Audit Your LAN Before the Bad Guys Do with nmap

by Carla Schroder

nmap gives you the chance to 'audit your network before the bad guys do.' Carla Schroder examines the best network exploration tool and security scanner you'll ever use.

nmap is the most powerful, most flexible network exploration tool and security scanner. It's the tool of choice for auditing your network for vulnerabilities. Search for the same weaknesses intruders are looking for. nmap's slogan is "audit your network before the bad guys do."

A more accurate definition of nmap is "TCP stack analyzer." nmap builds different types of TCP packets, sends them to the target, then analyzes the responses. It is quite amazing what the author of nmap, Fyodor, has accomplished by studying and analyzing TCP packets, and what different operating systems do to them.

Ethical Issues
Because nmap is so good at what it does, it is the tool of choice for evil crackers, which raises some ethical questions: is it OK to portscan other people's networks? It is not an intrusion device. It's more akin to 'casing the joint,' just looking around to see what there is. Not touching, just being nosy.

It's not just a technical issue. Be aware that emotions run high on this subject. If someone objects to being portscanned, there could be consequences, such as losing your ISP account. The script kiddies employ automated tools that follow up a scan with intrusion attempts, so some admins run automated scan-detection/send-angry-email-to-ISP utilities, or even retaliatory attacks. Someday there will be no human intervention at all, just warring scripts.

However, there is a limit to what you can learn by using nmap on a single system. In my little gang, we play it safe and scan each other's systems, with explicit permission. We gain additional experience without running the risk of getting in trouble.

Banners Bad
nmap comes with most Linux distributions, and it's supported or runs on almost every other UNIX variant, including Solaris and OS X; there's a port in the works for Win32. It runs in the console; there's no need to fire up X just for nmap. Nmapfe is a nice GUI for nmap, and it also comes with most Linux distributions. Nmapfe is a good introduction to nmap's basic scans; however, it exposes only a small set of nmap's features. As always, true power lies at the command line.

nmap does three things: ping to find live hosts, portscan to find active, listening services, and attempt to identify the target's operating system. Why should you care if your OS or other apps are known? Because a successful attack depends on knowing the target, to exploit known weaknesses.

The easy way to identify a system is to connect on an open port, and simply read the login banner. It doesn't even require a successful login, just a successful initial connection. Email, Web, and FTP servers identify themselves, and the operating system as well. Cautious admins edit these banners to foil intruders. No point in making it easy. Email headers are the biggest tattletales of all: they give away everything.

OS Fingerprinting
nmap contains a database of more than 260 operating system signatures. These include all manner of devices: computers, routers, printers, anything that can be networked. See /nmap-os-fingerprints for the complete list, and their rulesets. nmap sends 7, count 'em, 7 different TCP packets to the target machine, then analyzes the responses. It needs 1 open and 1 closed port to be accurate.

Snort knows the structures of these packets, and is able to identify an nmap scan. Another characteristic is that each packet uses the same TCP sequence number. If you're writing your own rulesets to identify and block portscans, Ethereal is marvelous for plucking this sort of thing out of packet headers.
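As an added example in the spirit of the "write your own rulesets" advice above (this is not code from the article or from the Snort or nmap projects), here is a small detector that classifies probes by TCP flag set, alerts when one source touches many ports in a short window, and notes when all of a source's probes share one sequence number. The one-packet-per-line log format, the host addresses and the log lines themselves are constructed for the example.

```python
# Added example, not from the article: a minimal portscan detector run over
# constructed log lines. Probe types follow the article's -sS/-sF/-sX flag sets.

import re
from collections import Counter, defaultdict

# Hypothetical one-packet-per-line format (e.g. written by a firewall log).
# Flag letters follow tcpdump: S=SYN A=ACK F=FIN P=PSH U=URG R=RST.
LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>[A-Z]*) seq=(?P<seq>\S+)"
)


def classify_flags(flags: str) -> str:
    """Map a flag string to the nmap probe type it resembles."""
    f = set(flags)
    if f == {"S"}:
        return "syn"          # first packet of -sS / -sT
    if f == {"F"}:
        return "fin"          # -sF
    if f == {"F", "P", "U"}:
        return "xmas"         # -sX
    if not f:
        return "null"         # no flags at all
    return "other"            # ordinary traffic (ACK, SYN|ACK, data, ...)


def parse_log(lines):
    """Parse matching lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["t"] = float(rec["t"])
        rec["dport"] = int(rec["dport"])
        rec["kind"] = classify_flags(rec["flags"])
        records.append(rec)
    return records


def detect_scans(lines, threshold=5, window=10.0):
    """Alert on any source that probes >= threshold distinct ports within `window` seconds."""
    by_src = defaultdict(list)
    for rec in parse_log(lines):
        by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["t"])
        for i, first in enumerate(recs):
            hits = [r for r in recs[i:] if r["t"] - first["t"] <= window]
            ports = {r["dport"] for r in hits}
            if len(ports) < threshold:
                continue
            kinds = Counter(r["kind"] for r in hits)
            alerts.append({
                "src": src,
                "probe": kinds.most_common(1)[0][0],
                "ports": sorted(ports),
                # The article notes nmap's probes reuse one sequence number.
                "same_seq": len({r["seq"] for r in hits}) == 1,
            })
            break  # one alert per source is enough
    return alerts


# Constructed sample log: an Xmas sweep from 10.0.0.5, a FIN trickle from
# 10.0.0.8 too slow to trip the window, and ordinary SYN/ACK traffic from 10.0.0.7.
SAMPLE_LOG = [
    "t=1.0 src=10.0.0.5 dst=10.0.0.9 dport=21 flags=FPU seq=0x1000",
    "t=1.1 src=10.0.0.5 dst=10.0.0.9 dport=22 flags=FPU seq=0x1000",
    "t=1.2 src=10.0.0.5 dst=10.0.0.9 dport=23 flags=FPU seq=0x1000",
    "t=1.3 src=10.0.0.5 dst=10.0.0.9 dport=25 flags=FPU seq=0x1000",
    "t=1.4 src=10.0.0.5 dst=10.0.0.9 dport=80 flags=FPU seq=0x1000",
    "t=1.5 src=10.0.0.5 dst=10.0.0.9 dport=111 flags=FPU seq=0x1000",
    "t=2.0 src=10.0.0.7 dst=10.0.0.9 dport=80 flags=S seq=0x2a1f",
    "t=2.1 src=10.0.0.7 dst=10.0.0.9 dport=80 flags=A seq=0x2a20",
    "t=0.0 src=10.0.0.8 dst=10.0.0.9 dport=21 flags=F seq=0x3000",
    "t=20.0 src=10.0.0.8 dst=10.0.0.9 dport=22 flags=F seq=0x3001",
    "t=40.0 src=10.0.0.8 dst=10.0.0.9 dport=23 flags=F seq=0x3002",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

With the defaults only the Xmas sweep trips the detector; lowering the threshold and widening the window catches the slow FIN trickle as well, which is the usual tuning trade-off between catching patient scanners and drowning in false alarms from busy, legitimate clients.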

Basic Scans
Ping (ICMP Echo Request) is losing its usefulness as more firewalls block ICMP echoes. Ping is such a nice little thing; all it does is ask "Are you alive?" When ping is blocked, it is difficult to know if the host even exists. However, nmap has other ways of making them talk.

nmap command syntax:

# nmap [Scan Type] [Options]

A simple, useful scan on your local machine:

# nmap -sS -O
Starting nmap V. 2.54BETA37 ( www.insecure.org/nmap/ )
Interesting ports on windbag (
(The 1597 ports scanned but not shown below are in state: closed)
Port       State         Service
22/tcp       open     ssh
111/tcp      open     sunrpc
515/tcp      open     printer
6000/tcp     open     X11

Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 3.949 days (since Wed Jul 4 21:21:39 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

TCP connect() scan, option -sT, opens a connection to every interesting port on the target machine. Any open ports will connect. It's fast and noisy; this sort of scan will fill up a logfile quick as a wink. Any user can run it.

TCP SYN scanning, option -sS, is sneakier. nmap sends a SYN packet, pretending to want to open a connection. When a SYN|ACK response is received, nmap hangs up on them. (Sends a RST for you techie types.) Fewer sites log these, though that's changing fast. This, like most of nmap's functions, must run as root.

-O means identify target OS.

TCP FIN is even sneakier, option -sF. Closed ports tend to reply to a FIN packet with RST, and open ports ignore it, at least on systems that follow the TCP standard. Microsoft systems do not respond this way: they send RSTs from both open and closed ports, which is another way to identify the OS.

TCP Xmas Tree Scan, option -sX, sends FIN, PSH, and URG flags. Again, a closed port will send RST and an open port nothing, except on Microsoft systems.
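The four scan types just described differ only in the first packet nmap sends and in how the target's TCP stack answers it. As an added example (not code from the article or from nmap itself), the model below plays out both sides of each exchange and shows what nmap concludes from the reply. The "rfc" stack model follows the standards-compliant behaviour described above; the "windows" model follows the Microsoft behaviour the article describes (RST from open and closed ports alike). The sample port table is constructed.

```python
# Added example, not from the article: a model of the -sT, -sS, -sF and -sX
# exchanges, with the target's reply decided by port state and stack model.

from typing import List, Optional

# Flags nmap sets on the first packet of each scan type (from the article).
PROBE_FLAGS = {
    "-sT": "SYN",          # connect(): full handshake via the OS socket API
    "-sS": "SYN",          # half-open: never completes the handshake
    "-sF": "FIN",
    "-sX": "FIN|PSH|URG",  # Xmas tree
}


def target_reply(flags: str, port_open: bool, stack: str = "rfc") -> Optional[str]:
    """Reply a target port sends to a probe, or None if it stays silent."""
    if "SYN" in flags:
        # Every stack: an open port answers SYN|ACK, a closed port answers RST.
        return "SYN|ACK" if port_open else "RST"
    if stack == "rfc":
        # RFC 793 behaviour: a closed port resets, an open port drops the stray FIN.
        return None if port_open else "RST"
    if stack == "windows":
        # Behaviour the article attributes to Microsoft stacks: RST either way.
        return "RST"
    raise ValueError(f"unknown stack model: {stack}")


def exchange(scan: str, port_open: bool, stack: str = "rfc") -> List[str]:
    """Packets on the wire for one probe: '->' scanner to target, '<-' the reply."""
    flags = PROBE_FLAGS[scan]
    packets = [f"-> {flags}"]
    reply = target_reply(flags, port_open, stack)
    if reply is not None:
        packets.append(f"<- {reply}")
    if reply == "SYN|ACK":
        if scan == "-sT":
            # connect() completes the handshake and then closes normally,
            # which is why the server application gets to log the connection.
            packets += ["-> ACK", "-> FIN|ACK"]
        else:
            # -sS: nmap "hangs up" with a RST, so no connection is ever established.
            packets.append("-> RST")
    return packets


def nmap_verdict(scan: str, reply: Optional[str]) -> str:
    """Port state nmap infers from the reply to the given scan type."""
    if "SYN" in PROBE_FLAGS[scan]:
        return "open" if reply == "SYN|ACK" else "closed"
    # FIN/Xmas: RST means closed. Silence was reported as open by the nmap
    # version the article uses; current releases report it as open|filtered.
    return "closed" if reply == "RST" else "open"


def run_scan(scan: str, ports: dict, stack: str = "rfc") -> dict:
    """Apply one scan type to {port: is_open} and return nmap's per-port verdict."""
    return {
        port: nmap_verdict(scan, target_reply(PROBE_FLAGS[scan], is_open, stack))
        for port, is_open in ports.items()
    }


# Constructed sample target: ssh listening on 22, nothing on 23.
SAMPLE_PORTS = {22: True, 23: False}

if __name__ == "__main__":
    for stack in ("rfc", "windows"):
        for scan in PROBE_FLAGS:
            print(f"{stack:8} {scan}  {run_scan(scan, SAMPLE_PORTS, stack)}")
    print(exchange("-sS", True))
```

Running it shows the point the article makes twice: against an "rfc" stack the FIN and Xmas probes sort ports correctly, but against the "windows" model every port comes back closed, so the same stealth scan that fails to map a Windows box also tells you it is one.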

There are a number of other interesting and useful options: Paranoid, Sneaky, Polite, Normal, Aggressive, and Insane. These determine nmap's timing. A system can be overloaded by a portscan; these settings let you adjust the pace. Use -T [Option], or numbering: -T [0-5]. nmap by default uses parallel scanning, which is very fast. Paranoid runs serially, at longer intervals.

Targets can be identified by hostname, IP number, port numbers, and ranges of both. Both standard and CIDR IP notations work.

nmap of course will log its results in various formats:
-oN [logfilename] normal text file
-oX [logfilename] XML
-oS [logfilename] sKripT kiDd|3 f0rM
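The normal (-oN) format is the one shown in the scan listing earlier on this page, and it is easy to parse for the kind of audit the article recommends: compare what is actually listening against what you expect to be listening. The parser and audit step below are an added example, not code from the article or from the nmap project. The sample report is constructed from the page's listing with a placeholder address, and the allow-list of expected ports is a hypothetical policy.

```python
# Added example, not from the article: a parser for nmap -oN output plus a
# comparison of the open ports found against an expected set.

import re

HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([^)]*)\):?", re.M)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
OS_RE = re.compile(r"^Remote operating system guess: (.+)$", re.M)


def parse_nmap_normal(text: str) -> dict:
    """Pull host name, address, port table and OS guess out of -oN output."""
    host = HOST_RE.search(text)
    os_guess = OS_RE.search(text)
    ports = [
        {"port": int(num), "proto": proto, "state": state, "service": service}
        for num, proto, state, service in PORT_RE.findall(text)
    ]
    return {
        "host": host.group(1) if host else None,
        "addr": host.group(2) if host else None,
        "ports": ports,
        "os_guess": os_guess.group(1).strip() if os_guess else None,
    }


def audit(report: dict, expected_open: set) -> dict:
    """Compare open (port, proto) pairs against an allow-list of approved ones."""
    found = {(p["port"], p["proto"]) for p in report["ports"] if p["state"] == "open"}
    return {
        "unexpected": sorted(found - expected_open),  # listening but not approved
        "missing": sorted(expected_open - found),     # approved but not listening
    }


# Constructed -oN report modelled on the article's listing (the address is a placeholder).
SAMPLE_REPORT = """\
Starting nmap V. 2.54BETA37 ( www.insecure.org/nmap/ )
Interesting ports on windbag (192.0.2.10):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
515/tcp    open        printer
6000/tcp   open        X11

Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 3.949 days (since Wed Jul 4 21:21:39 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
"""

# Hypothetical policy: only ssh and the print spooler should listen on this box.
EXPECTED_OPEN = {(22, "tcp"), (515, "tcp")}

if __name__ == "__main__":
    report = parse_nmap_normal(SAMPLE_REPORT)
    print(report["host"], report["addr"], report["os_guess"])
    print(audit(report, EXPECTED_OPEN))
```

Against the sample report the audit flags sunrpc and X11 as unexpected listeners, which is exactly the sort of thing that should make you go and look at the box before someone else does. Scheduling a scan with -oN and feeding the file through a check like this turns a one-off look into a standing control.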

It pays to scan your network from both sides of your firewall. This is a good reason to keep a dialup account, for cheap and easy external testing. Combine with Ethereal, system, and firewall logs for a comprehensive picture.

If you've been wanting a reason to dig into the guts of TCP/IP, here it is. See nmap's home page for extensive documentation, and excellent links to useful resources. Especially the exploit page, for a reminder on why there is constant nagging to keep your systems patched and updated - old exploits don't go away.


This article was originally published on Thursday Jul 18th 2002