Back in the old days of nobody much cared
(or often even knew!) what services were running on machines on the Internet.
In fact, supporting a lot of services was almost required given that mainframes
and large minicomputers were expensive and needed to pay for themselves every
second they were running, so runing lots of services
and squeezing every possible use out of a machine was imperitive.

In fact, back in the day when I was a systems
programmer at New York University’s Courant Institute, it was common to be able
to see all sorts of services open and available for public use on far-flung
machines all of over the Internet (well, truth be told, it was called the ARPAnet
back then — the same network protocols, different scale 🙂
.

In fact, it was common to actually look around for available services (such as
remote printers) by just poking around someone else’s network until you found
what you were looking for. Clearly, we’re living in a very different time.

The Internet as we know it today is a far cry from the almost
folksy-seeming ARPAnet of 20 years ago. Beyond the ubiquitiy of the Internet itself
is the incredible power of even the cheapest computer and the incredible number
of services that come with every O/S — and for the purposes of this discussion
— the incredible number of services that are turned on by default on those
computers.

These days, security is the name of the game: everywhere, in
every context and at all possible levels of hardware, operating system and
application. It’s estimated that for Windows XP machines that are put onto the
Internet unpatched, it can take less than 20 minutes
for the system to be attacked, compromised, and under control of some
not-very-nice people.. Ensuring your systems and your
applications are not exposed is a requirement for staying in business.

With all these “evil-doers” on the loose,
under every rock, one can’t be too careful!

The Tool

Today I’d like to introduce NMAP. NMap is
an application that is designed to probe systems at the network layer to
determine what services they’re exposing to the networks to which they’re
connected, and if possible to tell the user anything that is known about
vulnerabilities of those services or about the system itself.

NMap was origally
written for Unix type machines but can be compiled for
almost any currently available OS. It has principally a command line
application, but it ships with a GUI front end that will compile on most
platforms (screen shots are available in the NMap Image gallery).

It may not be obvious is you’re not a networking expert, but
every computer that has a TCP/IP protocol stack and even implementation of the
protocols that ride on top of it, such as FTP or SSH, can be identified by some
of the design choices that the programmers made when they wrote the software.
The ability to identify systems and services by their specific characterisistcs is called “fingerprinting” and
like its namesake in the physical world it allows experts to determine which
system is which in a networked environment.

Fingerprinting a TCP/IP stack for example may look at the
way sequence numbers are generated for TCP packets, or look at specific
features that are implemented in a the IP protocol, and in almost all cases the
results of this fingerprinting can identify what OS is being used on the system
without ever having to log in to it.

Higher level protocols occasionally have bugs that can be
exploited remotely through number of techniques, or they may have non-critical characteristcs that can be used to identify them. Some
protocols even, as part of their very desgn, give out
a lot of useful identifying information when you connect to them that will help
someone looking to break in. Sendmail mail servers
for example usually announce the OS it’s running on, the OS version along with
its own when a connection is make to port 25 on a machine running the server.

NMap’s mail goal is to sniff out
what services are running on a system, identify them and tell you if it knows
of any potential vulnerabilites in what it finds.

Putting NMap to the Test

First, a word to the wise:

NMap is a not a tool for
“hacking into networks,” it is an analysis tool.

However, in the age we live in, running an analysis
tool that can poke at machines on a network and get them to reveal their
potential vulnerabilities is not something to ever, ever do on a network that
your are not the owner of. In fact, in most juristictions
in the US such probing (or “doorknob-twisting” as its
referred to in security circles) is tantemount under
the law to attempted breaking and entering. In some countries tools like NMap are actually illegal (there’s a geat discussion to be had on the studpidy
of such laws, but that’s a topic for another venue). Suffice it to say, any time NMap is run it must
be done with the explicit consent of the network/system owners.

Okay, now that I’ve scared you… what can we do with NMap?

NMap has several modes of operation

  • TCP/UDP Probe Mode – most
    useful for finding running services and open ports
  • Host Sweep Mode – most
    useful for finding out what’s on a subnet and identifying O/S versions
  • SYN/FIN Probe Mode – most
    useful for finding well-known flaws in IP stacks

The most common use for NMap is
the first one — the TCP/UDP probe — using NMap in
this mode you can find any and all open ports on a general. This is useful
because it first and formost tells you what you
should be turning off to help secure your system(s). Secondly it can also so
you what ports are actaully enabled (i.e., have a
live network socket) but don’t seem to be running a known protocol. This can be
use to find out is someone is running some kind of stealth services on your
network. I once used this to catch a rougue employee
who had set up an illegal file sharing network (doh!!)
at a large bank I consulted for. Got me a nice pat on the back; got the
employee a trip to the unemployment line.

NMap’s second most common mode is
the ping sweep mode. This is a really useful too because it can allow you to
audit a network very quickly and find every device on the network. Hosts,
serves, routers, printers, you name it. Most network tools, like network
analyzers are passive — they wait for devices to talk, then
they can identify and enumerate them. NMap in this
mode pings an entire network and then figures out, using its fingerprinting
system — all the vital stats on the devices it finds. There are a few examples
of this in the screenshot gallery.

The last major mode allows you to probe devices to determine
if they’re vulnerable to fundamental flaws in their IP protocol implementations
having to do with the ability to compromise half-open network connections. A very esoteric way to break into system that’s beyond the scope of
this article.

Whether you’re using NMap from the
command line or through it’s GUI, there are a large
number of fine tunable options that allow you to modify the operations of the
scans. You can throw data at a port to see how a service responds, you can try
to overload a service to see if the underlying server can hadle
various loads, you can even narrow down the ports you’re testing to just a
select port of interest, or have NMap continuously
test all possible ports.

The Right Tool for the Right Job

NMap is a very powerful tool for
exploring networks and helping to secure systems and the services the deliver.
It can quickly identify not only every machine and devices on the network, but
what O/S it’s running, what services it is making available, and even what
ports are running but are not what they appear to be (for example, if someone
were runing a file-sharing system over the port
usually reserved for another service).

NMap it quite useful by itself,
but like many tools it has a whole ecosystem surrounding it that can enhance it’s utility. In the resouces section at the end of this article are a number of
add-ons and supporting tools that make NMap an even
more potent security analysis tool.

MNap is clearly the right tool for
ensuring that only the services you want on your network are actually there,
however, as indicated above, it’s also a tool whose use can be misconstrued because of the infomation
it can collect, so it needs to be used only in ways that 1) are with the
permission of the system owner(s) and 2) in ways that will not inflict any kind
of damage or denial of service to the system and networks it’s aimed at.

Resources

  • NMap Audit
    is a set of Perl scripts that will automate scans and generatniceley formatted reports detailing the results
  • Remote NMap
    is a client/server program that allows scans to be run from a centralized
    server
  • PHP
    NMap
    is a Web-based front end for the NMap scanner
  • Qpenmapfe
    is a version of NMap that can be run on Linux
    based hand-helds like the HP (Compaq) Ipaq or the Sharp Zaurus;
    this could be useful for running NMap against
    hosts on wireless networks to see what services are being presented
    “over the air” via their wireless interfaces.