Knowing what services are running on your systems, and being able to identify if and when any of those services change, is the first step in securing your network. Many tools can accomplish this, but any network admin with an interest in security should get to know Nmap intimately.
Nmap first appeared on the scene 14 years ago as a simple network scanner. Since, it has evolved into a behemoth of a network scanning and enumeration tool, incorporating many features beyond simple port scanning. This
Identifying devices on the network
Creating an inventory of the devices on your network is the perfect way to start to secure it. Without detailed knowledge of which devices are accessible, you cannot determine whether someone (maliciously or not) has connected an unauthorized device to the network, compromising the organisation’s security controls.
For the sake of simplicity, I will use a standard class C network of 192.168.1.0/24 for the following Nmap scan examples.
Nmap can be used as a simple discovery tool, using various techniques (e.g. ARP pings, ICMP requests, TCP and/or UDP pings) to identify live devices on a network. All of these techniques are used when specifying the –sP switch in an Nmap command, for example:
Nmap –sP 192.168.1.0/24
This simple command will send various packets (ARP, ICMP, etc.) to every address within the 192.168.1.0/24 range, and will report any devices that respond. The results will look similar to those in the example below:
What’s it running?
Once it's identified the live devices, Nmap can be used to determine which TCP and UDP ports are open, closed or firewalled. Knowing which services are running, and which of those are essential to the running of the business, can help determine a network security baseline. This baseline can serve as a starting point from which to identify any anomalies, allowing for swift investigation. Malware will often open ports on infected devices in order to send and/or receive data; malicious attackers will look for badly configured services (i.e., anonymously accessed FTP servers, unauthenticated administrative Web interfaces, etc.) and exploitable software. Nmap can help to identify any of these problems.
When scanning devices to determine which ports are open, there are various basic scanning options:
-sS –Performs a “stealth” TCP scan (that does not fully complete the “TCP three-way handshake,” and closes the connection once the service responds).
-sT –Performs a full TCP scan (a full connection is established with open TCP ports).
-sU –Performs a UDP scan (as UDP is a connectionless protocol, these scans can take significantly longer than TCP scans).
-p – Tells Nmap which ports to scan (e.g., –p1-65535 will specify every port).
These basic options can be used to give a quick overview of the open ports on any given device, for example:
Nmap includes an advanced option, “--top-ports”, which can be used to test only the most commonly seen ports. This can be used in conjunction with various advanced timing options to reduce the time needed to scan a large number of devices.
Knowing which ports are open is only half the battle, but Nmap does have another weapon at its disposal: a huge database of service fingerprints. Nmap can connect to the open ports it discovers and attempt to identify the services running behind them. For the attacker, version information is critical to knowing whether a service is exploitable. By default, Nmap identifies services based on their entry in the Nmap services file (which was initially based on the IANA assigned ports list). As this isn’t always correct (What’s to stop an attacker from writing a virus that sends out data on the registered SMTP port?), the “-sV” switch can be used to tell Nmap to interrogate discovered open ports to determine software and version information.
Along with identifying the services running on open ports, the "–O" switch can be used to tell Nmap to detect which operating system a device is running, including vendor, OS version and the purpose of the device.
The scan above has identified the device as Microsoft Windows Server 2008, Windows Vista or Windows 7.
Whilst Nmap isn’t a full-blown vulnerability scanner, it can be used to help identify vulnerabilities on the network. One of Nmap's most powerful features is its scripting engine, which can help automate a myriad of tasks, from recording service banner information to vulnerability identification.
Using the “--script=” option allows specific scripts to be loaded into Nmap and executed after the port scan has completed. Combining the “banner.nse” and “http-headers.nse” scripts can allow quick and simple enumeration of banner information across the network. The example below shows a Thomson router in its default configuration.
Using Nmap, we have discovered the device is running FTP, telnet, http, https and pptp servers. Combining the information received from 1) the banners, 2) the http headers and 3) operating system guess, we can deduce the device is a Thomson router.
Much more can be gathered through scripts, as well: from anonymous FTP logins, SNMP information and SSH versions, to Microsoft Windows username enumeration, brute-force logon attacks and email spoofing. The list of available scripts increases on an almost daily basis, and scripts can be created easily by users to fit their needs.
Using the "-oX" switch, the scan can be output to XML and imported into a spreadsheet for further analysis.
Nmap is an extremely useful, free tool that can allow organisations to keep tabs on the state of their networks. Running these types of scans on a regular basis can help maintain a reasonable level of assurance that:
1. You know what devices are on the network, and can easily discover if and when something new has been added.
2. You know what services are running on every device, and can easily discover if a service has been created (whether malicious or not).
3. You can use the information discovered to help mitigate some vulnerabilities on the network.
This was first published in July 2011