6/27/2011

NMAP 2


Let's use nmap to scan a machine and see how the results help us lock it down by stopping unused services (an attacker may exploit these services to attack the machine).



I scan my computer with the command nmap -sS localhost
Result:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
111/tcp  open  rpcbind
631/tcp  open  ipp
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

We see 4 open ports here, which means 4 services are running on my computer.
Let's get more information about these services.
1- SMTP uses port 25. If it is not used on your computer, shut it down by stopping its daemon (exim4 or postfix) with the command /etc/init.d/postfix stop

Let's scan again with nmap -sS localhost
Result:

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
631/tcp  open  ipp
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds



SMTP is gone.


2- rpcbind
Let's see what that is:

cat /etc/services | grep 111
Result:

sunrpc        111/tcp        portmapper    # RPC 4.0 portmapper
sunrpc        111/udp        portmapper 

Then try another command: netstat -ntlp | grep 111
Result:

tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2419/portmap

"LISTEN" means it is active and waiting for connections, so let's stop the portmap daemon:
/etc/init.d/portmap stop

Scanning again with nmap -sS localhost
Result:
 
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
631/tcp  open  ipp
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds  

portmap is gone too.

3- ipp

cat /etc/services | grep 631
Result:

ipp        631/tcp                # Internet Printing Protocol
ipp        631/udp
 
Then try another command: netstat -ntlp | grep 631
Result:

tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1197/cupsd

"LISTEN" means it is active, so let's shut it down:
/etc/init.d/cups stop


Scanning again with nmap -sS localhost
Result:


Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-28 00:51 EEST
Interesting ports on example (127.0.0.1):
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds   

It's better now (if you want to shut down HTTP, just stop its daemon, "apache").

Hint:
I used /etc/init.d/ here to stop and start daemons. Other Linux distributions may differ; for example, Red Hat or CentOS use /sbin/service httpd start to start the Apache (HTTP) server.
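
The two netstat checks in steps 2 and 3 show different bind addresses: portmap listens on 0.0.0.0 (all interfaces) while cupsd listens on 127.0.0.1 only, a difference that a scan of localhost cannot show. The script below is an added example, not part of the original post, that reads netstat -ntlp output and labels each listener; the smtp and http sample lines and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: the portmap and cupsd lines are the ones shown
# in this post; the port 25 and port 80 lines (PIDs, program names, bind
# addresses) are assumptions added so that all four services appear.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2419/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1197/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1500/master
tcp6       0      0 :::80                   :::*                    LISTEN      1800/apache2
EOF
}

# classify_listeners: read `netstat -ntlp` output on stdin and print
# "<port> <scope> <pid/program>" for every TCP socket in LISTEN state.
# scope is "loopback" when the socket is bound to 127.0.0.0/8 or ::1,
# and "exposed" when it is bound to any other address (0.0.0.0, ::, a LAN IP).
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]                      # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
        print port, scope, $7
    }' | sort -n
}

# exposed_ports: only the ports that other machines on the network can reach,
# joined on one line. These are the first candidates to stop or firewall.
exposed_ports() {
    classify_listeners |
        awk '$2 == "exposed" { out = out (out ? " " : "") $1 } END { print out }'
}

# Stand-alone run on the sample. On a real machine, run as root so the
# PID/program column is filled in:  netstat -ntlp | classify_listeners
sample_netstat | classify_listeners
```

On the sample, ports 25, 80 and 111 are reported as exposed and 631 as loopback, so cupsd was the least urgent of the four to stop.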
