====== SNB Security - Extras ======
While this is optional, it's a useful exercise to obtain, build and install source code that isn't necessarily in the distribution's repositories. Even when it is, sometimes you want something more current than what **apt** offers...
===== NMAP - Network Security Scanner =====
The best defense is a good offense. NMAP will help you discover 'issues' on your own network (and on others you have permission to test, nudge nudge).
<code>
___.-------.___
_.-' ___.--;--.___ `-._
.-' _.-' / .+. \ `-._ `-.
.' .-' |-|-o-|-| `-. `.
(_ <O__ \ `+' / __O> _)
`--._``-..__`._|_.'__..-''_.--'
``--._________.--''
____ _____ ____ ____ _ _______
|_ \|_ _||_ \ / _| / \ |_ __ \
| \ | | | \/ | / _ \ | |__) |
| |\ \| | | |\ /| | / ___ \ | ___/
_| |_\ |_ _| |_\/_| |_ _/ / \ \_ _| |_
|_____|\____||_____||_____||____| |____||_____|
NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY
</code>
**What is NMAP?**
//Nmap is an open source and cross-platform software that provides users with one of the most powerful network discovery and security auditing utilities, appreciated by numerous system administrators and security professionals around the world.//
**Features at a glance**
//Key features include the ability to monitor service and host uptime, manage service upgrade schedules, do network inventory, discover available hosts on a network based on raw IP packets, as well as to discover running services and operating systems on a specific network.//
//In addition, it supports a wide range of advanced network mapping techniques, including ping sweeps, TCP/UDP port scanning mechanisms, as well as the ability to scan networks of hundreds of thousands of computers.//
==== Installing NMAP ====
There are a few ways to get it: grab it directly from apt, download the tarball from nmap.org, or do it the old-school way.
This is a good chance to do it the old-school way.
In this how-to we will
- install dependencies
- sync up to an online source code repository
- compile the software
- install NMAP by hand
So let's get started. ''build-essential'' gives us the compiler and make, ''subversion'' the checkout, ''libssl-dev'' the TLS support nmap's version detection needs, and ''pwgen'' is used further down. The ''python-gtk2'', ''python2.7-dev'' and ''gksu'' packages are only needed for the Zenmap GUI that ships in the same tree; leave them out if you just want the command-line nmap.
<code>
sudo apt install build-essential subversion libssl-dev autoconf pwgen python-gtk2 python2.7-dev gksu
</code>
Check out the NMAP source from NMAP's Subversion repo. Run this as yourself, not with sudo: a checkout done as root leaves a root-owned tree in your home directory and then forces every later step to be run as root too.
<code>
svn co https://svn.nmap.org/nmap
</code>
This places a working copy in a directory called ''nmap'' under the directory you ran it from, /home/test/nmap in this example.
<code>
cd /home/test/nmap
</code>
**Building NMAP**
This is the usual configure, make, make install. Only the install step writes outside your working copy (into /usr/local by default), so only that step needs root.
This builds the Makefile:
<code>
./configure
</code>
Does the build:
<code>
make
</code>
This installs nmap into /usr/local/bin (and its data files under /usr/local/share/nmap); ''sudo'' is enough here. You will sometimes see ''su root'' followed by ''make install'' recommended instead, see the note below.
<code>
sudo make install
</code>
**Whoa - what's this su root thing?**
NMAP gets installed into places only root can write, so older instructions tell you to become root first. But an admin with sudo rights can already do that: ''sudo make install'' works, and ''sudo -i'' gives you a root shell if you want one, without ever setting a root password. On Ubuntu the root account is locked by default, and that's a good thing: a password-less root cannot be brute-forced over SSH or at the console. If you still want a real root password (for example for single-user rescue), don't pick a weak one; generate it:
<code>
sudo pwgen 24
[sudo] password for test:
xi0thaiguthohJ7OhDek8Eeb yohs5Keep4Ay3ailahna3ePo yuG6vai8zai0eeZ7hua0eibi
(and more)
</code>
Pick one, put it on the clipboard, and then
<code>
sudo passwd root
</code>
Paste that clipboard item in, and when it asks to confirm, paste again.
As the admin, you can change root's password any time you need to... and you can lock the account again afterwards with ''sudo passwd -l root'' once the job that needed it is done.
==== Running NMAP ====
NMAP is pretty easy to run and has many options. Go overboard against a fragile target and it may crash; here's a quick command line example.
<code>
sudo nmap -v -A 192.168.1.1
</code>
We're targeting the consumer-grade router/AP that is our WAN/LAN gateway; you might be surprised at what you find, and you might need to power-cycle it afterwards (cheap embedded devices don't always survive OS fingerprinting probes).
* ''-v'': increase verbosity level (use ''-vv'' or more for greater effect)
* ''-A'': enable OS and version detection, script scanning and traceroute (the OS detection is why the scan runs under sudo; raw packets need root)
Many, many more options are available; check the well-documented man page for more details:
<code>
man nmap
</code>
==== NMAP audit results of the SNB Basics Server config ====
Below is an NMAP audit of the SNB Basics configuration. I'm not too worried: we know what services we've built and we've done our best to secure them. NETBIOS (Samba) is as locked down as we can make it, and if you don't need Samba, turn it off...
Let's analyze this from a security perspective, checking each open port against what the scan actually reports:
* **SSH** - we have access control, and the transport is encrypted (OpenSSH 7.2p2, protocol 2 only)
* **SMTP** - access control again; while port 25 is open, only gmailuser@gmail.com can relay through it (SASL authentication over STARTTLS), and we have it firewalled. Two things the scan shows that are worth knowing: ''VRFY'' is advertised, which lets anyone who can reach port 25 test whether a local account exists (''disable_vrfy_command = yes'' in Postfix's main.cf turns it off), and the STARTTLS certificate is self-signed (subject and issuer are both ''testbox''), fine for a home box but nothing a client can verify
* **HTTP/PHP** - runs as www-data, and is limited to the document root by the apache2 configuration and security directives; the only methods advertised are OPTIONS, GET, HEAD and POST
* **NETBIOS/Samba** - runs as its own user, and only has access to /var/share and /var/media. Samba-only users cannot log in to Unix if they don't have a Unix password (useradd vs. adduser). Note that the scan got its SMB information through a guest session and reports ''message_signing: disabled'' (the Samba default, as nmap itself points out); if only known users should connect, set ''map to guest = Never'' and ''server signing = mandatory'' in smb.conf
* **VNC (5901) and X11 (6001)** - the scan also lists these, and they aren't part of the four services above. VNC's ''VNC Authentication'' type is a DES challenge-response on the password with no encryption of the session, so it should only be reachable through an SSH tunnel or bound to localhost. X11 reports ''access denied'', which is what we want
<code>
Nmap scan report for 192.168.1.6
Host is up (0.00042s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: testbox, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=testbox
| Issuer: commonName=testbox
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-05-20T22:55:38
| Not valid after: 2026-05-18T22:55:38
| MD5: aabb 1122 4ab4 4c4f 3f7d 60a2 7f3a b7c9
|_SHA-1: ccdd 3344 6b46 4974 59b7 e5c1 016b b042 2c3e 619c
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache
|_http-title: the bluepill
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
5901/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
6001/tcp open X11 (access denied)
Service Info: Host: testbox
Host script results:
| nbstat: NetBIOS name: TESTBOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| TESTBOX<00> Flags: <unique><active>
| TESTBOX<03> Flags: <unique><active>
| TESTBOX<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: testbox
| NetBIOS computer name: TESTBOX
| Domain name:
| FQDN: testbox
|_ System time: 2016-05-22T14:39:58-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
Nmap done: 1 IP address (1 host up) scanned in 15.87 seconds
</code>
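As an added example (not code from this page or from the nmap project): a small Python script that runs the same ''nmap -v -A'' scan with XML output (''-oX -'') and checks the report against the services the SNB Basics build is supposed to expose. The expected-port table and the finding rules are my own assumptions, and the embedded sample XML is hand-constructed to mirror the report above rather than a real nmap capture. Run it with no arguments to audit the sample, or give it a target to scan for real (root needed, as above).

```python
"""Audit an nmap -A XML report against the services we expect on the box.

Added example; the expected-service table and the rules below are assumptions
that match the SNB Basics build, and SAMPLE_XML is constructed by hand.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET

# TCP services the SNB Basics config is meant to expose (assumption).
EXPECTED_TCP = {22: "ssh", 25: "smtp", 80: "http", 139: "netbios-ssn", 445: "netbios-ssn"}

# Constructed sample that mirrors the scan report on this page, trimmed to the
# elements the rules below look at (nmap uses <elem key=..> for script data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.6" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2p2"/></port>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Postfix smtpd"/>
  <script id="smtp-commands" output="testbox, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,"/>
  <script id="ssl-cert" output="Subject: commonName=testbox Issuer: commonName=testbox">
    <table key="subject"><elem key="commonName">testbox</elem></table>
    <table key="issuer"><elem key="commonName">testbox</elem></table>
  </script></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd"/></port>
<port protocol="tcp" portid="5901"><state state="open"/><service name="vnc" product="VNC" version="protocol 3.8"/></port>
<port protocol="tcp" portid="6001"><state state="open"/><service name="X11"/></port>
</ports>
<hostscript>
<script id="smb-security-mode" output="account_used: guest; message_signing: disabled">
  <elem key="account_used">guest</elem>
  <elem key="authentication_level">user</elem>
  <elem key="message_signing">disabled</elem>
</script>
</hostscript>
</host></nmaprun>"""


def run_scan(target):
    """Same scan as the page's example, but as XML on stdout so we can parse it."""
    proc = subprocess.run(["nmap", "-v", "-A", "-oX", "-", target],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def open_ports(host):
    """Map open TCP port -> service name for one <host> element."""
    ports = {}
    for port in host.findall("./ports/port[@protocol='tcp']"):
        if port.find("state").get("state") == "open":
            svc = port.find("service")
            ports[int(port.get("portid"))] = svc.get("name", "?") if svc is not None else "?"
    return ports


def script_elems(node):
    """Flatten nmap's structured script output (<elem key=..>) under node into a dict."""
    return {e.get("key"): (e.text or "").strip() for e in node.iter("elem") if e.get("key")}


def audit(xml_text):
    """Return (address, port, message) findings for every host in the report."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        # Rule 1: anything open that is not on the expected list.
        for p, name in sorted(open_ports(host).items()):
            if p not in EXPECTED_TCP:
                findings.append((addr, p, f"unexpected open service {name}"))
        # Rule 2/3: per-port script results (SMTP VRFY, self-signed TLS cert).
        for port in host.findall("./ports/port"):
            p = int(port.get("portid"))
            for script in port.findall("script"):
                sid, out = script.get("id"), script.get("output", "")
                if sid == "smtp-commands" and "VRFY" in out:
                    findings.append((addr, p, "SMTP VRFY enabled: allows account enumeration"))
                if sid == "ssl-cert":
                    tables = {t.get("key"): script_elems(t) for t in script.findall("table")}
                    if "subject" in tables and tables["subject"] == tables.get("issuer"):
                        findings.append((addr, p, "self-signed certificate: clients cannot verify the server"))
        # Rule 4/5: host-level SMB security mode (signing, guest session).
        for script in host.findall("./hostscript/script[@id='smb-security-mode']"):
            mode = script_elems(script)
            if mode.get("message_signing") == "disabled":
                findings.append((addr, 445, "SMB signing disabled: sessions can be tampered with or relayed"))
            if mode.get("account_used") == "guest":
                findings.append((addr, 445, "guest SMB session accepted"))
    return findings


if __name__ == "__main__":
    report = run_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_XML
    for addr, port, msg in audit(report):
        print(f"{addr}:{port}  {msg}")
```

Against the sample this flags the two ports the analysis above doesn't cover (5901 and 6001), the VRFY command, the self-signed certificate and the two SMB settings; a box with ''server signing = mandatory'' and guest access off drops the last two, which is an easy way to confirm an smb.conf change actually took effect.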