Network security: Analyze your hosts and ports with nmap, Nessus, and netcat

Application expert explains security testing tool options like nmap, Nessus and netcat to keep your software safe and secure. According to Chris McMahon some of the key areas to focus on when using open source tools are your ports, IP address and connection preference, the tools used in this tip should help.

Chris McMahon

if you intend to experiment with these tools on a corporate network, we strongly advise you to seek the cooperation of your local IT and Network Administration staff. All the of tools described in this article are capable of performing actions that will set off network intrusion detection systems. All of the tools described in this article are capable of performing actions that will likely violate company policies. At some companies, unauthorized possession of these tools behind the company firewall is grounds for immediate termination.

Finding hosts with nmap
nmap is a mature open source project for network exploration and security auditing. nmap has an enormous number of features, of which this article will use only one: the ability to discover hosts on the network. All the examples are from the author's home LAN; your network is probably much more complex.

To begin with, you'll need to know something about how your network is set up. It likely has a DHCP server that issues IP addresses in a certain range, like 192.168 with some digits following. There are three of these "private networks" that may not be used for public internet addresses, and which are used for local networks: – (16,777,216 addresses) – (1,048,576 addresses) – (65,536 addresses)

While it is possible to scan for all possible addresses on your particular network, you will likely want to limit your nmap search. On my LAN, I only want to see some low numbers so I tell nmap

nmap -v sP 192.168.0-5.1-254

where "-sP" means "-sP: Ping Scan - go no further than determining if host is online". This is a very simple scan, but even so it yields some interesting and complex results. I am running nmap from the Zenmap controller, which gives me a graphical display of my local network topography as well as a high-level analysis of the host activity on my LAN. Many other kinds of scans are possible with nmap, but all I want is a list of hosts in order to check them for security vulnerabilities using Nessus.

Scan for vulnerabilities with Nessus
Nessus is a proprietary tool, so please read the license before deciding how to use it. There is an open source port of an earlier version of Nessus known as OpenVAS.

After setting up Nessus, I need to do a couple of things in order to scan for security issues on my LAN. First, I need to set a Policy, where I have accepted most of the default values. Then I need to add a Scan that uses the Policy. nmap found these hosts on my LAN and told me what ports they had open:

now I'll put that list into my nessus Scan and click "Launch Scan".

Nessus has a large library of known security exploits. When I launch my scan, Nessus will look for open ports on each of the hosts in the lists, and upon finding an open port, attempt to discover if whatever is listening on that port has any known security flaws. The process takes some time.

Of the six machines Nessus scanned on my LAN, nessus found a couple of high risk security problems. One is on an old Mac laptop I had not even powered up in some time. Here is some of the quoted text:

The remote host is affected by a vulnerability in its WMV decoder.

The remote Mac OS X host is running a version of Flip4Mac that contains an unspecified vulnerability in its decoder.

Flip4Mac is an extension that lets users read '.wmv' movie files. By enticing a user on the remote host to read a malformed '.wmv' file, an attacker may be able to execute arbitrary commands on the remote system.

Upgrade to Flip4Mac Version 2.2.1 or later.

I'd better fix that!

Here's a high risk vulnerability on my old Windows XP machine that Nessus found:

An account on the remote Windows host uses a default password.

The 'db2admin' account on the remote Windows host uses a known password. This account may have been created during installation of DB2, for use managing the application, and likely belongs to the Local Administrators group.

Note that while the DB2 installation no longer uses a default password for this account, the upgrade process does not force a password change if the 'db2admin' account exists from a previous install.

Assign a different password to this account as soon as possible.

See Also

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Output
Nessus was able to gain access using the following credentials :

Login : db2admin Password : db2admin

This is something that would likely happen on an Enterprise desktop machine.

Nessus found a medium-level vulnerability in my wife's Linux laptop:

It is possible to obtain information about the remote host.

The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.

Filter incoming traffic to UDP port 5353 if desired.

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin Output
Nessus was able to extract the following information :

  • Computer name : uptowngardener-laptop.local.
  • Ethernet addr : 00:19:d2:90:d2:65
  • Computer Type : I686
  • Operating System : LINUX

Getting deep with Netcat The vast majority of networks in the world (including the Internet) run on a protocol called TCP/IP. netcat is a tool that lets the user manipulate traffic on TCP/IP networks at a very low level but with some fairly intuitive commands. Like all the tools in this article, netcat can be used for many things, but in the context of network security testing and analysis, there are a few areas to examine.

For one thing, as a port scanner it is a lot faster than nmap or nessus if you know the host IP address:

$ nc -z 1-1000 Connection to 80 port [tcp/http] succeeded! Connection to 139 port [tcp/netbios-ssn] succeeded! Connection to 443 port [tcp/https] succeeded! Connection to 515 port [tcp/printer] succeeded!

For another thing, netcat can send unexpected input to any given server. Once you know what each port is doing thanks to nmap and nessus, you can craft your own input for your own servers:

$ nc -v -n 80 Connection to 80 port [tcp/*] succeeded! GET Content-Type: text/html Content-Length: 112


Finally, netcat can transfer files to and from hosts. The security implications should be clear:

nc -l -p 1234 >hack.txt

Get hacking

There are dozens or hundreds of tools available for network analysis and security testing, of which these three are just really great and useful examples. Happy hacking!

About the author: Chris McMahon is a software tester and former professional bass player. His background in software testing is both deep and wide, having tested systems from mainframes to web apps, from the deepest telecom layers and life-critical software to the frothiest eye candy. Chris has been part of the greater public software testing community since about 2004, both writing about the industry and contributing to open source projects like Watir, Selenium, and FreeBSD. His recent work has been to start the process of prying software development from the cold, dead hands of manufacturing and engineering into the warm light of artistic performance. A dedicated agile telecommuter on distributed teams, Chris lives deep in the remote Four Corners area of the U.S. Luckily, he has email: [email protected]
Do you know all of the hosts on your network? Are you *sure*? Do you know if all of those hosts are secure from malicious tampering? In this article, you will learn how to find that information for yourself using three tools: nmap, nessus, and netcat.

Dig Deeper on Topics Archive