nmap is a widely used tool, packaged by most Linux distributions (and available for many other OSes), for mapping networks and port scanning. Since almost every networked application runs on TCP/IP, it is crucial to be able to troubleshoot every layer of the stack (OSI model). A misconfigured firewall can easily cause hours of frustration.
We will use Asterisk as an example, but the following tutorial could easily be applied to any network application. If you run Asterisk PBX systems across many networks you have probably encountered firewalls. Errant firewalls can cause huge headaches. In some cases you may question whether the SIP and IAX2 ports are being blocked by a firewall.
Conventional wisdom:
[matt@mattcom1 ~]$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1
Using telnet to verify that a port is listening for incoming connections works well for common TCP services like SMTP (25), HTTP (80) or FTP (21). But telnet only speaks TCP and only tests one port per connection, so it can tell you nothing about a UDP service, and for large-scale port mapping and network scanning you need a beefier tool. In comes nmap.
Let's start with some nmap basics, then run through the IAX2/SIP scenario. Below is nmap with the '-O' switch run against my local subnet at home. The '-O' switch tells nmap to try to determine each remote host's operating system by fingerprinting its TCP/IP stack (this, like the SYN scan, needs root). '192.168.1.0' is the network address and '/24' means a 24-bit subnet mask, i.e. '255.255.255.0', so the scan covers all 256 addresses from 192.168.1.0 to 192.168.1.255. Note that without a '-p' option nmap does not scan all 65535 ports; it scans its default list of common TCP ports (1715 of them in this version), which is why the output below talks about 1715 scanned ports.
[root@mattcom1 ~]# nmap -O 192.168.1.0/24
Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 16:31 PST
Interesting ports on 192.168.1.1:
Not shown: 1714 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0F:66:CA:B7:B7 (Cisco-Linksys)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.68%D=1/23%OT=80%CT=1%CU=39191%PV=Y%DS=1%G=Y%M=000F66%TM=497A617
OS:A%P=i386-redhat-linux-gnu)SEQ(SP=0%GCD=64%ISR=50%TI=I%II=I%SS=S%TS=U)SEQ
OS:(SP=A%GCD=A%ISR=50%TI=I%II=I%SS=S%TS=U)OPS(O1=M5B4%O2=M5B4%O3=M5B4%O4=M5
OS:B4%O5=M5B4%O6=M5B4)WIN(W1=16D0%W2=16D0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)E
OS:CN(R=Y%DF=N%T=96%W=3%O=%CC=N%Q=U)T1(R=Y%DF=N%T=96%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=Y%DF=N%T=96%W=80%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=N%T=96%W=100%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=96%W=400%S=A%A=S%F=AR%O=%RD=0%Q=)T5(
OS:R=Y%DF=N%T=96%W=7A69%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=96%W=8000%S=
OS:A%A=S%F=AR%O=%RD=0%Q=)T7(R=Y%DF=N%T=96%W=FFFF%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=96%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=
OS:G)IE(R=Y%DFI=N%T=96%TOSI=Z%CD=S%SI=S%DLI=S)
Network Distance: 1 hop
Interesting ports on 192.168.1.2:
Not shown: 1714 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:90:4C:91:00:01 (Epigram)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Uptime: 0.115 days (since Fri Jan 23 13:45:46 2009)
Network Distance: 1 hop
All 1715 scanned ports on 192.168.1.105 are filtered
MAC Address: 00:1E:8C:B4:17:D8 (Asustek Computer)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Interesting ports on 192.168.1.108:
Not shown: 1711 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
MAC Address: 00:1C:C4:2E:7F:33 (Hewlett Packard)
Device type: general purpose
Running: Microsoft Windows Vista
OS details: Microsoft Windows Vista
Uptime: 0.055 days (since Fri Jan 23 15:12:49 2009)
Network Distance: 1 hop
Interesting ports on 192.168.1.254:
Not shown: 1709 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2000/tcp open callbook
6000/tcp open X11
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.24
Uptime: 0.207 days (since Fri Jan 23 11:34:02 2009)
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 32.049 seconds
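The useful question about a scan like the one above is usually not "what is open" but "what changed": between the service being up and down, or between scanning from inside and from outside the firewall. The following parser and diff is an added example, not code from the original post or from the nmap project. It understands only the Nmap 4.x normal-output layout printed above ("Interesting ports on X:", "All N scanned ports on X are ...", the PORT/STATE/SERVICE table and the MAC line) plus the newer "Nmap scan report for" header; the two scan texts embedded in it are constructed from the results in this post so that it runs offline.

```python
"""Parse nmap normal output and diff port states between two scans.

Added example: not code from the original post or from nmap. The scan
texts below are constructed from the post's results for offline use.
"""
import re

HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
ALL_RE = re.compile(r"^All (\d+) scanned ports on (\S+) are (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")

# Constructed sample: UDP + SSH scan of the Asterisk box with the PBX running,
# plus one host that answers nothing at all (as 192.168.1.105 did above).
SCAN_ASTERISK_UP = """\
Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 18:51 PST
Interesting ports on 192.168.1.254:
PORT     STATE         SERVICE
22/tcp   open          ssh
4569/udp open|filtered iax
5060/udp open|filtered sip
All 1715 scanned ports on 192.168.1.105 are filtered
MAC Address: 00:1E:8C:B4:17:D8 (Asustek Computer)
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.50 seconds
"""

# Constructed sample: same scan with Asterisk stopped.
SCAN_ASTERISK_DOWN = """\
Interesting ports on 192.168.1.254:
PORT     STATE  SERVICE
22/tcp   open   ssh
4569/udp closed iax
5060/udp closed sip
"""


def parse_nmap(text):
    """Return {host: {"ports": {(port, proto): (state, service)}, "mac": str|None}}.

    A host reported as "All N scanned ports on X are <state>" gets an
    "all_ports" entry of (N, state) instead of individual port lines.
    """
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, {"ports": {}, "mac": None})
            continue
        m = ALL_RE.match(line)
        if m:
            current = m.group(2)
            hosts.setdefault(current, {"ports": {}, "mac": None})
            hosts[current]["all_ports"] = (int(m.group(1)), m.group(3))
            continue
        if current is None:
            continue  # banner lines before the first host
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            hosts[current]["ports"][(int(port), proto)] = (state, service)
            continue
        m = MAC_RE.match(line)
        if m:
            hosts[current]["mac"] = m.group(1).upper()
    return hosts


def uncertain_ports(hosts):
    """UDP ports nmap could not decide on: open but silent, or probe dropped."""
    return sorted(
        (host, port, proto)
        for host, info in hosts.items()
        for (port, proto), (state, _service) in info["ports"].items()
        if state == "open|filtered"
    )


def diff_states(before, after):
    """(host, port, proto, old_state, new_state) for every port whose state
    differs between two parsed scans, e.g. service running vs. stopped."""
    changes = []
    for host in sorted(set(before) | set(after)):
        b = before.get(host, {}).get("ports", {})
        a = after.get(host, {}).get("ports", {})
        for key in sorted(set(b) | set(a)):
            old = b.get(key, ("absent", ""))[0]
            new = a.get(key, ("absent", ""))[0]
            if old != new:
                changes.append((host, key[0], key[1], old, new))
    return changes


if __name__ == "__main__":
    up, down = parse_nmap(SCAN_ASTERISK_UP), parse_nmap(SCAN_ASTERISK_DOWN)
    print("undecided:", uncertain_ports(up))
    for change in diff_states(up, down):
        print("%s %d/%s: %s -> %s" % change)
```

In practice you would save the two real scans with `-oN before.txt` / `-oN after.txt` and feed their contents to `parse_nmap`; a port that flips from `open|filtered` to `closed` when the service stops is one the firewall is not dropping.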
Okay, so if you look at my local Asterisk server (192.168.1.254) you will notice that many ports are open, but none of them are SIP (5060) or IAX2 (4569). Why is that? Below, the '-sT' switch tells nmap to do a TCP connect() scan, which completes the full three-way handshake on each port. (The half-open SYN scan is '-sS', and it is nmap's default when run as root.) Either way, only TCP ports are scanned.
[root@mattcom1 ~]# nmap -sT 192.168.1.254
Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 17:37 PST
Interesting ports on 192.168.1.254:
Not shown: 1709 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2000/tcp open callbook
6000/tcp open X11
Even though Asterisk is up with a Polycom SoundPoint IP attached, no SIP port appears open. The mystery is solved if we take a close look at how SIP calls are set up. By default SIP signalling is carried over UDP port 5060 (Asterisk can also be configured to listen on TCP 5060, but that is not the default), and IAX2 uses UDP port 4569. Once the SIP exchange has set up the call, the endpoints open a series of RTP streams, also over UDP, for the audio, video or whatever media is being carried. A TCP-only scan will never see any of this. If we change the flags on nmap to scan UDP ('-sU') we can see whether the port is open.
[root@mattcom1 ~]# nmap -sU -p 5060 192.168.1.254
Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 18:51 PST
Interesting ports on 192.168.1.254:
PORT STATE SERVICE
5060/udp open|filtered sip
We UDP scanned port 5060 (this is a UDP scan, not a SYN scan; SYN is a TCP concept) and the 'STATE' is 'open|filtered'. nmap reports that state for a UDP port when its probe gets no reply at all: an open UDP service usually ignores an empty datagram, and a firewall silently dropping the probe looks exactly the same. The port only shows as 'closed' when the host answers with an ICMP port unreachable, which is what you get when Asterisk is shut down, or when a firewall rejects (rather than drops) the packet, as we can see below...
[root@mattcom1 ~]# nmap -sU -p 5060 192.168.1.254
Starting Nmap 4.68 ( http://nmap.org ) at 2009-01-23 19:12 PST
Interesting ports on 192.168.1.254:
PORT STATE SERVICE
5060/udp closed sip
Nmap done: 1 IP address (1 host up) scanned in 0.114 seconds
The same is true for IAX2 (UDP 4569) as for SIP: when Asterisk is off the 'STATE' shows 'closed'. One last note: the 'open|filtered' state could legitimately be filtered, because nmap cannot distinguish a silent open port from a dropped probe. By checking when Asterisk (or whatever UDP service) is on and off you can tell for sure. Two nmap options help here as well: '--reason' shows why nmap chose each state (a port-unreachable versus no response), and '-sV' sends protocol-specific payloads, including a SIP OPTIONS probe, so a real reply from Asterisk turns 'open|filtered' into 'open'. Bear in mind that a firewall which drops ICMP port-unreachable messages will make even a closed UDP port show as 'open|filtered'. I got some great information at nmap.org; I encourage anyone interested to check it out.
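The way to get past the 'open|filtered' ambiguity for SIP is the same thing '-sV' does: send something the service must answer and classify the three possible outcomes the way a UDP scanner has to. The script below is an added example, not code from the original post, from nmap or from Asterisk. It builds a minimal SIP OPTIONS request (RFC 3261), and treats a SIP reply as open, an ICMP port unreachable as closed, and silence as open|filtered. The reply bytes in SAMPLE_REPLY and the 192.0.2.10 source address are constructed placeholders; it assumes a Linux host, where a connected UDP socket surfaces the ICMP port unreachable as ConnectionRefusedError on recv().

```python
"""Resolve nmap's UDP 'open|filtered' for SIP with an application-layer probe.

Added example: not code from the original post, nmap or Asterisk. SAMPLE_REPLY
is a constructed response used for offline testing; probe_sip() needs a real
network and a Linux socket stack (ICMP unreachable -> ConnectionRefusedError).
"""
import random
import socket
import string

# Constructed: the shape of a 200 OK an Asterisk box might return to OPTIONS.
SAMPLE_REPLY = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc123;received=192.0.2.10\r\n"
    b"From: <sip:probe@192.0.2.10>;tag=abc123\r\n"
    b"To: <sip:192.168.1.254>;tag=as1234\r\n"
    b"Server: Asterisk PBX\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def build_options(target_ip, local_ip="192.0.2.10", local_port=5060):
    """Minimal SIP OPTIONS request. The Via branch must start with the
    RFC 3261 magic cookie z9hG4bK; the other random values just need to be
    unique per request so the reply can be matched to it."""
    rand = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))
    lines = [
        f"OPTIONS sip:{target_ip} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{rand};rport",
        f"From: <sip:probe@{local_ip}>;tag={rand}",
        f"To: <sip:{target_ip}>",
        f"Call-ID: {rand}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "", "",  # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode()


def parse_status(data):
    """Return (code, reason, server_or_user_agent) from a SIP response, else None."""
    head = data.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        return None
    try:
        code = int(parts[1])
    except ValueError:
        return None
    reason = parts[2] if len(parts) > 2 else ""
    server = None
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() in ("server", "user-agent"):
            server = value.strip()
    return (code, reason, server)


def classify(data=None, icmp_unreachable=False):
    """nmap's UDP rules: ICMP port unreachable -> closed; any reply -> open;
    no reply -> open|filtered (silent service, or a firewall dropped it)."""
    if icmp_unreachable:
        return ("closed", "ICMP port unreachable")
    if data is None:
        return ("open|filtered", "no reply: silent service or firewall drop")
    status = parse_status(data)
    if status is None:
        return ("open", "non-SIP reply")
    code, reason, server = status
    return ("open", f"SIP {code} {reason}" + (f" from {server}" if server else ""))


def probe_sip(target_ip, port=5060, timeout=2.0):
    """Send OPTIONS to target_ip:port and classify the outcome (needs network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    # connect() so that an ICMP port unreachable is reported as an error
    # on this socket (Linux behaviour) instead of being silently discarded.
    sock.connect((target_ip, port))
    try:
        sock.send(build_options(target_ip))
        return classify(sock.recv(4096))
    except ConnectionRefusedError:
        return classify(icmp_unreachable=True)
    except socket.timeout:
        return classify(None)
    finally:
        sock.close()


if __name__ == "__main__":
    print(classify(SAMPLE_REPLY))            # offline demo on the constructed reply
    # print(probe_sip("192.168.1.254"))      # live probe of the Asterisk box
```

Note the remaining blind spot, which no probe can remove: if the firewall drops both the UDP probe and the ICMP unreachable, a closed port and a filtered one look identical, so a timeout here still means only "no answer", exactly as nmap's 'open|filtered' does.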