
Interpreting and acting on Nmap scan results

As we continue our series on Nmap in the enterprise, SearchSecurity expert contributor Michael Cobb explains how to run some of the more regular Nmap scans.

This is the eighth in a series of tips on how to use Nmap in an enterprise network environment.

One of the regular tasks you'll be performing with Nmap is verifying that your firewall rules are performing as intended. To do so, run a scan to look for ports that appear open to the outside world and check whether they are filtered or not. A simple firewall audit scan would be something similar to:

nmap -v -sA -ff -r -n -oA firewallaudit <target>

The Nmap TCP ACK scan (-sA) establishes whether packets can pass through your firewall unfiltered, and by adding the -ff option you can also test how it handles fragmented traffic. Because an ACK scan never completes a connection, it reports ports only as "unfiltered" (the probe reached the host) or "filtered" (it was dropped); "unfiltered" does not mean the port is open, only that the firewall let the probe through. To make it easier to follow how packets are handled by the firewall, it is best to scan ports in numerical order, which you can do by adding the -r option. I would also use the -oA output option so that you create a searchable grepable file as well as an XML file (and a normal text file) to use for proper record keeping and reporting. You can use these output files to review the traffic flow through any unfiltered ports and then modify your firewall rule sets where necessary. If you do make changes to your firewall, rerun the audit scan to confirm that your changes had the intended effect. It's a good idea to run this type of audit scan on a regular basis to ensure that your firewall configuration has not been modified unexpectedly.

As most new viruses and spyware programs open listening ports on infected machines, you can use an Nmap scan to search for those ports after a reported outbreak, combining an ICMP ping (-PE) with TCP SYN and UDP scans (-sS and -sU). Only the ports specifically used by the particular malware need to be scanned, and you select them with the -p option. An Nmap command such as:

nmap -PE -sS -sU -sV -p U:2140,T:2745 -oG infected <target>

creates a grepable output file called infected that can be searched for the word open. Note that a UDP port that never answers is reported as open|filtered rather than open, so include that state in your search as well. Any machine with an unauthorized application on an open port can be isolated and checked. The -sV option asks Nmap to identify the application actually listening on the port, so you can tell a legitimate service from an unexpected one.
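The two tasks above, reviewing the unfiltered ports from a firewall audit (including comparing a rerun after a rule change) and searching an outbreak scan for hosts with the malware's ports open, both come down to reading Nmap's grepable output. The following Python script is an added example and is not part of the original article or of Nmap itself: it parses the "Ports:" field of grepable (-oG / .gnmap) lines, lists unfiltered ports per host, diffs two audit runs, and flags hosts whose watched ports are open. The scan output embedded in it is constructed for illustration; the host addresses, the "after" result and the watched port set are assumptions.

```python
import re
from collections import defaultdict

# One entry in a grepable "Ports:" field has the form
#   port/state/protocol/owner/service/rpcinfo/version/
# The state may contain "|" (e.g. open|filtered for unanswered UDP probes).
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Constructed sample output (not from a real scan): ACK audit before and after
# a firewall rule change. A tab separates the fields of each Host: line.
AUDIT_BEFORE = """\
# Nmap scan initiated as: nmap -v -sA -ff -r -n -oA firewallaudit 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/unfiltered/tcp//ssh///, 80/unfiltered/tcp//http///, 443/unfiltered/tcp//https///, 3389/unfiltered/tcp//ms-wbt-server///\tIgnored State: filtered (996)
# Nmap done
"""
AUDIT_AFTER = """\
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/unfiltered/tcp//ssh///, 80/unfiltered/tcp//http///, 443/unfiltered/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (996)
"""
# Constructed sample of the outbreak scan (-sS -sU -p U:2140,T:2745 -oG infected).
OUTBREAK = """\
Host: 10.0.0.21 ()\tStatus: Up
Host: 10.0.0.21 ()\tPorts: 2745/open/tcp//unknown///, 2140/open|filtered/udp//unknown///
Host: 10.0.0.22 ()\tStatus: Up
Host: 10.0.0.22 ()\tPorts: 2745/closed/tcp//unknown///, 2140/closed/udp//unknown///
"""
# Ports the (hypothetical) malware uses, taken from the scan's -p argument.
WATCH = {("tcp", 2745), ("udp", 2140)}


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]}."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: <ip> (<name>)" -> <ip>
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.match(entry.strip())
                if m:
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    results[host].append((int(port), state, proto, service, version))
    return dict(results)


def unfiltered_ports(parsed):
    """Ports an ACK probe reached unfiltered, i.e. the firewall let it through."""
    return {h: sorted(p for p, st, *_ in ports if st == "unfiltered")
            for h, ports in parsed.items()}


def audit_diff(before, after):
    """Per host: ports that became filtered, and ports that became unfiltered."""
    b, a = unfiltered_ports(before), unfiltered_ports(after)
    return {h: {"now_filtered": sorted(set(b.get(h, [])) - set(a.get(h, []))),
                "now_unfiltered": sorted(set(a.get(h, [])) - set(b.get(h, [])))}
            for h in set(b) | set(a)}


def suspect_hosts(parsed, watch=WATCH):
    """Hosts with a watched port in state open or open|filtered."""
    hits = defaultdict(list)
    for h, ports in parsed.items():
        for port, st, proto, _svc, _ver in ports:
            if (proto, port) in watch and st.startswith("open"):
                hits[h].append((proto, port, st))
    return dict(hits)


if __name__ == "__main__":
    print("unfiltered:", unfiltered_ports(parse_gnmap(AUDIT_BEFORE)))
    print("rule change:", audit_diff(parse_gnmap(AUDIT_BEFORE), parse_gnmap(AUDIT_AFTER)))
    print("suspect hosts:", suspect_hosts(parse_gnmap(OUTBREAK)))
```

To use it on a real run, replace the embedded strings with the contents of firewallaudit.gnmap or the infected file. The state check uses startswith("open") deliberately: an unanswered UDP probe shows as open|filtered, and treating it as clean would miss an infected host that simply drops unexpected datagrams.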

With many organizations having remote or virtual offices it is essential that regular audits are carried out of the devices connecting to the network, both for security and licensing purposes. The following scan will produce a categorized inventory of client and server devices, as well as routers, switches and printers:

nmap -vv -sS -O -n -oA inventory <target>

The SYN scan (-sS) combined with OS fingerprinting (-O) uses very few packets while still gathering the required information. If you are auditing a remote office over a slow link, you can add a timing template such as -T 2 (polite) to slow down the scan and use less bandwidth and fewer resources on the target machines. Finally, while an Nmap scan is running you can change certain options or request status messages without having to abort and restart the scan. For example, typing V will increase the verbosity of the output, while most other keys give you a status update showing hosts completed and estimated time remaining.
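The inventory scan writes its OS fingerprint results to inventory.xml, and the XML is the easiest place to turn them into the categorized list of routers, switches, printers, servers and clients the text describes. The script below is an added example, not code from the article or from the Nmap project: it reads the osclass device type that Nmap attaches to each OS match and sorts hosts into buckets. The embedded XML is constructed for illustration, and two choices are assumptions of the example rather than anything Nmap defines: an accuracy threshold below which a guess is treated as unknown, and a small set of listening ports used to split "general purpose" hosts into servers and clients.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumed for this example: a general-purpose host with any of these ports open
# is counted as a server, otherwise as a client. Tune it to your environment.
SERVER_PORTS = {22, 25, 53, 80, 443, 1433, 3306, 5432}
# Assumed for this example: OS matches below this accuracy are not trusted.
MIN_ACCURACY = 85

# Constructed sample of inventory.xml (not from a real scan). The osclass "type"
# attribute is where Nmap records the device class of each OS match.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -vv -sS -O -n -oA inventory 10.0.0.0/24">
<host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports>
 <os><osmatch name="Cisco IOS 12.X" accuracy="97"><osclass type="router" vendor="Cisco" osfamily="IOS"/></osmatch></os></host>
<host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
 <os><osmatch name="HP ProCurve switch" accuracy="94"><osclass type="switch" vendor="HP"/></osmatch></os></host>
<host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port></ports>
 <os><osmatch name="HP LaserJet printer" accuracy="96"><osclass type="printer" vendor="HP"/></osmatch></os></host>
<host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
        <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports>
 <os><osmatch name="Linux 2.6.X" accuracy="95"><osclass type="general purpose" vendor="Linux" osfamily="Linux"/></osmatch></os></host>
<host><status state="up"/><address addr="10.0.0.50" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
        <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port></ports>
 <os><osmatch name="Microsoft Windows XP" accuracy="93"><osclass type="general purpose" vendor="Microsoft" osfamily="Windows"/></osmatch></os></host>
<host><status state="up"/><address addr="10.0.0.60" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port></ports>
 <os><osmatch name="Embedded device" accuracy="60"><osclass type="specialized"/></osmatch></os></host>
<host><status state="down"/><address addr="10.0.0.70" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_inventory(xml_text):
    """Return one dict per live host: address, open ports and best OS match."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts that did not respond
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        open_ports = [int(p.get("portid")) for p in h.iter("port")
                      if p.find("state").get("state") == "open"]
        best, accuracy = None, 0  # keep the most confident OS match
        for m in h.iter("osmatch"):
            acc = int(m.get("accuracy", "0"))
            if acc > accuracy:
                best, accuracy = m, acc
        os_name = best.get("name") if best is not None else None
        cls = best.find("osclass") if best is not None else None
        os_type = cls.get("type") if cls is not None else None
        hosts.append({"addr": addr, "open_ports": open_ports, "os_name": os_name,
                      "os_type": os_type, "accuracy": accuracy})
    return hosts


def categorize(host):
    """Map a parsed host to an inventory bucket."""
    if host["os_type"] is None or host["accuracy"] < MIN_ACCURACY:
        return "unknown"
    if host["os_type"] in ("router", "switch", "printer", "firewall", "WAP"):
        return host["os_type"]
    if host["os_type"] == "general purpose":
        return "server" if SERVER_PORTS & set(host["open_ports"]) else "client"
    return "other"


def inventory(xml_text):
    """Return {category: sorted list of addresses} for the scan."""
    buckets = defaultdict(list)
    for h in parse_inventory(xml_text):
        buckets[categorize(h)].append(h["addr"])
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for category, addrs in sorted(inventory(SAMPLE_XML).items()):
        print(f"{category:8s} {', '.join(addrs)}")
```

Feed it the real inventory.xml by replacing SAMPLE_XML with the file contents. Hosts that land in "unknown" are worth a second look rather than being dropped: a low-accuracy fingerprint on a device you did not expect is exactly the kind of thing a licensing or security audit should surface.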


About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).


This was last published in September 2006
