Hack 50. Interrogate the Network

When you absolutely need to know everything you can about a network or host, nmap can help.

The network monitoring tools discussed so far all achieve their goals by passively listening to traffic on the network. You can often get better results by actually asking machines directly for information rather than waiting for them to divulge it on their own. To find out more information about a particular machine (or an entire network of machines), you need a good active scanning utility. One of the most advanced and widely used network scanners is nmap. It is available at http://www.insecure.org/nmap, and is best summarized by the description on the web site:

nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

The most common use for nmap is to scan the TCP ports on a machine to determine which services are available. If run as root, it can also use advanced TCP fingerprinting techniques to make an educated guess about the OS of the target machine:

# nmap -O 10.15.6.1 Starting nmap V. 3.75 ( www.insecure.org/nmap/ ) Interesting ports on florian.rob.swn (10.15.6.1): (The 1590 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 53/tcp open domain 80/tcp open http 179/tcp open bgp 443/tcp open https 2601/tcp filtered zebra 2605/tcp filtered bgpd 3128/tcp filtered squid-http 3306/tcp filtered mysql 10000/tcp open snet-sensor-mgmt 10005/tcp open stel Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20 Uptime 65.988 days (since Thu Apr 17 18:33:00 2003) Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds

This scan was run on a server on my home network. The operating system guess and system uptime are both correct (it is a Linux 2.4.19 system that has been up for 65 days, 23 hours, and 43 minutes). Notice how nmap can also detect filtered TCP ports in addition to ports that accept connections. There is no guarantee that these services are actually in use, but since there is a firewall running, it's probably a good guess that at least some of them are active. Ports 10000 and 10005 are actually part of a home-grown monitoring system I'm using, as described in "Graph Your Wireless Performance" [Hack #38].

If you are curious about a particular user on your wireless network, nmap can tell you a good deal about the system they are running. Aside from scanning the ports of a single host, nmap can also scan entire networks. To fingerprint all of the machines on the local network, try something like this:

# nmap -sS -O 10.15.6.0/24

The /24 is Classless Inter-Domain Routing (CIDR) notation for the network mask, specifying that all IPs from 10.15.6.0 to 10.15.6.255 should be scanned. If the machine being scanned is running a good intrusion detection system (such as Snort; see http://www.snort.org), it might determine that a scan is in progress and take countermeasures. To try to work around this possibility, nmap provides a number of alternative scanning methods that can be very difficult to detect. The -sS switch tells nmap to use a stealth SYN scan rather than use a standard TCP connect. The scanning tool versus intrusion detection tool arms race has been going on ever since there have been such tools, and will likely continue for quite some time.

You can use nmap to help track down miscreants abusing your network or simply to take a poll of what your wireless users are running. It should be frequently used to probe your own machines to determine whether unexpected services suddenly crop up, or whether your firewall is properly configured. However you use it, nmap will provide valuable insight into the machines present on your wireless network.

Категории