User: Password:
Subscribe / Log in / New account


Book review: Nmap Network Scanning

February 18, 2009

This article was contributed by Nathan Willis

Gordon "Fyodor" Lyon is the principal author of the network scanner Nmap, and his new book Nmap Network Scanning is its authoritative guide. Lyon has crafted a precise, readable resource that will serve both newcomers and experienced Nmap users well. Equal parts manual, network scanning textbook, history lesson, and field guide, the book is a detailed reference to what Nmap can do, an explanation of how and why it works, and instructions on how to best use it for maximum result.

For those unfamiliar with the tool, Nmap is a network scanner. It can detect and enumerate the active machines on a computer network -- local or the Internet at large -- scan which TCP and UDP ports are open, and, in most cases, determine what services are running on the open ports and what operating system the host itself is running. It performs this service by sending specially-tailored IP, ICMP, TCP, and other packets, then interpreting the results. At its simplest, Nmap sends a SYN packet asking to open a TCP connection addressed to a particular port. If something responds, there is a service running on the port. But Nmap does far more than that, utilizing nearly every flag ever defined in an RFC, and doing it -- in parallel -- to potentially thousands of ports on thousands of hosts. Nmap has more than one hundred command-line options; understanding them and how best to use them is the subject of Lyon's book.

Like Nmap itself, Nmap Network Scanning begins by addressing the most commonly used features, and explores more complex options later. As prelude, chapter one gives an overview of Nmap's features, introducing the concepts of port scanning, service and OS discovery, and basic usage examples. Chapter two explains how to get and install the code, including its status of various platforms, the Zenmap graphical user interface, community-created scripts, and finding updates to both the code and important data files.

The book then delves into Nmap usage itself, beginning with the fundamental functions: host discovery in chapter three, and port scanning in chapters four and five. The two topics do overlap, as TCP SYN and ACK scans are used to discover hosts as well as to discover ports. But Lyon has chosen to craft the initial chapters of the book so that they mimic the logic of Nmap itself, and host discovery is the first execution step in any Nmap command. This is no accident; Lyon explains Nmap's architecture as only its creator could: with real-world examples, he illustrates how separating host discovery from port scanning allows a professional security or penetration tester to take hours off of a large scan through careful planning. And he explains how some host discovery techniques (such as DNS) expose the user to discovery in exchange for speed, while others (such as ARP pings) give the opposite tradeoff.

Chapter four's discussion of port scanning explains the broad strokes of scanning TCP and UDP ports, lists the most common types of scan, and describes how Nmap distinguishes between open, closed, filtered, and ambiguous ports. Chapter five covers Nmap's port scanning techniques in detail. It describes the basic TCP and UDP scans, contrasts when different techniques produce different results, and explains less commonly used scans and when they are appropriate. Lyon provides thorough examples, including real-world scans the reader can execute, and hypothetical "case study" problems weighing the pros and cons of multiple approaches. Chapter six is a discussion of optimizing Nmap scan performance, centered on how to select the right scanning technique, the right scanning target, and the right timing options. Nmap scans can take a very long time if the wrong parameters are chosen, so mastering the variables is a valuable skill.

Chapter seven looks at the next step beyond port scanning: service and version detection, by which Nmap can determine what applications are running on open ports, and in many cases precisely which version. Chapter eight looks at operating system detection, which Nmap performs by sending a complex series of tests to the target machine, then comparing the resulting "fingerprint" to a database of known profiles. Chapter nine describes one of Nmap's newest features, the Nmap Scripting Engine (NME). NME is a Lua-based engine that allows constructing more complex scans and queries that the Nmap core can perform on its own. The chapter also provides a reference to the carefully-chosen suite of NME scripts that ships with the current Nmap release.

Chapter ten explores how to use Nmap to perform two higher-level tasks: mapping out and bypassing firewall rules, and evading or defeating intrusion detection systems (IDSs). The text covers both general strategies, and sketches of popular firewall and IDS products on the market. Chapter eleven explores the other side of the coin, how to defend against Nmap scans, including detecting scans, blocking or slowing down scans, and misleading service and OS detection.

The remainder of the book is dominated by reference material. Chapter twelve introduces Zenmap, the official Nmap GUI client, including how it can benefit even experienced Nmap hackers. Chapter thirteen explains Nmap's output formats, including human-readable plaintext, machine-friendly XML, and "grepable" text. It also covers manipulating and transforming the XML format for use with other tools. Chapter fourteen describes Nmap's data files, including the version and OS detection databases, and support files used by NME. Chapter fifteen is a comprehensive reference guide for Nmap, detailing all of the over 100 command line options. For further reference, appendix A contains the document type definition (DTD) for Nmap's XML output, and the introductory material includes a helpful reference of IP, TCP, UDP, and ICMP headers.

Documentation and more

Nmap Network Scanning is a thorough guide to Nmap itself, and a lesson in network scanning at no additional charge. If you are new to the subject, the educational material will help you fill in the gaps in your knowledge, from TCP flags and connection setup, to how firewalls determine which packets to stop and which to allow through to their destination. The inline examples explain how Nmap performs its scans (often with real, Internet-accessible URLs as the targets), but also how the user can and should interpret the results. Longer SOLUTION passages discuss more complex problems by presenting a case study of a broadly stated challenge (such as "find all of the servers on a network running an insecure or nonstandard application") and the steps in which Nmap can help hone in on the answer. As the author shows, much of being a good network scanner is knowing what tests to perform, and how to decipher what those tests tell you.

The book is successful as a comprehensive manual, but Lyon makes it more than just documentation by infusing it with his experience. First, he is an experienced scanning and security expert, and in almost every section shares specific, real-world expertise about the good and bad points of the available scanning techniques under discussion. As he points out in the introductory material, when it comes to free software, experience is the only barrier to becoming an expert, and he shares his without reservation. For example, in addition to the predefined scan types, Nmap's --scanflags option allows you to define a custom set of TCP flags for your probe. The author presents an example where crafting a packet with both the SYN and FIN flags set will get by certain firewall configurations because the TCP RFC is ambiguous about how hosts should interpret certain combinations of flags.

Second, Lyon is the creator of Nmap, and while that does not automatically mean he would write a better book on the subject, he uses his background with the project to enhance the text. As noted earlier, he explains design decisions that affect how Nmap performs its scans and tests, and understanding why Nmap works the way it does is far better for the reader than simply understanding what it can and cannot do. For example, chapter nine describes why (unlike other services) detecting Skype requires multiple tests, and Lyon explains why Nmap implements Skype detection as an NME script rather than building a single-purpose test into the service detection code.

He also draws on the history of the entire project to educate the reader. He includes background and discussion about scans and tests (such as the TCP FTP bounce scan) that are less and less useful every year as operating systems and applications servers close old security vulnerabilities. He notes changes in the code, such as the 2006 rewrite of the OS detection module that enhances the program but obsoletes older OS detection fingerprints. And he explains how new and interesting scans (such as Gerhard Rieger's IP Protocol scan) were discovered and added to Nmap's arsenal. Finally, Lyon brings the perspective of an ongoing project lead to the book, encouraging and explaining the importance of participation in Nmap's development process -- from consulting the mailing list, to submitting OS detection fingerprints to the Nmap database, to properly documenting homemade NME scripts.

Whether you are a novice port scanner looking to learn Nmap, or a security professional looking for the definitive reference on the ubiquitous free software scanner, Nmap Network Scanning has something for you. Nmap Network Scanning is available online from a variety of retailers; a current list as well as the best available price can be found at There you can also read several sample chapters in a free online edition.

Comments (3 posted)

Brief items

Follow up: How to write a Linux virus

Blogger "foobar" has written a followup article on the How to write a Linux virus in 5 easy steps article, which was mentioned on LWN here. "Yesterday I published an article about How to write a Linux virus in 5 easy steps. There has been quite an overwhelming response for this. Within just a few hours this article became my most visited blog post ever. Wow! Just goes to show that either the article hit a real nerve, or the other articles on my blog are just really boring. :-)"

Comments (75 posted)

New vulnerabilities

asterisk: information disclosure

Package(s):asterisk CVE #(s):CVE-2009-0041
Created:February 13, 2009 Updated:December 15, 2009
Description: IAX2 authentication in Asterisk provides different responses for non-existent accounts and password mismatches, allowing an attacker to determine whether specific accounts exist. See the Asterisk security report for details.
Debian DSA-1952-1 asterisk 2009-12-15
Fedora FEDORA-2009-11126 asterisk 2009-11-06
Gentoo 200905-01 asterisk 2009-05-02
Fedora FEDORA-2009-0973 libresample 2009-01-27
Fedora FEDORA-2009-0973 dahdi-tools 2009-01-27
Fedora FEDORA-2009-0973 asterisk 2009-01-27

Comments (none posted)

bind: validation bypass

Package(s):bind CVE #(s):CVE-2009-0265
Created:February 16, 2009 Updated:March 9, 2009
Description: From the CVE entry: Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025.
Gentoo 200903-14 bind 2009-03-09
Mandriva MDVSA-2009:037 bind 2008-02-16

Comments (none posted)

dia: arbitrary code execution

Package(s):dia CVE #(s):CVE-2008-5984
Created:February 17, 2009 Updated:December 9, 2009
Description: From the Mandriva advisory: Python has a variable called sys.path that contains all paths where Python loads modules by using import scripting procedure. A wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current dia working directory
Mandriva MDVSA-2009:046-1 dia 2009-12-08
Mandriva MDVSA-2009:046 dia 2009-02-20
Mandriva MDVSA-2009:040 dia 2008-02-16

Comments (none posted)

fail2ban: denial of service

Package(s):fail2ban CVE #(s):CVE-2009-0362
Created:February 16, 2009 Updated:February 18, 2009
Description: From the CVE entry: filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expression that allows remote attackers to cause a denial of service (forced authentication failures) via a crafted reverse-resolved DNS name (rhost) entry that contains a substring that is interpreted as an IP address, a different vulnerability than CVE-2007-4321.
Fedora FEDORA-2009-1737 fail2ban 2009-02-14
Fedora FEDORA-2009-1736 fail2ban 2009-02-14

Comments (none posted)

gedit: arbitrary code execution via Python scripts

Package(s):gedit CVE #(s):CVE-2009-0314
Created:February 16, 2009 Updated:March 31, 2009
Description: From the Mandriva advisory: Python has a variable called sys.path that contains all paths where Python loads modules by using import scripting procedure. A wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current gedit working directory
Gentoo 200903-41 gedit 2009-03-30
Mandriva MDVSA-2009:039 gedit 2008-02-16

Comments (none posted)

libpam-krb5: multiple vulnerabilities

Package(s):libpam-krb5 CVE #(s):CVE-2009-0360 CVE-2009-0361
Created:February 12, 2009 Updated:March 26, 2009
Description: Two vulnerabilities have been found in the Kerberos PAM module. From the Debian alert:

CVE-2009-0360 Russ Allbery discovered that the Kerberos PAM module parsed configuration settings from environment variables when run from a setuid context. This could lead to local privilege escalation if an attacker points a setuid program using PAM authentication to a Kerberos setup under her control.

CVE-2009-0361 Derek Chan discovered that the Kerberos PAM module allows reinitialisation of user credentials when run from a setuid context, resulting in potential local denial of service by overwriting the credential cache file or to privilege escalation.

Gentoo 201412-08 insight, perl-tk, sourcenav, tk, partimage, bitdefender-console, mlmmj, acl, xinit, gzip, ncompress, liblzw, splashutils, m4, kdm, gtk+, kget, dvipng, beanstalkd, pmount, pam_krb5, gv, lftp, uzbl, slim, iputils, dvbstreamer 2014-12-11
Gentoo 200903-39 pam_krb5 2009-03-25
Ubuntu USN-719-1 libpam-krb5 2009-02-12
Debian DSA-1722-1 libpam-heimdal 2009-02-11
Debian DSA-1721-1 libpam-krb5 2009-02-11

Comments (none posted)

moodle: multiple vulnerabilities

Package(s):moodle CVE #(s):CVE-2009-0499 CVE-2009-0500 CVE-2009-0501 CVE-2009-0502
Created:February 13, 2009 Updated:June 25, 2009
Description: From the CVE entries:

Cross-site request forgery (CSRF) vulnerability in the forum code in Moodle 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4 allows remote attackers to delete unauthorized forum posts via a link or IMG tag to post.php. (CVE-2009-0499)

Cross-site scripting (XSS) vulnerability in course/lib.php in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4 allows remote attackers to inject arbitrary web script or HTML via crafted log table information that is not properly handled when it is displayed in a log report. (CVE-2009-0500)

Unspecified vulnerability in the Calendar export feature in Moodle 1.8 before 1.8.8 and 1.9 before 1.9.4 allows attackers to obtain sensitive information and conduct "brute force attacks on user accounts" via unknown vectors. (CVE-2009-0501)

Cross-site scripting (XSS) vulnerability in blocks/html/block_html.php in Snoopy 1.2.3, as used in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4, allows remote attackers to inject arbitrary web script or HTML via an HTML block, which is not properly handled when the "Login as" feature is used to visit a MyMoodle or Blog page. (CVE-2009-0502)

Ubuntu USN-791-1 moodle 2009-06-24
Fedora FEDORA-2009-3280 moodle 2009-04-02
Fedora FEDORA-2009-3283 moodle 2009-04-02
SuSE SUSE-SR:2009:007 vim, gvim, apache2, opera, multipath tools, java-1_6_0-openjdk, imp, horde, lcms, moodle, ghostscript 2009-03-24
Fedora FEDORA-2009-1699 moodle 2009-02-13
Debian DSA-1724-1 moodle 2009-02-13
Fedora FEDORA-2009-1641 moodle 2009-02-13

Comments (none posted)

net-snmp: restriction bypass

Package(s):net-snmp CVE #(s):CVE-2008-6123
Created:February 17, 2009 Updated:June 3, 2010
Description: From the CVE entry: The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to "source/destination IP address confusion."
Ubuntu USN-946-1 net-snmp 2010-06-02
Gentoo 201001-05 net-snmp 2010-01-13
SuSE SUSE-SR:2010:003 lighttpd, net-snmp/libsnmp15/perl-SNMP, fuse, xpdf 2010-02-09
SuSE SUSE-SR:2009:012 optipng, cups, quagga, pango, strongswan, perl-DBD-Pg, irssi, openssl/libopenssl-devel, net-snmp, ImageMagick/GraphicsMagick, perl, ipsec-tools/novell-ipsec-tools, poppler/libpoppler3/libpoppler4, yast2-ldap-server, tomcat6, gstreamer-plugins/gstreamer010-plugins-bad, apache2-mod_php5 2009-07-03
SuSE SUSE-SR:2009:011 java, realplayer, acroread, apache2-mod_security2, cyrus-sasl, wireshark, ganglia-monitor-core, ghostscript-devel, libwmf, libxine1, net-snmp, ntp, openssl 2009-06-09
CentOS CESA-2009:0295 net-snmp 2009-03-26
Red Hat RHSA-2009:0295-01 net-snmp 2009-03-26
Mandriva MDVSA-2009:056 net-snmp 2009-02-25
Fedora FEDORA-2009-1769 net-snmp 2009-02-17

Comments (none posted)

php5: multiple vulnerabilities

Package(s):php5 CVE #(s):CVE-2008-5557 CVE-2008-5624 CVE-2008-5658 CVE-2007-5625
Created:February 13, 2009 Updated:February 23, 2010
Description: From the Ubuntu advisory:

It was discovered that PHP did not properly handle Unicode conversion in the mbstring extension. If a PHP application were tricked into processing a specially crafted string containing an HTML entity, an attacker could execute arbitrary code with application privileges. (CVE-2008-5557)

It was discovered that PHP did not properly initialize the page_uid and page_gid global variables for use by the SAPI php_getuid function. An attacker could exploit this issue to bypass safe_mode restrictions. (CVE-2008-5624)

It was discovered that PHP did not properly enforce error_log safe_mode restrictions when set by php_admin_flag in the Apache configuration file. A local attacker could create a specially crafted PHP script that would overwrite arbitrary files. (CVE-2007-5625)

It was discovered that PHP contained a flaw in the ZipArchive::extractTo function. If a PHP application were tricked into processing a specially crafted zip file that had filenames containing "..", an attacker could write arbitrary files within the filesystem. This issue only applied to Ubuntu 7.10, 8.04 LTS, and 8.10. (CVE-2008-5658)

Gentoo 201001-03 php 2010-01-05
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23
Debian DSA-1940-1 php5 2009-11-25
Fedora FEDORA-2009-3768 php 2009-04-21
Fedora FEDORA-2009-3848 php 2009-04-21
Debian DSA-1789-1 php5 2009-05-04
Red Hat RHSA-2009:0350-01 php 2009-04-14
CentOS CESA-2009:0338 php 2009-04-07
CentOS CESA-2009:0337 php 2009-04-06
Red Hat RHSA-2009:0337-01 php 2009-04-06
Red Hat RHSA-2009:0338-01 php 2009-04-06
Mandriva MDVSA-2009:065 php4 2009-03-05
rPath rPSA-2009-0035-1 php 2009-03-02
Mandriva MDVSA-2009:045 php 2009-02-20
SuSE SUSE-SR:2009:004 apache, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools,opensc, perl, phpPgAdmin, sbl, sblim-sfcb, squirrelmail, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, xine-devel 2009-02-17
Ubuntu USN-720-1 php5 2009-02-12

Comments (none posted)

python-fedora: privilege escalation

Package(s):python-fedora CVE #(s):
Created:February 13, 2009 Updated:February 18, 2009
Description: From the Fedora advisory: This release includes a bugfix to the fedora.client.AccountSystem().verify_password() method. verify_password() was incorrectly returning True (username, password combination was correct) for any input. Although no known code is using this method to verify a user's account with the Fedora Account System, the existence of the method and the fact that anyone using this would be allowing users due to the bug makes this a high priority bug to fix.
Fedora FEDORA-2009-1518 python-fedora 2009-02-12
Fedora FEDORA-2009-1519 python-fedora 2009-02-12

Comments (none posted)

squidGuard: access restriction bypass

Package(s):squidguard CVE #(s):
Created:February 13, 2009 Updated:February 18, 2009
Description: The Red Hat bugzilla notes a "trailing dot" domain access restriction bypass in squidGuard.
Fedora FEDORA-2009-1520 squidGuard 2009-02-12
Fedora FEDORA-2009-1523 squidGuard 2009-02-12

Comments (none posted)

websvn: access violation

Package(s):websvn CVE #(s):CVE-2009-0240
Created:February 16, 2009 Updated:March 9, 2009
Description: From the Debian advisory: Bas van Schaik discovered that WebSVN, a tool to view Subversion repositories over the web, did not properly restrict access to private repositories, allowing a remote attacker to read significant parts of their content.
Gentoo 200903-20 websvn 2009-03-09
Debian DSA-1725-1 websvn 2009-02-15

Comments (none posted)

Page editor: Jonathan Corbet
Next page: Kernel development>>

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds