When you absolutely need to know everything you can about a network or host, nmap can help.
The network monitoring tools discussed so
far all achieve their goals by passively listening to traffic on the
network. You can often get better results by actually asking machines
directly for information rather than waiting for them to divulge it
on their own. To find out more information about a particular machine
(or an entire network of machines), you need a good active scanning
utility. One of the most advanced and widely used network scanners is
nmap
. It is available at http://www.insecure.org/nmap/, and is best
summarized by the description on the web site:
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
The most common use for nmap is to scan the TCP ports on a machine to determine which services are available. If run as root, it can also use advanced TCP fingerprinting techniques to make an educated guess about the OS of the target machine.
caligula:~# nmap -O 10.15.6.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on florian.rob.swn (10.15.6.1):
(The 1590 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
53/tcp open domain
80/tcp open http
179/tcp open bgp
443/tcp open https
2601/tcp filtered zebra
2605/tcp filtered bgpd
3128/tcp filtered squid-http
3306/tcp filtered mysql
10000/tcp open snet-sensor-mgmt
10005/tcp open stel
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 65.988 days (since Thu Apr 17 18:33:00 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds
This scan was run on a server on my home network. The operating system guess and system uptime are both correct (it is a Linux 2.4.19 system that has been up for 65 days, 23 hours, and 43 minutes). Notice how nmap can also detect filtered TCP ports in addition to ports that accept connections. There is no guarantee that these services are actually in use, but since there is a firewall running, it’s probably a good guess that at least some of them are active. Ports 10000 and 10005 are actually part of a home-grown monitoring system I’m using, as described in [Hack #34]. If you are curious about a particular user on your wireless network, nmap can tell you a good deal about the system they are running.
Aside from scanning the ports of a single host, nmap can also scan entire networks. To fingerprint all of the machines on the local network, try something like this:
caligula:~# nmap -sS -O 10.15.6.0/24
The /24
is Classless Inter-Domain
Routing
(CIDR) notation for the network mask,
specifying that all IPs from 10.15.6.0 to 10.15.6.255 should be
scanned. If the machine being scanned is running a good
intrusion detection system (such as
Snort; see http://www.snort.org/), it might determine
that a scan is in progress and take countermeasures. To try to work
around this possibility, nmap provides a number of alternative
scanning methods that can be very difficult to detect. The
-sS
switch tells nmap to use a stealth SYN scan
rather than use a standard TCP connect. The scanning tool versus
intrusion detection tool arms race has been going on ever since there
have been such tools, and will likely continue for quite some time.
You can use nmap to help track down miscreants abusing your network, or simply to take a poll of what your wireless users are running. It is frequently used to probe your own machines to determine whether unexpected services suddenly crop up, or whether your firewall is properly configured. However you use it, nmap will provide valuable insight into the machines present on your wireless network.
3.21.248.119