
Unix Tip: Finding services on a subnet

ITworld.com 5/14/2007

Sandra Henry-Stocker, ITworld.com




If you have ever needed to survey a large group of systems to find out which of them supported some particular service, such as ftp, telnet, ssh or some other application, you have probably thought of numerous ways to query the systems for the required information and display it in some usable fashion. Many methods of obtaining information from servers, however, require some sort of login or remote shell request that either takes more time than you want to spend or requires you to configure some sort of trust on the part of the systems holding the information for the system on which it is being collected. In today's column, we will look at a way to find out about services running on systems without setting up any access ahead of time. In fact, you don't need an account, never mind root access, to collect the information quickly. By using nmap to query particular ports and some perl text processing to streamline your output, you can produce a list of systems on which a particular port (say 21 for ftp or 23 for telnet) is listening for requests.

To understand how this works, you need to know a little about how nmap works. One of the best-known port scanners, nmap is mostly used to scan systems from the outside (i.e., without logging into the system) to determine what ports are active. By acquiring a list of responsive ports, you will have an idea what services and applications are likely running on that system. Hackers use tools such as nmap as a starting point in determining what kinds of exploits they might be able to use to attack particular systems.

Nmap isn't just for hackers looking for systems to attack, however. It can also help legitimate systems administrators inventory the applications and services on their systems. You might want to know, for example, which systems on a network you manage are hosting web services, which provide ssh login support, or which are running some other service.

To use nmap to query a particular port on a subnet, you need to know what port you are interested in and you need to know the subnet you want to query. The command below, for example, attempts a connection to port 1521 on a particular server. This is the port most commonly used by Oracle. You can use a command like this to get the answer:

# nmap -p 1521 10.1.2.34

However, you will get a much speedier response if you include some additional options with your nmap request:

# nmap -p 1521 -P0 -sT 10.1.2.34

The -P0 (P and zero) option tells nmap to skip host discovery (i.e., not to ping the systems). The -sT option says to use a simple connect() system call to detect port status. While this is an easy scan for intrusion detection systems to pick up, making this request for a single port is unlikely to set off any alarms. This query is likely to respond in a matter of seconds, where, without the additional arguments, you might wait a minute or more for the answer.

The output that you receive will include one of four possible status indicators: open, closed, filtered or unfiltered. Open and closed are fairly obvious. If the port is in use (i.e., if some service is listening on it), you will see the response "open". If no service is responding on that port, you will see "closed". When you see either of the other two status indicators, you won't really know what is going on. Filtered means that a firewall or a similar obstacle is blocking the port; you might have to run your nmap query from a system on the same subnet as the system or systems you are curious about. Unfiltered, on the other hand, means that the port is responsive to the probe, but nmap cannot determine whether it is open or closed.

Compared with many of the more aggressive scans that nmap is capable of, querying a single port, even across a subnet, is quick and is not going to cause even the slightest load on the systems you're examining, even if they are configured to report port probing. Full scans with OS detection take very much longer and are likely to gather more information than you will find interesting. In the output below, we can see that Oracle is running on the system in question -- or, at least, something is running on the port normally used by Oracle. Notice how quickly the response came back (less than half a second).

Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-11 16:45 EDT
Interesting ports on 10.1.2.3:
PORT     STATE SERVICE
1521/tcp open  oracle

Nmap finished: 1 IP address (1 host up) scanned in 0.490 seconds

Scanning a subnet will take longer than scanning a single system, but it's still quite fast. Here, we scan a class C equivalent (up to 254 nodes) subnet in less than 18 seconds. Notice that we are also getting a report on the number of systems detected on the subnet.

# nmap -p 23 -P0 -sT 10.3.2.0/24

Starting nmap 3.77 ( http://www.insecure.org/nmap/ ) at 2007-05-12 15:58 EDT
Interesting ports on 10.3.2.0:
PORT   STATE  SERVICE
23/tcp closed telnet

Interesting ports on 4006-router.annlab.telecomsys.com (10.3.2.1):
PORT   STATE SERVICE
23/tcp open  telnet

...

Interesting ports on 10.3.2.255:
PORT   STATE  SERVICE
23/tcp closed telnet

Nmap run completed -- 256 IP addresses (256 hosts up) scanned in 15.735 seconds

Of course, that's easy enough that you hardly need a script to handle the nmap command for you. However, if you don't want to have to remember the arguments to use with nmap to make this query quick, and you don't really want to see anything more than the name of each system on which the particular service is running, a script can save you time and trouble.

#!/usr/bin/perl -w
#
# Find services on a subnet:  findAppl port subnet
#                     e.g.,:  findAppl 80 10.3.2.0/24
#
# NOTE: The output we're handling looks like this:
#   Interesting ports on 10.3.2.11:
#   PORT     STATE SERVICE
#   1521/tcp open  oracle

use strict;

my ($port, $subnet);

if ( $#ARGV >= 1 ) {
    $port=$ARGV[0];
    $subnet=$ARGV[1];
} else {
    # Prompt for whatever was not supplied on the command line
    print "Please provide a port> ";
    $port=<STDIN>;
    chomp($port);
    print "Please provide a subnet> ";
    $subnet=<STDIN>;
    chomp($subnet);
}

# Both values are interpolated into a shell command below, so accept
# only the characters a port number or an address/subnet can contain.
die "Port must be numeric\n"            unless $port   =~ /^\d+$/;
die "Subnet must look like 10.3.2.0/24\n" unless $subnet =~ /^[\d.\/]+$/;

# Run the scan and capture nmap's output, one line per array element
my @results=`nmap -p $port -P0 -sT $subnet 2> /dev/null`;

my ($IP, $SVC);
foreach (@results) {
    # Remember the address from each "Interesting ports on ..." header
    if ($_ =~ /Interesting/)
    {
        ($IP)=/(\d+\.\d+\.\d+\.\d+)/;
    }
    # Print address and service name for port lines whose STATE is open
    # (anchored to the port line so a hostname containing "open" is ignored)
    if ($_ =~ m{^\d+/\w+\s+open\s+})
    {
        ($SVC)=/(\S+)\s*$/;
        print "$IP $SVC\n";
    }
}

This script expects two arguments -- the port number and the IP address or subnet to be used in the probing. It will prompt for that information if it doesn't appear on the command line. The script then runs the nmap command and stuffs the output into an array. It then looks through the data in the array, saving IP addresses in case they are relevant and printing them out when it encounters "open" in the status line. What you see, therefore, is something like this:

# ./findAppl 21 10.1.2.0/24
10.1.2.25 ftp
10.1.2.39 ftp
10.1.2.49 ftp
10.1.2.120 ftp
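The same parsing, written here as an added example (not the column's own script), handling the two header forms shown above (address only, and hostname followed by the address in parentheses) and keeping the reported state so "open" can be told apart from "filtered". The sample output is constructed; the hostname and addresses in it are assumptions, and scan() assumes nmap is on the PATH and still accepts -P0 as the column shows.

```python
import re
import subprocess

# Constructed sample of nmap's normal output, in the format the column shows.
SAMPLE_OUTPUT = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-11 16:45 EDT
Interesting ports on 10.3.2.0:
PORT   STATE  SERVICE
23/tcp closed telnet

Interesting ports on openrouter.example.com (10.3.2.1):
PORT   STATE SERVICE
23/tcp open  telnet

Interesting ports on 10.3.2.7:
PORT   STATE    SERVICE
23/tcp filtered telnet

Nmap finished: 3 IP addresses (3 hosts up) scanned in 1.234 seconds
"""

# Header: "Interesting ports on 10.3.2.0:" or "Interesting ports on host (10.3.2.1):"
HOST_RE = re.compile(r"^Interesting ports on (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?:")
# Port line: "23/tcp open  telnet" (anchored, so hostnames never match)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return one dict per reported port: ip, hostname, port, proto, state, service."""
    rows, ip, host = [], None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, ip = m.group(1), m.group(2)   # remember the current host
            continue
        m = PORT_RE.match(line)
        if m and ip:
            rows.append({"ip": ip, "hostname": host, "port": int(m.group(1)),
                         "proto": m.group(2), "state": m.group(3), "service": m.group(4)})
    return rows


def hosts_with_state(text, state="open"):
    """Addresses whose port line reports exactly `state` (so 'open|filtered' is excluded)."""
    return [r["ip"] for r in parse_nmap(text) if r["state"] == state]


def scan(port, subnet):
    """Run the column's nmap command without a shell (no interpolation of arguments)."""
    out = subprocess.run(["nmap", "-p", str(port), "-P0", "-sT", subnet],
                         capture_output=True, text=True, check=False).stdout
    return parse_nmap(out)
```

Calling hosts_with_state(SAMPLE_OUTPUT, "filtered") lists the addresses you may need to re-scan from inside the subnet, as the column suggests.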

Nmap can be compiled from source and is distributed under the terms of the GNU General Public License. Packages are available for Solaris and many Linux distributions.

Finding services on a Subnet, part 2


Sandra Henry-Stocker has been administering Unix systems for more than 18 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She currently works for TeleCommunication Systems, a wireless communications company, in Annapolis, Maryland, where no one else necessarily shares any of her opinions. She lives with her second family on a small farm on Maryland's Eastern Shore. Send comments and suggestions to bugfarm@gmail.com.




Copyright © Computerworld, Inc. All rights reserved
