
Lock IT Down: Hacker tool helps diagnose network vulnerabilities

Learn how to use NmapNT to scan systems for security holes the way hackers do.


Long a mainstay of the hacker community, Nmap is increasingly being used in network administration to identify network vulnerabilities. Nmap was previously available only for Linux and UNIX, but a Windows version is now being offered, making it a viable option for many more users. NmapNT ships with three versions of its packet driver:
  • Packet95 (for Windows 95/98/Me)
  • PacketNT (for Windows NT)
  • Packet2K (for Windows 2000 and Windows XP)

NmapNT is a no-frills, easy-to-use program that can provide a wealth of useful information about your network. If you want to audit your network for vulnerabilities, use NmapNT to find the holes where hackers might sneak in. What makes this tool even better is that it’s free.

Download and installation
The NT version of Nmap is available for download at eEye Digital Security’s Web site. The zipped file contains the NmapNT executable, packet drivers (which basically bypass the Windows TCP/IP stack when running NmapNT), the source code, and other files NmapNT requires to run. The download also includes a README file with some basic overview information about the Nmap port to Windows and instructions for installing the correct packet driver.

Installing the packet drivers
Before you can use NmapNT, you must install the packet drivers for your network adapter. The download includes separate drivers for WinNT and Win2K. You can install the drivers manually or download and run the WinPcap autoinstaller.

To install the drivers manually in Windows 2000, follow these steps:
  1. Click Start on the taskbar and choose Settings | Network And Dial-up Connections.
  2. Right-click on Local Area Connection and choose Properties.
  3. Click Install.
  4. Select Protocol and click Add.
  5. Click Have Disk.
  6. Click Browse and locate the Drivers folder in the NmapNT folder you downloaded.
  7. Double-click the Packet2K folder.
  8. Select the .inf file and click Open.
  9. Click OK in the Install From Disk dialog box.
  10. Click OK in the Select Network Protocol dialog box.
  11. Close the Local Area Connection Properties dialog box.
  12. Reboot your system. (You may encounter errors if you don't.)

Using switches in NmapNT
After you’ve installed the necessary packet drivers, you’re ready to do some scanning. NmapNT has no GUI at this point, although the GUIs released for versions on other operating systems indicate that one might be around the corner.

To run NmapNT, simply open a command prompt, navigate to the directory where the executable resides, and type nmapnt followed by the target IP address and whatever switches you want to use. (For a look at available switches, type nmapnt /?). NmapNT offers a wide variety of command-line options, making it an incredibly versatile tool.

For example, if you run the program without using any switches, as shown in the following example, you might receive this response:
C:\Program Files>Nmapnt 192.168.1.129
Note: Host seems down. If it is really up but blocking our ping probes, try -P0

The -P0 switch allows you to scan networks on which ping is being blocked. The results of the previous scan with the -P0 switch might look like this:
C:\Program Files>Nmapnt 192.168.1.129 -P0
Initiating TCP connect() scan against 192.168.1.129.
Adding TCP port 135 (state open).
Adding TCP port 12345 (state open).
Adding TCP port 445 (state open).
Adding TCP port 2301 (state open).
Adding TCP port 139 (state open).

As you can see, using this switch got around the block and revealed information about what ports were actually open on the target host.

Another switch identifies which hosts on a network are up. The -PT switch sends out TCP ACK packets throughout the network and waits for responses. Keep in mind that if you run this on a large network, it will take some time for NmapNT to complete the request.

Another useful option is the -O switch, which identifies the operating system of the target system. Incidentally, you can also scan a host using the computer name rather than the IP address, as shown in the following example:
C:\Program Files\Nmapnt>nmapnt l2ksdf01645 -O
WARNING: OS didn't match until the 2 try
Interesting ports on l2ksdf01645:
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
2301/tcp   open        compaqdiag
12345/tcp  open        NetBus
 
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=11271 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1 through final release

Obviously, if hackers know the operating system a host is running, they can exploit known vulnerabilities for that OS.

The -I switch queries identd for each open port NmapNT finds on the target host. This works only if the host is running identd.

There are too many switches to list here. For detailed information about all of NmapNT’s scanning options, you can visit Insecure.org’s Nmap network security man page.

Using the information
What does NmapNT offer net admins? The primary application of NmapNT is to view your network from the outside looking in; in other words, it gives you an attacker’s-eye view of your network.

For example, NmapNT’s basic port scan reveals which ports are open on network hosts and which services they’re running. From a hacker’s perspective, these ports represent points of possible entry into your network. You have to ask yourself whether the service running on that port is really needed. If not, it should be shut down to eliminate a possible vulnerability.
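The audit step described here, turning raw scan output into a list of listeners that need a decision, can be scripted. The following Python script is an added example, not code from the article or from the NmapNT/eEye project. It parses both output styles shown earlier (the "Adding TCP port N (state open)." lines of the -P0 connect scan and the Port/State/Service table of the -O scan), extracts the OS guess where present, and compares the open ports against a baseline of expected listeners. The two sample output strings are constructed for this example from the scan results shown above, and the baseline set (135, 139 and 445/tcp for a Windows 2000 host) is a hypothetical allowlist the administrator would maintain.

```python
import re

# Constructed sample: the -P0 connect-scan lines shown earlier in the article.
CONNECT_SCAN_OUTPUT = """\
Initiating TCP connect() scan against 192.168.1.129.
Adding TCP port 135 (state open).
Adding TCP port 12345 (state open).
Adding TCP port 445 (state open).
Adding TCP port 2301 (state open).
Adding TCP port 139 (state open).
"""

# Constructed sample: the port table and OS guess printed by the -O scan above.
PORT_TABLE_OUTPUT = """\
WARNING: OS didn't match until the 2 try
Interesting ports on l2ksdf01645:
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
2301/tcp   open        compaqdiag
12345/tcp  open        NetBus

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=11271 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1 through final release
"""

# "Adding TCP port 135 (state open)." style lines from a connect scan.
ADDING_RE = re.compile(
    r"^Adding (?P<proto>TCP|UDP) port (?P<port>\d+) \(state (?P<state>\w+)\)\.$")
# "135/tcp    open        loc-srv" style rows from the port table.
TABLE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)$")
OS_RE = re.compile(r"^Remote operating system guess: (?P<os>.+)$")


def parse_scan(text):
    """Parse either output style.

    Returns (open_ports, os_guess): open_ports maps (port, proto) to the
    service name from the table, or to None when the connect-scan style
    output carries no service column; os_guess is None if no -O line is present.
    """
    open_ports = {}
    os_guess = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ADDING_RE.match(line)
        if m:
            if m.group("state") == "open":
                open_ports[(int(m.group("port")), m.group("proto").lower())] = None
            continue
        m = TABLE_RE.match(line)
        if m:
            if m.group("state") == "open":
                open_ports[(int(m.group("port")), m.group("proto"))] = m.group("service")
            continue
        m = OS_RE.match(line)
        if m:
            os_guess = m.group("os")
    return open_ports, os_guess


# Hypothetical baseline (an assumption for this example): the listeners a
# Windows 2000 domain member on this network is expected to expose.
EXPECTED_LISTENERS = {
    (135, "tcp"),  # RPC endpoint mapper (loc-srv)
    (139, "tcp"),  # NetBIOS session service
    (445, "tcp"),  # SMB over TCP (microsoft-ds)
}


def unexpected_listeners(open_ports, expected=EXPECTED_LISTENERS):
    """Open ports not in the baseline, as (port, proto, service) sorted by port.

    Each entry is a listener the administrator must either justify and add to
    the baseline or shut down.
    """
    return sorted((port, proto, open_ports[(port, proto)])
                  for (port, proto) in open_ports
                  if (port, proto) not in expected)


if __name__ == "__main__":
    for label, output in (("connect scan", CONNECT_SCAN_OUTPUT),
                          ("-O scan", PORT_TABLE_OUTPUT)):
        ports, os_guess = parse_scan(output)
        print(f"{label}: {len(ports)} open ports, OS guess: {os_guess}")
        for port, proto, service in unexpected_listeners(ports):
            print(f"  review: {port}/{proto} {service or '(service unknown)'}")
```

Run against the sample output, the script flags 2301/tcp (compaqdiag) and 12345/tcp (NetBus) as listeners absent from the baseline; the three Windows services in the allowlist are reported only if they go missing from the baseline. Adjust EXPECTED_LISTENERS per host role rather than using one list for the whole network, so that a listener that is normal on a file server is still flagged on a workstation.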

Because NmapNT can perform widely assorted types of scans, it reveals specific network details that hackers can possibly use. If you know what a potential attacker sees on your network by using tools such as NmapNT, you’re better able to patch vulnerabilities.

The upshot
NmapNT can be an effective tool for finding windows through which attackers might enter your network. It’s easy to use, versatile, and offers many options for gathering valuable information. These features—along with the fact that it’s a free download—make NmapNT a worthwhile addition to your toolkit.



 
