nmap, or Network Mapper, is an open source command line program for security auditing. Here is a basic intro!
As always, only scan your own hosts or hosts that you have permission to scan!
To do a simple check of open ports or port filtering, issue:
$ sudo nmap host
stmiller@brahms:~$ sudo nmap scottlinux.com
Starting Nmap 5.21 ( http://nmap.org ) at 2011-10-01 09:43 PDT
Nmap scan report for scottlinux.com (184.108.40.206)
Host is up (0.023s latency).
rDNS record for 220.127.116.11: li166-66.members.linode.com
Not shown: 994 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
465/tcp open  smtps
993/tcp open  imaps
Nmap done: 1 IP address (1 host up) scanned in 4.54 seconds
stmiller@brahms:~$
By default, nmap's TCP scan uses a half-open connection, usually called a SYN scan: nmap sends a SYN packet to begin a TCP connection, and a listening port replies with a SYN-ACK. Nmap does not follow up with the ACK that would complete the handshake; instead it records the SYN-ACK as an open (listening) port.
To get a little more fancy, try adding these options:
$ sudo nmap -A -T4 --spoof-mac 0 scanme.nmap.org
-A: Enables OS detection, version detection, script scanning and traceroute.
-T(value): a numerical value between 0 and 5 that sets the intensity (timing) of the scan: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5).
If you are concerned about tripping an IDS, use -T0 or -T1, but note this will increase the time to complete the scan.
--spoof-mac with a value of 0 will provide a random MAC address. This is of course optional but useful.
Here is an example scan:
stmiller@brahms:~$ sudo nmap -A -T4 --spoof-mac 0 scottlinux.com
[sudo] password for stmiller:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-10-01 09:40 PDT
Spoofing MAC address 96:56:9A:A9:6B:64 (No registered vendor)
Nmap scan report for scottlinux.com (18.104.22.168)
Host is up (0.030s latency).
rDNS record for 22.214.171.124: li166-66.members.linode.com
Not shown: 995 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh?
25/tcp  open  smtp?
80/tcp  open  http     Apache httpd
| robots.txt: has 13 disallowed entries
| /cgi-bin /wp-admin /wp-includes /wp-content /author
|_/wget/ /httpd/ /i/ /f/ /t/ /c/ /j/ /
|_html-title: HTTP Error 403
443/tcp open  ssl/http Apache httpd
| robots.txt: has 13 disallowed entries
| /cgi-bin /wp-admin /wp-includes /wp-content /author
|_/wget/ /httpd/ /i/ /f/ /t/ /c/ /j/ /
|_html-title: HTTP Error 403
993/tcp open  imaps?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|webcam|broadband router|WAP|general purpose|printer
Running (JUST GUESSING) : CipherLab embedded (86%), D-Link embedded (86%), Efficient Networks embedded (86%), Hioki embedded (86%), Linux 2.4.X|2.6.X (86%), Panasonic embedded (86%)
Aggressive OS guesses: CipherLab 5100 time and attendance terminal (86%), D-Link DCS-3220 or DCS-5300G webcam (86%), Efficient Networks SpeedStream 5100 ADSL router (86%), Hioki MEMORY HiCORDER 8855 digital oscilloscope (86%), DD-WRT v23 (Linux 2.4.36) (86%), Linux 2.6.18 (86%), Linux 2.6.26 (PCLinuxOS) (86%), Panasonic DB-3500 series printer (86%), Panasonic KX-HCM270 Network Camera (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 11 hops

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   3.86 ms  172.16.1.1
2   30.95 ms 10.15.0.1
3   31.60 ms 172.16.17.1
4   32.46 ms te-1-2.ar01.rkln-ca.wavecable.com (126.96.36.199)
5   68.42 ms 188.8.131.52
6   38.80 ms vb1510.rar3.sanjose-ca.us.xo.net (184.108.40.206)
7   31.33 ms 220.127.116.11.ptr.us.xo.net (18.104.22.168)
8   26.34 ms 22.214.171.124.ptr.us.xo.net (126.96.36.199)
9   ...
10  16.91 ms linode-llc.10gigabitethernet2-3.core1.fmt1.he.net (188.8.131.52)
11  16.02 ms li166-66.members.linode.com (184.108.40.206)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.22 seconds
Ok, so the OS detection did not work so great for my server, but good information is provided, including a quick traceroute.
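As an added example (not code from the original post or from the nmap project), here is a small Python parser for the normal-output format shown in the scans above. It turns the PORT/STATE/SERVICE table into structured records and flags open ports that are not in an expected baseline, which is the check a host owner usually runs a scan like this for. The sample input is the first scan output above; the BASELINE set is an assumption made up for the example.

```python
import re
from collections import namedtuple

# Lines of nmap's normal (human-readable) output that this parser understands.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
PortEntry = namedtuple("PortEntry", "port proto state service version")

def parse_nmap_report(text):
    """Parse one host's section of nmap normal output into a dict."""
    report = {"host": None, "addr": None, "not_shown": {}, "ports": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            report["host"], report["addr"] = m.group(1), m.group(2)
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:  # e.g. "Not shown: 994 filtered ports"
            report["not_shown"][m.group(2)] = int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:  # NSE script lines from -A start with "|" and do not match
            port, proto, state, service, version = m.groups()
            report["ports"].append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return report

def unexpected_open_ports(report, allowed):
    """Open (port, proto) pairs that are not in the allowed baseline set."""
    return sorted((p.port, p.proto) for p in report["ports"]
                  if p.state == "open" and (p.port, p.proto) not in allowed)

# Sample input: the first scan output from the post.
SAMPLE = """\
Nmap scan report for scottlinux.com (184.108.40.206)
Not shown: 994 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
465/tcp open  smtps
993/tcp open  imaps
"""
# Assumed baseline for this host (made up): only SSH and web should be exposed.
BASELINE = {(22, "tcp"), (80, "tcp"), (443, "tcp")}

if __name__ == "__main__":
    print(unexpected_open_ports(parse_nmap_report(SAMPLE), BASELINE))
```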