nmap


Using nmap to scan a network and identify which hosts are alive

The command “nmap -sP 192.168.100.0/24” scans a network and identifies which hosts are alive (i.e., which IP addresses are being used) within the specified range.

In more detail, the “nmap” command is a widely used network exploration tool that can be used for tasks such as host discovery, port scanning, and service enumeration.

The “-sP” option tells nmap to perform a “ping scan,” where it sends an ICMP echo request to each host in the specified IP range and checks for responses. This method is typically faster than other scanning techniques because it only determines whether a host is up or not without gathering additional information about the host’s ports or services.

The “192.168.100.0/24” argument specifies the IP range to be scanned, specifically the subnet mask “255.255.255.0,” which corresponds to the range of IP addresses from 192.168.100.0 to 192.168.100.255. The “/24” suffix is a shorthand notation for the subnet mask.

Overall, the command “nmap -sP 192.168.100.0/24” is a helpful tool for network administrators or security professionals who need to identify which hosts are active on a particular network quickly. It can help to identify potential security vulnerabilities or unauthorized devices connected to the network.


Playing with ChatGPT to create python scripts

In the following post, we asked ChatGPT to write some code for us and this is the “conversation” we had:

write a python script that accepts http request in rest format, executes nmap with the parameters given from the http request and returns the results in json format.

Here is an example of a Python script that can handle HTTP requests in REST format, execute the nmap command with the parameters specified in the request, and return the results in JSON format:

from flask import Flask, request, jsonify
import subprocess

app = Flask(__name__)

@app.route('/scan', methods=['POST'])
def scan():
    data = request.get_json()
    target = data['target']
    options = data['options']
    result = subprocess.run(['nmap', target, options], capture_output=True, text=True)
    return jsonify({'output': result.stdout, 'error': result.stderr})

if __name__ == '__main__':
    app.run(debug=True)

You can run this script by executing python script.py in your terminal and then sending a POST request to http://localhost:5000/scan with a JSON payload containing the target and options for the nmap command, for example:

{
    "target": "example.com",
    "options": "-p 80,443"
}

It will execute the nmap command nmap example.com -p 80,443 and return the output and error in JSON format.

Note

  • Make sure you have nmap installed on your machine.
  • This script is not handling error case properly, it will return error as it is, you may want to handle it properly.
  • This script is not handling multiple targets, options and other complex use cases.
  • This script will run on single thread, you may want to use multi threading or asyncio to handle multiple requests.

update code to handle the error cases, multiple targets and options and use multi threading

Here is an updated version of the script that handles error cases, multiple targets and options, and uses multi-threading to handle multiple requests simultaneously:

import threading
from concurrent.futures import ThreadPoolExecutor
from flask import Flask, request, jsonify
import subprocess

app = Flask(__name__)
executor = ThreadPoolExecutor()

def nmap_scan(target, options):
    try:
        result = subprocess.run(['nmap', target, options], capture_output=True, text=True)
        return jsonify({'output': result.stdout, 'error': result.stderr}), 200
    except Exception as e:
        return jsonify({'error': str(e)}), 500

@app.route('/scan', methods=['POST'])
def scan():
    data = request.get_json()
    targets = data['targets']
    options = data['options']
    futures = [executor.submit(nmap_scan, target, options) for target in targets]
    results = [future.result() for future in futures]
    return results

if __name__ == '__main__':
    app.run(debug=True)

In this updated version, the nmap_scan() function uses a try-except block to catch any errors that occur during the execution of the nmap command. If an error occurs, it returns a JSON object containing an error message and a status code of 500. If the command completes successfully, it returns the output and error in a JSON object and a status code of 200.

The scan() function now takes a list of targets and options as input, and uses a ThreadPoolExecutor to execute the nmap_scan() function for each target in the list. The results of all the scans are returned as a list of JSON objects.

This version of the script can handle multiple targets and options, and it can handle multiple requests simultaneously thanks to the use of multi-threading.

Note

  • Make sure you have nmap installed on your machine.
  • In this script, all the requests are handled by single process, you may want to use multiple process or containers to handle high traffic.
  • This script is not handling other complex use cases, you may want to handle it as per your requirement.

update to handle high traffic

Handling high traffic can be achieved using multiple processes or by running the script in a containerized environment such as Docker.

One way to handle high traffic with multiple processes is to use a process manager such as Gunicorn. Gunicorn is a pre-fork worker model which means it forks multiple worker processes to handle incoming requests. Here is an example of how you can run the script using Gunicorn with 4 worker processes:

gunicorn script:app -w 4

Another way to handle high traffic is to run the script in a containerized environment. You can use a container orchestration platform like Kubernetes to manage multiple containers running the script. This allows you to easily scale up or down the number of containers based on the traffic, and also provides other benefits such as automatic load balancing.

Here is an example of a Dockerfile that builds an image of your script:

FROM python:3.8

COPY . /app

WORKDIR /app

RUN pip install -r requirements.txt

CMD ["gunicorn", "script:app", "-w", "4"]

You can build the image using:

docker build -t script .

And then run the container using:

docker run -p 5000:5000 script

You can then use Kubernetes to manage multiple replicas of this container, and also use other features such as automatic load balancing, automatic failover, and monitoring of the containers.

This version of the script should be able to handle high traffic by using multiple processes or running in a containerized environment, however, it’s not a silver bullet, you may want to test it with different traffic patterns and tweak the configurations as per your requirement.

The best part about this engine is that it reuses previous content and produces new results like having a conversion.


Ubuntu server 16.04+ MySQL port is only accessible from localhost (127.0.0.1)

Recently, we got access to an Ubuntu 16.04 LTS server that had MySQL server installed on it but was not accessible to our external servers.
The service was accessible when testing from localhost but it was not when testing from any other machine.
Executing nmap from another machine would return the value 3306/tcp closed mysql   conn-refused as below.

[bytefreaks@fedora ~]$ nmap -vv -p 3306 192.168.10.11


 
 Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-06 17:21 EET
 Initiating Ping Scan at 17:21
 Scanning 192.168.10.11 [2 ports]
 Completed Ping Scan at 17:21, 0.06s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 17:21
 Completed Parallel DNS resolution of 1 host. at 17:21, 0.00s elapsed
 Initiating Connect Scan at 17:21
 Scanning 192.168.10.11 [1 port]
 Completed Connect Scan at 17:21, 0.06s elapsed (1 total ports)
 Nmap scan report for 46.101.137.70
 Host is up, received syn-ack (0.061s latency).
 Scanned at 2017-03-06 17:21:31 EET for 1s
 PORT     STATE  SERVICE REASON
 3306/tcp closed mysql   conn-refused
 
 Read data files from: /usr/bin/../share/nmap
 Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

The problem was with the default configuration of mysqld that is found in the file /etc/mysql/mysql.conf.d/mysqld.cnf.
At line 41 we got the following snippet:

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address            = 127.0.0.1

What the line bind-address            = 127.0.0.1 says is that, the service will only listen on localhost.
At this stage there are two solutions that you can apply using your favorite text editor (e.g. sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf):

Solution A:

Completely remove the line bind-address            = 127.0.0.1 or comment it out by adding a # in front of it as follows #bind-address            = 127.0.0.1.

Solution B:

Replace 127.0.0.1 with the IP that you want mysql service to be available to. In our case the line became bind-address            = 192.168.10.11.

After you are done with the change, you need to restart the service for the change to take place:

bytefreaks@OSUbuntu:~$ sudo /etc/init.d/mysql restart
 [ ok ] Restarting mysql (via systemctl): mysql.service.

From an external machine you can verify that the configuration was applied correctly using nmap as below:

[bytefreaks@fedora ~]$ nmap -vv -p 3306 192.168.10.11
 Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-06 17:24 EET
 Initiating Ping Scan at 17:24
 Scanning 192.168.10.11 [2 ports]
 Completed Ping Scan at 17:24, 0.06s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 17:24
 Completed Parallel DNS resolution of 1 host. at 17:24, 0.00s elapsed
 Initiating Connect Scan at 17:24
 Scanning 192.168.10.11 [1 port]
 Discovered open port 3306/tcp on 46.101.137.70
 Completed Connect Scan at 17:24, 0.06s elapsed (1 total ports)
 Nmap scan report for 46.101.137.70
 Host is up, received syn-ack (0.061s latency).
 Scanned at 2017-03-06 17:24:30 EET for 0s
 PORT     STATE SERVICE REASON
 3306/tcp open  mysql   syn-ack
 Read data files from: /usr/bin/../share/nmap
 Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

You should get the value 3306/tcp open  mysql   syn-ack.


Find which Ports are listening on Linux using netstat

netstat prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Using the parameter -l (or --listening) it will show only listening sockets/ports (which are omitted by default.).
--numeric-ports shows numerical port numbers but does not affect the resolution of host or user names (e.g. instead of showing the name ssh, it will show the value 22).

We used netstat using the following syntax to check which sockets/ports are open on the current machine:

netstat --listening --numeric-ports;

The results appeared as follows:

[george@bytefreaks ~]$ netstat --listening --numeric-ports
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State      
 tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
 tcp        0      0 localhost:25            0.0.0.0:*               LISTEN     
 tcp6       0      0 [::]:44300              [::]:*                  LISTEN     
 tcp6       0      0 [::]:8080               [::]:*                  LISTEN     
 tcp6       0      0 [::]:22                 [::]:*                  LISTEN     
 tcp6       0      0 localhost:25            [::]:*                  LISTEN     
 udp        0      0 0.0.0.0:39925           0.0.0.0:*                          
 udp        0      0 0.0.0.0:24186           0.0.0.0:*                          
 udp        0      0 0.0.0.0:68              0.0.0.0:*                          
 udp        0      0 localhost:323           0.0.0.0:*                          
 udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
 udp6       0      0 localhost:323           [::]:*                             
 udp6       0      0 [::]:33848              [::]:*                             
 udp6       0      0 [::]:61453              [::]:*                             
 raw6       0      0 [::]:58                 [::]:*                  7          
 Active UNIX domain sockets (only servers)
 Proto RefCnt Flags       Type       State         I-Node   Path
 unix  2      [ ACC ]     STREAM     LISTENING     22489    public/showq
 unix  2      [ ACC ]     STREAM     LISTENING     22445    public/pickup
 unix  2      [ ACC ]     STREAM     LISTENING     22449    public/cleanup
 unix  2      [ ACC ]     STREAM     LISTENING     22477    private/proxymap
 unix  2      [ ACC ]     STREAM     LISTENING     22480    private/proxywrite
 unix  2      [ ACC ]     STREAM     LISTENING     15452    /run/systemd/private
 unix  2      [ ACC ]     STREAM     LISTENING     22483    private/smtp
 unix  2      [ ACC ]     STREAM     LISTENING     22486    private/relay
 unix  2      [ ACC ]     STREAM     LISTENING     22492    private/error
 unix  2      [ ACC ]     STREAM     LISTENING     22495    private/retry
 unix  2      [ ACC ]     STREAM     LISTENING     22498    private/discard
 unix  2      [ ACC ]     STREAM     LISTENING     22501    private/local
 unix  2      [ ACC ]     STREAM     LISTENING     22504    private/virtual
 unix  2      [ ACC ]     STREAM     LISTENING     22507    private/lmtp
 unix  2      [ ACC ]     STREAM     LISTENING     22510    private/anvil
 unix  2      [ ACC ]     STREAM     LISTENING     22513    private/scache
 unix  2      [ ACC ]     STREAM     LISTENING     14445    /var/run/NetworkManager/private-dhcp
 unix  2      [ ACC ]     SEQPACKET  LISTENING     15476    /run/udev/control
 unix  2      [ ACC ]     STREAM     LISTENING     1404     /run/systemd/journal/stdout
 unix  2      [ ACC ]     STREAM     LISTENING     22452    public/qmgr
 unix  2      [ ACC ]     STREAM     LISTENING     15498    /run/lvm/lvmpolld.socket
 unix  2      [ ACC ]     STREAM     LISTENING     22474    public/flush
 unix  2      [ ACC ]     STREAM     LISTENING     22471    private/verify
 unix  2      [ ACC ]     STREAM     LISTENING     16034    /var/run/dbus/system_bus_socket
 unix  2      [ ACC ]     STREAM     LISTENING     16037    /var/run/avahi-daemon/socket
 unix  2      [ ACC ]     STREAM     LISTENING     15537    /run/lvm/lvmetad.socket
 unix  2      [ ACC ]     STREAM     LISTENING     22456    private/tlsmgr
 unix  2      [ ACC ]     STREAM     LISTENING     22459    private/rewrite
 unix  2      [ ACC ]     STREAM     LISTENING     22462    private/bounce
 unix  2      [ ACC ]     STREAM     LISTENING     22465    private/defer
 unix  2      [ ACC ]     STREAM     LISTENING     22468    private/trace

Check a specific port if it is open from a remote machine

In case you want to check a specific port if it is open from a remote machine, you can use nmap.
Using nmap to scan specific ports allows you to check if a remote machine appears to have open ports available to you.
nmap is a network exploration tool and security / port scanner.

The following example checks ports 80 and 8080 on 192.168.1.199 if they are open.

[george@bytefreaks ~]$ nmap -vv -p 80,8080 192.168.1.199
 
 Starting Nmap 6.40 ( http://nmap.org ) at 2017-02-22 14:10 EET
 Initiating Ping Scan at 14:10
 Scanning 192.168.1.199 [2 ports]
 Completed Ping Scan at 14:10, 0.00s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 14:10
 Completed Parallel DNS resolution of 1 host. at 14:10, 0.00s elapsed
 Initiating Connect Scan at 14:10
 Scanning 192.168.1.199 [2 ports]
 Discovered open port 8080/tcp on 192.168.1.199
 Completed Connect Scan at 14:10, 0.00s elapsed (2 total ports)
 Nmap scan report for 192.168.1.199
 Host is up (0.000060s latency).
 Scanned at 2017-02-22 14:10:29 EET for 0s
 PORT     STATE  SERVICE
 80/tcp   closed http
 8080/tcp open   http-proxy
 
 Read data files from: /usr/bin/../share/nmap
 Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

The -vv parameter for nmap increases the verbosity of the results.
The -p parameter defines the ports to be checked.