15.3 The nmap Network Mapper

The nmap program is a network mapper that scans (or maps) your network, finding which IP addresses have machines and which ports on those machines have services. Besides being run from inside your network to find vulnerabilities to inside attacks, nmap should also be run from an unrelated network on the Internet to see how well your firewall is working; this is discussed in "Penetration Testing" on page 589. Nmap also offers "OS fingerprinting," which attempts to identify the machine, the type of operating system, and the version of the operating system on each machine. It does this by sending a sequence of unusual IP packets and noting the responses. Often, there are subtle differences in how these behave, and nmap has a large database of these signatures.

Fingerprinting is enabled with the -O option. This is very valuable, both for finding systems running obsolete and insecure versions of operating systems and for convincing management (and yourself) that the firewall is not configured correctly. Note that having your firewall block outgoing ICMP packets (except, possibly, pings) is an effective block to nmap's -O and many other cracker tools that try to determine operating systems.

Beware that nmap can crash operating systems with weak stacks. While the various fragmentation and corrupt-TCP-packet attacks are especially good at this, I repeatedly crashed an ordinary Red Hat 7.3 system on new hardware with -sS and -sU with -T Aggressive, relatively benign scans.


Additionally, nmap offers nmapfe, a nice, very easy-to-use GUI front end. Some of nmap's functionality also is found in Nessus and SARA. Its stealth scanning capability may be of less interest to SysAdmins than to crackers. The nmap program also is useful to Tiger teams and for Fire drills, discussed in "Break into Your Own System with Tiger Teams" on page 588 and in "Fire Drills" on page 582. The site is at

www.insecure.org/nmap/

RPM-capable sites may download and install in one easy step via the following commands. Version 2.99RC2 is on the CD-ROM, in the net directory, including a source tarball and source and binary RPMs. This version is essentially identical to the 3.00 version.

 
 rpm -vhU /mount/cdrom/net/nmap-2.99RC2.i386.rpm
 rpm -vhU /mount/cdrom/net/nmap-frontend-2.99RC2.i386.rpm

The source may be extracted via

 
 tar -zxvf /mount/cdrom/net/nmap-2.99RC2.tgz 

It may be built and installed from the source tarball with the following commands.

 
 cd nmap-*/
 ./configure
 make
 su root
 make install

It works on Linux and most UNIX versions and is installed in /usr/local/bin by default. While root privilege is not required, many of its most powerful features require root in order to construct raw packets. Thus, running as root is recommended. The nmap program has lots of flags to control its many features. It can probe in many different ways. Many of these are stealthy probes and some are designed to get past firewalls. These are of interest to SysAdmins for the obvious use of testing the quality of firewall techniques. This is highly recommended; the crackers will be doing this to your network.

The -sx flag directs nmap to use scan technique x. Use -sT for a standard TCP connect; it will be detected easily by any service that logs connections. The -sS flag does a SYN or half-open scan, which can be detected only by some firewall software but not by ordinary services. The Courtney and PortSentry Intrusion Detection Systems will detect these. Any of -sF, -sX, or -sN will do very stealthy scans. However, they will not work against the Windows, BSDI, HP/UX, MVS, IRIX, and Cisco platforms. It is not clear whether this is due to bugs in them or to deliberate decisions in these platforms to ignore the TCP specification in order to block detection.

The following scans will map out Pentacorp, a class-C network, reasonably thoroughly, using pings, stealth TCP packets, and UDP packets:

 
 nmap -sP -T Aggressive www.pentacorp.com/24
 nmap -sS -F -P0 -O -T Aggressive www.pentacorp.com/24
 nmap -sU -F -P0 -O -T Aggressive www.pentacorp.com/24


The -sP option simply pings the listed systems to see which IP addresses have systems on them. Normally, this ping test is done first, before any port scan, so this flag is useful if you want to do only the ping scan:

 
 nmap -sP -T Aggressive network/mask 

To suppress this initial test for pingability before doing other tests, include -P0.

The -sU flag will scan all UDP ports for services. Because UDP addresses can be spoofed easily and many well-known UDP services have security problems, this can be useful for finding vulnerabilities in your network. Note that recent Linux kernels and some UNIX platforms implement the suggestion in section 4.3.2.8 of RFC 1812[1] to limit the rate of ICMP error messages in order to slow this detection down to scanning two ports per second. (This deliberate slowdown by the Linux kernel is to limit scanning by crackers and DoS attacks as well. Windows does not implement this slowdown.)

[1] RFC 1812 is available at www.faqs.org/rfcs/rfc1812.html

The -b ftp_relay_host scan will test FTP servers for a serious vulnerability. This vulnerability is the FTP server's willingness to relay FTP requests to another system. It allows evilhackerguild.org to request that ftp.pentacorp.com request data to be sent to or received from any system that it can get to, either on the Internet or behind the corporate firewall.

Crackers use this vulnerability as a means for two attacks. One is to send e-mail, make postings, and send other data anonymously (because it will originate from the FTP server's system). No 7.x or later distribution of Linux should be vulnerable to this, but some recent Windows systems may be, thus endangering the entire network. The other attack is to communicate with other systems behind a firewall that the FTP server is allowed to access. This type of attack is one of the many problems that are solved by having your anonymous FTP server isolated on the DMZ (see "Firewalls with IP Chains and DMZ" on page 514).

The -I flag will determine which user each TCP service is running as. This helps detect those services running as root that should not be (e.g., http) and will show if multiple services are running as the same user. This latter association is one way a cracker can break an insecure service and then attack the secure service. The -v flag will turn on verbose mode and may be doubled for more verbosity. The -h flag generates a help message.

The -p port_range flag is used to specify what ranges of ports to scan. In this scan, a dash specifies a range, a comma specifies a list. To scan privileged ports, NFS, X, and ports starting at 60000, use

 
 -p  0-1023,2049,6000-6100,60000- 
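
As an added example that is not part of the book, here is a small Python parser for the -p syntax just described. It expands a specification such as the one above into port ranges, so that the scope of a planned scan can be checked (for example, against the range you are authorised to scan) before nmap is run. It handles single ports, closed ranges, and open-ended ranges such as 60000- (to 65535) or -1023 (from 0); the function names and the scope check are this example's own.

```python
# Added example (not from the book): parse nmap's -p port_range syntax.
import re

MAX_PORT = 65535
# one item of a comma-separated spec: "N", "N-M", "N-" or "-M" (a bare "-" means all)
ITEM_RE = re.compile(r"(\d*)-(\d*)|(\d+)")


def merge_ranges(ranges):
    """Merge overlapping or adjacent (lo, hi) ranges so counts are not inflated."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_port_spec(spec):
    """Expand a -p specification into a sorted list of disjoint (lo, hi) ranges.

    Raises ValueError for malformed items, reversed ranges or ports above 65535.
    """
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        m = ITEM_RE.fullmatch(item)
        if not m:
            raise ValueError("bad port item: %r" % item)
        if m.group(3) is not None:            # single port
            lo = hi = int(m.group(3))
        else:                                 # range, either end may be open
            lo = int(m.group(1)) if m.group(1) else 0
            hi = int(m.group(2)) if m.group(2) else MAX_PORT
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError("port range out of order or out of bounds: %r" % item)
        ranges.append((lo, hi))
    return merge_ranges(ranges)


def port_count(ranges):
    """Number of distinct ports covered by the parsed ranges."""
    return sum(hi - lo + 1 for lo, hi in ranges)


def port_in_spec(port, ranges):
    """True if the given port would be scanned."""
    return any(lo <= port <= hi for lo, hi in ranges)


def within_scope(requested, allowed):
    """True if every requested range lies inside some allowed range (both parsed)."""
    return all(any(alo <= lo and hi <= ahi for alo, ahi in allowed)
               for lo, hi in requested)


if __name__ == "__main__":
    spec = "0-1023,2049,6000-6100,60000-"      # the example from the text
    ranges = parse_port_spec(spec)
    print(spec, "->", ranges, "(%d ports)" % port_count(ranges))
    print("port 2049 scanned:", port_in_spec(2049, ranges))
    print("inside 0-1023 only:", within_scope(ranges, parse_port_spec("0-1023")))
```

The scope check is the useful part for a SysAdmin: a scan spec is parsed once, compared against the allowed ranges, and rejected before any packet is sent if it reaches outside them.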

Commonly, you may want to attack just a few ports having common servers of a certain type. For example, you can see who is running a Web server and on what version of what operating system each is running in the 192.168.0.0 class-B network with:

 
 nmap -P0 -sS -O -p 80,443,999 -T Aggressive 192.168.0.0/16 

Use -F to scan only ports listed in nmap's services file that lists popular ports. Unless you are looking for Trojans, vulnerable IP Masquerading ports, or client-side ports, hitting these 1000 or so ports instead of all 65535 makes sense.

The following command will scan all reserved ports of pentacorp.com with verbosity. This host is running Red Hat 6.0 with a standard install and is not tuned for security.

 
 nmap -v ancient.pentacorp.com 

Its initial message tells what it is doing and offers advice, given in response to the -v flag.

 
 Starting nmap V. 3.00 by fyodor@insecure.org ( www.insecure.org/nmap/ )
 No tcp,udp, or ICMP scantype specified, assuming vanilla tcpconnect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
 Machine 192.168.57.8 MIGHT actually be listening on probe port 80
 Host pentacorp.com (192.168.57.8) appears to be up ... good.
 Initiating TCP connect() scan against pentacorp.com (192.168.57.8)

Next, it reveals the open ports. Note the speed of this scan, done by a slow system on a 10Mbaud network. The following is an example of the verbose output triggered by the -v flag.

 
 Adding TCP port 514  (state open).
 Adding TCP port 515  (state open).
 Adding TCP port 6000 (state open).
 Adding TCP port 80   (state open).
 Adding TCP port 21   (state open).
 Adding TCP port 79   (state open).
 Adding TCP port 23   (state open).
 Adding TCP port 113  (state open).
 Adding TCP port 513  (state open).
 Adding TCP port 98   (state open).
 Adding TCP port 25   (state open).
 The TCP connect scan took 1 second to scan 1520 ports.

It then reveals the open TCP ports. How many insecure services can you spot?

 
 Interesting ports on pentacorp.com (192.168.57.8):
 (The 1509 ports scanned but not shown below are in state: closed)
 Port       State       Service
 21/tcp     open        ftp
 23/tcp     open        telnet
 25/tcp     open        smtp
 79/tcp     open        finger
 80/tcp     open        http
 98/tcp     open        linuxconf
 113/tcp    open        auth
 513/tcp    open        login
 514/tcp    open        shell
 515/tcp    open        printer
 6000/tcp   open        X11

Launch a stealthy scan of the Pentacorp class-C network for FTP, telnet, imap, pop3, and http by using the following command.

 
 nmap -sF -p 21,23,143,220,110,80 pentacorp.com/24 

Launch an FTP "bounce" scan on research.pentacorp.com from ftp.pentacorp.com.

 
 nmap -b research.pentacorp.com ftp.pentacorp.com 

This takes several minutes to run. The startup messages appear below.

 

 Starting nmap V. 3.00 by fyodor@insecure.org ( www.insecure.org/nmap/ )
 Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan
 Interesting ports on research.pentacorp.com (192.168.59.5):
 (The 1509 ports scanned but not shown below are in state: closed)

After a few minutes, the nmap analysis of research.pentacorp.com (behind the Pentacorp firewall) is provided.

 
 Port       State       Service
 21/tcp     open        ftp
 23/tcp     open        telnet
 25/tcp     open        smtp
 79/tcp     open        finger
 80/tcp     open        http
 98/tcp     open        linuxconf
 113/tcp    open        auth
 513/tcp    open        login
 514/tcp    open        shell
 515/tcp    open        printer
 6000/tcp   open        X11
 nmap run completed -- 1 IP address (1 host up) scanned in 151 seconds

If the FTP server is configured to log commands, then all that will be seen from this attack is the following. Note that three commands were issued within one second. This is a signature, but nmap can be configured to issue commands slowly to avoid detection. A better signature is the repeated issuing of the LIST and PORT commands.

 
 May 24 09:56:56 research.pentacorp.com ftpd[17672]: LIST
 May 24 09:56:57 research.pentacorp.com ftpd[17672]: PORT
 May 24 09:56:57 research.pentacorp.com ftpd[17672]: LIST
 May 24 09:56:57 research.pentacorp.com ftpd[17672]: PORT

This logging may be enabled with -L on the ftpd line of /etc/inetd.conf or, if -a was specified, by adding the following line to /etc/ftpaccess. By default, wu.ftpd logs these commands directly to /var/log/daemon.

 
 log commands anonymous,guest,real 
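
The two signatures described above (a burst of commands within one second, and repeated alternation of PORT and LIST) can be checked mechanically against the command log once it is enabled. The following Python script is an added example and is not part of the book. Its sample input is the four log lines shown above plus one constructed benign session (ftpd[17700]); the log-line format it parses, the thresholds, and the function names are this example's assumptions.

```python
# Added example (not from the book): look for the FTP bounce-scan signature
# in wu-ftpd command logs.  Sample: the four lines from the text plus one
# constructed benign session (pid 17700).
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
May 24 09:56:56 research.pentacorp.com ftpd[17672]: LIST
May 24 09:56:57 research.pentacorp.com ftpd[17672]: PORT
May 24 09:56:57 research.pentacorp.com ftpd[17672]: LIST
May 24 09:56:57 research.pentacorp.com ftpd[17672]: PORT
May 24 10:02:10 research.pentacorp.com ftpd[17700]: PORT
May 24 10:02:11 research.pentacorp.com ftpd[17700]: RETR
May 24 10:02:30 research.pentacorp.com ftpd[17700]: QUIT
"""

# syslog-style line: "Mon DD HH:MM:SS host ftpd[pid]: COMMAND"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ftpd\[(?P<pid>\d+)\]: (?P<cmd>\S+)"
)


def parse_ftpd_log(text):
    """Yield (timestamp, host, pid, command); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime fills in 1900, which is good
        # enough for ordering commands within one day (this example's assumption).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("host"), int(m.group("pid")), m.group("cmd").upper()


def find_bounce_sessions(text, burst_window=1.0, burst_min=3, min_alternations=3):
    """Return {(host, pid): [reasons]} for ftpd sessions matching the signature.

    Two checks per session (one ftpd process = one control connection):
      * "burst": at least burst_min commands within burst_window seconds.  Weak,
        since the text notes nmap can be made to issue commands slowly.
      * "port-list-alternation": at least min_alternations adjacent PORT/LIST
        command pairs, the per-port probe pattern a bounce scan repeats.
    """
    sessions = defaultdict(list)
    for ts, host, pid, cmd in parse_ftpd_log(text):
        sessions[(host, pid)].append((ts, cmd))

    hits = {}
    for key, events in sessions.items():
        events.sort(key=lambda e: e[0])       # stable: keeps log order within a second
        reasons = []
        for i in range(len(events)):
            j = i
            while (j + 1 < len(events)
                   and (events[j + 1][0] - events[i][0]).total_seconds() <= burst_window):
                j += 1
            if j - i + 1 >= burst_min:
                reasons.append("burst")
                break
        alternations = sum(1 for a, b in zip(events, events[1:])
                           if {a[1], b[1]} == {"PORT", "LIST"})
        if alternations >= min_alternations:
            reasons.append("port-list-alternation")
        if reasons:
            hits[key] = reasons
    return hits


if __name__ == "__main__":
    for (host, pid), reasons in find_bounce_sessions(SAMPLE_LOG).items():
        print("%s ftpd[%d]: %s" % (host, pid, ", ".join(reasons)))
```

A user listing directories in active mode also produces PORT/LIST pairs, so the alternation threshold should be raised well above the three used here for the tiny sample; a real bounce scan of a port range produces one pair per port probed, which stands out clearly.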

To see what users the services on a machine run as, issue the following command.

 
 nmap -I www.pentacorp.com 

The results follow.

 
 Port       State       Service                 Owner
 21/tcp     open        ftp                     root
 23/tcp     open        telnet                  root
 25/tcp     open        smtp                    root
 79/tcp     open        finger                  root
 80/tcp     open        http                    nobody
 98/tcp     open        linuxconf               root
 113/tcp    open        auth                    root
 513/tcp    open        login                   root
 514/tcp    open        shell                   root
 515/tcp    open        printer                 root
 6000/tcp   open        X11                     dostoyev
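
The port tables nmap prints, with or without the Owner column added by -I, are easy to triage mechanically for the three things the text points at: cleartext or legacy services, services running as root that need not, and users shared by several services. The Python script below is an added example, not part of the book; its sample input is the -I output shown above, and the list of services it treats as cleartext or legacy, the set of services that should not run as root (only http, the chapter's own example), and the function names are this example's assumptions.

```python
# Added example (not from the book): parse nmap's "Interesting ports" tables
# (with or without the -I Owner column) and triage them as the chapter suggests.
import re
from collections import defaultdict

# Sample input: the -I output shown above for www.pentacorp.com.
SAMPLE_OUTPUT = """\
Interesting ports on www.pentacorp.com (192.168.57.8):
(The 1509 ports scanned but not shown below are in state: closed)
Port       State       Service                 Owner
21/tcp     open        ftp                     root
23/tcp     open        telnet                  root
25/tcp     open        smtp                    root
79/tcp     open        finger                  root
80/tcp     open        http                    nobody
98/tcp     open        linuxconf               root
113/tcp    open        auth                    root
513/tcp    open        login                   root
514/tcp    open        shell                   root
515/tcp    open        printer                 root
6000/tcp   open        X11                     dostoyev
"""

# One port line; the Owner column is optional (absent without -I).
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<owner>\S+))?\s*$"
)

# Services that carry credentials or whole sessions in the clear, or are legacy
# remote-access/remote-admin services.  This selection is the example's own.
CLEARTEXT_OR_LEGACY = {"ftp", "telnet", "finger", "login", "shell", "exec",
                       "linuxconf", "X11", "printer"}
# Services with no need for root; http is the chapter's example, extend per policy.
SHOULD_NOT_BE_ROOT = {"http"}


def parse_ports(text):
    """Return one dict per port line (port, proto, state, service, owner or None)."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def triage(rows):
    """Apply the chapter's three checks to parsed rows and return the findings."""
    open_rows = [r for r in rows if r["state"] == "open"]
    by_owner = defaultdict(list)
    for r in open_rows:
        if r["owner"]:
            by_owner[r["owner"]].append(r["port"])
    return {
        "cleartext_or_legacy": sorted(r["port"] for r in open_rows
                                      if r["service"] in CLEARTEXT_OR_LEGACY),
        "root_unnecessarily": sorted(r["port"] for r in open_rows
                                     if r["owner"] == "root"
                                     and r["service"] in SHOULD_NOT_BE_ROOT),
        # users owning more than one service: compromising one service exposes
        # the others running under the same account
        "shared_owners": {o: sorted(p) for o, p in by_owner.items() if len(p) > 1},
    }


if __name__ == "__main__":
    findings = triage(parse_ports(SAMPLE_OUTPUT))
    for name, value in findings.items():
        print("%-22s %s" % (name, value))
```

On the sample above the script flags eight cleartext or legacy services, reports nothing under root_unnecessarily (http already runs as nobody), and shows root as the shared owner of nine services.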

       
Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002.