Commentary

Nmap Does Much More Than Network Discovery

Nmap is among a network penetration tester's best friends, sitting high on a pedestal with the Metasploit Framework. I've been using the tool my entire career for network mapping and host discovery, typically on a weekly basis.

Released on Sept. 1, 1997, Nmap has seen major updates and enhancements during the past decade that have turned it into more than just a network scanning tool. Nmap has become, essentially, a security suite that includes vulnerability detection, packet crafting, password cracking, and netcat functionality. The latest release as of about two weeks ago, 5.30BETA1, includes a slew of new NSE script and library updates, an expanded password list based on leaked password databases, a new DNS discovery script that leverages DNS-SD (a.k.a. Bonjour, Rendezvous, and Zeroconf), and Nping for packet crafting.

Wondering what some of those things are? NSE scripts enable Nmap to do more than just determine whether a host is up and which ports are listening. The Nmap Scripting Engine extends Nmap's scanning capabilities to include vulnerability detection (even exploitation, as with the new afp-path-vuln script), detailed service querying to learn as much about a host as possible, password attacks, and even remote process execution similar to the psexec tool by Microsoft Sysinternals.
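To make that concrete, here is a minimal script in the shape NSE expects, added here as an illustration; it is not a script from the Nmap project or from the author. The name banner-check.nse is a hypothetical choice, and it performs the simplest form of the "detailed service querying" described above: reading the greeting banner of open FTP, SSH, or SMTP ports so exposed service versions can be inventoried.

```lua
-- banner-check.nse (hypothetical name; added example, not an Nmap-distributed script)
local nmap = require "nmap"
local shortport = require "shortport"

description = [[
Connects to an open FTP, SSH, or SMTP port, reads the greeting banner the
service sends, and reports it so exposed service versions can be inventoried.
]]

author = "example author (placeholder)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- portrule decides which ports the script runs against: open TCP ports that
-- Nmap has identified as FTP, SSH, or SMTP, by number or by service name.
portrule = shortport.port_or_service({21, 22, 25}, {"ftp", "ssh", "smtp"}, "tcp")

-- action does the work for one host/port pair and returns the script output.
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)  -- milliseconds; unresponsive services are skipped

  local status, err = socket:connect(host, port)
  if not status then
    return nil  -- no output when the connection fails
  end

  -- These services speak first, so one line of input is the banner.
  local ok, banner = socket:receive_lines(1)
  socket:close()
  if not ok then
    return nil
  end

  banner = banner:gsub("[\r\n]+$", "")  -- strip the trailing line ending
  return "Banner: " .. banner
end
```

Once the file is placed in Nmap's scripts directory, it is selected like any other NSE script with --script banner-check against hosts the scan already found those ports open on.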

While NSE is an enhancement to Nmap itself, additional tools have been released over the years as part of the Nmap package. The latest is Nping; according to its documentation, it "is an open source tool for network packet generation, response analysis and response time measurement." Just like the well-known Hping tool, Nping allows you to craft arbitrary packets in order to perform things like host discovery and IDS/IPS/firewall evasion.

Other additions to the Nmap package have included Ncat and Ncrack. Ncat is a "much-improved reimplementation of the venerable Netcat," which is most often referred to as the TCP/IP Swiss Army knife. Using Ncat, you can redirect TCP and UDP ports, proxy connections via SOCKS4 and HTTP, copy files, and interact with network services. It is an amazingly flexible tool that even comes in handy during forensics and incident response for copying files and imaging entire hard drives over the network.

The other Nmap-related tool I want to mention is Ncrack. It is a brute-force password-guessing tool like Medusa, which I wrote about recently. It isn't as full-featured as Medusa and is considered alpha-quality code, but it definitely shows promise already, considering it's part of the Nmap project and supports services like FTP, SSH, Telnet, SMTP, HTTP, and HTTPS (although the depth of support for each protocol isn't as great as Medusa's).

If you always thought Nmap was just a network scanner for finding which hosts are on a network and which services are listening on those hosts, then think again. Each new release brings a host of great, new features. It might be time to rethink some of your tools and how Nmap can fit better into your security processes.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
