By Jeff Kabachinski
This month’s installment of Tech Savvy takes a peek at a network utility called NMAP (Network Mapper). It has been around for about 20 years. NMAP is a free, open-source network security tool released under a modified GPL license. It is a robust tool that is heavily supported and resourced; a quick search on Amazon turns up recent books on using it. The license gives you the right to run, study, share, and modify the software. You can find the NMAP source code at: https://github.com/nmap/nmap.
NMAP is widely regarded as the de facto standard for network mapping and port scanning. It gives the network administrator a way to find the nodes and services currently in use on the network, and to build a map of who and what is active on it.
Although usually used for port scanning, NMAP offers many additional features: host discovery, operating system detection, service version detection, and network information about targets such as DNS names, device types, and MAC addresses. Through its scripting engine (NSE) it can also check targets for well-known vulnerabilities.
When you download NMAP you also get its GUI (Graphical User Interface), called Zenmap, which makes using NMAP much easier. Once a scan has run, Zenmap offers a number of different views of the port scanning results NMAP produced.
Zenmap’s main screen shows the results of the port scan. You pick which host or network node to scan. Start by scanning your own machine (127.0.0.1, or its LAN address) to see which ports you have active. NMAP places every scanned port into one of six states:
The Six Port States Recognized by NMAP
• Open – An application is actively accepting TCP connections (or UDP datagrams) on this port. Open ports are the avenue for attack; the trick is to keep attackers from exploiting them while keeping them available to legitimate users.
• Closed – A closed port is reachable (it receives NMAP’s probe packets and replies to them), but no application is listening on it. Closed ports still tell you that a node is up at that IP address, and NMAP uses their replies as part of OS (Operating System) detection.
• Filtered – NMAP cannot tell whether the port is open, because a firewall, router rule, or host-based filter is blocking its probes from reaching the port. Filtered ports frustrate attackers because they give away so little information; they also slow a scan down, since NMAP retries a probe before giving up on it.
• Unfiltered – The port is reachable, but NMAP cannot tell whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, places ports in this state.
• Open|filtered – NMAP cannot tell whether the port is open or filtered. This happens with scan types in which an open port gives no response at all, such as UDP, FIN, NULL, and Xmas scans.
• Closed|filtered – NMAP cannot tell whether the port is closed or filtered. Only the IP ID idle scan produces this state.
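As an added example (not from the article, and not NMAP’s own code), the Python below maps each probe response onto one of the six states above, following the decision rules NMAP documents for its SYN, connect, ACK, FIN/NULL/Xmas, UDP, and idle scans. The Response class, the function names, and the sample responses are this example’s own; the ICMP unreachable codes are the ones NMAP treats as evidence of filtering.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# ICMP destination-unreachable (type 3) codes that NMAP reads as "a filter
# answered": net (0), host (1), protocol (2), port (3), and the
# administratively-prohibited codes (9, 10, 13).  UDP scans are the
# exception: there a port unreachable (code 3) means closed.
ICMP_DEST_UNREACHABLE = 3
FILTERING_CODES = frozenset({0, 1, 2, 3, 9, 10, 13})


@dataclass(frozen=True)
class Response:
    """What came back for one probe (a constructed stand-in for a packet)."""
    kind: str                                  # "none", "tcp", "udp" or "icmp"
    tcp_flags: FrozenSet[str] = frozenset()    # e.g. {"SYN", "ACK"} or {"RST"}
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


NO_RESPONSE = Response("none")


def _filter_answered(resp: Response) -> bool:
    return (resp.kind == "icmp"
            and resp.icmp_type == ICMP_DEST_UNREACHABLE
            and resp.icmp_code in FILTERING_CODES)


def port_state(scan: str, resp: Response) -> str:
    """Return NMAP's port state for one probe/response pair.

    scan is one of "syn", "connect", "ack", "fin", "null", "xmas", "udp".
    """
    got_rst = resp.kind == "tcp" and "RST" in resp.tcp_flags
    got_synack = resp.kind == "tcp" and {"SYN", "ACK"} <= resp.tcp_flags
    silent = resp.kind == "none"

    if scan in ("syn", "connect"):
        if got_synack:
            return "open"              # something is listening
        if got_rst:
            return "closed"            # host is there, nothing listening
        if silent or _filter_answered(resp):
            return "filtered"          # probe never reached a TCP stack
    elif scan == "ack":
        # An ACK probe cannot reveal open vs. closed; an unfiltered port sends
        # RST either way, so the only question is whether a filter is in the path.
        if got_rst:
            return "unfiltered"
        if silent or _filter_answered(resp):
            return "filtered"
    elif scan in ("fin", "null", "xmas"):
        # RFC 793 stacks stay silent for these probes on OPEN ports, so silence
        # could mean open or filtered; only an RST is unambiguous.
        if got_rst:
            return "closed"
        if _filter_answered(resp):
            return "filtered"
        if silent:
            return "open|filtered"
    elif scan == "udp":
        if resp.kind == "udp":
            return "open"              # the service answered our payload
        if resp.kind == "icmp" and resp.icmp_type == ICMP_DEST_UNREACHABLE:
            if resp.icmp_code == 3:
                return "closed"        # port unreachable: host up, no listener
            if resp.icmp_code in FILTERING_CODES:
                return "filtered"
        if silent:
            return "open|filtered"     # most open UDP services ignore junk
    else:
        raise ValueError(f"unknown scan type: {scan}")
    raise ValueError(f"unexpected response {resp!r} for {scan} scan")


def idle_scan_state(zombie_ipid_before: int, zombie_ipid_after: int) -> str:
    """IP ID idle scan (-sI), the one scan that yields closed|filtered.

    NMAP probes the zombie's IP ID, sends a SYN to the target spoofed from the
    zombie, then probes the zombie again.  The zombie's counter moves by 1 for
    its reply to our second probe, plus 1 more only if the target's SYN/ACK
    made the zombie send a RST, i.e. only if the port is open.
    """
    delta = (zombie_ipid_after - zombie_ipid_before) % 65536
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"       # a RST or nothing at all look the same
    raise ValueError(f"zombie IP ID moved by {delta}; it is not idle, pick another")


if __name__ == "__main__":
    samples = [
        ("syn",  Response("tcp", frozenset({"SYN", "ACK"}))),
        ("syn",  NO_RESPONSE),
        ("ack",  Response("tcp", frozenset({"RST"}))),
        ("xmas", NO_RESPONSE),
        ("udp",  Response("icmp", icmp_type=3, icmp_code=3)),
        ("udp",  Response("icmp", icmp_type=3, icmp_code=13)),
    ]
    for scan, resp in samples:
        print(f"{scan:5s} {resp.kind:5s} -> {port_state(scan, resp)}")
    print("idle  ipid+1 ->", idle_scan_state(1000, 1001))
```

The table makes the two ambiguous states visible: open|filtered only arises from scans where an open port is allowed to stay silent, and closed|filtered only from the idle scan, where the zombie cannot tell a target’s RST from no answer at all.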
TCP Port Number Ranges
TCP port numbers are 2 bytes (16 bits), written as one decimal number from 0 to 65535 (UDP uses the same numbering). It helps to know the common port numbers when analyzing an NMAP scan; the official assignments are published by the IANA at www.iana.org. There are three groups of ports to consider:
Port Numbers 0-1023
Are the “well-known ports” (the IANA now calls them system ports), assigned by the IANA (Internet Assigned Numbers Authority). Some examples: HTTP uses port 80, FTP (File Transfer Protocol) data – 20, FTP control – 21, SMTP (Simple Mail Transfer Protocol) – 25, POP3 (Post Office Protocol) – 110, and DICOM (Digital Imaging and Communications in Medicine) – 104. DICOM also uses 1044 and 4006, but those numbers are above 1023 and belong to the registered range below.
Port Numbers 1024-49151
Are assigned by the IANA on request and are called “registered ports” (the IANA now calls them user ports). For example, Google Talk has registered ports numbered 19294, 19295, and 19302.
Port Numbers 49152-65535
Are the dynamic or private ports, also called ephemeral ports. The IANA does not assign them; the operating system hands them out as the source port of outgoing connections, so you will always see some of them in use. Applications such as Windows RPC services do legitimately listen here, but so do malware and backdoors, precisely because nobody expects a fixed service on these numbers. Keep an eye on what applications are using this port range, and investigate any listener you cannot account for.
Zenmap
The first tab in Zenmap is called Nmap Output. It shows the results of the port scan for the selected target: every port NMAP found in a state other than closed, plus other details such as the MAC (Ethernet) address, the operating system in use, the network distance in hops, and service information. The Ports/Hosts tab lists the ports NMAP found open in more detail. Other tabs include the Topology view of the network map, Host Details for each scanned host, and a history of scans.
Zenmap also lets you save scans. That way you can keep a baseline and, when trouble arises, compare a fresh scan against it (Zenmap’s Compare Results tool does the comparison) to spot any port that has newly opened or changed state. NMAP is worth a look if you are interested in what is happening on your network.
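NMAP ships a command-line tool, ndiff, for exactly this baseline comparison (it is what Zenmap’s Compare Results uses). As an added example that is not part of the article or of NMAP, the Python below does a stripped-down version of the same job on two saved scans in NMAP’s XML format (the output of -oX), and applies the port-range point from above: a newly open port in the dynamic range 49152-65535 gets flagged for follow-up. The two scan files, the host 192.0.2.10 (a documentation address), and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# IANA range boundaries, as described in the article
WELL_KNOWN_END = 1023
REGISTERED_END = 49151
DYNAMIC_START = 49152          # ephemeral source ports live here, and so do
                               # listeners nobody meant to install

PortKey = Tuple[str, str, int]               # (host address, protocol, port)
PortInfo = Tuple[str, str]                   # (state, service name)


def port_range(port: int) -> str:
    """Name the IANA range a port number falls in."""
    if 0 <= port <= WELL_KNOWN_END:
        return "well-known"
    if port <= REGISTERED_END:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError(f"not a valid port number: {port}")


def parse_nmap_xml(xml_text: str) -> Dict[PortKey, PortInfo]:
    """Pull every listed port out of an 'nmap -oX' file.

    NMAP lists only ports in a non-closed state by default, so a port
    missing from the file is usually closed rather than unknown.
    """
    root = ET.fromstring(xml_text)           # trusted input: our own scan file
    ports: Dict[PortKey, PortInfo] = {}
    for host in root.iter("host"):
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") in ("ipv4", "ipv6")]
        if not addrs:
            continue
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            key = (addrs[0], port.get("protocol"), int(port.get("portid")))
            ports[key] = (state, name)
    return ports


def compare_scans(baseline: Dict[PortKey, PortInfo],
                  current: Dict[PortKey, PortInfo]) -> List[str]:
    """Report every port whose state changed between the two scans."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        addr, proto, num = key
        before = baseline.get(key, ("absent", ""))[0]
        after, name = current.get(key, ("absent", ""))
        if before == after:
            continue
        label = f"{addr} {num}/{proto}"
        if after == "open":
            note = f"NEW open port {label} ({name or 'unknown'}, {port_range(num)} range)"
            if num >= DYNAMIC_START:
                note += "; unexpected listener in dynamic range, investigate"
            findings.append(note)
        elif before == "open":
            findings.append(f"port {label} was open, now {after}")
        else:
            findings.append(f"port {label}: {before} -> {after}")
    return findings


# Two constructed scan files for host 192.0.2.10, trimmed to the elements
# this example reads.  Between the scans, port 80 went away, 443 stopped
# being filtered, and two listeners appeared (5900 and 51515).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX baseline.xml 192.0.2.10" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" method="table"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="table"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https" method="table"/></port>
</ports></host></nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX current.xml 192.0.2.10" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" method="table"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" method="table"/></port>
<port protocol="tcp" portid="5900"><state state="open" reason="syn-ack"/><service name="vnc" method="table"/></port>
<port protocol="tcp" portid="51515"><state state="open" reason="syn-ack"/></port>
</ports></host></nmaprun>"""


def demo_findings() -> List[str]:
    return compare_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```

With real scans you would save each run with -oX and feed the two files to parse_nmap_xml, or simply run ndiff baseline.xml current.xml, which does the same comparison for every host in the files. The part worth keeping from the example is the triage rule: a new open port is always worth a line in the report, but one in the dynamic range with no recognized service is the first thing to chase down.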