Lots of great info, Wes! Thanks! Wanna give a presentation on security
sometime? :-)
~M
On Sat, 22 Dec 2001, Wes Bateman wrote:
> Hey Carl:
>
> As was mentioned before, netstat can help you.
>
> netstat -l
>
> or, I like to do
>
> netstat -nap
>
> the -p is helpful to tell you what process is bound to that
> "listening" port
>
> lsof can also be helpful (especially if somebody trojaned your netstat,
> but didn't think about lsof :)
>
> If you really don't trust the box, then you might want to go ahead and
> nmap it from another, trusted host. You might want to include the full
> range of ports, as nmap will default to only scanning 1-1024 and ports
> listed in nmap's (rather comprehensive) services file. People like to
> bind rogue services to all sorts of weird port numbers, usually high
> numbered, as non-stateful firewalls often allow connections to ephemeral
> ports.
>
> Also, always good to see what's in a ps axf command, and maybe what lurks
> in your startup scripts and cron.
>
> If you really don't trust the box, then in addition to the nmap scan, I
> wouldn't trust anything the running kernel told you (or told your
> userspace tools like ps, netstat, etc.). Rather, I'd boot from trusted
> media (like a rescue disk) or pull the drive and mount it in a trusted
> host. Then you can really be certain that what you see is what you
> get/have ;) But that's me, YPMV (your paranoia may vary) ;D
>
> I might also throw a sniffer on the network(s) that the host is connected
> to and capture all traffic for a period. Then you could see illicit icmp,
> udp, ecp, etc. traffic going on, in addition to the tcp stuff you scanned
> for with nmap. You could scan udp with nmap...but that can take a
> painfully long time :) UDP has no way to say "rst" on its own ;) Anyhow,
> if you do sniff the traffic, you probably want a snaplen of 1514 or so
> (1500 MTU for ethernet, plus the 14 bytes for the ethernet frame
> header). If it's a real busy network segment, then you might not be able
> to do that. In that case you could set a snaplen of 96 or something and
> get all the headers, and a little peek at the contents. Of course, when
> you see something interesting on the wire, you'll be kicking yourself for
> not having the whole packets. Ah, the trials and tribulations of a
> network voyeur ;D
>
> Good luck,
>
> Wes
>
> --
> Wes Bateman, GCIA
> Chief Security Officer
> ManISec, Inc. - "Managed Internet Security Services"
> http://www.manisec.com
> wes@manisec.com
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
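As an added example (not from Wes's mail or anything on the list), here is a small Python script that does the cross-check Wes describes: it parses `netstat -nap` and `lsof -nPi` output for listening sockets and reports any port that only one tool shows, which is the kind of gap a trojaned netstat leaves behind. The two sample outputs embedded below are constructed; the extra listener on 31337 and its process name are made up to trigger the check.

```python
# Constructed sample of `netstat -nap` output (Linux format); not captured from a real host.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      640/sendmail
tcp        0      0 10.0.0.5:22             10.0.0.9:40123          ESTABLISHED 900/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           410/ntpd
"""

# Constructed sample of `lsof -nPi` output; the last line is a listener netstat did not show.
LSOF_OUTPUT = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      512 root    3u  IPv4   1234      0t0  TCP *:22 (LISTEN)
sendmail  640 root    4u  IPv4   1301      0t0  TCP 127.0.0.1:25 (LISTEN)
ntpd      410 ntp    16u  IPv4   1400      0t0  UDP *:123
sshd      900 root    5u  IPv4   2222      0t0  TCP 10.0.0.5:22->10.0.0.9:40123 (ESTABLISHED)
unknown   777 root    3u  IPv4   3333      0t0  TCP *:31337 (LISTEN)
"""

def netstat_listeners(text):
    """Return {(proto, port): program} for sockets netstat -nap shows as listening."""
    found = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        # TCP has a State column; UDP does not, so a wildcard peer means "bound".
        listening = f[5] == "LISTEN" if f[0] == "tcp" else f[4].endswith(":*")
        if listening:
            found[(f[0], int(f[3].rsplit(":", 1)[1]))] = f[-1].split("/", 1)[-1]
    return found

def lsof_listeners(text):
    """Return {(proto, port): command} for sockets lsof -nPi shows as listening."""
    found = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[7] not in ("TCP", "UDP"):
            continue
        # TCP listeners carry "(LISTEN)"; a UDP socket without a "->" peer is bound.
        listening = "(LISTEN)" in line if f[7] == "TCP" else "->" not in f[8]
        if listening:
            found[(f[7].lower(), int(f[8].rsplit(":", 1)[1]))] = f[0]
    return found

def compare_listeners(netstat_text, lsof_text):
    """Ports reported by only one tool; anything here deserves a closer look."""
    n, l = netstat_listeners(netstat_text), lsof_listeners(lsof_text)
    return {"only_netstat": sorted(set(n) - set(l)), "only_lsof": sorted(set(l) - set(n))}

if __name__ == "__main__":
    print(compare_listeners(NETSTAT_OUTPUT, LSOF_OUTPUT))
```

On a live box, feed it the real output of both commands; an empty result only means the two userspace tools agree, not that the kernel is telling the truth, which is why Wes also suggests the nmap scan from another host.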