An attack to gain access to a host must be launched against a service running on
the system. The service must be vulnerable to a problem that will allow the
attacker to gain access. It is possible to guess what services the system uses from
some methods of intelligence gathering. It is also possible to manually probe
ports on a system with utilities such as netcat to see if connectivity can be made
to the service.
The process of gathering information on the available services on a system is
simplified by tools such as the Network Mapper, or Nmap. Nmap, as we previously
mentioned, uses numerous advanced features when launched against a
system to identify characteristics of a host. These features include things such as
variable TCP flag scanning and IP response analysis to guess the operating system
and identify listening services on a host.
Nmap can be used to identify services on a system that are open to public
use. It can also identify services that are listening on a system but are filtered
through an infrastructure such as TCP Wrappers or firewalling. Observe the following:
elliptic@ellipse:~$ nmap -sS -O derivative.cipherpunks.com
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on derivative.cipherpunks.com (
(The 1533 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp filtered telnet
25/tcp open smtp
37/tcp open time
53/tcp open domain
80/tcp open http
110/tcp open pop-3
143/tcp open imap2
Remote operating system guess: Solaris 2.6 - 2.7
Uptime 11.096 days (since Thu Nov 29 08:03:12 2001)
Nmap run completed -- 1 IP address (1 host up) scanned in 60 seconds
Let’s examine this scan a piece at a time. First, we have the execution of Nmap
with the -sS and -O flags (options). These flags tell Nmap to conduct a SYN scan
on the host, and identify the operating system from the IP responses received.
Next, we see three columns of data. In the first column, from left to right, we
see the port and protocol that the service is listening on. In the second column,
we see the state of the port, either filtered (as is the telnet service,
which is TCP Wrapped), or open to public connectivity, like the rest.
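The following is an added example, not part of the original text: a short Python parser for the port table in the scan above. It groups ports by reported state and lists open services that fall outside an allowlist. The ALLOWED set is a hypothetical policy chosen for illustration.

```python
import re

# Port table copied from the scan output above (Nmap 2.54 text format).
SCAN_OUTPUT = """\
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp filtered telnet
25/tcp open smtp
37/tcp open time
53/tcp open domain
80/tcp open http
110/tcp open pop-3
143/tcp open imap2
"""

# Hypothetical policy: services the host owner intends to expose.
ALLOWED = {"ssh", "smtp", "domain", "http"}

# One table row: port/protocol, state, service name.
ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_ports(text):
    """Return one dict per port row; the header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            rows.append({"port": int(port), "proto": proto,
                         "state": state, "service": service})
    return rows

def by_state(rows):
    """Group port numbers by reported state (open, filtered, ...)."""
    groups = {}
    for r in rows:
        groups.setdefault(r["state"], []).append(r["port"])
    return groups

def unexpected_exposure(rows, allowed):
    """Open services not in the allowlist: candidates to disable or filter."""
    return [r for r in rows if r["state"] == "open" and r["service"] not in allowed]

if __name__ == "__main__":
    rows = parse_ports(SCAN_OUTPUT)
    print(by_state(rows))
    for r in unexpected_exposure(rows, ALLOWED):
        print(f"review: {r['port']}/{r['proto']} {r['service']} is open")
```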