Nmap is one of the most reliable and practical network security scanners and exploration tools. It is definitely the best tool for those that need to audit a network for holes and vulnerabilities.

This way, you can look for the same vulnerabilities that hackers are on the lookout for, so that you can essentially beat the bad guys to it.

So, a more technical definition of this technology is that it is a TCP stack analyzer.

This means that it builds different TCP packets, and then directs them to the target, and then looks through the responses that it gets.

Ethical Issues

Due to the fact that the nmap is the kind of software that is at the top of its game, it is of course the best tool for hackers as well, which means that there is the issue of ethics.

For example, is it okay to portscan networks that belong to other people?

The thing is, it’s not an intrusive device. It’s just having a look see what’s happening – it’s not touching anything, it’s just being a busybody.

However, emotions can still run high around a subject like this. If someone doesn’t like this, then you might have to pay for it, and maybe give up your ISP account.

Coders use automatic features to track a scan, which means that there could be a retaliation.

The thing is, you can’t learn everything from one tool.

Nmap comes with the majority of Linux affiliations, and it runs with almost every UNIX distribution as well.

It operates in the console too, which is convenient. It has three main features: it will notify to locate live hosts, portscan to locate listening applications, and try to get to the bottom of the operating system of the target.

So, why do you need to be worried if your apps are identified? Because being successful with a cyberattack depends on how well you know the target, so that you can exploit their vulnerabilities.

One of the easiest ways to discover a system is to link to an open port, and view the login banner. You don’t even have to have a login that is successful, just a connection that is.

The operating system, along with web and email, will identify themselves, but some wary admins will edit these to put off intruders. You don’t want to make it too easy, right? Email headers are the largest giveaways of all.

Fingerprinting

Nmap has more than 260 operating signatures. These comprise all types of devices, from routers and printers to computers – anything that you can network.

Snort understands the foundations of these, and can work out when there is an nmap scan. If you are developing your own rules to block or just identify portscans, then Ethereal is great for this.

Basic Scans

Ping is losing its practical side are more firewalls are blocking ICMP echoes. However, nmap has ways of getting around this.

nmap command syntax:

# nmap [Scan Type] [Options]

A simple, useful scan on your local machine:

#nmap -sS -O 127.0.0.1
Starting nmap V. 2.54BETA37 ( www.insecure.org/nmap/ )
Interesting ports on windbag (127.0.0.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State         Service
22/tcp       open     ssh
111/tcp      open     sunrpc
515/tcp      open     printer
6000/tcp     open     X11

Remote operating system guess: Linux Kernel 2.4.0 – 2.5.20 Uptime 3.949 days (since Wed Jul 4 21:21:39 2002) Nmap run completed — 1 IP address (1 host up) scanned in 2 seconds

TCP connect has a link to every port that is of interest on the machine you are targeting. Any ports that are open will then subsequently connect. It is quick, and the best part is that anyone can operate it.

TCP SYN scanning is a little more subtle. Nmap will send a SYN packet, which pretends that it wants to make a bridge.

When it gets a response, nmap will hang up. There aren’t as many sites that log these ‘failed’ connections, although this is changing quickly.

-O indicates identify target OS.

TCP FIN is a bit sneakier, -sF. Ports that are closed are tempted to reply to FIN with RST. Ports that are open will just ignore it.

Microsoft doesn’t respond in this way, instead they send RSTs out to both kinds of ports. This is another method to identify OS.

There are a few other options, including Sneaky, Polite, Paranoid, Insane, and Normal. These all determine the nmap’s timing.

The thing is, an operating system can be overrun by a portscan, which will then let you change things.

Targets are broken down into IP number, hostname, port numbers, or all of the above.

nmap has its three different outlays:
-oN [logfilename] normal text file
-oX [logfilename] XML
-oS [logfilename] sKripT kiDd|3 f0rM

Testing

We think it’s important to look through your network on both sides of the firewall. We think this is why it’s worth sticking with your dialup profile, for easy testing on both sides that’s also affordable.

We recommend that you also check out nmap’s page for a lot of additional information, as well as some great links to practical resources.

Featured Posts