Using a network mapper to help Linux management and security


This tip looks at the network mapper. Network Mapper (Nmap) is an open source network scanner that is ideal for network troubleshooting, exploration, and auditing. The tool can be used to identify devices on the network or services running on specific devices. It can also identify more advanced information, such as the operating system in use, specific service names and versions, and network filters and firewalls.

Nmap identifies services by means of a fingerprint database containing more than five thousand fingerprints. The database is maintained with the help of the community, which can submit known fingerprints.

Network mapper used as an inventory check tool

One of the common applications of network mappers is to generate basic inventory reports. This is useful for mapping the network, keeping network devices and nodes up to date, and identifying rogue, unauthorized, or forgotten devices.

The basic inventory scan is a ping scan. For example, the following scan shows the hosts available in the 192.168.1.0/24 network. -sP tells Nmap to perform a ping scan, while -n tells it not to perform name resolution.

    nmap -sP -n 192.168.1.0/24

    Starting Nmap 4.76 (http://nmap.org) at CDT
    Host 192.168.1.1 appears to be up.
    MAC Address: 00:18:3A:A4:43:BA (Westell Technologies)
    Host 192.168.1.2 appears to be up.
    Host 192.168.1.3 appears to be up.
    MAC Address: 00:17:EE:01:95:19 (Motorola CHS)
    Host 192.168.1.4 appears to be up.
    MAC Address: 00:16:CB:A3:27:E4 (Apple Computer)
    Host 192.168.1.5 appears to be up.
    MAC Address: 00:1E:52:7D:84:7E (Apple)
    Nmap done: 256 IP addresses (5 hosts up) scanned in 2.17 seconds

This ping scan is very useful for quickly establishing an inventory list. It can also serve as a building block for more complex scripts and programs that verify network addresses and track changes. For example, the following command compares two daily scans saved to text files and reports the new host 192.168.1.5 on the network:

    diff Monday.scan Tuesday.scan | grep "> Host"
    > Host 192.168.1.5 appears to be up.
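The comparison above, extended as an added example that is not part of the original article: it also reports hosts that disappeared and does not depend on the order of lines in the report. The function names hosts_up and scan_delta, the sample files, and the address 192.168.1.9 are constructed for illustration, and the line format is assumed to be the Nmap 4.76 one shown above.

```shell
#!/bin/sh
# Added example (not from the original article): report hosts that appeared
# or disappeared between two saved "nmap -sP -n" reports.
# Assumes the Nmap 4.76 line format "Host <ip> appears to be up."

# Print the sorted, de-duplicated IPs marked as up in one saved scan.
hosts_up() {
    sed -n 's/^Host \([0-9.]*\) appears to be up\.$/\1/p' "$1" | LC_ALL=C sort -u
}

# usage: scan_delta new|gone OLD_SCAN NEW_SCAN
scan_delta() {
    old_list=$(mktemp) || return 1
    new_list=$(mktemp) || return 1
    hosts_up "$2" > "$old_list"
    hosts_up "$3" > "$new_list"
    case $1 in
        new)  LC_ALL=C comm -13 "$old_list" "$new_list" ;;  # only in NEW_SCAN
        gone) LC_ALL=C comm -23 "$old_list" "$new_list" ;;  # only in OLD_SCAN
        *)    echo "usage: scan_delta new|gone OLD NEW" >&2 ;;
    esac
    rm -f "$old_list" "$new_list"
}

# Constructed sample reports; 192.168.1.9 is an invented address.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Monday.scan" <<'EOF'
Starting Nmap 4.76 ( http://nmap.org )
Host 192.168.1.1 appears to be up.
MAC Address: 00:18:3A:A4:43:BA (Westell Technologies)
Host 192.168.1.2 appears to be up.
Host 192.168.1.9 appears to be up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.10 seconds
EOF
cat > "$demo_dir/Tuesday.scan" <<'EOF'
Starting Nmap 4.76 ( http://nmap.org )
Host 192.168.1.1 appears to be up.
MAC Address: 00:18:3A:A4:43:BA (Westell Technologies)
Host 192.168.1.2 appears to be up.
Host 192.168.1.5 appears to be up.
MAC Address: 00:1E:52:7D:84:7E (Apple)
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.17 seconds
EOF

echo "new:  $(scan_delta new  "$demo_dir/Monday.scan" "$demo_dir/Tuesday.scan")"
echo "gone: $(scan_delta gone "$demo_dir/Monday.scan" "$demo_dir/Tuesday.scan")"
```

A host in the "gone" list is worth a look as well: it may simply be powered off, or it may have changed address.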

Host inventory check

Nmap can also be used to determine which services a specific host is running. For example, let's take a closer look at 192.168.1.5, which appeared on the network sometime between the Monday scan and the Tuesday scan:

    nmap -n 192.168.1.5

    Starting Nmap 4.76 (http://nmap.org) at CDT
    Interesting ports on 192.168.1.5:
    Not shown: 984 closed ports
    PORT      STATE SERVICE
    22/tcp    open  ssh
    88/tcp    open  kerberos-sec
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    515/tcp   open  printer
    548/tcp   open  afp
    631/tcp   open  ipp
    1021/tcp  open  unknown
    1022/tcp  open  unknown
    1023/tcp  open  netvenuechat
    2049/tcp  open  nfs
    3300/tcp  open  unknown
    5900/tcp  open  vnc
    20221/tcp open  unknown
    20222/tcp open  unknown
    MAC Address: 00:16:CB:A3:27:E4 (Apple Computer)
    Nmap done: 1 IP address (1 host up) scanned in 10.46 seconds

The open ssh port suggests a Unix system, and the vendor identified from the MAC address makes it very likely an Apple Mac computer. More information can be collected with Nmap service and version detection, which is enabled here with the -sV parameter:

    mb3:~ root# nmap -n -sV 192.168.1.5

    Starting Nmap 4.76 (http://nmap.org) at CDT
    Interesting ports on 192.168.1.5:
    Not shown: 984 closed ports
    PORT      STATE SERVICE      VERSION
    22/tcp    open  ssh          OpenSSH 5.1 (protocol 1.99)
    88/tcp    open  kerberos-sec Mac OS X kerberos-sec
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
    445/tcp   open  netbios-ssn  Samba smbd 3.X (workgroup: WORKGROUP)
    515/tcp   open  printer
    548/tcp   open  afp?
    631/tcp   open  ipp          CUPS 1.3
    1021/tcp  open  rpcbind
    1022/tcp  open  rpcbind
    1023/tcp  open  rpcbind
    2049/tcp  open  rpcbind
    3300/tcp  open  unknown?
    5900/tcp  open  vnc          VNC (protocol 3.8)
    20221/tcp open  unknown?
    20222/tcp open  unknown?
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    SF-Port548-TCP:V=4.76%I=7%D=5/14%Time=4A0C5929%P=i386-apple-darwin9.4.0%r(
    SF:SSLSessionReq,172,"\x01\x03\0\0Q\xec\xff\0\0\x01b\0\0\0\0\0\x18\0\"AD9
    SF:6fa4242ed039c\0\x04mini");
    MAC Address: 00:16:CB:A3:27:E4 (Apple Computer)
    Service Info: OS: Mac OS X

    Host script results:
    |  Discover OS Version over NetBIOS and SMB: Unix
    |_ Discover system time over SMB: 12:49:02 UTC-5

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 119.68 seconds

Now the administrator knows that the host runs Mac OS X and uses Samba to share files with Windows systems. It most likely shares a printer via CUPS, and it is configured for Virtual Network Computing (VNC) for remote management.

Nmap as a security tool

As mentioned above, Nmap is very practical for administrators and has powerful security audit capabilities. For example, many companies do not allow web servers to run on user networks (that is, networks to which users' desktop computers and laptops are connected). Nmap can easily be used to identify all systems running network services on the well-known ports 80 and 443:

    nmap -n -p 80,443 192.168.1.0/24 | egrep "ports|open"

    Interesting ports on 192.168.1.1:
    80/tcp open http
    443/tcp open https
    Interesting ports on 192.168.1.2:
    Interesting ports on 192.168.1.3:
    Interesting ports on 192.168.1.4:
    Interesting ports on 192.168.1.5:

Another useful feature is identifying specific versions to determine whether a system is exposed to a particular announced weakness. For example, let's assume that the Samba team has announced a security issue in a specific version of Samba, and you need to identify all Samba versions on the network. The following scan lists them:

    nmap -n -sV -p 139 192.168.1.0/24 | egrep "ports|139"

    Interesting ports on 192.168.1.1:
    139/tcp closed netbios-ssn
    Interesting ports on 192.168.1.2:
    139/tcp closed netbios-ssn
    Interesting ports on 192.168.1.3:
    139/tcp filtered netbios-ssn
    Interesting ports on 192.168.1.4:
    139/tcp open netbios-ssn Samba smbd 3.2 (workgroup: HQ)
    Interesting ports on 192.168.1.5:
    139/tcp open netbios-ssn Samba smbd 2.1 (workgroup: REMOTE)
    Interesting ports on 192.168.1.15:
    139/tcp open netbios-ssn Samba smbd 3.2 (workgroup: WORKGROUP)
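The egrep pipelines in this section leave the reader to pair each host line with the port lines under it. The following added example, which is not part of the original article, does that pairing and then selects the hosts whose version string matches; the function names open_services and hosts_with_version are chosen here, the input is assumed to be Nmap 4.76 text output produced with -n, and the flagged version is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): turn "nmap -n -sV" text
# output into one tab-separated record per open port, then pick out hosts
# whose version string matches. Assumes the Nmap 4.76 format shown above.

# Emit "host<TAB>port<TAB>service<TAB>version" for every open port.
open_services() {
    awk '
        /^Interesting ports on / {            # host header line
            host = $NF; sub(/:$/, "", host); next
        }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            version = ""
            for (i = 4; i <= NF; i++)
                version = version (i > 4 ? " " : "") $i
            printf "%s\t%s\t%s\t%s\n", host, $1, $3, version
        }
    ' "$@"
}

# usage: hosts_with_version FIXED_STRING SCAN_FILE
hosts_with_version() {
    open_services "$2" |
        awk -F '\t' -v want="$1" 'index($4, want) { print $1 }' |
        LC_ALL=C sort -u
}

# Sample input: the port-139 results from the article, saved to a file.
sample_scan=$(mktemp)
cat > "$sample_scan" <<'EOF'
Interesting ports on 192.168.1.1:
139/tcp closed netbios-ssn
Interesting ports on 192.168.1.3:
139/tcp filtered netbios-ssn
Interesting ports on 192.168.1.4:
139/tcp open netbios-ssn Samba smbd 3.2 (workgroup: HQ)
Interesting ports on 192.168.1.5:
139/tcp open netbios-ssn Samba smbd 2.1 (workgroup: REMOTE)
Interesting ports on 192.168.1.15:
139/tcp open netbios-ssn Samba smbd 3.2 (workgroup: WORKGROUP)
EOF

# "Samba smbd 3.2" stands in for the version named in a hypothetical advisory.
hosts_with_version "Samba smbd 3.2" "$sample_scan"
```

Hosts whose port shows as filtered, such as 192.168.1.3 above, produce no record, so they need a separate check before being declared unaffected.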

This tip has shown how Nmap is used for network inventory scanning, more thorough host inventory and auditing, identifying unauthorized services, and assisting in security vulnerability assessment. Nmap is ready to use as it is; combining it with command-line tools that search its output or saved files for specific strings turns it into a powerful reporting tool.
