Network Surveys with NMAP | Maximum Mac OS X Security

Although sniffing is often an effective means of gathering information about (and from) machines on a network, it is easily detectable when using ARP poisoning ; with passive eavesdropping, it is easy to defeat it by using a switched network. Sniffing is also limited to machines located along the path of the communication: A machine in California, for example, cannot sniff a machine in Ohio unless the Ohio traffic is being routed through the California network.

For remote information gathering, most attackers rely on portscanning. A portscan is simply a report of the open ports on a remote machine. For example, this is a portscan of a remote mail server:

 #  /usr/local/bin/nmap -sS -O mailserver.ag.ohio-state.edu  Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on mailserver.ag.ohio-state.edu (10.0.1.99): (The 1583 ports scanned but not shown below are in state: closed) Port       State       Service 22/tcp     open        ssh 25/tcp     open        smtp 80/tcp     open        http 106/tcp    open        pop3pw 110/tcp    open        pop-3 143/tcp    open        imap2 497/tcp    open        dantz 548/tcp    open        afpovertcp 9100/tcp   open        jetdirect Remote operating system guess: Mac OS X 10.1 - 10.1.4 Uptime 26.951 days (since Mon Nov 18 11:30:09 2002)

Not only are the open services displayed, but information about the operating system version and system status. There are a number of ways to determine what ports are open on a machine, the most obvious being to create and then tear down a connection to a remote machine (a "TCP Connect" scan). This is the approach that is taken by Apple's portscan tool within the Network Utility application (also accessible from the command line as /Applications/Utilities/Network Utility.app/Contents/Resources/stroke <address> <start port> <end port> ).

The trouble with this approach is that the connection, because it is complete, is easily logged and tracked by the operating system. For a remote attacker that wants to catalog the computing inventory of an entire university, attempting a TCP connect scan will very quickly lead to its discovery.

Rather than taking this direct (and detectable) route, attackers employ a variety of "stealth" scans that do not carry out the process of setting up a complete connection. Instead they typically send a packet to begin setting up a connection, wait to see the response, then drop the connection attempt. For example, the SYN stealth scan " knows " that a SYN packet sent to a given port is required by RFC 793 (http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc0793.html) to respond with a SYN, ACK, or RST packet. If an RST is received, the port is closed, whereas SYN or ACK indicate an open port. This sequence takes place low enough in the TCP/IP stack that it is not logged on many machines, and is not made available to intrusion detection software that simply watches for connections.

The "cream" of the portscanning crop is NMAP ”a program designed to be the ultimate remote reconnaissance tool. NMAP supports more than 10 unique scans, including an "idle" scan that does not require any packets to be sent between the scanner and the scannee. A nice introduction to NMAP scanning can be found at http://www.insecure.org/nmap/lamont-nmap-guide.txt.

In addition to simply scanning a remote host, NMAP also makes it possible to scan entire subnets, hide behind decoys, and fingerprint remote operating systems. After a scan is completed, an attacker can simply take the NMAP output (including operating systems and versions) and cross-reference it with available exploits, creating his or her own personal guide to chaos. For the administrator, however, NMAP can provide a list of machines that need attention ”either to be locked down or upgraded to a later version of the operating system.

NOTE

Before you say, "But shouldn't the administrator already know what's on the network?" consider that many universities and companies have employees that bring their own personal computers to work, or carry laptops back and forth from home. Unless networkwide authentication is in place, it is virtually impossible to fully control the computing environment of a large institution.

HOW CAN I DETECT A PORTSCAN?

So, should NMAP be taken as a risk? Consider the comments of John Green, U.S. Naval Surface Warfare Center, http://www.sans.org/resources/idfaq/what_is_nmap.php:

"The intelligence that can be garnered by using NMAP is extensive . It provides all the information that is needed for a well-informed, full-fledged, precisely targeted assault on a network. Such an attack would have a high probability of success, and would likely go unnoticed by organizations that lack intrusion detection capabilities."

Thankfully, most stealth portscans can be detected and blocked by intrusion detection software (see Chapter 18) or simply defeated by a firewall (see Chapter 17).

Remember that a portscan is an information- gathering device, not an exploit in and of itself. If your operating system and software is secured, an attacker will still not be able to gain access to the system.

Installing NMAP

To install NMAP, download the latest release from http://download.insecure.org/nmap/dist/, then unarchive , and enter the NMAP distribution directory:

 %  curl -O http://download.insecure.org/nmap/dist/nmap-3.00.tgz  %  tar zxf nmap-3.00.tgz   % cd nmap-3.00

Next , configure the source with configure --mandir=/usr/share/man :

 %  ./configure --mandir=/usr/share/man  checking for gcc... gcc checking for C compiler default output... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking build system type... powerpc-apple-darwin6.2 checking host system type... powerpc-apple-darwin6.2 ...

Finally, compile and install the software with make followed by make install :

 %  make  Compiling libnbase cd nbase; make gcc -g -O2 -Wall  -g   -DHAVE_CONFIG_H -DNCRACK_VERSION=\"\" -DHAVE_CONFIG_H=1    -c -o snprintf.o snprintf.c gcc -g -O2 -Wall  -g   -DHAVE_CONFIG_H -DNCRACK_VERSION=\"\" -DHAVE_CONFIG_H=1    -c -o getopt.o getopt.c Compiling libnbase rm -f libnbase.a ar cr libnbase.a snprintf.o getopt.o getopt1.o nbase_str.o nbase_misc.o ranlib libnbase.a ... #  make install  Compiling libnbase cd nbase; make make[1]: Nothing to be done for `all'. ./shtool mkdir -f -p -m 755 /usr/local/bin /usr/share/man/man1 /usr/local/share/nmap /usr/local/share/gnome/apps/Utilities ./shtool install  -c -m 755 nmap /usr/local/bin/nmap If the next command fails -- you cannot use the X front end test -f nmapfe/nmapfe && ./shtool install  -c -m 755 nmapfe/nmapfe /usr/local/bin/nmapfe && ./shtool mkln -f -s /usr/local/bin/nmapfe /usr/local/bin/xnmap && ./shtool install  -c -m 644 nmapfe.desktop make: [install] Error 1 (ignored) ./shtool install  -c -m 644 docs/nmap.1 /usr/share/man/man1/nmap.1 ./shtool install  -c -m 644 nmap-services  /usr/local/share/nmap/nmap-services ./shtool install  -c -m 644 nmap-protocols  /usr/local/share/nmap/nmap-protocols ./shtool install  -c -m 644 nmap-rpc  /usr/local/share/nmap/nmap-rpc

TIP

If you'd rather not compile NMAP by hand, it is available as part of the Fink project for easy installation. See http://fink. sourceforge .net/index.php for details.

Using NMAP

The NMAP syntax is nmap [scan type] [options] [ hosts or networks ] . Table 7.6 contains the most common and useful of the NMAP scan types and options. For a lengthy insight into the different scan types, read the NMAP man page.

Table 7.6. Basic NMAP Options

Option	Purpose
`-sS`	TCP SYN stealth port scan (default if root).
`-sT`	TCP connect scan (default if unprivileged , that is, not root).
`-sU`	UDP port scan
`-sP`	Ping scan.
`-sF`	Stealth FIN scan.
`-sX`	Stealth Xmas scan.
`-sN`	Stealth Null scan.
`-sR`	RPC scan.
`-sA`	ACK scan.
`-sW`	Window scan.
`-sL`	List scan.
`-I`	Identd scan (identify the user owning the remote process).
`-Q`	Use TCP/IP fingerprinting to identify operating system.
`-p` `<port list>`	A port or range of ports specified in the format - `<start>-<end>,<port>,<port>,...` .
`-F`	Only scan ports listed in NMAP's `nmap-services` file.
`-v`	Increase verbosity of output. Can be used twice for maximum output.
`-P0`	Don't ping hosts.
`-D` `<decoy host>,<decoy host>,...`	Use spoofed decoys to make the scan appear to come from multiple different machines.
`-T` `<ParanoidSneakyPoliteNormalAggressiveInsane>`	Set the timing policy. Paranoid scans are slow and difficult for intrusion detection systems to detect, whereas the opposite end of the spectrum ”Insane scans ”happen as quickly as possible and may even lose data.
`-n`	Never perform DNS resolution.
`-R`	Always perform DNS resolution.
`-oN` `<filename->`	Output normal logfile or use `-` to output to standard out.
`-oX` `<filename->`	Output XML logfile or use `-` to output to standard out.
`-oG` `<filename->`	Output greppable (searchable) logfile or use `-` to output to standard out.
`-oS` `<filename->`	Output the results in "Script Kiddie" format. Amusing!
`-iL` `<filename->`	Read target list from the named file, or use `-` to read the target list from standard in.
`-e`	Specify network interface.
`--interactive`	Enter interactive mode.

For example, to perform a simple stealth scan with fingerprinting on the host www.atestdomain.com, one could use /usr/local/bin/nmap -sS -O www.atestdomain.com:

 #  /usr/local/bin/nmap -sS -O www.atestdomain.com  Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on www.atestdomain.com (20.0.1.99): (The 1594 ports scanned but not shown below are in state: closed) Port       State       Service 21/tcp     open        ftp 22/tcp     open        ssh 80/tcp     open        http 427/tcp    open        svrloc 497/tcp    open        dantz 548/tcp    open        afpovertcp 3306/tcp   open        mysql Remote operating system guess: Mac OS X 10.1 - 10.1.4 Uptime 32.086 days (since Wed Nov 13 09:49:51 2002)

More useful is the ability to map an entire network. This can be done by specifying ranges in IP addresses (10.0.1.1-100, 10.0.1-10.* or IP address/network mask). The notations 10.0.1.* , 10.0.1.1-255 , and 10.0.1.0/24 , for example, are three identical ways of describing a class C subnet 10.0.1.x . Coupling a network scan with a handful of spoofed decoys can be an effective means of mapping a network and confusing intrusion detection systems along the way.

For example,

 #  /usr/local/bin/nmap -sS -D 192.168.0.5,192.168.0.6,10.0.1.99, -O 10.0.1.0/24

would create a map of all device services on the subnet 10.0.1.0/24 , including an OS fingerprint, and would spoof scans coming from the machines 192.168.0.5 , 192.168.0.6 , and 10.0.1.99 to help cover one's tracks.

CAUTION

The spoofed decoys are used in addition to the machine originating the scan. Because packets need to return to the scanner for it to analyze the data, the decoys serve only to muddy the water for remote intrusion detection systems and logs. They do not fully cover your scan.

NMAP offers two interfaces to its operation: the command-line interface you've seen, and an interactive mode that is accessible when you start nmap with the --interactive flag. If you'd prefer a more "GUI" approach to your scanning, check out NMAP v.X (http://nmap-v-x.sourceforge.net/) and NmapFE (http://faktory.org/m/software/nmap/). Both utilities wrap the Aqua GUI around the NMAP command-line software.

Top