A number of weeks ago, I provided and described a script that uses nmap to quickly scan a system or subnet for activity on a particular port. Useful for detecting, say, web servers or Oracle installations, the script runs very quickly and provides a useful table of host names, IP addresses and the name of the service being sought.
In this week's column, we look a little more deeply into nmap, what it can do for you and some of the scans that it can perform.
To begin, nmap is a tool that works from the outside. That is, it requires no usernames, passwords or authority to probe systems in order to uncover details about the system types, operating systems, how long the systems have been up and what services are running. You do need, however, to be logged in as root to the system from which you are launching your probe.
Nmap is capable of full port scans in which every conceivable port (from 1 to 65535) is probed for signs of a responsive process to highly targeted probes in which you only want to know whether a particular port is open on a particular system. In addition, nmap can do "discovery" in which it detects which IP addresses on a particular network are in use or it can assume that all addresses are in use and proceed with its scans as if that were the case.
Becoming adept at nmap port scanning is likely to take some time, simply because the tool has a wealth of options, some of which are intended to make your scans stealthy (unlikely to come to the attention of systems administrators and intrusion detection software). Clearly a tool designed to probe networks the same way that hackers do, nmap has been elevated to a tool that security-conscious good guys use on a routine basis and which a number of commercial products, such as Nessus and the eEye Retina scanner, either incorporate or provide as a plugin.
Nmap is available for Solaris, Linux and even Windows (now a well-supported option). It also boasts a graphical X Window front end called NmapFE (FE = "front end") that is bundled with most Linux distributions. Many nmap users, however, still use the command line exclusively. Nmap is distributed under the terms of the GNU General Public License (GPL).
Nmap can take seconds or hours to run depending on the kind of scan you are performing and the options you have selected. For example, you can slow down the rate at which nmap probes to make your scan less detectable or less disruptive, depending on your point of view.
Nmap's default scan and one of its more popular scanning options is the SYN scan, also referred to as "half-open scanning". A SYN packet (packet with the SYN flag set) is the packet that is initially sent to establish a TCP connection. In the normal sequence of TCP, this SYN is followed by a SYN/ACK (i.e., a packet with both flags set) and finally an ACK to acknowledge the establishment of the session. When nmap uses SYN packets to test ports, on the other hand, it doesn't complete the connection. Instead, it looks at the reply -- SYN/ACK if the port is listening and RST (reset) if no service is running on the port -- and doesn't need to take the connection request any further. If no response is received or an ICMP unreachable error occurs, the port is said to be "filtered". In other words, some device is disallowing access.
How well any particular scan will work for you will depend to a great extent on the security devices on your network. Firewalls and routers are in a development race with all variety of hacking tools (as well they should be!) and may slow down or defeat even some of your best intentioned probes. The "nmap -p $port -P0 -sT $subnet" scans work well for me on the networks I have scanned in pursuit of simplified software inventorying.
However, nmap also supports TCP FIN scans, a clandestine type of scan that might bypass firewalls and intrusion detection systems. Hackers use TCP FIN scans to identify listening TCP port numbers based on how the target device reacts to a transaction close request (even though no connection actually exists when the request is made). If the target's port is closed, it sends a TCP RST packet in reply. If it's open, the target device discards the FIN and sends no reply. That's all nmap needs to work -- some way to tell the difference between open and closed ports.
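The SYN and FIN exchanges described in the two paragraphs above, as an added example (not code from the column or from the nmap project): the target is a simulated host rather than a real TCP stack, and the listening and filtered port sets are constructed. The scanner side never sends the final ACK of the handshake, which is what makes the SYN scan "half-open". One caveat the column's FIN description leaves implicit is modelled here: silence after a FIN probe cannot be told apart from a firewall dropping the probe, so nmap itself reports that state as "open|filtered".

```python
"""Model of the SYN ("half-open") and FIN probe exchanges.

Added example, not from the column or from nmap: the target is a simulated
host, not a real network stack, and the port sets below are constructed.
"""
from typing import Dict, FrozenSet, Iterable, Optional

# Constructed sample target: two listening ports, one port silently dropped
# by a firewall in front of the host, everything else closed.
LISTENING: FrozenSet[int] = frozenset({22, 80})
FILTERED: FrozenSet[int] = frozenset({443})


def target_reply(flags: FrozenSet[str], port: int) -> Optional[str]:
    """Flags of the segment a standards-following host sends back.

    Returns None when nothing comes back, either because a filtering device
    dropped the probe or because the host deliberately stays silent.
    """
    if port in FILTERED:
        return None                       # firewall drops the probe; no reply
    if flags == frozenset({"SYN"}):       # connection request
        return "SYN/ACK" if port in LISTENING else "RST"
    if flags == frozenset({"FIN"}):       # close request with no connection
        # An open port discards the stray FIN; a closed port answers RST.
        return None if port in LISTENING else "RST"
    raise ValueError(f"unmodelled probe {sorted(flags)}")


def classify(scan: str, reply: Optional[str]) -> str:
    """Apply the column's decision rules to a reply (or its absence)."""
    if scan == "syn":
        if reply == "SYN/ACK":
            return "open"                 # scanner never sends the final ACK
        if reply == "RST":
            return "closed"
        return "filtered"                 # no reply (or, on a real network,
                                          # an ICMP unreachable error)
    if scan == "fin":
        if reply == "RST":
            return "closed"
        # Silence can mean open OR dropped by a filter, so nmap reports
        # this state as "open|filtered" rather than plain "open".
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def scan_ports(scan: str, ports: Iterable[int]) -> Dict[int, str]:
    """Probe each port once with the scan's probe and classify the reply."""
    probe = frozenset({"SYN"}) if scan == "syn" else frozenset({"FIN"})
    return {p: classify(scan, target_reply(probe, p)) for p in ports}


if __name__ == "__main__":
    for kind in ("syn", "fin"):
        print(kind, scan_ports(kind, [22, 25, 80, 443]))
```

Running the block shows the same listening port 80 reported as "open" by the SYN scan but only "open|filtered" by the FIN scan, while the firewalled port 443 is indistinguishable from it under the FIN scan.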
Most scans involve detecting open ports and then, based on the ports found open, assuming the service. For example, if port 80 is found open, the assumption would be that HTTP is running. If port 25 is open, on the other hand, SMTP would be assumed. As you are probably aware, however, the standard assignment of services to ports is not entirely reliable. Users and systems administrators alike may run services on unusual ports to make them less likely to be hacked or to get around firewall restrictions that might otherwise block access. Nmap can conduct a more thorough scan with version detection, employing a database of more than a thousand service signatures that allows it to identify many services regardless of what port they are using. In fact, one scan that I recently conducted provided me with a transcript of the response from the system and asked me, should I know what service was running on that port, to submit the signature presented for inclusion in the database.
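To turn a version-detection scan into the kind of host / IP / service table the column describes, and to spot services that are not where the standard port assignment would predict, here is an added example (not code from the column or from nmap) that parses nmap's "grepable" output format (the -oG option). The two "Host:" lines embedded below are constructed to look like -sV results and are not from a real scan; the addresses are from the documentation range 192.0.2.0/24.

```python
"""Parser for nmap grepable (-oG) output with service/version columns.

Added example, not from the column or from nmap. The sample output is
constructed; real -oG lines have the same tab-separated layout, with each
port entry laid out as port/state/proto/owner/service/rpcinfo/version/.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of -oG output. Note the SSH service on port 2222: with
# version detection nmap names the service from its banner, not the port.
SAMPLE_OG = """# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.test)\tPorts: 80/open/tcp//http//Apache httpd/, 443/open/tcp//ssl|https//Apache httpd/\tIgnored State: closed (998)
Host: 192.0.2.11 (db.example.test)\tPorts: 2222/open/tcp//ssh//OpenSSH/, 1521/open/tcp//oracle-tns//Oracle TNS listener/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""


@dataclass
class Finding:
    ip: str
    hostname: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_grepable(text: str) -> List[Finding]:
    """Return one Finding per port entry found in -oG text."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # comment and summary lines
        # Each tab-separated field is "Name: value".
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip, _, rest = fields["Host"].partition(" ")
        hostname = rest.strip("()")           # empty when no reverse DNS
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue                      # discovery-only line, no ports
            parts = entry.split("/")          # "/" inside versions is "|" in -oG
            findings.append(Finding(
                ip=ip, hostname=hostname, port=int(parts[0]),
                state=parts[1], proto=parts[2],
                service=parts[4], version=parts[6],
            ))
    return findings


def services_on_unusual_ports(findings: List[Finding],
                              expected: Dict[str, int]) -> List[Finding]:
    """Findings whose detected service is not on its conventional port."""
    return [f for f in findings
            if f.service in expected and f.port != expected[f.service]]


def as_table(findings: List[Finding]) -> str:
    """Plain-text host / IP / port / service / version table."""
    rows = [f"{f.hostname:<20} {f.ip:<15} {f.port:>5}/{f.proto} "
            f"{f.state:<6} {f.service:<12} {f.version}" for f in findings]
    return "\n".join(rows)


if __name__ == "__main__":
    found = parse_grepable(SAMPLE_OG)
    print(as_table(found))
    # Conventional port numbers for the services we care about (constructed list).
    for odd in services_on_unusual_ports(found, {"ssh": 22, "http": 80}):
        print(f"unusual: {odd.service} on {odd.ip}:{odd.port}")
```

A port-only scan would have listed 2222 as an unknown open port; with the version column present, the table names it as SSH and the second function flags it as off its conventional port.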
The primary use of nmap by system and network administrators is to detect vulnerabilities in their systems before the real hackers do. It's a very serious, very sophisticated tool that can teach you a lot about the vulnerabilities on your network and about the tricks that hackers use to gain access to other people's systems.
A detailed online reference guide along with downloadable source is available at http://insecure.org/nmap/. Solaris packages are available from sunfreeware sites.