Thursday, July 26, 2007

Using NMAP TOOL

Fumbling toward a hacker's-eye view of your network

Ready to see your network the way an attacker sees it?

This short series is for the network administrator who has a grasp of networking, but knows less about security. You might be the Natalie in Natalie's Graphic Design, or the all-in-one IT department / PC help desk / Webmaster. Maybe you haven't used command line tools before. But if your network has more than nine devices, you can no longer hold your network in your head. You need a way to quickly and reliably find out:

* How many computers do I have on my network, and what are their IP addresses?

* What network services (distinguished by open ports) does each computer offer?

* What operating system (OS) runs on each computer?

Answering these questions is known as enumeration, or mapping your network. Enumeration is the first thing a savvy attacker does when trying to take over your network -- so you might as well beat 'em to the punch. Enumerating your network helps you identify and close unnecessary services, improving your security. It also tells you what kinds of OS and applications you're running, so that you can keep up with the proper security patches.

Enter the port scanner, a special network-mapping tool that quickly and easily answers all three of these questions for you. Port scanners come in many flavors and prices, but in essence, a scanner sends an avalanche of packets to an IP address (or IP addresses) in order to learn which IPs are active, what ports each IP listens on, and (in some cases) what OS each IP uses. Then the scanner reports the results to you.

Nmap, short for Network Mapper, is one of the most popular and powerful port scanners on the market. Fyodor, a well-respected white hat hacker, originally created Nmap. Since its inception, many security experts have built upon Fyodor's open source tool, making it one of the most powerful and advanced port scanners around.

So how much does all this technology and power cost you? Nothing. All you need is the courage to download and install it... and a little bit of know-how, which we intend to provide in this three-part series.

Ready to get your hands dirty, and find out what's really happening on your network? Read on!

Getting and Installing Nmap

Procuring nmap is easier than saying "procuring." Just go to Fyodor's Nmap web site and look for a link labeled Download, which is near both the top and the bottom of the page. Grab the latest copy of the Nmap Windows installer. When we published this article, it was http://download.insecure.org/nmap/dist/nmap-4.20-setup.exe.

Once you've downloaded the Nmap Windows installer, you should have a file called Nmap-4.20-setup.exe in whatever directory you downloaded the file to. Double-click on this file to begin installing it. After running the installer, Nmap's End-User's License Agreement (EULA) window pops up. Read this agreement. If you choose to accept it, click I Accept. (If you don't accept the agreement, you can't use Nmap.)

After you accept its EULA, Nmap's installer presents you with a Components window. Here you can choose which parts of Nmap to install. Since you pretty much need all its components -- and the installer enables them all by default -- simply click Next to continue.

Now the installer will ask you where you want to install Nmap. We suggest you let it install into its default directory (c:\Program Files\nmap). Just click Install.

Finally, the Nmap installer begins to install Nmap onto your computer. However, during this installation process it also has to install WinPcap, a little utility that helps Nmap do its job. When this happens, you'll see a window appear for the WinPcap Installer. Click Next. Again you'll have to read a EULA. If you choose to accept it, click I Agree. After you agree to its EULA, WinPcap installs itself. When it finishes installing, click the Finish button in the WinPcap Installer window. Finally, click Close in the Nmap Setup Window to complete your Nmap installation.

Opening the Nmap Command Line

Nmap is a command line utility. This is where you experience hackery goodness, because instead of mouse-clicking on icons like a mainstream office worker, you type commands like the few, the proud, the l33t old-sk00l coders. Here's how.

First, open the command prompt on your Windows computer. Click Start => Run. In the dialog box labeled Open, type cmd. Press Enter. Voila! Meet the command line, left over from the days when Windows was based on the antique Disk Operating System (DOS).

You should see something blinking, in front of some odd characters like these:

C:\>

The letter refers to various drives (real and virtual) on your system. If you see any letter of the alphabet other than C, type C: and press Enter.

If you followed the installation defaults, you just installed Nmap into your c:\Program Files\nmap directory. To run Nmap, you must first navigate to that directory. So, type cd\program files\nmap and press Enter. When you use the command line, syntax is always critical. Note the backwards slash, and the space between "program" and "files."

You are now poised to unleash Nmap's power on your network. Which we will do tomorrow, in Part 2. ##

Part 2

In Part 1 of this series, we introduced you to network scanners in general, and an excellent free one in particular, Nmap. You also learned how to obtain and install Nmap. Here in Part 2, you'll use Nmap to find out how many devices are active on your network. In Part 3, tomorrow, you'll try your first network scan, and we'll explain how to interpret the results.

This series assumes you have mastered basic concepts of networking, but do not have a lot of experience managing network security. To understand what follows, you should have a working grasp of IP addresses, subnet masks, and slash notation.

Getting Oriented on Your Own Network

If you're going to scan your whole network at once -- and you are! -- you need to know your network IP address, a single address that represents your entire network.

You can learn your network IP address easily using the command line. If you don't have your DOS prompt open, access it now (and if you don't know how to, refer to the last paragraphs of Part 1). At the blinking prompt, type ipconfig and press Enter. Your results will differ from ours in the details, but will look generally like this:

C:\Program Files\Nmap>ipconfig
Windows IP Configuration
Ethernet adapter Wireless Network Connection 3:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.111.34
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.39.14

C:\Program Files\Nmap>

If you or your predecessor originally designed your network using the most common subnet masks such as 255.255.255.0 (in slash notation, /24), 255.255.0.0 (/16), or 255.0.0.0 (/8), it's easy to figure out your network's IP address, since it will always end in zero. For instance, based on the sample IPCONFIG above, you know our test computer has a 192.168.111.34 address and a 255.255.255.0 or /24 subnet mask. That subnet mask indicates that the first three octets of an address designate the network. We also just mentioned that the most common subnets, such as /24, always end in a zero for the network address. So the network address of our sample computer is 192.168.111.0/24.

However, when you subdivide networks into smaller pieces using less common subnet masks, it's more difficult to find your network address without knowing how subnet masking works on a binary level. The network address won't always end in zero, so then you have to calculate it. Don't worry, though; we have a trick that will tell you your network IP address without any calculation at all.

Using the command prompt, the ROUTE command actually lists every network route on your computer. It's intended to help you figure out how your computer reaches other networks, but that's not how you'll use it today. Besides having routes to other networks, your computer also has a route to your own local network. Your computer creates this route using your local network IP address. So, we'll use the ROUTE command to display the routes to your local network, and in that way, see your network IP address.

In the command prompt, type:

route print 192*

If appropriate, replace the "192" with the first octet of your own computer's IP address (which you learned from your IPCONFIG results). Then press Enter. Your results should resemble Figure 1 (showing your own IP addresses, of course):

Much of the ROUTE command's output lists information about your network card that we don't care about right now. In our sample output, we've displayed the line of interest in orange text. The first IP address in our output shows our network IP address: 192.168.111.0 with the subnet mask 255.255.255.0 (or 192.168.111.0/24). Similarly, your network IP address should be the first IP address you see in your output.
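For the case the text says requires calculation (a mask that is not /8, /16 or /24), here is the binary-level arithmetic done for you. This is an added example, not code from the original article; it uses Python's standard ipaddress module and the article's sample address, plus a constructed /26 host to show a network address that does not end in zero.

```python
# Added example (not from the original article): derive the network address in
# slash notation that Nmap expects, from an IPCONFIG-style address and mask.
import ipaddress


def network_address(ip: str, mask: str) -> str:
    """Return the network in slash notation, e.g. '192.168.111.0/24'."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    # A valid mask is a run of 1 bits followed by 0 bits; reject anything else
    # (a typo such as 255.255.0.255 would otherwise give a nonsense network).
    prefix = bin(mask_int).count("1")
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    # The network address is simply the bitwise AND of address and mask.
    net_int = ip_int & mask_int
    return f"{ipaddress.IPv4Address(net_int)}/{prefix}"


def address_count(network: str) -> int:
    """How many addresses a scan of this network will touch (256 for a /24)."""
    return ipaddress.ip_network(network, strict=False).num_addresses


if __name__ == "__main__":
    # The article's sample host: 192.168.111.34 with mask 255.255.255.0
    print(network_address("192.168.111.34", "255.255.255.0"))    # 192.168.111.0/24
    # Constructed: the same network subdivided with a /26 mask; the network
    # address of this host ends in 64, not zero.
    print(network_address("192.168.111.70", "255.255.255.192"))  # 192.168.111.64/26
```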

Presto! You now have the address you need in order to scan your entire network. So let's get back to Nmap.

How nmap counts your networked devices

We're helping you get acquainted with Nmap, but you hardly need us if you're willing to experiment a little and read a lot. To access Nmap's help file, at the command prompt just type nmap and press Enter. That's one convenient way to learn about Nmap's options.

Though nmap is a port scanner, you can use it to do many things. For starters, we'll use Nmap's ping-scan option to automate the task of counting how many computers are currently active on your network. In the command prompt, type

nmap -sP 192.168.111.0/24

(Of course, replace our sample network's IP address with your network IP address.) You should see a result similar to this:

C:\Program Files\Nmap>nmap -sP 192.168.111.0/24
Starting Nmap 4.20 (http://www.insecure.org/nmap ) at 2007-05-08 12:18 Pacific Standard Time

Host 192.168.111.1 appears to be up.
MAC Address: 00:01:02:55:73:C3 (3com)

Host 192.168.111.3 appears to be up.
MAC Address: 00:10:5A:27:5C:44 (3com)

Host 192.168.111.254 appears to be up.
MAC Address: 00:90:7F:2E:1D:FB (WatchGuard Technologies)

Host frodolinux.hogwarts.lsstest.dyndns.org (192.168.111.16) appears to be up.
MAC Address: 00:04:76:22:C6:65 (3 Com)

Host 192.168.111.34 appears to be up.

Host 192.168.111.126 appears to be up.
MAC Address: 00:10:4B:0E:E6:E6 (3com)

Nmap finished: 256 IP addresses (6 hosts up) scanned in 5.797 seconds

When you ran that command, Nmap pinged every IP address in the range of the network IP address you supplied. Nmap lists information for the IPs that responded to this request. So the list of IP addresses in our sample result show networked devices that currently respond to ping requests. In this example, Nmap found the following six IPs active on our test network:

192.168.111.1
192.168.111.3
192.168.111.254
192.168.111.16
192.168.111.34
192.168.111.126

As you might guess, this is not the most accurate count possible. If you divide some segments of your network using an internal firewall, the firewall might hide any devices behind it. And devices on your network that are powered off when you scan won't respond. But the results are still useful. Repeat the command over time to learn what "normal" is on your network. If a daily scan typically returns 18 to 22 authorized devices, and one day it finds 35, you know it's time to investigate. (Maybe one of the engineers added a rogue wireless access point and now the neighboring businesses are piggybacking onto your WiFi Internet access.)
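The "learn what normal is" advice above can be automated: keep a list of authorized devices and compare each day's ping-scan output against it. This is an added example, not code from the original article; it parses the output format shown above (saved to a file with the > redirection described next) and reports new hosts, hosts whose MAC address changed, and hosts that went missing. The sample output and the baseline are constructed from the article's scan.

```python
# Added example (not from the original article): compare an "nmap -sP" ping
# sweep against a baseline of authorized devices.
import re

# Constructed sample: a later sweep of the article's network, as saved to a file.
SAMPLE_SWEEP = """\
Host 192.168.111.1 appears to be up.
MAC Address: 00:01:02:55:73:C3 (3com)
Host 192.168.111.3 appears to be up.
MAC Address: 00:10:5A:27:5C:44 (3com)
Host frodolinux.hogwarts.lsstest.dyndns.org (192.168.111.16) appears to be up.
MAC Address: 00:04:76:22:C6:65 (3 Com)
Host 192.168.111.34 appears to be up.
Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.797 seconds
"""

# "Host <ip> appears to be up." or "Host <name> (<ip>) appears to be up."
HOST_RE = re.compile(r"^Host (?:\S+ )?\(?(\d+\.\d+\.\d+\.\d+)\)? appears to be up\.")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?", re.I)


def parse_ping_sweep(text):
    """Return {ip: mac}. The scanning computer itself (192.168.111.34 in the
    article) never gets a MAC line, so its value stays None."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = None
            continue
        m = MAC_RE.match(line)
        if m and current:
            hosts[current] = m.group(1).upper()
    return hosts


def compare_to_baseline(scan, baseline):
    """baseline is {ip: mac} for authorized devices (mac may be None).
    Returns (new_ips, changed_mac_ips, missing_ips), each sorted."""
    new = sorted(ip for ip in scan if ip not in baseline)
    changed = sorted(ip for ip in scan if ip in baseline
                     and scan[ip] is not None and scan[ip] != baseline[ip])
    missing = sorted(ip for ip in baseline if ip not in scan)
    return new, changed, missing


if __name__ == "__main__":
    # Constructed baseline: what the administrator recorded on day one.
    baseline = {"192.168.111.1": "00:01:02:55:73:C3",
                "192.168.111.3": "00:10:5A:27:5C:99",   # a different card today
                "192.168.111.34": None,
                "192.168.111.126": "00:10:4B:0E:E6:E6"}
    new, changed, missing = compare_to_baseline(parse_ping_sweep(SAMPLE_SWEEP), baseline)
    print("new hosts to investigate:", new)        # ['192.168.111.16']
    print("MAC changed (swapped device?):", changed)  # ['192.168.111.3']
    print("expected but silent:", missing)          # ['192.168.111.126']
```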

If you have many active IPs on your network, your Nmap ping results quickly scroll off the command prompt window. Here are two methods to run the same command, managing the output in different ways. You can use these methods when running any command line application:


To pause output before it scrolls off screen, add more
Example: Nmap -sP 192.168.111.0/24 more
(Press your spacebar or the Enter key to continue output)

To capture output to a text file, specify a file name
Example: Nmap -sP 192.168.111.0/24 > filename.txt
(Change "filename" to any name you like)

Using Nmap to automate your pings, rather than manually pinging hundreds of addresses yourself, is cool. You now know how many devices respond on your network. But that's not even Nmap's primary purpose! You want to use it to port scan your network. So let's do it -- in Part 3, tomorrow. ##

Part 3

Recap: Part 1 introduced port scanners in general, and Nmap in particular. You learned where to get Nmap for free, and you installed it. In Part 2, you learned your network IP address and used Nmap to count the active devices on your network. Now, in the series' conclusion, you're ready to port scan your network and interpret the results.

Nmap has many powerful options. However, you probably don't have time to learn all of Nmap's features right now. So we'll just show you a single big ol' Nmap command, with some options switched on, that should provide almost all you want to know about your local network. Think of this command as "Nmap's greatest hits."

Here it is:
Nmap -P0 -sS -sV -O 192.168.111.0/24 > output.txt

As usual, when you try this command, replace our sample network's IP address with your own network IP. You can also change "output.txt" to any filename you like. You're naming the file where Nmap will record the output from this scan.

What does each parameter in the command do? Briefly:

-P0. This switch tells Nmap not to ping a host before scanning it. As we alluded to when we described ping in Part 2, in some exceptional cases a computer that is active won't respond to ping (for example, when guarded by a firewall). Smart little Nmap can still find these stealth computers without relying on ping.

-sS. This switch tells Nmap to perform a SYN-based port scan. SYN is short for "synchronize," the first packet sent when one computer tries to connect to another using TCP. A SYN-based port scan is the most common method, among many possible methods.

-sV. This switch tells Nmap to attempt to find the service and version information of the ports it finds open. For instance, if Nmap learns port 80 is open, it tries to discern which web server runs on that port, as well as what version. Think of these as very educated guesses. Nmap is not always right.

-O. This switch tells Nmap to guess what operating system is running on any computer it scans. This, too, is a very informed estimate, not necessarily rock-solid truth.

We assume that as your company's network administrator, you have senior management's permission to perform analytical operations on your network. If not, this type of Nmap scan can be interpreted as a hostile or provocative action, so go no farther without authorization. But if you are authorized, we encourage you to try this command now.

Type the command above in your command prompt (carefully...remember, syntax matters!) and press Enter. Depending on the size of your network, and speed of your computer, this command could complete in a minute, an hour, or longer.

When the command completes, you see a new command prompt. But you won't see any obvious results. That's because you redirected the results to a text file called output.txt (or whatever you renamed it). To see Nmap's results, open output.txt in a text editor. If you followed the default install in Part 1, you'll find output.txt in c:\program files\nmap.

Interpreting the Results of Your Scan

You just scanned your whole network, so your results could be lengthy, depending on how many active hosts are on your network. Rather than describing the entire result at once, let's take it a chunk at a time.

Figure 2 shows a sample of the results from the Nmap scan you just performed. This excerpt contains Nmap's results for one host on our sample network. Once you understand how to read this one excerpt, you'll be able to read the rest of Nmap's results. So follow along with our commentary.

The first line of this excerpt tells you that the result that follows belongs to the IP address 192.168.39.1.

The second line of this excerpt says that Nmap scanned 1,659 of that host's ports during the scan. Yes, you're right: 1,659 is fewer than a host's potential 65,535 ports. To save time, by default Nmap scans only the common, well-known ports. You can force Nmap to scan all 65,535 ports if you like. However, scans that large take an extremely long time. And really, scanning the well-known ports usually tells you all you need to know about that host.

The third line of this excerpt lists four column headings: PORT, STATE, SERVICE, and VERSION. Here's what each heading means:

The PORT column represents the ports (and protocols) Nmap found on the sample host, 192.168.39.1.

The STATE column tells you whether each port is open or in some other intermediate state, such as filtered, where something (typically a firewall) kept Nmap from determining whether the port is open. You will never see closed ports in Nmap's results. Nmap doesn't display the port if it's closed.

The SERVICE column tells you the well-known network service that usually resides on that port. It displays the service either by formal protocol name, or in a sort of technical shorthand. You will recognize some of these services, such as HTTP, SMTP, and FTP, from your network experience. With over a thousand possible services, you won't recognize them all. But you have a few options to help you learn what a service is. First, in Nmap's c:\program files\nmap directory, you can open a file named nmap-services in any text editor to read all the services Nmap recognizes. This list contains a longer description of most of the services that appear in the service column. If you still don't recognize a service by either its shorthand or longer description, look both up using Google. You typically find a hundred sites that explain what that service does.

The VERSION column tells you what specific program the host you scanned uses to control the service in question. It also attempts to tell you that program's version.

Now that you know what each heading is, you should be able to interpret much of what follows. A new line appears under these four headings for each open port on a scanned host.

Let's practice interpreting a few random lines from our sample excerpt. First:
25/tcp open smtp Microsoft ESMTP 5.0.2195.6713

This line tells you that the host Nmap scanned has port 25 open. Port 25 is the SMTP, or email, service port. Nmap thinks the host is probably running Microsoft's ESMTP Mail Server, version 5.0.2195.6713.

Second example:
80/tcp open http Microsoft IIS webserver 5.0

In this line, we learn that port 80, the HTTP or web service port, is open on the scanned host. According to Nmap's best guess, this port is probably running Microsoft's IIS version 5.0 Web server. This is not really rocket science, huh?
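Reading these lines by hand works for one host; for a network's worth of output.txt you want the columns parsed and the unexpected ones flagged, so you can close unnecessary services as Part 1 suggests. This is an added example, not code from the original article; the approved-services list and the extra sample lines (a UDP port in the open|filtered state with no version guess) are constructed.

```python
# Added example (not from the original article): parse PORT / STATE / SERVICE /
# VERSION lines from Nmap's output and flag open ports a host is not approved
# to expose.
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class PortLine(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]  # None when Nmap had no version guess


# PORT, STATE and SERVICE are single tokens; VERSION is free text and may be absent.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")


def parse_port_line(line: str) -> Optional[PortLine]:
    """Return a PortLine, or None for lines that are not part of the port table
    (the column headings, the MAC Address line, the OS guesses, and so on)."""
    m = PORT_RE.match(line)
    if not m:
        return None
    port, proto, state, service, version = m.groups()
    return PortLine(int(port), proto, state, service, version)


def unexpected_open_ports(lines: List[str],
                          approved: Set[Tuple[int, str]]) -> List[PortLine]:
    """approved holds the (port, protocol) pairs this host is supposed to serve.
    Returns every open (or possibly open) port that is not on that list."""
    flagged = []
    for line in lines:
        entry = parse_port_line(line)
        if entry is None:
            continue
        # 'open|filtered' means Nmap could not rule the port out; treat it as open.
        if entry.state.startswith("open") and (entry.port, entry.proto) not in approved:
            flagged.append(entry)
    return flagged


# Constructed sample: the two lines discussed above plus a UDP line with no version.
SAMPLE_LINES = [
    "PORT     STATE         SERVICE     VERSION",
    "25/tcp   open          smtp        Microsoft ESMTP 5.0.2195.6713",
    "80/tcp   open          http        Microsoft IIS webserver 5.0",
    "137/udp  open|filtered netbios-ns",
    "MAC Address: 00:01:02:55:73:C3 (3Com)",
]

if __name__ == "__main__":
    # Constructed policy: this host is only supposed to be a mail server.
    for entry in unexpected_open_ports(SAMPLE_LINES, {(25, "tcp")}):
        print(f"not approved: {entry.port}/{entry.proto} {entry.service} "
              f"({entry.state}) version={entry.version}")
```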

After all the lines that follow the PORT, STATE, SERVICE, VERSION columnar format, you eventually come to lines that no longer follow this format. You'll see a line that tells you the MAC address of the host that was scanned. In our example, the host uses a 3COM network card.

The next line tells you the type of device you most likely scanned. So far, we've referred to the IP we scanned as a "host" because we don't know if it's a computer, a printer, a specialized network device, or what -- until now, that is. The "Device Type" line tells you what device Nmap thinks it's found. Our example says "general purpose," which typically indicates a computer.

Finally, the remaining lines tell you what operating system Nmap thinks is running on this computer. Nmap thinks this computer runs either Windows ME, 2000, or XP.

And that is enough to get you started. You now can interpret Nmap's port scan results. Sure, if you have a large network, you may have hundreds of excerpts like this. But you interpret them all the same way. Lather, rinse, repeat.

Are you now a port scanning expert? Well, hardly. Our hope is that this small amount of interaction with Nmap has torn away any intimidating mystique that command line tools might have held for you. We hope it has whetted your appetite to learn more.

Scan on a regular, recurring basis until you have a feel for what's normal on your network. Read up on results that puzzle you. Then you've dramatically increased your likelihood of spotting interlopers -- and it didn't take a penny out of your department's budget. ##