
Security

A look at nmap 4.0

February 13, 2006

This article was contributed by Jake Edge.

With its first major release in nearly 2 years, Nmap has made great strides in speed and usability. Nmap 4.00 was released on 31 January and has a very large list of features and upgrades since the 3.50 release in February 2004.

Nmap is a "network mapper" that allows a network administrator or curious user to discover many things about a network or host. Nmap will do host discovery to determine which hosts are available and port scanning to determine open ports and what services are running behind those ports. It can also try to determine which operating system is running on a target machine by examining the contents of packets and responses using a technique known as TCP/IP stack fingerprinting. One of the main uses for Nmap is security auditing a network in order to detect and possibly disable any and all unnecessary services running on a host or network.
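The auditing use described above, detecting services that should not be exposed, comes down to comparing what a scan found with what an administrator expects. The following is an added example, not code from the article or from the Nmap project: it parses Nmap's "grepable" (-oG) output format and flags open ports that are not on a per-host allowlist. The scan data, hosts and allowlist are constructed for the example.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format; hosts, names and
# ports are made up for this example and do not come from a real scan.
SAMPLE_GREPABLE = """\
# Nmap 4.00 scan initiated as: nmap -sV -oG - 10.0.0.0/30
Host: 10.0.0.1 (gw.example.test)\tStatus: Up
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (998)
Host: 10.0.0.2 (web.example.test)\tStatus: Up
Host: 10.0.0.2 (web.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 161/open/udp//snmp///\tIgnored State: closed (996)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Per-host allowlist of services the administrator expects to be reachable,
# as (port, protocol) pairs. Anything open and not listed here is flagged.
EXPECTED = {
    "10.0.0.1": {(22, "tcp")},
    "10.0.0.2": {(80, "tcp"), (443, "tcp")},
}

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, svc in PORT_RE.findall(field):
                    hosts.setdefault(host, []).append((int(port), state, proto, svc))
    return hosts


def unexpected_services(text, expected):
    """List open (host, port, proto, service) tuples absent from the allowlist."""
    findings = []
    for host, ports in parse_grepable(text).items():
        allowed = expected.get(host, set())  # unknown host: nothing is expected
        for port, state, proto, svc in ports:
            if state == "open" and (port, proto) not in allowed:
                findings.append((host, port, proto, svc))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, proto, svc in unexpected_services(SAMPLE_GREPABLE, EXPECTED):
        print(f"{host}: {port}/{proto} ({svc or 'unknown'}) is open but not expected")
```

Running it on the sample reports telnet on the gateway and MySQL plus SNMP on the web host as candidates for disabling or firewalling.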

The feature that users are most excited about, according to Fyodor, creator of Nmap, is status reporting which provides real-time information on how much progress Nmap has made and an estimated time of completion. One can get this report by pressing return while Nmap is running; other keys will increase or decrease the verbosity and debug levels or toggle packet tracing. This makes for a much nicer user experience:

With Nmap 3.50, you would start a scan and Nmap would quietly chug away for a variable amount of time (from minutes to hours) before suddenly reporting results for a target host. ... Staring at a screen for 30 minutes waiting for Nmap to complete is frustrating, but when you know the time in advance you can simply go out for lunch.

Speed and memory usage improvements in the port scanning engine were a big focus of the work since 3.50. Several functions, such as reverse DNS lookup and UDP scans, have been parallelized, and Nmap now uses raw Ethernet packets to do ARP requests, which speeds up host detection on the local network significantly. The speed improvements were not readily apparent in the relatively simple scans the author tried; they are largely geared toward scanning many thousands of ports on large numbers of hosts.

Documentation was another focus of the 4.00 effort and Fyodor has rewritten the man page, an install guide, and a version detection guide. He says:

Open source software is frequently characterized as having poor documentation. I tried to fight that stereotype by putting a lot of work into Nmap 4.00 docs.

Thanks to the DAG repository, upgrading to Nmap 4.00 was painless on the (now obsolete) Fedora Core 3 distribution. Running Nmap is fairly straightforward, but there are an enormous number of options and ways to specify targets. Wading through the very comprehensive man page is required to do anything very complicated, though Nmap often seems to suggest useful options when scans fail and this feature can be very helpful.

Nmap 4.00 looks to be a very solid release of a tool that should be on every administrator's list of essential security tools.

New vulnerabilities

adzapper: denial of service

Package(s): adzapper
CVE #(s): CVE-2006-0046
Created: February 9, 2006
Updated: February 15, 2006
Description: If the adzapper proxy advertisement add-on is installed as a squid plugin, it can cause high proxy host CPU resource consumption, resulting in a denial of service.
Alerts:
Debian DSA-966-1 adzapper 2006-02-09

elog: multiple vulnerabilities

Package(s): elog
CVE #(s): CVE-2005-4439 CVE-2006-0347 CVE-2006-0348 CVE-2006-0597 CVE-2006-0598 CVE-2006-0599 CVE-2006-0600
Created: February 10, 2006
Updated: February 15, 2006
Description: Several security problems have been found in elog, an electronic logbook to manage notes.
Alerts:
Debian DSA-967-1 elog 2006-02-10

gnutls: denial of service

Package(s): gnutls
CVE #(s): CVE-2006-0645
Created: February 13, 2006
Updated: March 6, 2006
Description: Several flaws were found in the way libtasn1 decodes DER. An attacker could create a carefully crafted invalid X.509 certificate that triggers these flaws when parsed by an application that uses GNU TLS. This could lead to a denial of service (application crash). It is not certain whether this issue could be escalated to allow arbitrary code execution.
Alerts:
Debian DSA-986-1 gnutls11 2006-03-06
Debian DSA-985-1 libtasn1-2 2006-03-06
Fedora-Legacy FLSA:181014 gnutls 2006-02-27
Gentoo 200602-08 libtasn1 2006-02-16
Ubuntu USN-251-1 libtasn1-2 2006-02-16
Mandriva MDKSA-2006:039 gnutls 2006-02-13
Fedora FEDORA-2006-107 gnutls 2006-02-10
Red Hat RHSA-2006:0207-01 gnutls 2006-02-10

heimdal: privilege escalation

Package(s): heimdal
CVE #(s): CVE-2006-0582
Created: February 13, 2006
Updated: March 17, 2006
Description: A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them.
Alerts:
Gentoo 200603-14 heimdal 2006-03-17
Debian DSA-977-1 heimdal 2006-02-16
Ubuntu USN-247-1 heimdal 2006-02-10

kronolith: cross-site scripting

Package(s): kronolith
CVE #(s): CVE-2005-4189
Created: February 14, 2006
Updated: February 15, 2006
Description: Johannes Greil of SEC Consult discovered several cross-site scripting vulnerabilities in kronolith, the Horde calendar application.
Alerts:
Debian DSA-970-1 kronolith 2006-02-14

libpng: heap-based buffer overflow

Package(s): libpng
CVE #(s): CVE-2006-0481
Created: February 13, 2006
Updated: December 15, 2008
Description: A heap-based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file that causes an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Gentoo 200812-15 povray 2008-12-14
Red Hat RHSA-2006:0205-01 libpng 2006-02-13

noweb: insecure temporary file

Package(s): noweb
CVE #(s): CVE-2005-3342
Created: February 13, 2006
Updated: February 27, 2006
Description: Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that a script in noweb, a WEB-like literate-programming tool, creates a temporary file in an insecure fashion.
Alerts:
Gentoo 200602-14 noweb 2006-02-26
Ubuntu USN-254-1 noweb 2006-02-21
Debian DSA-968-1 noweb 2006-02-13

PostgreSQL: privilege escalation

Package(s): postgresql
CVE #(s): CVE-2006-0553
Created: February 15, 2006
Updated: February 19, 2006
Description: From the advisory: "By issuing SET ROLE with a specially crafted argument, it is possible for any logged-in database user to acquire the privileges of any other database user, including superusers. Database superuser status allows access to the machine's filesystem and hence might be used to mount remote attacks against the rest of the server's operating system." This problem has been fixed in PostgreSQL releases 8.0.7, 7.4.12, and 7.3.14.
Alerts:
OpenPKG OpenPKG-SA-2006.004 postgresql 2006-02-19

sun-jdk: privilege escalation

Package(s): sun-jdk
CVE #(s): CVE-2006-0614 CVE-2006-0615 CVE-2006-0616 CVE-2006-0617
Created: February 15, 2006
Updated: February 15, 2006
Description: Various vulnerabilities in the Java runtime "reflection" APIs can enable applications to escape the sandbox and access local resources. See this Sun advisory for more information.
Alerts:
Gentoo 200602-07 sun-jdk 2006-02-15

Page editor: Jonathan Corbet

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds