Nmap network auditing/exploring tool V. 2.00 released

From: Fyodor (fyodorat_private)
Date: Tue Dec 15 1998 - 02:22:38 PST

    I have just released version 2.00 of nmap, a program for network
    security auditing and general Internet exploration.  Almost all of the
    core code has been rewritten for better performance and accuracy, and
    many new features have been added.  Here are some of its current
    capabilities:
    
    * You can have it do a fast parallel ping of all hosts on a network to
      determine which ones are up.  You can use the traditional ICMP echo
      request (ping), a TCP ACK packet, or a TCP SYN packet to probe for
      responses.  By default it uses both ACKs & ICMP pings to maximize
      the chance of sneaking through packet filters.  There is also a
      connect() version for under-privileged users.  The syntax for
      specifying what hosts should be scanned is quite flexible.
    
    * The hosts found to be up can be port scanned to determine what
      services are running.  Techniques you can use include the SYN
      (half-open) scan, FIN, Xmas, or Null stealth scans, connect scan
      (does not require root), FTP bounce attack, and UDP scan.  Options
      exist for common filter-bypassing techniques such as packet
      fragmentation and setting the source port number (to 20 or 53, for
      example).  It can also query a remote identd for the usernames that
      servers are running under.  You can select any (or all) port
      number(s) to scan, since you may want to just sweep the networks you
      run for 1 or 2 services recently found to be vulnerable.
    
    * Remote OS detection via TCP/IP fingerprinting allows you to
      determine what operating system release each host is running.  This
      functionality is similar to the awesome queso program, although nmap
      implements many new techniques.  I wrote an article about these
      techniques for the next Phrack, but the impatient can always read
      the source code.  In many cases, nmap can narrow down the OS to the
      kernel number or release version.  A database of ~100 fingerprints
      for common operating system versions is included, thanks to a couple
      dozen wonderful beta testers who worked on the last 19 private beta
      releases.
    
    * TCP ISN sequence predictability lets you know what sequence
      prediction class (64K, time dependent, "true random", constant, etc)
      the host falls into.  A difficulty index is provided to tell you
      roughly how vulnerable the machine is to sequence prediction.
    
    * Decoy scans are also allowed.  The idea is that for every packet
      sent by nmap from your address, a similar packet is sent from each
      of the decoy hosts you specify.  This is useful due to the rising
      popularity of stealth port scan detection software.  If such
      software is used, it will generally report a dozen (or however many
      you choose) port scans from different addresses at the same time.
      It is very difficult to determine which address is doing the
      scanning, and which are simply innocent decoys.
    
    * There are many other features which are useful in special
      situations, see the documentation for full details.
    
    Nmap is quite portable, and has been reported to run on Linux,
    FreeBSD, OpenBSD, NetBSD, Solaris, IRIX, HP/UX, and BSDI.  It uses its
    own raw networking library for packet transmission, and the LBL
    Libpcap library for raw receives.
    
    Nmap is free software, distributed as source code under the terms of
    the GNU public license.  Comments, questions, and problems can be sent
    to fyodorat_private .  You are also encouraged to send me the
    fingerprints for operating systems it fails to detect (if at least one
    port is open and the machine is not behind a filtering firewall -- I
    want the reference fingerprints to be pristine).  Anything with a TCP
    stack is fair game for detection, including firewalls, palm pilots,
    'net cameras, etc.
    
    The newest version of nmap is always available at the nmap home page:
    http://www.insecure.org/nmap/ .  Check out the man page to learn how
    to do the things above and for examples of common usage.
    
    Cheers,
    Fyodor
    
    
    --
    Fyodor                            'finger pgpat_private | pgp -fka'
    In a free and open marketplace, it would be surprising to have such an
    obviously flawed standard generate much enthusiasm outside of the criminal
    community.  --Mitch Stone on Microsoft ActiveX
    
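Added example, not part of Fyodor's post or of nmap itself: the decoy-scan paragraph above describes what a scan detector sees (identical probes from many addresses at the same instant), so this small Python detector groups constructed scan-detector log lines by target and probed ports and flags bursts that arrive from several sources within a few seconds. The log format, the 5-second window and the three-source threshold are assumptions, not anything the post specifies.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real detector): epoch seconds,
# source address, destination address, and the ports probed in one event.
SAMPLE_LOG = """\
913717360 10.0.0.5 192.168.1.10 21,22,23,25,80,110,143
913717360 10.0.0.77 192.168.1.10 21,22,23,25,80,110,143
913717361 10.0.0.91 192.168.1.10 21,22,23,25,80,110,143
913717361 10.0.0.104 192.168.1.10 21,22,23,25,80,110,143
913717900 10.0.0.5 192.168.1.20 22
913717905 10.0.0.8 192.168.1.30 80,443
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([\d,]+)$")


def parse_events(text):
    """Parse log lines into (timestamp, src, dst, frozenset(ports)) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst, ports = m.groups()
        events.append((int(ts), src, dst,
                       frozenset(int(p) for p in ports.split(","))))
    return events


def find_decoy_clusters(events, window=5, min_sources=3):
    """Group events by (target, port set) and report groups in which at least
    `min_sources` distinct sources probed the same ports within `window`
    seconds: the pattern a decoy scan leaves, where only one source is real."""
    groups = defaultdict(list)
    for ts, src, dst, ports in events:
        groups[(dst, ports)].append((ts, src))
    clusters = []
    for (dst, ports), hits in groups.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            burst = [h for h in hits[i:] if h[0] - start <= window]
            sources = sorted({src for _, src in burst})
            if len(sources) >= min_sources:
                clusters.append({"target": dst, "ports": sorted(ports),
                                 "sources": sources})
            i += len(burst)
    return clusters
```

Every address in a flagged cluster is a candidate, so treat the list as the set to investigate rather than as an identification of the scanner.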



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:56 PDT