Why doesn't nmap ping scan need root permission - linux

As far as I know, ping is a tool that requires root permission (set-uid) or the CAP_NET_RAW capability.
But I found that when I start an Nmap ping scan (-sn), no privileged permission is required:
# getcap /usr/bin/nmap
# ls -al /usr/bin/nmap
-rwxr-xr-x 1 root root 2445920 May 28 2016 /usr/bin/nmap
# su -s /bin/bash www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ nmap -sn example.com
Starting Nmap 6.47 ( http://nmap.org ) at 2020-02-17 16:35 CST
Nmap scan report for example.com (93.184.216.34)
Host is up (0.011s latency).
Nmap done: 1 IP address (1 host up) scanned in 11.05 seconds
So how does Nmap's ping scan work? Why does ping need root permission while nmap doesn't?

When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods. Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but this one establishes a full TCP connection!)
From the nmap website.
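To make the quoted explanation concrete, here is an added example (not from the original answer or from Nmap) that reproduces both halves of the behaviour: the raw socket an ICMP ping needs is refused without root or CAP_NET_RAW, while the connect() probe Nmap falls back to works for any user. It self-tests against a listener it creates on 127.0.0.1 (the host, port and function names are the example's own).

```python
import socket

# Added example, not Nmap's code: an unprivileged "ping" built the way Nmap's
# non-root host discovery works. ICMP echo needs a raw socket, which the kernel
# only grants to root or a process holding CAP_NET_RAW. A plain TCP connect()
# needs no privilege: a completed handshake proves the host is up, and so does
# an RST ("connection refused"); only silence means "no response".

def can_open_raw_socket() -> bool:
    """True if this process may create the raw socket an ICMP ping requires."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except PermissionError:          # EPERM: neither root nor CAP_NET_RAW
        return False
    s.close()
    return True

def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Unprivileged probe: returns 'up', 'up-refused' or 'no-response'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))       # full three-way handshake, torn down in finally
        return "up"
    except ConnectionRefusedError:    # RST came back: host is there, port is closed
        return "up-refused"
    except OSError:                   # timeout, unreachable, or dropped by a filter
        return "no-response"
    finally:
        s.close()

def probe_local_listener() -> tuple[str, str]:
    """Self-test: probe a port we are listening on and a port we just freed."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    open_port = lst.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return (tcp_connect_probe("127.0.0.1", open_port),
                tcp_connect_probe("127.0.0.1", closed_port))
    finally:
        lst.close()

if __name__ == "__main__":
    print("raw ICMP socket available:", can_open_raw_socket())
    print("probe results (open port, closed port):", probe_local_listener())
```

Run it once as an ordinary user and once as root: the first line flips, the second does not, which is exactly why `nmap -sn` succeeds as www-data.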

Related

nmap to scan MAC address for remote machine by non-ROOT user

Environment: CentOS 7, nmap 6.40
Currently I'm trying to fetch MAC/HW addresses for a list of IPs via the nmap command-line utility, and as the root user it's working perfectly.
As root user:
nmap -sP -PE -iL <list-of-IPs>
Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-19 07:05 EDT
Nmap scan report for 192.168.xx.xx
Host is up (0.0015s latency).
MAC Address: XX:XX:XX:XX:XX:XX
As non-root user:
nmap -sP -PE -iL <list-of-IPs>
Warning: You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-19 07:19 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.01 seconds
Requesting your suggestions/help on how to achieve the same as a normal user.
Thanks
Nmap must be run as root in order to retrieve this information. Fortunately, there are other sources of MAC address information on a Linux system: the system's ARP tables. After making an attempt to contact an IP address (either using Nmap or some other tool like ping), run arp -n to print the table of IP-to-MAC address mappings.
It is possible to run nmap as a non-root user. This wiki describes pretty well how to set everything up to run it as an unprivileged user. The linked tutorial also describes this for Ubuntu and Red Hat systems, which should be good for you since you are on CentOS.
I think it is important to keep this security warning in mind:
WARNING: This is dangerous. The Nmap Scripting Engine (NSE) allows scripts to sniff the network, change firewall rules and interface configuration, or exploit vulnerabilities including on localhost. It's possible, especially with elevated capabilities, for a clever person to use Nmap and NSE to escalate to full root privileges. If you do not understand these risks, do not do this.
Summary from the Wiki:
1. Restrict access to certain groups, for example adm. Make sure that you use the right location of nmap. In my case, this was /usr/bin/nmap:
sudo chgrp adm /usr/bin/nmap
sudo chmod 750 /usr/bin/nmap
2. Make sure the setcap command is installed (more information about capabilities here):
sudo yum install libcap
3. Now, set the capabilities. Once again, make sure to use the right location.
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
4. Finally, you are able to run nmap as an unprivileged user. But you have to explicitly state that you want to do so. You can pass it as an argument to nmap:
nmap --privileged -sP -PE -iL <list-of-IPs>
or as an environment variable:
export NMAP_PRIVILEGED=""
Edit: I don't exactly know why this answer is being down-voted since this is one possible answer to the question (although the question is of course better suited for Super User or Unix & Linux Stack Exchange). I added the results from my own systems with and without --privileged below:
$ nmap -sP -PE 192.168.0.1
Warning: You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-20 08:52 CEST
Nmap scan report for <HOST NAME> (192.168.0.1)
Host is up (0.0011s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
$ nmap --privileged -sP -PE 192.168.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-20 08:52 CEST
Nmap scan report for <HOST NAME> (192.168.0.1)
Host is up (0.0014s latency).
MAC Address: XX:XX:XX:XX:XX:XX (<MANUFACTURER NAME>)
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
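The WARNING above is about what step 3 hands out, and step 1 (group restriction plus mode 750) is what keeps that grant away from every local user. Here is an added example, not from the answer or the Nmap wiki, that audits exactly that pairing: it parses `getcap -r` output in both formats libcap has used and flags any binary carrying cap_net_raw or cap_net_admin that is still world-executable. The paths, modes and getcap lines are constructed sample data.

```python
import re
import stat

# Added example: check that setcap (step 3) was only applied to binaries that also
# got the group/mode restriction (step 1). A world-executable binary holding
# cap_net_raw/cap_net_admin lets any local user sniff and reconfigure the network.
NET_CAPS = {"cap_net_raw", "cap_net_admin"}

def parse_getcap_line(line: str) -> tuple[str, set[str]]:
    """Accept both getcap output styles:
    '/usr/bin/nmap = cap_net_admin,cap_net_raw+eip'  (older libcap)
    '/usr/bin/nmap cap_net_admin,cap_net_raw=eip'    (newer libcap)"""
    m = re.match(r"^(\S+)\s*=?\s*(.+)$", line.strip())
    if not m:
        raise ValueError(f"unparseable getcap line: {line!r}")
    path, rest = m.groups()
    caps: set[str] = set()
    for clause in rest.split():                  # e.g. 'cap_net_raw+ep'
        caps.update(re.split(r"[+=]", clause)[0].split(","))
    return path, caps

def audit(getcap_output: str, modes: dict[str, int]) -> list[str]:
    """One finding per binary with network caps that is executable by 'other'.
    `modes` maps path -> st_mode (on a live system, fill it from os.stat)."""
    findings = []
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        risky = caps & NET_CAPS
        if risky and modes.get(path, 0) & stat.S_IXOTH:
            findings.append(f"{path}: {','.join(sorted(risky))} granted but mode "
                            f"{oct(modes[path] & 0o777)} is world-executable")
    return findings

# Constructed sample: nmap set up per steps 1+3 (mode 750), a second copy where
# step 1 was skipped (mode 755), and a binary with only cap_net_bind_service.
SAMPLE_GETCAP = """\
/usr/bin/nmap = cap_net_admin,cap_net_bind_service,cap_net_raw+eip
/opt/nmap/bin/nmap cap_net_admin,cap_net_raw=eip
/usr/local/sbin/webd cap_net_bind_service=ep
"""
SAMPLE_MODES = {"/usr/bin/nmap": 0o100750, "/opt/nmap/bin/nmap": 0o100755,
                "/usr/local/sbin/webd": 0o100755}

def sample_findings() -> list[str]:
    return audit(SAMPLE_GETCAP, SAMPLE_MODES)

if __name__ == "__main__":
    for finding in sample_findings():
        print("FINDING:", finding)
```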

What is the meaning of the command `sudo nmap -sP -n 192.168.0.0-255`?

What is the meaning of the following command, and why isn't it given in the help menu of nmap?
Sample command: sudo nmap -sP -n 192.168.0.0-255
Sample output:
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-14 16:09 +06
Nmap scan report for 192.168.0.1
Host is up (0.0035s latency).
MAC Address: 20:L6:A7:55:3D:44 (D-link Technologies)
Nmap scan report for 192.168.0.104
Host is up (0.20s latency).
MAC Address: 18:97:F8:15:26:D9 (Zen Mobile Communication Technology)
Nmap scan report for 192.168.0.118
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.31 seconds
What does -sP mean and why is it used?
This command works properly, but it is not listed in the man page or help menu.
Please elaborate the circumstances.
From the man page:
In previous releases of Nmap, -sn was known as -sP.

LDAP listening on localhost but hostname or IP

I've installed LDAP on a Raspberry Pi running Raspbian, which is a Debian fork I think.
I have a DB and entries and can do an LDAP search successfully from the server if I use -h localhost or -h 127.0.0.1. But if I use the hostname or IP I get an error message:
root@rpi1:~# ldapsearch -d 1 -x -h 10.10.0.11 -b "ou=Groups,dc=pi,dc=home"
ldap_create
ldap_url_parse_ext(ldap://10.10.0.11)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.10.0.11:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.10.0.11:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The weird thing for me is that the service is running and listening on the port:
root@rpi1:~# nmap 10.10.0.11
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-30 22:16 UTC
Nmap scan report for rpi1.pi.home (10.10.0.11)
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
636/tcp open ldapssl
Nmap done: 1 IP address (1 host up) scanned in 26.78 seconds
root@rpi1:~# nmap localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-30 22:17 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
389/tcp open ldap
636/tcp open ldapssl
Nmap done: 1 IP address (1 host up) scanned in 26.82 seconds
You can see that scanning localhost shows that the service is listening on 389, but not if I use the server's IP or hostname.
So I have no way of getting a client on another server to connect, because it only seems to be listening on localhost. This is beyond my limited understanding, I'm afraid.
As far as I can see I am resolving the name ok:
root@rpi1:~# host rpi1
rpi1 has address 10.10.0.11
root@rpi1:~# host rpi1.pi.home
rpi1.pi.home has address 10.10.0.11
root@rpi1:~# host ldap.pi.home
ldap.pi.home has address 10.10.0.11
Proof that the DB is working:
root@rpi1:~# ldapsearch -x -h 127.0.0.1 -b "cn=Bradley Atkins,cn=musedev,ou=Groups,dc=pi,dc=home"
# extended LDIF
#
# LDAPv3
# base <cn=Bradley Atkins,cn=musedev,ou=Groups,dc=pi,dc=home> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Bradley Atkins, musedev, Groups, pi.home
dn: cn=Bradley Atkins,cn=musedev,ou=Groups,dc=pi,dc=home
cn: Bradley Atkins
givenName: Bradley
gidNumber: 501
homeDirectory: /home/users/batkins
sn: Atkins
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1001
uid: batkins
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Can anyone suggest a way forward?
Thanks
As the nmap output shows clearly, it's listening at 127.0.0.1, not 0.0.0.0.

Scanning using nmap

Folks, is there a way to use nmap to scan for open resolvers in one's network? I have this command from the nmap page but it seems it's not working:
nmap -sU -p 53 --script=dns-recursion <target>
I ran the command and it is working as expected.
[root@Golgota /home/test]# nmap -sU -p 53 --script=dns-recursion 8.8.8.8
Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-26 22:39 CET
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.021s latency).
PORT STATE SERVICE
53/udp open domain
|_dns-recursion: Recursion appears to be enabled
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

asterisk hide version from nmap scan

I'm looking for methods (iptables rules, etc.) to prevent the Asterisk version from showing on an nmap UDP scan without closing (dropping) the port. If I open it for some IP address, an nmap UDP scan of port 5060 from that IP address can resolve the Asterisk version (nmap -sU -sV -p 5060 <ipaddress>):
PORT STATE SERVICE VERSION
5060/udp open sip Asterisk PBX 1.8.13.0
Is there some way to only show port 5060 as open? Is it possible to hide this Asterisk info or change it?
I think you can set the PBX info with the following in sip.conf:
useragent=SIPClient XXX
But actually on my host that command shows:
[root@pro-sip ~]# nmap -sU -sV -p 5060 78.47.XXX.XXX
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-12-05 22:35 UTC
Interesting ports on pro-sip.net (78.47.XXX.XXX):
PORT STATE SERVICE VERSION
5060/udp open|filtered sip
Nmap finished: 1 IP address (1 host up) scanned in 52.025 seconds
So maybe on your host it just finds some issue and guesses it is Asterisk version XXX.