NMap - Linux port scanning

How to know which port is open from unmanaged remote host?
How to determine running application and services from remote host?
How to do basic port scanning against a host?
How to confirm ports opened from remote host?

Here are a several ways to do port scanning and know which port/services are currently opened from remote host.

Determining opened ports from remote hosts enables somebody to check which service and known applications are currently running from a remote host. Considering that you are not currently managing a particular remote host, this gives confirmation if a specific application service is properly running from specific ports of a particular IP address or host. This can be handy at times when needed to verify some running services on host ports.

Linux Port Scanning
-------------------

This blog entry does not intend to discuss of any misuse or abuse usage of a powerful linux command line tool like nmap. However, in hope to explain more of basic nmap usage, this blog entry is here for further basic nmap references.

Take for example, a client is allowed to send and receive mail from his box and considering all changes have been done from your server and still the client can't receive emails. Further client phone conversation informs you that the issue was working fine recently and suddently, he just cannot send and receive emails. Although you can verify that the destination host is currently up, and you are not currently with the client's site, this blog entry is another step on expanding your troubleshooting arm to confirm some ports from remote host without having total access from it.

One way to approach this issue is by using one of the linux port scanning packages named nmap.
Nmap man says:

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Here's how to verify if a port is open from remote host using NMap.

Port Scanning with Nmap

# nmap remote-IP-address
# nmap -P0 123.123.123.123

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time.

Ports are classified as unfiltered when they are responsive to Nmap’s probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

To issue nmap OS and version detection using nmap

# nmap -A 123.123.123.123

If you wish to do UDP scan against the remote host

# nmap -sU 123.123.123.123

If you wish to do specific port scanning using nmap

# nmap -v -p port_number 123.123.123.123

If you wish to probe open ports for service and version

# nmap -sV 123.123.123.123

Ping scanning can also be done using nmap

# nmap -sP 123.123.123.123

Sometimes you wish to scan a whole network of adjacent hosts. Nmap supports CIDR-style addressing. Nmap scanning to group of host or multiple IP address can also be done like so

# nmap -v -P0 123.123.123.123; 111.222.111.222-230
# nmap -v -P0 192.168.0.0/24; 192.168.1.0/27

When doing group port scanning, exclusing of a particular IP from command line

# nmap -v -P0 v -P0 123.123.123.123; 111.222.111.222-230 --exclude 111.222.111.222.228

Using nmap to exclude multiple host from batch text file can be done like

# nmap -v -P0 -P0 123.123.123.123; 111.222.111.222-230 --excludefile textfile.txt

When doing large number of multiple host port scanning using nmap, a delay can also be specified like so

# nmap -v -P0 123.123.123-254.123-254 --scan-delay 5

Nmap is capable of reading IP address as a batch from text file. This can be done like so

# nmap -v -iL ip-address-text.txt

Nmap also supports resuming an aborted nmap scan by specifying nmap parameter like so

# nmap -v -P0 123.123.123.123-150 --resume

Nmap is so great and handy as it also supports MAC address spoofing for probing remote host. This can be specified using the below nmap argument

# nmap -v -P0 123.123.123.123 --spoof-mac 00:03:47:31:55:69

All nmap shown above were scanning IP address, since nmap knows any DNS presence, you can also specify hostname or domain name as a target remote host for scanning

# nmap -v -P0 my.domain.com

Timing values for nmap can also be specified. Timing nmap values can be useful for IDS alert from target hosts that usually takes longer results to appear. For such a long scan, you may prefer to set the exact timing values you need rather than rely on the canned -T0 and -T1 values. Other values are shown below:
0 1 2 3 4
-T
1 = Paranoid
2 = Sneaky
3 = Polite
4 = Normal
5 = Aggressive
6 = Insane

# nmap -P0 -T1 123.123.123.123

Source host port can also be spoofed trying to achieve same scanning effect from a cloned source host. This can also be specified with nmap as shown below

# nmap -p 110 123.123.123.123 --source-port 110

Generally, collecting opened ports from multiple target hosts can be redirected to physical file using linux I/O as well, this is when you are doing host port monitoring and gathering opened ports statistics in a long-term basis.

Nmap works like sending out a series of TCP and UDP packets to a target host and then examines the returning response bits coming from the target host. The response bits are also classified based on the specified arguments from the person doing the port scanning.

However each version of nmap keeps track of its own port database file. So, it is highly advisable to upgrade your nmap version. Upgrading of nmap package can be easily done like so

# yum -y update nmap

If you wish to know more of known linux defined service ports, you can see more /etc/services.

Basically, nmap offers more arguments depending on the needed nmap service. I find it quite handy, as it does the job very well specially when I need them so. Use nmap with your good thoughts of linux port scanning, and be careful with scanning target host, as you might leave a mark while you are scanning them too!

HTH