Friday, June 20, 2008

Use nmap to scan for ssh servers on subnet

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. If you don't have it - get it:
sudo apt-get install nmap
There's also a GUI called Zenmap that I use sometimes. But I'm trying to learn my way around the powerful command line interface...

Here's a simple example that scans every host on your 255.255.255.0 subnet and reports any that are listening on port 22, the default port for SSH. The results, along with the version string each SSH server reports, are written to a text file named 'sshservers':
nmap -p 22 --open -sV 10.0.0.0/24 > sshservers
They say "necessity is the mother of invention". What happened was that the DHCP server at work assigned one of my machines a new IP and I wanted to track it down remotely. The only thing I really knew was that it was running sshd and that it was somewhere on this one VLAN. To narrow down the candidates I wanted a list of all the machines on this subnet listening on port 22. Nmap is perfect for this kind of job!

Let's break it down
nmap : the executable name
-p 22 : specifies the port to test (only TCP port 22, instead of nmap's default list of common ports)
--open : only report hosts and ports that are actually open; hosts where port 22 is closed or filtered are left out of the output
-sV : probe the open port and display the service name and version banner the server reports (here, the OpenSSH version)
10.0.0.0/24 : the target network, could have been 192.168.0.0/24
(/24 specifies a subnet mask of 255.255.255.0, i.e. 256 addresses; look up CIDR slash notation)
> sshservers : redirects standard output to a file named 'sshservers'
Here's the entry for my machine:
Interesting ports on [ipaddressremoved]:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
MAC Address: [macaddressremoved] (Intel)
Service Info: OS: Linux
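Once the scan is saved you still have to pick the hosts out of the output by hand. Here is a small shell function, added here and not part of the original post, that reads a saved 'sshservers' file and prints one "IP<TAB>version" line per host with 22/tcp open, giving a quick inventory of what is answering on the subnet and which SSH versions are in use. The scan output embedded in it is constructed, not a real result; the function assumes nmap's normal (human-readable) output and recognizes both the old "Interesting ports on" and the newer "Nmap scan report for" host headers.

```shell
#!/bin/sh
# parse_ssh_hosts: read nmap normal output (as saved with "> sshservers")
# on stdin and print one "IP<TAB>version" line per host with 22/tcp open.
parse_ssh_hosts() {
    awk '
        # Host header: old nmap prints "Interesting ports on X:",
        # newer versions "Nmap scan report for X" (X may be "name (ip)").
        /^Interesting ports on / || /^Nmap scan report for / {
            host = $NF; gsub(/[():]/, "", host); next
        }
        # The port line we asked for: "22/tcp open ssh <version string>"
        $1 == "22/tcp" && $2 == "open" {
            ver = ""
            for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
            if (ver == "") ver = "(no version banner)"
            printf "%s\t%s\n", host, ver
        }
    '
}

# Constructed sample scan output (not a real result) so the function
# can be tried offline; addresses and MAC are made up.
SAMPLE='Starting Nmap 4.53 ( http://insecure.org ) at 2008-06-20 10:00 EDT
Interesting ports on 10.0.0.5:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
MAC Address: 00:00:00:00:00:01 (Intel)
Service Info: OS: Linux

Nmap scan report for printer.lan (10.0.0.9)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)

Nmap scan report for 10.0.0.42
PORT   STATE  SERVICE VERSION
22/tcp closed ssh

Nmap done: 256 IP addresses (3 hosts up) scanned in 12.34 seconds'

# With a real saved scan you would run:  parse_ssh_hosts < sshservers
printf '%s\n' "$SAMPLE" | parse_ssh_hosts
```

The closed port on 10.0.0.42 is skipped, so the list contains only the two hosts actually offering SSH, each with its reported version.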

8 comments:

Anonymous said...

Here's an interesting article.

http://www.theage.com.au/news/Breaking/FBI-serves-subpoenas-on-Nmap-creator/2004/11/24/1101219605187.html

Jobeth

emanuel said...

I got to work and realized I had forgotten to push from my local repo at home. I ssh'd to my home desktop computer, which uses a no-ip address and which happened to be on. Then I called my girlfriend, who happened to be at home, and asked her to turn on my laptop. I googled "nmap find ssh lan", found your blog, cut&paste, found the IP of the laptop, which happened to be running an ssh server.
ssh laptop, cd to src-dir, hg push.

Thanks for your help in saving my day! :-)

Anonymous said...

THANK YOU! Exactly what I wanted. Find an Ubuntu machine with DHCP!

Anonymous said...

Brilliant, just what I was looking for. Cheers! :)

Anonymous said...

So grateful!!

I plugged a headless BeagleBone Black into the network and couldn't hit it by its hostname or find it in the router's DHCP table. I'd been working through the nmap man pages trying to figure out how to ONLY scan for ssh so I could get through this quickly and find my BeagleBone. Your command (edited for my 192.168 subnet) executed in just a few seconds and returned only the few Linux boxes on the network.

Thanks for sharing your experience!

Anonymous said...

Cheers this was just what I needed to use. Thank you.

Anonymous said...

Brilliant! Found that pesky server.

Luke said...

Your dog is awesome.