Get Identd Info
(-I)
The Identd service runs on some machines and provides additional information on that host when queried. It can provide data beyond what the port scan provides, such as operating system type. However, it usually only runs on UNIX systems. Nmap will also automatically do an OS identification using TCP fingerprints, so this feature is less useful than it used to be. If you don’t have UNIX systems on your network, it is not worth running with this option.
Resolve All
(-R)
This option tries to resolve every address in the range, even when they are not answering. This can be useful, for example, in an ISP network, where a whole range of host entries may be assigned to potential IP addresses for a dial-up pool, but only a certain number may be used at a given time.
OS Identification
(-O)
This option is set by default. As mentioned earlier, every TCP stack is slightly different. By comparing the exact “fingerprint” of the replies to a database of known TCP fingerprints, Nmap can usually identify the OS it is talking to with a fair amount of accuracy. It can even narrow it down to version ranges.
Occasionally, something will come up that it doesn’t know, and then it prints out the TCP response at the bottom of the report.
If you find one of these unidentified signatures, you can help build the OS fingerprint database. If you know for sure what the system is, cut and paste the signature into an e-mail to the Nmap development group. They will add it to the database so that when someone else scans that type of machine, it will be properly identified. You can find all the TCP fingerprints Nmap knows in the file nmap-os-fingerprints in the Data directory of the Nmap installation.
Send on Device
(-e interface_name)
This forces the scan packets to go out a specific interface. This is really needed only on a machine with multiple network cards or if Nmap doesn’t recognize your network interface automatically.
Table 4.7 Miscellaneous Nmap Options
110 Chapter 4 • Port Scanners
Services Tool. To do this, from the Control Panel menu select Administrative Tools, and then Services. You will see Nmap listed as a service; you can click on it and configure its properties.
This option is useful if you want to have Nmap run scans on a regular basis. You can set Nmap to scan your network once a week or once a month and report the results to you. Or you might just have it scan your servers to see if anything substantive has changed. If you are not going to be using this feature, I suggest you disable the service in Windows to conserve resources and for better security. You can do this by clicking on the Nmap service in the service viewer and changing the Start-up Type to Manual rather than Automatic. This change will take place the next time you reboot the machine. You can also manually stop the service by clicking on the Stop button.
Flamey the Tech Tip:
Friendly Nmap Scanning
As mentioned earlier, Nmap can cause problems on networks if used incorrectly or indiscriminately. Here are a few tips to keep your Nmap scanning safe.
• Select where you scan from carefully. Scanning from inside a network will generate a lot more information than scanning outside the firewall. Doing both and comparing the results is often useful, but it is less vital if a server shows an open port inside your network than if it shows one open from outside the firewall.
• You may want to run your scans early in the morning or late at night. That way, you minimize the chances of slowing down vital servers or user machines.
• If you are worried about overwhelming your network, put an older 10Mbps network card in your scanning machine or connect it via a 10Mbps hub. That way the maximum traffic it can put on the wire is 10Mbps, which is unlikely to overwhelm a 100Mbps network.
Output from Nmap
Nmap produces a report that shows each IP address found, the ports that were discovered listening on that IP, and the well-known name of the service (if it has one). It also shows whether that port was open, filtered, or closed. However, just because Nmap gets an answer back on port 80 and prints “http,” this does not mean that a Web server is running on that box, although it’s a good bet. You can always verify any suspicious open ports by telnetting to that IP address on the port number specified and seeing what response you get. If there is a Web server running there, you can usually get it to respond by entering the command GET / HTTP. This should return the default index home page as raw HTML (not as a pretty Web page), but you will be able to verify that a server is running there. You can do similar things with other services such as FTP or SMTP. In the UNIX version, Nmap also color codes the ports found according to what they are (see Table 4.8).
As you can see from Figure 4.3, this output lets you scan a report and quickly determine whether there are any services or ports you should be concerned with. This doesn’t mean you should ignore any unusual numbers that aren’t highlighted or bolded (in UNIX versions). Trojan horses and chat software often show up as unknown services, but you can look up a mystery port in the list of common ports in Appendix C or cross-reference it against a list of known bad ports to quickly determine if the open port is anything to be concerned about. If you can’t find it anywhere, you have to wonder what strange service is running on that machine that doesn’t use a well-known port number.
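The manual telnet check described above, done programmatically, as an added example that is not part of the chapter or of Nmap: it connects to a port Nmap reported as open, sends one GET / HTTP/1.0 request, and classifies the answer as a real Web server, some other service that merely answered, or nothing at all. The two demo listeners (a tiny HTTP responder and a service that greets with a constructed SMTP-style banner) are stand-ins started on loopback so the example runs offline; the DemoHTTPd banner and the mail.example.test name are invented.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_port(host, port, timeout=3.0):
    """Connect to host:port, send a minimal HTTP/1.0 request, and report what
    answers. 'kind' is 'http' (a status line came back), 'other' (something
    replied, but not HTTP), 'silent' (connected, nothing came back in time)
    or 'unreachable' (connect failed). Only what the service volunteers is
    read; nothing beyond the single GET is sent."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            try:
                while sum(len(c) for c in chunks) < 4096:
                    data = sock.recv(1024)
                    if not data:          # peer closed; HTTP/1.0 servers do so after the reply
                        break
                    chunks.append(data)
            except socket.timeout:
                pass                      # a quiet service: classify whatever arrived
    except OSError:
        return {"kind": "unreachable", "first_line": "", "server": ""}
    reply = b"".join(chunks)
    if not reply:
        return {"kind": "silent", "first_line": "", "server": ""}
    lines = reply.decode("latin-1").split("\r\n")
    result = {"kind": "other", "first_line": lines[0], "server": ""}
    if lines[0].startswith("HTTP/"):
        result["kind"] = "http"
        for header in lines[1:]:
            if not header:                # blank line ends the header block
                break
            name, _, value = header.partition(":")
            if name.strip().lower() == "server":
                result["server"] = value.strip()
    return result


class _DemoHandler(BaseHTTPRequestHandler):
    """Minimal responder standing in for a real Web server (constructed)."""
    server_version = "DemoHTTPd/0.1"      # constructed banner, not a real product

    def do_GET(self):
        body = b"<html><body>constructed index page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass                              # keep the demo quiet


def start_demo_http_server():
    """Start a throwaway Web server on a random loopback port; returns the port."""
    httpd = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]


def start_demo_banner_server(banner):
    """Start a throwaway TCP listener that greets with a fixed banner, reads
    one request and closes: a stand-in for a non-Web service on a port that
    Nmap labels by its well-known name. Returns the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            conn, _ = listener.accept()
            with conn:
                conn.settimeout(2.0)
                conn.sendall(banner)
                try:
                    conn.recv(1024)       # consume the client's request before closing
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def free_loopback_port():
    """Pick a loopback port nothing listens on (a constructed 'closed port')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    web = start_demo_http_server()
    mail = start_demo_banner_server(b"220 mail.example.test ESMTP constructed banner\r\n")
    for label, port in (("web", web), ("not web", mail), ("closed", free_loopback_port())):
        print(label, port, probe_port("127.0.0.1", port, timeout=2.0))
```

The status line and Server header are what the telnet session shows you on screen; the 'other' and 'silent' outcomes are the cases the text warns about, where Nmap's service name came from the port number alone.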
Table 4.8 Nmap Output Color Coding
Red: This port number is assigned to a service that offers some form of direct logon to the machine, such as Telnet or FTP. These services are often the most attractive to hackers.
Blue: This port number represents a mail service such as SMTP or POP. These services are also often the subject of hackers’ attacks.
Bold black: These are services that can provide some information about the machine or operating system, such as finger, echo, and so on.
Plain black: Any other services or ports identified.
Figure 4.3 Nmap Output
You can save Nmap logs in a number of formats, including plain text or machine-readable, and import them into another program. However, if these options aren’t enough for you, Nlog, the next tool discussed, can help you make sense of your Nmap output. Running it on very large networks may be a lifesaver, because poring over hundreds of pages of Nmap output looking for bad guys can quickly drive you blind, crazy, or both.
The Nlog program helps you organize and analyze your Nmap output. It presents the results in a customizable Web interface using CGI scripts. Nlog makes it easy to sort your Nmap data in a single searchable database. On larger networks, this kind of capability is vital to making Nmap useful. Austinite H. D. Moore put together these programs and made them available, along with other interesting projects, at his Web site www.secureaustin.com.
Nlog is also extensible; you can add other scripts to provide more information and run additional tests on the open ports it finds. The author provides several of these add-ons and instructions on how to create your own. Nlog requires Perl and works on log files generated by Nmap 2.0 and higher.
Installing Nlog
Follow these steps to install and prepare Nlog.
1. Get the files from the CD-ROM that accompanies this book or download the files from the Nlog Web site.
2. Unpack the Nlog files using the tar -zxvf command. It will unzip and neatly organize all the files for Nlog in a directory called nlog-1.6.0 (or other numbers, depending on the version number).
3. You can use the installer script provided to automatically install and prepare the program. Note that you need to edit the program before you run it. Go to the Nlog directory and, using a text editor program such as vi or EMACS, open the file installer.sh and enter the variables where indicated for your system.
Nlog: A Tool for Sorting and Organizing Nmap Output
Nlog
Author/primary contact: H.D. Moore
Flamey the Tech Tip:
Newbie Lesson on Using UNIX Text Editors
Throughout this book you will need to edit text files to set program variables, install configurations, and for other reasons. There are many good text editors for UNIX including vi, EMACS, and Pico. Each of these has its strengths and weaknesses, but in this book I will assume the use of EMACS because it’s the most X-Windows friendly, easy to use, and available on most systems. On Mandrake Linux, you can find EMACS located in X-Windows on your Start menu under the Programming menu. You can also start EMACS from a command line by typing emacs, or emacs filename to edit a specific file.
Be careful when using text editors on executable or binary files. Any changes made to these files could break the program they support. You can tell if it is a binary file because it will generally contain a bunch of gibberish rather than plain text. Generally, you use text editors only to modify text files.
EMACS gives you a familiar menu at the top to select actions for the file such as save and close. You can use the mouse to move around the screen and select menus or text. You can also use a number of shortcut keystrokes. A few of the most useful ones are listed below. Note: CTRL means pressing the control key while pressing the other key, and where two key combinations are listed, do one after the other.
CTRL+x, CTRL+c  Closes EMACS. It prompts you to save your current file if you haven’t already.
CTRL+g  Escape. If you are in a key sequence you can’t get out of, this will return you to the main buffer.
CTRL+x, k  Closes the current file.
CTRL+x, s  Saves the current file.
CTRL+x, d  Opens a directory listing that you can click on to open files and perform other functions.
CTRL+a  Moves the cursor to the beginning of the line.
CTRL+e  Moves the cursor to the end of the line.
There are lots of other key combinations and macros for advanced users. For more information on EMACS, visit the following sites:
Edit the following parameters with the correct values for your installation:
CGIDIR=/var/www/cgi/
HTMLDIR=/var/www/
Put the path to your CGI directory. The above represents the correct values on a default Mandrake installation. Make sure you enter the correct ones for your system. For other Linux systems, find the path to this directory by using the locate command. This useful command will find any files with the text you insert after it.
4. Save the file, then run it by typing:
./install.sh
The installation script automatically copies the CGI files to your CGI directory and the main HTML file to your HTML directory. It also changes the permissions on those files so they can be executed by your Web browser.
5. For the final step, go into the /html directory and edit the nlog.html file. In the POST statement, change the reference to the cgi files to your cgi files, which should be the same one used above (/var/www/cgi/). Save the file and you are ready to go.
Using Nlog
This section describes how to use Nlog.
1. The first thing you must do is create an Nlog database file to view. You do this by converting an existing Nmap log file. Make sure you save your Nmap logs with the machine-readable option (-m on the command line) to be able to use them in Nlog. You can then use a script provided with Nlog to convert the Nmap log into the database format that Nlog uses. To convert an Nmap machine-readable log, run the log2db.pl script using this command:
log2db.pl logfile
Replace logfile with your log file name and location.
2. To combine multiple log files into a single database, use the following commands:
cat * > /PATH/temp.db
cat /PATH/temp.db | sort -u > /PATH/final.db
3. Replace /PATH with the path to your Nmap files and final.db with the name you want to use for the combined Nmap database. This sorts the files into alphabetical order and eliminates any duplicates.
4. Start your Web browser and go to the Web directory (/var/www/ from the previous section).
5. Select the Nmap database file you want to view and click Search (see Figure 4.4).
6. You can now open your Nmap database and sort it based on the following criteria:
• Hosts by IP address
• Ports by number
• Protocols by name
• State (open, closed, filtered)
• OS match
You can also use any combination of these criteria. For example, you could search for any Web servers (http protocol) on Windows systems with a state of open.
Nlog Add-ons
As mentioned earlier, Nlog is easily extensible and you can write add-ons to do other tests or functions on any protocols or ports found. In fact, there are several included with the program. If there is an add-on available, there will be a hypertext link next to the port and you can click on it to run the subprogram. Table 4.9 lists the built-in extensions.
Figure 4.4 Nlog Screen Shot
Creating Your Own Nlog Extensions
If you examine these add-on scripts, you will see that they are just basic Perl programs. If you are experienced with Perl, you can write your own extensions to execute just about any function against your scanned hosts. For example, you can retrieve and display the HTTP header for any Web servers found so you can more easily identify them. You don’t need to go overboard with this, because programs like Nessus (discussed in Chapter 5) can do much more comprehensive testing, but if you just need a banner or some small bit of information, then using Nlog is a good solution.
Nlog comes with a sample custom add-on called nlog-bind.pl. This script is designed to poll a DNS server and tell you what version of BIND (the Berkeley Internet Name Daemon DNS service) it is running. However, this script is not finished; it is provided as an exercise to create your own add-ons. The sample script is in /nlog*/extras/bind/. The following procedure guides you through finishing the script. You can use that format to create any custom script of your own.
1. Compile the script using the gcc compiler with the following command from that directory:
gcc -o bindinfo binfo-udp.c
This creates a binary file called bindinfo in that directory.
2. Copy this binary file to the directory where you are keeping your nlog scripts.
3. Change the permissions on it to make it executable. (Remember that you have to be root to issue this command.)
Table 4.9 Nlog Built-in Extensions
Nlog-rpc.pl: This add-on takes any RPC services that are found and attempts to find out if there are any current RPC attachments and exports for that service.
Nlog-smb.pl: For any nodes running NetBIOS (which most Windows machines will be), this script tries to retrieve shares, user lists, and any other domain information it can get. It uses the user name and login specified in the nlog-config.ph file.
Nlog-dns.pl: This script runs a standard nslookup command on the IP address. (See Chapter 2 for more information on nslookup.)
Nlog-finger.pl: This runs a query against any finger service found running to see what information is sent.
4. Open your nlog-config.ph file in a text editor.
5. Add this line:
$bindinfo = "/path/to/bindinfo";
Replace /path/to/bindinfo with the location where you put the binary file.
6. Save this file.
7. Now edit nlog-search.pl. This is the Perl script that creates your search results page.
8. Find the section that looks like this:
1: # here we place each cgi-handler into a temp var for readability
2:
3: $cgiSunRPC = "sunrpc+$cgidir/nlog-rpc.pl+SunRPC";
4: $cgiSMB = "netbios-ssn+$cgidir/nlog-smb.pl+NetBIOS";
5: $cgiFinger = "finger+$cgidir/nlog-finger.pl+Finger";
6:
7: $qcgilinks ="$cgiSunRPC $cgiSMB $cgiFinger";
9. Between lines 5 and 6, add a line that looks like:
$cgiBIND = "domain+$cgidir/nlog-bind.pl+BIND";
10. Edit line 7 to look like this:
$qcgilinks = "$cgiSunRPC $cgiSMB $cgiFinger $cgiBIND";
Line 7 is also where you would add, in a similar fashion, links to any other scripts you had created.
11. Copy the nlog-bind.pl file from this directory into your cgi-bin directory (/var/www/cgi on Mandrake Linux), and change the permissions (chmod) so the application can read it.
Now when your Nmap scans find port 53 open (which is generally a DNS server), you can click on the link that Nlog creates and find out what version of BIND it is running. You can write additional scripts to extend Nlog by following the logic in this example.
Interesting Uses for Nlog and Nmap
So now you can port scan with Nmap and sort and analyze the results with Nlog. So what do you do with these new toys? Well, there are some interesting applications for port scanners. Here are some real examples for you to try on your network (or someone else’s, with their permission, of course!). You may be surprised at what you find.
Scan for the Least Common Services. If you have a service or port number that is only showing up on one or two machines, chances are that it is not something that is standard for your network. It could be a Trojan horse or a banned service (for example, Kazaa, ICQ, or MSN). It could also be a misconfigured machine running an FTP server or other
type of public server. You can set Nlog to show the number of occurrences of each and sort them by the least often occurring. This will generate a list for you to check out. You probably won’t want to include your company’s servers in this scan, as they will have lots of one-of-a-kind services running. However, it wouldn’t hurt to scan these servers separately either to fine-tune or eliminate extraneous services.
Hunt for Illicit/Unknown Web Servers. Chances are that if you run one or more Web servers for your company, you will see the HTTP service showing up a few times on your network. However, it is also likely that you will see it on machines where you don’t expect it. Some manufacturers of desktop computers are now loading small Web servers by default on their systems for use by their technical support personnel. Unfortunately, these Web servers are often barebones programs with security holes in them. You will also find Web servers running on printers, routers, firewalls, and even switches and other dedicated hardware. You may need these servers to configure the hardware, but if you aren’t using these servers, you should shut them off. These mini-servers are often configured with no password protection by default and can offer a hacker a foothold onto that machine. They can also offer access to the files on the machines if an intruder knows how to manipulate them. Scan for these hidden Web servers, and either turn them off or properly protect them. You should also search for ports other than 80 that are commonly used for HTTP. Table 4.10 has a short list of port numbers for Web service.
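The two exercises above (least common services, and Web servers where none is expected), carried out directly on Nmap's machine-readable output rather than through Nlog's Web interface, as an added example that is not part of the chapter or of Nlog. It assumes the log is in the grepable format written by -oG (the successor of the -m switch the text refers to), where each Host: line carries a Ports: section of port/state/protocol/owner/service/... entries; the sample scan, its addresses and host names are constructed, and the list of alternate Web ports is an assumption standing in for the chapter's Table 4.10.

```python
from collections import defaultdict

# Constructed sample in Nmap's grepable format (-oG). Every address and
# host name is invented.
SAMPLE_LOG = """\
# Nmap scan initiated as: nmap -oG - 10.0.0.0/24  (constructed sample)
Host: 10.0.0.1 (fw.example.test)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 10.0.0.5 (srv1.example.test)\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///
Host: 10.0.0.6 (srv2.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 10.0.0.20 (desk1.example.test)\tPorts: 139/open/tcp//netbios-ssn///, 8080/open/tcp//http-proxy///
Host: 10.0.0.21 (desk2.example.test)\tPorts: 139/open/tcp//netbios-ssn///, 6667/open/tcp//irc///
Host: 10.0.0.50 (printer.example.test)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///
# Nmap done (constructed sample)
"""

# Assumed set of ports often used for HTTP besides 80; the chapter's own
# Table 4.10 is the authoritative list and is not reproduced here.
ALTERNATE_WEB_PORTS = {8000, 8008, 8080, 8081, 8443, 8888}


def parse_grepable(text):
    """Turn grepable output into one record per port.

    A 'Host:' line holds tab-separated sections; the 'Ports:' section is a
    comma-separated list whose entries read
    port/state/protocol/owner/service/rpcinfo/version in current releases
    (older releases may carry fewer fields), so only the first three fields
    and the service field, when present, are relied on."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment and blank lines
        sections = line.split("\t")
        address, _, rest = sections[0][len("Host:"):].strip().partition(" ")
        hostname = rest.strip("() ")
        for section in sections[1:]:
            if not section.startswith("Ports:"):
                continue
            for entry in section[len("Ports:"):].split(","):
                fields = entry.strip().split("/")
                if len(fields) < 3 or not fields[0].isdigit():
                    continue
                records.append({
                    "host": address,
                    "hostname": hostname,
                    "port": int(fields[0]),
                    "state": fields[1],
                    "proto": fields[2],
                    "service": fields[4] if len(fields) > 4 else "",
                })
    return records


def least_common_services(records):
    """Count the hosts on which each open service appears and return
    (service, host_count, hosts) tuples sorted rarest first. A service on
    only one or two machines is the text's candidate for a Trojan horse, a
    banned program or a misconfigured box. Ports without a well-known name
    are kept apart under 'unknown/<port>'."""
    hosts_by_service = defaultdict(set)
    for rec in records:
        if rec["state"] != "open":
            continue
        key = rec["service"] or "unknown/%d" % rec["port"]
        hosts_by_service[key].add(rec["host"])
    return sorted(
        ((svc, len(hosts), sorted(hosts)) for svc, hosts in hosts_by_service.items()),
        key=lambda item: (item[1], item[0]),
    )


def find_web_servers(records, expected_hosts=frozenset()):
    """Return (host, port, service) for every open port that looks like a
    Web server, judged by service name or by alternate port, leaving out the
    hosts that are supposed to be running one."""
    found = set()
    for rec in records:
        if rec["state"] != "open" or rec["host"] in expected_hosts:
            continue
        if rec["service"].startswith("http") or rec["port"] in ALTERNATE_WEB_PORTS:
            found.add((rec["host"], rec["port"], rec["service"]))
    return sorted(found)


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_LOG)
    print("services, rarest first:")
    for service, count, hosts in least_common_services(recs):
        print("  %-12s %d  %s" % (service, count, ", ".join(hosts)))
    print("web servers outside the known server list:")
    for host, port, service in find_web_servers(recs, expected_hosts={"10.0.0.5", "10.0.0.6"}):
        print("  %s:%d (%s)" % (host, port, service))
```

On the constructed sample the rarest-first list puts the desktop's http-proxy and irc ports and the printer's jetdirect port at the top, and the Web server search flags the firewall, the desktop on 8080 and the printer once the two known servers are excluded; on a real scan the expected_hosts set is where your company's servers go, as the text suggests scanning them separately.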
Scan for Servers Running on Desktops. Going a step further with the last exercise, restrict the IP range to only those that are nonserver machines and set a port range from 1 to 1,024. This will find desktop machines running services that are normally done
Table 4.10 Common Alternate Web Server Ports