Tony Virelli - Web Developer - HTML, xHTML, PHP, MySQL, JavaScript» Networking

Using NMAP To Detect Server Type

John Hass — Mon, 28 Dec 2009 14:33:55 +0000

When you talk power utilities on any *nix it’s hard to skip nmap. Ever since it’s introduction nmap has been used for good and evil. If you’ve ever had a server hacked chances are they used nmap or some sort of nmap code to get the job done. Just how easy is it to detect the server type from nmap? Try my windows 2003 server (I know kick me in the nuts and call me sally).

nmap -A -T4 192.168.10.1

it took over a minute to get the results, but here is what I got.

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-15 15:42 CST
Interesting ports on server1.local.example.com (192.168.10.1):
Not shown: 963 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
25/tcp    open  smtp          Microsoft ESMTP 6.0.3790.3959
|  smtp-commands: EHLO example.com Hello [192.168.10.34], TURN, SIZE, ETRN, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, X-EXPS GSSAPI NTLM LOGIN, X-EXPS=LOGIN, AUTH GSSAPI NTLM LOGIN, AUTH=LOGIN, X-LINK2STATE, XEXCH50
|_ HELP This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
80/tcp    open  http          Microsoft IIS webserver 6.0
|_ html-title: Under Construction
110/tcp   open  pop3          MS Exchange 2003 pop3d 6.5.7638.1
|_ pop3-capabilities: USER EXPIRE(NEVER) UIDL PIPELINING TOP SASL(NTLM)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn
143/tcp   open  imap          Microsoft Exchange Server 2003 imapd 6.5.7638.1
|_ imap-capabilities: LOGIN-REFERRALS IMAP4 AUTH=NTLM IMAP4rev1 MAILBOX-REFERRALS UIDPLUS LITERAL+ IDLE NAMESPACE CHILDREN
445/tcp   open  microsoft-ds  Microsoft Windows 2003 microsoft-ds
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
691/tcp   open  resvc         Microsoft Exchange routing server 6.5.7638.138.1
993/tcp   open  tcpwrapped
995/tcp   open  tcpwrapped
1037/tcp  open  msrpc         Microsoft Windows RPC
1073/tcp  open  msrpc         Microsoft Windows RPC
1074/tcp  open  msrpc         Microsoft Windows RPC
1076/tcp  open  msrpc         Microsoft Windows RPC
1088/tcp  open  msrpc         Microsoft Windows RPC
1089/tcp  open  msrpc         Microsoft Windows RPC
1137/tcp  open  msrpc         Microsoft Windows RPC
1801/tcp  open  unknown
2103/tcp  open  msrpc         Microsoft Windows RPC
2105/tcp  open  msrpc         Microsoft Windows RPC
2107/tcp  open  msrpc         Microsoft Windows RPC
3389/tcp  open  microsoft-rdp Microsoft Terminal Service
4343/tcp  open  ssl/http      Microsoft IIS webserver 6.0
|_ sslv2: server still supports SSLv2
|  http-auth: HTTP Service requires authentication
|    Auth type: Negotiate
|_   Auth type: NTLM
|_ html-title: You are not authorized to view this page
5900/tcp  open  vnc           VNC (protocol 3.8)
6001/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6002/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6004/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
8080/tcp  open  http          Microsoft IIS webserver 6.0
|  http-auth: HTTP Service requires authentication
|    Auth type: Negotiate
|_   Auth type: NTLM
|_ html-title: You are not authorized to view this page
8181/tcp  open  http          Apache Tomcat/Coyote JSP engine 1.1
|_ html-title: Site doesn't have a title (text/html).
8443/tcp  open  ssl/http      Apache Tomcat/Coyote JSP engine 1.1
|_ html-title: Site doesn't have a title (text/html).
9000/tcp  open  http          Veritas backup exec continuous protection httpd
|_ html-title: Site doesn't have a title (text/xml).
9001/tcp  open  http          Veritas backup exec continuous protection httpd
|_ html-title: Site doesn't have a title (text/plain).
9002/tcp  open  http          Veritas backup exec continuous protection httpd (unauthorized)
|_ html-title: Site doesn't have a title (text/html).
9003/tcp  open  http          Veritas backup exec continuous protection httpd (unauthorized)
|_ html-title: Site doesn't have a title (text/plain).
10000/tcp open  backupexec    Veritas Backup Exec 9.0
Service Info: OS: Windows
Host script results:
|  smb-os-discovery: Windows Server 2003 3790 Service Pack 2
|  LAN Manager: Windows Server 2003 5.2
|  Name: example\SERVER1
|_ System time: 2009-12-15 15:38:06 UTC-6
|_ nbstat: NetBIOS name: SERVER1, NetBIOS user: , NetBIOS MAC: 00:11:43:e3:d5:f2
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.23 seconds

Surely this can’t work in Windows Server 2008?

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-15 15:47 CST
Interesting ports on server.local.example.com (192.168.10.5):
Not shown: 970 closed ports
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          Microsoft ESMTP
|  smtp-commands: EHLO exchange.example.com Hello [192.168.10.34], SIZE 41943040, PIPELINING, DSN, ENHANCEDSTATUSCODES, AUTH, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50
|_ HELP This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
80/tcp   open  http          Microsoft IIS webserver 7.0
|_ html-title: 403 - Forbidden: Access is denied.
88/tcp   open  kerberos-sec  Microsoft Windows kerberos-sec
110/tcp  open  pop3          MS Exchange 2007 pop3d
|_ pop3-capabilities: USER SASL(NTLM GSSAPI PLAIN) TOP UIDL
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
143/tcp  open  imap          Microsoft Exchange 2007 imapd
|_ imap-capabilities: IMAP4rev1 AUTH=GSSAPI LITERAL+ IMAP4 AUTH=NTLM AUTH=PLAIN NAMESPACE IDLE
389/tcp  open  ldap
443/tcp  open  ssl/http      Microsoft IIS webserver 7.0
|_ sslv2: server still supports SSLv2
|_ html-title: IIS7
445/tcp  open  microsoft-ds  Microsoft Windows 2003 microsoft-ds
464/tcp  open  kpasswd5?
587/tcp  open  smtp          Microsoft ESMTP
|  smtp-commands: EHLO exchange.example.com Hello [192.168.10.34], SIZE 41943040, PIPELINING, DSN, ENHANCEDSTATUSCODES, AUTH GSSAPI NTLM, 8BITMIME, BINARYMIME, CHUNKING
|_ HELP This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
993/tcp  open  imaps?
995/tcp  open  pop3s?
1025/tcp open  msrpc         Microsoft Windows RPC
1026/tcp open  msrpc         Microsoft Windows RPC
1027/tcp open  msrpc         Microsoft Windows RPC
1029/tcp open  msrpc         Microsoft Windows RPC
1030/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
1031/tcp open  msrpc         Microsoft Windows RPC
1048/tcp open  msrpc         Microsoft Windows RPC
3268/tcp open  ldap
3269/tcp open  tcpwrapped
3389/tcp open  microsoft-rdp Microsoft Terminal Service
6001/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6002/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
6004/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port993-TCP:V=5.00%I=7%D=12/15%Time=4B2803DB%P=x86_64-unknown-linux-gnu
SF:%r(NULL,20,"\*\x20BYE\x20Connection\x20is\x20closed\.\x2014\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port995-TCP:V=5.00%I=7%D=12/15%Time=4B2803DB%P=x86_64-unknown-linux-gnu
SF:%r(NULL,1F,"-ERR\x20Connection\x20is\x20closed\.\x2013\r\n");
Service Info: Host: exchange.example.com; OS: Windows
Host script results:
|_ nbstat: NetBIOS name: SERVER, NetBIOS user: , NetBIOS MAC: 00:22:19:54:ea:4d
|  smb-os-discovery: Windows Server (R) 2008 Standard 6001 Service Pack 1
|  LAN Manager: Windows Server (R) 2008 Standard 6.0
|  Name: example\SERVER
|_ System time: 2009-12-15 15:42:39 UTC-6

And Next time, don’t call me Shirley!

Now I am sure Linux is immune to this though!

Now I don’t want to brag, but all the linux servers first responded with

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-15 15:53 CST
All 1000 scanned ports on 192.168.10.20 are filtered
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.04 seconds

This was from default Ubuntu installs, eventually I did a scan on our webserver

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-15 15:54 CST
Interesting ports on mail.sipmeeting.com (example.com):
Not shown: 988 closed ports
PORT     STATE SERVICE   VERSION
21/tcp   open  ftp       ProFTPD 1.3.0a
22/tcp   open  ssh       OpenSSH 4.6 (protocol 1.99)
|_ sshv1: Server supports SSHv1
|  ssh-hostkey: 2048 da:5e:f2:1e:63:47:14:29:bd:f9:e3:ca:aa:4e:2b:20 (RSA1)
|  1024 4a:6d:a3:75:d9:8d:c8:dc:32:82:6d:81:d8:39:81:d4 (DSA)
|_ 2048 92:90:42:06:61:70:f8:a0:38:f6:2c:54:27:b2:2b:a8 (RSA)
25/tcp   open  smtp      Sendmail 8.14.1/8.14.1
|  smtp-commands: EHLO mail.example.com Hello [1.1.1.1], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP
|_ HELP 2.0.0 This is sendmail version 8.14.1 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
37/tcp   open  time      (32 bits)
80/tcp   open  http      Apache httpd 2.2.4 ((Unix) DAV/2 PHP/5.2.4)
|  html-title: Online Global Resource
|_ Requested resource was http://example.com/src/login.php
110/tcp  open  pop3      Openwall popa3d
|_ pop3-capabilities: capa
111/tcp  open  rpcbind
|  rpcinfo:
|  100000  2        111/udp  rpcbind
|  100011  1,2      929/udp  rquotad
|  100003  2,3,4   2049/udp  nfs
|  100024  1      55627/udp  status
|  100021  1,3,4  55629/udp  nlockmgr
|  100005  1,2,3  55630/udp  mountd
|  100000  2        111/tcp  rpcbind
|  100011  1,2      932/tcp  rquotad
|  100003  2,3,4   2049/tcp  nfs
|  100024  1      50902/tcp  status
|  100021  1,3,4  51522/tcp  nlockmgr
|_ 100005  1,2,3  60993/tcp  mountd
143/tcp  open  imap      UW imapd 2004.357
|_ imap-capabilities: BINARY THREAD=ORDEREDSUBJECT IMAP4REV1 STARTTLS LOGIN-REFERRALS UNSELECT SCAN SASL-IR THREAD=REFERENCES MAILBOX-REFERRALS SORT AUTH=LOGIN LITERAL+ IDLE NAMESPACE MULTIAPPEND
587/tcp  open  smtp      Sendmail 8.14.1/8.14.1
|  smtp-commands: EHLO mail.example.com Hello [1.1.1.1], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP
|_ HELP 2.0.0 This is sendmail version 8.14.1 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
2000/tcp open  callbook?
2049/tcp open  rpcbind
3306/tcp open  mysql     MySQL 5.0.37
|  mysql-info: Protocol: 10
|  Version: 5.0.37
|  Thread ID: 2757516
|  Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
|  Status: Autocommit
|_ Salt: qD@R\V{,c2kG_+SA/b#%
Service Info: Host: mail.example.com; OS: Unix
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.31 seconds

It was only able to detect Unix not Slackware Linux. Have fun and don’t do anything I wouldn’t do!

Test Your Network With Ping

John Hass — Wed, 23 Dec 2009 14:30:05 +0000

Ping is a great utility to use to test if a server is up or if a server is responding in the correct time, but what if you could use ping to actually test your network infrastructure. Lets call it a “poor mans test”.

Linux ping allows you to specify the number of bytes that are sent to the server your pinging.

ping -s  127.0.0.1

The maximum packet size it 65507, this is 63.9990234 kilobytes, not a very big packet at all, but what if you sent hundreds of them a second?

Enter ping flood.

ping -s 65507 -f 127.0.0.1

To quote the ping man page:

Flood ping. For every ECHO_REQUEST sent a period “.” is printed, while for ever ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped. If interval is not given, it sets interval to zero and outputs packets as fast as they come back or one hundred times per second, whichever is more. Only the super-user may use this option with zero interval.

Here is an example of the output

ping 192.168.10.27 -s 65507 -f
PING 192.168.10.27 (192.168.10.27) 65507(65535) bytes of data.
.
--- 192.168.10.27 ping statistics ---
267 packets transmitted, 266 received, 0% packet loss, time 4321ms
rtt min/avg/max/mdev = 11.476/14.489/30.344/5.301 ms, pipe 3, ipg/ewma 16.245/11.551 ms

If I had lost a packet it should show a packet loss. As you can see, the server is sitting on the same switch as my desktop. It dropped 0 packets and had a rtt of 11.476 ms.

Not bad!

SSH Key Sharing

John Hass — Tue, 22 Dec 2009 14:30:27 +0000

SSH allows you to do key sharing which allows you to log into a machine without typing your password, or even for that matter, having a password at all. Best of all, it does the key sharing completely encrypted, so the chance of you losing your keys in the process is very unlikely.

In my example I have 2 machines. A desktop and server. I want to be able to connect to server without entering my password.

On Desktop (there is no need to be root)

ssh-keygen -b 2048 -t rsa

A message will prompt you for the location: leave it the default.
The next menu will ask you for a pass phrase: leave it blank.
Leave the next pass phrase blank as well.

Your keys will now be generated in ~/.ssh
you can “cd ~/.ssh”
type “cat id_rsa.pub”
You will now see your public key this is the key you share with everyone. The other is your private you share this with no one.

The next step is to get your key over to server

scp id_rsa.pub username@server:~/username_id_rsa.pub

Then you must put the info in ~/.ssh/authorized_keys2

ssh username@server "cat ~/username_id_rsa.pub >> ~/.ssh/authorized_keys2"

You will now be able to ssh to server without entering your password.

Using SSH To Get Around Those Pesky Firewalls

John Hass — Mon, 21 Dec 2009 14:30:34 +0000

Firewalls are important for safety on the internet, but sometimes they just get in the way, so why not remedy that by using what you can to your advantage. At my home I am required to have an SSH connection back to the office. The office is able to connect to all of our remote sites, but I am not able to have VNC to my home, so I must tunnel VNC. In order to do that I do a SSH local port forward

ssh john@example.com -L8080:127.0.0.1:5590

This will connect to my desktop at work and create a tunnel. The tunnel is from the machine I am sshing from to my desktop at work on port 5590. So to connect to VNC I just do:

vncviewer 127.0.0.1:8080

Then I am connected via the ssh tunnel to work.

Now lets say you wanted to connect off site to somewhere else, but your always having to ssh to work then to the site so:

Laptop ====> work (example.com)====> site (site.com)

and you have to ssh in 3 times to run different processes or view logs. Why not create a tunnel to do all the work?

ssh john@example.com -L8080:site.com:22

You can then ssh right into site.com by typing

ssh john@localhost -P 8080

this is because the connection is tunneled.

I will get into more ssh stuff as needed like remote port sharing and sharing keys, but the above example really does show the power of ssh.