Skip to main content
NMAP

Obscuring Services from Port Scans with NMAP

By October 14, 2016No Comments

Obscuring ServicesIf you have services that are internet facing then you certainly need to consider protecting those services. Changing the port number to a non-default value can help. Reading through this blog, you will learn how to accomplish this. More importantly, we will take you inside the workings of Nmap to show you why obscuring services from Nmap works as a simple deterrent. If you have not already come across this tool Nmap is a port scanner available on Linux and other platforms. You can find more about this product from nmap.org.

The Lab Environment


When using tools like Nmap it is probably best to work on your own systems and on you own network. In some jurisdictions, you may find it deemed as inappropriate to run port scans through your ISP. The idea behind these series of blogs is to teach you how to make your systems more secure from potential attacks. Learning to do this in your own private network is the best way to become accustomed to the tool and its usage. Once evaluated on a test lab you can then move the tested techniques into protecting your internet facing devices. Or target system is a CentOS 6.7 system which runs SSH and XRDP. SSH which is the secure shell server and XRDP which is the Remote Desktop Protocol service allow users remote access to the Desktop. I am ruinningNmap 6.4 from a Ubuntu 14,04 host on the same network as the target.

The Initial Scan

I am only scanning the one system and it is an internal test so I am not concerned with minimising my footprint. With this in mind, I am happy to run a very simple scan without concern for  stealth. I am more interested in what the Internet can see on my system. Additionally, it has to be noted that it is not easy to protect these ports using a firewall. In my environment, these ports would be used by remote students needing to access their lab machines so a traditional firewall filtering is not an option.

nmap 192.168.238.102

simplenmap

From the result that is returned, as we see in the screenshot , it is not difficult for users to see the services available. If this was internet facing then these services are now passively advertised for all to see. Both of these ports are likely to see unwanted script based attacks where users try to login to your system.

What is Nmap Doing

To get a better understanding of whey we are so vulnerable we need to understand what Nmap is doing. Starting off I am going to advise you to Read The Screen. The whole screen and nothing but the screen. So often we scan for what we think is important, the open ports in this case, and ignore anything else.  This is gold dust and we should never ignore it. We have found 2 open ports and 998 closed ports. Nmap has scanned only 1000 ports. So if we do not specify which ports to scan then Nmap will choose the top 1000 ports. This is decided by the frequency  these ports occur on the Internet and the information comes from the text file, /usr/share/nmap/nmap-services. Firstly this file is very similar to the /etc/services file but more detailed and contains frequency field which lists the frequency a service appears. This is a decimal number from 0.000000 to 0.999999 where the high number indicates a more frequently found service.

nmap-services

We can see from the screenshot that the Nmap services file contains many more entries than the standard services file in Ubuntu.

List Most Frequent Ports

Both SSH and RDP protocols appear in the top 10 frequently found services, but even if they appeared in the top 1000 they would appear in a default scan. To reduce a lot of the script attacks, not appearing in the default scan is a great idea. To be able to list the top ports we can use the following command.

nmap -v -oG -

This does not initiate a scan as we have not set a target. Again really useful to us as we just want to list the ports. The output from nmap will be long as it list the top 1000 ports. Breaking down the command w can learn that:

-v Turns on verbose more needed to see the ports.

-oG Sends the output to a file in grepable format.

–  Is used in place of a file name, indicating we should print to standard output.

To reduce the output, we can view just the top 10 ports.

nmap --top-ports 10 -v -oG -

top-ports

If we can set the ports that our services use to something other than a port in the top 1000 so much the better.

Changing the Ports

Securing the SSH service we can change the port to 2252 which is not in the top 1000 ports and we can use 3395 for RDP. In the example, we leave the SSH port in pace as I am connected to it. However, it is not difficult to connect to. Simply having to use the -p option with the SSH client to connect to a different port. The same with the RDP port, the client would need to know the port to connect to. For me, this is provided to my client in their course confirmation. Making the SSH change would mean editing  the /etc/ssh/sshd_config file an  the RDP port is set in the /etc/xrdp/xrdp.ini. With the edit made and the service restarted we can repeat the initial scan and we now can only detect SSH and not RDP as a running service. To detect the service we need to know the port number being used or increase the scan range.

nmap -p 3395 192.168.238.102

The video follows.



Leave a Reply