LinuxQuestions.org
Old 02-29-2004, 01:34 PM   #1
ch4s3r
Member
 
Registered: Sep 2003
Posts: 97

Rep: Reputation: 15
Nmap on a college network


I've read some articles on the web for nmap and most say that admins don't like it. Would using nmap get me into trouble? Would they know I'm using it? Why would network administrators get upset if I used it? Just curious. I don't have any intention to break into other computers (I wouldn't know how even if I wanted to).
 
Old 02-29-2004, 01:54 PM   #2
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Nmap is a program that looks for open ports on a computer. If I was going to break into your computer, one of the programs I might use would be nmap. It is also capable of seeing the OS type and some other info that a hacker might use to penetrate the computer. When you run nmap on a computer it can get logged on that computer that a port scan has occurred. It will also log who did it (the IP address, anyways).

Basically, if you see that someone has run a port scan against you, then it is likely that someone is trying to get in. Or at least it is a possibility that should be considered. If they see you port scanning them, then they can come to you to see why. It could be against the policy of the school you are at.

Best policy? Don't port scan anything that is not yours.
 
Old 02-29-2004, 02:47 PM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
benji covered most of your questions, and I'll answer the last one.
Quote:
Would they know I'm using it?
Absolutely. Most Intrusion Detection Systems (IDS) have specific rules that look for nmap scans. Since nmap works by sending packets on the network (usually a LOT of packets), it's pretty obvious that it's being used. Now there are some very advanced options to nmap for networking gurus that in some rare cases may allow you to scan without being noticed, but if they're monitoring all the switches (which could be likely, since the RIAA likes to sue universities when their students download MP3s), then even that won't go undetected.

Like benji said, don't scan anything that isn't yours.
 
Old 02-29-2004, 06:40 PM   #4
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
Quote:
Originally posted by chort

Now there are some very advanced options to nmap for networking gurus that in some rare cases may allow you to scan without being noticed, but if they're monitoring all the switches (which could be likely, since the RIAA likes to sue universities when their students download MP3s), then even that won't go undetected.

First I would like to concur with the previous responses; agreeing that nmap can get you into trouble. I also advise against port scanning any machine that you do not own or scanning across any network that you do not own.

Now regarding the excerpt from chort. There are options that can help you attempt to avoid detection. Read about them in the man page for nmap. Speaking from personal experience, the best tactics I've found are to use at least 5 additional decoys, and scan with one of the slower speeds. Also with this approach, you may just want to use SYN scans so that systems are not completing handshakes and connecting with each other. You may also want to disable the initial pings sent out in order to help avoid detection. Again all of this is just speaking from personal experience, so may not be 100% technically accurate.
 
Old 02-29-2004, 07:20 PM   #5
ch4s3r
Member
 
Registered: Sep 2003
Posts: 97

Original Poster
Rep: Reputation: 15
Thank you to all.
 
Old 02-29-2004, 07:35 PM   #6
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
If you are curious, and want to use it to help you further understand security..
(as I do on my own computers)

ask the system administrator....
Maybe he will let you use it on IP 127.0.0.1
or some other local machine when network load is low.
 
Old 02-29-2004, 09:04 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
GNUbie, none of those evasion techniques will help you if they're monitoring the switches (that your NIC is wired to). They have your MAC address, case closed. In fact, using decoy IPs just makes it insanely obvious that you're running some type of abnormal program because they know those decoy IPs shouldn't exist on the private net. Even if you use other private IPs as your decoys, it will still be inconsistent with the MAC address of your NIC, so either way...

qwijibow, 127.0.0.1 is the loopback address on your own computer. Assuming you're scanning from your own box, it's completely safe to target 127.0.0.1--that traffic will never go "on the wire".
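
The switch-level check described in the post above, sketched from the monitoring side as an added example that is not part of the original thread: one MAC address on an access port that claims several source IPs, or that probes many ports, gets flagged. The record layout, function names, thresholds and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed SYN records as an access switch might mirror them:
    (switch_port, src_mac, src_ip, dst_ip, dst_port). All values are made up."""
    frames = []
    claimed_ips = ["10.0.5.20", "10.0.5.31", "10.0.5.47", "10.0.5.88"]
    for dst_port in range(20, 30):
        for src_ip in claimed_ips:  # one real address plus three decoys
            frames.append(("Fa0/7", "00:11:22:33:44:55", src_ip, "10.0.9.4", dst_port))
    # Ordinary host: one source IP, two web connections
    for dst_port in (80, 443):
        frames.append(("Fa0/8", "00:aa:bb:cc:dd:01", "10.0.5.60", "10.0.9.4", dst_port))
    return frames

def find_suspects(frames, max_ips_per_mac=1, port_threshold=8):
    """Flag MACs on access ports that claim several source IPs or probe many ports.
    Not meaningful on uplinks, where a router's MAC legitimately carries many IPs."""
    ips_by_mac = defaultdict(set)
    targets_by_mac = defaultdict(set)
    port_of_mac = {}
    for sw_port, mac, src_ip, dst_ip, dst_port in frames:
        ips_by_mac[mac].add(src_ip)
        targets_by_mac[mac].add((dst_ip, dst_port))
        port_of_mac[mac] = sw_port
    suspects = {}
    for mac, ips in ips_by_mac.items():
        reasons = []
        if len(ips) > max_ips_per_mac:
            reasons.append("multiple-source-ips")
        if len(targets_by_mac[mac]) >= port_threshold:
            reasons.append("port-sweep")
        if reasons:
            suspects[mac] = {"switch_port": port_of_mac[mac],
                             "source_ips": sorted(ips),
                             "reasons": reasons}
    return suspects

if __name__ == "__main__":
    for mac, info in find_suspects(build_sample()).items():
        print(mac, info)
```
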
 
Old 02-29-2004, 09:35 PM   #8
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Yeah, that's what I meant,
scanning your loopback IP is very boring... but at least you see what happens.

I just mentioned it because my default firewall still logs incoming packets on certain ports, even on loopback, which may be annoying to the network manager / administrator...
(assuming they do their job and read the logs)
 
Old 02-29-2004, 09:52 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well, I'm assuming he/she is using their own box, not one that belongs to the university. Probably that's a bad assumption to make.
 
Old 02-29-2004, 11:58 PM   #10
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
Quote:
Originally posted by chort

GNUbie, none of those evasion techniques will help you if they're monitoring the switches (that your NIC is wired to). They have your MAC address, case closed. In fact, using decoy IPs just makes it insanely obvious that you're running some type of abnormal program because they know those decoy IPs shouldn't exist on the private net. Even if you use other private IPs as your decoys, it will still be inconsistent with the MAC address of your NIC, so either way...
True. In this thread, I defer to your posts. Just wanted to quickly point out that with being on a college campus, he could most likely float public IP addresses as being decoys. At least that's the case on my campus. None of the networks are set up with private IP blocks. But as you said, if they are monitoring, and they have your MAC address, the case is indeed closed.
 
  


All times are GMT -5.