I just wrote out a lengthy, detailed story about what is going on, and then when I went to post, I had apparently been logged out and it said I didn't have permission. So I'm going to try to summarize. I greatly appreciate any help someone can shine on this.
I am getting bursts (about 20-30) of pings from an outside address (3.0.1.128) with a destination of 28.164.4.176. The source appears to belong to General Electric in Fairfield, CT. The destination appears to belong to the Dept. of Defense Network Information Center in Columbus, OH. It looks like for some reason, my and my fiancé's iPhones (6, up to date on software, no jailbreak) are randomly being assigned that 3.0.1.128 address and that is when the pings come, and we occasionally lose connection. I have a Netgear 3000-100NAS modem/router. I have exchanged the gateway, to get a new MAC address, to force my ISP to issue a new public IP. The problem continued after this. The phone that gets the IP seems completely random. I am also being port scanned by Comcast's DNS. These pings are occasionally knocking us offline, and then it reconnects. The phone that picks up the address is seemingly random, but never both at the same time. Then after a few minutes they pick a local address from the DHCP.
On our network we have 2 laptops, an Xbox One, a Roku, and then our two smartphones. I basically just left out all of the storytelling and dealing with customer service, etc. If there is any more information I can provide, I will be glad to. I really hope someone can help.
nmap being used by Trinity in The Matrix to detect ssh running on a vulnerable node before launching an attack on the sshv1 CRC32 flaw and gaining root to shut down the power grid.

Hacker Fyodor (Gordon Lyon) wrote nmap to assist in port scanning and network analysis. He published the original source code in Phrack Magazine, Volume 7, Issue 51, Article 11, and now maintains the tool at Insecure.org. Security experts all over the world use nmap for simple network checks, detecting open ports and service versions; the NSA keeps a list of security tools and current versions, including nmap, Snort, and Nessus, up on the big board.

nmap does not only detect open ports; it detects services and operating system versions as well. You can use nmap to scan a default range of ports, or a specific subset; it can scan a single host, a range, or a set; and it can find out if hosts are up or down. nmap can become a powerful tool in the hands of a skilled user, for good or for evil.
The nmap network scanning tool supplies a diverse set of options to control its behavior. It can scan multiple hosts and host ranges; utilize various scanning techniques; identify operating systems and service versions; and even perform stealth scanning to avoid triggering certain IDS and IPS utilities.

First, let's cover some basic use of nmap. You should at the very least know how to scan hosts and check for specific ports; these fundamentals will show you what's open on the target network.

Basic use of nmap just involves scanning a target IP address or domain name. For example:
In this mode of operation, nmap shows the open ports and the common service carried on that port. nmap will not show services moved to other ports accurately; http on port 21 will read as ftp, for example.

You can specify multiple hosts on nmap's command line as well:

As you can see, my Web server exposes too many ports and my MySQL server has a weak firewall; I ran this scan from a DMZ, which has to go through the firewall to enter my network. Here we can see the power of nmap: I know I should switch my firewall to default deny and allow only the services needed through explicitly. nmap identifies filtered ports by a lack of response; closed ports send a TCP packet with a RST flag when you try to open them, indicating the server received the packet and would have allowed you to connect to any service listening on that port.

A useful option on the nmap command line is the 'Verbose' switch. Including -v or -vv on the command line will increase the amount of output nmap generates.
nmap allows you to use IP address targets for various sets and ranges based on a simple syntax.

x-y - Specify from x to y. nmap 192.168.0-1.1-2 will scan 192.168.0.1, 192.168.1.1, 192.168.0.2, and 192.168.1.2.
* - Replaced with 0-255. Your shell will probably expand an unquoted * into a bunch of file names, so just use 0-255.
x,y - Specify x and y. nmap 192.168.0.1,2,4 will scan 192.168.0.1, 192.168.0.2, and 192.168.0.4. Further, nmap 192.168.0.1-2,4 will scan the same set of hosts.
/n - Scan CIDR notated subnets. nmap 192.168.0.0/16 operates as nmap 192.168.0-255.0-255, for example.

You can combine these notations in any form you want. For example, if you wanted to scan a few subnets on 192.168.0.0/12, you could use nmap 192.168.0,16,64,96.0/4. Usually you will not want to do anything this drastic, and can stick to a single host; however, if you need it, you should know how to do it. Remember, nmap maps networks, not just hosts.
Scanning ports[edit]
-p
Sometimes you don't need to know everything open on a host; sometimes you just want to make sure proFTPd and Apache are up and the SMTP server hasn't died, and see if SSH is listening. For these situations, you can specify ports to scan. Port specification can be manipulated in the same way as target specification, using the x-y and x,y notations.
~$ nmap -p21-22,25,80,443 webserv1
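The target notation and the -p port notation above can be checked without running a scan by expanding them the way nmap does. The following Python is an added example written for this page, not nmap's own code; expand_targets and expand_ports are names chosen here, and the order in which the addresses come out is this script's, not nmap's.

```python
"""Expand nmap-style target and port specifications.

Added example for this page, not nmap's own code. The semantics follow the
notation described above (x-y, *, x,y and /n); the output order is this
script's, not nmap's.
"""
import ipaddress
from typing import Iterator, List, Set


def _expand_field(spec: str, upper: int) -> List[int]:
    """Expand one comma/range field such as '5', '0-3', '1,4,9-10' or '*'."""
    if spec == "*":
        return list(range(upper + 1))
    values: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i = int(lo) if lo else 0
            hi_i = int(hi) if hi else upper
        else:
            lo_i = hi_i = int(part)
        if not 0 <= lo_i <= hi_i <= upper:
            raise ValueError(f"range out of bounds: {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_targets(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by a target spec such as
    '192.168.0-1.1-2', '192.168.0.1,2,4' or '10.0.0.5/30', without duplicates.

    A '/n' suffix is applied to each address produced by the octet ranges,
    so '192.168.0.0/16' covers the same hosts as '192.168.0-255.0-255'.
    """
    host, _, prefix = spec.partition("/")
    octets = host.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected a dotted quad, got {host!r}")
    seen: Set[str] = set()
    for a in _expand_field(octets[0], 255):
        for b in _expand_field(octets[1], 255):
            for c in _expand_field(octets[2], 255):
                for d in _expand_field(octets[3], 255):
                    addr = f"{a}.{b}.{c}.{d}"
                    if prefix:
                        # strict=False lets a host address stand in for its network;
                        # iterating the network includes the .0 and broadcast
                        # addresses, which nmap scans as well.
                        net = ipaddress.ip_network(f"{addr}/{int(prefix)}", strict=False)
                        candidates = (str(ip) for ip in net)
                    else:
                        candidates = iter((addr,))
                    for cand in candidates:
                        if cand not in seen:
                            seen.add(cand)
                            yield cand


def expand_ports(spec: str) -> List[int]:
    """Expand a -p list such as '21-22,25,80,443' into sorted unique ports.

    Ports use the same x-y and x,y notation as targets; an open-ended range
    such as '-' (all ports) or '1024-' (1024 and up) is also accepted.
    """
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if part == "-":
            ports.update(range(1, 65536))
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i = int(lo) if lo else 1
            hi_i = int(hi) if hi else 65535
        else:
            lo_i = hi_i = int(part)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"port range out of bounds: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)


if __name__ == "__main__":
    for target in ("192.168.0-1.1-2", "192.168.0.1,2,4", "192.168.0.1-2,4", "10.0.0.5/30"):
        print(f"{target:18} -> {sorted(expand_targets(target), key=ipaddress.ip_address)}")
    print("-p21-22,25,80,443 ->", expand_ports("21-22,25,80,443"))
```

expand_targets is a generator, so a spec like 192.168.0.0/16 is consumed lazily rather than materialised; counting the result of a combined spec before scanning is a cheap way to notice that a notation covers far more hosts than intended.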
Scanning ports including Service Version (-sV)[edit]
-p and -sV (service version) includes service versions for the scanned ports:
~$ nmap -sV -p21-22,25,80,443 host1.example.com
Basic Network ping Scanning[edit]
-sn, previously (and now deprecated) -sP
Basic network ping scanning for discovering hosts responding to ICMP echo requests (ping).
~$ nmap -sn 192.168.0.*
Service Scans[edit]
-sV, -A
nmap has the ability to do service scans and RPC grinding; in other words, it can tell you what high level protocol, application, version, version of libssl if the service supplies an SSL connection, etc., listens on a port instead of matching the port number to the common service. nmap also uses an RPC grinder, which makes RPC connections to ports running an RPC service; typically a single RPC portmapper port tells you which ports run RPC, but if the firewall blocks that then nmap will find it itself.
Let's take a look first at a scan against the server behind me. This server provides a profoundly good example because I've configured it to let me poke holes in my college's firewall, and thus it looks really strange. A typical nmap scan comes out well enough:

The above shows FTP, DNS, hosts2-ns, HTTP/SSL, and Microsoft Directory Services (Active Directory). We can take a closer look with an nmap service scan using -sV. The below output gives us something quite different.

So it seems this server really has Apache serving http on two ports; OpenSSH serving over the FTP, DNS, and HTTPS ports; and Samba providing SMB connections. Further, we can see that the server uses SSH 2.0 protocol on OpenSSH 4.3p2 Debian 5ubuntu1, a native Ubuntu .deb rather than a custom build. We can guess with relative accuracy that this server runs Ubuntu, even without an OS scan; either that or the administrator really doesn't have a clue what he's doing, or has managed to change banners with a rewrite proxy to fool us.

Worth noting, the -A switch activates service scanning as well.
You can run many types of advanced port scans with nmap. Aside from the standard connect() port scan, nmap requires root access to perform these advanced scans because it needs to create raw sockets and construct raw TCP/IP packets.
Using nmap with root (-A)[edit]
The nmap program obtains different information with and without root access. With root access, nmap can perform advanced TCP/IP scans; operating system detection; and MAC address identification.

First, let's check out a normal user utilizing nmap with the -A option. nmap -A activates operating system and service scanning, in the same way as nmap -O -sV. Operating system detection requires root access, so for a normal user OS detection won't work at all. I've performed the below scan against a Linksys WRT54G wireless router.

As you can see, nmap simply skips the OS detection phase. When we put nmap into operation as root, however, we see that it can also look up a lot more information. Below, we see it discovered the MAC address and identified the vendor owning that MAC space; the operating system and details about the OS; the uptime; and the network distance. It also gave us a device type; nmap sees a Linux OS used for desktops, wireless routers, or network storage, and thus classifies the device as either general purpose, WAP, or storage.

nmap becomes much more powerful with root access; however, for security reasons you should not haphazardly give nmap the SUID permission. You can allow users to run nmap specifically via sudo, but be aware that anything that allows a user to gain root access (SUID bits, sudo, etc.) represents a security risk.
Operating system detection[edit]
-O
The -O switch enables nmap operating system detection. OS detection attempts to use characteristics of the target's TCP/IP stack to fingerprint the remote operating system; usually it can identify Linux, Windows, and BSD, and find a general range of versions and families like Windows NT/XP or 95/98/ME. A typical OS detection scan looks like the below.
TCP connect() Scan[edit]
-sT
nmap allows a TCP connect() scan in all cases, administrative access or not; when you specify other scan types without root access, nmap automatically substitutes this scan type.

In this scanning mode, nmap opens a connection to the port in the same way a Web browser or FTP client does and checks to see how the TCP/IP stack responds. The following results arise from this scan:

open - nmap was able to complete a connection, and then closed it.
closed - nmap tried to connect and got an error informing it that the port was closed (the OS got a RST packet).
filtered - nmap tried to connect and the OS gave it some other error, like host or port unreachable or connection time-out.

TCP connect() scans work with all privilege levels, but can execute slowly and produce excess packets. They also usually create more logs on the target, and can crash really poorly programmed services.
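To make the three connect() outcomes concrete, and to show why this scan type leaves log entries on the target, here is an added Python example (not part of the original page and not nmap code) that runs a connect() probe against a listener on 127.0.0.1. The listener records each accepted connection, which is exactly what a real service's access log would show; start_logging_listener, connect_probe and demo are names chosen for this example.

```python
"""A minimal TCP connect() probe against a local listener.

Added example for this page, not nmap's code. It shows how a connect() scan
turns the kernel's answer into open/closed/filtered, and why the target can
log it: the listener below records every connection it accepts, just as a
real service's access log would.
"""
import errno
import socket
import threading
import time
from typing import Dict, List, Tuple


def start_logging_listener() -> Tuple[socket.socket, List[str]]:
    """Listen on 127.0.0.1 (kernel-chosen port) and record each accepted peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    log: List[str] = []

    def serve() -> None:
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listener socket was closed
                return
            log.append(f"accepted connection from {peer[0]}:{peer[1]}")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, log


def connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one port the way a connect() scan does.

    A completed three-way handshake means 'open'; ECONNREFUSED is the RST the
    page describes for a closed port; a timeout or unreachable error gives no
    evidence either way, so it is reported as 'filtered'.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            rc = s.connect_ex((host, port))  # 0 on success, else an errno value
    except OSError:  # e.g. socket.timeout
        return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def demo() -> Dict[str, object]:
    """Probe one open and one closed local port; return verdicts and the listener log."""
    srv, log = start_logging_listener()
    open_port = srv.getsockname()[1]
    # Obtain a port that is currently closed: bind a throwaway socket, note its
    # port, and release it before probing.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    verdicts = {
        "open_port": connect_probe("127.0.0.1", open_port),
        "closed_port": connect_probe("127.0.0.1", closed_port),
    }
    time.sleep(0.2)  # give the accept thread time to record the handshake
    srv.close()
    return {"verdicts": verdicts, "listener_log": list(log)}


if __name__ == "__main__":
    result = demo()
    print(result["verdicts"])
    for entry in result["listener_log"]:
        print("target log:", entry)
```

Run as-is it prints the two verdicts and one listener log entry. That entry is the point of the remark about logs: the handshake completes, so the application reaches accept() and can record the connection, whereas a SYN scan is torn down before the application ever sees it.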
TCP SYN Scan[edit]
-sS
The nmap TCP SYN scan uses a simple SYN packet to connect to a port to determine its status. nmap uses this by default whenever it has raw socket privileges.

The TCP SYN scan sends a SYN packet as if opening a connection, and checks the result. The following statuses come from this test:

open - nmap got a SYN/ACK from the host on that port. nmap does not have to take further action; the OS has no record of the connection, and responds to the SYN/ACK with a RST, tearing down the connection on the target.
closed - nmap got a RST from the host on that port.
filtered - nmap got something else, or nothing.

TCP SYN scans execute very quickly, create fewer logs, and act in a more stealthy manner.

You can use nmap to penetrate firewalls as well. nmap can perform scans useful for determining whether a firewall uses stateful filtering or not, and which ports a firewall allows through. You can scan targets behind the firewall with this and discover the firewall rules, allowing more targeted scans and possibly evading firewall logging.
TCP ACK Scan[edit]
-sA
Unfortunately, if you scan through certain IPS or IDS machines, you get loads of fluff from proxy ports. This presents a minor annoyance. I had to trim the output below, as it contained thousands of lines of text. I've obscured the host I scanned below; I had chosen a live machine on the Internet to scan for this, because I don't have the IPS hardware they use.

Fortunately, you can perform a stealth scan to evade this; unfortunately, stealth scans take an order of magnitude longer. Usually a polite scan will do the trick; it sends only 150 packets/minute.
~$ nmap -T polite %%%
The -T option takes one of the following arguments, given by name or number:

paranoid (0) - No parallel scanning. 5 minutes between sending packets.
sneaky (1) - No parallel scanning. 15 seconds between sending packets.
polite (2) - No parallel scanning. 0.4 seconds between sending packets.
normal (3) - Default scanning. Tries to be very fast without overloading the network.
aggressive (4) - Faster than normal, but loads the network.
insane (5) - Parallel scans, times out hosts in 15 minutes, won't wait more than 0.3 seconds for an individual probe. Loses a lot of information.

nmap also provides options to control scan time-outs. Combining these with the above provides more fine-tuned scans, for example a scan doing 100 packets per minute:
~$ nmap -T sneaky --scan_delay 600
Let's try the above scan again, politely.
As we can see, this scan takes 693 seconds instead of 23, 30 times longer.
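From the defender's side, the timing templates above matter because a -T polite or -T sneaky scan spreads its probes thinly enough to slip under a simple per-minute threshold, and a SYN scan leaves fewer application logs than a connect() scan, so firewall or flow logs are usually the place to look. The following Python is an added example, not from the original page or from nmap, that runs two rules over constructed log lines: a short-window rule that catches the 150 packets/minute polite scan, and a long-window rule that catches the 15-second sneaky scan. The log format, the documentation-range source addresses and the two thresholds are all assumptions of this example.

```python
"""Spot fast and slow port scans in connection logs.

Added example for this page, not nmap's or any vendor's code. The log format
(ISO timestamp, SRC=, DPT=), the documentation-range addresses and the two
thresholds are assumptions made here; the sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from typing import Dict, List, Tuple

LOG_RE = re.compile(r"^(\S+) SRC=(\S+) DPT=(\d+)$")
Event = Tuple[datetime, int]

# Rule thresholds: (distinct destination ports, window). The short window
# catches a -T polite scan (0.4 s per probe); the long one catches -T sneaky
# (15 s per probe), which stays under the short-window threshold.
FAST_RULE = (20, timedelta(minutes=1))
SLOW_RULE = (15, timedelta(hours=24))


def build_sample_log() -> str:
    """Construct log lines: a polite scanner, a sneaky scanner, and a normal client."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines: List[str] = []
    for port in range(1, 26):  # 25 ports, 0.4 s apart (-T polite pace)
        ts = base + timedelta(seconds=0.4 * (port - 1))
        lines.append(f"{ts.isoformat()} SRC=203.0.113.7 DPT={port}")
    for port in range(1, 26):  # 25 ports, 15 s apart (-T sneaky pace)
        ts = base + timedelta(seconds=15 * (port - 1))
        lines.append(f"{ts.isoformat()} SRC=198.51.100.9 DPT={port}")
    for hour, port in ((9, 80), (12, 443), (15, 80)):  # ordinary web client
        ts = datetime(2024, 1, 1, hour, 0, 0)
        lines.append(f"{ts.isoformat()} SRC=192.0.2.5 DPT={port}")
    return "\n".join(lines)


def parse_log(text: str) -> Dict[str, List[Event]]:
    """Group (timestamp, port) events by source address, sorted by time."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines in some other format
        events[m.group(2)].append((datetime.fromisoformat(m.group(1)), int(m.group(3))))
    for evts in events.values():
        evts.sort()
    return dict(events)


def max_distinct_ports(evts: List[Event], window: timedelta) -> int:
    """Largest number of distinct ports one source touched inside any `window`."""
    best, lo = 0, 0
    in_window: Dict[int, int] = {}
    for ts, port in evts:
        in_window[port] = in_window.get(port, 0) + 1
        while ts - evts[lo][0] > window:  # slide the left edge forward
            old = evts[lo][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            lo += 1
        best = max(best, len(in_window))
    return best


def classify_sources(events: Dict[str, List[Event]]) -> Dict[str, str]:
    """Label each source 'fast scan', 'slow scan' or 'normal'."""
    verdicts: Dict[str, str] = {}
    for src, evts in events.items():
        if max_distinct_ports(evts, FAST_RULE[1]) >= FAST_RULE[0]:
            verdicts[src] = "fast scan"
        elif max_distinct_ports(evts, SLOW_RULE[1]) >= SLOW_RULE[0]:
            verdicts[src] = "slow scan"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_log(build_sample_log())).items():
        print(f"{src:15} {verdict}")
```

With the sample log, the sneaky source never exceeds five distinct ports in any one-minute window, so only the 24-hour rule catches it; the trade-off is that a long window also accumulates benign clients that legitimately touch many ports, so the slow threshold needs tuning against real traffic before it is used for alerting.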