Scan for rogue applications masquerading on common ports
Numerous security professionals consider Nmap, an open-source network port scanner, to be an essential part of their toolkit. A cross-platform tool, Nmap provides 11 scan techniques and many scan customization features to help you discover and identify the applications installed on your network as well as test firewall and intrusion detection system (IDS) configurations. The recent release of Nmap 4.0 represents more than two years of upgrades, module overhauls, and feature tweaks, making this version of the venerable tool faster and more reliable than earlier versions, especially when run on Windows.
If you've installed an earlier version of Nmap, you need to use the Control Panel Add or Remove Programs applet to uninstall old versions of the packet capture driver (WinPcap) before you download Nmap 4.0. You can download the Nmap installation program (and optionally, the source code) for Windows directly from the insecure.org Web site (http://download.insecure.org/nmap/dist/nmap-4.01-setup.exe). Run the installation program, and you're in business. The new Windows installation program installs both Nmap 4.01 and WinPcap 3.1, updates your shell path, and extracts files to Program Files\Nmap. Then, all you need to do is launch a command prompt and begin scanning.
Reliable and Fast
Windows administrators will appreciate Nmap 4.0's dramatic improvements in reliability and speed. I've had problems with earlier versions of Nmap running reliably on Windows systems, so in the past I've favored Linux for running port scans. Those days are over, however—Nmap 4.0 runs more reliably on Windows than did previous versions. I installed it without a problem on Windows Server 2003 Service Pack 1 (SP1) and Windows XP SP2 systems and began to run scans immediately. Although I'll likely continue to use Linux for repeated, systematic scans because I've incorporated several shell scripts into my Linux scanner, I now use Nmap on my Windows desktop for ad hoc scans, and it runs great.
Nmap 4.0 offers numerous performance enhancements. It can perform many tasks in parallel, such as scanning multiple hosts and ports concurrently and performing multiple reverse DNS lookups simultaneously. Nmap 4.0 also runs noticeably faster: It took about 150 seconds to scan 25 hosts spread across a class C network, whereas Nmap 3.5 took longer than 450 seconds. Nmap 4.0 also completed service detection scans much more quickly than Nmap 3.5, requiring only 440 seconds versus the 1400 seconds Nmap 3.5 needed. Benchmarks vary widely, but it's safe to say you'll experience dramatically faster scanning with the latest version of Nmap.
The ease of running a simple Nmap scan belies the breadth of features under the hood. You can view the revised Nmap command summary by running
This command lists the parameters for the new features and options. Also be sure to visit http://www.insecure.org/nmap/man to get the recently overhauled documentation that shows all the Nmap commands and detailed usage scenarios. This documentation is among the best I've seen—it not only describes how to effectively use Nmap but also provides substantial detail about network scanning and how to use Nmap's more powerful (and obscure) features, such as IDS evasion and spoofing capabilities.
Application Version Detection
Nmap 4.0 offers more accurate application version detection than did older versions and includes a database of over 3000 application signatures that grows with each new release. You can instruct Nmap to use its service-probe feature to try to identify the name and version of the application listening on an open port and to identify the version of the target OS. Although the service-probe feature dramatically slows down the scan, it will tell you whether the application listening on port 80 is a Web server, such as Microsoft IIS, or whether it's really something else. Run the command
nmap -A HostToScan
where HostToScan is the name or IP address of the host you want to scan. To check only for the application version, use the -sV parameter.
Figure 1 shows the results of two scans. In the first scan, I use the -sS parameter to run a basic TCP SYN stealth scan, which is the default scan on Nmap. You can see that Nmap reports TCP port 80 as open and simply lists the service associated with that port—in this case, HTTP. This port-number-to-name lookup feature is robust and helpful in quickly identifying odd ports. However, don't let it mislead you—sometimes rogue applications hijack popular ports such as port 80 to escape detection or to pass through firewalls.
The second scan in Figure 1 uses the -A parameter to launch Nmap's service-probe feature, which enables OS detection and version scanning. This scan reveals Kazaa as the actual application listening on port 80. In fact, we can see that this peer-to-peer file transfer program is actually listening on multiple ports, including port 80. Although this feature imposes a significant performance penalty—90 seconds for the version detection scan compared with just over 2 seconds for a simple port scan—it's a small price to pay for accurate information.
XML Output Support
Previous versions of Nmap supported XML, but Nmap 4.0 takes that support to a new level. For example, Nmap now includes a style sheet in XML (Nmap.xsl) that immediately transforms the Nmap XML output into HTML. To output your Nmap scan results to an XML file that's named myNmapOutputFile.xml and is linked to a customizable style sheet, run the command
nmap -oX myNmapOutputFile.xml --stylesheet "c:\program files\Nmap\Nmap.xsl" HostToScan
substituting the name of your own XML output file, the path to that file, and the host to scan. To view the XML file, open it in Microsoft Internet Explorer (IE) or another Web browser that supports XML transformations. Figure 2 shows a sample scan that was output as XML and transformed through Nmap's included Extensible Stylesheet Language Transformations (XSLT).
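The two ideas above fit together in practice: the -A scan in Figure 1 shows that the port-number-to-name lookup can hide a rogue application on port 80, and the -oX option gives you that same result in a form a script can read. The following Python script is an added example (it is not part of the article and not Nmap's own code). It parses an Nmap -oX file and, for ports covered by a site policy, separates two findings: a "rogue" port, where version detection found a product that isn't on the expected list, and an "unverified" port, where Nmap only reported the name from its port table (method="table"), so the service was never actually probed. The sample XML is constructed for the example and the EXPECTED_PRODUCTS policy is hypothetical; the element and attribute names match Nmap's XML output format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output (not a real capture). Element and
# attribute names follow Nmap's XML format; the host and values are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A 192.0.2.10" version="4.01">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.2" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Kazaa" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="1214">
        <state state="open"/>
        <service name="kazaa" product="Kazaa" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered"/>
        <service name="msrpc" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical site policy: product names we expect to see on these ports.
# Anything else that version detection reports there deserves a look.
EXPECTED_PRODUCTS = {
    22: ("OpenSSH",),
    80: ("Microsoft IIS", "Apache"),
    443: ("Microsoft IIS", "Apache"),
}


def parse_open_ports(xml_text):
    """Return one dict per open port: host, port, proto, name, product, method.
    method is "probed" when -sV/-A actually fingerprinted the service and
    "table" when Nmap only looked the port number up in its services table."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to check
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "method": svc.get("method", "table") if svc is not None else "table",
            })
    return results


def classify(entries, expected=EXPECTED_PRODUCTS):
    """Split policy ports into (rogue, unverified).
    rogue: probed, but the product matches none of the expected names
           (an empty product on a probed port counts as rogue too).
    unverified: the service name came only from the port table, so the
           listener was never fingerprinted and the name proves nothing."""
    rogue, unverified = [], []
    for e in entries:
        allowed = expected.get(e["port"])
        if allowed is None:
            continue  # port not covered by policy
        if e["method"] != "probed":
            unverified.append(e)
        elif not any(a.lower() in e["product"].lower() for a in allowed):
            rogue.append(e)
    return rogue, unverified


if __name__ == "__main__":
    rogue, unverified = classify(parse_open_ports(SAMPLE_XML))
    for e in rogue:
        print(f"ROGUE      {e['host']}:{e['port']}/{e['proto']} "
              f"table says {e['name']!r}, probe found {e['product']!r}")
    for e in unverified:
        print(f"UNVERIFIED {e['host']}:{e['port']}/{e['proto']} "
              f"{e['name']!r} from port table only; rerun with -sV")
```

Run it against a real file by replacing SAMPLE_XML with the contents of the -oX output. Treating "table" results as unverified rather than clean is the point of the check: a port that was never probed can still be a Kazaa-style listener hiding behind a familiar name.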
An Upgrade Worthy of Your Toolbox
Nmap 4.0's runtime interaction lets you interact with the program without having to abort or restart it. This means you can change some options on the fly, such as increasing/decreasing output verbosity (v/V) and debugging (d/D). You can also get status updates during a scan by pressing any key to see the percentage of the scan that's been completed and the estimated time of completion.
Nmap 4.0 represents a milestone update in terms of reliability, performance, and features. It's definitely worth the upgrade.