Hi,

I am using scanning tools such as Nmap to identify vulnerable ports on remote Linux systems on the local network. I have virtualbox on my Windows 7 host where I have two Linux VM's that I am testing these techniques between. The two virtual machines are Fedora 14 and Backtrack R2 V5. When I scan these two VM's, according to Nmap all ports are filtered and not in use, but when I use netstat locally on them I can see available open ports such are 111 (SunRPC). Can anyone figure out why I can't see these available ports remotely?

Thanks  

What sort of networking do you have set up in VirtualBox?

Can you ping either box?  

I have bridged the two VM's to the local network so they have their own IP address.
Yes I can ping the two VM's from the host Windows 7, and the two VM's can also ping each other.  

What command line are you using to run nmap?

Is there a firewall enabled on either VM, or on the system from which you're scanning?  

I'm running arguments such as -sS (for TCP scan), sU (UDP scan) and the IP network address prefix (192.1.168.1.0/24) which scan's this home network, it successively identifies the VM's (host is up), and scans the default 1000 ports without specifying what ports to scan. But all ports are filtered?

I have Avira installed on the host Win7, but no such firewall or ani-virus software on the VM's.

Thanks  

BT by default has no open ports and boots with networking disabled, you have to bring the eth0 interface up and get an IP.

The reason that you are getting crap results is because you're using -sU to specify a UDP scan. Try this:

On your BT bring up the interface and get an IP, then start apache:

service apache2 start

Then try scanning the eth0 interface:

nmap 192.168.0.10 (or whatever)

You should get a response from port 80, then try some fun options:

nmap 192.168.0.10 -sV
nmap 192.168.0.10 -sC
nmap 192.168.0.10 -O

Avoid using the -sU switch for now, and dont mix options while you're learning how it works, I recommend some background reading from the nmap site.

You probably want to play with the various host discovery options and tools available, the -sn -PM -PP -Pn switches in nmap for example, and tools such as arp-scan (which is bloody useful when hosts dont respond to ping). Apparently theres this thing called unicornscan as well and netcat makes a great emergency scanner.  

Thanks for the reply.

How do I go about changing the adapter to eth0 connection? Because I had internet connection when I created the VM's from virtualbox.

When I do service apache2 start, I get the following error:

"apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName"

I dont understand why apache is using 127.0.1.1 when it should be 127.0.0.1?

Thanks