Unix Tip: Finding services on a subnet

By , ITworld.com |  Operating Systems, find, nmap


# nmap -p 1521 10.1.2.34

However, you will get a much speedier response if you include some additional options with your nmap request:


# nmap -p 1521 -P0 -sT 10.1.2.34

The -P0 (P and zero) option tells nmap to skip host discovery, i.e., not to ping the systems first; current nmap releases spell this option -Pn, with -P0 kept as an alias. The -sT option says to use a plain connect() system call to detect port status (this is also what nmap does by default when you are not root; as root the default is the SYN scan, -sS). While a connect scan is easy for intrusion detection systems to pick up, a single-port probe against one host normally stays below a port-scan threshold, though the connection attempt will still show up in the target's own logs if it records them.

This query is likely to respond in a matter of seconds where, without the additional arguments, you might wait a minute or more for the answer.

The output that you receive will include a status indicator for the port. For a connect scan you will normally see one of three: open, closed or filtered (nmap also has unfiltered, open|filtered and closed|filtered, which other scan types produce). Open and closed are fairly obvious. If some service is listening on that port and accepts the connection, you will see "open". If the host answers with a reset because nothing is listening, you will see "closed"; a closed port still tells you the host is up and reachable. "Filtered" means that no usable answer came back, typically because a firewall or a similar obstacle dropped the probe or returned an ICMP unreachable, so you can't tell whether a service is there. In that case you might have to run your nmap query from a system on the same subnet as the system or systems you are curious about. "Unfiltered", which you will only see from an ACK scan (-sA), means that the port is reachable, but that scan type cannot determine whether it is open or closed.

Compared with many of the more aggressive scans that nmap is capable of, querying a single port, even across a subnet, is quick and places negligible load on the systems you're examining: one connection attempt per host. Hosts configured to log port probes will still record that attempt, so this is not invisible, just cheap. Full scans with OS detection take far longer and are likely to gather more information than you will find interesting.

In the output below, we can see that Oracle is running on the system in question -- or, at least, something is listening on the port normally used by Oracle. The "oracle" label comes from nmap's nmap-services table, keyed on the port number; nmap has not talked to the service, which would require version detection (-sV). Notice how quickly the response came back (less than half a second).


Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-11 16:45 EDT
Interesting ports on 10.1.2.3:
PORT     STATE SERVICE
1521/tcp open  oracle

Nmap finished: 1 IP address (1 host up) scanned in 0.490 seconds

Scanning a subnet will take longer than scanning a single system, but it's still quite fast. Here, we scan a class C equivalent (a /24, up to 254 nodes) in less than 18 seconds. Notice that we are also getting a report on the number of systems detected on the subnet. One caveat: because -P0 tells nmap to treat every address as up rather than discovering hosts, the "hosts up" figure in that summary counts addresses scanned, not live machines; the per-host port states (open or closed versus filtered) are the better guide to which systems are actually there.
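To make the subnet scan described above usable at scale, it helps to have nmap emit its one-line-per-host "grepable" output (-oG) and post-process it, rather than reading the normal report by eye. The shell snippet below is an added example, not code from the ITworld article: it wraps the scan, pulls out the hosts that have the port open, and tallies hosts per port state (the open/closed/filtered distinction discussed earlier). The subnet 10.1.2.0/24 and port 1521 are the article's; the function names and the embedded sample output are assumptions made here so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the ITworld article.
# Scan one TCP port across a subnet and post-process nmap's grepable
# (-oG) output. Function names and the sample scan output below are ours.

# Run the single-port subnet scan, writing grepable output to stdout.
# -Pn is the current spelling of the article's -P0 (skip host discovery),
# -sT is the connect() scan, -oG - selects grepable output on stdout.
# Usage: scan_port_on_subnet 10.1.2.0/24 1521
scan_port_on_subnet() {
    nmap -Pn -sT -p "$2" -oG - "$1"
}

# Print the IP of every host whose given port is reported "open".
# Reads grepable output on stdin. A host line looks like
#   Host: 10.1.2.3 ()<TAB>Ports: 1521/open/tcp//oracle///
# so the IP is the second whitespace-separated field and each port
# entry is preceded by a space.
open_hosts() {
    awk -v port="$1" '/^Host:/ && index($0, " " port "/open/") { print $2 }'
}

# Count hosts per port state for the given port and print
# "<state> <count>" lines, sorted by state name.
state_summary() {
    awk -v port="$1" '
        /^Host:/ {
            # Locate the "<port>/<state>/" token; the state is the
            # second "/"-separated field of that token.
            if (match($0, " " port "/[a-z|]+/")) {
                split(substr($0, RSTART + 1, RLENGTH - 1), f, "/")
                count[f[2]]++
            }
        }
        END { for (s in count) print s, count[s] }
    ' | sort
}

# Constructed sample in the -oG format (real output separates the Host
# and Ports fields with a tab; spaces parse identically with awk).
SAMPLE_GNMAP='# Nmap 4.20 scan initiated (constructed sample, not a real scan)
Host: 10.1.2.3 ()   Ports: 1521/open/tcp//oracle///
Host: 10.1.2.4 ()   Ports: 1521/closed/tcp//oracle///
Host: 10.1.2.5 ()   Ports: 1521/filtered/tcp//oracle///
Host: 10.1.2.6 ()   Ports: 1521/open/tcp//oracle///
# Nmap done (constructed sample) -- 254 IP addresses (4 hosts up) scanned in 17.8 seconds'

# Wrappers that feed the constructed sample through the parsers, so the
# post-processing can be checked without nmap or network access.
sample_open_hosts()    { printf '%s\n' "$SAMPLE_GNMAP" | open_hosts 1521; }
sample_state_summary() { printf '%s\n' "$SAMPLE_GNMAP" | state_summary 1521; }

# Live use (needs nmap installed and permission to scan the subnet):
#   scan_port_on_subnet 10.1.2.0/24 1521 | open_hosts 1521
#   scan_port_on_subnet 10.1.2.0/24 1521 | state_summary 1521
```

The state tally is the useful part when -P0/-Pn is in play: with host discovery skipped, every address in the /24 gets a line, so a host that is really absent shows up as "filtered" (no answer at all) while a live host with nothing listening shows "closed". Reading the counts that way recovers the live-host picture that the "hosts up" summary line no longer gives you.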
