UNIX System Administration Handbook - Evi Nemeth [393]
Port State Protocol Service
53 unfiltered tcp domain
80 open tcp http
179 unfiltered tcp bgp
443 open tcp https
Nmap run completed -- 1 IP address (1 host up) scanned in 122 seconds
In this case, it’s clear that the host is set up to handle web traffic only. A firewall blocks access to other ports. DNS and BGP traffic is allowed through, but no servers are running to receive it. Ideally, the firewall at this site should block traffic to all unused services (such as BGP and DNS in this case), so that these ports cannot be hijacked for other purposes.
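As an added illustration (not code from the book), the following script parses the nmap 2.x port table shown above and applies the same reasoning: ports reported open are checked against the services the host is meant to offer, while ports reported unfiltered (reachable through the firewall but with nothing listening) are flagged as candidates for blocking. The sample scan text and the intended-service set are constructed for the example.

```python
import re

# Constructed sample: the nmap 2.x port table shown above, as it would
# appear in a saved scan log (header and trailer lines included).
SAMPLE_SCAN = """\
Port State Protocol Service
53 unfiltered tcp domain
80 open tcp http
179 unfiltered tcp bgp
443 open tcp https
Nmap run completed -- 1 IP address (1 host up) scanned in 122 seconds
"""

# One table row: port, state, protocol, service name.
PORT_LINE = re.compile(r"^(\d+)\s+(\w+)\s+(tcp|udp)\s+(\S+)\s*$")

def parse_scan(text):
    """Return a list of (port, state, proto, service) tuples from the table."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def firewall_review(rows, intended):
    """Classify each port against the (port, proto) set the host should offer.

    'open'       -> a server answered; fine if intended, otherwise an
                    unexpected listener worth investigating.
    'unfiltered' -> the firewall let the probe through but nothing listens;
                    these ports should be blocked so they cannot be hijacked.
    """
    report = {"serving": [], "unexpected_listener": [], "block_at_firewall": []}
    for port, state, proto, service in rows:
        if state == "open":
            bucket = "serving" if (port, proto) in intended else "unexpected_listener"
        elif state == "unfiltered":
            bucket = "block_at_firewall"
        else:
            continue  # filtered or closed ports need no action here
        report[bucket].append(f"{port}/{proto} ({service})")
    return report

if __name__ == "__main__":
    rows = parse_scan(SAMPLE_SCAN)
    result = firewall_review(rows, intended={(80, "tcp"), (443, "tcp")})
    for bucket, ports in result.items():
        print(f"{bucket}: {', '.join(ports) or '-'}")
```

For the sample above this reports 80/tcp and 443/tcp as serving and 53/tcp and 179/tcp as ports to block at the firewall.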
In addition to straightforward TCP and UDP probes, nmap also has a repertoire of sneaky ways to probe ports without initiating an actual connection. In most cases, these probes send packets that look like they come from the middle of a TCP conversation (rather than the beginning) and wait for diagnostic packets to be sent back. The stealth probes may be effective at getting past a firewall or at avoiding detection by a network security monitor on the lookout for port scanners. If your site uses a firewall (see Firewalls on page 675), it’s a good idea to probe it with these alternate scanning modes to see what they turn up.
nmap has the magical and useful ability to guess what OS a remote system is running by looking at the particulars of its implementation of TCP/IP. The -O option turns on this behavior. For example:
% nmap -O disaster mrhat lollipop
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on disaster.xor.com (192.108.21.99):
...
Remote operating system guess: HP-UX 11.00
Interesting ports on mrhat.xor.com (192.108.21.2):
...
Remote operating system guess: BSDI 4.0
Interesting ports on lollipop.xor.com (192.108.21.48):
...
Remote operating system guess: Solaris 2.6 - 2.7
Nmap run completed -- 3 IP addresses (3 hosts up) scanned in 5 seconds
This feature can be very useful for taking an inventory of a local network. Unfortunately, it is also very useful to hackers, who can base their attacks on known weaknesses of the target OS.
SAINT: check networked systems for vulnerabilities
SAINT is an updated version of SATAN, a network security checker released in 1995 amid much hand-wringing about how it would bring about the end of the world. The original SATAN was written by Dan Farmer and Wietse Venema; SAINT is now maintained by World Wide Digital Security, Inc., from whose web site it can be downloaded (www.wwdsi.com). It’s free.
Like nmap, SAINT probes computers on a network to find out what servers they are running. But unlike nmap, SAINT knows quite a lot about the actual UNIX server programs and their historical vulnerabilities. It looks for common misconfigurations that degrade security, and it also checks for the presence of known bugs.
Because a SAINT report essentially provides instructions for breaking into a system, a small but vocal minority of system administrators feel that you would be wise to run SAINT—or a similar program such as Nessus, below—on your systems before the hackers do.
SAINT’s user interface is entirely web based, and it requires that a web browser be installed on the machine on which it runs. Fortunately, SAINT makes good use of HTML and can present its results in a variety of well-designed formats. SAINT does not require that nmap be installed but will use nmap if it is available. SAINT also claims to use the utilities supplied with Samba, if they are installed, to check Windows hosts. See www.samba.org or Chapter 26, Cooperating with Windows, for more information about Samba.
Nessus: next generation network scanner
Renaud Deraison is developing a package called Nessus that promises to provide many of the same features as SAINT, but in a more architecturally clean and more easily extensible way. It’s available from www.nessus.org.
We took a look at an early (pre-1.0) release of Nessus and found that it wasn’t quite ready for prime time. Although it’s not clear how good the final package will be or whether