Home > Security Tips > Network Security Tactics > Interpreting and acting on Nmap scan results
Security Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

NETWORK SECURITY TACTICS

Interpreting and acting on Nmap scan results


Michael Cobb
09.12.2006
Rating: -4.12- (out of 5)


Network Security Tactics
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


This is the eighth in a series of tips on how to use Nmap in an enterprise network environment.

One of the regular tasks you'll be performing with Nmap is verifying that your firewall rules are performing as intended. To do so, run a scan to look for ports that appear open to the outside world and check whether they are filtered or not. A simple firewall audit scan would be something similar to:

nmap -v -sA -ff -r -n www.yourorg.com -oA firewallaudit

The Nmap TCP ACK scan (-sA) establishes whether packets can pass through your firewall unfiltered, and by adding the -ff option you can also test how it handles fragmented traffic. To make it easier to follow how packets are handled by the firewall, it is best to scan ports in numerical order. This can be done by adding the –r option. I would also use the -oA output option so that you create a searchable grepable file as well as an XML file to use for proper record keeping and reporting. You can use these output files to review the traffic flow through any unfiltered ports and then modify your firewall rule sets where necessary. If you do make changes to your firewall, rerun the audit scan to ensure that your changes were successful. It's a good idea to run this type of audit scan on a regular basis to ensure that your firewall configuration has not been modified unexpectedly.

As most new viruses and spyware programs create open ports on infected machines you can use Nmap to search for open ports after a reported outbreak using an I



CMP ping (-PE) and TCP SYN and UDP scans, options -sS and -sU. Only the ports specifically used by the particularly malware need to be searched using the -p option. A Nmap command such as: nmap -PE -sS -sU -sV -p U:2140,T:2745 www.yourorg.com/24 -oG infected creates an output file called infected that can be searched for the word open. Any machine with an unauthorized application on an open port can be isolated and checked. You can use the -sV option to identify the application running on the machine.

With many organizations having remote or virtual offices it is essential that regular audits are carried out of the devices connecting to the network, both for security and licensing purposes. The following scan will produce a categorized inventory of client and server devices, as well as routers, switches and printers:

nmap -vv -sS -O -n www.yourorg.com/24 -oA inventory

The SYN scan (-sS) combined with OS fingerprinting (-O) uses very few packets while still gathering the required information. If you are auditing a remote office over a slow link then you can add a timing policy, such as -T 2, to slow down the scan and use less bandwidth and resources on the target machines. Finally, while you're running an Nmap scan you can change certain options or request status messages without having to abort and restart the scan. For example, typing V will increase the verbosity of the output while most keys will give you status update showing hosts completed and estimated time remaining.


Rate this Tip
To rate tips, you must be a member of SearchSecurity.com.
Register now to start rating these tips. Log in if you are already a member.




BROWSE BY TAG
Network Security Tactics,   Open Source Security Tools and Applications,   Application and Platform Security,   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Monitoring Network Traffic and Network Forensics,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


RELATED CONTENT
Network Security Tactics
Screencast: Samurai offers pen-testing nirvana
Firewall rule management best practices
Chained Exploits: How to prevent phishing attacks from corporate spies
Rootkit Hunter demo: Detect and remove Linux rootkits
Enterprise UTM security: The best threat management solution?
Making the case for network security configuration management
An inside look at security log management forensics investigations
How to find sensitive information on the endpoint
How to perform Microsoft Baseline Security Analyzer (MBSA) scans
How to spot attacks through Apache Web server log analysis

Open Source Security Tools and Applications
Screencast: Samurai offers pen-testing nirvana
Rootkit Hunter demo: Detect and remove Linux rootkits
When to use open source security tools over commercial products
Screencasts: On-screen demonstrations of today's IT tools
Maltego demo: Identifying a website's trust relationships
Free HP SWFScan tool detects Adobe Flash flaws
L0phtCrack returns
How to use (almost) free tools to find sensitive data
Should open source disk-encryption software be used?
Open source security concerns can trump cost savings

Monitoring Network Traffic and Network Forensics
Chained Exploits: How to prevent phishing attacks from corporate spies
PCI compliance requirement 10: Auditing
Know when you need IDS, IPS or both
An inside look at security log management forensics investigations
How to analyze a TCP and UDP network traffic spike
How to perform a network forensic analysis and investigation
Tying log management and identity management shortens incident response
The telltale signs of a network attack
Cyberattack mapping could alter security defense strategy
Should the government reduce its external Internet connections?

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
Blowfish  (SearchSecurity.com)
Kermit  (SearchSecurity.com)
Open Source Hardening Project  (SearchSecurity.com)
SnortSnarf  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Research Solutions for Network Security, Access Control and Security Threats
More Security Resources for Resellers, VARs and OEMs
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts