Category: Port Scanner and network analysis tool
Name of tool: Nmap/NmapNT
Company name: Insecure.org
Price: Free for the downloading
URL: Unix: www.insecure.org/nmap; Windows: www.eeye.com/html/Research/Tools/nmapnt.html
Platforms supported: Various Unix (Nmap), various Windows operating systems (NmapNT)
*** = Hey, not bad -- one notch below very cool.
Scan for security weaknesses on your network by using the same tool many hackers use.
Simple and easy to use
Powerful and versatile
NmapNT requires separate WinPcap driver installation
Terse command line arguments will take some study to tune and use
I have written about jack-of-all-trades security tools in the past, but one very worthwhile tool that I haven't covered is called Nmap, developed by Fyodor and long a favorite of hackers. This tool was strictly for Unix until a few years ago, when eEye Security ported it to the Windows platform. Lately, eEye has improved the Windows version and it is close to the abilities of its Unix cousin.
Nmap is a lot like those vegematic (or at the risk of dating myself, Bass-o-matic from the old Saturday Night Live TV shows) commercials. It slices, it dices, and it probes your network in so many different ways that it really should have its own late-night infomercial. It belongs in your toolkit, and once you learn how to use it, you will come back to it for many different circumstances.
I tried out the NmapNT Version 2.53 SP1 on a Windows 2000 Server PC, probing machines both on my internal test networks, as well as out over the Internet. It took a few minutes to install, given one issue I had with the program. To run Nmap on Windows, you'll need to install the WinPcap packet driver. While eEye includes these drivers as part of its distribution of the software, it is a lot easier to just load them with the Windows-based installer from http://netgroup-serv.polito.it/winpcap/.
I also had a PC with several Ethernet interfaces configured, so Nmap needed to be told which one was the correct one to do its work on. That was easily solved by adding an "-e2" switch to my command line string.
Give Nmap an IP address or a range of addresses, and not only will it probe the open ports but it provides all sorts of other useful information, such as figuring out the underlying operating system and the NetBIOS name of the computer running at a particular IP address -- it correctly figured out my Windows 2000 Professional PC version and name, for example.
There is one major drawback to Nmap and that is, given its Unix heritage, the command-line syntax is extremely terse and, of course, case-sensitive. You will drive yourself crazy figuring out whether one command uses an upper case letter "O" or the numeral "0" and if you forget to type in one letter, your commands won't work.
What are some typical commands? Here is one to scan all well-known ports of a particular IP address:
NmapNT -sT 192.168.1.0
This makes use of the TCP connect command to open a connection to every port on that particular IP address. If you want to scan an entire subnet, append a /24 or /16 for the entire class C or B subnet, respectively. (You can also use asterisks in the IP address, such as 192.168.1.*)
Other scanning options include a TCP SYN stealth scan where you send a SYN packet and wait for a response but don't really open the connection (-sS), stealth FIN scan (-sF), UDP port scans (-sU), ftp proxies, ping sweeps and many, many more. If you are trying to probe a network and want to do so without being detected, this tool is for you. If you are trying to probe your own corporate network from the outside to ensure that your own defenses are working, then you should definitely get acquainted with Nmap because this is what many hackers start out with to rattle your own virtual doorknobs. I tested my own firewall in this fashion, to make sure that it would send me alerts when it was being scanned, and it delivered various alerts to me.
Nmap is a terrific tool, and one that anyone concerned with network security should learn and use regularly.
If you are going to make the best use of Nmap, I suggest you buy one of the following books. While you can read the supplied documentation that comes with the program, the books go into more details about the various uses and provide many more examples of command-line arguments to create the exact testing and probes that you desire. The books are:
Exposed, by Scambray et al. (Osborne, $40)
I.T., by Klevinsky et al. (Addison Wesley, $43) Strom-meter key:
**** = Very cool, very useful
*** = Hey, not bad -- one notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value. About the author
David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant, and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at firstname.lastname@example.org.
This was first published in March 2002