Scanning, or more specifically network scanning, is the act of scanning network addresses, or Internet Protocol (IP) addresses to identify hosts on the network and the services those hosts provide.
Scanning is often thought of as hacking: either hacking meant to stop a “bad” government (or other entity) from doing something harmful, where the cause is taken to legitimize otherwise harmful hacking, or simply illegitimate hacking carried out to do harm.
However, the intent behind a scan and how aggressive it is determine how the scan is categorized. This book covers the legitimate uses of scanning, and specifically scanning with Nmap.
Legitimate uses of scanning include system administration, auditing, and education.
System Administration and Auditing
System administration and auditing are the major topics covered in this book. Although educational uses will not be covered, the system administration and auditing lessons can prove useful to computer science and information systems students and to self-taught learners. The examples covered are ones carried out in enterprise networks.
Many companies have large networks that are either poorly documented or so dynamic that network scans are needed to determine which services are running on which systems. Security audits are also often needed, and a network scan can be the first step in carrying one out.
Nmap, or Network Mapper, is a freely available, open source scanner. It was originally written by the security expert Gordon Lyon. Gordon is often better recognized by his pseudonym Fyodor Vaskovich. The project’s home page is at http://www.nmap.org/.
There are numerous types of activities that Nmap can perform to help with system administration and auditing. Here are some real examples that I have carried out or helped others carry out. (The examples are real; however, the nmap output is based upon running scripts in a lab environment to simulate what I have performed for various customers over several years.)
Example 1 - PCI DSS Audit
Organizations that accept credit and debit cards must pass assessments carried out by auditors approved by the Payment Card Industry, an organization created by the card brands to hold the industry to a common set of standards. Such organizations must meet the Payment Card Industry Data Security Standard (PCI DSS), and the PCI DSS does not permit insecure protocols. One protocol that causes many organizations trouble on a PCI DSS assessment is version 2 of the Secure Sockets Layer (SSL) protocol. The questions are: do we use the protocol, and if so, on which systems? Nmap can quickly find every system still accepting SSLv2, as this abridged output from such a scan shows.
# nmap -sV -p 443 --script sslv2 192.168.1.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2011-03-26 14:15 CDT
NSE: Script Scanning completed.
Nmap scan report for wx001.internal.net (192.168.1.7)
Host is up (0.019s latency).
PORT    STATE  SERVICE VERSION
443/tcp closed https

Nmap scan report for wx002.internal.net (192.168.1.17)
Host is up (0.063s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http IBM HTTP Server (Based on Apache)
|_sslv2: server still supports SSLv2

Nmap scan report for wx768.internal.net (192.168.1.77)
Host is up (0.058s latency).
PORT    STATE    SERVICE VERSION
443/tcp filtered https
Example 2 - No More FTP
One of the problems with the File Transfer Protocol (FTP) is that all of its traffic is sent in the clear, meaning that the user ID, password, and data can easily be intercepted. This problem came to light for one company that had its numbers leaked to message boards before its earnings calls, which meant that speculators could greatly influence the market before the official word reached the public.
The source was the FTP server used to publish those numbers to board members. That issue was quickly fixed; however, the chief information officer (CIO) wanted every FTP server disabled and HTTP over SSL used instead. The environment was huge, and interviewing the various IT departments was going too slowly to identify the servers. An Nmap scan of the environment identified the FTP servers in a matter of minutes. Here is what such a scan looks like:
# nmap -sV -p 21 192.168.3.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2011-03-26 15:03 CDT
…
Nmap scan report for pr01.example.net (192.168.3.5)
Host is up (0.079s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.1
Service Info: OS: Unix

Nmap scan report for 66-11-230-254.iinet.pdx.dotster.net (66.11.230.254)
Host is up (0.075s latency).
PORT   STATE  SERVICE VERSION
21/tcp closed ftp

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (247 hosts up) scanned in 70.32 seconds
Example 3 - Rogue Web Servers
In a university environment, the IT staff were given the job of shutting down all the legacy web services that had been set up several years earlier, when departments were allowed to run their own web servers. Most of the servers were well known to students who were using them to share music and videos, but staff did not have an accurate picture of which networks they were on. To compound the problem, students found out that the university was clamping down on rogue services running on university equipment and started configuring their web services to run on other ports. A version-detection scan that is not limited to port 80 finds them on whichever port they use:
# nmap -sV 192.168.17.0/24

…
Nmap scan report for lab01.university.edu (192.168.17.34)
Host is up (0.075s latency).
Not shown: 990 filtered ports
PORT     STATE  SERVICE    VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp        ProFTPD 1.3.1
80/tcp   open   http       Apache httpd
81/tcp   open   http       Apache httpd
443/tcp  open   ssl/http   Apache httpd
587/tcp  closed submission
993/tcp  closed imaps
1433/tcp closed ms-sql-s
3306/tcp closed mysql
Service Info: OS: Unix
…
Here you can see that Nmap has identified not only the standard web server on port 80 but also the Apache web servers running on ports 81 and 443.
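The three examples above all end the same way: a person reads the normal Nmap output and picks out the hosts that matter. As an added example, not code from the book or from the Nmap project, the following Python script parses that human-readable format (host headers, port table rows, and NSE script lines) and answers the three audit questions directly: which hosts still accept SSLv2, which hosts have FTP open, and which HTTP services sit on non-standard ports. The function names and the SAMPLE text are this example's own constructions; the sample merges abridged lines from the three scans shown above into one output so it runs offline. For anything automated, Nmap's XML output (-oX) is the stable format to parse; normal output is intended for people and its layout can change between versions.

```python
"""Audit helpers for Nmap "normal" output.

Added example, not from the book or the Nmap project: it parses the
human-readable format shown in the three examples and answers their audit
questions. Function names and SAMPLE are this example's own constructions.
For automation, Nmap's XML output (-oX) is the stable format to parse.
"""
import re

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# "|_name: text" or "| name: text"; continuation lines ("|   ...") do not
# match, so only the first line of each script's output is kept.
SCRIPT_RE = re.compile(r"^\|[_ ]([\w.-]+):\s*(.*)$")

# Constructed sample: abridged lines from the three scans above, merged.
SAMPLE = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2011-03-26 14:15 CDT
Nmap scan report for wx001.internal.net (192.168.1.7)
Host is up (0.019s latency).
PORT    STATE  SERVICE VERSION
443/tcp closed https

Nmap scan report for wx002.internal.net (192.168.1.17)
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http IBM HTTP Server (Based on Apache)
|_sslv2: server still supports SSLv2

Nmap scan report for pr01.example.net (192.168.3.5)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.1
Service Info: OS: Unix

Nmap scan report for lab01.university.edu (192.168.17.34)
Not shown: 990 filtered ports
PORT     STATE  SERVICE  VERSION
21/tcp   open   ftp      ProFTPD 1.3.1
80/tcp   open   http     Apache httpd
81/tcp   open   http     Apache httpd
443/tcp  open   ssl/http Apache httpd
1433/tcp closed ms-sql-s

Nmap done: 4 IP addresses (4 hosts up) scanned in 12.34 seconds
"""


def parse_nmap_normal(text):
    """Return hosts as {"name", "ip", "ports"}; each port carries
    state/service/version plus "scripts": NSE name -> first output line."""
    hosts = []
    host = port = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            # Without reverse DNS the header is just "... for 192.168.1.7".
            host = {"name": m.group(1), "ip": m.group(2) or m.group(1),
                    "ports": []}
            hosts.append(host)
            port = None
            continue
        if host is None:
            continue  # banner lines before the first host report
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2),
                    "state": m.group(3), "service": m.group(4),
                    "version": (m.group(5) or "").strip(), "scripts": {}}
            host["ports"].append(port)
            continue
        m = SCRIPT_RE.match(line)
        if m and port is not None:
            port["scripts"][m.group(1)] = m.group(2)  # belongs to last row
    return hosts


def hosts_with_script(hosts, script):
    """IPs of hosts where some port carries output from the named NSE
    script, e.g. "sslv2" for the PCI DSS example."""
    return sorted({h["ip"] for h in hosts
                   for p in h["ports"] if script in p["scripts"]})


def open_services(hosts, service):
    """(ip, port, version) for each open port whose service name matches;
    "http" also matches "ssl/http", so HTTPS listeners are included."""
    return [(h["ip"], p["port"], p["version"]) for h in hosts
            for p in h["ports"]
            if p["state"] == "open" and service in p["service"].split("/")]


def nonstandard_web(hosts, standard=(80, 443)):
    """Open HTTP services on unexpected ports (the rogue web server case)."""
    return [(ip, port, ver) for ip, port, ver in open_services(hosts, "http")
            if port not in standard]


if __name__ == "__main__":
    scanned = parse_nmap_normal(SAMPLE)
    print("SSLv2 still enabled:", hosts_with_script(scanned, "sslv2"))
    print("FTP servers:", open_services(scanned, "ftp"))
    print("Web servers on unusual ports:", nonstandard_web(scanned))
```

Run against a real scan by reading the saved normal output (nmap -oN) into parse_nmap_normal instead of SAMPLE. The script-output association relies on Nmap printing NSE lines directly under the port row they belong to, which is how the sslv2 line appears in the first example.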
Those three examples give a good basis for understanding how well Nmap can be used for administration and auditing. Most of the rest of the book covers using Nmap for these purposes. The next two sections cover Nmap's other uses: hacking and education.
Educational
Nmap is used quite often for learning, both about how networks function and about the impact of a particular vulnerability. For example, ping scans can be used to learn when they are effective and why they do not always work. A vulnerability scan across a large network can tell a security researcher how widespread a new vulnerability has become.
Hacking
Using Nmap for hacking, even when well intended to “right a wrong”, can lead to both civil and criminal issues. Generally speaking, Nmap cannot be used to actually exploit networks and systems, so its use is not in itself what leads to civil or criminal issues; rather, it is what is done with the results of the scan, or running Nmap so aggressively that it causes network or host outages. I try not to distinguish between good hackers and bad hackers when discussing nmap, because often even “good” hacking can give rise to civil lawsuits. Any time the activity moves from knowing that a system is vulnerable to taking advantage of the vulnerability, it becomes hacking.
Off to Scanning
Ron’s upcoming book on scanning with nmap will be released this summer. Please check back here for additional information.