Mapping Open Ports

Once an attacker has identified which targets are live, it is time to move on to the next step of mapping the network. An attacker at this stage has moved to a more interactive and aggressive approach, because probe traffic now reaches the target and can be logged there. Many tools are available to map open ports and identify the services running on servers in a target network. Because not every tool can be covered here, the discussion is limited to those that are widely used and well known. No matter which tools are used, however, the activity at this point boils down to determining whether a target is online and then port scanning it.

Nmap

Nmap (Network Mapper) is one of the most widely used security tools, and a firm understanding of this utility is generally considered a basic requirement for security professionals. At its core, Nmap is a port scanner that can perform a number of different scan types. The scanner is freely available for several operating systems, including Windows, Linux, macOS, and others. By design, the software runs as a command-line application, but to make usage easier, a graphical user interface (GUI), Zenmap, is available through which a scan can be configured. The strength of Nmap is its many command-line switches, which tailor the scan to return the desired information. Some of the most useful Nmap options are listed in TABLE 6-3.

TABLE 6-3 Nmap options

NMAP OPTION      SCAN PERFORMED
-sT              TCP connect scan
-sS              SYN (half-open) scan
-sF              FIN scan
-sX              Xmas tree scan
-sN              NULL scan
-sP              Ping scan (host discovery only; called -sn in current versions)
-sU              UDP scan
-sO              IP protocol scan
-sA              ACK scan
-sW              TCP window scan
-sR              RPC scan (legacy; now part of version detection, -sV)
-sL              List scan (reverse-DNS lookup of the targets only; no probes sent)
-sI              Idle (zombie) scan
-Pn              Don't ping; treat every target as online
-PT              TCP ping (legacy name for the TCP ACK ping, -PA)
-PS              TCP SYN ping
-PI              ICMP echo ping (legacy name for -PE)
-PB              TCP and ICMP ping combined (legacy; the old default)
-PP              ICMP timestamp ping
-PM              ICMP netmask ping
-oN              Normal output
-oX              XML output
-oG              Greppable output
-oA              All three output formats at once
-T0 Paranoid     Serial scan; 5 minutes (300 seconds) between probes
-T1 Sneaky       Serial scan; 15 seconds between probes
-T2 Polite       Serial scan; 0.4 seconds between probes
-T3 Normal       Parallel scan (the default)
-T4 Aggressive   Parallel scan with shorter timeouts
-T5 Insane       Parallel scan with the shortest timeouts; may miss results on slow links

To perform an Nmap scan, at a command prompt (Windows, Linux, or macOS), type nmap followed by the options needed for the desired scan and the target IP address. For example, to scan the host with the IP address 192.168.123.254 using a full TCP connect scan, enter the following at the command line:

nmap -sT 192.168.123.254
The response will be similar to this:

These results provide information about the target system, specifically the ports that are open and ready to accept connections. Because the scan was run from a host on the same local subnet, Nmap also displays the Media Access Control (MAC) address of the scanned system, which it learns from the ARP exchange; a scan of a host behind a router would not show it. The port information can be used later to obtain more information about the target environment.
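The port list is the input to the next step, so it is worth being able to pull it out of Nmap's output mechanically. The following is an added example, not code from the page or from the Nmap project: it parses the greppable (-oG) format, in which each host record is a tab-separated line and each port entry has the form port/state/protocol/owner/service/rpcinfo/version/. The sample text SAMPLE_GNMAP, its host, ports and version strings are all constructed for illustration.

```python
"""Parse Nmap greppable (-oG) output and pull out the open ports per host."""
import re
from dataclasses import dataclass

# Constructed -oG output for a connect scan of one host (not a real capture).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sT -oG - 192.168.123.254\n"
    "Host: 192.168.123.254 ()\tStatus: Up\n"
    "Host: 192.168.123.254 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 135/filtered/tcp//msrpc///, "
    "443/closed/tcp//https///\tIgnored State: closed (996)\n"
    "# Nmap done at Mon Jan  1 10:00:02 2024 -- 1 IP address (1 host up) scanned in 1.85 seconds\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_port_entry(host: str, entry: str) -> PortRecord:
    """One entry is port/state/proto/owner/service/rpcinfo/version/ (seven
    slash-separated fields followed by a trailing slash)."""
    fields = entry.strip().split("/")
    if fields and fields[-1] == "":
        fields = fields[:-1]
    if len(fields) < 7:
        fields += [""] * (7 - len(fields))
    # Anything beyond the seventh field is version text that contained a slash.
    version = "/".join(fields[6:])
    return PortRecord(host, int(fields[0]), fields[2], fields[1], fields[4], version)


def parse_gnmap(text: str) -> list[PortRecord]:
    records = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a host record
        host = m.group(1)
        for field in line.split("\t"):
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    if entry:
                        records.append(parse_port_entry(host, entry))
    return records


def hosts_up(text: str) -> set[str]:
    """Hosts whose Status field says Up (host-discovery result)."""
    return {HOST_RE.match(line).group(1) for line in text.splitlines()
            if HOST_RE.match(line) and "Status: Up" in line}


def open_ports(text: str) -> dict[str, list[int]]:
    """Host -> sorted open port numbers: the list that feeds service enumeration."""
    result: dict[str, list[int]] = {}
    for r in parse_gnmap(text):
        if r.state == "open":
            result.setdefault(r.host, []).append(r.port)
    return {h: sorted(p) for h, p in result.items()}


if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_GNMAP).items():
        print(host, ports)
```

Filtered and closed ports are kept in the records (they matter when comparing a scan from inside the network with one from outside), while open_ports returns only what the next phase needs.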

Nmap reports a status for each port it probes. The three states seen most often are:

  • Open—The target device is accepting connections on the port.

  • Closed—The port is reachable (the probe draws a RST, or for UDP an ICMP port-unreachable reply), but nothing is listening on it.

  • Filtered—A firewall, filter, or other network device is blocking the probe, so Nmap cannot determine whether the port is open.

Nmap also uses three combined states when a scan type cannot tell these apart: unfiltered (reachable, but open or closed is unknown; produced by ACK scans), open|filtered (no response at all, as with UDP, FIN, NULL, and Xmas scans), and closed|filtered (idle scans only).
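How a port ends up in one state or another depends on the scan type, because each type sends a different probe and reads the reply differently. The following is an added example, not Nmap's code: it encodes the decision rules Nmap documents for SYN/connect, FIN/NULL/Xmas, ACK and UDP scans, and extends the three states listed above to the six Nmap reports. The Reply class is a constructed summary of one response rather than a parsed packet, so the logic runs offline; scan-type names and the helper names are this example's own.

```python
"""Turn a probe reply into a port state using per-scan-type rules."""
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes that indicate a filtering device
# rather than a closed port: net, host, protocol and port unreachable, plus the
# administratively prohibited codes.
FILTER_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    """Constructed summary of what came back for one probe."""
    tcp_flags: str = ""                     # e.g. "SA", "RA", "R"
    icmp: Optional[tuple[int, int]] = None  # (type, code) if ICMP came back
    udp_data: bool = False                  # a UDP datagram came back


def _icmp_filtered(r: Reply) -> bool:
    return r.icmp is not None and r.icmp[0] == 3 and r.icmp[1] in FILTER_CODES


def classify(scan: str, reply: Optional[Reply]) -> str:
    """scan: 'syn', 'connect', 'fin', 'null', 'xmas', 'ack' or 'udp'.
    reply: None when the probe and its retransmissions drew no answer."""
    if scan in ("syn", "connect"):
        if reply is None or _icmp_filtered(reply):
            return "filtered"
        if "S" in reply.tcp_flags and "A" in reply.tcp_flags:
            return "open"
        if "R" in reply.tcp_flags:
            return "closed"
        return "filtered"
    if scan in ("fin", "null", "xmas"):
        # RFC 793 says an open port must ignore these probes, so silence is
        # ambiguous: the port is open, or a filter dropped the probe.
        if reply is None:
            return "open|filtered"
        if _icmp_filtered(reply):
            return "filtered"
        if "R" in reply.tcp_flags:
            return "closed"
        return "open|filtered"
    if scan == "ack":
        # An ACK probe cannot tell open from closed; it only maps filters.
        if reply is not None and "R" in reply.tcp_flags:
            return "unfiltered"
        return "filtered"
    if scan == "udp":
        if reply is None:
            return "open|filtered"
        if reply.udp_data:
            return "open"
        if reply.icmp == (3, 3):
            return "closed"  # port unreachable
        if _icmp_filtered(reply):
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def summarize(scan: str, replies: dict[int, Optional[Reply]]) -> dict[str, list[int]]:
    """Group ports by state, the way a scanner's report does."""
    out: dict[str, list[int]] = {}
    for port, reply in sorted(replies.items()):
        out.setdefault(classify(scan, reply), []).append(port)
    return out


if __name__ == "__main__":
    # Constructed replies for one host: 22 answers SYN/ACK, 23 resets, 135 is
    # silently dropped, 445 is rejected with an admin-prohibited ICMP.
    sample = {22: Reply("SA"), 23: Reply("RA"), 135: None, 445: Reply(icmp=(3, 13))}
    print(summarize("syn", sample))
```

The practical consequence is that a silent port means different things in different scans: filtered for a SYN scan, but open|filtered for FIN, NULL, Xmas and UDP scans, which is why those results usually need a second scan type or version detection to resolve.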

SuperScan

SuperScan is a Windows-based port scanner developed by Foundstone. It scans TCP and UDP ports, performs ping sweeps, runs Whois queries, and performs traceroute. SuperScan is a GUI-based tool that comes with a preconfigured list of ports to scan and can be customized to scan a specific range. It is shown in FIGURE 6-1.

FIGURE 6-1
SuperScan.

Scanrand

Scanrand, part of Dan Kaminsky's Paketto Keiretsu suite, is a scanning tool designed to scan anything from a single host to a large network quickly and return results about it. Scanrand is unique among network scanners in how it handles state: a conventional scanner remembers every probe it has sent and waits for the matching reply, whereas Scanrand transmits and listens independently, in parallel, using what is known as stateless scanning. Because it never has to track outstanding probes, Scanrand can scan far faster than other network scanners.

Stateless scanning splits the job into two distinct processes that work together, one transmitting and the other listening for results. The first process sends SYN packets at a high rate and forgets about them; the second sorts out whatever replies come back. The trick that makes this work is known as inverse SYN cookies. Scanrand places a keyed hash in the sequence number of each outgoing SYN. Because a TCP reply acknowledges that sequence number plus one, the listener can recompute the hash from the reply's own source IP, source port, destination IP, and destination port and confirm that the reply belongs to a probe it sent, without having stored any record of the probe. Replies that fail the check, whether stray traffic or deliberately spoofed packets, are discarded. Scanrand is useful to a security professional when a large number of IP addresses need to be scanned quickly.
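The inverse SYN cookie mechanism described above, as an added example that is not Scanrand's source. It uses HMAC-SHA256 truncated to 32 bits, where Scanrand's own hash and key handling differ in detail; the transmitter, the listener and a constructed "network" that answers SYNs are all plain functions here, so nothing is put on the wire. The key, the scanner address and port, and the target addresses (RFC 5737 documentation ranges) are assumptions of this example.

```python
"""Inverse SYN cookies: stateless SYN scanning with the probe's identity
carried in the sequence number."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Optional

KEY = os.urandom(16)        # known only to this scanner run (constructed)
SCANNER_IP = "192.0.2.10"   # constructed scanner address
SCANNER_PORT = 40000        # constructed fixed source port
MASK32 = 0xFFFFFFFF


def inverse_syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                       key: bytes = KEY) -> int:
    """32-bit sequence number derived from the 4-tuple. The probe's identity
    travels inside the packet, so the sender keeps no table of what it sent."""
    msg = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
           + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def build_syn(dst_ip: str, dst_port: int, key: bytes = KEY) -> dict:
    """Transmitter side: a SYN whose initial sequence number is the cookie."""
    return {"src_ip": SCANNER_IP, "src_port": SCANNER_PORT,
            "dst_ip": dst_ip, "dst_port": dst_port, "flags": "S",
            "seq": inverse_syn_cookie(SCANNER_IP, SCANNER_PORT, dst_ip, dst_port, key)}


def classify_reply(pkt: dict, key: bytes = KEY) -> Optional[tuple[str, int, str]]:
    """Listener side: recompute the cookie from the reply's reversed 4-tuple
    and require ack == cookie + 1. Returns (ip, port, state), or None for a
    stray or forged packet."""
    expected = inverse_syn_cookie(pkt["dst_ip"], pkt["dst_port"],
                                  pkt["src_ip"], pkt["src_port"], key)
    if (pkt["ack"] - 1) & MASK32 != expected:
        return None
    flags = pkt["flags"]
    if "S" in flags and "A" in flags:
        return pkt["src_ip"], pkt["src_port"], "open"
    if "R" in flags:
        return pkt["src_ip"], pkt["src_port"], "closed"
    return None


def reply_to(syn: dict, flags: str) -> dict:
    """Constructed target behaviour: answer a SYN with SYN/ACK or RST/ACK
    acknowledging seq + 1."""
    return {"src_ip": syn["dst_ip"], "src_port": syn["dst_port"],
            "dst_ip": syn["src_ip"], "dst_port": syn["src_port"],
            "flags": flags, "ack": (syn["seq"] + 1) & MASK32}


def simulate_sweep(listening: dict[str, set[int]],
                   probes: list[tuple[str, int]]) -> dict[tuple[str, int], str]:
    """Fire every probe without recording it, then classify whatever comes
    back. `listening` is the constructed network's ground truth."""
    wire = [build_syn(ip, port) for ip, port in probes]                   # transmitter
    replies = [reply_to(s, "SA" if s["dst_port"] in listening.get(s["dst_ip"], set())
                        else "RA") for s in wire]                         # the network
    results = {}
    for pkt in replies:                                                   # listener
        hit = classify_reply(pkt)
        if hit:
            results[(hit[0], hit[1])] = hit[2]
    return results


if __name__ == "__main__":
    print(simulate_sweep({"198.51.100.7": {22, 443}},
                         [("198.51.100.7", p) for p in (22, 23, 443)]))
```

The listener never consults a table of sent probes; the hash check alone decides whether a packet is an answer to this scan, which is also what stops a third party from polluting the results with forged SYN/ACKs unless they know the key.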

THC-Amap

THC-Amap (The Hacker's Choice–Another Mapper) is a scanner that takes a different approach to identifying services. Traditional scanners identify a service by the banner it sends on connection, and that fails for services that wait for the client to speak first; anything wrapped in Secure Sockets Layer (SSL) or TLS, for example, sends nothing until it receives a handshake. Amap handles this by storing a collection of trigger packets that it sends to a port to provoke a response, together with response signatures that identify the service from whatever comes back. Because identification depends on the response rather than on the port number, the tool also excels at finding services that have been moved away from their standard ports.
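The trigger-and-signature approach described above, as an added example that is not Amap's code. The trigger list and the response signatures are a small constructed subset (Amap ships far larger ones), the TLS ClientHello and ServerHello bytes are minimal hand-built records with zeroed random fields, and the "services" are Python functions standing in for TCP listeners so the example runs offline. Function and service names are this example's own.

```python
"""Identify a service by what it answers to a trigger, not by its port."""
import re
from typing import Callable, Optional

Server = Callable[[bytes], bytes]   # constructed stand-in: trigger -> response

# Minimal TLS 1.2 ClientHello: record header, handshake header, version,
# 32-byte random (zeroed), no session id, one cipher suite, null compression.
CLIENT_HELLO = (bytes.fromhex("160301002d" "01000029" "0303") + b"\x00" * 32
                + bytes.fromhex("00" "0002" "002f" "01" "00"))

# Triggers in the order they are tried. The empty trigger just listens for a
# banner, which suffices for SSH or SMTP but draws nothing from HTTP or TLS.
TRIGGERS: list[tuple[str, bytes]] = [
    ("banner", b""),
    ("http", b"GET / HTTP/1.0\r\n\r\n"),
    ("tls", CLIENT_HELLO),
]

# Response signatures: (service name, regex over the raw bytes returned).
SIGNATURES: list[tuple[str, re.Pattern]] = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
    ("smtp", re.compile(rb"^220[ -].*SMTP", re.I | re.S)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    # TLS record: content type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 0x02 (ServerHello).
    ("tls", re.compile(rb"^\x16\x03[\x00-\x04]..\x02", re.S)),
]


def identify(response: bytes) -> Optional[str]:
    for name, pattern in SIGNATURES:
        if pattern.match(response):
            return name
    return None


def fingerprint(server: Server) -> Optional[str]:
    """Send each trigger in turn and stop at the first recognised response.
    The port number plays no part, so a relocated service is still found."""
    for _name, trigger in TRIGGERS:
        response = server(trigger)
        if response:
            found = identify(response)
            if found:
                return found
    return None


def banner_grab(server: Server) -> Optional[str]:
    """What a banner-only scanner sees: connect, send nothing, read."""
    return identify(server(b""))


# Constructed services: what each would answer to a given trigger.
def ssh_service(trigger: bytes) -> bytes:
    return b"SSH-2.0-OpenSSH_8.9\r\n"            # speaks first, whatever is sent


def http_service(trigger: bytes) -> bytes:
    if trigger.startswith(b"GET "):
        return b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
    return b""                                   # silent until it sees a request


def tls_service(trigger: bytes) -> bytes:
    if trigger[:1] == b"\x16":                   # answers only a TLS handshake record
        return (bytes.fromhex("160303002a" "02000026" "0303") + b"\x00" * 32
                + bytes.fromhex("00" "002f" "00"))   # ServerHello: no session id
    return b""


if __name__ == "__main__":
    # Constructed: three services on non-standard ports.
    for port, svc in ((2222, ssh_service), (8080, http_service), (8443, tls_service)):
        print(port, "banner only:", banner_grab(svc), "with triggers:", fingerprint(svc))
```

Against the TLS and HTTP stand-ins the banner-only check returns nothing, while the trigger loop identifies both; that gap is exactly the case the passage above describes.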
