Bandwidth doesn't seem to be the problem.
$ host voat.co
voat.co has address 91.250.84.85
$ host 91.250.84.85
85.84.250.91.in-addr.arpa domain name pointer rs213611.rs.hosteurope.de.
$ ping 91.250.84.85
PING 91.250.84.85 (91.250.84.85): 56 data bytes
64 bytes from 91.250.84.85: icmp_seq=0 ttl=116 time=25.273 ms
64 bytes from 91.250.84.85: icmp_seq=1 ttl=116 time=26.345 ms
64 bytes from 91.250.84.85: icmp_seq=2 ttl=116 time=26.850 ms
64 bytes from 91.250.84.85: icmp_seq=3 ttl=116 time=25.089 ms
^C
--- 91.250.84.85 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 25.089/25.889/26.850/0.733 ms
The address points to a hoster in a datacenter in Germany. The ping is steady, around 26 ms from here in the Netherlands.
$ sudo nmap -sS -O 91.250.84.85
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-11 16:34 CEST
Nmap scan report for rs213611.rs.hosteurope.de (91.250.84.85)
Host is up (0.0084s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
554/tcp  open  rtsp
1433/tcp open  ms-sql-s
3389/tcp open  ms-wbt-server
7070/tcp open  realserver
8443/tcp open  https-alt
I see some Microsoft ports open, and on port 8443 runs Plesk for Windows. It seems to be just a simple server, and on Windows. That's asking for problems imho. They became "slashdotted" and could have prevented it by using Varnish and/or NGINX with caching enabled and tuned.
WOW. I never thought anyone would upstage Hackers (1996) for lack of realism!
Aside from Matrix Reloaded, are there any movies out there that do it even close to correct?
For those who are unaware, despite the piles of nonsense of Matrix Reloaded, they did a great job with the real world hacking. In the scene where Trinity breaks into the power grid servers, she uses nmap to scan for vulnerabilities, finds that it is running an old version of SSH, then uses a real exploit called sshnuke to reset the root password. Though the vulnerability had been fixed for a few months by the time the movie came out, there is a good chance low security government servers had yet to be patched.
http://nmap.org/images/matrix/trinity-nmapscreen-hd-crop-1200x728.jpg
Credit to u/calrogman for finding this. From apply_delayed_options() in nmap.cc:
> if (o.verbose) {
>   if (local_time->tm_mon == 8 && local_time->tm_mday == 1) {
>     log_write(LOG_STDOUT | LOG_SKID, "Happy %dth Birthday to Nmap, may it live to be %d!\n",
>               local_time->tm_year - 97, local_time->tm_year + 3);
>   } else if (local_time->tm_mon == 11 && local_time->tm_mday == 25) {
>     log_write(LOG_STDOUT | LOG_SKID, "Nmap wishes you a merry Christmas! Specify -sX for Xmas Scan (http://nmap.org/book/man-port-scanning-techniques.html).\n");
>   }
> }
Not Foscam for once :)
root@raspberrypi ~ # nmap -PN 10.100.100.10
Starting Nmap 6.00 ( http://nmap.org ) at 2015-09-28 01:13 UTC
Nmap scan report for Foscam-[Redacted]
Host is up (0.064s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 48:02:[Redacted] (B-Link Electronic Limited)
Nmap done: 1 IP address (1 host up) scanned in 4.92 seconds
root@raspberrypi ~ #
Windows firewall does a better job than Linux in some cases. For example when someone is running a port scan it won't respond to some type of hidden scans like FIN scans. http://nmap.org/nmap_doc.html
Some people do
yum install nmap
or
wget http://nmap.org/dist/nmap-5.61TEST2.tgz
tar -zxvf nmap-5.61TEST2.tgz
cd nmap-5.61TEST2
./configure
make
sudo make install
Edit: Fixed because I didn't actually try to run the second way.
[gordie@maple02]~% nmap whitehouse.gov
zsh: no manners found: nmap whitehouse.gov
[gordie@maple02]~% please nmap whitehouse.gov
Starting Nmap 6.40 ( http://nmap.org ) at 2015-10-23 05:36 NST ...
I did some superficial research into the server this announcement was posted on.
~# nmap -F -P0 -O terathon.com
Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-12 22:34 CST
Nmap scan report for terathon.com (69.175.14.218)
Host is up (0.035s latency).
rDNS record for 69.175.14.218: server.terathon.com
Not shown: 86 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
[... snip ...]
995/tcp  open  pop3s
3306/tcp open  mysql
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.27
Network Distance: 15 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.08 seconds
Seems to be working okay for a "[...]disparate array of barely functioning parts with horrible reliability and little potential[...]".
There's the film "The Girl with the Dragon Tattoo" where we see a couple of scenes of the main character using Nmap along with Terminal and, I believe, a couple of instances of SSH. It's probably, in my opinion, one of the few films I can think of where they actually get hacking right. None of the Hollywood CGI crap.
Not sure if this counts, but I would also add The Social Network as a film that at least tries to get the tech stuff right, especially with the scenes involving Jesse Eisenberg using KDE.
EDIT: For anyone wanting to know an example, here's a scene from "The Girl with the Dragon Tattoo": http://nmap.org/images/gwtdt/gwtdt-nmap-screen.jpg
You are incorrect, it is not.
http://nmap.org/book/legal-issues.html
>After all, no United States federal laws explicitly criminalize port scanning. A much more frequent occurrence is that the target network will notice a scan and send a complaint to the network service provider where the scan initiated (your ISP). Most network administrators do not seem to care or notice the many scans bouncing off their networks daily, but a few complain.
She used a real version of a real tool (http://nmap.org) to discover the exploit existed, then she used a fictional tool (sshnuke) to exploit the real ssh1 CRC32 vulnerability which had been found and fixed some time before the movie was released.
Fixed formatting.
>nmap -Pn 65.96.124.4
Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-19 01:50 Eastern Daylight Time
Nmap scan report for c-65-96-124-4.hsd1.ma.comcast.net (65.96.124.4)
Host is up.
All 1000 scanned ports on c-65-96-124-4.hsd1.ma.comcast.net (65.96.124.4) are filtered
Nmap done: 1 IP address (1 host up) scanned in 202.01 seconds
So, the host is up, but the ports are filtered... hmm...
Never mind that an IPMI card should never be on the Internet without a strict firewall in front of it.
With the reference implementation of NTP, which just about everyone uses, there's no difference between the client and the server. It's the same software, with the same (or largely similar) config.
If you want to scan your own network(s) for vulnerable systems, there's an nmap script that can help.
:/
skaverat:~/ $ nmap -p22 --open -sV 197.213.63.32/29
Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-20 15:47 CET Nmap done: 8 IP addresses (0 hosts up) scanned in 5.10 seconds
"Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing."
"Needing to hack the city power grid, she [Trinity] whips out Nmap version 2.54BETA25, uses it to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 exploit from 2001"
I'm not sure that'll work
$ nmap -p443 webcdn.pathofexile.com
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-15 13:20 CEST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 50.00% done; ETC: 13:20 (0:00:00 remaining)
Nmap scan report for webcdn.pathofexile.com (69.16.175.42)
Host is up (0.027s latency).
Other addresses for webcdn.pathofexile.com (not scanned): 69.16.175.10
rDNS record for 69.16.175.42: hwcdn.net
PORT    STATE    SERVICE
443/tcp filtered https
Plus, the issue is that these IP's are probably shared with other customers, and unfortunately you can't use SNI as long as you have people still on Windows XP, which, I think you guys do have (from some DirectX discussion somewhere).
So the only real way to fix this is to not do this:
;; ANSWER SECTION: webcdn.pathofexile.com. 165 IN CNAME cds.p7p4m6s5.hwcdn.net.
And instead directly link to
https://p7p4m6s5.ssl.hwcdn.net
Like you do on other parts of the site. And you really should do that btw, and then set the upgrade insecure requests header.
Please tell me where to send the invoice to :P
There's published attacks against WPA(2) + TKIP.
Switch to CCMP (AES) with a new passphrase just to be sure.
The "to attack other users" part in their message suggests it's a flaw in your router.
Find your "public" IP address, then run nmap against it.
The following commands should do it:
nmap -P0 -p1-65535 YOUR_PUBLIC_IP
nmap -P0 -sU -p1-65535 YOUR_PUBLIC_IP
They'll give you a list of ports open at the firewall.
Any of the following being open would warrant a support ticket with the router's manufacturer, as there either is a flaw in their system, or you need help with properly setting it up:
udp/53 udp/123 udp/161 udp/162
Depending on the router's security policy, you may have to run the scan from outside your own network to get accurate results.
> Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-25 20:25 EEST
> Nmap scan report for client.thehost.com.ua (91.234.34.114)
> Host is up (0.018s latency).
> Not shown: 997 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 53/tcp filtered domain
> 8888/tcp open sun-answerbook
Tried connecting to his proxy
> Access denied
> The administrator of this proxy has not configured it to service requests from your host.
> Generated by tinyproxy version 1.8.3.
Their private proxy? Maybe other trolls are hanging off it too.
Nmap did.
http://nmap.org/book/legal-issues.html
>Reports of systems being crashed by Nmap are rare, but they do happen. Many of these systems were probably unstable in the first place and Nmap either pushed them over the top
Several of these systems are old and crash prone.
He's right.
>We have all seen many movies like Hackers which pass off ridiculous 3D animated eye-candy scenes as hacking. So Fyodor was shocked to find that Trinity does it properly in The Matrix Reloaded. Needing to hack the city power grid, she whips out Nmap version 2.54BETA25, uses it to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 exploit from 2001. Shame on the city for being vulnerable (timing notes).
A video of the exploit is available on YouTube or as matrix-nmap.mp4. Click on the following thumbnails for higher resolution or view more pictures here.
Banners are general information given out by a program running on a networking port that indicates the program name and version. This page should help you where you need to go. http://nmap.org/book/osdetect-usage.html
This computer you can get remote access to is plugged into the switch in question, yes? And the IPs are the only thing that changed, no new VLANs or anything? I'd suggest adding a secondary IP in .1.0/24 to the computer you can get to, and then using nmap (http://nmap.org/) or a broadcast ping to .1.255 to see if anything responds. I assume forward or reverse DNS is too much to hope for?
Mostly true, but not completely! Random kinda-cool fact: in The Matrix Reloaded, I think in the scene where they break into a power facility (?) you can see Trinity on a laptop trying to hack using a program called Nmap... a pretty realistic portrayal of hacking, actually.
Well it obviously died then didn't it.
It's not a good idea to think of "Mirrors" being available for these. If anything, they are the mirrors. Albeit unintentionally.
Which is also why this one has gone away.
[09:05:08 fb@edge01:~ ] # host home.innet.pro home.innet.pro has address 95.73.137.183
The host actually still exists and resolves.
[09:01:03 fb@edge01:~ ] # nmap -Pn home.innet.pro -p 21,80,443
Starting Nmap 6.40 ( http://nmap.org ) at 2018-08-28 09:05 AEST
Nmap scan report for home.innet.pro (95.73.137.183)
Host is up.
PORT    STATE    SERVICE
21/tcp  filtered ftp
80/tcp  filtered http
443/tcp filtered https
But it no longer has any open ports. Either the IP was changed or, the more likely answer, the hosting webserver was taken down or told not to listen publicly.
Not sure where you got this from, but it is incorrect. '-lvp' is used to set up a listener (l) in verbose mode (v) on a specified port (p).
example:
nc -lvp 8080
would set up a listener on port 8080.
Source: https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
Edit: Example output:
[user@server ~]$ nc -lvp 8080
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
What if this is a job application to be a consultant on Season 2?
sudo nmap -Pn -sS 67.228.205.169
yields:
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-16 11:29 EDT
Nmap scan report for hs27.name.com (67.228.205.169)
Host is up (0.084s latency).
Not shown: 988 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
80/tcp   open   http
110/tcp  open   pop3
143/tcp  open   imap
443/tcp  open   https
465/tcp  open   smtps
587/tcp  open   submission
993/tcp  open   imaps
995/tcp  open   pop3s
8888/tcp closed sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 8.73 seconds
AnswerBook had a vuln a few years back. If we're meant to break in, this might be a way in, assuming it's running an old version.
> The older Diebold machines had a plasma torch vulnerability that allowed a thief to open the safe after about 30 seconds of work.
This makes me wonder if there's a fulldisclosure mailing list for physical security devices.
There's actually a VERY realistic hacking scene in the Matrix 2 (where they hack the powerplant). They actually use a real network mapper (the very popular Nmap) and show an exploit against a real vulnerability in SSHv1 (CVE-2001-0144).
The rest of the movie is nonsense of course, which is why it's so ironic that that particular movie has one of the more realistic hacking scenes out there.
See this page for more info on the scene from the author of Nmap.
Run a brute force/dict attack using a password database. http://nmap.org/nsedoc/scripts/telnet-brute.html You could also install nessus and run it to see if the surveillance system is vulnerable to any known exploits. Then install Metasploit, read up on the exploits and how to execute them. Obtain root escalation and change telnet password
I am surprised that no one has mentioned this even though this is more of a security type issue. That you might want to use a tool like NMAP. You can specify the range of IP's you want to scan. If you are on your own network segment that's part of a larger WAN you can scan your range of IP's for your part of the network, and it shouldn't cause issues across the WAN.
Is there a particular service that you can check for that's open to public interfaces? I'd fire up nmap and scan your block. If you have something specific to check for that's probably best, otherwise scan all the privileged ports and see what comes up.
How things in buffalo? Well done my friend ( ͡° ͜ʖ ͡°)
PING 45.46.xxx.xxx (45.46.xxx.xxx) from xx.xx.xx.xx: 56 data bytes
--- 45.46.xxx.xx ping statistics --- 10 packets transmitted, 0 packets received, 100.0% packet loss
Running: /usr/local/bin/nmap -sS -sV -O -e em0 '45.46.xxx.xxx'
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 0x:29
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.59 seconds
Absolutely. Use whatever interface monitoring tool you want (tcpdump, wireshark, etc...).
from scapy.all import rdpcap
pckt_array = rdpcap("/path/to/fragment_scan.pcap")
Then you can roll through the array objects (each packet) with pckt_array[0], pckt_array[1], etc...
--You can cut down a lot of manual searching by using a good capture filter--
... You can also manipulate and then forward on packets in-script using the lfilter value passed to the sniff function.
It will respond with a RST packet. I was pretty sure this was the case but could not find a source; then I remembered Nmap's idle scan.
"A machine that receives an unsolicited SYN/ACK packet will respond with a RST. An unsolicited RST will be ignored."
Source:
Here's what I've got so far:
Seems to be a home based setup. Ran NMAP against it:
HTTPs requires client based certificate auth.
FTP doesn't respond to anonymous requests.
Interesting...
Starting Nmap 6.00 ( http://nmap.org ) at 2014-05-22 16:11 IST
Nmap scan report for john.com (162.252.156.212)
Host is up (0.16s latency).
rDNS record for 162.252.156.212: perfora.net
Not shown: 995 filtered ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     ProFTPD
22/tcp  open  ssh     Linksys WRT45G modified dropbear sshd (protocol 2.0)
| ssh-hostkey: 1024 34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6 (DSA)
80/tcp  open  http    Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: John.com
81/tcp  open  http    Apache httpd
| http-auth:
| HTTP/1.1 401 Authorization Required
|   Basic realm=WebDAV
|_http-title: 401 Authorization Required
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
443/tcp open  http    Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: John.com
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc
Running (JUST GUESSING): Linksys Linux 2.6.X (86%)
There's a scene in Matrix where Trinity uses nmap to find a vulnerable SSH server. She then uses a known SSH overflow attack to execute arbitrary code to gain root access. Here is some more info.
I would say you have a socket open (a live connection with an IP address and a port -- TCP state ESTABLISHED), not a port open. If you nmap it, it will say that the port is closed (to new connections) even if there is a live connection on that port.
To me "open" means accepting (TCP state LISTENING) or passing (in the case of a firewall) new inbound connections.
I'm not saying you can't use the term that way. I'm saying that I would not use the term that way because I think it's confusing.
tcp        0      0 0.0.0.0:22        0.0.0.0:*          LISTEN
tcp        0      0 10.1.20.49:22     10.1.20.18:50734   ESTABLISHED
Port 22 is open on the first line. I don't know anyone who would say that port 50734 is open.
The socket 10.1.20.18:50734 is open in the sense that it's an active connection.
[root@backup oid]# nmap 10.1.20.18 -p 50734
Starting Nmap 6.40 ( http://nmap.org ) at 2017-10-17 09:10 MDT
Nmap scan report for ldillon-win10.tech-time.local (10.1.20.18)
Host is up (0.00025s latency).
PORT      STATE  SERVICE
50734/tcp closed unknown
MAC Address: AC:16:2D:02:EE:E4 (Hewlett Packard)
Nmap done: 1 IP address (1 host up) scanned in 11.10 seconds
Matrix Reloaded also features rather realistic depiction of a hack in a scene where Trinity abuses a circa 2001 SSH exploit. There's a nice list of movies that feature the abuse of a popular network scanning tool called nmap here.
Something is odd on the modem. My C1000 only shows these on /proc/net/tcp:
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:AD71 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 213 1 81ee5a20 299 0 0 2 -1
   1: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13691 1 81ee5180 299 0 0 2 -1
   2: 00000000:1537 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 126364498 1 81ee4040 299 0 0 2 -1
   3: 00000000:C117 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13690 1 81ee55d0 299 0 0 2 -1
And yet scanning it with NMAP (on the LAN side) shows all this open:
Starting Nmap 6.40-2 ( http://nmap.org ) at 2014-04-28 23:26 PDT
Nmap scan report for 192.168.0.1
Host is up (0.020s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
4567/tcp open  tram
5431/tcp open  park-agent
That isn't right. The /proc/net/tcp isn't even showing my open telnet connection. It is just showing listening on Port 53, 44401, 5431 and 49431. I'm confused...
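As an added illustration (my own code, not from either poster), here is a small Python decoder for /proc/net/tcp that turns the kernel's hex host-order addresses, hex ports and hex state codes into readable form. It is fed the four entries quoted above plus one constructed ESTABLISHED entry modelled on the netstat lines in the earlier comment (10.1.20.49:22 to 10.1.20.18:50734), so it also shows the distinction that comment draws between a listening port and a live connection. The state table is the standard Linux one; the inode column index assumes the standard /proc/net/tcp layout.

```python
"""Decode /proc/net/tcp: the kernel prints IPv4 addresses as hex words in host
byte order, ports as hex, and the socket state as a hex code.  Added example."""
import socket
import struct

# Socket state codes used in the 'st' column (Linux tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# The four entries quoted from the modem above, plus one constructed
# ESTABLISHED entry (10.1.20.49:22 <-> 10.1.20.18:50734) that mirrors the
# netstat lines from the earlier comment.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:AD71 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 213 1 81ee5a20 299 0 0 2 -1
   1: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13691 1 81ee5180 299 0 0 2 -1
   2: 00000000:1537 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 126364498 1 81ee4040 299 0 0 2 -1
   3: 00000000:C117 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13690 1 81ee55d0 299 0 0 2 -1
   4: 3114010A:0016 1214010A:C62E 01 00000000:00000000 00:00000000 00000000     0        0 99999 1 81ee6000 20 4 30 10 -1
"""


def decode_endpoint(hex_endpoint):
    """'3114010A:0016' -> ('10.1.20.49', 22)."""
    ip_hex, port_hex = hex_endpoint.split(":")
    # The address is a 32-bit word in host order; on little-endian CPUs the
    # printed bytes are reversed, and '<I' packs them back into network order.
    packed = struct.pack("<I", int(ip_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line: local, remote, state, inode."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "sl":      # blank line or column header
            continue
        sockets.append({
            "local": decode_endpoint(parts[1]),
            "remote": decode_endpoint(parts[2]),
            "state": TCP_STATES.get(parts[3].upper(), "UNKNOWN(" + parts[3] + ")"),
            "inode": int(parts[9]),             # inode column of the standard layout
        })
    return sockets


def listening_ports(text):
    """Ports that accept new inbound connections (what nmap reports as open)."""
    return sorted(s["local"][1] for s in parse_proc_net_tcp(text)
                  if s["state"] == "LISTEN")


def established_connections(text):
    """Live connections: open sockets, but not listening ports."""
    return [(s["local"], s["remote"]) for s in parse_proc_net_tcp(text)
            if s["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    print("listening:", listening_ports(SAMPLE_PROC_NET_TCP))
    print("established:", established_connections(SAMPLE_PROC_NET_TCP))
```

On the quoted entries this yields listening ports 53, 5431, 44401 and 49431, which matches the poster's reading, and the constructed line decodes as a single established connection whose ephemeral port 50734 is not a listener, which is exactly why nmap reported it closed in the earlier comment.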
Nmap is by far the best tool to discover hosts on a network. What problems are you having?
Simple ping scan of network: nmap -PE <network range>
This should be a pretty decent scan for clients on a LAN.
Simple List scan: nmap -sL <network range>
This will give you a list of hosts with a reverse DNS check for host names. It sends no packets, only receives.
You might try reading this section of the Nmap manual: http://nmap.org/book/man-host-discovery.html
Look into a program called Nmap. It should be able to do what you want. Here is a link to the reference guide on their website: http://nmap.org/book/man.html - I do believe it will do what you want (or at least get you started), but it can be a little complicated. Spend some time learning its syntax and give it a shot. Report back and let us know if you were successful, or if you run into trouble.
EDIT: There are a couple other programs I remembered. Wireshark is one; it is also very powerful and might accomplish what you want. Check out this list for some more ideas: http://sectools.org/tag/sniffers/
> 9gag doesn't even listen on port 80
Orly?
$ nc 9gag.com 80 -vv
Connection to 9gag.com 80 port [tcp/www] succeeded!
^C
$ nmap 9gag.com -p80
Starting Nmap 5.21 ( http://nmap.org ) at 2012-09-05 10:22 CEST
Nmap scan report for 9gag.com (204.236.130.234)
Host is up (0.18s latency).
rDNS record for 204.236.130.234: ec2-204-236-130-234.us-west-1.compute.amazonaws.com
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
$
Every webserver on the internet listens on port 80, google probably won't even consider looking at a website that isn't on port 80.
I tried and it asked for a password. I tried using a few episode names, but it ended up refusing my connection after 3 failures. Any thoughts?
Quick edit, nmap results if they're useful to anyone smarter than me:
Starting Nmap 6.40 ( http://nmap.org ) at 2015-08-16 10:57 EDT
Nmap scan report for samsepiol.com (67.228.205.169)
Host is up (0.11s latency).
rDNS record for 67.228.205.169: hs27.name.com
Not shown: 995 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
80/tcp closed http
443/tcp closed https
8888/tcp closed sun-answerbook
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.38
Embedded devices frequently have abysmal security. Manufacturers often don't bother securing anything - in some cases there's no password, or the password is validated on the client side (which is basically the same as not having a password). This doesn't just apply to consumer devices; even hydroelectric power plants have been found on the open internet, unprotected.
In addition, many users don't bother to secure their devices. They don't change the default password, or expose the device to the public internet without even realizing they've done so.
If every server you are running is behind a NAT, it shouldn't be accessible from outside your LAN - but you can check by running a port scan on your public IP with a tool like NMAP.
Someone who has access to your LAN, however, will be able to read the traffic unless it's encrypted. This will depend on how the video monitor itself is set up. If it doesn't support encryption and you still want to prevent it from being seen by other people on the LAN, you might be able to make it route traffic through a VPN. Encrypting your WiFi is necessary to prevent strangers from accessing your LAN, but won't prevent people who already have access from decrypting traffic (if they can see your device authenticate).
Also you may be interested in this. When scanning or probing a system, different responses occur when a firewall is in place vs no firewall.
http://nmap.org/book/man-port-scanning-basics.html
Closed Port (Tells the attacker - no firewall / no UFW in place)
Send a SYN packet -> get RST packet
Open Port
Send a SYN packet -> get SYN/ACK
Filtered Port (firewall / UFW in place - best security)
Send a SYN packet -> no response
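As an added example (my own code, not from the comment above), here is a Python parser that reads nmap's normal output, tallies open, closed and filtered ports including the "Not shown" summary line, and applies the reasoning above: a RST means nothing in the path intercepted the probe, while a filtered (silent) result means something dropped it. It is run on two outputs pasted elsewhere in this thread (the name.com host and the 10.0.0.150 LAN scan); the verdict strings are my own.

```python
"""Parse nmap normal output and summarise the port states.  Added example."""
import re

# One port line as nmap prints it, e.g. "443/tcp open https".  Works on the
# original multi-line output and on output that has been pasted onto one line.
PORT_LINE = re.compile(
    r"(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)")
# nmap folds the majority state into one summary line instead of listing it.
NOT_SHOWN = re.compile(r"Not shown: (\d+) (open|closed|filtered) ports")


def parse_nmap_output(text):
    """Return ([{'port', 'proto', 'state', 'service'}, ...], (count, state))."""
    ports = [{"port": int(num), "proto": proto, "state": state, "service": svc}
             for num, proto, state, svc in PORT_LINE.findall(text)]
    m = NOT_SHOWN.search(text)
    not_shown = (int(m.group(1)), m.group(2)) if m else (0, None)
    return ports, not_shown


def assess(text):
    """Tally states and apply the rule above: RST (closed) means no filter
    answered for the host, silence (filtered) means a filter dropped the probe."""
    ports, (hidden_count, hidden_state) = parse_nmap_output(text)
    counts = {}
    for p in ports:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    if hidden_state:
        counts[hidden_state] = counts.get(hidden_state, 0) + hidden_count
    if counts.get("filtered", 0) or counts.get("open|filtered", 0):
        verdict = "filtering in path"
    elif counts:
        verdict = "no filtering observed"
    else:
        verdict = "no port data"
    return {
        "open": sorted(p["port"] for p in ports if p["state"] == "open"),
        "counts": counts,
        "verdict": verdict,
    }


# Two outputs pasted elsewhere in this thread, reproduced here as input.
SCAN_NAME_COM = (
    "Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-16 11:29 EDT "
    "Nmap scan report for hs27.name.com (67.228.205.169) Host is up (0.084s latency). "
    "Not shown: 988 filtered ports PORT STATE SERVICE 20/tcp closed ftp-data "
    "21/tcp open ftp 22/tcp open ssh 80/tcp open http 110/tcp open pop3 "
    "143/tcp open imap 443/tcp open https 465/tcp open smtps 587/tcp open submission "
    "993/tcp open imaps 995/tcp open pop3s 8888/tcp closed sun-answerbook "
    "Nmap done: 1 IP address (1 host up) scanned in 8.73 seconds"
)
SCAN_LAN_HOST = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-06 14:35 CST
Interesting ports on 10.0.0.150:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 7.85 seconds
"""

if __name__ == "__main__":
    for sample in (SCAN_NAME_COM, SCAN_LAN_HOST):
        print(assess(sample))
```

The name.com host comes out as 988 filtered, 10 open and 2 closed (1000 in total), so a packet filter sits in front of it, while the LAN host answers every probe with either SYN/ACK or RST and shows no filtering at all.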
Random fun fact: In Matrix Reloaded, Trinity actually hacks the matrix properly.
>"Needing to hack the city power grid, she whips out Nmap version 2.54BETA25, uses it to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 exploit from 2001."
She also uses a SSH1 CRC32 exploit to gain access.
nmap also keep a list of movies that feature the program.
Do you have a unix system you can use?
You could try out nping http://nmap.org/nping/
Try using the -mtu option to see if pings over a a certain size are getting dropped.
Also try pinging via different ports.
Since you are having trouble posting, I'll wager it's an MTU issue somewhere.
Port forwarding can be tricky. Even if you've forwarded the ports (or "opened" them), if the IP, port, or protocol internally is wrong it won't connect.
Or just skip straight to step 4 - nmap is a fantastic tool for diagnostics of this type. I hope your ISP will help, though in my experience it'll be faster (and more rewarding) for you to figure out what's not working on your end. If using a high port didn't work, it's doubtful the problem is them blocking or filtering anything - most likely the router or port forwarding settings.
That's a good way to check, but you can just use nmap to quickly scan every port on a target system and report back on which ones are open or blocked.
anothercomuteronmyneywork:~$ nmap 10.0.0.150
Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-06 14:35 CST
Interesting ports on 10.0.0.150:
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 7.85 seconds
So, my Mac runs a SSH server (which I put there), HTTP (which I also put there). Assuming I know what the hell I am doing with securing ssh and http, what risks do you think I have by running a mac as opposed to any other unix variant?
"Updated far less securely"
Macs download software updates from Apple, which they then check for a proper cryptographic signature. That is, even if you somehow manage to compromise the SSL, MITMing the software update wouldn't do anything. What does 'far less' mean in this case?
Once again, authentication tokens are information stored on a protected computer system.
Furthermore, if you take a look at the screenshot he pulled down the size of inboxes. That is information.
Finally, this law (and others internationally) has been used to prosecute against things as small as port scanning. It didn't stick in the US case, but it has in other countries..
Really man, you're wrong here. I work in the industry and have shown very specific knowledge of the task at hand. I'm done discussing this with you - go ahead and give it a try. Firesheep will help you pull it off - then go tell the cops you did it.
Last note: https://www.freeweev.info/#!/weev
you can use telnet to connect ("ping") TCP ports. For example if I wanted to test connectivity to a web server. I would type:
telnet www.webserver.com 80
edit: expected result would be a blinking cursor. If the connection hangs that means the port is unreachable.
80 is the well known port for WWW.
Or you can use NMap to do it automagically.
nmap -O ;) Doesn't address the auto-triggering, but could be written into something trying to pull DHCP.
nmap -O 127.0.0.1
Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-20 16:23 EDT
Nmap scan report for [REDACTED] (127.0.0.1)
Host is up (0.000026s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
5900/tcp open  vnc
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.36
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds
Not 100%, but pretty awesome.
just a bit of info, in case you want it
>Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-27 20:35 PDT
>Interesting ports on 208.43.179.14-static.reverse.softlayer.com (208.43.179.14):
>Not shown: 991 filtered ports
>PORT    STATE SERVICE
>21/tcp  open  ftp
>22/tcp  open  ssh
>53/tcp  open  domain
>80/tcp  open  http
>110/tcp open  pop3
>143/tcp open  imap
>443/tcp open  https
>993/tcp open  imaps
>995/tcp open  pop3s
TRON:Legacy, barring the backdoor login nonsense, had some of the most realistic depictions of computer use I have seen in a movie. The closest second is the Nmap scene from Matrix:Reloaded. Real tools, a real (although very old when the movie came out) SSHv1 buffer overflow exploit.
> if the attacking script tried 22 and got a successful ssh response, it probably stops there and won't try 24
Though "gut" might make you think otherwise, that's often not how port enumeration scans/attacks work (at least out of the box with tools such as nmap).
Instead of probing 65k TCP and UDP ports "straight through," they often tend to probe a subset of "the most popular" ports in-use (eg. nmap-services). Port 24 (priv-mail) is in the top 2000 ports and, as a consequence, will still see regular probes from "smart" script kiddies using these tools in such configurations (ie. ones that are ambitious enough to tweak command line arguments or similar to be more aggressive/thorough in their scanning efforts).
Moreover, even though SSH (and other services) often put out a fairly recognizable handshake/hello, scanners either may not complete the full TCP handshake to see it or may simply ignore it (making it appear as some random "open" port to the unwary kiddie).
I can tell you that I move my SSH ports as a matter of practice (and not to something like port 24). As such, I've seen an average of one probe every year or two (or longer).
"Prior to writing nmap, I spent a lot of time with other scanners exploring the Internet and various private networks (note the avoidance of the "intranet" buzzword). I have used many of the top scanners available today, including strobe by Julian Assange...." -Fyodor
And nmap was written in 1997.... So Assange has been at this for awhile...
Thanks for the links. I tried making /etc/odbc.ini
like so, but it does not work
[testdb]
Driver = ODBC Driver 17 for SQL Server
Server = tcp:192.168.100.103,1433
Then I test with isql
$ isql -v testdb
[28000][unixODBC][Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user ''.
[ISQL]ERROR: Could not SQLConnect
I tried adding UID=zabbix in /etc/odbc.ini
but I get the same error. Port 1433 is open and it is listening on that port
nmap 192.168.100.103 -p 1433
Starting Nmap 6.40 ( http://nmap.org ) at 2020-09-02 22:00 UTC
Nmap scan report for 192.168.100.103
Host is up (0.00027s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
That's the confusing part, when I print the variable, this is what I get verbatim:
Starting Nmap 5.51 ( http://nmap.org ) at 2017-07-28 11:46 UTC
Nmap scan report for static-x- x (x)
Host is up (0.0044s latency).
PORT STATE SERVICE
5100/tcp open admd
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
*IP's & ISP removed with X's, but I assure you it's pulling them up
What's that? WebUI not loading on a Checkpoint? No problem, let me SSH into the thing real quick and see what's going on.
Starting Nmap 6.00 ( http://nmap.org ) at 2017-05-10 06:29 PDT
Nmap scan report for my.firewall (172.30.12.190)
Host is up (0.0078s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
53/tcp open domain
80/tcp open http
264/tcp open bgmp
443/tcp open https
444/tcp filtered snpp
1720/tcp open H.323/Q.931
Oh, SSH now being filtered inbound on the LAN? Why the flying fuck is that a thing when I SSH into all the devices behind in the Checkpoint and regularly SSH into Checkpoints to fetch policies.
I'm on Linux, I'm just installing nmap...
Ugh, didn't find anything...
$ nmap astu.sh
Starting Nmap 6.47 ( http://nmap.org ) at 2015-08-26 21:37 BST
Nmap scan report for astu.sh (104.236.64.72)
Host is up (0.086s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds
I'm confused as to what you're asking. Ports are used to allow more than one server to run on the same machine - the port number specifies which application should process the request.
Applications can bind to a specific port, and then the OS will forward all the data sent to that port to the application. Applications can bind to any port they want (although the port numbers less than 1024 may require special privileges to use), as long as there isn't already an application listening on that port (because then there'd be no way to tell which application the traffic was meant for). If a port is "open" that means there's an application listening on that port.
Clients can send data to whatever port they want. Most common protocols have standard ports allocated to them - for example, HTTP traffic is on port 80 and FTP is on port 21. If the service you're trying to connect to doesn't have an allocated port (or the server isn't running on the standard port), then you'll have to know the port it's running on in order to connect. You can explicitly specify the port to use in a URL by appending a colon and then the port number. The data will be processed by whatever application is listening on that port. If no application is listening, you won't get a response.
You can find out what ports are open on your network with a tool like nmap. It will send requests to every IP address within a specified range, and report which ones got a response. This is called a port scan.
This achieves little; there are plenty of other ways to discover hosts.
An SSH brute-force bot probably scans by simply sending SYN to TCP port 22, since 1) that's no slower than an ICMP ping 2) that's what it is going to do next anyway, so there is no point wasting time on ICMP, and 3) machines that listen on TCP 22 but do not return pings are much more likely to be useful to them than machines that return pings but do not listen on TCP 22.
You can use nmap (you will need to be root for OS X/Linux/* so you get the ARP ping):
$ sudo nmap -sP 192.168.6.0/24
...snip...
Nmap scan report for 192.168.6.24
Host is up (0.26s latency).
MAC Address: A0:02:DC:83:BE:DE (Amazon Technologies)
I don't have any other Amazon devices on my network, so that one is it.
Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-23 10:27 EDT
Nmap scan report for 174-21-47-245.tukw.qwest.net (174.21.47.245)
Host is up (0.0047s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 4.18 seconds
My trick
$ nmap -n -sL 192.168.23.56/28
Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-30 09:56 CDT
Nmap scan report for 192.168.23.48
Nmap scan report for 192.168.23.49
Nmap scan report for 192.168.23.50
Nmap scan report for 192.168.23.51
Nmap scan report for 192.168.23.52
Nmap scan report for 192.168.23.53
Nmap scan report for 192.168.23.54
Nmap scan report for 192.168.23.55
Nmap scan report for 192.168.23.56
Nmap scan report for 192.168.23.57
Nmap scan report for 192.168.23.58
Nmap scan report for 192.168.23.59
Nmap scan report for 192.168.23.60
Nmap scan report for 192.168.23.61
Nmap scan report for 192.168.23.62
Nmap scan report for 192.168.23.63
Nmap done: 16 IP addresses (0 hosts up) scanned in 0.00 seconds
First IP will be your network address. Some pipes through grep and awk should make it scriptable.
Something like this maybe:
"sudo nmap -sS -O 192.168.0.1/24".
See further options:
Nmap.org online manual,
http://nmap.org/book/man-host-discovery.html.
And then here's partial edited output of up or active lan hosts in this case:
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-19 07:02 CDT
Nmap scan report for 192.168.1.1
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
8099/tcp open unknown
MAC Address: xx:xx:xx:xx:xx:xx (Router ID)
Device type: foo
Running: Router ID
OS details: The router ID & details
Network Distance: 1 hop
Nmap scan report for
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
port number/tcp open foo
MAC Address: xx:xx:xx:xx:xx:xx (hardware foo ID )
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.xx - 3.xx
Network Distance: 1 hop
hth
Hacking. Or at least what is supposed to be hacking. Sometimes it is so ridiculous. "I will trace his IP" .. 4 seconds after booting they are like "Found him. His name is John Doe and he lives in foostreet XY". Nmap.org collected a few examples where they at least used nmap to fake hacking. Here
An OTP implementation of nc.
Instead of dealing with securely syncing two sets of the same data, you could use ncat with SSL. http://nmap.org/ncat/. Something to note as well is that even if the data is encrypted, you may be missing the authentication and integrity verification that you get with other more standard encryption protocols like SSL.
Not sure what you are asking. Some possibilities: the -P* options. --host-timeout 15m to avoid any host taking longer than 15 minutes to scan. -T5 also enables this, along with other timing and performance tweaks.
This video starts with definitions and an overview of the steps involved in performing a penetration test. Using BackTrack (predecessor of Kali Linux), the presenter scans a target with nmap and uses the Metasploit framework to search for known vulnerabilities in the services discovered. One such vulnerability is exploited to gain access to the target machine.
The video concludes with general tips for maintaining the security of an information system and advice/resources for getting started in penetration testing.
>You realize it takes me about 30ms to determine what the new port is?
>3389/tcp open ms-wbt-server
You just scanned 3389, and 3389 is open.
Wtf are you harping on about
>nmap -p80,443 google.com
>Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-24 19:49 BST
Nmap scan report for google.com (64.15.115.25)
Host is up (0.013s latency).
Other addresses for google.com (not scanned): 64.15.115.35 64.15.115.59 64.15.115.24 64.15.115.50 64.15.115.55 64.15.115.39 64.15.115.40 64.15.115.54 64.15.115.29 64.15.115.20 64.15.115.44 64.15.115.45 64.15.115.49 64.15.115.34 64.15.115.30
rDNS record for 64.15.115.25: cache.google.com
PORT STATE SERVICE
80/tcp open http
443/tcp open https
>Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
I HAS H4XX0R3D LE GOOGLE
WE R ANNONYMOOSE
HAK ZA PLAN3T
How is networking set up in the VM settings? This can greatly affect how you access the system.
You could load up a port scanner (nmap) just to make sure everything is visible.
It's my understanding that it's a legal gray area in the US. There's actually a page on the nmap site that discusses the legality of port scanning. What I'd be more concerned about is your ISP's reaction to it. Often they will have systems in place to automatically detect large-scale port scanning. Additionally, one of the networks that you scan might send a complaint to the abuse department of your ISP.
Sneakers used a lot of social engineering exploits and some phone-line shenanigans (physically tapping into a system to intercept phone calls out, for instance), but didn't really use anything involving "hacking" as the OP probably means it other than maybe the opening scene where Cosmo and Martin are messing with bank records and anything done with the black-box MacGuffin.
Actually, The Matrix is an interesting case: the first one with Neo waking up in his little room where his computers are humming away on their own doing whatever "hacking" he's sent them to do without him having to actually actively do anything. More importantly, however, is The Matrix Reloaded where Trinity uses a real exploit. (edit - it occurs to me that this is actually what /u/praesartus was referring to in the 3rd paragraph above).
This isn't really the right subreddit for this question. Also, circumventing these restrictions may not sit well with your school; there is the possibility of the university getting a bit upset with you.
That said, look into tools like nmap to better understand what services are available/open. You can set up a machine on a trusted network outside of the university network (home perhaps), and VPN to that machine in order to gain unrestricted internet access.
>only allows people to use the browser
Expound. Are they blocking all ports except 80,443 (HTTP,HTTPS)?
You'll get an output similar to this:
@Ubuntu-Owncloud:~$ nmap -sP 192.168.1.*
Starting Nmap 5.21 ( http://nmap.org ) at 2014-08-01 14:26 CDT
Nmap scan report for Linksys21272 (192.168.1.1) Host is up (0.00072s latency).
Nmap scan report for 192.168.1.105 Host is up (0.0049s latency).
Nmap scan report for Ubuntu-Plex (192.168.1.111) Host is up (0.00091s latency).
Nmap scan report for Office (192.168.1.112) Host is up (0.0094s latency).
Nmap scan report for Ubuntu-Owncloud (192.168.1.119) Host is up (0.00036s latency).
Nmap scan report for 192.168.1.120 Host is up (0.0036s latency).
Nmap scan report for 192.168.1.122 Host is up (0.0037s latency).
Nmap scan report for raspberrypiserver-cloud (192.168.1.135) Host is up (0.00083s latency).
Nmap scan report for 192.168.1.140 Host is up (0.0026s latency).
Nmap scan report for 192.168.1.141 Host is up (0.0025s latency).
Nmap scan report for ubuntu-VPN (192.168.1.145) Host is up (0.0024s latency).
Nmap done: 256 IP addresses (11 hosts up) scanned in 2.63 seconds
You can run nmap on any OS. If you're running it from Linux, it'll be in any distro's repositories. For Windows, you can just download nmap and install it. After it's installed, it will run via command line.
The Matrix used nmap, not wireshark. Also a real program though, actually used in the way shown. They work on opposite ends of the spectrum though. Wireshark analyzes the packets you can read on the network, nmap sends out crafted packets to probe and map (hence the name) the network.
This might work.......it did for me as a test anyway.
1) setup a new pcl printer with whatever driver
2) for the port create a new 'standard tcp/ip port' and use 127.0.0.1 for the address. when it comes back and says the printer isn't responding change the port type to custom and for settings use port '9100' and 'RAW' and SNMP disabled
3) go to the printer properties....on the ports tab make sure your new port is selected and that 'bidirectional printing' is disabled. on the advanced tab, change it from 'spool documents' to 'print directly to the printer'
download the '.zip' (command line) version of netcat for windows (included with nmap) : http://nmap.org/download.html
extract the zip and create a .cmd file in the same folder as ncat.exe the .cmd file should contain:
@echo off
set filenum=0
:spawnnewnetcat
set /a filenum=%filenum% + 1
set filetag=00000000%filenum%
set filetag=%filetag:~-8%
echo filetag=%filetag%
ncat.exe --listen --recv-only --output file_%filetag%.pcl 127.0.0.1 9100>NUL
goto spawnnewnetcat
:end
Then launch the cmd file and try printing to your printer. It should output a file_0000000n.pcl for each print job. Give it a shot.
EDIT: wrong filename/clarified
I assume you mean MS SQL Server instances?
Just use nmap -
nmap --open -p 1433 [subnet]
Output looks like this (for postgresql so -p is 5432) -
nmap --open -p 5432 192.168.0.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 16:38 EDT
Nmap scan report for dbserver (192.168.0.3)
Host is up (0.00013s latency).
PORT STATE SERVICE
5432/tcp open postgresql
MAC Address: 00:00:00:00:00:00 (Intel)
not sure how complex your network topology is, but make sure to login to all of your Routers and L3 switches and document your Local, WAN, VPN subnets -- point your discovery tools (nmap) at those subnets and start scanning. also check out NSE (nmap scripting engine) (handy stuff there) and the -oG switch (grepable output) is incredibly helpful when trying to make the output more manageable.
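Once the discovery scans are done, the output still has to be turned into something you can compare against what the network is supposed to look like. The following is an added example, not from any commenter, and it parses Nmap's normal output (the same line format quoted in the scan reports above; the sample text and the allowlist are constructed) into a host/port inventory and flags open ports that are not on the owner's allowlist:

```python
import re
from collections import OrderedDict

# Constructed sample in Nmap's normal (per-line) output format, modelled on the
# scan reports quoted in the comments above; hosts and ports are made up.
SAMPLE_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 16:38 EDT
Nmap scan report for dbserver (192.168.0.3)
Host is up (0.00013s latency).
PORT     STATE SERVICE
5432/tcp open  postgresql
MAC Address: 00:00:00:00:00:00 (Intel)
Nmap scan report for 192.168.0.7
Host is up (0.0045s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
23/tcp   open     telnet
80/tcp   open     http
443/tcp  filtered https
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.63 seconds
"""

# "Nmap scan report for NAME (IP)" or "Nmap scan report for IP"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))\s*$")
# "PORT/PROTO STATE SERVICE" rows of the port table
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap_output(text):
    """Return an ordered mapping ip -> {"name", "up", "ports"} where ports is a
    list of (port, proto, state, service) tuples, in scan order."""
    hosts = OrderedDict()
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            ip = m.group("ip1") or m.group("ip2")
            current = hosts.setdefault(ip, {"name": m.group("name"), "up": False, "ports": []})
            continue
        if current is None:
            continue  # header lines before the first report
        if line.startswith("Host is up"):
            current["up"] = True
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append(
                (int(m.group("port")), m.group("proto"), m.group("state"), m.group("service")))
    return hosts


def unexpected_open_ports(hosts, allowed):
    """allowed maps ip -> set of (port, proto) the owner expects to be open.
    Returns (ip, port, proto, service) for every open port that is not allowed;
    a host missing from the allowlist has all of its open ports reported."""
    findings = []
    for ip, info in hosts.items():
        if not info["up"]:
            continue
        expected = allowed.get(ip)
        for port, proto, state, service in info["ports"]:
            if state != "open":
                continue  # closed/filtered ports are not exposure
            if expected is None or (port, proto) not in expected:
                findings.append((ip, port, proto, service))
    return findings
```

Run against the constructed sample with an allowlist of 5432 on the database host and 22/80 on the second host, the only finding is the telnet listener on 192.168.0.7.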
The gateway address doesn't matter until you connect it to the internet (and then it would be the address of the router your university uses and will be set automatically if you use DHCP.)
I'm just confused at how you're initially telnetting into it. Is there a "failsafe mode" switch on it or something? What was the original IP before you changed it? Can you still ping the miner (open up a command prompt and type "ping <ip address of miner>")?
You can always try running a program like Nmap to scan the whole IP block to find open ports. It's possible they put the WebUI on an alternate port (in which case you would have to type <ip address:port number> into your web browser to access it.)
In most cases it is hard to say whether what we are looking at is Linux or some other Unix-like system, but here are a few examples that come to mind:
When I started writing this post I had some fourth example as well, but it slipped my mind.
NMap has a GUI until you get used to the command line switches a bit more. I'd find one practice target to use first, and then once you get used to the different scans, expand it to whatever IP range you want.
Example: I test a server on 10.1.1.8, I know my gateway is at 10.1.1.1, and I have a DHCP scope that starts at 10.1.2.0. I can safely do a quick scan on 10.1.1.0/24 to check for live hosts. After I know what IPs are live, I can do an intense scan to find open ports and get an OS print.
WARNING: If your network has a SonicWall firewall, you will end up flooding the log and disabling it for a while. This is not the fun "hey look, it flooded and failed open, FREE ACCESS" disabled, but the "oh fuck, no one can get on the internet" kind.
NCat has the support for multiple connections that netcat is missing and you can use it as a drop-in replacement for netcat.
http://nmap.org/ncat/guide/ http://junker.org/~tkh16/ncat-for-netcat-users.php
Maybe that could solve your problem faster.
First, thanks for your reply.
Nmap seems to be a handy tool. I don't know much about routing/networking, but it seems to be powerful.
Ok, so here is what I got. I tried to do this command:
nmap -sV -p 1-65000 187.191.xx.xxx (I redacted the actual i.p.)
It came up with this:
+++++++++++++
Starting Nmap 6.40 ( http://nmap.org )
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 5.14 seconds
++++++++++++++
So, I changed to the -Pn flag they recommended, and I got this:
||||||||||||||||||||
Starting Nmap 6.40 ( http://nmap.org )
Nmap scan report for fixed-191-13-xxx.iusacell.net (187.191.xx.xxx)
Host is up (0.013s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
179/tcp open tcpwrapped
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.26 seconds
|||||||||||||||||
Honestly, I am lost and at a loss. I don't know what much of this means. However, I assume this is important:
> 179/tcp open tcpwrapped
Also, what does THIS mean?
> 999 filtered ports
So...what next? I scanned it with the port 80 forwarded in the router. I can hit my RPi at the DHCP assigned address from WITHIN the network, but cannot from outside. If I enter my external ip address with or without :80, the request goes nowhere.
I enabled a high port - 33100. I tried to ping my external address with :33100 and got nothing.
Thanks for all your help. I am pretty frustrated at this point.
A particular example of this remote approach would be that of the nmap program.
$ nmap -O reddit.com
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-04 22:40 Canada Central Standard Time
Nmap scan report for reddit.com (184.84.183.225)
Host is up (0.065s latency).
Other addresses for reddit.com (not scanned): 184.84.183.211
rDNS record for 184.84.183.225: a184-84-183-225.deploy.static.akamaitechnologies.com
Not shown: 996 filtered ports
PORT STATE SERVICE
53/tcp closed domain
80/tcp open http
443/tcp open https
8000/tcp closed http-alt
Aggressive OS guesses: Linux 2.6.32 - 3.9 (93%), Linux 3.0 - 3.9 (93%), Tomato 1.28 (Linux 2.6.22) (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), Linux 2.6.32 - 3.2 (91%), Lexmark X644e printer (91%), Asus RT-N16 WAP (Linux 2.6) (91%), Asus RT-AC66U router (Linux 2.6) (91%), Asus RT-N66U WAP (Linux 2.6) (91%), Linux 3.5 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.95 seconds
As we can see here, nmap guesses that Reddit may be running many kinds of OSes, most guesses of which are some variant of Linux (alternatively, it could be a printer *shrugs*).
Zenmap is a gui front end for nmap. If you use it to run a ping scan on the network, it will show who the vendor is by MAC address on all returned pings.
I just tried the same scan with Angry IP Scanner that I had done with Zenmap. You can get the same information by changing the fetchers that you are using.
I can never get Cain to work. It always just sits there looking dumb and I can't tell if it's not working or just trying to be terse. I prefer the windows build of Zenmap since it's a lot more verbose and has a lot of nice profiling capabilities.
thought I'd throw this out there.
http://nmap.org/nsedoc/scripts/broadcast-dropbox-listener.html
and Snort can detect and alert on dropbox traffic, too. It's in the emerging threats' policy rules. # 2012648
You might like: Movies featuring the Nmap Security Scanner
e.g. Matrix2
edit: i made a gui in visual basic to trace the IP and uploaded a virus to the internet. Checkmate jessek
I think you just inadvertently gave me some good advice, I hadn't looked into nmap far enough to realize all the tweaking that can be done to scan timing. Now if I just can figure out what is optimal.
Just my two cents, I have FIOS, and there really doesn't seem to be much that is blocked by Verizon.
Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-27 13:57 EDT
Nmap scan report for pool-108-41-203-154.nycmny.fios.verizon.net (...)
Host is up (0.0045s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
992/tcp open telnets
4567/tcp open unknown
8080/tcp open http-proxy
8443/tcp open https-alt
This part got to me as well. Even if you don't know what you are doing (in which case you shouldn't be the one performing security audits), Nmap is now usually packaged with Zenmap - which is entirely point and click with prebuilt scan profiles.
A common mistake people make with SSH is setting weak passwords or, worse, using the same password on multiple servers. By only allowing authentication via SSH keys, you kill any chance of bruteforcing SSH credentials. Some popular tools to test your password strength:
> What you really should do is create a new user with no privileges, which will only run your app. You may even go the extra mile and set a rvm environment just for that user.
Couldn't agree more! Your www/deploy/backend users should have zero privileges. Do the administration from a separate account.
So I have recently started doing network security, and love Nmap. The best method I have discovered so far for Nmap and just general ease of use is called zenmap. (http://nmap.org/zenmap/). You tell it what you want Nmap to do and it supplies the command necessary.