
Protect your network and identify new computers and services with this well-known tool

Port scanning offers security professionals and systems administrators a fast and effective way to identify which services or applications their servers have open to the Internet or another network. Complex OSs, such as Windows 2000, support applications that can use hundreds of ports to communicate with other clients or servers. Long gone are the days of classifying a Web server as simply port 80. In a standard installation, running Microsoft Internet Information Services (IIS) 5.0 on Win2K leaves many ports open.

You can find many port scanners for Win2K, and several scanners offer a GUI that makes conducting a rudimentary network scan easy. My favorite Win2K port scanner is Insecure.Org's Nmap (which Fyodor wrote and eEye Digital Security ported to Win32), because of its flexible command-line-driven scanning options and robust output formats. Nmap's port-scanning and fingerprinting capabilities make it a favorite in many UNIX systems administrators' toolkits. The current version of Nmap for Windows, Nmap 2.54, is still in beta but available for use. (For a basic review of port scanning, see the sidebar "A Port-Scanning Primer," page 11.)

Port scanning is a powerful technique; unfortunately, many administrators think of port scanning only as a tool that helps intruders invade remote networks. However, Nmap can help you secure your installation several ways. Let's look at how scanning ports with a scanner such as Nmap can play an important role in your Internet security plan and how to install and use Nmap.

Why Scan Ports?
Port scanning supports at least four basic security missions. First, port scanning helps you identify which ports are open. Although you could run the Netstat command on each server to identify open ports, port scanning provides more information. Second, port scanning helps you not only categorize the servers and services that you know about but also identify new servers and services that you don't know about (but might be responsible for). I regularly scan my entire network and compare the results with a previous scan in which I've already identified the servers and services. Third, port scanning helps you determine the information that your Internet-facing network connections show to the world. In Nmap's case, you can use its OS fingerprinting features to discover what outsiders can learn about your network. To learn about Nmap's OS fingerprinting features, see the Web-exclusive sidebar "Nmap's OS Fingerprinting." (To read this sidebar, go to http://www.secadministrator.com and enter InstantDoc ID 23692.) Knowing each port's overall state is important: If you can access a port, chances are that an intruder can, too. Fourth, port scanning helps you protect your network from Internet service-based worms (e.g., CodeRed, Nimda) by identifying the servers and workstations that are running IIS or another targeted service.
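The second mission above, comparing a fresh scan of the whole network against an earlier scan you have already reviewed, is easy to automate once Nmap's output is saved in a machine-readable format. The following script is an added example (it is not part of the article and not code from the Nmap project): it parses two scans saved with Nmap's grepable output option (-oG) and reports hosts and open ports that appeared or disappeared since the baseline. The host lines embedded below are constructed sample data in the -oG layout, not real scan results; the file names and the ms-term-serv service label are illustrative.

```python
"""Compare two Nmap grepable-output (-oG) scans and report what changed.

Added example; not from the original article or from Nmap. Assumes both
scans were saved with 'nmap -oG <file> ...'. The sample host lines below
are constructed, not captured from a real network.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: last week's reviewed baseline of a small subnet.
BASELINE = """\
# Nmap run (constructed sample, baseline)
Host: 192.168.1.10 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.20 (fs01)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
"""

# Constructed sample: today's scan. web01 now exposes an extra port, fs01
# closed one, and a host that was not in the baseline has appeared.
CURRENT = """\
# Nmap run (constructed sample, current)
Host: 192.168.1.10 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (997)
Host: 192.168.1.20 (fs01)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
Host: 192.168.1.77 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
"""

PortEntry = Tuple[int, str, str]  # (port, protocol, service name)

# One -oG host line: "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\tIgnored State:.*)?$"
)


def parse_grepable(text: str) -> Dict[str, Set[PortEntry]]:
    """Return {ip: {(port, proto, service), ...}} listing only open ports."""
    hosts: Dict[str, Set[PortEntry]] = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and anything that is not a host record
        ip, _hostname, ports_field = match.groups()
        open_ports: Set[PortEntry] = set()
        for entry in ports_field.split(","):
            # Entry layout in -oG: port/state/proto/owner/service/rpcinfo/version
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                open_ports.add((int(port), proto, service))
        hosts[ip] = open_ports
    return hosts


def diff_scans(baseline: Dict[str, Set[PortEntry]],
               current: Dict[str, Set[PortEntry]]) -> Dict[str, object]:
    """Report hosts and open ports that appeared or vanished since the baseline."""
    new_ports: Dict[str, List[PortEntry]] = {}
    closed_ports: Dict[str, List[PortEntry]] = {}
    for ip in set(baseline) & set(current):
        opened = current[ip] - baseline[ip]
        closed = baseline[ip] - current[ip]
        if opened:
            new_ports[ip] = sorted(opened)
        if closed:
            closed_ports[ip] = sorted(closed)
    return {
        "new_hosts": sorted(set(current) - set(baseline)),
        "gone_hosts": sorted(set(baseline) - set(current)),
        "new_ports": new_ports,
        "closed_ports": closed_ports,
    }


def main() -> None:
    report = diff_scans(parse_grepable(BASELINE), parse_grepable(CURRENT))
    for ip in report["new_hosts"]:
        print(f"NEW HOST      {ip}")
    for ip in report["gone_hosts"]:
        print(f"MISSING HOST  {ip}")
    for ip, entries in report["new_ports"].items():
        for port, proto, service in entries:
            print(f"NEW PORT      {ip} {port}/{proto} ({service})")
    for ip, entries in report["closed_ports"].items():
        for port, proto, service in entries:
            print(f"CLOSED PORT   {ip} {port}/{proto} ({service})")


if __name__ == "__main__":
    main()
```

In practice you would read BASELINE and CURRENT from the files written by two runs of `nmap -oG` and review every NEW HOST and NEW PORT line, since each one is a service you have not yet accounted for.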

Nmap for Windows
In June 2000, eEye Digital Security ported the original Win32 version of Nmap, called nmapNT, from UNIX Nmap 2.53. Although nmapNT is more than a year old, the Service Pack 1 (SP1) version is still available at http://www.eeye.com/html/research/tools/nmapnt.html. Since the release of SP1, developers have merged the nmapNT code with the original Nmap code to create Nmap 2.54, which is available at http://www.insecure.org. Bringing the Win32 code under the one Nmap source tree is great because Win32 users get many updated UNIX Nmap features.

Nmap developers feel that the Win32 Nmap code (i.e., Nmap 2.54B30) isn't up to the standards of its UNIX counterpart yet. Therefore, the developers don't widely distribute the binaries, and they recommend instead that you compile the source code yourself with a C++ compiler; you can download the source from http://www.insecure.org. However, the precompiled Nmap 2.54 beta binary, which you can find at http://download.insecure.org/nmap/dist/nmap-2.54BETA30-win32.zip, works quite well on Windows XP and Win2K, and the feature set is very close to the UNIX version.

Nmap is licensed under the GNU's Not UNIX (GNU) license. As with much GNU-licensed software, bug reports are encouraged, but you won't find commercial support for the software (i.e., no tech support to call). However, the Insecure.Org Web site sponsors two mailing lists, Nmap-dev and Nmap-hackers, to discuss this tool. In addition, the Nmap user community is savvy and enthusiastic, and you can join several Usenet and mailing lists through which you can seek help with any problems. You'll find that scouting on the Web will lead you to solutions for most problems you might encounter.

Installing Nmap
Nmap 2.54 uses the Windows packet-capture library (WinPcap) packet-filter driver (available at http://netgroup-serv.polito.it/winpcap). The WinPcap application is a common driver that other Win32 ports of UNIX networking tools (e.g., Ngrep, Snort) use. WinPcap enables the calling application (in this case, Nmap) to capture raw data in promiscuous mode from the NIC. WinPcap supports XP, Win2K, Windows NT, Windows Me, and Windows 9x. Download the most recent version of WinPcap and review the BSD-style license. (Redistribution is permitted under certain circumstances.) You'll find that WinPcap installs cleanly; be sure to reboot after you install it.

To install the Nmap executables and support files, simply extract them to a directory. The current set of files includes the main binary nmap.exe, an optional Nmap GUI front end, nmapfe.exe, and the following reference text files:

  • nmap-os-fingerprints—list of TCP/IP stack identification information for more than 500 network devices and OSs
  • nmap-protocols—list of protocols that Nmap uses for protocol scanning
  • nmap-rpc—list of the remote procedure call (RPC) services that Nmap uses to determine which application is listening on a specific port
  • nmap-services—list of the TCP/UDP services that Nmap uses to match the service name to the port number and as an optional list of ports to scan (instead of the entire IP address range)
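The nmap-services file is a plain text table, one service per line, in the form `name port/protocol` with `#` comments, which is why Nmap can use it both to label a port with a service name and as the default list of ports to probe. The script below is an added example (not code from the article or from Nmap) that reads this format, labels a port the way Nmap's service matching does (falling back to "unknown" for ports not in the table), and builds a comma-separated port list suitable for Nmap's -p option from a set of service names. The table contents embedded here are a constructed excerpt, not the project's full file; newer Nmap releases add a frequency column after the port, which this parser simply ignores.

```python
"""Read the nmap-services table and use it for name lookup and -p port lists.

Added example; not from the original article or from Nmap. The lines in
SAMPLE_SERVICES are a constructed excerpt in the file's format.
"""
from typing import Dict, Iterable, Tuple

# Constructed excerpt in nmap-services layout: "name<TAB>port/proto[<TAB>#comment]"
SAMPLE_SERVICES = """\
# Constructed excerpt of an nmap-services table
ftp\t21/tcp\t# File Transfer [Control]
ssh\t22/tcp\t# Secure Shell
smtp\t25/tcp\t# Simple Mail Transfer
http\t80/tcp\t# World Wide Web HTTP
snmp\t161/udp\t# Simple Network Management
https\t443/tcp\t# http protocol over TLS/SSL
microsoft-ds\t445/tcp
"""


def load_services(text: str) -> Dict[Tuple[int, str], str]:
    """Parse nmap-services text into {(port, protocol): service_name}."""
    table: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # malformed line; Nmap would skip it as well
        name, port_proto = fields[0], fields[1]
        port_text, proto = port_proto.split("/", 1)
        # A third column (port frequency) exists in newer files; it is ignored here.
        table[(int(port_text), proto)] = name
    return table


def service_name(table: Dict[Tuple[int, str], str], port: int, proto: str) -> str:
    """Label a port the way Nmap does: table name, or 'unknown' if absent."""
    return table.get((port, proto), "unknown")


def port_spec(table: Dict[Tuple[int, str], str], names: Iterable[str]) -> str:
    """Build a comma-separated port list (the -p argument) for the named services."""
    wanted = set(names)
    ports = sorted({port for (port, _proto), name in table.items() if name in wanted})
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    services = load_services(SAMPLE_SERVICES)
    print(service_name(services, 445, "tcp"))     # microsoft-ds
    print(service_name(services, 3389, "tcp"))    # unknown (not in the excerpt)
    print("nmap -p " + port_spec(services, ["http", "https", "microsoft-ds"]))
```

Pointing `load_services` at the real nmap-services file that ships with Nmap gives the same lookups Nmap performs, and `port_spec` lets you scan only the services you care about (for example, the ones a current worm targets) instead of the whole port range.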