Run nmap without root privileges
Currently, I have to run a lot of Nmap scans for a client. Part of this work is checking for open ports in different ways. Completing a full TCP connection for every port is not the best approach; instead you use a SYN scan. SYN scans are fast and harder to detect because Nmap never completes the TCP handshake: it sends a SYN, and when the SYN/ACK comes back it tears the half-open connection down with a RST instead of answering with an ACK.
Because SYN scans are half-open scans, they need more privileges from the local network stack: Nmap has to send raw TCP packets, which is why running
nmap as root becomes necessary. Running everything with root privileges, however, is bad practice.
Instead of always executing
nmap with
sudo, we can grant the executable the rights it needs with capabilities. Capabilities split root's privileges into separate pieces a process can hold, and they can be stored in a file's extended attributes so that the kernel grants them whenever the binary is executed. Modern
ping commands often rely on this too, because unprivileged users are not allowed to open a raw socket for ICMP.
To set the capabilities of a file, we use
setcap; to read them back, we use
getcap:
~ $ sudo getcap /usr/bin/nmap
The empty result here is not an error:
getcap prints nothing when no capabilities are set. Thanks to the SecWiki, we get the necessary capability flags quite comfortably and do not have to guess much.
~ $ sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
The flags stand for effective (e), inheritable (i) and permitted (p). The inheritable flag adds nothing for an ordinary user, because the file's inheritable set is ANDed with the calling process's inheritable set, which is normally empty; +ep would be enough. Keep in mind that every user who can execute the binary now gets raw-socket access through it, so restrict its execute permission if that is not intended. When we re-run the
getcap command, we get the following:
~ $ sudo getcap /usr/bin/nmap
/usr/bin/nmap = cap_net_bind_service,cap_net_admin,cap_net_raw+eip
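What getcap prints is its decoding of a small binary value that setcap stored in the file's security.capability extended attribute. The following is an added example, not code from the original post or from Nmap or libcap, that parses that value (the kernel's struct vfs_cap_data, revisions 2 and 3) and renders it the way getcap does. SAMPLE_NMAP_CAPS is a constructed value matching the setcap line above; read_file_caps assumes a Linux host where os.getxattr is available; the function names are this example's own.

```python
# Added example (not from the original post): decode the security.capability
# extended attribute that setcap writes and getcap reads back. The layout
# follows struct vfs_cap_data / vfs_ns_cap_data from <linux/capability.h>.
import os
import struct

# Capability numbers from <linux/capability.h>; others are shown numerically.
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000     # 64-bit permitted/inheritable sets, 20 bytes
VFS_CAP_REVISION_3 = 0x03000000     # revision 2 plus a root user-namespace id, 24 bytes
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # the "e" flag: raise all permitted caps on exec

# Constructed sample value, as written by
#   setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
# magic 0x02000001 (revision 2, effective set), permitted and inheritable both
# 0x3400 (bits 10, 12, 13), upper 32 bits of each set zero, all little-endian.
SAMPLE_NMAP_CAPS = bytes.fromhex("01000002" "00340000" "00340000" "00000000" "00000000")


def _bits(value):
    """Set of bit positions that are 1 in a 64-bit capability mask."""
    return {n for n in range(64) if value >> n & 1}


def decode_vfs_caps(blob):
    """Parse a security.capability value into permitted/inheritable sets and flags."""
    if len(blob) < 20:
        raise ValueError("security.capability value too short")
    magic_etc, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % revision)
    rootid = 0
    if revision == VFS_CAP_REVISION_3:
        if len(blob) < 24:
            raise ValueError("revision 3 value too short")
        (rootid,) = struct.unpack_from("<I", blob, 20)
    return {
        "permitted": _bits(p_lo | (p_hi << 32)),
        "inheritable": _bits(i_lo | (i_hi << 32)),
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def cap_name(n):
    return CAP_NAMES.get(n, str(n))


def format_like_getcap(caps):
    """Render decoded sets in getcap's notation, e.g. 'cap_net_raw+ep'."""
    flags_by_cap = {}
    for n in caps["permitted"] | caps["inheritable"]:
        f = ""
        if caps["effective"] and n in caps["permitted"]:
            f += "e"
        if n in caps["inheritable"]:
            f += "i"
        if n in caps["permitted"]:
            f += "p"
        flags_by_cap[n] = f
    clauses = {}  # group caps that share the same flag string, ascending by number
    for n, f in sorted(flags_by_cap.items()):
        clauses.setdefault(f, []).append(cap_name(n))
    return " ".join(",".join(names) + "+" + f for f, names in clauses.items())


def has_caps(caps, required):
    """True if every named capability is permitted and will be effective on exec."""
    have = {cap_name(n) for n in caps["permitted"]}
    return caps["effective"] and set(required) <= have


def read_file_caps(path):
    """Read and decode the xattr of a real file (Linux only); None if unset."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return decode_vfs_caps(os.getxattr(path, "security.capability"))
    except OSError:  # ENODATA (no capabilities set) or unsupported filesystem
        return None


if __name__ == "__main__":
    caps = read_file_caps("/usr/bin/nmap") or decode_vfs_caps(SAMPLE_NMAP_CAPS)
    print(format_like_getcap(caps))
    print("raw TCP possible:", has_caps(caps, ["cap_net_raw", "cap_net_admin"]))
```

Running it on a host where the setcap line above was applied prints the same line as getcap; anywhere else it falls back to the constructed sample. The has_caps check is the pre-flight test a wrapper script can use before starting an unprivileged SYN scan.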
To make use of this now, we merely tell
nmap to assume that we have all the necessary privileges with the
Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-25 18:03 CET
Nmap scan report for akendo.eu (220.127.116.11)
Host is up (0.024s latency).
Other addresses for akendo.eu (not scanned): 2a03:b0c0:3:d0::41:c001
rDNS record for 18.104.22.168: mail.akendo.eu
Not shown: 989 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
444/tcp open snpp
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 43.17 seconds
Sometimes you get varying results, and even ports that the scanned system does not offer show up as open. The cause can be a local firewall interfering with your TCP packets, so it is vital to make sure that the firewall on your own host does not mess with Nmap's packets.
That’s a lot of open services. Maybe the owner of this domain should reduce it a bit? :-)
so far, akendo