I am building a web app that uses some nmap flags, such as -O, which require a root user to run. Since I'm running this through a Java application, I don't want to run everything as root to accomplish this. Is it possible to change the nmap privs to all be non-root? Alternatively, what other options are there?
Nmap requires root privileges for some operations because the underlying OS requires them for the kinds of behavior Nmap uses: raw sockets and network sniffing, primarily. It's not something you can just change.
One option would be to only use the features of Nmap that do not require root. These features include:
Reverse name resolution
TCP host discovery (e.g. not ICMP ping or ARP)
TCP Connect scan (-sT)
Service version scan (-sV)
Most NSE scripts (e.g. not the broadcast or sniffer scripts)
The features that require root are:
ICMP and UDP host discovery
TCP SYN, FIN, NULL, XMAS, and other scan modes
UDP scan
OS fingerprinting
Traceroute
A few NSE scripts
It's important to note that Nmap doesn't have protections to prevent a root user from executing arbitrary code. This means that it is very unsafe to use it as a setuid program or to allow a non-admin user to run it with sudo.
A little research has been done into running Nmap with Linux file capabilities. You can see how to do this on the Running nmap as an unprivileged user page on SecWiki.org.
Related
I'm trying to understand the basics of nmap and its functionality. I am using wireshark to check the network flow. I have a question regarding the following option.
What is the difference between the following commands. Is it recommended to use the -P0 option or not?
nmap -p113 scanme.nmap.org
nmap -p113 -P0 scanme.nmap.org
I have been trying to find what the -P0 option does but i can't find it in any nmap options cheat sheet.
From the nmap manual we learn:
In previous versions of Nmap, -Pn was -P0. and -PN..
Therefore, -P0 is now -Pn.
Now what is -Pn?
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. [...]
I am attempting to run the FreeRTOS+TCP demo (release 10.1.1):
The code is written for the Windows Simulator, but I am attempting to target the Xilinx Zynq, emulated by QEMU (version 4.2.0). The host machine is Ubuntu 16.04. There exists a
Network Interface port for the TCP part of FreeRTOS+TCP, so this should be possible.
One of the obvious modifications to the demo is changing the way messages are printed, and removing calls to the Windows Sleep function. Also, I am using ARM semihosting to view the output of the print statements.
Besides these changes, what changes will I need to make to the command line call? The demo creates a TCP echo server and client. If these are tied together, then no traffic should need to go to the host, right? Is there anything special I would need to do to get this to work? I don't have a ton of experience with networking.
Since this is technically a baremetal application, CLI options like -nic user,hostfwd=tcp::5022-:22 give the warning qemu-system-arm: warning: nic cadence_gem.1 has no peer.
(Found at How to replace `qemu-system -redir` command argument?).
If I ever did want to send traffic between the host and guest (like having a ncat echo server, instead of in FreeRTOS), how would I go about doing that?
Here is a related problem, with no solution:
Running LWIP TCP/IP Stack with QEMU
Current command line arguments:
qemu-system-arm -semihosting --semihosting-config enable=on,target=native -nographic -serial mon:stdio -machine xilinx-zynq-a9 -m 512M -cpu cortex-a9 -nic user,hostfwd=tcp::12346-:7 -kernel build/rtos_demo_tcp/rtos_demo_tcp.elf
Current output (I enabled extra debug messages):
qemu-system-arm: warning: nic cadence_gem.1 has no peer
Seed for randomiser: 1591112953
Random numbers: 00001294 00001925 000022D0 00005CC3
FreeRTOS_IPInit
vTaskStartScheduler
prvIPTask started
Network buffers: 30 lowest 30
IP Address: 10.2.118.223
Subnet Mask: 255.255.255.0
Gateway Address: 10.2.118.1
DNS Server Address: 208.67.222.222
Socket 7 -> 0ip:0 State eCLOSED->eTCP_LISTEN
Then this next bit repeats indefinitely, with a different socket number each time:
FreeRTOS_connect: 14207 to a0276dfip:7
Socket 14207 -> a0276dfip:7 State eCLOSED->eCONNECT_SYN
ARP for a0276dfip (using a0276dfip): rc=0 00:00:00 00:00:00
Network buffers: 30 lowest 29
Connect[a0276dfip:7]: next timeout 1: 500 ms
ARP for a0276dfip (using a0276dfip): rc=0 00:00:00 00:00:00
Connect[a0276dfip:7]: next timeout 2: 500 ms
ARP for a0276dfip (using a0276dfip): rc=0 00:00:00 00:00:00
Connect[a0276dfip:7]: next timeout 3: 500 ms
Connect: giving up a0276dfip:7
Socket 14207 -> a0276dfip:7 State eCONNECT_SYN->eCLOSE_WAIT
FreeRTOS_closesocket[14207 to a0276dfip:7]: buffers 30 socks 1
Summary: How do I change the way I am calling QEMU so that the TCP client and server can connect to each other?
I would recommend trying out all of the options enumerated in the qemu networking guide:
- SLIRP: -netdev user,id=mynet0,net=192.168.76.0/24,dhcpstart=192.168.76.9
- TAP: -netdev tap,id=mynet0
- SOCKET: -netdev socket,id=mynet0,listen=:1234 and -netdev socket,id=mynet0,connect=:1234
And there is much more in the guide. Something you might also consider is that it might be difficult for you to port-forward directly from the VM you care about to the host, and it might be easier to connect that VM to another VM and port-forward from that second VM to your host.
Sounds a bit odd, but that's something I've needed to do before. To talk between two VM's I find sockets to be the best method. They work sort of like a "virtual crossover cable".
This VM to VM method would allow you to simply have to set up corresponding static IP's and subnets on each VM and then ncat's would work between them. Do away with all of the complexity of a DHCP server and any sort of port-forwarding.
I can't seem to get nmap brute force to work. I ran a scan with nmap which told me there is an open http port. This is just an example though, I've never got it to work. Anyways, I run this script:
nmap -p 81 --script rlogin-brute <IP> on the the target.
But unlike what it's supposed to to, this is the only response I am getting:
Host is up (0.070s latency).
PORT STATE SERVICE
81/tcp open hosts2-ns
Nmap done: 1 IP address (1 host up) scanned in 4.01 seconds
What am I doing wrong here? Like I said, I always get the same thing, no matter what script I am running or if it's tcp, ftp, http etc.
Thanks
You are using the rlogin-brute script, which works with the rlogin Unix service on port 513. Because the service name hosts2-ns and number 81 do not match, the script will not run. If you happen to know that the rlogin service is really running on this port, then adding -sV to your scan will detect the service and allow the script to run.
Take a look at the portrule:
portrule = shortport.port_or_service(513, "login", "tcp")
This means that it needs to detect port 513 as open. Since you specified -p 81, you're only scanning port 81 (bypassing 513).
You can't just pick which port you want to use no matter what servive if any is running on it and use a script developed for a different port and service.
scan types, begin with -s, such as nmap -s* target_host
ping options, begin with -P, such as nmap -P* target_host
I have used wireshark and nmap to see underlying actions options -P*.
When I run both command
nmap -p9527 target_host
and
nmap -sP target_host
I found that the only distinction is that -sP cannot be used with port scan option, such as -p9525.
I wanna to clarify, whether both of two option -s* and -P* are used to detect the liveness of target host.
By the way, my environment is on kali which is running on virtual host. I used tcpdump to catch packets and wireshark to analyze.And I run commands as root user.
There are many phases to an Nmap scan, and the two that these options refer to are host discovery and port or protocol scan.
The -P* family of options are all different ways to do host discovery. The default scan (if none of these is chosen) performs host discovery using the best method available. The -Pn option tells Nmap to skip this phase altogether. It used to be documented as -PN, but we changed it to conform with the other "turn this feature off" options. Before that, it was -P0, but there was confusion between that and -PO.
The -s* family of options are all different types of port and protocol scans. The default scan is a TCP port scan with either -sS or -sT, depending on privilege level. The -sn option tells Nmap to skip this phase altogether. It used to be documented as -sP (for "Ping scan"), but that caused the kind of confusion that you and others have reported.
Usually aping scan of some sort is done first, and then the hosts that have been found to be up are scanned for open ports.
You can turn the ping scan off (-Pn). There are also many types of ping scans, including TCP on an optionally specified port. Which varieties of scan are availabledepends on whether you have root privileges. IF you are not root, then ICMP echo ping is not available.
nmap -p9527 target_host with no other options will first ping the target, and then scan TCP port 9527.
A ping scan with sP (i.e. ping only) is only for testing which hosts are up. The port scan is omitted. So yeah, it's incompatible with specifying which ports should be scanned.
I need to scan the open ports of my server.
I tried nmap by: nmap ***.dyndns.info from within my local network.
It gave me:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-09 16:05 JST
Nmap scan report for ***.dyndns.info (***.***.***.39)
Host is up (0.00097s latency).
rDNS record for ***.***.***.39: ************.ne.jp
Not shown: 994 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
Then I tried the open ports tool provided by dyndns.com by specifying a specific port like:
global ip address 23
global ip address 53
global ip address 80
For each of those tests, it gave me "timed out" as a result, which is contradictory with the nmap results.
I know that depending on the way that nmap performs the tests, it may turn out that the result is "open".
So, I think the best way to test the ports of a given server is from outside, like the dyndns open ports tool.
But I'd like to test all ports at once, as opposed to one by one.
Is there any reliable tool for that, especially that I can use in command line?
I am on ubuntu 10.10.
Try Gibson Research Corporation ShieldsUP. It will test your firewall.
Note that whether or not a port is 'open' is also a function of the requesting source host and port; it is pretty easy to configure a firewall system to open a port for a specific set of source IP and port ranges. So there's no sure-fire way to tell if a port is open or not from the outside; netstat -an or similar tools will more reliably tell you which ports are open. (Except in the case of a rootkit, but any respectable rootkit would probably limit access to the open ports to a handful of netblocks as well, just to keep their property theirs.)
It'd be a piece of cake to buy a VPS slice from your favorite hosting provider for $10 for a month and portscan your own machine; nmap's default -T3 scanning option already parallelizes the scan, which is useful, but if your network connection is decent, -T4 may go more quickly.