Housekeeping with NMAP

It’s Monday morning and you’ve just arrived at work and started up your workstation when in walks your boss with a disturbed look on his face:

If you’re like most administrators out there you’ve probably, at one time or another, had the sinking feeling that goes along with discovering services running on your network that shouldn’t be there. You may have been alerted to this fact while looking at system or IDS logs (better), or maybe even by a less-than-friendly third party (bad).

The fact is, whether you work at the system or network level, knowing what daemons are running in your environment is absolutely crucial. Few things are more embarassing than someone else finding out about new, unauthorized servers on your network before you do — especially when you end up being notified due to an incident involving one of them.

This article will attempt to provide you with a few nifty Nmap commands that can help you stay ahead of the rogue servers on your network.

Nmap

To start with, Nmap is a free, OSS network discovery tool developed by Fyodor. It’s the single most popular portscanner in the world and an invaluable tool for any system or network administrator.

Nmap allows you to find both new machines as well as new services on known machines through the use of its plethora of options. Below we’ll take a look at some of the different scans you can do and how you can get maximum use out of the results.

Discovery Sweeps Using Ping

One of the first thing that should be of concern to any network admin should be the introduction of new, unauthorized hosts onto the network. When a host comes online without the admin knowing about it, it’s often a bad thing.

This negativity can range from not knowing that a particular project has started to not knowing that a disgruntled employee is distributing illegal content at the company’s expense.

Nmap makes short work of finding new hosts on the network using a few simple options. To start with, one can simply ping every host on their network and see who answers:

nmap -n -sP -oA output_file 192.168.10.0/24

This command will print to the console the hosts that appear to be up, but more importantly it saves the output in various formats in the directory you ran the command from.

The -sP says to ping the hosts only (as opposed to scanning them afterwards), and the -oA option says to save the output in all three main Nmap output formats — human readable, grepable, and XML. The -n was to tell Nmap not to resolved DNS names so that we got the IP addresses themselves.

The one’s that we’re interested in here is the grepable format, as it allows us to parse the output using cut and grep — two Unix/Linux file utilities:

cat output_file.gnmap | cut -d" " -f2 | grep ^[0-9]

What this command does is parse the output_file.gnmap file, cut out the IP address field, and make sure it’s a valid IP address. What you end up with is a nice list of hostnames that responded to your ping scan of the network. You can save this list to a file like so:

cat output_file.gnmap | cut -d” ” -f2 | grep ^[0-9] > list_of_hosts

Discovery Scanning With SYNs

In addition to traditional ping scanning, you can also elect to look for hosts on your network based on open TCP (or UDP) ports. This is done by giving the -PS option:

nmap -sP -PS21,22,23,80,443 -oA output_file 192.168.10.0/24

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

This says to Nmap, “Ping my network for machines that are up — but use ports 21,22,23,80, and 443 as the verification ports.” In other words, if any host on the network responds on any one of those ports, it’ll be listed in the Nmap output as up. This is helpful for finding machines that think they’re sneaky by not responding to ICMP while still running traditional services.

Scanning The Machines You Find

Ok, so now that you have some decent ways to find hosts on your network, let’s take a look at how to scan them once you find them. My favorite way to do this is to combine the discovery technique we just saw with a port scan:

nmap -PS21,22,23,80,443 -p1-15000 -oA output_file 192.168.10.0/24

The command above asks Nmap to find hosts using the first set of ports, and scan anything it finds on TCP ports 1 to 15,000. This gives a somewhat decent view of at least the TCP services likely to pop up on a network over time due to rogue hosts. You can, of course, tweak the scan to include UDP and/or a larger range of ports.

Conclusion

The goal here is to get administrators in the habit of seeing what’s alive on their networks. Only once we know what our situation is can we actually begin to address it.

Feel free to contact me if you have any questions or comments.

** Also, stay tuned for a new tool a friend and I are writing designed to help administrators keep track of what hosts are on their networks, and what services those hosts are running. The concept is simple — perform regular scans (using Nmap) and compare the results to each other over time. The name of the tool is Netdiff (witty, I know), and it’s written in Python. We should have some semi-releasable code available soon.

[July 2006]

References

The Nmap Manpagehttp://www.insecure.org/nmap/data/nmap_manpage.html

Related posts:

1. 5 Things You Didn’t Know You Could do with Nmap

2. A @TomNomNom Recon Tools Primer

3. How to Run the Latest Version of Nmap on Ubuntu