This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Insecure.org's Nmap 4.01
Nmap 4.01 improves on this indispensable free tool with better service identification, updated OS identification and a modest speed improvement.
Nmap is perhaps the best-known port scanner available and the standard against which all others are measured. Freely available from Insecure.org under the GPL license, Nmap will run on just about any operating system in existence, from Microsoft's Windows to your favorite variety of Linux/Unix.
At this point in its life cycle, Nmap 4.01's core port-scanning engine is mature, robust and capable of scanning both IPv4 and IPv6 hosts, independent of whether or not they are protected by firewalls.
Our lab testing on a SUSE 9 Linux workstation showed improved speed (about 10 percent) over the 3.81 Nmap release with which we compared it. (Information Security reviewed Nmap 3.75 in December 2004.) Considering that a typical SYN scan takes about 1.5 seconds per host, the difference will likely be imperceptible to the user when scanning a small number of machines on a network.
The big improvements in Nmap's 4.01 release are in the areas of service and OS identification. If you're willing to take a substantial hit on the amount of time Nmap spends on a host (our results varied widely from 15 to 90 seconds, depending on the number of open ports/services on the host and command-line options used), the application can give you a wealth of information about services running on the target being scanned, including the type of service and the version number (e.g., Microsoft IIS 6.0).
Nmap has expanded its database to more than 3,000 signatures covering some 380 service protocols. This is a very handy tool for determining whether a host is running vulnerable versions of popular services, and it gives you the information you need to take appropriate steps to remediate those vulnerabilities.
The OS fingerprinting results in 4.01 were better than what we obtained in 3.81, but there is still room for improvement with this cool feature, especially in speed and accuracy. For example, Nmap could correctly identify a Windows 2003 SP1 VMware target on a VMware ESX server, but could not identify a Windows NT SP6a target on a different ESX server (it did identify the latter as a generic Windows host).
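As an added example (not code from this review or from the Nmap project), the following Python turns the XML that nmap -sV -O writes with -oX into a per-host inventory of OS match and service versions, separating services Nmap actually probed from ones it merely named from its port table, which is the distinction that matters before deciding whether a version needs patching. The XML is a constructed sample shaped like Nmap's output, and the watchlist passed to match_versions() is assumed to be supplied by the operator.

```python
# Added example, not code from the review or the Nmap project: summarise
# nmap -sV -O XML output (-oX) per host so service versions can be reviewed.
# SAMPLE_XML is a constructed sample shaped like Nmap's XML, not a real scan.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" version="4.01">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Microsoft IIS webserver" version="6.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="135"><state state="open"/>
<service name="msrpc" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
</ports><os><osmatch name="Microsoft Windows 2003 Server SP1" accuracy="100"/></os></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="139"><state state="open"/>
<service name="netbios-ssn" method="table" conf="3"/></port>
</ports><os><osmatch name="Microsoft Windows NT/2K/XP" accuracy="90"/></os></host>
</nmaprun>"""


def parse_hosts(xml_text):
    """Map host address -> {"os": best OS match or None, "services": [...]}.
    Each service is (port, name, product, version); product/version are empty
    when Nmap only named the port from its table (method="table") instead of
    probing it, so a version check on such entries would be meaningless."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        osmatch = host.find("os/osmatch")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service fingerprint
            svc = port.find("service")
            services.append((int(port.get("portid")), svc.get("name"),
                             svc.get("product", ""), svc.get("version", "")))
        hosts[addr] = {"os": None if osmatch is None else osmatch.get("name"),
                       "services": services}
    return hosts


def unversioned(hosts):
    """Open services with no probed version; these need manual follow-up."""
    return [(a, p, n) for a, h in hosts.items()
            for p, n, _prod, ver in h["services"] if not ver]


def match_versions(hosts, watchlist):
    """Services whose (product, version) is on the operator-supplied watchlist."""
    return [(a, p, prod, ver) for a, h in hosts.items()
            for p, _n, prod, ver in h["services"] if (prod, ver) in watchlist]
```

Feed it a real -oX file with `parse_hosts(open(path).read())`; hosts whose OS match is only a generic family name, like the second sample host, are the ones worth re-scanning once a newer fingerprint database is available.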
The service and OS identification portions of Nmap are of particular interest to the security community, so we expect these capabilities to be improved with future versions.
This was first published in May 2006