Tag Archives: Nmap

Scanning SSH Servers

For administrative purposes, SSH is used quite often. Almost everyone in IT knows it. Keywords: OpenSSH, simply using “ssh <hostname>” on your machine, PuTTY for Windows, username + password or public key authentication, TCP port 22, simple firewall rules, ignoring the fingerprints, SCP and SFTP. That’s it – basically.

However, it gets much more complicated if you look into the details. You have to deal with many different types and representations of fingerprints, as well as crypto algorithms. Troubleshooting specific connection problems is challenging.

One way to get an overview of your SSH servers’ configuration is to scan them with appropriate tools. I’m showing two of them here: ssh_scan and the Nmap script “ssh2-enum-algos”.

Continue reading Scanning SSH Servers

Yamaha R-N500 Network Receiver Port Scan

During my analysis of Apple AirPlay connections to my Yamaha Network Receiver I was also interested in which TCP/UDP ports are open on this audio device at all. Hence I did a basic port scan with Nmap for both transport layer protocols. (In an upcoming blog post I am analyzing a packet capture from the Yamaha receiver which will show more details about the used ports and outgoing connections.) First, here are the Nmap results:

Continue reading Yamaha R-N500 Network Receiver Port Scan

Generating SSHFP Records Remotely

Until now I generated all SSHFP resource records on the SSH destination server itself via ssh-keygen -r <name>. This is quite easy when you already have an SSH connection to a standard Linux system. But when connecting to third-party products such as routers, firewalls, whatever appliances, you don’t have this option. Hence I searched and found a way to generate SSHFP resource records remotely. Here we go:

Continue reading Generating SSHFP Records Remotely

All-in-One DNS Tool: Domain Analyzer

Just a quick glance at the domain_analyzer script from Sebastián García and Verónica Valeros. “Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.” Nice one. If you’re running your own DNS servers you should check e.g. whether your firewall rules are correct (scanned with Nmap) or whether you’re not allowing zone transfer, etc.

Continue reading All-in-One DNS Tool: Domain Analyzer

Nmap Packet Capture

I am using Nmap every time I install a new server/appliance/whatever in order to check for unknown open ports from the outside. In most situations I am only doing a very basic run of Nmap without additional options or NSE scripts.

Likewise I am interested in how the Nmap connections appear on the wire. Hence I captured a complete Nmap run (TCP and UDP) and had a look at it with Wireshark. If you’re interested too, feel free to download the following pcap and have a look at it yourself. At least I took some Wireshark screenshots to give a first glance at the scan.

Continue reading Nmap Packet Capture

My Nmap Command

I am using Nmap to do basic port scans for customers that requested them. The Nmap GUI “Zenmap” offers some profiles to choose the appropriate options for the scan. But when using a mere SSH session, these profiles are not available.

On the Internet, there are many good and detailed examples of how to use Nmap, such as here or here. However, I mostly need a simple and standard Nmap command for my basic scans. Here I list the command that I am using by default as a short memo for myself: :)

Continue reading My Nmap Command