Hack #66. Keep an Inventory of Your Network

Use Nmap to keep track of the devices and services on your network.

As introduced in “Fool Remote Operating System Detection Software” [Hack #65], Nmap (http://www.insecure.org/nmap/) is a free tool that can be used to conduct various sorts of scans on networks. Normally, when people think of Nmap, they assume it’s used to conduct some sort of nefarious network reconnaissance in preparation for an attack. But as with all powerful tools, Nmap can be used for far more than breaking into networks.

For example, it allows you to conduct simple TCP connect scans (the -sT default when you are not root, which completes a full connection to each port it probes) without needing root privileges:

$ nmap rigel

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-15 17:42 MST
Interesting ports on rigel (192.168.0.61):
(The 1595 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE
7/tcp     open   echo
9/tcp     open   discard
13/tcp    open   daytime
19/tcp    open   chargen
21/tcp    open   ftp
22/tcp    open   ssh
23/tcp    open   telnet
25/tcp    open   smtp
37/tcp    open   time
79/tcp    open   finger
111/tcp   open   rpcbind
512/tcp   open   exec
513/tcp   open   login
514/tcp   open   shell
587/tcp   open   submission
4045/tcp  open   lockd
7100/tcp  open   font-service
32771/tcp open   sometimes-rpc5
32772/tcp open   sometimes-rpc7
32773/tcp open   sometimes-rpc9
32774/tcp open   sometimes-rpc11
32775/tcp open   sometimes-rpc13
32776/tcp open   sometimes-rpc15
32777/tcp open   sometimes-rpc17

Nmap run completed -- 1 IP address (1 host up) scanned in 75.992 seconds

This is tremendously useful for checking on the state of your own machines. The mix of rpcbind, lockd, a font server on 7100, and the "sometimes-rpc" ports above 32770 makes it a fair guess that this scan was performed on a Solaris machine, and one that needs some services disabled at that: echo, discard, daytime, chargen, finger, telnet, and the rsh family (exec, login, shell) have no business being reachable on a modern network.

Nmap can also scan ranges of IP addresses, indicated by either specifying the range or using CIDR notation, as follows:

$ nmap 192.168.0.1-254
$ nmap 192.168.0.0/24

Nmap can provide much more information if you run it as root. With root privileges it can craft raw packets, which lets it fingerprint the remote operating system with the -O flag and do half-open (SYN) scanning with the -sS flag. In a half-open scan, Nmap sends a SYN to each port and watches the reply: a SYN/ACK means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable) means it is filtered. Instead of answering the SYN/ACK with the final ACK of the normal three-way handshake (SYN, SYN/ACK, ACK), Nmap sends a RST, so the connection is never completed and the service listening on the port never sees it. That is why attackers favor this option: a connect scan shows up in the logs of every daemon that accepts a connection, whereas a SYN scan leaves nothing for the application to log. It does not hide the scan from a packet filter, an IDS, or a kernel that logs incoming SYNs, all of which see the probes just the same.

Try it out for yourself:

# nmap -sS -O rigel

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on rigel.nnc (192.168.0.61):
(The 1578 ports scanned but not shown below are in state: filtered)
Port       State       Service
7/tcp      open        echo                    
9/tcp      open        discard                 
13/tcp     open        daytime                 
19/tcp     open        chargen                 
21/tcp     open        ftp                     
22/tcp     open        ssh                     
23/tcp     open        telnet                  
25/tcp     open        smtp                    
37/tcp     open        time                    
79/tcp     open        finger                  
111/tcp    open        sunrpc                  
512/tcp    open        exec                    
513/tcp    open        login                   
514/tcp    open        shell                   
587/tcp    open        submission              
7100/tcp   open        font-service            
32771/tcp  open        sometimes-rpc5          
32772/tcp  open        sometimes-rpc7          
32773/tcp  open        sometimes-rpc9          
32774/tcp  open        sometimes-rpc11         
32775/tcp  open        sometimes-rpc13         
32776/tcp  open        sometimes-rpc15         
32777/tcp  open        sometimes-rpc17         
Remote operating system guess: Solaris 9 Beta through Release on SPARC
Uptime 44.051 days (since Sat Nov  1 16:41:50 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 166 seconds

With OS detection enabled, Nmap's fingerprint match agrees that the operating system is Solaris, and it adds that it's probably Version 9 running on a SPARC processor. Treat this as a guess rather than a confirmation: the match is made by comparing the host's TCP/IP stack quirks against a fingerprint database, and the output says "guess" for a reason.

One powerful feature you can use to help keep track of your network is Nmap’s XML output capabilities, activated with the -oX command-line switch:

# nmap -sS -O -oX scandata.xml rigel

This is especially useful when scanning a range of IP addresses or your whole network, because you can put all the information gathered from the scan into a single XML file that can be parsed and inserted into a database. Here’s what an XML entry for an open port looks like:

<port protocol="tcp" portid="22">
<state state="open" />
<service name="ssh" method="table" conf="3"  />
</port>

This is especially powerful when combined with the Nmap::Parser Perl module (http://npx.sourceforge.net), which allows you to read Nmap’s XML output. When paired with Perl’s DBI for database access, you have the makings of a tool that can easily generate a database of network devices. Parsing an Nmap XML file is as easy as this:

use strict;
use warnings;
use Nmap::Parser;

my $np = Nmap::Parser->new;             # class-method call rather than the indirect-object "new Nmap::Parser"
my $file_xml = "an_nmap_xml_file.xml";  # the -oX output from the scan above
$np->parsefile($file_xml);              # read and parse the whole XML document

Then, all you need to do is call the parser object’s accessor methods to get at the data.

Nmap is a powerful tool. By using its XML output capabilities, a little bit of scripting, and a database, you can create an even more powerful tool that can monitor your network for unauthorized services and machines.
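Here is the kind of inventory tool the preceding paragraphs describe (parse the -oX output, put it in a database, and report unauthorized hosts and services), as an added example rather than code from the book or from the Nmap or Nmap::Parser projects. It swaps the Perl Nmap::Parser and DBI pair for Python's standard library (xml.etree for the XML, sqlite3 for the database), consumes a constructed -oX document shaped like the `<port>` entry shown above, and audits the result against an approved baseline. The baseline format, the sqlite schema, and the hosts 192.168.0.77 and 192.168.0.78 are assumptions made for the example.

```python
"""Added example: parse Nmap -oX output, store it in sqlite, flag deviations from a baseline.
Uses xml.etree and sqlite3 from the Python standard library instead of Nmap::Parser and DBI."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample shaped like Nmap 3.x -oX output and the <port> entry shown in the
# text. rigel is the host scanned above; 192.168.0.77 and .78 are made up for the example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -oX scandata.xml 192.168.0.0/24">
<host><status state="up"/>
<address addr="192.168.0.61" addrtype="ipv4"/>
<hostnames><hostname name="rigel" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet" method="table" conf="3"/></port>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http" method="table" conf="3"/></port>
</ports></host>
<host><status state="up"/>
<address addr="192.168.0.77" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" method="table" conf="3"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.0.78" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumed baseline format: approved hosts and the (protocol, port) pairs each may expose.
BASELINE = {
    "192.168.0.61": {("tcp", 22), ("tcp", 25), ("tcp", 587)},
    "192.168.0.78": {("tcp", 22)},
}


def parse_nmap_xml(xml_text):
    """Return {addr: {"hostname": ..., "open": {(proto, port): service}}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr_el is None:
            continue  # down hosts carry no port data; skip entries without an IPv4 address
        hn = host.find("hostnames/hostname")
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not inventory
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            open_ports[key] = svc.get("name") if svc is not None else "unknown"
        hosts[addr_el.get("addr")] = {"hostname": hn.get("name") if hn is not None else None,
                                      "open": open_ports}
    return hosts


def open_inventory(path=":memory:"):
    """Open or create the sqlite inventory database (schema is an assumption of this example)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS scans (id INTEGER PRIMARY KEY, scanned_at TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS services (scan_id INTEGER, addr TEXT, hostname TEXT, "
                 "proto TEXT, port INTEGER, service TEXT)")
    return conn


def store_scan(conn, hosts, scanned_at):
    """Insert one parsed scan; returns its id so later scans can be compared against it."""
    scan_id = conn.execute("INSERT INTO scans (scanned_at) VALUES (?)", (scanned_at,)).lastrowid
    conn.executemany("INSERT INTO services VALUES (?, ?, ?, ?, ?, ?)",
                     [(scan_id, addr, h["hostname"], proto, port, svc)
                      for addr, h in hosts.items() for (proto, port), svc in h["open"].items()])
    conn.commit()
    return scan_id


def audit(hosts, baseline):
    """Compare a parsed scan against the baseline; returns every deviation, sorted."""
    report = {"unknown_hosts": [], "unexpected_services": [], "missing_services": []}
    for addr, h in sorted(hosts.items()):
        if addr not in baseline:
            report["unknown_hosts"].append(addr)  # a machine nobody approved
            continue
        for (proto, port), svc in sorted(h["open"].items()):
            if (proto, port) not in baseline[addr]:
                report["unexpected_services"].append((addr, proto, port, svc))
        for proto, port in sorted(baseline[addr] - set(h["open"])):
            report["missing_services"].append((addr, proto, port))
    report["missing_hosts"] = sorted(set(baseline) - set(hosts))  # approved but not seen up
    return report


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    store_scan(open_inventory(), scan, "2003-12-15T17:42")
    for kind, items in audit(scan, BASELINE).items():
        print(kind, items)
```

On the constructed sample the audit reports 192.168.0.77 as an unknown host, telnet on rigel as an unexpected service, rigel's approved submission port 587 as missing, and 192.168.0.78 as an approved host that did not answer. Keeping every scan in the database, keyed by scan id, is what lets you diff tonight's scan against last night's rather than only against a hand-maintained baseline; note that a missing service can mean the host is down or that the scan was filtered, not only that someone turned the daemon off.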