[8707] in bugtraq
Nmap network auditing/exploring tool V. 2.00 released
daemon@ATHENA.MIT.EDU (Fyodor)
Tue Dec 15 11:12:12 1998
Date: Tue, 15 Dec 1998 05:22:38 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Fyodor <fyodor@DHP.COM>
To: BUGTRAQ@NETSPACE.ORG
I have just released version 2.00 of nmap, a program for network
security auditing and general Internet exploration. Almost all of the
core code has been rewritten for better performance and accuracy, and
many new features have been added. Here are some of its current
capabilities:
* You can have it do a fast parallel ping of all hosts on a network to
determine which ones are up. You can use the traditional ICMP echo
request (ping), a TCP ACK packet, or a TCP SYN packet to probe for
responses. By default it uses both ACKs & ICMP pings to maximize
the chance of sneaking through packet filters. There is also a
connect() version for under-privileged users. The syntax for
specifying what hosts should be scanned is quite flexible.
* The hosts found to be up can be port scanned to determine what
services are running. Techniques you can use include the SYN
(half-open) scan, FIN, Xmas, or Null stealth scans, connect scan
(does not require root), FTP bounce attack, and UDP scan. Options
exist for common filter-bypassing techniques such as packet
fragmentation and setting the source port number (to 20 or 53, for
example). It can also query a remote identd for the usernames that
servers are running under. You can select any (or all) port
number(s) to scan, since you may want to just sweep the networks you
run for 1 or 2 services recently found to be vulnerable.
* Remote OS detection via TCP/IP fingerprinting allows you to
determine what operating system release each host is running. This
functionality is similar to the awesome queso program, although nmap
implements many new techniques. I wrote an article about these
techniques for the next Phrack, but the impatient can always read
the source code. In many cases, nmap can narrow down the OS to the
kernel number or release version. A database of ~100 fingerprints
for common operating system versions is included, thanks to a couple
dozen wonderful beta testers who worked on the last 19 private beta
releases.
* TCP ISN sequence predictability lets you know what sequence
prediction class (64K, time dependent, "true random", constant, etc)
the host falls into. A difficulty index is provided to tell you
roughly how vulnerable the machine is to sequence prediction.
* Decoy scans are also allowed. The idea is that for every packet
sent by nmap from your address, a similar packet is sent from each
of the decoy hosts you specify. This is useful due to the rising
popularity of stealth port scan detection software. If such
software is used, it will generally report a dozen (or however many
you choose) port scans from different addresses at the same time.
It is very difficult to determine which address is doing the
scanning, and which are simply innocent decoys.
* There are many other features which are useful in special
situations, see the documentation for full details.
Nmap is quite portable, and has been reported to run on Linux,
FreeBSD, OpenBSD, NetBSD, Solaris, IRIX, HP/UX, and BSDI. It uses its
own raw networking library for packet transmission, and the LBL
Libpcap library for raw receives.
Nmap is free software, distributed as source code under the terms of
the GNU public license. Comments, questions, and problems can be sent
to fyodor@dhp.com . You are also encouraged to send me the
fingerprints for operating systems it fails to detect (if at least one
port is open and the machine is not behind a filtering firewall -- I
want the reference fingerprints to be pristine). Anything with a TCP
stack is fair game for detection, including firewalls, palm pilots,
'net cameras, etc.
The newest version of nmap is always available at the nmap home page:
http://www.insecure.org/nmap/ . Check out the man page to learn how
to do the things above and for examples of common usage.
Cheers,
Fyodor
--
Fyodor 'finger pgp@www.insecure.org | pgp -fka'
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community. --Mitch Stone on Microsoft ActiveX
