232 7.17 Analyzing Nmap Scan Results
registered to use these ports for communication purposes. Because ports are the points of access to a system, they are also the points most often scanned by an attacker and tracked by the system administrator. Over the years, port scanners have continually evolved from primitive tools into highly stealthy software. Because time is on the side of the attacker, stealth scanning can be achieved by a combination of spoofing and the type of packet sent. The information retrieved and collected forms the basis for how an attack will be planned.
Typically, the process for a hacker is to first scan to determine which operating system, ports, and protocols are running on a target. For each of these, a matrix can be established and used later for specific penetration activities. For example, if port 20 is detected as an open port and FTP traffic is detected, the hacker can tailor an attack for penetration of an FTP server. They may use a technique known as “hammering” to find a password that allows the FTP server to grant them privileged access. Once the hacker penetrates the FTP server, he or she has access to everything the FTP server can see in its network segment. As you can see, it does not take a lot of information to aid an attacker in his or her work.
7.17 Analyzing Nmap Scan Results
The result of running Nmap is usually a list of interesting ports on the machine(s) being scanned (if any). Nmap always gives each port's “well-known” service name (if any), number, state, and protocol. The state is either open, filtered, or unfiltered. Open means the target machine will accept connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing Nmap from determining whether the port is open. Unfiltered means the port is known by Nmap to be closed and no firewall/filter seems to be interfering with Nmap's attempts to determine information. Unfiltered ports are the most common case, and are only shown when most of the scanned ports are found to be in the filtered state. Depending on which options are used, Nmap may also report the following characteristics of the remote host: the OS in use, TCP sequence predictability, the usernames under which the programs bound to each port are running, the DNS name, whether the host is a Smurf address, and so on. Nmap comes with myriad configuration options that allow a scanner to fine-tune the scanning process to obtain the necessary data. It is important to check the logs from perimeter devices for such repeated scanning and take steps to prevent hacks.
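As an added example that is not part of the book, the following Python parser turns the Nmap output format described above (port number, protocol, state, and service name per row, plus the collapsed "Not shown" summary) into structured records so the states can be tallied and the open ports listed. The sample report, including the host name and every port line, is constructed for illustration and is not a real scan.

```python
import re
from collections import Counter

# Constructed sample of Nmap "normal" output; it is not a real scan result.
SAMPLE_OUTPUT = """\
Nmap scan report for host.example.internal (10.0.0.5)
Host is up (0.0012s latency).
Not shown: 995 filtered ports
PORT     STATE      SERVICE
21/tcp   open       ftp
22/tcp   open       ssh
80/tcp   open       http
443/tcp  unfiltered https
3306/tcp filtered   mysql
"""

TARGET = re.compile(r"^Nmap scan report for (\S+)")
# Ports Nmap collapses into one summary line, e.g. "Not shown: 995 filtered ports".
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports?")
# One row of the port table: "<number>/<protocol>  <state>  <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")


def parse_nmap_output(text):
    """Turn the human-readable Nmap port table into a dict of structured records."""
    report = {"target": "", "ports": [], "not_shown": Counter()}
    for line in text.splitlines():
        if m := TARGET.match(line):
            report["target"] = m.group(1)
        elif m := NOT_SHOWN.match(line):
            report["not_shown"][m.group(2)] += int(m.group(1))
        elif m := PORT_LINE.match(line):
            number, proto, state, service = m.groups()
            report["ports"].append(
                {"port": int(number), "proto": proto, "state": state, "service": service}
            )
    return report


def state_totals(report):
    """Per-state counts, combining the listed ports with the 'Not shown' summary."""
    totals = Counter(p["state"] for p in report["ports"])
    totals.update(report["not_shown"])
    return totals


def open_services(report):
    """Ports that accept connections: the exposure an administrator must justify or close."""
    return [f'{p["port"]}/{p["proto"]} {p["service"]}'
            for p in report["ports"] if p["state"] == "open"]
```

Because the "Not shown" line is folded into the totals, the tally shows why the single unfiltered port appears in the table: nearly every scanned port was filtered.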