I can't seem to get nmap brute force to work. I ran a scan with nmap which told me there is an open http port. This is just an example though, I've never got it to work. Anyways, I run this script:
nmap -p 81 --script rlogin-brute <IP> on the the target.
But unlike what it's supposed to to, this is the only response I am getting:
Host is up (0.070s latency).
PORT STATE SERVICE
81/tcp open hosts2-ns
Nmap done: 1 IP address (1 host up) scanned in 4.01 seconds
What am I doing wrong here? Like I said, I always get the same thing, no matter what script I am running or if it's tcp, ftp, http etc.
Thanks
You are using the rlogin-brute script, which works with the rlogin Unix service on port 513. Because the service name hosts2-ns and number 81 do not match, the script will not run. If you happen to know that the rlogin service is really running on this port, then adding -sV to your scan will detect the service and allow the script to run.
Take a look at the portrule:
portrule = shortport.port_or_service(513, "login", "tcp")
This means that it needs to detect port 513 as open. Since you specified -p 81, you're only scanning port 81 (bypassing 513).
You can't just pick which port you want to use no matter what servive if any is running on it and use a script developed for a different port and service.
Related
Sorry for the basic question but im a complete noob on those matters.
I have a cloud server where i run a jup[yter notebook server, which normally is run on port 8888.
However when i try to connect to it from work, it doesnt work, which i suspect is due to the firewall.
I can connect from work to a regular ssh session through port 22 or 443.
However the jupyter notebook refuses to be run on those ports, probably because they are allocated already.
I tried to run PortQry to get the open ports on my work server (which is windows) and it reurned port 50248. I tried to have my jupyter server to listen on that one but it didnt work.
I also tried to scan the open port of my work server, but i received a warning from AWS! And the few ports that were returned as seemingly opened didnt work either when i set up my jupyter notebook to listen on them.
I would like to understand:
On my own server: How can i identify which port the jupyter server program can listen on?
On my work machine: How can i identify which one of my own server port would be let through the firewall of my work?
You need to use SSH local port forwarding.
https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding
You will open a SSH connection to your server but a local port, lets say 4444, will connect over the SSH connection and resolve to 8888 on the remote server.
With this you'd be able to open a browser locally and go to localhost:4444 and it would resolve to your remote hosted site. The command for this locally would be something like -
ssh -L 4444:localhost:8080 yourremoteserveraddress
An alternative option would be to use a SOCKS proxy via dynamic forwarding but this would involve needing to reconfigure your browser.
Always keep in mind any company policies around this type of thing. Even though 22 and 443 are open to the internet, use of them in this manner may break a policy and there is always the possibility of the company using a MITM proxy to monitor for this type of usage, specifically on 443.
I have setup a simple HTTP java server running locally on port 8000. It simply prints a message "Hello world" when a request comes. When I try to ping it from the browser by running http://localhost:8000/test I get my message printed.
I want to get the same results from another computer that is not local. When I try to use my public IP lets say http:/43.xxx.xxx.xxx:8000/test (even from the same machine) I get an ERR_CONNECTION_REFUSED .
I probably suspect that has something to do with the firewall. Can anyone guide me a little more because I lack the experience?
Thanks in advance
You don't specify what host OS your server/firewall is running so I'll keep this generic...
Without knowing your application, it seems like the server is sending a reset (RST packet) when the first SYN packet shows up indicating that the port (on that interface [your external]) is closed. You can do a quick port scan from here (https://mxtoolbox.com/PortScan.aspx) if you don't have access to a remote machine to test with. Odds are, TCP/8000 will not be open.
If it is, in fact, closed, you'll have to look at the firewall that your host OS is running and find out how to allow TCP/8000 to your host. In a major firewall vendor, your rule would look similar to this:
Source: Any
Destination: Your Public IP Address
Service: TCP/8000
Action: Allow
Logging: Full
That being said, you mentioned this was a PC so look into "iptables" (if you're running *nix) or the Windows Firewall (if you're running Windows) on adding firewall rules (Unfortunately I just joined and can't ask questions/comments, yet).
If you really want to find out what packet is being sent, run a tcpdump on your external interface (let's say eth1) (assuming your remote IP is 1.2.3.4 and your home public IP is 4.5.6.7):
tcpdump -nn -vvv -e -s 0 -X -c 100 -i eth1 host 1.2.3.4 and host
4.5.6.7 and port 8000
Here you're looking for the SYN/SYN-ACK/ACK for a successful TCP negotiation or SYN/RST if there is a firewall rejecting (not dropping) the TCP stream to the port.
Once the port is open on the host OS firewall, take a look at the application to make sure it's configured properly. If this were a standard webserver, you could take a look at the configuration files for the "Allow from" directives to make sure that everyone can access the site. If this is a custom application that you've created, you'll have to check this yourself.
I finally solved my problem. I needed to open a forwarding port in my router that maps my local ip address to the public. My router is TP Link so this what I did:
http://www.tp-link.com/us/faq-72.html
Also in order for this to work every time and not to have to reconfigure this every time I reconected to the router (because I get a new local IP), I have created a static local ip for my server following this guide:
http://www.tp-link.com/us/faq-182.html
Thanks for all the replies.
Can anybody help me with using nmap? I don't quite get it when it comes to find out which port a specific server is running on.
To exemplify my issue, I have to install the apache2 web server on an Ubuntu OS. Then, I have to start its daemon (no problem, I simply ran "service apache2 start", which, I think, really did the job for me). Now, I just have to figure out on which port this service is running. I read about netstat and nmap, but I don't really know which parameters I should use in order to find out the port. So, my question is : Is there any way to find out the port this service is using? If yes, how could I do that?
Furthermore, if I wanna find out which ports are opened (in "established" or "listening" state) on a specific server, how should I proceed to find out?
Thanks very much in advance.
netstat -tlp does what you ask for. nmap would work (e.g. nmap -n localhost), but why scanning ports if you just can ask the system?
I am building a web app that uses some nmap flags, such as -O, which require a root user to run. Since I'm running this through a Java application, I don't want to run everything as root to accomplish this. Is it possible to change the nmap privs to all be non-root? Alternatively, what other options are there?
Nmap requires root privileges for some operations because the underlying OS requires them for the kinds of behavior Nmap uses: raw sockets and network sniffing, primarily. It's not something you can just change.
One option would be to only use the features of Nmap that do not require root. These features include:
Reverse name resolution
TCP host discovery (e.g. not ICMP ping or ARP)
TCP Connect scan (-sT)
Service version scan (-sV)
Most NSE scripts (e.g. not the broadcast or sniffer scripts)
The features that require root are:
ICMP and UDP host discovery
TCP SYN, FIN, NULL, XMAS, and other scan modes
UDP scan
OS fingerprinting
Traceroute
A few NSE scripts
It's important to note that Nmap doesn't have protections to prevent a root user from executing arbitrary code. This means that it is very unsafe to use it as a setuid program or to allow a non-admin user to run it with sudo.
A little research has been done into running Nmap with Linux file capabilities. You can see how to do this on the Running nmap as an unprivileged user page on SecWiki.org.
I need to scan the open ports of my server.
I tried nmap by: nmap ***.dyndns.info from within my local network.
It gave me:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-09 16:05 JST
Nmap scan report for ***.dyndns.info (***.***.***.39)
Host is up (0.00097s latency).
rDNS record for ***.***.***.39: ************.ne.jp
Not shown: 994 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
Then I tried the open ports tool provided by dyndns.com by specifying a specific port like:
global ip address 23
global ip address 53
global ip address 80
For each of those tests, it gave me "timed out" as a result, which is contradictory with the nmap results.
I know that depending on the way that nmap performs the tests, it may turn out that the result is "open".
So, I think the best way to test the ports of a given server is from outside, like the dyndns open ports tool.
But I'd like to test all ports at once, as opposed to one by one.
Is there any reliable tool for that, especially that I can use in command line?
I am on ubuntu 10.10.
Try Gibson Research Corporation ShieldsUP. It will test your firewall.
Note that whether or not a port is 'open' is also a function of the requesting source host and port; it is pretty easy to configure a firewall system to open a port for a specific set of source IP and port ranges. So there's no sure-fire way to tell if a port is open or not from the outside; netstat -an or similar tools will more reliably tell you which ports are open. (Except in the case of a rootkit, but any respectable rootkit would probably limit access to the open ports to a handful of netblocks as well, just to keep their property theirs.)
It'd be a piece of cake to buy a VPS slice from your favorite hosting provider for $10 for a month and portscan your own machine; nmap's default -T3 scanning option already parallelizes the scan, which is useful, but if your network connection is decent, -T4 may go more quickly.