In this tip we are going to learn about nmap, an open source network scanner that is ideal for network troubleshooting, scanning, and auditing. The tool can be used to identify devices on the network as well as the services running on the particular devices. Additionally, advanced information such as operating systems in use, particular services (name and version), and network filters and firewalls can be identified.
The identification of services with nmap is achieved through its fingerprint database that currently contains 5,000+ fingerprints. This database is supported by the community by allowing submission of known fingerprints.
nmap as an inventory tool
One of the common applications of nmap is to generate basic inventory reports. This is useful for network maps, renewal of maintenance agreements on network devices and nodes, and to identify rogue, unauthorized, or forgotten devices.
The basic scan for an inventory makes use of a ping scan. For example, the following scan shows the host available on the 192.168.1.0/24 network. The -sP tells nmap to do a ping scan, and the -n says to not do name resolution.
nmap -sP -n 192.168.1.0/24
Starting Nmap 4.76 (http://nmap.org) at 2009-05-14 10:18 CDT Host 192.168.1.1 appears to be up. MAC Address: 00:18:3A:A4:43:BA (Westell Technologies) Host 192.168.1.2 appears to be up. Host 192.168.1.3 appears to be up. MAC Address: 00:17:EE:01:95:19 (Motorola CHS) Host 192.168.1.4 appears to be up. MAC Address: 00:16:CB:A3:27:E4 (Apple Computer) Host 192.168.1.5 appears to be up. MAC Address: 00:1E:52:7D:84:7E (Apple) Nmap done: 256 IP addresses (5 hosts up) scanned in 2.17 seconds
This ping scan is quite useful for building inventories quickly. It can also be the building blocks of more sophisticated scripts and programs to validate adds and changes to the network. For example, the following command reports the new host (192.168.1.5) on the network from two daily scans output to text files:
diff monday.scan tuesday.scan | grep "> Host" > Host 192.168.1.5 appears to be up.
To look at a particular host to determine services running, you can use nmap. For example, let's take a closer look at the 192.168.1.5 that appears to have been turned up sometime after the Monday scan but before the Tuesday scan:
nmap -n 192.168.1.5
Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-14 12:44 CDT Interesting ports on 192.168.1.5: Not shown: 984 closed ports PORT STATE SERVICE 22/tcp open ssh 88/tcp open kerberos-sec 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 515/tcp open printer 548/tcp open afp 631/tcp open ipp 1021/tcp open unknown 1022/tcp open unknown 1023/tcp open netvenuechat 2049/tcp open nfs 3300/tcp open unknown 5900/tcp open vnc 20221/tcp open unknown 20222/tcp open unknown MAC Address: 00:16:CB:A3:27:E4 (Apple Computer)
Nmap done: 1 IP address (1 host up) scanned in 10.46 seconds
It appears to be a Unix based system based upon ssh, but the identification of the MAC address makes the system most likely an Apple Mac computer. But, a closer look using nmap's service and version detection, more information can be gleaned. The -sV parameter is used for this:
mb3:~ root# nmap -n -sV 192.168.1.5
Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-14 12:47 CDT Interesting ports on 192.168.1.5: Not shown: 984 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.1 (protocol 1.99) 88/tcp open kerberos-sec Mac OS X kerberos-sec 111/tcp open rpcbind 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 515/tcp open printer 548/tcp open afp? 631/tcp open ipp CUPS 1.3 1021/tcp open rpcbind 1022/tcp open rpcbind 1023/tcp open rpcbind 2049/tcp open rpcbind 3300/tcp open unknown? 5900/tcp open vnc VNC (protocol 3.8) 20221/tcp open unknown? 20222/tcp open unknown? 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : SF-Port548-TCP:V=4.76%I=7%D=5/14%Time=4A0C5929%P=i386-apple-darwin9.4.0%r( SF:SSLSessionReq,172,"\x01\x03\0\0Q\xec\xff\xff\0\0\x01b\0\0\0\0\0\x18\0\" AD9 SF:6FA5112ED039C\0\x04mini"); MAC Address: 00:16:CB:A3:27:E4 (Apple Computer) Service Info: OS: Mac OS X
Host script results: | Discover OS Version over NetBIOS and SMB: Unix |_ Discover system time over SMB: 2009-05-14 12:49:02 UTC-5
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 119.68 seconds
Now the administrator knows that it is Mac OS X, and that it is being used for Windows file sharing using Samba, that it is most likely sharing printers via CUPS, and that the system is configured for remote management with virtual network computing (VNC).
Using nmap for security
While nmap is quite useful for administrators as shown above, it is also quite powerful for security audits. For example, many companies do not allow Web servers to be run on user networks (i.e. networks where user computers and laptops are connected). nmap can easily be used to identify all the systems with Web services running on the well known ports of 80 and 443 with:
nmap -n -p 80,443 192.168.1.0/24 | egrep "ports|open" Interesting ports on 192.168.1.1: 80/tcp open http 443/tcp open https Interesting ports on 192.168.1.2: Interesting ports on 192.168.1.3: Interesting ports on 192.168.1.4: Interesting ports on 192.168.1.5:
Another useful feature is identifying particular versions to determine if systems are vulnerable to an announced vulnerability. For example, let's assume the Samba team has announced a security issue with a particular version of Samba, and you need to identify all your Samba versions. The following reports the Samba versions:
nmap -n -sV -p 139 192.168.1.0/24 | egrep "ports|139" Interesting ports on 192.168.1.1: 139/tcp closed netbios-ssn Interesting ports on 192.168.1.2: 139/tcp closed netbios-ssn Interesting ports on 192.168.1.3: 139/tcp filtered netbios-ssn Interesting ports on 192.168.1.4: 139/tcp open netbios-ssn Samba smbd 3.2 (workgroup: HQ) Interesting ports on 192.168.1.5: 139/tcp open netbios-ssn Samba smbd 2.1 (workgroup: REMOTE) Interesting ports on 192.168.1.15: 139/tcp open netbios-ssn Samba smbd 3.2 (workgroup: WORKGROUP)
This tip has shown how nmap can be used for network inventory scans (-sP), more thorough inventory and auditing, and security scans to identify unauthorized services as well as assist in security vulnerability assessments. nmap is a good tool to have readily available...combine it with grep or egrep and it becomes a powerful reporting tool.
ABOUT THE AUTHOR: Ronald McCarty is a freelance writer and consultant specializing in systems, network, and information security. He received his bachelor's degree in Computer and Information Systems at the University of Maryland's international campus at Schwaebisch Gmuend, Germany and his master's degree in Management with a specialization in information technology at Capella University. Ron's company, Your Net Guard offers IT consulting and integration services in the Dallas/Forth Worth area. He can be reached at email@example.com.