The Joy of NMAP

A program I use on Linux a huge amount is NMAP. It was first written 21 years ago! It can be used in a variety of ways, but its simplest use is a basic scan of what is on your network. I will document some very simple uses.

First of all, see what is responding to pings on your local network.

nmap -sn 192.168.1.0/24

(I used to always use -sP. This was the old way and it still works.)

gives a variety of hosts – e.g.

Nmap scan report for host1 (192.168.1.10)
Host is up (0.00021s latency).
Nmap scan report for host2 (192.168.1.11)
Host is up (0.00044s latency).

Very useful for a basic scan of what is out there. It simply uses ping to find hosts, so any host whose local firewall blocks ping will not appear in the list.

The next use of nmap requires root permission. Let's see the MAC address of each host. We will run the same scan, but this time with sudo.

sudo nmap -sn 192.168.1.0/24

gives the MAC address of each host. You should see under each host –

MAC Address: AA:BB:CC:DD:EE:11 (Unknown)

Now let us look at a particular host and see what ports are open.

nmap 192.168.1.10

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-20 13:28 BST
Nmap scan report for host1 (192.168.1.10)
Host is up (0.0066s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
3128/tcp open  squid-http

We can see that ports 22, 111 and 3128 are open; as the SERVICE column says, ssh and squid are listening. You do not want SSH open to the whole world without other limitations, but this is a local scan so that is fine.

What about seeing which other servers are listening on SSH? Again assuming we are in the local network 192.168.1.0/24, run

nmap -p 22 192.168.1.0/24

The lowercase p is followed by the port you want to check, in this case 22 for SSH. You will see all hosts whether they have port 22 open or not. On hosts that are up but have no SSH server you will see closed.

On hosts that have a firewall you will see "filtered", meaning the host is up but the firewall did not let nmap determine whether the port is open or closed.

It is often handy to check that your host is firewalled correctly from the outside by running nmap from a host outside your network against your external IP address, to see which ports are blocked and which are open.

Finally, with root permissions you can get nmap to probe the host and try to work out what OS it is running. This is not perfect but actually works better than you would think. Run with

sudo nmap -O 192.168.1.11

You will see back something like

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

Handy for that rogue host on the network that you have forgotten is plugged in!
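
As an added example (not part of the original post), here is a small shell script that turns the two sweeps described above, the root ping sweep with sudo nmap -sn and the single-port scan with nmap -p 22, into a quick inventory check. The scan output embedded in it is constructed to match nmap's normal output format and is not real scan data; KNOWN_MACS is an assumed allow-list of the devices you expect on the LAN, and the function names are mine. It generalises the "rogue host" idea a little: any host whose MAC is not on the allow-list is reported, and the state of port 22 (open, closed or filtered) is listed per host.

```shell
#!/bin/sh
# Added example, not from the original post. Parses nmap normal output
# from the two scans in the post and reports (a) hosts whose MAC is not on
# an allow-list and (b) the state of a chosen port on every host.

# Constructed output of: sudo nmap -sn 192.168.1.0/24   (not real scan data)
SAMPLE_SWEEP='Nmap scan report for host1 (192.168.1.10)
Host is up (0.00021s latency).
MAC Address: AA:BB:CC:DD:EE:11 (Unknown)
Nmap scan report for host2 (192.168.1.11)
Host is up (0.00044s latency).
MAC Address: AA:BB:CC:DD:EE:22 (Unknown)
Nmap scan report for 192.168.1.50
Host is up (0.0010s latency).
MAC Address: AA:BB:CC:DD:EE:99 (Unknown)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

# Constructed output of: nmap -p 22 192.168.1.0/24   (not real scan data)
SAMPLE_PORTSCAN='Nmap scan report for host1 (192.168.1.10)
Host is up (0.00021s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for host2 (192.168.1.11)
Host is up (0.00044s latency).
PORT   STATE  SERVICE
22/tcp closed ssh

Nmap scan report for 192.168.1.50
Host is up (0.0010s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh'

# Assumed allow-list: the MAC addresses you expect to find on this LAN.
KNOWN_MACS='AA:BB:CC:DD:EE:11
AA:BB:CC:DD:EE:22'

# Read a root ping sweep on stdin and print "IP MAC" for every host that answered.
sweep_pairs() {
    awk '
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
        /^MAC Address:/         { print ip, $3 }
    '
}

# Print "IP MAC" for every host whose MAC is not on the allow-list (the rogue host).
unknown_hosts() {
    sweep_pairs | while read -r ip mac; do
        case "$KNOWN_MACS" in
            *"$mac"*) ;;                          # expected device, say nothing
            *)        printf '%s %s\n' "$ip" "$mac" ;;
        esac
    done
}

# Read a single-port scan on stdin and print "IP STATE" for port $1
# (STATE is open, closed or filtered, exactly as nmap reports it).
port_state() {
    awk -v port="$1/tcp" '
        /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
        $1 == port              { print ip, $2 }
    '
}

# Usage on the constructed samples. In practice pipe in the real commands:
#   sudo nmap -sn 192.168.1.0/24 | unknown_hosts
#   nmap -p 22 192.168.1.0/24    | port_state 22
echo "Hosts with unexpected MAC addresses:"
printf '%s\n' "$SAMPLE_SWEEP" | unknown_hosts
echo "State of port 22 on each host:"
printf '%s\n' "$SAMPLE_PORTSCAN" | port_state 22
```

Save the real scan output with nmap's -oN option and pipe the file through the functions whenever you want to repeat the check; a host that shows up in unknown_hosts, or a host where port 22 has moved from closed to open since last time, is the one to go and look at.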

Remote access to SystemRescueCD

There are lots of good rescue CDs out there. The one I have used for the last 12 years is System Rescue CD. Why? As well as lots of handy tools, the key feature I have used countless times is that it easily runs an SSH server. Imagine you need to fix a machine that is in a difficult place to work, perhaps in a different office or even a different country. You can SSH in and try to fix it. I have used this disk to work on servers thousands of miles away. It works happily on workstations and laptops even if they do not run Linux. Importantly, it works well on VMs that you can boot from CD.

Getting remote access is easy. Boot from the CD, choose a keymap (or take the default), set the root password with

passwd

and finally find the IP address you have been given with

ifconfig

Connect to it as root. From there you have full access to command line tools to try to fix the machine or recover files from it. Often it is a case of mounting the disk and using rsync to copy everything off. For Windows networks the CD can run a Samba share (just look at /etc/smb.conf for more information).

Being a Linux based CD, you can chroot into a mounted disk and sometimes run a service from the broken install, if it too is Linux based.

One very useful tool that only runs on the supplied X Windows desktop is gparted. It lets you easily modify partitions, including allocating more space to a partition as long as it is Ext3 or Ext4. As I say, it only works under X Windows, but if you have a Linux desktop you can use SSH to run graphical programs from one machine on another, so this works too. Simply connect to the machine running SystemRescue with ssh -X.

Go to the homepage at https://www.system-rescue.org/ for lots of really useful ideas on how to fix things for both Linux and Windows.

From version 6.1 onwards you also need to stop the firewall blocking access to sshd. Have a look at https://wasteofserver.com/systemrescuecd-6-1-x-and-sshd/

You could simply run

iptables -F
systemctl restart sshd
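
The iptables -F above flushes every rule, which opens every port on the rescue system rather than just sshd. As an added example (not from the original post or from the SystemRescue project), here is a narrower alternative that inserts a single ACCEPT rule for TCP/22 and then restarts sshd. IPT and SSH_PORT are assumed variables of my own, there so the rule can be previewed before it is applied as root; the function names are also mine.

```shell
#!/bin/sh
# Added example, not from the original post or the SystemRescue project.
# Instead of `iptables -F` (which drops every rule and opens every port),
# insert one ACCEPT for the SSH port and restart sshd. IPT and SSH_PORT are
# assumed variables so the rule can be previewed without touching the firewall.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

# The rule text, built once so preview and apply cannot drift apart.
ssh_allow_rule() {
    printf '%s' "-I INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
}

# Insert the rule at position 1 of INPUT so it is matched before any DROP/REJECT.
# (Word-splitting of the rule text into separate arguments is intended.)
allow_ssh_in() {
    "$IPT" $(ssh_allow_rule)
}

# Open the port first, then restart sshd so a connection can be tried straight away.
open_rescue_ssh() {
    allow_ssh_in && systemctl restart sshd
}

# Preview by default; apply only when run as root with --apply.
echo "Would run: $IPT $(ssh_allow_rule)"
if [ "${1:-}" = "--apply" ]; then
    open_rescue_ssh
fi
```

Run it once without arguments to see the exact rule, then as root with --apply. Everything else the rescue system's firewall blocked stays blocked, which matters when the machine you are rescuing is reachable from more than your own desk.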

Emergency Reboot/Power off

I posted this before on an old blog, but I thought I would put it here. Nowadays most machines run as VMs so it is not an issue to reboot them, but just in case you have a physical server that you do not have access to, or one that is stuck in a server room, here is how to do it.

You can force an immediate reboot with the following:

echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger

For an immediate power off

echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger

Using “Screen”

A command I use a lot is the screen command. What does this do? It creates a completely separate session on the machine you are on. You can leave it and come back to it, even if you log off the machine. To start, type screen. It will take you into the new session. If you type exit it will take you back to the shell you were in. If instead you simply want to disconnect from the session but leave it running, hit Ctrl + a then immediately hit the d key. You can reconnect by running screen -r.

This is a very useful way of using sessions for two reasons. Firstly, if you are on a wobbly connection (for example a mobile) or a connection that times out. I use this on a server that is on a connection that disconnects after 5 minutes of inactivity. Fine for email or web browsing, but annoying if you are using SSH and need to go and do something else for a little while. If you are in one office in the middle of working and then need to head to another office, you can disconnect with Ctrl + a then d and reconnect from somewhere else with screen -r.

For example you can run top in a session, disconnect and reconnect to find it still running. This brings us to the second use of the screen command: as a cheating way of running a daemon process. If you start a process running you can disconnect the session and leave it running. When you want to stop it, reconnect and stop it.

It is often useful to create multiple sessions that you want to reconnect to. If you do that, running screen -r will show you a list of sessions. For example –

22188.pts-16.xen1 (01/10/20 13:35:41) (Detached)
22175.pts-16.xen1 (01/10/20 13:35:32) (Detached)

To reconnect to a particular session run

screen -r NAME

e.g.

screen -r 22188.pts-16.xen1

It is useful to name each of these sessions when you create them. You do this with screen -S NAME, for example screen -S database. Reconnect with screen -r database.

The only difference between a screen session and a normal session is that when text scrolls off the screen you cannot just scroll back.
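
As an added example (not part of the original post), here is a small wrapper around the named-session idea above. screen -dmS NAME CMD starts a detached session called NAME running CMD, which is the "cheating daemon" from earlier without having to attach and detach by hand, and screen -ls prints the same PID.NAME listing that screen -r shows when several sessions exist. The listing embedded below is constructed for the parser and is not real output; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Parses a `screen -ls` listing
# into session names and starts a named detached session only if it is not
# already running, so the wrapper can be re-run safely from a cron job or a
# login script.

# Constructed `screen -ls` listing (not real output) in the PID.NAME format
# shown in the post; sessions named with -S appear as PID.NAME.
SAMPLE_LS='There are screens on:
    22188.database    (01/10/20 13:35:41)    (Detached)
    22175.pts-16.xen1 (01/10/20 13:35:32)    (Detached)
    22160.backup      (01/10/20 13:20:02)    (Attached)
3 Sockets in /run/screen/S-root.'

# Read a `screen -ls` listing on stdin and print one session name per line
# (the part after the PID and dot, e.g. "database").
session_names() {
    awk '$1 ~ /^[0-9]+\./ { sub(/^[0-9]+\./, "", $1); print $1 }'
}

# Exit 0 if a session called $1 appears in the listing on stdin.
has_session() {
    session_names | grep -qxF -- "$1"
}

# Start a detached session called $1 running the remaining arguments,
# unless one by that name is already listed. Reattach later with: screen -r NAME
ensure_session() {
    name="$1"; shift
    if screen -ls 2>/dev/null | has_session "$name"; then
        echo "session '$name' already running; reattach with: screen -r $name"
    else
        screen -dmS "$name" "$@"
    fi
}

# Demonstration on the constructed listing (does not need screen installed).
# A real call would be: ensure_session database ./run-database.sh
echo "Sessions in the sample listing:"
printf '%s\n' "$SAMPLE_LS" | session_names
```

One caveat the post already hints at: a process started this way survives your logout but not a reboot, and nothing restarts it if it crashes, so it is a convenience for one-off jobs rather than a replacement for a proper service.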