap -sT 192.168.7.12
Starting nmap V. 2.12 by Fyodor (This email address is being protected from spambots. You need JavaScript enabled to view it. , www.insecure.org/nmap/)
Interesting ports on (192.168.7.12):
Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
19 open tcp chargen
21 open tcp ftp
...
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
Stealth Scanning
What if an attacker wants to scan a host without leaving his calling card in the system logs on the target machine? TCP SYN scans are less prone to logging on the target's machine because a full handshake never completes. A SYN scan starts by sending a SYN packet, the first packet in TCP negotiation. Any open ports will respond with a SYN|ACK, as they should. However, the attacker sends a RST instead of an ACK, which terminates the connection. The advantage is that the 3-way handshake never completes, and fewer sites will log this probe type. Closed ports will respond to the initial SYN with an RST, allowing Nmap to determine that the host isn't listening on that port. The "-sS" flag will launch a SYN scan against a host or network as:
# nmap -sS 192.168.7.7
Starting nmap V. 2.12 by Fyodor (This email address is being protected from spambots. You need JavaScript enabled to view it. , www.insecure.org/nmap/)
Interesting ports on saturnlink.nac.net (192.168.7.7):
Port State Protocol Service
21 open tcp ftp
25 open tcp smtp
53 open tcp domain
80 open tcp http
...
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
Although SYN scans are more likely to be unnoticed, they can still be detected by some intrusion detection countermeasures. The Stealth FIN, Xmas Tree, and Null scans are used to evade packet filters and firewalls that may be watching for SYN packets directed toward restricted ports. These three scans should return an RST for closed ports, whereas open ports should drop the packet. A FIN "-sF" scan will send a FIN packet to each port, whereas the Xmas Tree scan "-sX" turns on the FIN, URG, and PUSH flags, and a Null Scan "-sN" turns off all flags. Because of Microsoft's compliance with TCP standards, the FIN, Xmas Tree, and Null scans are only effective on non-Microsoft operating systems.
UDP Scanning
If an attacker is looking for popular UDP holes to exploit, such as a rpcbind hole or cDc Back Orifice. He/she will want to know what UDP ports are listening, and to find these ports will most likely initiate a UDP scan. Using the UDP scan "-sU," an attacker can determine what ports are open to UDP on a host. Nmap will send a 0-byte UDP packet to each port. If the host returns a "port unreachable" message, that port is considered closed. This method can be time-consuming because most UNIX hosts limit the rate of ICMP errors. Fortunately, Nmap detects this rate and slows itself down so as not to overflow the target with messages that would have been ignored. Launch a UDP scan as follows:
# nmap -sU 192.168.7.7
WARNING: -sU is now UDP scan -- for TCP FIN scan use -sF
Starting nmap V. 2.12 by Fyodor (This email address is being protected from spambots. You need JavaScript enabled to view it. , www.insecure.org/nmap/)
Interesting ports on saturnlink.nac.net (192.168.7.7):
Port State Protocol Service
53 open udp domain
111 open udp sunrpc
123 open udp ntp
137 open udp netbios-ns
138 open udp netbios-dgm
177 open udp xdmcp
1024 open udp unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
OS Fingerprinting
Often, an intruder may be more familiar with exploits for a particular operating system and may be looking for machines he can compromise easily. A common option is TCP/IP fingerprinting with the "-O" option to determine the remote operating system. This must be combined with a port scan, not a ping scan. Nmap accomplishes this by sending different probes to the host, which will narrow the target operating system. Fingerprinting the TCP stack includes such techniques as FIN probing to see what kind of response the target has, BOGUS flag probing to see the remote host's reaction to undefined flags sent with a SYN packet, TCP Initial Sequence Number (ISN) sampling to find patterns of ISN numbers, as well as other methods of determining the remote operating system.
Nmap's Operating System detection feature is a very accurate and effective tool, as demonstrated by fingerprinting the stack of this Solaris 2.7 machine with a SYN scan:
# nmap -sS -O 192.168.7.12
Starting nmap V. 2.12 by Fyodor (This email address is being protected from spambots. You need JavaScript enabled to view it. , www.insecure.org/nmap/)
Interesting ports on comet (192.168.7.12):
Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
19 open tcp chargen
21 open tcp ftp
...
TCP Sequence Prediction: Class=random positive increments
Difficulty=17818 (Worthy challenge)
Remote operating system guess: Solaris 2.6 - 2.7
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
Do you notice the TCP Sequence Prediction? When given the -O option, Nmap also tells us how difficult it is to predict the remote host's TCP sequence number. This information is valuable to an attacker looking for hosts that can be vulnerable to session hijacking.
Ident Scanning
An attacker often may look for a machine in which he/she has a specific exploit for a process, such as a web server running as root. If the target is running identd, an attacker using Nmap can find out what user owns the HTTP daemon by including the "-I" option to a TCP connect scan. We'll demonstrate by scanning a Linux web server:
# nmap -sT -p 80 -I -O www.yourserver.com
Starting nmap V. 2.12 by Fyodor (This email address is being protected from spambots. You need JavaScript enabled to view it. , www.insecure.org/nmap/)
Interesting ports on www.yourserver.com (xxx.xxx.xxx.xxx):
Port State Protocol Service Owner
80 open tcp http root
TCP Sequence Prediction: Class=random positive increments
Difficulty=1140492 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.1.132; 2.2.0-pre1 - 2.2.2
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
If your webserver is misconfigured and running as root, as this one is, it will probably be a late night at the data center.
While it is bad security practice to run Apache as root, you can block incoming ident requests by commenting out "auth" in /etc/inetd.conf and restarting inetd. Another method of stopping ident requests is implementing firewall rules at your network border with ipchains or your favorite firewall. This will prevent the curious hooligan from probing your site to determine what user owns what daemons.
What Are My Other Options as an Nmap User?
In addition to these scans, Nmap offers a myriad of options. One of which, "-PT
An option that is useful with scans is "-P0". Since Nmap will ping a target with TCP "ping" and ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default. The "-P0" option to a scan will allow
One option you should get into the habit of using is "-v," a verbose option that can be used with all types of scans. You can use this flag once or twice to get more information about the target's machine.
The ability to target specific ports is accomplished with the "-p
# nmap -sS -p 21,23,53,80 -O -v www.yourserver.com
Factor in a database of popular exploits, and even a novice cracker could be well on his way to getting root access to your machine.
Final Thoughts on Scanning and Defending Networks with Nmap
Various network security toolkits exist that can help counter attacks in network security. However, these toolkits cannot serve as a substitute for having a knowledgeable administrator actively overseeing everything on a server. Network security websites must prioritize monitoring results from cloud security scanners to ensure that no cybercriminals are planning an attack.
Using Nmap to learn more about your sites, systems, and administration can help you discover cybersecurity vulnerabilities that could permit potential intruders the opportunity to probe your machines and prepare to instigate attacks in network security. Therefore, you must set up Nmap on your Linux server to stay safe and secure.
