Top 8 Nmap options

Here are 8 excellent Nmap options, what they do, and why you would use them.

Most of the options can be run together. You will normally want to perform scans with administrator or root privileges.

| Option | What it does | Why you would use it |
|---|---|---|
| 1. -sn | No port scan (host discovery only) | Helpful for quickly discovering hosts that are up |
| 2. -iL file.lst | Scan the IP addresses listed in file.lst | Helpful if you already have a list of IP addresses to scan |
| 3. -n | Skip reverse DNS lookup | Speeds up scanning |
| 4. -Pn | Treat every host as up (skip host discovery) | Use when hosts have ping disabled, e.g. Windows |
| 5. -O | OS detection | Use to detect the OS version |
| 6. -T4 | Speed up the scan | Increases scan speed (the default is -T3) |
| 7. -A | Aggressive scan options | Shorthand that enables OS detection (-O), version scanning (-sV), script scanning (-sC) and runs a traceroute |
| 8. -oA filename | Save output in all formats | Saves the output to separate files in normal, XML and grepable formats |

Nmap table: 8 common options.

Cambium R195W cnPilot Routers Randomly Dropping

The Problem

We have been experiencing a problem with our Cambium routers where they randomly drop and are unresponsive until a reboot. They’ll also stop handing out addresses on the LAN side.

A reboot “fixes” the problem, until it does it again. You can trigger the behavior by running a port scan against the router. Wondering if the CPU/memory gets overloaded?

nmap -T4 -A -v 192.168.11.1

While running a scan on the LAN side, the web interface slows down, but doesn’t seem to take it down as fast as a scan on the WAN side.

goahead.sh is a script that may be maxing out the cpu, but could be completely unrelated.

Resolution

Configuring the “Allowed Remote IP (IP1;IP2;)” setting to limit WAN access effectively blocks port scans and resolves the issue. The setting is under Administration -> Management -> Web Settings. You can add multiple ranges, separated by semicolons:

10.0.0.0/8;172.16.0.0/12;192.168.0.0/16
[Screenshot: Configure Allowed Remote IP on cnPilot R195W]

It looks like public IP ranges are limited to /24s, so if you have a block of public IP addresses larger than a /24, you’ll need to break it down into /24s for it to work properly.

Template for cnMaestro

You can also create a template in the Cambium Cloud (cnMaestro) so you can apply the change to multiple routers fairly easily.

Go to Configuration -> Templates and add a new template.

WebRemoteLegalIP=10.0.0.0/8;192.168.0.0/16;172.16.0.0/12
[Screenshot: WebRemoteLegalIP template in cnMaestro]
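The WebRemoteLegalIP line above, and the /24 limit on public ranges noted in the previous section, can be generated rather than typed by hand. The following is an added example (not code from the post or from Cambium) that takes the ranges you want to allow and emits the template line; it assumes, as the post's own screenshots suggest, that only non-RFC1918 ranges need to be broken into /24s.

```python
import ipaddress
from typing import Iterable, List

# RFC 1918 space: the post shows /8, /12 and /16 private ranges being accepted
# as-is, so these are passed through without splitting (assumption from the post).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(private) for private in RFC1918)


def expand_allowed_ranges(ranges: Iterable[str]) -> List[str]:
    """Return the prefixes to enter in "Allowed Remote IP".

    Public ranges shorter than /24 are split into /24s because the router
    only seems to accept /24 (or longer) prefixes for public space.
    """
    out: List[str] = []
    for text in ranges:
        # strict=True: a prefix with host bits set (e.g. 203.0.113.0/23) raises
        # ValueError instead of being silently widened to the containing
        # network, which matters when the result is an allow-list.
        net = ipaddress.ip_network(text.strip(), strict=True)
        if net.version != 4:
            raise ValueError(f"only IPv4 ranges are supported: {text}")
        if _is_rfc1918(net) or net.prefixlen >= 24:
            out.append(str(net))
            continue
        out.extend(str(sub) for sub in net.subnets(new_prefix=24))
    # keep order, drop duplicates (dict preserves insertion order)
    return list(dict.fromkeys(out))


def web_remote_legal_ip_line(ranges: Iterable[str]) -> str:
    """Build the cnMaestro template line: semicolon separated, no spaces."""
    return "WebRemoteLegalIP=" + ";".join(expand_allowed_ranges(ranges))


if __name__ == "__main__":
    # 198.51.100.0/22 is a constructed sample public block that must be split.
    print(web_remote_legal_ip_line(["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "198.51.100.0/22"]))
```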

And then you can go to your device -> Configuration and apply your new config.

[Screenshot: Apply Allowed WAN IPs template]

Do note that if you run a scan from an allowed range, it still seems to cause problems. But at least setting the Allowed Remote IPs will keep others from scanning your network and causing problems on your R195s.

Baicells – nmap scan of eNodeB shows connected subscribers

A port scan of the 50000-59999 port range on the eNodeB reveals all the connected subscriber modules, one listening port per subscriber.

Alfred@localhost:~$ nmap -p 1-65535 10.0.0.2
Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-30 23:55 CDT
Nmap scan report for 10.0.0.2
Host is up (0.026s latency).
Not shown: 65520 closed ports
PORT      STATE    SERVICE
80/tcp    open     http
7547/tcp  open     cwmp
27149/tcp open     unknown
59423/tcp open     unknown
54984/tcp open     unknown
51241/tcp open     unknown
Nmap done: 1 IP address (1 host up) scanned in 19.18 seconds

You should be able to reach the login page of a subscriber module by going to https://enodeb-ip:xxxxx

where xxxxx is a port number from the scan: a 5 followed by the last four digits of the subscriber unit’s IMSI.

SSH into Baicells eNodeB

Based on multiple nmap scans of Baicells eNodeBs, it appears that they use port 27149 as the default SSH port.

Example scan

Alfred@localhost:~$ nmap -p 1-28999 10.0.0.2
Starting Nmap 7.60 ( https://nmap.org ) at 2019-08-27 21:19 CDT
Nmap scan report for 10.0.0.2
Host is up (0.044s latency).
Not shown: 28996 closed ports
PORT      STATE SERVICE
80/tcp    open  http
7547/tcp  open  cwmp
27149/tcp open  unknown  <-- SSH Port
Nmap done: 1 IP address (1 host up) scanned in 10.81 seconds

SSH into eNodeB

ssh -p 27149 admin@10.0.0.2 

Example:

ssh -p27149 admin@10.0.0.2
Password:
CELL> ?
  enable      Turn on privileged mode command
  exit        Exit current mode and down to previous mode
  list        Print command list
  passwd      User password
  ping        Send echo messages
  quit        Exit current mode and down to previous mode
  show        Show running system information
  ssh         Open an ssh connection
  telnet      Open a telnet connection
  terminal    Set terminal line parameters
  traceroute  Trace route to destination
  whoami      Show current user in system
CELL>