Nmap gets more media

[Erik Parker <netmask () 303 org>]

http://www.wired.com/news/news/technology/story/18219.html

The cracker's screwdriver has become more of a Swiss Army knife, his F-16
more of a stealth bomber. 

With awe and alarm, security analysts have observed the capabilities of
Nmap, a network-scanning program that crackers are now using to plot
increasingly cunning attacks. 

"Just before Christmas, we detected a new [network] scanning pattern we'd
never seen before," said John Green, a security expert on the "Shadow"
intrusion-detection team at the US Navy's Naval Surface Warfare Center.
"Other
sites have seen the same activity. The problem was, no one knew what was
causing it." 

Green made the remarks Tuesday in an online briefing hosted by the SANS
Institute, a nonprofit network-security research and education
organization. The group held the briefing to alert network administrators
of the alarming
increase in the strategies of network attacks. 

The culprit software prowling outside the doors of networks participating
in the study is Nmap, an existing software utility used by administrators
to analyze networks. In the hands of intruders, security analysts
discovered, Nmap is a
potent tool for sniffing out holes and network services that are ripe for
attack. 

The analysts didn't look for actual damage that was carried out. Instead,
they silently watched as various networks were scanned by untraceable Nmap
users. 

"The intelligence that can be garnered using Nmap is extensive," Green
said. "Everything that the wily hacker needs to know about your system is
there." 

Rather than feel in the dark to penetrate network "ports" at random, Nmap
allows intruders to perform much more precise assaults. The implications
are a bit unnerving for the network community. The tool makes planning
network
intrusions more effective, while simultaneously bringing this
sophistication to a wider audience of crackers. 

"It takes a lot of the brute force out of hacking," said Green. "It allows
[intruders] to map hosts and target systems that might be vulnerable." 

And that should result in a higher success rate for attempted intrusions. 

"I think we're going to see more coordinated attacks. You can slowly map
an entire network, while not setting off your detection system," said
software developer H. D. Moore, who debriefed network analysts at the
conference. 

But Moore is part of the solution. He authored Nlog, software that
automatically logs activity at a network's ports and parlays it to a
database. Weekly checks of the database enable the user to tell if someone
is performing an Nmap
analysis. 

Nlog serves as a companion tool to Nmap. Just like intruders,
administrators can use Nmap to detect their own network weaknesses, then
plug the holes. 

Prevention is the only defense, Green and Moore said. There is no other
known way to combat an Nmap-planned network attack. 

"Right now it's basically a suffer-along scenario," Green said. But, at
least, Nmap lets administrators "know what the hackers know about you." 


Cheers,
Erik