Nmap in the Enterprise: Your Guide to Network Scanning
By Angela Orebaugh and Becky Pinkard
About this ebook
- Understand Network Scanning: Master networking and protocol fundamentals, network scanning techniques, common network scanning tools, along with network scanning and policies.
- Get Inside Nmap: Use Nmap in the enterprise, secure Nmap, optimize Nmap, and master advanced Nmap scanning techniques.
- Install, Configure, and Optimize Nmap: Deploy Nmap on Windows, Linux, Mac OS X, and install from source.
- Take Control of Nmap with the Zenmap GUI: Run Zenmap, manage Zenmap scans, build commands with the Zenmap command wizard, manage Zenmap profiles, and manage Zenmap results.
- Run Nmap in the Enterprise: Start Nmap scanning, discover hosts, port scan, detect operating systems, and detect service and application versions.
- Raise those Fingerprints: Understand the mechanics of Nmap OS fingerprinting, Nmap OS fingerprint scan as an administrative tool, and detect and evade the OS fingerprint scan.
- Tool around with Nmap: Learn about Nmap add-on and helper tools: NDiff--Nmap diff, RNmap--Remote Nmap, Bilbo, Nmap-parser.
- Analyze Real-World Nmap Scans: Follow along with the authors to analyze real-world Nmap scans.
- Master Advanced Nmap Scanning Techniques: Torque Nmap for TCP scan flags customization, packet fragmentation, IP and MAC address spoofing, adding decoy scan source IP addresses, add random data to sent packets, manipulate time-to-live fields, and send packets with bogus TCP or UDP checksums.
Angela Orebaugh
Angela Orebaugh (CISSP, GCIA, GCFW, GCIH, GSEC, CCNA) is a Senior Scientist in the Advanced Technology Research Center of Sytex, Inc., where she works with a specialized team to advance the state of the art in information systems security. She has over 10 years of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. She has a Master's in Computer Science and is currently pursuing her Ph.D. with a concentration in Information Security at George Mason University.
Book preview
Chapter 1
Introducing Network Scanning
Solutions in this chapter:
■ What is Network Scanning?
■ Networking and Protocol Fundamentals
■ Network Scanning Techniques
■ Common Network Scanning Tools
■ Who Uses Network Scanning?
■ Detecting and Protecting
■ Network Scanning and Policy
☑ Summary
☑ Solutions Fast Track
☑ Frequently Asked Questions
Introduction
About ten years ago I was working as a Network Administrator managing a medium-size network. One of my first tasks in this position was to create a network asset database for all network devices. We already had a high-priced, although functionally deficient, network management tool that just wasn’t making the cut. Using the output from the management tool as a starting point I began painstakingly connecting to each network device, and documenting them to inventory the network. This also involved a lot of hours physically traversing buildings, basements, and wiring closets. Finally, it seemed that I had visited every nook and cranny and identified every router, bridge, switch, hub, and archaic telecommunications device retrofitted to the network. For security, I wrote a UNIX script to connect to the known devices and disable physical ports that weren’t being used and enable security features on the devices. This is when things started to get complicated. Suddenly the help desk phones started ringing and people were complaining of lost network connectivity. Alas, there were even more devices out there that we didn’t know about! Luckily the UNIX script was easily reversible. After hearing my woes that evening a hacker friend of mine pointed out a new tool for scanning networks that he read about in Phrack magazine. It was a bit controversial, but it was free and it looked like it could do the job. The next day became my first experience with Nmap, a network scanner, and since that day it has been making my life a whole lot easier.
What is Network Scanning?
Network scanning is the process of discovering active hosts on the network and information about those hosts, such as operating system, active ports, services, and applications. Network scanning comprises the following four basic techniques:
■ Network Mapping Sending messages to a host that will generate a response if the host is active
■ Port Scanning Sending messages to a specified port to determine if it is active
■ Service and Version Detection Sending specially crafted messages to active ports to generate responses that will indicate the type and version of service running
■ OS Detection Sending specially crafted messages to an active host to generate certain responses that will indicate the type of operating system running on the host
In addition to these basic techniques, advanced network scanners can perform other techniques such as masking the origin of the scanning, enabling timing features for stealthy scans, evading perimeter defenses such as firewalls, and providing reporting options.
The following is an example of the type of output you would expect from a network scan:
■ Host 192.168.100.1 is responding
■ Open ports include:
■ 135/tcp open msrpc
■ 139/tcp open netbios-ssn
■ 445/tcp open microsoft-ds
■ 3389/tcp open ms-term-serv
■ 8081/tcp open blackice-icecap
■ The operating system is Windows XP SP2
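The output above is easy to read by eye but, as the introduction's inventory story shows, the real value comes from comparing it against what the asset database says a host should expose. The following is an added example, not code from the book: it parses the line format shown above into a record and reports open ports that are missing from a hypothetical baseline for that host.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the output format shown above (hypothetical host,
# not a real inventory).
SAMPLE_SCAN = """\
Host 192.168.100.1 is responding
Open ports include:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-term-serv
8081/tcp open blackice-icecap
The operating system is Windows XP SP2
"""

HOST_RE = re.compile(r"^Host (\S+) is responding$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)$")
OS_RE = re.compile(r"^The operating system is (.+)$")


@dataclass
class ScanResult:
    host: str = ""
    os: str = ""
    ports: dict = field(default_factory=dict)  # (port, proto) -> service name


def parse_scan(text: str) -> ScanResult:
    """Parse the line-oriented scan output into a structured record."""
    result = ScanResult()
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            result.host = m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            if state == "open":
                result.ports[(int(port), proto)] = service
        elif m := OS_RE.match(line):
            result.os = m.group(1)
    return result


def unexpected_ports(result: ScanResult, baseline: set) -> dict:
    """Return open ports that the asset baseline does not list for this host."""
    return {k: v for k, v in result.ports.items() if k not in baseline}


# Hypothetical baseline: the ports the asset database expects on this host.
BASELINE = {(135, "tcp"), (139, "tcp"), (445, "tcp"), (3389, "tcp")}

if __name__ == "__main__":
    r = parse_scan(SAMPLE_SCAN)
    print(r.host, r.os)
    for (port, proto), svc in unexpected_ports(r, BASELINE).items():
        print(f"unexpected open port: {port}/{proto} ({svc})")
```

With the sample above, the only port not covered by the baseline is 8081/tcp, which is exactly the kind of finding that sends an administrator back to the asset database.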
Note
Throughout this book the terms device, host, and system may be used interchangeably.
Networking and Protocol Fundamentals
This section provides background information on how networks and protocols work. However, there are many other excellent resources available, including the most popular and undoubtedly one of the best written, Richard Stevens’ TCP/IP Illustrated, Vol. 1–3.
Explaining Ethernet
Ethernet is the most popular protocol standard used to enable computers to communicate. A protocol is like speaking a particular language. Ethernet was built around the principle of a shared medium where all computers on the local network segment share the same cable. It is known as a broadcast protocol because it sends the data to all other computers on the same network segment. This information is divided up into manageable chunks called packets, and each packet has a header containing the addresses of both the destination and source computers. Even though this information is sent out to all computers on a segment, only the computer with the matching destination address responds. All of the other computers on the network still see the packet, but if they are not the intended receiver they disregard it.
Ethernet addresses are also known as Media Access Control (MAC) addresses and hardware addresses. Because many computers may share a single Ethernet segment, each one must have an individual identifier hard-coded onto the network interface card (NIC). A MAC address is a 48-bit number, which is also stated as a 12-digit hexadecimal number. This number is broken down into two halves; the first 24 bits identify the vendor of the Ethernet card, and the second 24 bits comprise a serial number assigned by the vendor.
The following steps allow you to view your NIC’s MAC address:
■ Windows 9x/ME Access Start | Run and type winipcfg.exe. The MAC address will be listed as the Adapter Address.
■ Windows NT, 2000, XP, and 2003 Access the command line and type ipconfig /all. The MAC address will be listed as the Physical Address.
■ Linux and Solaris Type ifconfig -a at the command line. The MAC address will be listed as the HWaddr on Linux and as ether on Solaris.
■ Macintosh OS X Type ifconfig -a at the Terminal application. The MAC address will be listed as the Ether label.
You can also view the MAC addresses of other computers that you have recently communicated with, by typing the command arp -a. The Address Resolution Protocol (ARP) is responsible for mapping IP addresses to MAC addresses.
MAC addresses are unique, and no two computers should have the same one. However, occasionally a manufacturing error may occur that causes more than one NIC to have the same MAC address. People may also choose to change their MAC addresses intentionally, which can be done with a program (e.g., ifconfig) that allows you to fake your MAC address. Faking your MAC address (and other types of addresses) is also known as spoofing. Some adapters allow you to use a program to reconfigure the runtime MAC address. And lastly, with the right tools and skill you can physically re-burn the address into the NIC.
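The two-halves structure described above (24-bit vendor identifier, 24-bit vendor-assigned serial) is something an administrator can check programmatically, and the first octet also carries two IEEE 802 flag bits that are useful when reviewing an arp -a listing: the locally administered bit, which is typically set on addresses changed in software rather than burned in by the vendor, and the group/multicast bit. The following is an added example, not code from the book; the OUI-to-vendor mapping and the ARP table are constructed stand-ins, not a real registry or a real network.

```python
import re

# Tiny hypothetical stand-in for the IEEE OUI registry (constructed).
OUI_VENDORS = {"00:0c:29": "VMware (example)", "00:1b:63": "Apple (example)"}


def normalize_mac(mac: str) -> str:
    """Accept 00:1b:63:aa:bb:cc, 00-1B-63-AA-BB-CC or 001b.63aa.bbcc and
    return the canonical lowercase colon-separated form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(mac: str) -> dict:
    """Split a MAC into its two 24-bit halves and decode the flag bits of the
    first octet: bit 0 = group/multicast, bit 1 = locally administered."""
    canon = normalize_mac(mac)
    first_octet = int(canon[0:2], 16)
    return {
        "mac": canon,
        "oui": canon[0:8],      # vendor half (first 24 bits)
        "serial": canon[9:],    # vendor-assigned half (last 24 bits)
        "vendor": OUI_VENDORS.get(canon[0:8], "unknown"),
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
    }


def find_duplicates(arp_table: dict) -> dict:
    """Given an IP -> MAC mapping (e.g. parsed from 'arp -a'), return MACs that
    appear for more than one IP: a manufacturing duplicate, a spoofed address,
    or simply a router answering for several hosts (proxy ARP)."""
    by_mac = {}
    for ip, mac in arp_table.items():
        by_mac.setdefault(normalize_mac(mac), []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed ARP table for demonstration (not a capture from a real network).
SAMPLE_ARP = {
    "192.168.100.1": "00-0C-29-11-22-33",
    "192.168.100.2": "00:0c:29:11:22:33",
    "192.168.100.3": "001b.63aa.bbcc",
    "192.168.100.4": "02:00:5e:10:00:01",
}

if __name__ == "__main__":
    for ip, mac in SAMPLE_ARP.items():
        print(ip, describe_mac(mac))
    print("duplicates:", find_duplicates(SAMPLE_ARP))
```

A duplicate or a locally administered address is not proof of spoofing on its own; it is a prompt to check the asset database and the switch's MAC table for that port.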
Note
Spoofing is the process of altering network packet information (e.g., the IP source address, the MAC address, or the e-mail address). This is often done to masquerade as another device in order to exploit a trust relationship or to make tracing the source of attacks difficult. Address spoofing is also used in DoS attacks (e.g., Smurf), where the return addresses of network requests are spoofed to be the IP address of the victim.
Understanding the Open Systems Interconnection Model
The International Standards Organization (ISO) developed the Open Systems Interconnection (OSI) model in the early 1980s to describe how network protocols and components work together. It divides network functions into seven layers, each layer representing a group of related specifications, functions, and activities (see Figure 1.1). Although complicated at first, the terminology is used extensively in networking, systems, and development communities. Understanding what these layers represent and how they work together will facilitate your comprehension of network scanning.
Figure 1.1 Seven Boxes Corresponding to the OSI Model
Note
The OSI model is not necessarily reflective of the way that applications and OSes are actually written. In fact, some security tools use the differences in protocol implementations to extract information from computers, including their OSes and the specific patches and service packs that may have been installed.
"We still talk about the seven layers model, because it’s a convenient model for discussion, but that has absolutely zero to do with any real-life software engineering. In other words, it’s a way to talk about things, not to implement them. And that’s important. Specs are a basis for talking about things. But they are not a basis for implementing software."
– Linus Torvalds, project coordinator for the Linux kernel, in an e-mail dated September 29, 2005 (http://lkml.org/lkml/2005/9/29/233).
The following sections define the seven layers of the OSI model.
Layer 1: Physical
The first layer of the OSI model is the Physical layer, which specifies the electrical and mechanical requirements for transmitting data bits across the transmission medium (cable or airwaves). It involves sending and receiving the data stream on the carrier, whether that carrier uses electrical (cable), light (fiber optic), radio, infrared, or laser (wireless) signals. The Physical layer specifications include:
■ Voltage changes
■ The timing of voltage changes
■ Data rates
■ Maximum transmission distances
■ The physical connectors to the transmission medium (plug)
■ The topology or physical layout of the network
Many complex issues are addressed at the Physical layer, including digital vs. analog signaling, baseband vs. broadband signaling, whether data is transmitted synchronously or asynchronously, and how signals are divided into channels (multiplexing).
Devices that operate at the Physical layer deal with signaling (e.g., transceivers on the NIC, repeaters, basic hubs, and simple connectors that join segments of cable). The data handled by the Physical layer is in bits of 1s (ones) and 0s (zeros), which are represented by pulses of light or voltage changes of electricity, and by the state of those pulses (on generally representing 1 and off generally representing 0).
How these bits are arranged and managed is a function of the Data Link layer (layer 2) of the OSI model.
Layer 2: Data Link
Layer 2 is the Data Link layer, which is responsible for maintaining the data link between two computers, typically called hosts or nodes. It also defines and manages the ordering of bits to and from packets. Frames contain data arranged in an organized manner, which provides an orderly and consistent method of sending data bits across the medium. Without such control, the data would be sent in random sizes or configurations and the data on one end could not be decoded at the other end. The Data Link layer manages the physical addressing and synchronization of the data packets. It is also responsible for flow control and error notification on the Physical layer. Flow control is the process of managing the timing of sending and receiving data so that it doesn’t exceed the capacity of the physical connection or host. Since the Physical layer is only responsible for physically moving the data onto and off of the network medium, the Data Link layer also receives and manages error messaging related to the physical delivery of