A more accurate definition of nmap is "TCP stack analyzer." nmap builds different types of TCP packets, sends them to the target, then analyzes the responses. It is quite amazing what the author of nmap, Fyodor, has accomplished by studying and analyzing TCP packets, and what different operating systems do to them.
Ethical Issues
Because nmap is so good at what it does, it is the tool of choice for evil crackers, which raises some ethical questions: is it OK to portscan other people's networks? It is not an intrusion device. It's more akin to 'casing the joint,' just looking around to see what there is. Not touching, just being nosy.
It's not just a technical issue. Be aware that emotions run high on this subject. If someone objects to being portscanned, there could be consequences, such as losing your ISP account. The script kiddies employ automated tools that follow up a scan with intrusion attempts, so some admins run automated scan-detection/send-angry-email-to-ISP utilities, or even retaliatory attacks. Someday there will be no human intervention at all, just warring scripts.
However, there is a limit to what you can learn by using nmap on a single system. In my little gang, we play it safe and scan each other's systems, with explicit permission. We gain additional experience without running the risk of getting in trouble.
Banners Bad
nmap comes with most Linux distributions, and it's supported or runs on almost every other UNIX variant, including Solaris and OS X; there's also a port in the works for Win32. It runs in the console, so there's no need to fire up X just for nmap. Nmapfe is a GUI for nmap, and it also comes on most Linux distributions. Nmapfe is a nice introduction to nmap's basic scans; however, it exposes only a small set of nmap's features. As always, true power lies at the command line.
nmap does three things: ping to find live hosts, portscan to find active, listening services, and attempt to identify the target's operating system. Why should you care if your OS or other apps are known? Because a successful attack depends on knowing the target, to exploit known weaknesses.
The easy way to identify a system is to connect on an open port, and simply read the login banner. It doesn't even require a successful login, just a successful initial connection. Email, Web, and FTP servers identify themselves, and the operating system as well. Cautious admins edit these banners to foil intruders. No point in making it easy. Email headers are the biggest tattletales of all: they give away everything.
OS Fingerprinting
nmap contains a database of some 260 operating system signatures. These include all manner of devices: computers, routers, printers, anything that can be networked. See /nmap-os-fingerprints for the complete list, and their rulesets. nmap sends 7, count 'em, 7 different TCP packets to the target machine, then analyzes the responses. It needs 1 open and 1 closed port to be accurate.
Snort knows the structures of these packets, and is able to identify an nmap scan. Another characteristic is that each probe packet uses the same TCP sequence number. If you're writing your own rulesets to identify and block portscans, Ethereal is marvelous for plucking this sort of thing out of packet headers.
Basic Scans
Ping (ICMP Echo Request) is losing its usefulness as more firewalls block ICMP echoes. Ping is such a nice little thing, all it does is ask "Are you alive?" When ping is blocked, it is difficult to know if the host even exists. However, nmap has other ways of making them talk.
nmap command syntax:

# nmap [Scan Type] [Options]

A simple, useful scan on your local machine:

# nmap -sS -O 127.0.0.1

Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 3.949 days (since Wed Jul 4 21:21:39 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
TCP connect() scan, option -sT, opens a connection to every interesting port on the target machine. Any open ports will connect. It's fast and noisy: this sort of scan will fill up a logfile quick as a wink. Any user can run it.
TCP SYN scanning, option -sS, is sneakier. nmap sends a SYN packet, pretending to want to open a connection. When a SYN|ACK response is received, nmap hangs up on them. (Sends a RST, for you techie types.) Fewer sites log these, though that's changing fast. This, like most of nmap's functions, must run as root. -O means identify target OS.
TCP FIN is even sneakier, option -sF. Closed ports tend to reply to a FIN packet with RST. Open ports ignore it. At least, that is what systems that follow the TCP standard do; Microsoft systems do not respond this way: they send RSTs from both open and closed ports, which is another way to identify the OS.
TCP Xmas Tree Scan, option -sX, sends FIN, PSH, and URG flags. Again, a closed port will send RST, an open port nothing. Except on Microsoft systems.
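The OS-fingerprinting section notes that Snort recognises nmap's probe packets, partly because the probes share one TCP sequence number, and the scan descriptions above give the flag combinations (bare SYN with no follow-through, bare FIN, FIN|PSH|URG) that each scan type puts on the wire. The Python below is an added example, not code from the article, from Snort, or from nmap: it runs those observations as detection heuristics over a constructed list of captured TCP header fields, the kind of thing you would pull out of an Ethereal capture. The record field names, the thresholds and the sample traffic are all constructed for this example.

```python
"""Spot nmap-style probes in captured TCP headers (added example).

Each record holds the header fields an analyst would pull from a
capture with a tool like Ethereal: source, destination, destination
port, TCP flag bits and sequence number.  The field names, the
thresholds and the sample traffic below are constructed for this
example; they are not Snort rules or nmap's own code.
"""
from collections import Counter, defaultdict

# TCP flag bits as laid out in the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the flag set the article gives for -sX


def classify_flags(flags):
    """Name the probe type a lone packet's flag combination suggests.

    A bare SYN is how every connection starts, so it is only a scan hint;
    a bare FIN or FIN|PSH|URG never occurs in a legitimate handshake.
    """
    if flags == XMAS:
        return "xmas"
    if flags == FIN:
        return "fin"
    if flags == SYN:
        return "syn"
    return None


def find_probes(packets, min_syn_ports=5, min_seq_reuse=3):
    """Return one alert dict per suspicious pattern, grouped by source.

    Heuristics follow the article's descriptions:
      * FIN-only or Xmas packets to any port: -sF / -sX style probes.
      * SYNs to many distinct (host, port) pairs from a source that never
        sends data (PSH|ACK): the half-open behaviour of -sS.
      * Several probes to one host that share a TCP sequence number: the
        OS-fingerprinting burst the article says Snort recognises.
    """
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)

    alerts = []
    for src, pkts in by_src.items():
        targets = defaultdict(set)  # probe type -> {(dst, dport)}
        for p in pkts:
            kind = classify_flags(p["flags"])
            if kind:
                targets[kind].add((p["dst"], p["dport"]))

        # A real client eventually pushes data; a half-open scanner never does.
        sent_data = any((p["flags"] & (PSH | ACK)) == (PSH | ACK) for p in pkts)

        for kind in ("xmas", "fin"):
            if targets[kind]:
                alerts.append({"src": src, "type": f"{kind}-scan",
                               "ports": len(targets[kind])})
        if len(targets["syn"]) >= min_syn_ports and not sent_data:
            alerts.append({"src": src, "type": "syn-scan",
                           "ports": len(targets["syn"])})

        # Same sequence number reused across several probes to one host.
        seq_use = Counter((p["dst"], p["seq"]) for p in pkts)
        for (dst, seq), n in seq_use.items():
            if n >= min_seq_reuse:
                alerts.append({"src": src, "type": "fingerprint-seq-reuse",
                               "dst": dst, "seq": seq, "count": n})
    return alerts


def pkt(src, dst, dport, flags, seq):
    """Build one constructed header record."""
    return {"src": src, "dst": dst, "dport": dport, "flags": flags, "seq": seq}


# Constructed sample: 10.0.0.9 is an ordinary web client, 10.0.0.66 scans.
SAMPLE = [
    pkt("10.0.0.9", "10.0.0.1", 80, SYN, 1000),
    pkt("10.0.0.9", "10.0.0.1", 80, ACK, 1001),
    pkt("10.0.0.9", "10.0.0.1", 80, PSH | ACK, 1001),
]
# Half-open SYNs to six ports, each with its own sequence number (-sS style).
SAMPLE += [pkt("10.0.0.66", "10.0.0.1", port, SYN, 5000 + i)
           for i, port in enumerate((21, 22, 25, 80, 111, 515))]
# A fingerprinting burst at port 22: five differently flagged probes, one sequence number.
SAMPLE += [pkt("10.0.0.66", "10.0.0.1", 22, flags, 777)
           for flags in (SYN, 0, ACK, XMAS, FIN)]

if __name__ == "__main__":
    for alert in find_probes(SAMPLE):
        print(alert)
```

Run against the sample, the web client produces no alert, while the scanning host triggers all four patterns. The thresholds are deliberately loose for a small sample; on a real capture you would raise `min_syn_ports` and add a time window so that a busy but legitimate client is not flagged.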
There are a number of other interesting and useful options: Paranoid, Sneaky, Polite, Normal, Aggressive, and Insane. These determine nmap's timing. A system can be overloaded by a portscan; these settings let you make adjustments. Use -T [Option], or numbering: -T [0-5]. nmap by default uses parallel scanning, which is very fast. Paranoid runs serially, at longer intervals.
Targets can be identified by hostname, IP number, port numbers, and ranges of both. Both standard and CIDR IP notations work.
nmap of course will log its results in various formats:

-oN [logfilename]   normal text file
-oX [logfilename]   XML
-oS [logfilename]   sKripT kiDd|3 f0rM

For reference, here is the port table from the local scan above, which appears before the OS guess:

Starting nmap V. 2.54BETA37 ( www.insecure.org/nmap/ )
Interesting ports on windbag (127.0.0.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
515/tcp    open        printer
6000/tcp   open        X11

Testing

It pays to scan your network from both sides of your firewall. This is a good reason to keep a dialup account, for cheap and easy external testing. Combine with Ethereal, system, and firewall logs for a comprehensive picture.

Resources

If you've been wanting a reason to dig into the guts of TCP/IP, here it is. See nmap's home page for extensive documentation, and excellent links to useful resources. Especially the exploit page, for a reminder on why there is constant nagging to keep your systems patched and updated - old exploits don't go away.
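The XML output (-oX) is the format to feed into your own tooling when you scan your network from both sides of the firewall and want to keep the results over time. The Python below is an added example, not code from the article or from nmap: it parses a constructed -oX report, written in the element layout current nmap versions use (nmaprun, host, address, ports/port/state/service, os/osmatch), for the four listeners the local scan above found, pulls the OS guess, and diffs the open ports against a baseline of expected listeners so that a service nobody meant to expose stands out. The XML text and the baseline are constructed for the example.

```python
"""Compare an nmap -oX report against expected listeners (added example).

SAMPLE_XML is a constructed report in the shape nmap writes with -oX;
the host, open ports and OS guess are those from the article's local
scan.  BASELINE is likewise constructed: the listeners the admin knows
about on each host.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -oX scan.xml 127.0.0.1" version="2.54BETA37">
  <host>
    <status state="up"/>
    <address addr="127.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="windbag"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="111"><state state="open"/><service name="sunrpc"/></port>
      <port protocol="tcp" portid="515"><state state="open"/><service name="printer"/></port>
      <port protocol="tcp" portid="6000"><state state="open"/><service name="X11"/></port>
    </ports>
    <os><osmatch name="Linux Kernel 2.4.0 - 2.5.20"/></os>
  </host>
</nmaprun>
"""

# Constructed baseline: only ssh and the print spooler are supposed to listen.
BASELINE = {"127.0.0.1": {("tcp", 22), ("tcp", 515)}}


def _host_addr(host):
    """Return the host's address attribute, or None if the element is missing."""
    addr_el = host.find("address")
    return None if addr_el is None else addr_el.get("addr")


def parse_open_ports(xml_text):
    """Return {addr: {(protocol, port), ...}} for every open port in the report."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr = _host_addr(host)
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr] = open_ports
    return result


def os_guesses(xml_text):
    """Return {addr: [osmatch names]} so a changed fingerprint is noticed."""
    root = ET.fromstring(xml_text)
    return {_host_addr(h): [m.get("name") for m in h.iter("osmatch")]
            for h in root.iter("host") if _host_addr(h) is not None}


def diff_against_baseline(found, baseline):
    """Return {addr: {"unexpected": [...], "missing": [...]}} per host.

    'unexpected' are open ports not in the baseline (a new listener to
    investigate); 'missing' are baseline services that did not answer.
    """
    report = {}
    for addr in set(found) | set(baseline):
        seen = found.get(addr, set())
        expected = baseline.get(addr, set())
        report[addr] = {"unexpected": sorted(seen - expected),
                        "missing": sorted(expected - seen)}
    return report


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_XML)
    for addr, entry in diff_against_baseline(found, BASELINE).items():
        print(addr, os_guesses(SAMPLE_XML).get(addr), entry)
```

With the constructed baseline, sunrpc (111) and X11 (6000) come back as unexpected listeners, which is exactly the kind of finding a scan of your own machines is for. Keeping the -oX files from each run and diffing successive reports the same way shows what changed between scans.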
See All Articles by Columnist Carla Schroder