Network security: Analyze your hosts and ports with nmap, Nessus, and netcat

Application expert explains security testing tool options like nmap, Nessus and netcat to keep your software safe and secure. According to Chris McMahon some of the key areas to focus on when using open source tools are your ports, IP address and connection preference, the tools used in this tip should help.

Chris McMahon
Do you know all of the hosts on your network? Are you *sure*? Do you know if all of those hosts are secure from malicious tampering? In this article, you will learn how to find that information for yourself using three tools: nmap, nessus, and netcat.
Warning
if you intend to experiment with these tools on a corporate network, we strongly advise you to seek the cooperation of your local IT and Network Administration staff. All the of tools described in this article are capable of performing actions that will set off network intrusion detection systems. All of the tools described in this article are capable of performing actions that will likely violate company policies. At some companies, unauthorized possession of these tools behind the company firewall is grounds for immediate termination.

Finding hosts with nmap
nmap is a mature open source project for network exploration and security auditing. nmap has an enormous number of features, of which this article will use only one: the ability to discover hosts on the network. All the examples are from the author's home LAN; your network is probably much more complex.

To begin with, you'll need to know something about how your network is set up. It likely has a DHCP server that issues IP addresses in a certain range, like 192.168 with some digits following. There are three of these "private networks" that may not be used for public internet addresses, and which are used for local networks:

10.0.0.0 – 10.255.255.255 (16,777,216 addresses) 172.16.0.0 – 172.31.255.255 (1,048,576 addresses) 192.168.0.0 – 192.168.255.255 (65,536 addresses)

While it is possible to scan for all possible addresses on your particular network, you will likely want to limit your nmap search. On my LAN, I only want to see some low numbers so I tell nmap

nmap -v sP 192.168.0-5.1-254

where "-sP" means "-sP: Ping Scan - go no further than determining if host is online". This is a very simple scan, but even so it yields some interesting and complex results. I am running nmap from the Zenmap controller, which gives me a graphical display of my local network topography as well as a high-level analysis of the host activity on my LAN. Many other kinds of scans are possible with nmap, but all I want is a list of hosts in order to check them for security vulnerabilities using Nessus.

Scan for vulnerabilities with Nessus
Nessus is a proprietary tool, so please read the license before deciding how to use it. There is an open source port of an earlier version of Nessus known as OpenVAS.

After setting up Nessus, I need to do a couple of things in order to scan for security issues on my LAN. First, I need to set a Policy, where I have accepted most of the default values. Then I need to add a Scan that uses the Policy. nmap found these hosts on my LAN and told me what ports they had open:

    192.168.2.104 192.168.2.1 192.168.2.100 192.168.2.101 192.168.2.102

now I'll put that list into my nessus Scan and click "Launch Scan".

Nessus has a large library of known security exploits. When I launch my scan, Nessus will look for open ports on each of the hosts in the lists, and upon finding an open port, attempt to discover if whatever is listening on that port has any known security flaws. The process takes some time.

Of the six machines Nessus scanned on my LAN, nessus found a couple of high risk security problems. One is on an old Mac laptop I had not even powered up in some time. Here is some of the quoted text:

Synopsis
The remote host is affected by a vulnerability in its WMV decoder.

Description
The remote Mac OS X host is running a version of Flip4Mac that contains an unspecified vulnerability in its decoder.

Flip4Mac is an extension that lets users read '.wmv' movie files. By enticing a user on the remote host to read a malformed '.wmv' file, an attacker may be able to execute arbitrary commands on the remote system.

Solution
Upgrade to Flip4Mac Version 2.2.1 or later.

I'd better fix that!

Here's a high risk vulnerability on my old Windows XP machine that Nessus found:

Synopsis
An account on the remote Windows host uses a default password.

Description
The 'db2admin' account on the remote Windows host uses a known password. This account may have been created during installation of DB2, for use managing the application, and likely belongs to the Local Administrators group.

Note that while the DB2 installation no longer uses a default password for this account, the upgrade process does not force a password change if the 'db2admin' account exists from a previous install.

Solution
Assign a different password to this account as soon as possible.

See Also

CVSS
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Output
Nessus was able to gain access using the following credentials :

Login : db2admin Password : db2admin

This is something that would likely happen on an Enterprise desktop machine.

Nessus found a medium-level vulnerability in my wife's Linux laptop:

Synopsis
It is possible to obtain information about the remote host.

Description
The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.

Solution
Filter incoming traffic to UDP port 5353 if desired.

CVSS
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Output
Nessus was able to extract the following information :

  • Computer name : uptowngardener-laptop.local.
  • Ethernet addr : 00:19:d2:90:d2:65
  • Computer Type : I686
  • Operating System : LINUX

Getting deep with Netcat The vast majority of networks in the world (including the Internet) run on a protocol called TCP/IP. netcat is a tool that lets the user manipulate traffic on TCP/IP networks at a very low level but with some fairly intuitive commands. Like all the tools in this article, netcat can be used for many things, but in the context of network security testing and analysis, there are a few areas to examine.

For one thing, as a port scanner it is a lot faster than nmap or nessus if you know the host IP address:

$ nc -z 192.168.2.100 1-1000 Connection to 192.168.2.100 80 port [tcp/http] succeeded! Connection to 192.168.2.100 139 port [tcp/netbios-ssn] succeeded! Connection to 192.168.2.100 443 port [tcp/https] succeeded! Connection to 192.168.2.100 515 port [tcp/printer] succeeded!

For another thing, netcat can send unexpected input to any given server. Once you know what each port is doing thanks to nmap and nessus, you can craft your own input for your own servers:

$ nc -v -n 192.168.2.100 80 Connection to 192.168.2.100 80 port [tcp/*] succeeded! GET http://192.168.2.100/totally_bogus_hack_url https://192.168.2.100/totally_bogus_hack_url Content-Type: text/html Content-Length: 112

MovedMoved

Finally, netcat can transfer files to and from hosts. The security implications should be clear:

nc -l -p 1234 >hack.txt

Get hacking

There are dozens or hundreds of tools available for network analysis and security testing, of which these three are just really great and useful examples. Happy hacking!


About the author: Chris McMahon is a software tester and former professional bass player. His background in software testing is both deep and wide, having tested systems from mainframes to web apps, from the deepest telecom layers and life-critical software to the frothiest eye candy. Chris has been part of the greater public software testing community since about 2004, both writing about the industry and contributing to open source projects like Watir, Selenium, and FreeBSD. His recent work has been to start the process of prying software development from the cold, dead hands of manufacturing and engineering into the warm light of artistic performance. A dedicated agile telecommuter on distributed teams, Chris lives deep in the remote Four Corners area of the U.S. Luckily, he has email: christopher.mcmahon@gmail.com.
This was first published in March 2010
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close