Network Security
Port Scanning and Enumeration
(NMAP)
Port Scanning
Definition: Probing the ports on a remote machine to gain information
Port – a virtual identifier on a system for a particular application/protocol
Examples:
ftp: port 21
ssh: port 22
telnet: port 23
http: port 80
Oracle: port 1521
Usefulness
Attacker: which ports are open?
Defender: which ports are potential vulnerabilities?
Specific Uses
Find out if system is up
Ping scanning
Find open/vulnerable ports – what services are available?
Port scanning
Operating System identification
TCP/IP fingerprinting
Based on packet TTL, packet size, flags set on SYN/SYN|ACK packets in TCP handshaking
How to use this information
Identify exposed ports/services
Shut down any unneeded services
Famous last words – “I didn’t know X was running on my system”
Ensure that services that are running do not have security vulnerabilities
Issues
Possible problems with usage
Options can flood target machine with packets, potentially affecting it
Ethics
Is it ethical to probe an arbitrary system?
Most say “no”
Identification of probing system
http://www.insecure.org/nmap/idlescan.html
Port Scanning Tools
Unix/Linux
nmap
HPING2
udp_scan
netcat (nc)
Windows
SuperScan4
WinScan
ipEye
nmap
One of many software implementations of a port scanner
Open source
Available on Windows and Unix
Supports many hardware options, including some PDAs
Now with GUI front ends
Linux: nmapfe
Windows: nmapwin
http://www.insecure.org
nmap features
Identifies open ports
Options for regular or stealth scanning
Regular scanning – attempt full connection with port; scanned system knows scan is occurring and can identify scanner
Stealth scanning – attempt partial connection with port; scanned system may not know scan is occurring and may not be able to identify scanner
Attempts to identify operating system
Usually correct, but can be fooled
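The regular-versus-stealth distinction above is exactly what a defender's sensor can key on. The following is an added example, not from the original slides: it takes constructed per-flow records (an assumed sensor format) and flags any source that touches many distinct ports in a short window, labelling it "connect" or "half-open" by whether the client completed the TCP handshake.

```python
from collections import defaultdict

# Constructed sample flow records (assumed sensor format, not real
# traffic): (timestamp, src_ip, dst_port, TCP flags sent by the client).
# A completed handshake shows SYN then ACK from the client; a half-open
# scan sends SYN and answers the SYN/ACK with RST instead.
FLOWS = [
    (100.0, "10.0.0.5", 22, {"SYN", "ACK"}),    # ordinary ssh session
    (100.5, "10.0.0.5", 80, {"SYN", "ACK"}),    # ordinary web request
    (101.0, "10.0.0.9", 21, {"SYN", "RST"}),    # half-open scan begins
    (101.1, "10.0.0.9", 22, {"SYN", "RST"}),
    (101.2, "10.0.0.9", 23, {"SYN", "RST"}),
    (101.3, "10.0.0.9", 80, {"SYN", "RST"}),
    (101.4, "10.0.0.9", 443, {"SYN", "RST"}),
    (101.5, "10.0.0.9", 1521, {"SYN", "RST"}),
    (101.6, "10.0.0.9", 8080, {"SYN"}),         # closed port: target sent RST
    (200.0, "10.0.0.7", 21, {"SYN", "ACK"}),    # connect scan: full handshakes
    (200.2, "10.0.0.7", 22, {"SYN", "ACK"}),
    (200.4, "10.0.0.7", 23, {"SYN", "ACK"}),
    (200.6, "10.0.0.7", 80, {"SYN", "ACK"}),
    (200.8, "10.0.0.7", 1521, {"SYN", "ACK"}),
]


def classify_sources(flows, window=5.0, min_ports=5):
    """Return {src_ip: (kind, distinct_ports)} for every source that
    touched at least `min_ports` distinct ports within `window` seconds.
    kind is "connect" when at least half of the flows in the window
    completed the handshake, otherwise "half-open"."""
    by_src = defaultdict(list)
    for ts, src, port, flags in flows:
        by_src[src].append((ts, port, flags))
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        best, start = None, 0
        for end in range(len(recs)):
            # slide the window start forward until it spans <= window seconds
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            ports = {p for _, p, _ in win}
            if len(ports) >= min_ports and (best is None or len(ports) > best[1]):
                full = sum(1 for _, _, f in win if "ACK" in f)
                kind = "connect" if full * 2 >= len(win) else "half-open"
                best = (kind, len(ports))
        if best is not None:
            findings[src] = best
    return findings
```

Tune `window` and `min_ports` to the host's normal traffic; a busy server legitimately sees many sources, but few sources legitimately touch many distinct ports.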
nmap Output Example
Starting nmap V. 2.54 (www.insecure.org)
Interesting ports on (www.xxx.yyy.zzz)
(The xxxx ports scanned but not shown here are in state: closed)
Port       State  Service
22/tcp     open   ssh
47017/tcp  open   unknown
TCP Sequence Prediction: Class-random positive increments
                         Difficulty=3980866 (Good luck!)
Remote operating system guess: Linux 2.1.122 – 2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
SuperScan4
Nice Windows GUI
Many extra options
Information on ports/services in HTML report format