Network scanning secrets revealed
29th Jun 2009 | 12:00
See your system through the eyes of a hacker
Getting started with Nmap
WARNING: Don't try anything you read here outside of your local network. Scanning and exploring distant ports or other people's networks is legally questionable, and could land you in very hot water. DON'T DO IT.
While regularly updating your system and having a firewall and antivirus software installed is essential, this isn't always enough to defeat information-gathering tools. Many of the standard tools used by network security professionals (and malicious hackers themselves) are freely available online.
They can easily reveal shocking details about your network, and using one gives you a better idea of both the need to secure yourself and what to secure. With a few mouse clicks, you can interrogate machines for what's running behind each open port, get details of the user's operating systems, and even find details of their network cards.
Here's how to do it, but there's an important caveat: this is only to be done on your own network. Scanning computers on the internet will get you into trouble.
All about Nmap
Nmap is the work of Gordon Lyon, known to the network security community as 'Fyodor'. What Nmap does is both simple and ingenious. It's essentially a port scanner that's designed to list open TCP and UDP ports on a running, networked computer.
Since its initial release in 1997, this simple functionality has been augmented to turn Nmap into a serious network analysis and attack tool. Nmap can find out far more about the target than just which of its ports are open.
By sending special sequences of data packets and analysing the results sent back by the target's TCP/IP 'stack' software, Nmap can detect the operating system running on the remote machine with a high degree of accuracy. It can also tell the make and model of the network adapter, the uptime of Linux machines and even the version of the software that's connected to a specific port.
This makes this program very dangerous in the wrong hands, but it can also be very useful if you're trying to improve your own security by looking at your system through the eyes of a hacker.
Nmap began life on Linux, but we're going to use the Windows version, which has a graphical user interface that makes things a bit easier to negotiate.
Download the Nmap installation executable and run it. As part of the installation process, the open-source packet-capture software Pcap will be installed. Nmap needs this software to run properly under Windows, so don't be alarmed when you're asked to confirm this.
If you have a previous version installed on your machine, the installation process will uninstall the old one first. Other than this, the whole installation process is a question of simply accepting the licence agreement, then repeatedly hitting 'Next'.
After this is done, you can run Nmap by firing up the Zenmap user interface, which you'll find on the Start menu. Maximise the initial window when it appears.
Let's now perform a basic scan of a machine. If you've not set up your 'hosts' file to map names to IP addresses, enter the IP of a target, otherwise enter its name into the Target input box at the top left of the interface.
In the Profile dropdown menu to the right, select 'Regular Scan' and press the 'Scan' button next to it. The scan takes a few seconds to complete, during which time Nmap's output is piped to the main pane of the user interface.
Launching it on a Linux system with the Apache 2 web server and VNC (remote desktop software) installed reveals almost instantly that port 80 is open for HTTP connections, and that port 5900 is open for remote desktop connections.
If this machine were out unprotected in the wilds of the internet, you could expect to see it being probed at least every few minutes by software with Nmap-like facilities in preparation for an attack.
There are several tabs on the main pane of the Zenmap interface. The Ports/Hosts tab enables you to list and sort the open ports on your network, while the Topology tab gradually draws you a diagram of your network as you scan more hosts. Click on the 'Fisheye' and 'Controls' buttons to zoom in and get a better view of the network layout.
Comprehensive scans and network snooping
We can use Nmap to discover even more information about the target machine by using some different scan types. Try the 'Intense scan, all TCP ports' scanning option. This takes a few moments to complete, but it scans the entire range of possible TCP port numbers (1 to 65,535), looking for open holes. It also performs operating system identification checks as well as trying to spot the software running behind each open port.
Going back to the Ports/Hosts tab, it now shows not only the two ports we saw a moment ago, but also the names of the applications running on them. In the case of Apache 2, it also displays the version of the software and even the underlying operating system name (Ubuntu, in our case).
Next, click on the Host Details tab. This is an option that often has the power to shock people into installing a proper firewall. Expand the sections to see more detail.
Nmap knows that our machine is running Linux (including the version of the running kernel). It also knows the network card's MAC address, which enables it to look up the manufacturer. Knowing this could give a skilled hacker a means to crash the card.
Interestingly, our copy of Zenmap also found a P2P file-sharing application that was running. It was technically connected to a port, but it was not connected to the Internet at the time of the scan.
The most comprehensive of the default scans that Zenmap has at its disposal is the 'Slow comprehensive scan'. This takes quite a while to complete, but it leaves no stone unturned while looking for even tiny details of the target host. As you scan more targets, these are added to the topology diagram in Zenmap, giving you a unique graphical view of your network.
If you have a network segmented into subnets using a router or switch, try scanning that too. Nmap – with or without the Zenmap front end – is a great tool for explaining to people why they need to ensure that only the ports they actually need should be open on the firewall, and that using old versions of networked software is very dangerous.
For example, older versions of Apache 2 have vulnerabilities that are exploitable directly using a buffer overflow attack. A hacker only needs to know which version of Apache 2 is being used to decide which attack to try, a piece of information that Nmap can work out in a few moments.
'Sniffing' network traffic as it goes by is another important technique used by hackers, and it can be even more revealing. One industry standard tool for network sniffing is Wireshark, which was previously known as Ethereal.
During my past life as a network security consultant, one of my jobs was to assess the internal security of networks for corporate clients. The first thing I'd do would always be to set Ethereal running. I remember one tough assignment where everything seemed very secure indeed. I had nothing much to tell the client in my subsequent presentation and report.
However, towards the end of my time on-site, I suddenly noticed some telnet traffic going by in Ethereal, including the username 'root' and a password. My heart leapt. Linux and Unix users will recognise 'root' as the system administration account – the so-called 'super user'.
Telnet sends usernames and passwords over the network as plain text. A system administrator was logging into a server using this when he should have been using a secure connection. I quickly logged into the server myself using the same account, downloaded the system's password file and began running it through a password cracker.
I soon realised that usernames and passwords were the same on other servers, giving me free range to log in wherever I pleased. At the final presentation, I passed an envelope to each of the rather bored-looking network administration team. It was rather satisfying to watch their faces become ashen as they read the messages inside, which told them their personal, supposedly secure account passwords.
But now, back to business. Download the executable for Wireshark and run it to begin installation. During this process, you'll again be asked if you'd like to install Pcap. This time decline, but also untick the Services box on the same screen that allows users without administrator access to capture traffic. This prevents normal users discovering that Wireshark is installed and using it to snoop on others.
Once installed, run Wireshark. The program uses Pcap to put the network card into 'promiscuous' mode, which means that it will accept packets that aren't meant for it. This is easy in Linux, but the writers of Windows never envisioned that such functionality would ever be needed – hence the need for Pcap.
Select 'Interfaces' from the Capture dropdown menu and a box will pop up listing all of the interfaces, including virtual ones. You can select any of these and capture traffic from them, but if you're connected directly to your broadband connection, let's try something that might just shock you.
Locate the WAN interface. It's the one with a public IP address, and its name will be something like 'WAN (PPP/SLIP) Interface'. Press the associated 'Start' button, and Wireshark will begin its capture.
Now, go to your mail client and set it to download new messages from your ISP's server. Back in Wireshark, you'll see that data will begin to accumulate. After a moment or so, the traffic will subside. Once this has happened, go to Wireshark's Capture menu and select 'Stop'.
Each captured packet has a time, a source and destination address, an associated protocol and a short description of its content or type. Scroll through the data and look for the entries with information columns starting with the words 'Request: USER' and 'Request: PASS'. You should recognise them as being the username and password you used to log into your ISP's mail server – being sent over the internet in clear text!
If your ISP's email server supports username and password encryption, use it to prevent this happening. If it doesn't, but the ISP's webmail interface uses SSL (the URL begins with 'HTTPS'), then use this instead. SSL is ideal if you're worried about your credentials being sent in plain text and intercepted en route, because the connection and information will be encrypted before it even leaves your web browser.
First published in PC Plus Issue 282
Liked this? Then check out How to catch hackers on your wireless network
Sign up for TechRadar's free Weird Week in Tech newsletter
Get the oddest tech stories of the week, plus the most popular news and reviews delivered straight to your inbox. Sign up at http://www.techradar.com/register