Port scanning offers security professionals and systems administrators a fast and effective way to identify which services or applications their servers have open to the Internet or another network. Complex OSs, such as Windows 2000, support applications that can use hundreds of ports to communicate with other clients or servers. Long gone are the days of classifying a Web server as simply port 80. In a standard installation, running Microsoft Internet Information Services (IIS) 5.0 on Win2K leaves many ports open.
You can find many port scanners for Win2K, and several scanners offer a GUI that makes conducting a rudimentary network scan easy. My favorite Win2K port scanner is Insecure.Org's Nmap (which Fyodor wrote and eEye Digital Security ported to Win32) because of its flexible command-line-driven scanning options and robust output formats. Nmap's port-scanning and fingerprinting capabilities make it a favorite in many UNIX systems administrators' toolkits. The current version of Nmap for Windows, Nmap 2.54, is still in beta but available for use. (For a basic review of port scanning, see the sidebar "A Port-Scanning Primer," page 11.)
Port scanning is a powerful technique; unfortunately, many administrators think of port scanning only as a tool that helps intruders invade remote networks. However, Nmap can help you secure your installation several ways. Let's look at how scanning ports with a scanner such as Nmap can play an important role in your Internet security plan and how to install and use Nmap.
Why Scan Ports?
Port scanning supports at least four basic security missions. First, port scanning helps you identify which ports are open. Although you could run the Netstat command on each server to identify open ports, port scanning provides more information. Second, port scanning helps you not only categorize the servers and services that you know about but also identify new servers and services that you don't know about (but might be responsible for). I regularly scan my entire network and compare the results with a previous scan in which I've already identified the servers and services. Third, port scanning helps you determine the information that your Internet-facing network connections show to the world. In Nmap's case, you can use its OS fingerprinting features to discover what outsiders can learn about your network. To learn about Nmap's OS fingerprinting features, see the Web-exclusive sidebar "Nmap's OS Fingerprinting." (To read this sidebar, go to http://www.secadministrator.com and enter InstantDoc ID 23692.) Knowing each port's overall state is important: If you can access a port, chances are that an intruder can, too. Fourth, port scanning helps you protect your network from Internet service-based worms (e.g., CodeRed, Nimda) by identifying the servers and workstations that are running IIS or another targeted service.
Nmap for Windows
In June 2000, eEye Digital Security ported the original Win32 version of Nmap, called nmapNT, from UNIX Nmap 2.53. Although nmapNT is more than a year old, the Service Pack 1 (SP1) version is still available at http://www.eeye.com/html/research/tools/nmapnt.html. Since the release of SP1, developers have merged the nmapNT code with the original Nmap code to create Nmap 2.54, which is available at http://www.insecure.org. Bringing the Win32 code under the one Nmap source tree is great because Win32 users get many updated UNIX Nmap features.
Nmap developers feel that the Win32 Nmap code (i.e., Nmap 2.54B30) isn't up to the standards of its UNIX counterpart yet. Therefore, the developers don't widely distribute the binaries, and they recommend instead that you build the source code yourself with a C++ compiler; you can download the source from http://www.insecure.org. However, the precompiled Nmap 2.54 beta binaries, which you can find at http://download.insecure.org/nmap/dist/nmap-2.54BETA30-win32.zip, work quite well on Windows XP and Win2K, and the feature set is very close to the UNIX version.
Nmap is licensed under the GNU's Not UNIX (GNU) license. As with much GNU-licensed software, bug reports are encouraged, but you won't find commercial support for the software (i.e., no tech support to call). However, the Insecure.Org Web site sponsors two mailing lists, Nmap-dev and Nmap-hackers, to discuss this tool. In addition, the Nmap user community is savvy and enthusiastic, and you can join several Usenet and mailing lists through which you can seek help with any problems. You'll find that scouting on the Web will lead you to solutions for most problems you might encounter.
Nmap 2.54 uses the Windows packet-capture library (WinPcap) packet-filter driver (available at http://netgroup-serv.polito.it/winpcap). The WinPcap application is a common driver that other Win32 ports of UNIX networking tools (e.g., Ngrep, Snort) use. WinPcap enables the calling application (in this case, Nmap) to capture raw data in promiscuous mode from the NIC. WinPcap supports XP, Win2K, Windows NT, Windows Me, and Windows 9x. Download the most recent version of WinPcap and review the BSD-style license. (Redistribution is permitted under certain circumstances.) You'll find that WinPcap installs cleanly; be sure to reboot after you install it.
To install the Nmap executables and support files, simply extract them to a directory. The current set of files includes the main binary nmap.exe, an optional Nmap GUI front end, nmapfe.exe, and the following reference text files:
- nmap-os-fingerprints—list of TCP/IP stack identification information for more than 500 network devices and OSs
- nmap-protocols—list of protocols that Nmap uses for protocol scanning
- nmap-rpc—list of the remote procedure call (RPC) services that Nmap uses to determine which application is listening on a specific port
- nmap-services—list of the TCP/UDP services that Nmap uses to match the service name to the port number and as an optional list of ports to scan (instead of the entire IP address range)
Nmap is command-line driven, which facilitates scripting and post-run analysis. The application output shows the host, the state of the port (open, closed, or filtered), and the service running on that port.
How Nmap Works
You can run Nmap interactively or from the command line by using a set of switches to govern its operation. After you install Nmap, go to a command prompt and change to your Nmap directory. (If you use Nmap frequently, consider adding it to a path variable.) Run Nmap alone for its command syntax. Figure 1 shows the syntax for the basic command-line switches. The following four basic Nmap scan types should get you started on mapping your network. (More advanced scans that Nmap supports are described in the Nmap Help file and on the Insecure.Org Web site.)
- TCP connect() port scan (-sT switch)
- TCP synchronization (SYN) stealth port scan (-sS switch)
- UDP port scan (-sU switch)
- Ping scan (-sP switch)
To map a network from the Win32 version of Nmap, I've found the Ping scan and the TCP SYN scan to be the most practical. The Ping scan sends an Internet Control Message Protocol (ICMP) echo request packet and a TCP acknowledge (ACK) packet to determine whether a host is up, which is useful in determining the number of hosts on a given subnet.
The best way to understand the TCP SYN scan is to compare it with the TCP connect() scan. In a TCP connect() scan, the scanner uses the OS's native system call to open a full TCP connection. In other words, the scanner completes a three-way handshake—SYN, SYN-ACK, and ACK—between two hosts. A fully executed handshake indicates that the remote host port is open. The TCP SYN scan creates a half-open connection instead: it sends a reset (RST) flag in place of the final ACK flag (i.e., SYN, SYN-ACK, RST). If the remote host is listening and the port is open, the remote host responds with a SYN-ACK and Nmap sends an RST. If the port is closed, the remote host sends an RST and Nmap moves to the next port. I found the TCP SYN scan to work significantly faster than the TCP connect() scan. As Figure 2 shows, with the default timing options, scanning one host on a LAN took Nmap less than 1 second for the Ping scan (at callout A in Figure 2), about 1 second for the TCP SYN scan (at callout B), and slightly longer than 6 minutes for the TCP connect() scan (at callout C).
Next, choose the IP address range and ports that you want to scan. The interface supports flexible syntax. For example, to scan the 192.168.0 network, you can enter either 192.168.0.x/24 or 192.168.0.0-255. Optionally, you can use the -p switch to specify the ports you want to scan. If you don't specify which ports to scan, Nmap defaults to scanning ports 1 through 1024, in addition to the ports listed in nmap-services.
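As an added illustration (not code from the article or from the Nmap project), the following Python snippet expands the two kinds of specification just described: an Nmap-style port list such as 20,21,53-110,30000- and a target written either as a numeric CIDR block (192.168.0.0/24) or as a last-octet range (192.168.0.0-255). The function names parse_port_spec and expand_targets are this example's own, and it assumes that a trailing dash in a port list means "through port 65535", which matches Nmap's documented meaning.

```python
import ipaddress

MAX_PORT = 65535


def parse_port_spec(spec):
    """Expand an Nmap-style port list ("20,21,53-110,30000-") into a sorted
    list of port numbers. A range with no upper bound runs to 65535 and a
    range with no lower bound starts at 1 (assumption: Nmap's -p semantics)."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo = int(lo_text) if lo_text else 1
            hi = int(hi_text) if hi_text else MAX_PORT
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def expand_targets(spec):
    """Expand a target written as CIDR (192.168.0.0/24) or as a range in the
    last octet (192.168.0.0-255) into the list of addresses it covers."""
    if "/" in spec:
        # strict=False lets a host address such as 192.168.0.5/24 stand for its block
        network = ipaddress.ip_network(spec, strict=False)
        return [str(address) for address in network]
    prefix, last = spec.rsplit(".", 1)
    if "-" in last:
        lo, hi = (int(value) for value in last.split("-", 1))
    else:
        lo = hi = int(last)
    if not (0 <= lo <= hi <= 255):
        raise ValueError(f"bad last-octet range: {last!r}")
    # Validate the three fixed octets by building one real address from them.
    ipaddress.ip_address(f"{prefix}.{lo}")
    return [f"{prefix}.{octet}" for octet in range(lo, hi + 1)]


if __name__ == "__main__":
    ports = parse_port_spec("20,21,53-110,30000-")
    hosts = expand_targets("192.168.0.0/24")
    print(f"{len(ports)} ports, first {ports[:3]}, last {ports[-1]}")
    print(f"{len(hosts)} addresses, from {hosts[0]} to {hosts[-1]}")
```

Both forms of the subnet spelling expand to the same 256 addresses, and the port list above covers 35,596 ports, which is a useful sanity check before launching a scan that you expect to take a while.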
To see what Nmap is doing while it's running, you can use the verbose mode (the -v switch or the -vv switch for even more detail). For example, the Nmap command
performs a TCP SYN scan, in verbose mode, on the 192.168.0 subnet to determine whether any services are listening on ports 20, 21, 53 through 110, and 30000 and higher.
Similarly, the command
scans the 192.168.0 subnet for any servers (e.g., Web servers) listening on port 80.
Nmap's -host_timeout <milliseconds> switch is useful for an initial reconnaissance of a network. You can use this switch with other command-line switches, as this example shows:
Different network devices, such as routers, might block or filter ports and prevent access to or across that device. A filtered port on a network device (e.g., a network printer, a network router with port filtering enabled) sometimes takes much longer to map, and setting this parameter might reduce your network scan times considerably. Nmap notes which network devices time out, so you can pay individual attention to those devices without slowing down your broad scan. Depending on the number of filtered ports on your networked systems, this approach could save you a lot of time.
Figure 3, page 10, shows sample output from a scan configured with a 5-second timeout. Of the 12 hosts scanned, I would investigate or rescan the three hosts that timed out. The same scan with a 10-second timeout took 45 seconds to complete and resulted in only one skipped host. The same scan without the -host_timeout switch took close to 5 minutes to complete.
You'll find a complete description of the command-line switches in the manual (man) page for Nmap. (Nmap's UNIX man page covers the Win32 version adequately.) In addition, the Phrack Magazine article "The Art of Port Scanning," by Fyodor, September 1, 1997, offers an excellent description of the port-scanning techniques and features that Nmap uses. For these references and additional detailed information about how to use Nmap effectively, go to http://www.insecure.org/nmap/nmap_documentation.html. For a description of a sample port-scanning process, see the Web-exclusive sidebar "Basic Port Scanning in Action." (To read this sidebar, go to http://www.secadministrator.com and enter InstantDoc ID 23688.)
Getting Started with Nmap
Even if you've used port scanners before, I recommend using Nmap on a system you know to get a feel for the tool. Then, broaden the types of systems you scan as you become more comfortable with the tool's output. First, scan a few machines on your internal network to gauge how the tool reports your environment. Second, from an external IP address, scan your external network. Note how your firewall, Intrusion Detection System (IDS), and other network tools respond to your port scanning. For example, the TCP connect() scan tells Nmap to use the TCP connect() function for the scan. Most IDSs will log that completed connection, but they won't necessarily log the half-open connections that a TCP SYN scan creates. Catalog the information that Nmap provides about your network for future reference.
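The handshake comparison in "How Nmap Works" and the IDS remark above suggest a simple detection check you can run over your own connection logs while you test: a full connect() scan leaves SYN, SYN-ACK, ACK on every open port, whereas a SYN scan leaves SYN, SYN-ACK, RST, which a sensor that records only completed connections never sees. The Python below is an added example (not code from the article or the Nmap project) that classifies each observed flag sequence and flags any source that touches many distinct ports. The flow records, the record layout, and the names classify_attempt and find_scanners are this example's own assumptions; the threshold of five ports is an arbitrary starting value to tune for your network.

```python
from collections import defaultdict

# Constructed sample connection records, roughly what a simple sensor or
# firewall log could provide: (source IP, destination IP, destination port,
# sequence of TCP flags seen on that connection attempt). Not real traffic.
SAMPLE_FLOWS = [
    ("192.168.0.50", "192.168.0.10", 80,  ["SYN", "SYN-ACK", "ACK"]),  # ordinary connect()
    ("192.168.0.50", "192.168.0.10", 443, ["SYN", "SYN-ACK", "ACK"]),  # ordinary connect()
    ("192.168.0.77", "192.168.0.10", 21,  ["SYN", "SYN-ACK", "RST"]),  # half-open, port open
    ("192.168.0.77", "192.168.0.10", 22,  ["SYN", "RST"]),             # closed port answers RST
    ("192.168.0.77", "192.168.0.10", 25,  ["SYN"]),                    # no reply: filtered
    ("192.168.0.77", "192.168.0.10", 80,  ["SYN", "SYN-ACK", "RST"]),  # half-open, port open
    ("192.168.0.77", "192.168.0.10", 135, ["SYN", "SYN-ACK", "RST"]),  # half-open, port open
    ("192.168.0.77", "192.168.0.10", 139, ["SYN", "SYN-ACK", "RST"]),  # half-open, port open
]


def classify_attempt(flags):
    """Map an observed flag sequence to (port state, client behaviour)."""
    if flags == ["SYN", "SYN-ACK", "ACK"]:
        return ("open", "full-connect")      # what a connect() scan (or a real client) leaves
    if flags == ["SYN", "SYN-ACK", "RST"]:
        return ("open", "half-open")         # SYN scan signature: handshake torn down with RST
    if flags == ["SYN", "RST"]:
        return ("closed", "probe")           # closed ports answer RST whichever scan type is used
    if flags == ["SYN"]:
        return ("filtered", "probe")         # no answer at all: a filter dropped the SYN
    return ("unknown", "other")


def find_scanners(flows, min_ports=5):
    """Return {source: summary} for every source that touched at least
    min_ports distinct (destination, port) pairs. Half-open handshakes are
    counted separately because a sensor logging only completed connect()s
    would not have recorded them at all."""
    per_source = defaultdict(lambda: {"targets": set(), "half_open": 0, "full_connect": 0})
    for src, dst, dport, flags in flows:
        _state, behaviour = classify_attempt(flags)
        entry = per_source[src]
        entry["targets"].add((dst, dport))
        if behaviour == "half-open":
            entry["half_open"] += 1
        elif behaviour == "full-connect":
            entry["full_connect"] += 1
    flagged = {}
    for src, entry in per_source.items():
        if len(entry["targets"]) >= min_ports:
            flagged[src] = {
                "distinct_ports": len(entry["targets"]),
                "half_open": entry["half_open"],
                "full_connect": entry["full_connect"],
            }
    return flagged


if __name__ == "__main__":
    for src, summary in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {summary}")
```

Run against the sample, the ordinary client stays below the threshold while the half-open source is reported with six distinct ports and four half-open handshakes; if your IDS shows you the connect() scan but not this pattern, that is the gap the article warns about.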
Notify those concerned. In your testing, remember that many companies regard port scanning as a hostile act, so be considerate and limit port scanning to your own network. Also, let your colleagues know that you're port scanning because the process might trigger IDS alerts and possibly cause other networking problems.
Shut down unnecessary services. Use the information Nmap provides (taking into account your network's sensitivity) to shut down unneeded services or revise your router ACLs to block ports in front of your network. For example, suppose that you run IIS for an external Web server. Figure 4 shows output from an Nmap scan of a default installation of Win2K server running IIS. Depending on your build process and security modifications to the default build, your scan should show fewer open ports. Use Nmap to see what's exposed on your servers and make modifications to limit your exposure.
In this example, even if you can't disable all the listening services (perhaps because of other application requirements), you might be able to enable an ACL on the router bordering the Internet to limit traffic to ports 80 and 443. After you make changes, rescan your network and note differences.
Also consider upgrading or revising your IDS software to alert you about scans that you initiate. These alerts will assure you that your IDS software will notify you about similar scans that might target your network in the future.
Create a baseline. After you use Nmap to help lock down your network and identify sources of information that intruders might be able to access, create a baseline from these known systems and services. Communicate this baseline to others in your IT group. Then, when someone brings a new server or service online, everyone knows the importance of documenting (or registering) the server or service and updating the baseline.
Schedule Nmap. Consider scheduling Nmap to run against the network to look for anomalies. Don't limit running Nmap to your external network only; your internal network might be vulnerable to attack as well. For example, one way that CodeRed and Nimda propagate is through IIS. You can use Nmap to detect all internal IIS installations by scanning for port 80 and compiling the IP addresses of machines that might be vulnerable and need to be upgraded or patched. You can get special worm scanners that look for vulnerable machines, but the release time for specialized scanners can be longer than it takes you to scan for a service's listening port and patch the host server conventionally.
Using Nmap's Output
I sometimes prefer command-line tools to their GUI counterparts because I can include command-line tools in scripts and direct the output to a variety of devices or programs. Nmap is no exception; in fact, Nmap provides not only standard output to the console but also delimited and XML output to a file. These output options help you scan multiple subnets and aggregate data in a central reporting system or tool. Web Figure 5 shows standard Nmap output in a user-friendly format.
However, for importing to spreadsheets or parsing scripts, Nmap supports a grepable format, which Web Figure 6 shows. (Grep is a UNIX file-parsing utility similar to but more powerful than Windows' Find command.)
Best of all, Nmap's XML output provides the most flexible means of transporting the data into other applications. You can import this well-defined XML output into a database such as Microsoft Access, display it on a Web page, or open it with another XML-capable program. The XML format lends itself to baselining activities because the format facilitates comparing repeated scans. Web Figure 7 shows a Microsoft Internet Explorer (IE) display of Nmap XML output. Note the well-formed, hierarchical XML formatting that permits reliable, repeatable data collection.
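To show how the XML output supports the baselining and worm-hunting steps described earlier ("Create a baseline" and "Schedule Nmap"), here is an added Python example; it is not code from the article or from the Nmap project. The two documents inside it are constructed for the example and follow the element layout of Nmap's XML output (nmaprun, host, address, ports, port, state, service) as documented for later Nmap releases, not output captured from Nmap 2.54, so treat that layout as an assumption and check it against a real file before relying on it. The function names open_ports_by_host, diff_scans and hosts_listening_on are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed "baseline" scan: two known hosts with their expected open ports.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      <port protocol="tcp" portid="110"><state state="open"/><service name="pop3"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed "current" scan: one host gained a port, one lost a port, and an
# unregistered host with a Web server has appeared.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="loc-srv"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.168.0.33" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports_by_host(xml_text):
    """Return {ip: {(protocol, port), ...}}, keeping only ports reported open."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        result[address.get("addr")] = open_ports
    return result


def diff_scans(baseline, current):
    """Compare two open_ports_by_host results and report every change."""
    report = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "new_ports": {},
        "closed_ports": {},
    }
    for ip in set(baseline) & set(current):
        opened = sorted(current[ip] - baseline[ip])
        closed = sorted(baseline[ip] - current[ip])
        if opened:
            report["new_ports"][ip] = opened
        if closed:
            report["closed_ports"][ip] = closed
    return report


def hosts_listening_on(scan, port, protocol="tcp"):
    """List every host with the given port open, e.g. all machines answering on 80/tcp."""
    return sorted(ip for ip, ports in scan.items() if (protocol, port) in ports)


if __name__ == "__main__":
    baseline = open_ports_by_host(BASELINE_XML)
    current = open_ports_by_host(CURRENT_XML)
    print(diff_scans(baseline, current))
    print("Web servers to check:", hosts_listening_on(current, 80))
```

With a scheduled scan writing XML to a file, the same functions run over the saved baseline and the newest output give you the unregistered host and the newly opened port in one short report, and the port-80 list is the candidate set to patch when an IIS worm is circulating.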
Nmap: Security Scout
As with any product in the development stages, Nmap's Win32 port has known bugs and limitations. The Windows version lags behind the UNIX version in stability and features, so always refer to the latest README documents when you use a new version or run into a problem. Nevertheless, port scanning and OS fingerprinting can be important to your security program. Although patches and firewalls serve as the fortresses and defensive weaponry, consider Nmap a valuable scout to assist and recon your security position. I think that after you use Nmap, you'll keep it in your security toolkit for a long time.