Michael Cobb kicks off his Nmap series today and will provide regular tips on how to get the most out of the free network scanner.
Like every business at the moment, management is probably pushing you to come up with savings on your IT budget. Nothing new there, but they're probably also looking at increasing the number of ways in which suppliers and customers can connect to your network. Better information sharing can obviously bring efficiencies, improved service delivery and reduced costs; all important goals in these tough economic times. But how do you, on a tight budget, keep track of what's running on your network and who's connecting to it?
Well, there's a free open source tool that could fit the bill. Now I know many of you have probably already starting mumbling "How can you rely on a tool with no help desk support, and that never gets past the beta version?" Surely, though, when choosing a security device or software, you're looking for the one that provides the most effective defence for the threats that you are trying to mitigate.
Some open source tools now compare favourably with commercial alternatives in terms of features, reliability and help forums. And one in particular, Nmap, has become the tool of choice for many network administrators who want to audit their networks and check for unexpected new applications and services.
What is Nmap?
Nmap (Network Mapper), written by Gordon Lyon (also known as Fyodor
The network mapping tool supports most Unix and Windows platforms, as well as Mac OS X and several mobile devices. It is also available in both command line and graphical user interface modes, which help Windows administrators who have less experience with the command prompt.
How Nmap port scans provide network visibility
So how can a network scanner help you keep control of your network? Well, a Windows machine, for example, may use hundreds of ports to communicate with other machines, and each of those open network ports is an attacker's way in. Once you have run an Nmap scan to identify the open ports, the services running on them, and the potential weak spots in your defenses, you can close any that are not required, thus reducing the number of potentially exploitable services.
Nmap also makes network inventory and asset management a lot easier. Once you have mapped your network, you can identify any unexpected changes since the last scan. Some administrators perceive Nmap as a tool for hackers, but this can be true of any tool used in computer security. To me, it makes sense to use an Nmap scan to see what ports are open and what network information is leaking to potential attackers. For example, a machine infected by a worm will try to open up ports in order to listen for instructions from its controller.
How to install Nmap
So if you want to add one of the most versatile network utilities to your toolbox for free, you should visit http://nmap.org and download a copy. Nmap was originally a command-line application for UNIX, but a Windows version has been available since 2000. This article will look at how to install and configure the Windows version.
Unless you want to compile Nmap from the source code using Microsoft Visual C++ 2008, I recommend using the Nmap binary self-installer (41.5Mb). This installs on Windows 2K, XP and Vista and handles registry settings, all the required files and includes the Zenmap graphical user interface (GUI). User interfaces for open source software are renowned for being clunky and less than intuitive, but the Zenmap GUI is a great improvement from earlier Nmap user interfaces. Additionally, the Command Instructor Wizard, though not as fancy as vendorware equivalents, makes creating scans and profiles pretty straightforward.
The install file isn't digitally signed, but SHA-1 hashes for each release are available to verify the authenticity of the downloaded file. During setup, you are asked to choose which components to install. Unless you already have WinPcap 4.02, a packet capture library, on your PC, install the components listed and opt to have the WinPcap service NPF (NetGroup Packet Filter driver) run at startup. The installer can also add a shortcut to the Start Menu folder and Desktop. The default install directory is C:\Program Files\Nmap\, but because the installer adds Nmap to the computer's PATH environment variable, you can execute Nmap as a command-line application from any directory. Using Nmap as a command-line application allows the utility to run from a script. Therefore, precise scans can be executed without having to set lots of different options.
Once you've installed Nmap, you can test it by opening a Command Prompt window and typing nmap –A –T4 scanme.insecure.org, which will scan the host scanme.insecure.org, a service that allows testing of the tool and ensures that Nmap installation has occurred successfully. The A and T4 options enable OS and version detection and increase Nmap's speed to "aggressive." There are more than a hundred command-line options, some of which we'll be looking at in the next few articles. Note that the command options are case-sensitive.
Nmap on Windows is not quite as efficient as on UNIX. Because of limitations with the Windows networking API, the connect scan (-sT) in particular is often much slower than on UNIX. The registry changes made during installation help improve scan performance by increasing the number of ephemeral ports reserved for applications such as Nmap, and decrease the amount of time before a closed connection can be reused. If you run into problems running Nmap on Windows, you should check for error messages in the Windows event log and then see if the problem is covered in the Nmap-dev list archives.
Nmap as a best-of-breed product is a great security tool for helping to keep control of your network, and being free is very attractive regardless of what kind of budget you may have. However, when appraising potential security products against your evaluation criteria, the cost of training staff to use them is an important consideration as well. Your staff will need time to learn how to get the most out of Nmap's many powerful features. Although there is no Nmap help desk, there is plenty of help and guidance. The primary documentation for using Nmap is the Nmap Reference Guide, but there is also an interactive video training course consisting of eleven modules called Nmap Secrets, as well as an official guide book called Nmap Network Scanning written by Fyodor himself. There is also plenty of supporting documentation for Nmap, and it is worthwhile subscribing to the Nmap-hackers mailing list too.
In our next Nmap article, we'll be looking at different techniques for scanning for ports and services using some of Nmap's many options.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in March 2009