
Nmap v3.45



Guest leeach

Would any nmap users happen to know what ports it uses to scan a remote computer? As in what ports I should open up in my firewall so I won't have to completely disable it every time I use nmap?

Thanks in advance... :wink:


This is one of those lovely tools that I really have to point you to their site and man pages for. There is just so much you can do with it that is COOL! 8)

 

http://www.insecure.org/nmap/nmap_documentation.html

 

This is an option I use a lot:

 

-sS    TCP SYN scan: This technique is often referred to as "half-open"
       scanning, because you don't open a full TCP connection. You send a
       SYN packet, as if you are going to open a real connection and you
       wait for a response. A SYN|ACK indicates the port is listening. A
       RST is indicative of a non-listener. If a SYN|ACK is received, a
       RST is immediately sent to tear down the connection (actually our
       OS kernel does this for us). The primary advantage to this scanning
       technique is that fewer sites will log it. Unfortunately you need
       root privileges to build these custom SYN packets. This is the
       default scan type for privileged users.

 

I hate to be the READ the MAN page person, but this is one tool that I really think you would benefit most from if you read all about it! :P

 

Not to mention, if you're doing it at work or just on your ISP, you really better know what options you're using. If they catch you on their router or server logs, you don't want to have to explain you weren't trying to hack them, you were just playing around "wink, wink". Hacking nowadays, whether it was intentional or not, isn't taken lightly by the government or corporations. They illegally throw you in jail for years before you can get a fair trial for not really doing anything that major.

 

If you can, I would recommend using this in a closed network environment, like at home with several boxes. Just so the men in black don't make a stop at your house. 8)


Guest leeach

Needless to say, I've already read all the docs, and articles, and am not an Nmap newbie...

 

Nowhere have I found what ports it uses outbound or inbound, if any.

If anyone comes across any info on this, please reply.


Needless to say, I've already read all the docs, and articles, and am not an Nmap newbie...

 

Nowhere have I found what ports it uses outbound or inbound, if any.

If anyone comes across any info on this, please reply.

 

Actually, I think you did need to say that, because I don't believe you know how TCP works (RFC 793).

 

If you have TCP on your box, and I would bet 100% without a doubt you do, it will be working. When you do a scan, do you not see things like

 

22/tcp open ssh

25/tcp open smtp

53/tcp open domain

80/tcp open http

 

Along with UDP ports. That doesn't mean that you have to have ports 22, 25, 53 & 80 open on your box to scan those ports on another box.

 

If I may, let me copy the DESCRIPTION out of the MAN page that you read.

    Nmap is designed to allow system administrators and curious
    individuals to scan large networks to determine which hosts are up
    and what services they are offering. nmap supports a large number of
    scanning techniques such as: UDP, TCP connect(), TCP SYN (half open),
    ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN,
    ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. See the
    Scan Types section for more details. nmap also offers a number of
    advanced features such as remote OS detection via TCP/IP
    fingerprinting, stealth scanning, dynamic delay and retransmission
    calculations, parallel scanning, detection of down hosts via parallel
    pings, decoy scanning, port filtering detection, direct
    (non-portmapper) RPC scanning, fragmentation scanning, and flexible
    target and port specification.

 

I would suggest, even though you're not an nmap newbie, that you go back and read RFC 793 and all the information on insecure.org again. Sometimes it's easy to miss stuff.

 

8)


If I may interject....

 

From personal experience with watching netstat on my box from time to time, it seems that outbound ports for connections are rather random. It seems to be that most outbound connections, regardless of what they are connecting to on the other end, use random high port numbers (in the 3000s) that are unassigned to any services. This would make sense, because you would not want to use up a service-related port on an outbound connection.

 

As an example:

tcp        0      0 prajna.geektyme.o:32790 baym-cs78.msgr.hot:1863 ESTABLISHED

tcp        0      0 prajna.geektyme.o:32816 orwell.freenode.ne:6667 ESTABLISHED

tcp        0      0 prajna.geektyme.o:34905 192.168.1.6:22          ESTABLISHED

tcp        0      0 prajna.geektyme.o:32789 205.188.8.201:5190      ESTABLISHED

tcp        0      0 prajna.geektyme.o:32791 205.188.11.200:5190     ESTABLISHED

 

If you notice the connection to 192.168.1.6 port 22, this is an ssh session I have open to my server system (on the local network). If you notice the port being used on my computer, it's 34905. I don't believe nmap itself chooses the port, as it relies on services that the system provides to do its testing (in the way of the TCP service, for example). So, that is to say, I don't think you can really get an answer on what nmap uses, as nmap uses whatever port it is allowed to use by the system. It's outbound connections, not inbound ones. You can predict inbound based on the service, but outbound connections are given basically random, high-number ports for use.

 

At least, that's my slight bit of understanding on the subject. I could be wrong, however.

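The point made in the post above, that the local side of an outbound connection is an ephemeral port picked by the kernel while the remote side is the service port, checked in code. This is an added example, not code from the thread or from the Nmap project: it parses the netstat lines quoted above and then opens a loopback connection to show the OS assigning the source port. The ephemeral range is an assumption (the classic Linux default of 32768-61000; check `/proc/sys/net/ipv4/ip_local_port_range` on a real box).

```python
import re
import socket

# The netstat lines quoted in the post above, reused here as sample input.
NETSTAT_SAMPLE = """\
tcp        0      0 prajna.geektyme.o:32790 baym-cs78.msgr.hot:1863 ESTABLISHED
tcp        0      0 prajna.geektyme.o:32816 orwell.freenode.ne:6667 ESTABLISHED
tcp        0      0 prajna.geektyme.o:34905 192.168.1.6:22          ESTABLISHED
tcp        0      0 prajna.geektyme.o:32789 205.188.8.201:5190      ESTABLISHED
tcp        0      0 prajna.geektyme.o:32791 205.188.11.200:5190     ESTABLISHED
"""

# Assumed ephemeral range (classic Linux default); adjust to your kernel's setting.
EPHEMERAL_RANGE = (32768, 61000)

# netstat -n style line: proto, recv-q, send-q, local:port, remote:port, state
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_netstat(text):
    """Return (local_port, remote_host, remote_port, state) for each TCP line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
    return rows


def is_ephemeral(port, port_range=EPHEMERAL_RANGE):
    """True if the port falls inside the (assumed) kernel ephemeral range."""
    low, high = port_range
    return low <= port <= high


def outbound_port_summary(text):
    """Per connection: (local, remote, local_is_ephemeral, remote_is_ephemeral)."""
    return [(loc, rem, is_ephemeral(loc), is_ephemeral(rem))
            for loc, _, rem, _ in parse_netstat(text)]


def kernel_assigned_source_port():
    """Open a loopback connection without binding the client side; the kernel
    chooses the client's source port, which is what a firewall rule must allow."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a listener port
        srv.listen(1)
        service_port = srv.getsockname()[1]
        with socket.create_connection(("127.0.0.1", service_port)) as cli:
            src_port = cli.getsockname()[1]   # chosen by the OS, not by the program
            srv.accept()[0].close()
    return src_port, service_port
```

A stateful firewall that allows established/related return traffic therefore needs no fixed inbound port for the scanner's replies; the outbound side is whatever the kernel picked.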


Knowing which ports to block can be tough. The best policy is: if you don't need it or use it, block it. Other than that, here is an extensive list of trojan ports to block: http://doshelp.com/trojanports.htm
