Use nmap to scan for ssh servers on subnet

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. If you don't have it - get it:

sudo apt-get install nmap

There's also a GUI called Zenmap that I use sometimes. But I'm trying to learn my way around the powerful command line interface...

Here's a simple example that will scan all computers on your 255.255.255.0 subnet and report any devices listening on port 22 - the default for SSH. All of this along with the version of SSH that the server is running is output to a text file 'sshservers':

nmap -p 22 --open -sV 10.0.0.0/24 > sshservers

They say "necessity is the mother of invention" - See what happened was the DHCP server at worked assigned one of my machines a new ip and I wanted to try and track it down remotely. The only thing I could really think of that I knew - was that it was running sshd and it was somewhere in on this one 'VLAN'. To narrow down possible candidates I wanted to gather a list of all the machines on this one subnet listening on port 22. Nmap is perfect for this kind of job!

Lets break it down

nmap : the executable name
-p 22 : specifies the port to test
--open : suppress output for clients that are not listening
-sV : display the version string reported by the scanned server
10.0.0.0/24 : the target network, could have been 192.168.0.0/24
(/24 specifies a subnet of 255.255.255.0, look up slash notation)
> sshservers : redirects standard output to a file named 'sshservers'

Here was me:

Interesting ports on [ipaddressremoved]:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
MAC Address: [macaddressremoved] (Intel)
Service Info: OS: Linux

Rambling

I bought a domain - it's clayg.info

Godaddy said it was only $0.99 - but it ended up being $1.19 after some kind of ICANN tax. I also got a dyndns.org account that I'm going to use keep a pointer to my computer at home. And I'm going to have a few cname records for static private ips around the office - 10.0.0.0 stuff. I'd never even thought of it, but if you're on a network where you don't control the dns records - it IS surprisingly handy.

I bought a used e machine that I'm going to clean up into a project server. I want to install a few different things. FreeBSD, Apache, PHP, JBoss, MySQL & PostgreSQL. I'll have it setup here at home and use the godaddy/dyndns address like my own little web host.

I got that Ubuntu and Windows XP secure synergy tunneled through ssh setup working. But I didn't take very good notes. The highlights were definitely:
a) use CopSSH for the ssh server on the windows box
b) start the synergy client from /etc/gdm/PreSession/Default

Just after the fi, and before the exit
ssh -f -N -L 24800:[synergy server ip]:24800 [username]@[synergy server ip]
synergyc -f localhost > /dev/null &

Obviously setting up ssh keys for passwordless authentication is key. Generate the key on the client, and then append the public key to the ~/.ssh/authorized_key file on the server.

The SWT project is coming along. I've updated the engine to better support multiple 'views' in the right pane. I'll post the source here when I get a chance.

Oh and I'm a dad: