Now that we’ve described the concepts of port scanning, enumeration and fingerprinting, it is time to discuss implementing them with open source tools. This article will cover two categories of tools: scanning tools and enumeration tools.
Port scanners accept a target or a range as input, send a query to specified ports, and then create a list of the responses for each port. The most popular scanner is nmap, written by Fyodor, and which is available from www.insecure.org. There are several open source tools for scanning, but Fyodor’s multipurpose tool has become a standard item among penetration testers and network auditors.
style="display:inline-block;width:728px;height:90px"
data-ad-client="ca-pub-8834983181171783"
data-ad-slot="8926342897">
Open Source Tools: Using nmap
Before scanning active targets, consider using the ping sweep functionality of nmap with the -sP option. This option will not port scan a target, but will simply report which targets are up. When invoked as root with nmap -sP ip_address, nmap will send both ICMP echo packets and TCP SYN packets to determine if a host is up. However, if you know that ICMP is blocked, and don’t want to send those unnecessary ICMP packets, you can simply modify nmap’s ping type with the -P option. For example, -P0 -PS enables a TCP ping sweet, with -P0 indicating “no ICMP ping” and -PS indicating “use TCP SYN method.” By isolating the scanning method to just one variant, you increase the speed as well, which may not be a major issue when scanning only a handful of systems, but when scanning multiple Class C networks, or even a Class B network, you may need the extra time for other testing.
If nmap can’t see the target, it won’t scan unless the -P0 (do not ping) option is used. Using the -P0 option can create problems, since nmap will scan each of the target’s ports, even if the target isn’t up, which can waste time. To strike a good balance, consider using the -P option to select another type of ping behavior. For example, the -PP option will use ICMP timestamp requests, and the -PM option will use ICMP netmask requests. Before you perform a full sweep of a network range, it might be useful to do a few limited tests on known IP addresses, such as web servers, DNS, and so on, so you can streamline your ping sweeps and reduce the number of total packets sent and the time taken for the scan.
Capturing the results of the scan is extremely important, as you will be referring to the this information later in the testing process. The easiest way to capture all the needed information is to use the -oA flag, which outputs scan results in three different formats simultaneously: plain text (file extension .nmap), greppable test (.gnmap), and XML (.xml). The gnmap format is especially important to note, because if you need to stop a scan and resume it later, nmap will require this file to continue by using the –resume switch.
In the next article, we will continue our look at open source tools by covering some of nmap’s various options.
External Links:
insecure.org – features nmap news and several open source tools, including security tools
The post Open Source Tools: Part One (nmap) appeared first on pfSense Setup HQ.