nmap is the most
powerful, most flexible network exploration tool and security
scanner. It’s the tool of choice for auditing your network for
vulnerabilities. Search for the same weaknesses intruders are looking
for. nmap’s slogan is “audit your network before the bad guys do.”
A more accurate definition of nmap is “TCP stack analyzer.” nmap
builds different types of TCP packets, sends them to the target, then
analyzes the responses. It is quite amazing what the author of nmap,
Fyodor, has accomplished by studying and analyzing TCP packets, and
what different operating systems do to them.
Because nmap is so good at what it does, it
is the tool of choice for evil crackers, which raises some ethical
questions: is it OK to portscan other people’s networks? It is not an
intrusion device. It’s more akin to ‘casing the joint,’ just looking
around to see what there is. Not touching, just being nosy.
It’s not just a technical issue. Be aware that emotions run high
on this subject. If someone objects to being portscanned, there could
be consequences- such as losing your ISP account. The script kiddies
employ automated tools that follow up a scan with intrusion attempts,
so some admins run automated scan-detection/send-angry-email-to-ISP
utilities, or even retaliatory attacks. Someday there will be no human
intervention at all, just warring scripts.
However, there is a limit to what you can learn by using nmap on a
single system. In my little gang, we play it safe and scan each
other’s systems, with explicit permission. We gain additional
experience without running the risk of getting in trouble.
nmap comes with most Linux distributions,
and it’s supported or runs on almost every other UNIX variant,
including Solaris and OS X; and there’s a port in the works for Win32. It runs in the console, no need to fire up
X just for nmap. Nmapfe is a nice GUI for nmap, and also comes on most
Linux distributions. Nmapfe is a nice introduction to nmap’s basic
scans, however, it has only a small set of nmap’s features. As always,
true power lies at the command line.
nmap does three things: ping to find live hosts, portscan to find
active, listening services, and attempt to identify the target’s
operating system. Why should you care if your OS or other apps are
known? Because a successful attack depends on knowing the target, to
exploit known weaknesses.
The easy way to identify a system is to connect on an open port,
and simply read the login banner. It doesn’t even require a successful
login, just a successful initial connection. Email, Web, and FTP
servers identify themselves, and the operating system as
well. Cautious admins edit these banners to foil intruders. No point
in making it easy. Email headers are the biggest tattletales of all:
they give away everything.
nmap contains a database of nearly
260+ operating system signatures. These include all manner of devices:
computers, routers, printers &emdash; anything that can be networked. See
/nmap-os-fingerprints for the complete list, and their rulesets. nmap
sends 7, count ’em, 7 different TCP packets to the target machine,
then analyzes the responses. It needs 1 open and 1 closed port to be
Snort knows the structures of these packets, and is able to
identify an nmap scan. Another characteristic is each packet uses the
same TCP sequence number. If you’re writing your own rulesets to
identify and block portscans, Ethereal is marvelous for plucking this
sort of thing out of packet headers.
Ping (ICMP Echo Request) is losing its
usefulness as more firewalls block ICMP echoes. Ping is such a nice
little thing, all it does is ask “Are you alive?” When ping is
blocked, it is difficult to know if the host even exists. However,
nmap has other ways of making them talk.
nmap command syntax:
# nmap [Scan Type] [Options]
A simple, useful scan on your local machine:
#nmap -sS -O 127.0.0.1
Starting nmap V. 2.54BETA37 ( www.insecure.org/nmap/ )
Interesting ports on windbag (127.0.0.1):
(The 1597 ports scanned but not shown below are in state: closed)
22/tcp       open     ssh
111/tcp      open     sunrpc
515/tcp      open     printer
6000/tcp     open     X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20 Uptime
3.949 days (since Wed Jul 4 21:21:39 2002) Nmap run completed -- 1 IP
address (1 host up) scanned in 2 seconds
TCP connect() scan, option -sT, opens a connection to every
interesting port on the target machine. Any open ports will
connect. It’s fast and noisy- this sort of scan will fill up a logfile
quick as a wink. Any user can run it.
TCP SYN scanning, option -sS, is sneakier. nmap sends a SYN
packet, pretending to want to open a connection. When a SYN|ACK
response is received, nmap hangs up on them. (Sends a RST for you
techie types.) Fewer sites log these, though that’s changing
fast. This, like most of nmap’s functions, must run as root.
-O means identify target OS.
TCP FIN is even sneakier, option -sF. Closed ports tend to reply
to a FIN packet with RST. Open ports ignore it. At least on systems
that follow TCP standards; Microsoft systems do not respond this way,
they send RSTs from open and closed ports. Which is another way to
identify the OS.
TCP Xmas Tree Scan, option -sX, sends FIN, PSH, and URG
flags. Again, a closed port will send RST, an open port
nothing. Except on Microsoft systems.
There are a number of other interesting and useful options:
Paranoid, Sneaky, Polite, Normal, Aggressive, and Insane. These
determine nmap’s timing. A system can be overloaded by a portscan,
this lets you make adjustments. Use -T [Option], or numbering: -T
[0-5]. nmap by default uses parallel scanning, which is very
fast. Paranoid runs serially, at longer intervals.
Targets can be identified by hostname, IP number, port numbers,
and ranges of both. Both standard and CIDR IP notations work.
nmap of course will log its results in various formats:
-oN [logfilename] normal text file
-oX [logfilename] XML
-oS [logfilename] sKripT kiDd|3 f0rM
It pays to scan your network from both sides of
your firewall. This is a good reason to keep a dialup account, for
cheap and easy external testing. Combine with Ethereal, system, and
firewall logs for a comprehensive picture.
If you’ve been wanting a reason to dig into the guts of TCP/IP,
here it is. See nmap’s home page for extensive documentation, and
excellent links to useful resources. Especially the exploit page, for
a reminder on why there is constant nagging to keep your systems
patched and updated – old exploits don’t go away.