7.15 Using Nmap 229
Chapter 7
problems. Further, as network resources increase in size and as more users consume network resources and abuse the network in various ways, virus infiltration and spread, worms, and other network contaminants that would negatively affect the performance of the network and the systems on it become an all-too-real probability.
Some computing sites, due to the nature of their business, require continual network monitoring. Other sites require network security monitoring due to information access reporting laws, audit requirements, guarantees of access (ensuring that only the proper entity is accessing the proper items), protection of competitive information, laws requiring the guarantee of restricted access to personal information, general electronic security (e.g., e-mail access, document transfer), electronic funds exchange, monitoring of exchange or transaction data volume between systems, and many other items related to security. Regardless of the reason for such monitoring, it all begins at the perimeter (i.e., routers and firewalls). Now, let’s take a look at what is necessary in an audit of a router. For our purposes, we will be discussing the use of Cisco™ routers.
7.15 Using Nmap
Nmap (“Network Mapper”) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU General Public License (GPL).
7.15.1 What Is NLog?
NLog is a set of scripts written in the Perl scripting language for managing and analyzing Nmap log files (Nmap Version 2.0 and above). NLog lets you keep all of your scan logs in a searchable database. The CGI interface for viewing your scan logs is completely customizable and easy to modify and improve. The core CGI script allows you to add your own extension scripts for different services, so all hosts with a certain service running will have a hyperlink to the extension script.
Basically, this is a multipurpose Web-based Nmap log browser. The extension scripts allow you to get detailed information about specific services like NetBIOS, RPC services, finger services, and BIND version data from a DNS server. It is extremely easy to create extensions for things like an snmpwalk wrapper, a popper vulnerability check, and so on. NLog provides a standard database format on which you can build your own scripts for any purpose. Included with the NLog distribution are example CGI scripts, the Nmap-log-to-database conversion tool, a sample template for building Perl scripts, and a couple of scripts used for dumping IPs from a domain and performing similar reporting operations. Another use of NLog is for network administrators who want to scan their local network on a regular basis. This is desirable in order to make sure none of the machines are listening on weird ports and that they are running only authorized services. A cron script can be used to scan the internal network, convert the log files to the NLog database format, and store them on a Web server, sorted by time or date. The administrator could then load the NLog search form page and run comparisons between databases collected on different dates or at different times from anywhere. If the Web server is on a gateway machine, the administrator could run RPC or finger requests on the internal hosts through the CGI interface, thus removing any need to be on the (possibly) firewalled or masked network to check a host’s status.
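As an added illustration (not code from the book or from the NLog distribution), the following Python script does the core of what the cron workflow above describes, without the NLog database: it parses Nmap grepable (-oG) output saved from two scan dates, flags hosts listening on ports outside a table of authorized services, and lists the ports that appeared since the earlier scan. The scan output, the addresses and the AUTHORIZED policy table are constructed sample data.

```python
import re

# Constructed sample Nmap grepable (-oG) output for two weekly scans (the files a
# cron job would save). Addresses and results are invented, not real scan data.
SCAN_WEEK1 = """\
# Nmap 3.00 scan initiated (constructed sample)
Host: 10.1.1.10 (fileserver)\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (1599)
Host: 10.1.1.20 (webhost)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1599)
Host: 10.1.1.30 ()\tStatus: Down
"""
SCAN_WEEK2 = """\
# Nmap 3.00 scan initiated (constructed sample)
Host: 10.1.1.10 (fileserver)\tPorts: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 31337/open/tcp//unknown///
Host: 10.1.1.20 (webhost)\tPorts: 22/open/tcp//ssh///, 79/open/tcp//finger///, 80/open/tcp//http///
Host: 10.1.1.30 ()\tPorts: 23/open/tcp//telnet///
"""
# Hypothetical policy table: services each host may run. Hosts absent from it
# are authorized for nothing, so every open port on them is flagged.
AUTHORIZED = {"10.1.1.10": {22, 139}, "10.1.1.20": {22, 79, 80}}
# Host lines are tab-separated: "Host: <ip> (<name>)\tPorts: <list>[\tIgnored State: ...]"
HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: ([^\t]*)")

def parse_grepable(text):
    """Map each scanned host to the set of ports reported as open."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and hosts without a Ports: field (e.g. Status: Down)
            continue
        ip, ports_field = m.groups()
        open_ports = set()
        for entry in ports_field.split(","):
            # entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(int(fields[0]))
        result[ip] = open_ports
    return result

def unauthorized_ports(scan, authorized):
    """Hosts listening on ports outside their authorized set, with those ports."""
    extra = {ip: sorted(p - authorized.get(ip, set())) for ip, p in scan.items()}
    return {ip: ports for ip, ports in extra.items() if ports}

def new_since(old_scan, new_scan):
    """Ports open now that were not open in the earlier scan (new hosts count fully)."""
    extra = {ip: sorted(p - old_scan.get(ip, set())) for ip, p in new_scan.items()}
    return {ip: ports for ip, ports in extra.items() if ports}
```

Run against the two samples, the week-2 scan shows finger on the web host as new but authorized, while the unknown high port on the file server and the telnet listener on the previously down host are both new and unauthorized.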
7.15.2 Downloading Nmap
Use http://www.insecure.org/nmap/nmap_download.html as the official site for obtaining a copy of the Nmap tool. It is freely available for download from this URL. The Nmap product is officially maintained and managed from the above location. The following data, obtained from the official Nmap Web site, explains some of the major features of Nmap.
7.15.3 Nmap Features
Nmap is a tool used for security auditing. The newest version improves performance and stability and adds more features. At the time of this writing, the latest version of Nmap is 3.0 for all platforms (Windows, Linux tarball, Linux RPM). Some of the new features of Nmap are:
1. Fast parallel pinging of all hosts on a network to determine which ones are active. Use the ICMP echo request (ping), TCP ACK packet, or TCP SYN packet to probe for responses. By default, Nmap uses both ACKs and ICMP pings to maximize the chance