Using the ZenMap GUI to run port scans
Last Modified: 1/21/2009 1:09:09 PM
Messaging Architects M+ Guardian
Nmap is a powerful tool that scans IP addresses, hosts and ports to see which are open and listening. ZenMap is the graphical front end for Nmap; this article uses the Windows build. It explains how to use ZenMap and goes over some of its benefits.
In short, this utility is useful for diagnosing rogue spam or viruses that reach your email system and make it look as though they circumvented M+ Guardian. That may not be the case: you may have another server listening on port 25 that is reachable from the internet, so mail can enter without ever passing through M+ Guardian.
The first step is to download the ZenMap Windows package. It can be found at the following website:
Scroll down to the section titled "Windows (NT/ME/2K/XP/Vista) binaries" and click the link to download. The link is somewhat hard to find; here is a screenshot to help:
After the download finishes, run the installer and install everything it offers (ZenMap needs the Nmap core and the packet capture driver). Once installed, there will be a shortcut in your Start menu under NMAP > ZenMap. Run the application and you should see an interface like this:
The area outlined in RED is the one we want to focus on: the Command field, where the nmap command line is typed. A simple scan contains the following parameters:
So, in the following example we use:
Here is an explanation of the switches and what they do:
-v = verbose mode. Prints more detail than the standard output, including which probes were sent and why a port was given its state.
-PN = assume the host is up and skip host discovery. Normally Nmap first sends discovery probes (an ICMP echo request plus TCP probes to a few common ports) and only port-scans hosts that answer. This switch bypasses that step. It is useful when a firewall drops those probes, because otherwise Nmap reports the host as down and never scans it. Newer Nmap releases document this switch as -Pn; -PN still works.
-p = port(s) to scan. Separate multiple ports with commas and give ranges with a dash, for example -p 25,465,587 or -p 1-1024.
(ip or host) = the IP address or hostname whose ports you want to scan. This can also be a range in CIDR notation, such as 220.127.116.11/24.
We are going to focus on port 25 (SMTP) to see whether this particular IP (18.104.22.168) is listening on port 25. Here are the results:
As you can see, port 25 shows as "filtered". Filtered means Nmap got no reply to its probe (or only an ICMP unreachable error), typically because a firewall or router ACL is dropping the packets, so Nmap cannot tell whether anything is listening behind it. Now let's run the scan again against an IP that we know is listening on port 25:
We can now see that the state is "open" instead of "filtered". Open means the probe completed the TCP handshake (a SYN/ACK came back), so a service is accepting connections on that port. Why is this one open? Because it is my M+ Guardian VM, which is up and listening on port 25. You can perform the same test with any of your public IP addresses that are NATted to M+.
Why is this useful? For one, it shows whether a host is listening on a port or not. If you see an open port, you can follow up with a telnet connection to that IP or host on port 25 and read the 220 greeting to confirm which mail software is actually answering. More importantly, if more than one IP address is listening on port 25 and that server is reachable from the outside world (because it has a public IP assigned or NATted to it), then that server can receive email directly from the internet. I've drawn up a diagram to help explain below:
In short, if your backend email server (Exchange, GroupWise GWIA, etc.) has a public or NATted IP and is reachable from the internet, SPAMMERS CAN AND WILL HARVEST THAT IP/HOSTNAME. More than likely they will attempt to send spam, viruses or any number of other things through that server.
In other words, this circumvents M+ Guardian's protection. If there is more than one way into your email system, then we CANNOT be held 100% accountable for spam that gets through.
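The two checks above (the port-25 scan across all of your public addresses, then the telnet-style banner read on anything that is open) can be driven from a short script instead of one ZenMap run per address. This is an added example and not code from the original article or from Messaging Architects; it assumes nmap is on the PATH for scan_smtp(), and the XML it parses is a constructed nmap -oX report using RFC 5737 documentation addresses rather than real hosts.

```python
"""Added example (not from the original article): find which of your public
IPs answer on TCP/25, then confirm with the telnet-style banner check.

Assumptions: nmap is on PATH for scan_smtp(); the addresses below are
constructed documentation IPs (RFC 5737), not real hosts."""
import socket
import subprocess
import xml.etree.ElementTree as ET

SMTP_PORT = "25"


def scan_smtp(targets):
    """Run the article's scan (-v -Pn -p 25) with XML on stdout.

    -Pn is the current spelling of the article's -PN. Not executed by the
    test; it needs a real nmap binary and network access."""
    cmd = ["nmap", "-v", "-Pn", "-p", SMTP_PORT, "-oX", "-", *targets]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def smtp_states(nmap_xml):
    """Map each scanned IPv4 address to Nmap's state for 25/tcp
    (open, closed, filtered, ...)."""
    states = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            if port.get("protocol") == "tcp" and port.get("portid") == SMTP_PORT:
                states[addr.get("addr")] = port.find("state").get("state")
    return states


def open_smtp_hosts(nmap_xml):
    """Only hosts that completed the handshake: each one can receive mail
    from the internet, so each one must be M+ Guardian or it is a bypass."""
    return sorted(ip for ip, state in smtp_states(nmap_xml).items() if state == "open")


def bypass_candidates(nmap_xml, gateway_ips):
    """Open port-25 hosts that are not your M+ Guardian addresses."""
    gateways = set(gateway_ips)
    return [ip for ip in open_smtp_hosts(nmap_xml) if ip not in gateways]


def smtp_banner(host, timeout=5.0):
    """The telnet test from the article: connect to port 25 and read the
    220 greeting, which names the software that is actually answering."""
    with socket.create_connection((host, 25), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", errors="replace").strip()


# Constructed nmap -oX output for three addresses: one open (the gateway),
# one filtered (a firewall drops the probe), one closed (a RST came back).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -v -Pn -p 25 -oX - 192.0.2.10-12">
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
<service name="smtp"/></port></ports></host>
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
<service name="smtp"/></port></ports></host>
<host><status state="up" reason="user-set"/>
<address addr="192.0.2.12" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="25"><state state="closed" reason="reset"/>
<service name="smtp"/></port></ports></host>
</nmaprun>
"""

if __name__ == "__main__":
    # Real use against your own public range: xml = scan_smtp(["203.0.113.0/28"])
    xml = SAMPLE_XML
    for ip, state in smtp_states(xml).items():
        print(f"{ip:15} 25/tcp {state}")
    # 192.0.2.10 is assumed to be the M+ Guardian VM in this sample.
    print("possible bypass hosts:", bypass_candidates(xml, ["192.0.2.10"]))
```

Anything bypass_candidates() returns is a server that the internet can hand mail to without M+ Guardian seeing it; run smtp_banner() on it to see what is answering, then either close the port at the firewall or restrict it to the gateway's address.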
You can also check the message headers (the Received: lines) to see whether the message travelled through M+ Guardian. Below is an example of a message that DID travel through and was scanned:
As you can see, the RED outline indicates that the message was received and scanned by M+ Guardian before being passed on. If you DO NOT see this information in the header, there is no guarantee that M+ scanned the message. Note that only the Received: lines written by your own servers can be trusted; a sender can forge any lines that appear below them.
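The header check can be automated by walking the Received: chain and looking for your gateway as the receiving ("by") host. This is an added example, not code from the original article or from Messaging Architects; it assumes the gateway's hostname is mplus.example.com (substitute your own M+ Guardian hostname), and both messages are constructed samples.

```python
"""Added example (not from the original article): check a message's
Received: headers for a hop through the M+ Guardian gateway.

Assumption: the gateway hostname is mplus.example.com; replace it with your
own M+ Guardian's hostname. The two messages below are constructed samples."""
import re
from email import message_from_string

GATEWAY_HOST = "mplus.example.com"  # assumed; use your M+ Guardian hostname

# The host named after "by" is the one that accepted the message at that hop.
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hops(raw_message):
    """Received: headers, oldest hop first. Each server prepends its own
    line, so the header order on the wire is newest first."""
    msg = message_from_string(raw_message)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def by_chain(raw_message):
    """Hostnames that claim to have received the message, in transit order."""
    chain = []
    for hop in received_hops(raw_message):
        match = _BY_RE.search(hop)
        if match:
            chain.append(match.group(1).lower())
    return chain


def passed_through_gateway(raw_message, gateway=GATEWAY_HOST):
    """True when the gateway appears as a 'by' host, i.e. it accepted the
    message and therefore had the chance to scan it. Only the lines added
    by your own servers are trustworthy; a sender can forge earlier ones."""
    return gateway.lower() in by_chain(raw_message)


# Constructed: normal path, internet -> M+ Guardian -> Exchange.
SCANNED_MSG = (
    "Received: from mplus.example.com (mplus.example.com [192.0.2.10])\n"
    "\tby exchange.corp.example with ESMTP id ABC123;\n"
    "\tWed, 21 Jan 2009 13:09:09 -0500\n"
    "Received: from mail.sender.example (mail.sender.example [203.0.113.5])\n"
    "\tby mplus.example.com with ESMTP id XYZ789;\n"
    "\tWed, 21 Jan 2009 13:09:07 -0500\n"
    "From: someone@sender.example\n"
    "To: user@corp.example\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Constructed: bypass path, internet straight to the NATted Exchange server.
BYPASS_MSG = (
    "Received: from bulk.spammer.example (unknown [198.51.100.77])\n"
    "\tby exchange.corp.example with ESMTP id DEF456;\n"
    "\tWed, 21 Jan 2009 13:10:00 -0500\n"
    "From: offer@spammer.example\n"
    "To: user@corp.example\n"
    "Subject: buy now\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("scanned", SCANNED_MSG), ("bypass", BYPASS_MSG)):
        print(name, by_chain(raw), "via gateway:", passed_through_gateway(raw))
```

When a message reports a chain like ["exchange.corp.example"] with the gateway missing, the Received: line that Exchange wrote tells you which outside host connected to it directly; that is the address that the port-25 scan should also have shown reaching your backend server.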
Happy Port Scanning!
Former KB Article: 1287