7.16 Mapping the Network with Nmap 231
Chapter 7
of infiltrating packet filters. There is also a connect() version for
underprivileged users. The syntax for specifying which hosts
should be scanned is quite flexible.
2. Port scans can be used to determine what services are
running. Techniques available include the SYN (half-open)
scan; the FIN, Xmas, and Null stealth scans; the connect() scan
(which does not require root); the FTP bounce attack; and UDP
scanning. Options exist for common filter-bypassing techniques such
as packet fragmentation and setting the source port number
(to 20 or 53, for example, so that probes look like FTP-data or
DNS traffic to a filter that trusts those ports). Nmap can also query a
remote identd for the usernames the listening services are running under. You
can select any (or all) port numbers to scan, since you may
want to sweep only the networks you run for one or more services
recently found to be vulnerable.
3. Remote OS detection via TCP/IP fingerprinting. This feature
allows you to determine what operating system release each
scanned host is running. In many cases, Nmap can narrow the
OS information down to the kernel number or release version. A
database of approximately 100 fingerprints for common operating
system versions is included with Nmap.
4. TCP ISN sequence predictability tells you which sequence-
prediction class (64K, time-dependent, “true random,” constant,
etc.) the host falls into. A difficulty index is provided to tell you
roughly how vulnerable the machine is to sequence prediction, and
therefore to blind TCP connection spoofing.
5. Decoy scans can be used with Nmap. The idea of a decoy scan is
that for every packet Nmap sends from your address, a similar
packet is sent from each decoy host you specify. This is useful
for confusing port-scan detection software: if such software is
in use, it will generally report a dozen (or however many decoys you
choose) port scans from different addresses at the same time. It is
very difficult to determine which address is actually doing the
scanning and which are simply innocent decoys.
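The connect() scan from item 2 is the one technique in the list that needs no raw sockets, so it can be shown end to end without root. The following is an added example, not code from the book or from Nmap: it classifies ports as open, closed or filtered by what the OS socket API reports, and grabs the banner of open ports to learn which service is listening. The listener on 127.0.0.1 and its "220 ... FTP" banner are constructed here so the example runs offline; the optional `source_port` argument is this example's stand-in for the source-port trick the text describes.

```python
"""Unprivileged TCP connect() scan with banner grabbing.

Added example (not from the book, and not Nmap's code). Each probe is a
full three-way handshake through the normal socket API, so no raw sockets
and no root are needed. The target is a throwaway listener started here
on 127.0.0.1 with a constructed banner, so the example runs offline.
"""
import socket
import threading

LOCALHOST = "127.0.0.1"
# Constructed sample banner; it is not from a real server.
SAMPLE_BANNER = b"220 ftp.example.test FTP server ready\r\n"


def start_listener(host=LOCALHOST):
    """Start a throwaway TCP service on an OS-chosen port.

    Returns (server_socket, port). Every accepted connection is sent
    SAMPLE_BANNER and then closed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed: stop serving
                return
            try:
                conn.sendall(SAMPLE_BANNER)
            except OSError:  # client went away first; ignore
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host=LOCALHOST):
    """Pick a port nothing is listening on (bind to 0, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan_port(host, port, timeout=1.0, source_port=None):
    """Classify one TCP port the way a connect() scan does.

    'open'     : connect() completed the handshake.
    'closed'   : the target answered with RST (connection refused).
    'filtered' : nothing came back before the timeout, which is what a
                 packet filter silently dropping the SYN looks like.
    source_port, if given, binds the probe's source port first (the text's
    "set the source port to 20 or 53" trick); binding below 1024 needs
    root on Unix, and a bind failure is raised rather than reported as a
    scan result.
    Returns (state, banner); banner is bytes for open ports, else None.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    if source_port is not None:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", source_port))
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", None
    except OSError:  # timeout, host unreachable, ...
        s.close()
        return "filtered", None
    try:
        banner = s.recv(256)  # many services announce themselves on connect
    except OSError:
        banner = b""
    finally:
        s.close()
    return "open", banner


def connect_scan(host, ports, timeout=1.0):
    """Scan several ports; returns {port: (state, banner)}."""
    return {p: connect_scan_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    server, open_port = start_listener()
    closed_port = free_port()
    results = connect_scan(LOCALHOST, [open_port, closed_port])
    for port, (state, banner) in results.items():
        print(f"{LOCALHOST}:{port} {state} {banner!r}")
    server.close()
```

The "filtered" verdict is the point a practitioner should notice: a closed port answers with a RST immediately, while a port behind a filter that drops the probe produces silence, so timeouts rather than refusals are the signature of a packet filter. Because every probe completes the handshake, the target's application log records each connection; that is the price of not needing root compared with the half-open SYN scan.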
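Item 4 describes classifying a host's initial sequence numbers and scoring how hard they are to predict. The following is an added example, not from the book and not Nmap's algorithm: a simplified model that takes ISN samples from consecutive connections to one host, computes the increments modulo 2^32, sorts the host into the classes the text names (constant, 64K, time-dependent, random), and reports a difficulty index taken here as the standard deviation of the increments. The 64,000 step, the 5% coefficient-of-variation threshold for "time-dependent", and the sample ISN lists are all assumptions constructed for the example.

```python
"""Classifying TCP ISN samples into sequence-prediction classes.

Added example, not from the book and not Nmap's algorithm: a simplified
model of the idea in item 4. Input is a list of initial sequence numbers
observed on consecutive connections to one host. Output is the class
(constant, 64K, time-dependent, random) and a difficulty index.
"""
import math
from functools import reduce

MOD32 = 1 << 32            # sequence numbers wrap at 2**32
INCREMENT_64K = 64000      # assumed per-connection step for the "64K rule" class
CV_TIME_DEPENDENT = 0.05   # assumed threshold: near-uniform increments => clock-driven

# Constructed sample ISN series (not captured from real hosts).
CONSTANT = [0x12345678] * 5
RULE_64K = [1000, 65000, 129000, 193000, 257000]
TIME_DEPENDENT = [1000, 251000, 501003, 750998, 1001002]
RANDOM = [0x1A2B3C4D, 0xF0E1D2C3, 0x00112233, 0x9ABCDEF0, 0x55443322]


def isn_deltas(isns):
    """Increments between consecutive ISNs, modulo 2**32 so that a wrap
    past 0xFFFFFFFF still counts as a small positive step."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def difficulty_index(isns):
    """Population standard deviation of the increments.

    0 means the next ISN follows exactly from the last one; the larger the
    value, the more guesses a blind spoofer needs.
    """
    d = isn_deltas(isns)
    if not d:
        return 0.0
    mean = sum(d) / len(d)
    return math.sqrt(sum((x - mean) ** 2 for x in d) / len(d))


def classify_isn(isns):
    """Sort a host into one of the classes named in the text."""
    d = isn_deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISN samples")
    if all(x == 0 for x in d):
        return "constant"            # same ISN every connection
    if all(x == INCREMENT_64K for x in d):
        return "64K"                 # fixed step per connection
    mean = sum(d) / len(d)
    stdev = difficulty_index(isns)
    if mean > 0 and stdev / mean < CV_TIME_DEPENDENT:
        return "time-dependent"      # steps track elapsed time, with jitter
    return "random"                  # no usable structure in the increments


def predict_next_isn(isns):
    """Naive prediction used by a spoofer: last ISN plus the mean increment.
    Works for the constant, 64K and (roughly) time-dependent classes."""
    d = isn_deltas(isns)
    return (isns[-1] + round(sum(d) / len(d))) % MOD32


if __name__ == "__main__":
    for name, series in [("constant", CONSTANT), ("64K", RULE_64K),
                         ("time-dependent", TIME_DEPENDENT), ("random", RANDOM)]:
        print(f"{name:15s} class={classify_isn(series):15s} "
              f"difficulty={difficulty_index(series):.1f} "
              f"next guess=0x{predict_next_isn(series):08x}")
```

The wraparound handling matters in practice: a host whose counter passes 2^32 between two samples would otherwise show one huge negative increment and be misclassified as random. The difficulty index here is deliberately crude; what it preserves from the text is the interpretation, namely that a low index means an attacker who can reach the host can guess the ISN of a connection it cannot see and spoof packets into it.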
7.16 Mapping the Network with Nmap
Ports provide the means for interactive communication and services on a
computer, and each is assigned a number so that it can be reached by other
applications and computers. There are 65,535 usable port numbers (1 through
65,535, for TCP and separately for UDP) on any given system, with applications and devices
