Fyodor posted to
I have just released version 2.00 of nmap, a program for network
security auditing and general Internet exploration. Almost all of
the core code has been rewritten for better performance and
accuracy, and many new features have been added. Here are some of
its current capabilities:
* You can have it do a fast parallel ping of all hosts on a
network to determine which ones are up. You can use the traditional
ICMP echo request (ping), a TCP ACK packet, or a TCP SYN packet to
probe for responses. By default it uses both ACKs & ICMP pings
to maximize the chance of sneaking through packet filters. There is
also a connect() version for under-privileged users. The syntax for
specifying what hosts should be scanned is quite flexible.
* The hosts found to be up can be port scanned to determine what
services are running. Techniques you can use include the SYN
(half-open) scan, FIN, Xmas, or Null stealth scans, connect scan
(does not require root), FTP bounce attack, and UDP scan. Options
exist for common filter-bypassing techniques such as packet
fragmentation and setting the source port number (to 20 or 53, for
example). It can also query a remote identd for the usernames that
servers are running under. You can select any (or all) port
number(s) to scan, since you may want to just sweep the networks
you run for 1 or 2 services recently found to be vulnerable.
* Remote OS detection via TCP/IP fingerprinting allows you to
determine what operating system release each host is running. This
functionality is similar to the awesome queso program, although
nmap implements many new techniques. I wrote an article about these
techniques for the next Phrack, but the impatient can always read
the source code. In many cases, nmap can narrow down the OS to the
kernel number or release version. A database of ~100 fingerprints
for common operating system versions is included, thanks to a
couple dozen wonderful beta testers who worked on the last 19
private beta releases.
* TCP ISN sequence predictability lets you know what sequence
prediction class (64K, time dependent, “true random”, constant,
etc) the host falls into. A difficulty index is provided to tell
you roughly how vulnerable the machine is to sequence
* Decoy scans are also allowed. The idea is that for every
packet sent by nmap from your address, a similar packet is sent
from each of the decoy hosts you specify. This is useful due to the
rising popularity of stealth port scan detection software. If such
software is used, it will generally report a dozen (or however many
you choose) port scans from different addresses at the same time.
It is very difficult to determine which address is doing the
scanning, and which are simply innocent decoys.
* There are many other features which are useful in special
situations, see the documentation for full details.
Nmap is quite portable, and has been reported to run on Linux,
FreeBSD, OpenBSD, NetBSD, Solaris, IRIX, HP/UX, and BSDI. It uses
its own raw networking library for packet transmission, and the LBL
Libpcap library for raw receives.
Nmap is free software, distributed as source code under the
terms of the GNU public license. Comments, questions, and problems
can be sent to [email protected].
You are also encouraged to send me the fingerprints for operating
systems it fails to detect (if at least one port is open and the
machine is not behind a filtering firewall — I want the reference
fingerprints to be pristine). Anything with a TCP stack is fair
game for detection, including firewalls, palm pilots, ‘net cameras,
The newest version of nmap is always available at the nmap home
page: http://www.insecure.org/nmap/ .
Check out the man page to learn how to do the things above and for
examples of common usage.
-- Fyodor 'finger [email protected] | pgp -fka'

In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the
criminal community. --Mitch Stone on Microsoft ActiveX
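The scan types listed above (SYN, FIN, Xmas, Null), the source-port trick, and tiny-fragment evasion all come down to a few bytes of the TCP header. The block below is an added example, not nmap's code and not from the announcement: it builds the 20-byte TCP header for each probe type with a valid checksum, shows where a chosen source port such as 53 lands, and models how that header would be split into 8-byte IP fragments. The addresses, ports and the `SCAN_FLAGS`, `build_tcp_probe` and `ip_fragments` names are constructed for illustration; nothing is sent on the wire.

```python
"""Build the TCP probes behind the scan types named in the announcement.

Added example, not nmap's own code. Only the flag byte differs between a
SYN, FIN, Xmas and Null probe; the source port is a plain header field;
and a tiny-fragment scan splits the header so a filter that looks only at
the first fragment never sees the flags. Addresses and ports below are
constructed sample values.
"""
import socket
import struct

# TCP flag bits (RFC 793): FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32
SCAN_FLAGS = {
    "SYN": 0x02,                 # half-open scan: SYN only
    "FIN": 0x01,                 # FIN scan: FIN only
    "Xmas": 0x01 | 0x08 | 0x20,  # FIN+PSH+URG, "lit up like a Christmas tree"
    "Null": 0x00,                # no flags at all
    "ACK": 0x10,                 # ACK probe, also usable as a host ping
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, 6, tcp_len)


def build_tcp_probe(src_ip, dst_ip, src_port, dst_port, scan, seq=0, window=1024):
    """Return a 20-byte TCP header (no options) for the named scan type."""
    flags = SCAN_FLAGS[scan]
    # src, dst, seq, ack, data offset (5 words << 4), flags, window, csum, urg
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      5 << 4, flags, window, 0, 0)
    csum = inet_checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment):
    """True when the checksum field already in `segment` is correct
    (summing a correctly checksummed segment yields 0)."""
    return inet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment):
    """Flag byte of a TCP segment (byte offset 13)."""
    return segment[13]


def ip_fragments(payload, frag_size=8):
    """Split an IP payload as a tiny-fragment scan would.

    Returns (fragment offset in 8-byte units, more-fragments flag, data).
    With 8-byte fragments the flag byte (offset 13) sits in the second
    fragment, which is why first-fragment-only filters can be evaded."""
    if frag_size % 8:
        raise ValueError("IP fragment size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = off + frag_size < len(payload)
        frags.append((off // 8, more, chunk))
    return frags


if __name__ == "__main__":
    src, dst = "192.0.2.10", "192.0.2.20"      # constructed addresses
    for scan in SCAN_FLAGS:
        seg = build_tcp_probe(src, dst, 53, 80, scan)
        print("%-4s flags=0x%02x checksum ok=%s fragments=%d" % (
            scan, tcp_flags(seg), verify_tcp_checksum(src, dst, seg),
            len(ip_fragments(seg))))
```

Sending these probes requires a raw socket (hence the root requirement for everything but the connect() scan), and a real packet also needs the IP header in front of this TCP header; the fragment list here only shows how the header would be cut, not the per-fragment IP headers.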
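The ISN predictability classes named in the announcement (constant, 64K rule, time dependent, "true random") can be told apart from the increments between successive ISNs. The block below is an added example, not nmap's own code: it takes a list of ISN samples assumed to come from fresh connections at a fixed interval, computes the increments modulo 2^32, and assigns a class plus a rough difficulty index. The thresholds (`rel_jitter`, `random_bits`), the index definition (bit length of the standard deviation of the increments), and the sample ISNs are all constructed assumptions, not the values nmap uses.

```python
"""Classify a host's TCP ISN generator into the predictability classes
listed in the announcement (constant, 64K rule, time dependent, random).

Added example, not nmap's own code: the thresholds and the difficulty
index are simplified assumptions for illustration, not nmap's values.
The ISN samples in __main__ are constructed, not captured from a host.
"""
import statistics

MOD = 2 ** 32


def isn_deltas(isns):
    """Increment between consecutive ISNs, modulo 2**32, so a wraparound
    such as 0xFFFFFF00 -> 0x00000100 still reads as a small step."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def difficulty_index(deltas):
    """Rough 'bits an attacker cannot predict' figure.

    Assumption: bit length of the population standard deviation of the
    increments; 0 when every increment is identical, because then the
    next ISN is fully determined by the previous one."""
    if len(set(deltas)) == 1:
        return 0
    return int(statistics.pstdev(deltas)).bit_length()


def classify_isn(isns, rel_jitter=0.05, random_bits=24):
    """Return (class_name, difficulty_index).

    Samples are assumed to be taken at a fixed interval from fresh
    connections: a per-connection constant increment gives exactly equal
    deltas, a clock-driven generator gives nearly equal deltas with a
    little timing jitter, and a random generator gives deltas spread over
    most of the 32-bit space."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    index = difficulty_index(deltas)
    first = deltas[0]
    if all(d == 0 for d in deltas):
        return "constant", index
    if all(d == first for d in deltas):
        if first == 64000:
            return "64K rule", index
        if first == 800:
            return "800 rule", index
        return "constant increment", index
    mean = statistics.mean(deltas)
    if mean and statistics.pstdev(deltas) / mean < rel_jitter:
        return "time dependent", index
    if index >= random_bits:
        return "true random", index
    return "unclassified", index


if __name__ == "__main__":
    # Constructed sample sets, one per class; not real captures.
    samples = {
        "constant":       [5, 5, 5, 5],
        "64K rule":       [100, 64100, 128100, 192100],
        "time dependent": [0, 250100, 499900, 750200, 1000050],
        "true random":    [0x1A2B3C4D, 0x9F8E7D6C, 0x3C5A7E91,
                           0xE0123456, 0x55AA33CC],
    }
    for label, isns in samples.items():
        cls, idx = classify_isn(isns)
        print("%-15s -> %-18s difficulty=%d" % (label, cls, idx))
```

The classes with index 0 are the ones where an attacker who observes a single ISN can forge a follow-up segment blind, which is the sequence-prediction attack the announcement's difficulty index is meant to gauge; a generator that only looks random over a few samples may still be a poorly seeded PRNG, so the index is a lower bound on effort rather than a proof of safety.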