folks.Is there away to use nmap to scan for open resolvers in ones network.I have this command from the nmap page but it seems itsnot working
nmap -sU -p 53 --script=dns-recursion <target>
I did the command and It is working as spected.
[root#Golgota /home/test]# nmap -sU -p 53 --script=dns-recursion 8.8.8.8
Starting Nmap 6.47 ( http://nmap.org ) at 2015-02-26 22:39 CET
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.021s latency).
PORT STATE SERVICE
53/udp open domain
|_dns-recursion: Recursion appears to be enabled
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
Related
As I know, ping is a tool that requires root permission (set-uid) or CAP_NET_RAW Capability.
But I found that, when I start a Nmap ping scan(-sn), no privilege permission required:
# getcap /usr/bin/nmap
# ls -al /usr/bin/nmap
-rwxr-xr-x 1 root root 2445920 May 28 2016 /usr/bin/nmap
# su -s /bin/bash www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ nmap -sn example.com
Starting Nmap 6.47 ( http://nmap.org ) at 2020-02-17 16:35 CST
Nmap scan report for example.com (93.184.216.34)
Host is up (0.011s latency).
Nmap done: 1 IP address (1 host up) scanned in 11.05 seconds
So how does ping scan of Nmap work? Why does ping need root permission and the nmap doesn't?
When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods. Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but this one establishes a full TCP connection!)
From the nmap website.
Env- Centos 7 , nmap 6.40
Currently I'm trying to fetch MAC/HW addresses for few list of IP's via nmap command utility and with root user its working perfectly.
As root user
nmap -sP -PE -iL <list-of-IPs>
Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-19 07:05 EDT
Nmap scan report for 192.168.xx.xx
Host is up (0.0015s latency).
MAC Address: XX:XX:XX:XX:XX:XX
As non-root user
nmap -sP -PE -iL <list-of-IPs>
Warning: You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-19 07:19 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.01 seconds
Requesting your suggestion/help how the same to be achieve via normal user.
Thanks
Nmap must be run as root in order to retrieve this information. Fortunately, there are other sources of MAC address information on a Linux system: the system's ARP tables. After making an attempt to contact an IP address (either using Nmap or some other tool like ping), run arp -n to print the table of IP-to-MAC address mappings.
It is possible to run nmap as non-root user. This Wiki describes pretty good how to set everything up to run it as an unprivileged user. The linked tutorial also describes this for Ubuntu and Red Hat systems, which should be good for you since you are on CentOS.
I think it is important to keep this security warning in mind:
WARNING: This is dangerous. The Nmap Scripting Engine (NSE) allows scripts to sniff the network, change firewall roules and interface configuration, or exploit vulnerabilities including on localhost. It's possible, especially with elevated capabilities, for a clever person to use Nmap and NSE to escalate to full root privileges. If you do not understand these risks, do not do this.
Summary from the Wiki:
1. Restrict access to certain groups, for example adm. Make sure that you use the right location of nmap. In my case, this was /usr/bin/nmap:
sudo chgrp adm /usr/bin/nmap
sudo chmod 750 /usr/bin/nmap
2. Make sure the setcap command is installed (more information about capabilities here):
sudo yum install libcap
3. Now, set the capabilities. Once again, make sure to use the right location.
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
4. Finally, you are able to run nmap as unprivileged user. But, you have to explicitly define that you want to do so. You can define it as an argument of nmap
nmap --privileged -sP -PE -iL <list-of-IPs>
or as an environmental variable:
export NMAP_PRIVILEGED=""
Edit: I don't exactly know why this answer is being down-voted since this is one possible answer to the question (although the question is of course better suited for Super User or Unix & Linux Stack Exchange). I added the results from my own systems with and without --privileged below:
$ nmap -sP -PE 192.168.0.1
Warning: You are not root -- using TCP pingscan rather than ICMP
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-20 08:52 CEST
Nmap scan report for <HOST NAME> (192.168.0.1)
Host is up (0.0011s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
$ nmap --privileged -sP -PE 192.168.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2018-06-20 08:52 CEST
Nmap scan report for <HOST NAME> (192.168.0.1)
Host is up (0.0014s latency).
MAC Address: XX:XX:XX:XX:XX:XX (<MANUFACTURER NAME>)
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
What is the meaning of the following command and why its not given at help menu of nmap?
Sample command: sudo nmap -sP -n 192.168.0.0-255
Sample output:
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-14 16:09 +06
Nmap scan report for 192.168.0.1
Host is up (0.0035s latency).
MAC Address: 20:L6:A7:55:3D:44 (D-link Technologies)
Nmap scan report for 192.168.0.104
Host is up (0.20s latency).
MAC Address: 18:97:F8:15:26:D9 (Zen Mobile Communication Technology)
Nmap scan report for 192.168.0.118
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.31 seconds
What does -sP mean and why is it used?
This command works properly, but it is not listed to man and help menu.
Please elaborate the circumstances.
From the man page:
In previous releases of Nmap, -sn was known as -sP..
I'm looking for methods (iptables rules, etc...) to prevent the asterisk version from showing on a nmap udp scan without closing (drop) the port. If I open it for some ip address, a nmap udp scan to port 5060 from this ip address can resolve the asterisk version(nmap -sU -sV -p 5060 <ipaddress>):
PORT STATE SERVICE VERSION
5060/udp open sip Asterisk PBX 1.8.13.0
Is there some way that only shows port 5060 open? Is it possible to hide this asterisk info or change it?
I think you can use pbx info by followin in sip.conf
useragent=SIPClient XXX
But actualy on my host that command show:
[root#pro-sip ~]# nmap -sU -sV -p 5060 78.47.XXX.XXX
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-12-05 22:35 UTC
Interesting ports on pro-sip.net (78.47.XXX.XXX):
PORT STATE SERVICE VERSION
5060/udp open|filtered sip
Nmap finished: 1 IP address (1 host up) scanned in 52.025 seconds
so maybe on your host it just find some issue and guess it is asterisk version XXX
This is Ubuntu 12.04 env. I have a TCP service running on port 8020 on the box:
My question is:
Why port 8020 is not discovered in nmap as an open port while nestat says it's listening?
if i run
netstat -tuplen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN 0 10564 1917/python
tcp 0 0 127.0.0.1:8020 0.0.0.0:* LISTEN 117 29259 4448/java
But if i run
nmap -v -sT 127.0.0.1
Starting Nmap 5.21 ( http://nmap.org ) at 2012-08-10 08:51 PDT
Initiating Connect Scan at 08:51
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 53/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9000/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Discovered open port 9001/tcp on 127.0.0.1
Completed Connect Scan at 08:51, 0.04s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00046s latency).
rDNS record for 127.0.0.1: hadoop-namenode-01
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
631/tcp open ipp
9000/tcp open cslistener
9001/tcp open tor-orport
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
By default nmap doesn't scan all ports. try this one.
nmap -sT -sU -p- 127.0.0.1
#Satish, you don't need to add -sU which will scan the UDP ports too, and take a while.
nmap -v -p 8020 127.0.0.1
This should be enough and instant.
By default nmap scans only the well know ports.
You specify a port by using the -p parameter.
To scan all ports : nmap -v -p "*" 127.0.0.1
To scan only port 8020 : nmap -v -p 8020 127.0.0.1