Tools hakin9 2/2007

Nmap


System: Linux/Unix/Windows/Mac OS X

License: GPL

Version: 4.11

Purpose: Open-Source security scanner

Homepage: http://www.insecure.org/nmap/osdetect

Nmap (Network Mapper) is a free open source utility for network exploration or security auditing. The focus of its design is on rapid, large scale scans. Nmap brings together several advanced analyzing techniques to determine what hosts are available on the network, what services they provide, what operating systems they are running, what type of packet filters are in use and many other characteristics.

Quick start. Nmap provides a flexible way to choose a scanning strategy, from shy SYN (synchronisation request) packets to custom exploitation scripts; its repertoire is limited only by your imagination. This philosophy of a flexible strategy is demonstrated by Nmap's version detection framework. If a stealth scan is performed, Nmap guesses the protocol running on a port solely from the port number. If you prefer not to be deceived by the port number, you can activate Nmap's version detection system. While the version detection scan is more intrusive, it provides more accurate information. Some protocol versions cannot be determined by Nmap's fast but simple pattern-based engine. In these trickier cases the version detection framework can be extended with the help of Nmap's new scripting engine.

Nmap's version detection is applied to discover what service an open port is providing. The idea of the mechanism is pretty simple. Nmap connects to an open TCP port and listens for 5 seconds. Many services give out information without being asked for it. If any data is received, several patterns are matched against it. If a pattern matches the service, the scan for this port completes. Another possible scenario is that a pattern soft-matches the data. In this case Nmap responds with strings which are likely to elicit information from this class of services. The third case is that the service is not recognized. In this case the user is provided with a fingerprint of the service and is asked to contribute information about the service to the Nmap project.

If Nmap detects that SSL is running on the port, then it reconnects using an SSL layer and restarts the version scan to determine what service is running behind the SSL encryption.
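The three outcomes described above (hard match, soft match followed by class-specific probes, and an unrecognised service reported as a fingerprint), as an added Python sketch that is not Nmap's code: the probe table and the in-memory services are constructed for illustration and only loosely follow the nmap-service-probes format.

```python
import re

# Constructed mini probe table (assumption: loosely modelled on nmap-service-probes,
# keeping only the probe string plus its match / softmatch rules).
PROBES = [
    # NULL probe: send nothing, just listen for an unsolicited banner
    (b"", [
        ("match", "ssh", re.compile(rb"^SSH-(\d[\d.]*)-OpenSSH[_-]([\w.]+)")),
        ("softmatch", "smtp", re.compile(rb"^220 ")),
    ]),
    (b"GET / HTTP/1.0\r\n\r\n", [
        ("match", "http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: ([^\r\n]+)", re.S)),
    ]),
    # Only worth sending once an smtp soft match has narrowed the service class
    (b"EHLO probe.example\r\n", [
        ("match", "smtp", re.compile(rb"^250[ -]([^\r\n]+)")),
    ]),
]


def identify(talk):
    """Run the probe table against one open port.

    `talk(probe)` sends a probe and returns the bytes the service answered with
    (empty bytes if it stayed silent within the timeout, 5 s in Nmap's case).
    Returns ("matched", service, captured_fields) on a hard match, otherwise
    ("unknown", fingerprint) so the operator can report the unrecognised service.
    """
    fingerprint = []
    candidate = None  # service class named by a soft match, if any
    for probe, rules in PROBES:
        if candidate is not None:
            rules = [r for r in rules if r[1] == candidate]
            if not rules:
                continue  # this probe cannot refine the soft-matched class
        data = talk(probe)
        if not data:
            continue
        fingerprint.append((probe, data))
        for kind, service, pattern in rules:
            m = pattern.search(data)
            if not m:
                continue
            if kind == "match":
                return ("matched", service, [g.decode() for g in m.groups()])
            candidate = service  # soft match: only send this class's probes next
            break
    return ("unknown", fingerprint)


def fake_service(banner, replies):
    """Constructed in-memory stand-in for a TCP service: a banner plus per-probe replies."""
    return lambda probe: banner if probe == b"" else replies.get(probe, b"")
```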

Other useful features. Nmap provides a method to determine the Operating System of a scanned target. While Nmap's OS detection is reliable and has a large database of OS fingerprints, it has aged in the eight years since it was first released. Several new probes have been added which are designed around ambiguities in protocol specifications. Since these ambiguities have to be resolved by the Operating System's implementation of the TCP/IP stack, they form an accurate OS fingerprint. By deliberately probing for these loopholes in the standards and matching the results of the probes against a large database, a very fine-grained identification of the OS running on the target can be deduced. Currently the Nmap project is collecting fingerprints for its second generation OS detection system.

The script scanning framework is currently not known to a wide audience as it hasn't yet been merged into the core sources of Nmap. The Nmap Scripting Engine (NSE) allows users to write scripts which automate a wide variety of network scanning tasks. The scripts are executed by Nmap. As usual, a lot of attention has been paid to maintaining the high performance Nmap is known for. Some of the tasks NSE can perform are querying network databases like RIPE, ARIN or APNIC, detecting vulnerabilities on a remote target and even exploiting these on the fly. NSE is deeply integrated with Nmap's other features. It can be used, for example, to detect the version of a provided service by connecting to it and acting as a client. Telling Skype 2 apart from an ordinary HTTP server is not possible with Nmap's ordinary version detection system, but an NSE script detecting this service has already been posted to the Nmap developers mailing list.