Perimeter | Commentary
4/12/2010 02:32 PM
John H. Sawyer

Nmap Does Much More Than Network Discovery

Nmap is among a network penetration tester's best friends, sitting high on a pedestal with the Metasploit Framework. I've been using the tool my entire career for network mapping and host discovery, typically on a weekly basis.

Released on Sept. 1, 1997, Nmap has seen major updates and enhancements during the past decade that have turned it into more than just a network scanning tool. Nmap has become, essentially, a security suite that includes vulnerability detection, packet crafting, password cracking, and netcat functionality. The latest release as of about two weeks ago, 5.30BETA1, includes a slew of new NSE scripts and library updates, an expanded password list based on leaked password databases, a new DNS discovery script that leverages DNS-SD (a.k.a. Bonjour, Rendezvous, and Zeroconf), and Nping for packet crafting.

Wondering what some of those things are? NSE scripts enable Nmap to do more than just determine whether a host is up and which ports are listening. The Nmap Scripting Engine (NSE) extends Nmap's scanning capabilities to include vulnerability detection (even exploitation, as with the new afp-path-vuln script), detailed service querying to learn as much about a host as possible, password attacks, and even remote process execution similar to the PsExec tool from Microsoft Sysinternals. Each script declares a rule that decides which hosts or ports it runs against and an action that does the actual work, and Nmap schedules the scripts alongside its normal scan.
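To make the rule/action structure concrete, here is a small NSE script written for this column as an added example; it is not one of the scripts shipped with Nmap, and the script name banner-peek and its timeout argument are my own choices. It connects to a few common text-based services, reads the first line the server volunteers, and reports it. It assumes a current Nmap with the standard nmap, shortport, and stdnse libraries available.

```lua
-- banner-peek.nse: hypothetical example script, not part of the Nmap distribution.
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Connects to a handful of common text-based services, reads the first line
the server volunteers, and reports it. Shows the three parts every NSE
script has: metadata, a rule deciding when it runs, and an action.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Rule: run only against ports Nmap found open that are either one of these
-- port numbers or were identified by version detection (-sV) as one of
-- these services. shortport builds the rule function for us.
portrule = shortport.port_or_service(
  {21, 22, 25, 110, 143},
  {"ftp", "ssh", "smtp", "pop3", "imap"}
)

-- Action: called once per matching port; whatever it returns is printed
-- under that port in Nmap's output. Returning nil prints nothing.
action = function(host, port)
  -- Optional script argument (hypothetical name), in milliseconds:
  --   --script-args banner-peek.timeout=3000
  local timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 5000

  local sock = nmap.new_socket()
  sock:set_timeout(timeout)

  local ok, err = sock:connect(host, port)
  if not ok then
    return nil
  end

  -- All of these protocols speak first, so wait for a single line and stop.
  local got, data = sock:receive_lines(1)
  sock:close()
  if not got then
    return nil
  end

  -- Strip the trailing CR/LF and replace anything non-printable so the
  -- banner cannot inject control characters into the scan report.
  data = data:gsub("[\r\n]+$", "")
  data = data:gsub("[^%g ]", ".")
  return data
end
```

Run it by pointing --script at the file, for example nmap -sV -p 21,22,25 --script ./banner-peek.nse target. The sanitizing step at the end is the part worth copying: script output lands in reports and log files, and a hostile service can put whatever it likes in its banner.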

While NSE is an enhancement to Nmap itself, additional tools have been released over the years as part of the Nmap package. The latest is Nping; according to its documentation, it "is an open source tool for network packet generation, response analysis and response time measurement." Much like the well-known Hping tool, Nping lets you craft arbitrary packets to perform tasks such as host discovery and IDS/IPS/firewall evasion.

Other additions to the Nmap package have included Ncat and Ncrack. Ncat is a "much-improved reimplementation of the venerable Netcat," which is most often referred to as the TCP/IP Swiss Army knife. Using Ncat, you can redirect TCP and UDP ports, proxy connections via SOCKS4 and HTTP, transfer files, and interact with network services. It is an amazingly flexible tool that even comes in handy during forensics and incident response for copying files and imaging entire hard drives over the network.

The last Nmap-related tool I want to mention is Ncrack. It is a brute-force password-guessing tool like Medusa, which I wrote about recently. It isn't as full-featured as Medusa and is considered alpha-quality code, but it definitely shows promise already, considering it's part of the Nmap project and supports services like FTP, SSH, Telnet, SMTP, HTTP, and HTTPS (although the depth of support for each protocol isn't as great as Medusa's).

If you always thought Nmap was just a network scanner for finding which hosts are on a network and which services are listening on those hosts, then think again. Each new release brings a host of great new features. It might be time to rethink some of your tools and how Nmap can fit better into your security processes.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
