Hack 42 Keep an Inventory of Your Network



Use Nmap to keep track of the devices and services on your network.

As we saw in [Hack #40] , Nmap (http://www.insecure.org/nmap/) is a free tool that can be used to conduct various sorts of scans on networks. Normally when people think of using Nmap, they assume it's used to conduct some sort of nefarious network reconnaissance in preparation for an attack. But as with all powerful tools, Nmap can be used for far more than breaking into networks.

For example, simple TCP connect scans can be conducted without needing root privileges:

$ nmap rigel

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-15 17:42 MST
Interesting ports on rigel (192.168.0.61):
(The 1595 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE
7/tcp     open   echo
9/tcp     open   discard
13/tcp    open   daytime
19/tcp    open   chargen
21/tcp    open   ftp
22/tcp    open   ssh
23/tcp    open   telnet
25/tcp    open   smtp
37/tcp    open   time
79/tcp    open   finger
111/tcp   open   rpcbind
512/tcp   open   exec
513/tcp   open   login
514/tcp   open   shell
587/tcp   open   submission
4045/tcp  open   lockd
7100/tcp  open   font-service
32771/tcp open   sometimes-rpc5
32772/tcp open   sometimes-rpc7
32773/tcp open   sometimes-rpc9
32774/tcp open   sometimes-rpc11
32775/tcp open   sometimes-rpc13
32776/tcp open   sometimes-rpc15
32777/tcp open   sometimes-rpc17

Nmap run completed -- 1 IP address (1 host up) scanned in 75.992 seconds

This is tremendously useful for checking on the state of your own machines. From the port list alone (rpcbind, lockd on 4045, the font server on 7100, and the block of sometimes-rpc ports starting at 32771) you could probably guess that this scan was performed on a Solaris machine, and one that needs to have some services disabled at that: echo, chargen, telnet, finger, and the rlogin family (exec, login, shell) have no business listening on a modern host.

Nmap can also scan ranges of IP addresses by specifying the range or using CIDR notation:

nmap 192.168.0.1-254
nmap 192.168.0.0/24

Nmap can provide much more information if it is run as root. When run as root, it can send specially crafted packets and compare the responses against its fingerprint database to guess the operating system of the remote machine, using the -O flag. Additionally, you can do half-open (SYN) scanning by using the -sS flag. When doing a half-open scan, Nmap sends a SYN packet to the remote port and waits for the reply: a SYN/ACK means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable) means it is filtered. In a normal three-way handshake the client would answer the server's SYN/ACK with an ACK of its own, completing the connection; Nmap instead tears the half-open connection down with a RST. Because the connection is never fully established, the listening application never sees it and usually does not log it, which is why attackers favor this option. Packet filters and intrusion detection systems that watch the wire still see the SYN packets, so a half-open scan is quieter, not invisible.

Try it out for yourself:

# nmap -sS -O rigel

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on rigel.nnc (192.168.0.61):
(The 1578 ports scanned but not shown below are in state: filtered)
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
19/tcp     open        chargen
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
37/tcp     open        time
79/tcp     open        finger
111/tcp    open        sunrpc
512/tcp    open        exec
513/tcp    open        login
514/tcp    open        shell
587/tcp    open        submission
7100/tcp   open        font-service
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
32775/tcp  open        sometimes-rpc13
32776/tcp  open        sometimes-rpc15
32777/tcp  open        sometimes-rpc17

Remote operating system guess: Solaris 9 Beta through Release on SPARC
Uptime 44.051 days (since Sat Nov  1 16:41:50 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 166 seconds

With OS detection enabled, Nmap's fingerprint guess agrees that the operating system is Solaris, and it tells you more: probably Version 9, running on a SPARC processor. Treat it as the guess it is; fingerprints are matched against a database, and a firewall or an unusual TCP/IP stack in the path can throw the match off.

One powerful feature that can be used to help keep track of your network is Nmap's XML output capabilities. This is activated by using the -oX command-line switch:

# nmap -sS -O -oX scandata.xml rigel

This is especially useful when scanning a range of IP addresses or your whole network, because you can put all the information gathered from the scan into a single XML file that can be parsed and inserted into a database. Here's what an XML entry for an open port looks like (the hosts are listed under the top-level nmaprun element, each with its address and a ports element containing entries like this one):

<port protocol="tcp" portid="22">
  <state state="open" />
  <service name="ssh" method="table" conf="3" />
</port>

Nmap is a powerful tool. By using its XML output capabilities, a little bit of scripting, and a database, you can create an even more powerful tool that can monitor your network for unauthorized services and machines.
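The scripting-plus-database step the paragraph above describes, as an added example that is not code from the book: parse two -oX files into an inventory table in SQLite and report hosts and services that appeared or vanished between scans. The two XML documents are constructed samples that follow the element layout of real nmap -oX output (nmaprun > host > status/address/ports > port > state/service); the addresses, scan ids and the services table name are assumptions for illustration.

```python
"""Turn nmap -oX output into an inventory database and diff two scans.

Added example for this hack, not code from the book. Both XML documents are
constructed samples in the layout of real nmap -oX output; addresses, scan
ids and the table name are assumptions.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed baseline: what the network looked like on the last inventory run.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX baseline.xml 192.168.0.0/24">
  <host><status state="up"/>
    <address addr="192.168.0.61" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed follow-up: telnet appeared on .61, .100 swapped http for https,
# and an unregistered machine (.200) turned up running a SOCKS proxy.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX current.xml 192.168.0.0/24">
  <host><status state="up"/>
    <address addr="192.168.0.61" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" method="table" conf="3"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.200" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc" method="table" conf="3"/></port>
      <port protocol="tcp" portid="1080"><state state="open"/><service name="socks" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {(addr, proto, port): service_name} for every open port on every host that is up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not inventory
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            inventory[(addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))] = name
    return inventory


def store_scan(conn, scan_id, inventory):
    """Insert one parsed scan into the services table, tagged with scan_id."""
    conn.execute("CREATE TABLE IF NOT EXISTS services "
                 "(scan_id TEXT, addr TEXT, proto TEXT, port INTEGER, service TEXT)")
    conn.executemany("INSERT INTO services VALUES (?, ?, ?, ?, ?)",
                     [(scan_id, a, p, n, s) for (a, p, n), s in inventory.items()])
    conn.commit()


def diff_scans(conn, old_id, new_id):
    """Return (new_hosts, appeared, vanished); services are (addr, proto, port, name)
    tuples keyed on addr/proto/port, and a host is known only by its open services."""
    svc_q = """SELECT n.addr, n.proto, n.port, n.service FROM services n
               WHERE n.scan_id = ? AND NOT EXISTS (
                   SELECT 1 FROM services o WHERE o.scan_id = ?
                     AND o.addr = n.addr AND o.proto = n.proto AND o.port = n.port)
               ORDER BY n.addr, n.proto, n.port"""
    host_q = """SELECT DISTINCT addr FROM services WHERE scan_id = ?
                AND addr NOT IN (SELECT addr FROM services WHERE scan_id = ?)
                ORDER BY addr"""
    new_hosts = [row[0] for row in conn.execute(host_q, (new_id, old_id))]
    appeared = conn.execute(svc_q, (new_id, old_id)).fetchall()
    vanished = conn.execute(svc_q, (old_id, new_id)).fetchall()
    return new_hosts, appeared, vanished


def run_inventory_check(baseline_xml=BASELINE_XML, current_xml=CURRENT_XML):
    """Load both scans into an in-memory database and diff them."""
    conn = sqlite3.connect(":memory:")
    store_scan(conn, "baseline", parse_nmap_xml(baseline_xml))
    store_scan(conn, "current", parse_nmap_xml(current_xml))
    result = diff_scans(conn, "baseline", "current")
    conn.close()
    return result


if __name__ == "__main__":
    hosts, appeared, vanished = run_inventory_check()
    for addr in hosts:
        print(f"NEW HOST     {addr}")
    for addr, proto, port, name in appeared:
        print(f"NEW SERVICE  {addr} {port}/{proto} ({name})")
    for addr, proto, port, name in vanished:
        print(f"GONE SERVICE {addr} {port}/{proto} ({name})")
```

In production you would point parse_nmap_xml at the file written by -oX, keep the database on disk so each run is compared with the last one, and alert on the NEW HOST and NEW SERVICE lines. Note that only open ports are stored, so a host that is up but has nothing listening does not appear in the diff; if that matters to you, record the host element separately from its ports.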



Network Security Hacks
Network Security Hacks: Tips & Tools for Protecting Your Privacy
ISBN: 0596527632
Year: 2006
Pages: 158
