This guide is designed to help value-added resellers (VARs), systems integrators and security consultants understand how to use Nmap -- an open source port scanning security tool that works on multiple platforms -- on their customers' networks. The guide includes advice on installation, configuration, scanning best practices, organizing information and selling the value of Nmap to customers.
Installing and configuring Nmap on Windows
Nmap was originally a command-line application for Unix, but a Windows version has been available since 2000. This tip looks at installing and configuring the Windows version of the open source network scanner.
Although you can download and install Nmap from a zip file, the latest version requires the free WinPcap packet capture library to be installed as well.
Learn more techniques for using Nmap with Windows.
Installing and configuring Nmap on Linux
Linux is the most popular platform for running Nmap. In fact, most Linux distributions actually include Nmap, although it may not be installed by default. Even if your system already has a copy of Nmap, you should consider upgrading to the latest version available from http://www.insecure.org/nmap/download.html. (Note that all Nmap releases are signed with a special Nmap Project Signing Key, which can be obtained from http://www.insecure.org/nmap/data/nmap_gpgkeys.txt.)
Get installation and troubleshooting advice for using Nmap with Linux.
Nmap: Scanning ports and services
Nmap is the ideal tool for performing a simple network inventory or vulnerability assessment. By default, Nmap performs a SYN Scan, which works against any compliant TCP stack, rather than depending on idiosyncrasies of specific platforms. It can be used to quickly scan thousands of ports, and it allows clear, reliable differentiation between ports in open, closed and filtered states.
Be sure you know how to discover visible Nmap ports, identify services and create an inventory.
Nmap: More port scanning techniques
Nmap's TCP Null (option -sN), FIN (option -sF) and Xmas (option -sX) scans exploit a subtle loophole in the TCP protocol specification as described in RFC 793. When scanning systems compliant with this RFC (such as most Unix-based systems), any packet that does not have the SYN, RST or ACK bits set will result in a returned RST (reset) packet if the port is closed, and no response at all if the port is open. If an RST packet is received, the port is considered closed, while no response means it is open or possibly filtered. The key advantage of these scans is that they can pass through certain non-stateful firewalls and packet-filtering routers.
Be prepared for the idiosyncrasies of certain platforms and protocols by using these Nmap-provided scans.
Nmap: Firewall configuration testing
In this tip we'll look at how Nmap can also be used to test the effectiveness of your firewall configuration.
One of the best ways to understand how your firewall handles uninvited traffic is to verify that its filters and rules are working as you anticipated. For example, one mistake many administrators make when creating rules for allowing traffic through their firewall is to trust traffic based simply on its source port number, such as DNS replies from port 53 or FTP from port 20. To test whether your firewall allows all traffic through on a particular port, you can use most of Nmap's TCP scans, including the SYN scan, with the spoof source port number option (--source-port, or -g for short).
Familiarize yourself with how Nmap can be used to test the effectiveness of firewall configuration.
Nmap: Techniques for improving scan times
Your objectives for running an Nmap scan will determine how you want it to run: slow and quietly, fast and furious, or somewhere in between. Therefore, Nmap includes a variety of timing options that allow you to affect almost every aspect of a scan.
By default, Nmap is set to not abort a scan due to time -- no matter how long it may take to complete. This can be overridden with the Host Timeout option (--host_timeout), which sets the amount of time a scan will wait before giving up on an IP address. This can be useful when scanning network devices over a slow connection or when the scan comes across a device that is slow in responding.
Ensure that you understand Nmap's timing options so you can improve efficiency.
Interpreting and acting on Nmap results
One of the regular tasks you'll be performing with Nmap is verifying that your firewall rules are performing as intended. To do so, run a scan to look for ports that appear open to the outside world and check whether they are filtered or not.
As most new viruses and spyware programs create open ports on infected machines, you can use Nmap to search for open ports after a reported outbreak using an ICMP echo ping (-PE) together with TCP SYN and UDP scans (options -sS and -sU).
Get details on Nmap scanning best practices and tips on working with the results.
Nmap: Parsers and interfaces
For a security tool to be useful you have to be able to understand what it's telling you about the setup, security, or weak points of your system or network. With Nmap you can run very comprehensive tests. To analyze the results it is often best to have the output recorded in XML format so that it can be easily imported into a database or converted into HTML for analysis and human consumption.
Get a list of tools and techniques to help you organize and interpret scan results.
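The following is an added example, not part of the original guide, that ties together the two practices above: it parses Nmap's XML output (-oX) into a host inventory and flags any port reported open that is not on an allow-list, which is the check you would run to confirm firewall rules behave as intended. The sample XML is constructed here, following the element and attribute names Nmap really emits; the IP address and the allow-list are assumptions.

```python
# Added example (not from the original guide): turn Nmap -oX output into an
# inventory and flag open ports that the firewall was supposed to filter.
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output for a SYN scan of one host.
# Element and attribute names follow Nmap's real XML schema.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
      <port protocol="tcp" portid="25"><state state="closed" reason="reset"/><service name="smtp"/></port>
    </ports>
  </host>
</nmaprun>
"""

def parse_inventory(xml_text):
    """Return {ip: [(proto, port, state, service), ...]} from Nmap XML."""
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.iter("port"):
            service = port.find("service")
            entries.append((port.get("protocol"), int(port.get("portid")),
                            port.find("state").get("state"),
                            service.get("name") if service is not None else ""))
        inventory[addr.get("addr")] = entries
    return inventory

def unexpected_open(inventory, allowed):
    """Ports reported open that are not in the allow-list of (ip, proto, port)."""
    return sorted((ip, proto, port) for ip, entries in inventory.items()
                  for proto, port, state, _ in entries
                  if state == "open" and (ip, proto, port) not in allowed)

if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_XML)
    allow = {("192.0.2.10", "tcp", 22), ("192.0.2.10", "tcp", 80)}  # assumed policy
    for ip, entries in inv.items():
        for proto, port, state, svc in entries:
            print(f"{ip} {proto}/{port} {state} {svc}")
    print("unexpected open:", unexpected_open(inv, allow))
```

Point the parser at a real file produced with -oX to run the same check against a customer scan; 443 shows as filtered here, so it is not flagged, while 3389 is open and outside the allow-list.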
Nmap and the open source debate
When deciding which software tool to use for a particular task it is important to review what the software does, ensure that its functionality matches your requirements, understand what help and support is provided, and make an assessment of the total cost of ownership. Let's take a look at how Nmap weighs in.
As Nmap is free it obviously comes in ahead of other network mappers in terms of cost. However, many IT administrators remain wary of open source software, often citing the lack of any warranty protection as a drawback when selling a proposal involving open source tools to senior management.
Get techniques for how to sell customers on the value of Nmap.
About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This was first published in April 2007