• Presentation will discuss and demonstrate the use of Nmap to identify subtle network security vulnerabilities. Clearly a full audit cannot be covered in one hour, so the focus will be on commonly overlooked vulnerabilities and techniques.
• Since Nmap will be demonstrated frequently, here is a quick usage overview which you may want to refer back to during examples. For further details, see the man page (included in this packet):
  

  nmap V. 2.52_CSW Usage: nmap [Scan Type(s)] [Options] 
  Some Common Scan Types ('*' options require root privileges)
    -sT TCP connect() port scan (default)
  * -sS TCP SYN stealth port scan (best all-around TCP scan)
  * -sU UDP port scan
    -sP ping scan (Find any reachable machines)
  * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
    -sR/-I RPC/Identd scan (use with other scan types)
  Some Common Options (none are required, most can be combined):
  * -O Use TCP/IP fingerprinting to guess remote operating system
    -p  ports to scan.  Example range: '1-1024,1080,6666,31337'
    -F Only scans ports listed in nmap-services
    -v Verbose. Its use is recommended.  Use twice for greater effect.
    -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
  * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
    -T  General timing policy
    -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
    -oN/-oM  Output normal/machine parseable scan logs to 
    -iL  Get targets from file; Use '-' for stdin
  * -S /-e  Specify source address or network interface
    --interactive Go into interactive mode (then press h for help)
  Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
  SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
      

• The version of Nmap shown above (2.52_CSW) is a special CanSecWest version which includes a few improvements over the current public version. It is available on the accompanying CanSecWest CD ROM. The latest public version is at http://nmap.org/

• Obvious answer: send an ICMP echo-request (ping) packet and wait for a reply to determine which hosts are up.
• But many hosts filter out ping requests or replies! Example:

  amy~>ping microsoft.com
  PING microsoft.com (207.46.131.137) from 63.192.132.102 : 56 data bytes
  
  --- microsoft.com ping statistics ---
  11 packets transmitted, 0 packets received, 100% packet loss
  amy~>
  

• Solution: "TCP" ping. By default, Nmap sends a TCP ACK packet to port 80 in parallel with the ICMP request. If a RST packet comes back, we know the host exists.
• Advanced technique: Send the probe to port 113 (auth/identd). Having this port firewalled off with a DENY rule can cause delays when accessing some servers (especially SMTP/IRC/SOCKS) which try to connect to the identd of each new client. Many admins open this up to prevent delays. The 2.52_CSW version of Nmap uses 113 by default. With common versions of Nmap, this can be done via the -PB113 or -PT113 options.
• The -PS option causes Nmap to send a SYN packet probe instead of an ACK. Normally we recommend the default ACK for stealthiness and firewall penetration reasons. But -PS has a strong advantage when combined with Nmap 2.52_CSW: Since SYN is a connection-establishment-request packet, this probe (which is done against many targets in parallel) can be used to determine whether the port is open as well as whether the machine is up. This allows single-port scans to be almost twice as fast as Nmap 2.52. Example of a high speed scan for web servers in the 16 million 10.* (internal) addresses:

  nmap -sS -PS80 -p80 10.0.0.0/8
       

  Note that for this speed optimization to take effect, you must have all three of the arguments (-sS, -PS, and -p) , and the port given to 'PS' and 'p' must match.
• -P0 tells Nmap to scan each machine without even checking if it is up first. This can be very slow (if scanning thousands of ports), but is the ultimate technique for paranoid (experienced) security admins.

• What ports are, why they are important
• Close all ports you don't need! Even if there aren't any known vulnerabilities:
  • attacks are often distributed underground for a long while before becoming publicly available. (eg. cmsd, sadmind).
  • attackers make databases they can refer to when a new hole is discovered and publicized.
  • Even if there are no holes in (say) your socks daemon, people scanning for port 1080 will see your machine in their logs and may come back to check if your socks server is open. This is unneeded attention.
• SYN scan. The preferred general-purpose TCP scan type. Also known as half-open scanning. Give Nmap the -sS argument to perform this kind of scan.
• Don't forget UDP scanning! (Nmap option: -sU)

• Vary the scan source port to look for common holes
  • Lazy admins sometimes unwittingly compromise security when they open holes as quick-hacks to make various services work.
  • Source port 53/udp is sometimes allowed in as a quick (INSECURE) hack to allow DNS replies (the ZoneAlarm personal "firewall" V. 2.0.26 had this problem).
  • Source port 20/tcp for FTP-DATA (active FTP) connections
  • Port 67/udp (BOOTP/DHCP) -- ZoneAlarm 2.1.10 is vulnerable.
  • Try both UDP & TCP for these ports.
  • The Nmap -g option allows for changing the source port of a scan.
• Exploit identd to determine username running services.
• Filtering out SunRPC portmapper alone does not prevent exploits of RPC services. See docs for Nmap "Direct" RPC scan.
• Exploit the ports you have found open. They may be running on the firewall or redirected to an internal machine. Pop up an xterm to your local machine.
• Bouncing through the firewall
  • Socks proxy
  • FTP Server (active or passive attacks)
  • Web proxy
  • Source routed packets
  • Fragmentation holes
• Vary source addresses using IP.ID scanning (not yet implemented in Nmap). Primitive IP.ID scanners are available on the Internet (search SecurityFocus.Com ).

• Have cron scan your network periodically and notify you of machines coming up (and perhaps down) and new ports that open up (and perhaps close). Grep + diff do a reasonably good job. People are working on better free solutions and commercial services exist.
• Be careful to check the state of ports that are found. Many panicked people write me because they see "BackOrifice" on the report, but they do not notice that the state is "filtered". Many ISPs filter "dangerous" ports.
• Logging port scans may be a good idea, but DO NOT automate responses. Doing this can have numerous drawbacks
  • Port scans can be forged, causing your machine to attack/probe an innocent party.
  • Even if you just block the IPs that scan you, attackers can DOS your network
  • If you respond to the probes by portscanning, attackers can sometimes cause an infinite portscan loop to suck up tremendous amounts of bandwidth by finding two machines that do this. Then they forge a portscan from one to the other.
  • Some detector programs (such as Portsentry) may open the ports they are "protecting". This makes the machine look very vulnerable and will attract unwanted attention to it.
• You may see scans coming from several source addresses at once. This may look like a massive coordinated attack, but it is often just Nmap decoy scanning (-D).

amy~#nmap -p- -sR -I -O www.secret.com
Starting nmap V. 2.52 by fyodor@insecure.org ( insecure.org/nmap/ )

Interesting ports on foo.bar.com (42.43.44.45):
(The 65514 ports scanned but not shown below are in state: closed)
Port       State       Service (RPC)           Owner
21/tcp     open        ftp                     root
22/tcp     open        ssh                     root
23/tcp     open        telnet                  root
25/tcp     open        smtp                    mail
80/tcp     open        http                    http
110/tcp    open        pop-3                   root
111/tcp    filtered    sunrpc                  
113/tcp    open        auth                    root
220/tcp    filtered    imap3                   
443/tcp    open        https                   http
512/tcp    filtered    exec                    
513/tcp    filtered    login                   
514/tcp    filtered    shell                   
515/tcp    filtered    printer                 
516/tcp    filtered    videotex                
517/tcp    filtered    talk                    
518/tcp    filtered    ntalk                   
635/tcp    filtered    unknown                 
939/tcp    open        (status V1)             root
2049/tcp   filtered    nfs                     
3600/tcp   open        unknown                 root

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4797787 (Good luck!)

Sequence numbers: 702A7726 70243971 7059255D 70F3C86B 710DC518 704EBFEE
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 467 seconds

• Default-deny filtering rules
• Eliminate the insecure applications (telnet, pop3, possibly FTP)
• Better RPC filtering
• Turn off identd or fix username disclosure problem.

• Nmap (like computer security in general) is frequently updated. The most current information is always available at http://insecure.org/nmap.
• Read the manual thoroughly before using Nmap.
• Nmap does not intentionally try to crash machines, but there are many poorly written applications, TCP/IP stacks, and even operating systems out there. Some have been known to occasionally crash during an Nmap scan. Be prepared for this possibility. But also remember that people are likely to Nmap scan your servers anyway, so it might be best to try it yourself whether than wonder what is causing mysterious crashes.
• Be wary of scanning other people's networks.