The Most Customizable Network Scanner Ever
SecurityProNews - Is Your Network Secure?

editor's note - 10.10.01

A cracker who knows what operating system you are running has an idea of what vulnerabilities you may have left exposed. When you combine operating system information with information about what ports are open, you are leaving those script kiddies a map to cracking your machine(s). As a system administrator you can prevent many cracks just by trying to crack your own system(s) and repairing any holes or exploits that you may have found. Today's article deals with nmap, which is probably the most configurable and complete scanner available. This article is just the first of what I suspect will turn into several articles covering the use of nmap and what it can do for you. Read on and enjoy!

The SecurityProNews Team


'The Most Customizable Network Scanner Ever'

nmap, by Fyodor, is an extremely powerful, open source (GPL-licensed) port scanner that offers a host of features including remote OS detection, SYN stealth scanning, FIN scanning, and more. In the right hands, nmap is more powerful than even the most expensive commercial scanners, and if you have priced any commercial port scanners, you already know that they can run into many thousands of dollars for a single-user license. In fact, eEye Digital Security (the makers of the Retina security scanner for Windows) have this to say about it: "nmap is the most customizable network scanner ever. It has various options to perform stealth scans, ping scans, UDP scans, as well as a handful of other scan types." eEye is so impressed with Fyodor's nmap that they have ported it to Windows NT so that you Windows folks can take advantage of one of the best scanners on earth. The Windows port is available from eEye. The home page for nmap is Insecure.org, and ports for most flavors of Unix can be found there as well.

If you prefer a GUI, be sure to check out nmapfe (also available at insecure.org), a graphical frontend for nmap based on the GTK libraries (and only available for Unix flavors, as far as I am aware; if you know of or have written a frontend for Windows, let me know). All of the examples in this article will give the command line switches. If you are using the nmapfe frontend, you will still be able to see these switches in the interface.

The README files included with the original Unix-based version and eEye's version are thorough and will walk you through installation. As far as the Linux/Unix version goes, it is your typical install from source (./configure, make, make install) or rpm (rpm -ivh nmap-2.xx.i386.rpm). The eEye version includes an executable and source code in a *.zip file, although I am unaware of how to compile the source under Windows. nmapNT will have to be run from the directory that it was extracted to. Make certain that the nmap-os-fingerprint, nmap-rpc, and nmap-services files reside in the same place as the binary (nmapNT.exe). You will then be able to execute nmapNT from the command line. Now that you have nmap (and have installed it!), let's take a look at how it works and what it will tell you. If you have the source, open the document 'nmap_doc.html' in your favorite browser for an excellent reference on the use of nmap.

The man page 'nmap_manpage.html', which can be found in the source directory, or 'man nmap' from the command line (for Unices), covers all of the switches nicely along with providing some examples of nmap's use. If you were to type 'nmap -help' at the command line (for Unix variants) or 'nmapNT' for Windows, a small summary of switches would be displayed as follows:

Nmap V. 2.54BETA22 Usage: nmap [Scan Type(s)] [Options]

Some Common Scan Types ('*' options require root privileges)
  -sT TCP connect() port scan (default)
* -sS TCP SYN stealth port scan (best all-around TCP scan)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)

Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG Output normal/XML/grepable scan logs to
  -iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)

Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'

SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

Let's quickly go over these switches. First of all, every switch marked with an asterisk is only available to root on the Unix variants. This is not the case with the Windows version; all options are available to Windows users.

The first option, '-sT', is a typical scan that attempts to connect to each port it checks. If the port is listening, a full TCP connection is established (and then closed); otherwise the port is considered closed. This type of scan is relatively reliable, but anyone logging connections to their machine will see that you have been there.

The next option, '-sS', is the SYN stealth scan. This option is also known as a half-open scan. This type of scan sends a SYN (synchronize, or start) packet and then waits for the return of a SYN/ACK (synchronize-acknowledge) packet. If it receives a SYN/ACK, it knows the target is listening on this port; a RST (reset) in reply means the port is closed. This is very similar to the connect scan previously mentioned, except that nmap sends a RST packet to cancel the half-open connection rather than completing the handshake. This helps to avoid being logged, but is still not fool-proof.
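To see why the '-sT' connect scan shows up in connection logs while the half-open scan usually does not, the added example below (written for this page, not code from the article or from nmap) runs a small logging listener on the loopback interface and sends one connect() probe at it and one at a port nothing is listening on. accept() only returns once the three-way handshake has completed, so the listener (standing in for a daemon or TCP wrappers that logs every accepted connection) records the connect scan; a SYN scan resets the connection before that point and never reaches accept(). The listener, the port choices and the "filtered" label are assumptions made for the demonstration.

```python
import socket
import threading
import time


def start_logging_listener():
    """Bind a TCP listener on a free loopback port and record every
    connection that reaches accept(), i.e. every completed handshake.
    The 'accepted' list is our stand-in for a daemon's connection log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    srv.listen(5)
    srv.settimeout(0.2)             # so the thread can notice the stop flag
    accepted = []
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()   # returns only after a full handshake
            except socket.timeout:
                continue
            accepted.append(peer)           # log entry: client (ip, source port)
            conn.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], accepted, stop, thread


def connect_probe(host, port, timeout=1.0):
    """The -sT behaviour: a full connect(). 'open' if the handshake
    completes, 'closed' if the kernel answers with a RST (refused),
    'filtered' (assumed label) if nothing answers before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def unused_loopback_port():
    """Pick a loopback port with no listener, so a probe to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe one listening and one closed loopback port; report the probe
    results and how many connections the listener logged."""
    open_port, accepted, stop, thread = start_logging_listener()
    closed_port = unused_loopback_port()
    states = {
        open_port: connect_probe("127.0.0.1", open_port),
        closed_port: connect_probe("127.0.0.1", closed_port),
    }
    deadline = time.time() + 2.0    # give the listener thread time to log the accept
    while len(accepted) < 1 and time.time() < deadline:
        time.sleep(0.01)
    stop.set()
    thread.join()
    return {"open_port": open_port, "closed_port": closed_port,
            "states": states, "logged_connections": len(accepted)}


if __name__ == "__main__":
    result = demo()
    for port, state in sorted(result["states"].items()):
        print(f"127.0.0.1:{port} {state}")
    print(f"listener logged {result['logged_connections']} completed connection(s)")
```

The single logged entry is the whole point: a connect scan hands the server application a real connection to record (with the scanner's address in it), which is why the article calls '-sT' reliable but noisy. Detecting the half-open variant has to happen below the application, in the kernel, a firewall or a network sensor that counts SYNs that are never followed by data.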

The '-sU' option is for a UDP port scan. Since UDP has no handshake, nmap sends a UDP datagram to each port; if an ICMP port unreachable message is received, the port is assumed closed, and a port that never answers is reported as open, which is why UDP scans are slow and prone to false positives.

The '-sP' option is for scanning a range of IP addresses to see what machines are there. This is sometimes known as a ping sweep, though nmap's version is much more configurable than the other tools commonly used for this. See the man page for more info on this switch.

The '-sF', '-sX' and '-sN' switches are for more advanced (and discreet) types of scans. Look for more information on these types of scans in the man pages and in future articles.

The technique used for detecting operating systems is known as fingerprinting and is useful not only for crackers, but for system administrators who want to know exactly what their boxes are telling those who are interested enough to look. This option is invoked by passing the '-O' argument to nmap, which signals nmap to try to determine the operating system of the target machine by comparing the target's TCP/IP stack behaviour with nmap's database of known OS fingerprints. To find out more than you probably need to know about fingerprinting operating systems, see the fingerprinting paper on Insecure.org.

Most of the remaining options are self-explanatory. If any of these are confusing, see the man pages - I cannot emphasize enough how well these pages are put together and how informative they are. Also, while I am at it, look for more in-depth articles on nmap and what it can reveal (by way of examples) in future issues.
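The editor's note recommends scanning your own systems and repairing what you find; the '-oG' switch in the usage summary above is what makes that routine, because grepable output is easy to compare against a list of what each host is supposed to expose. The added example below (written for this page, not code from the article or from nmap) parses '-oG' output and reports ports that are open but not in the baseline, and baseline ports that did not show up open. The scan output and the baseline are constructed; the hosts use the 192.0.2.0/24 documentation range. It assumes the grepable layout of tab-separated fields on each 'Host:' line with port entries of the form port/state/protocol/..., which holds for the 2.54 line and later.

```python
from collections import defaultdict

# Constructed sample of nmap -oG output (not a real scan). Fields on a Host
# line are tab-separated; each port entry is port/state/protocol/owner/service/...
SAMPLE_GREPABLE = "\n".join([
    "# nmap (V. 2.54BETA22) scan initiated (constructed sample)",
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//, "
    "80/open/tcp//http//, 443/open/tcp//https//\tIgnored State: closed (1520)",
    "Host: 192.0.2.11 (db.example.test)\tPorts: 22/open/tcp//ssh//, "
    "3306/open/tcp//mysql//, 31337/open/tcp//Elite//\tIgnored State: closed (1520)",
    "Host: 192.0.2.12 ()\tStatus: Down",
    "# Nmap run completed (constructed sample)",
])

# Constructed baseline: the (protocol, port) pairs each host should have open.
# 8443 on the web host is listed as expected but is not open in the sample,
# so it shows up as "missing" (a service that is down or now filtered).
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 8443)},
    "192.0.2.11": {("tcp", 22), ("tcp", 3306)},
}


def parse_grepable(text):
    """Return {ip: {(protocol, port), ...}} of open ports from -oG output.
    Hosts without a 'Ports:' field (down, or nothing open) are skipped."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                        # comment / run summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]           # "Host: <ip> (<name>)"
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3:
                continue                    # malformed entry, ignore
            port, state, proto = parts[0], parts[1], parts[2]
            if state == "open":
                open_ports[ip].add((proto, int(port)))
    return dict(open_ports)


def audit(text, baseline):
    """Compare a -oG scan against the baseline.
    Returns (unexpected, missing): open ports not in the baseline, and
    baseline ports that were not seen open."""
    seen = parse_grepable(text)
    unexpected, missing = {}, {}
    for ip in set(seen) | set(baseline):
        extra = seen.get(ip, set()) - baseline.get(ip, set())
        gone = baseline.get(ip, set()) - seen.get(ip, set())
        if extra:
            unexpected[ip] = extra
        if gone:
            missing[ip] = gone
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_GREPABLE, BASELINE)
    for ip, ports in sorted(unexpected.items()):
        for proto, port in sorted(ports):
            print(f"UNEXPECTED  {ip} {port}/{proto}")
    for ip, ports in sorted(missing.items()):
        for proto, port in sorted(ports):
            print(f"MISSING     {ip} {port}/{proto}")
```

Run against a real '-oG' file, the "UNEXPECTED" lines are the ones to chase: in the constructed sample it is 31337/tcp on the database host, a port nmap-services labels 'Elite' because it is a traditional backdoor port. The "MISSING" lines are just as useful for a defender, since a service that silently stopped listening is an outage nobody reported.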



-- SecurityProNews is an eZined.com publication --
© 2001 iEntry, Inc. All Rights Reserved