Nmap Announce mailing list archives

Re: Examples of legit nmap usage?


From: Thomas Reinke <reinke () e-softinc com>
Date: Fri, 17 Sep 1999 23:39:58 -0400

Two comments - you may be facing an "educational" issue rather than
a technical one.  If no-one sees the value of running nmap, then
the pain of the router logs issue would overcome any other
unknown savings to the people dealing with the logs.

Having said that, I can tell you that I know of at least one
corporation that uses nmap to do scans looking for trojans,
and only for trojans. This boils down to a network sweep
looking for very specific services, against ALL IP addresses
(with of course the idea being that finding one instance
of BO outweighs the network chatter).

Secondly, as operators of a free web based scanning server
(aka Desktop Audits at www.e-softinc.com), I can tell you that
of the users we have using our service, we regularly find
machines that have been infected with one form of trojan or another.
If you have a large network that would take DAYS to scan,
I suspect that you would find some interesting results from
such a scan.

The bottom line is that your organization has to see the value
of virus/trojan detection of this form, and they may need to be
educated to see the value. If they cannot see the value, even
after education, then you may be in trouble.

Suggestion: talk to them about a "trial" scan, during which
you attempt to find machines that have been compromised by
a virus. Indicate that if the trial is successful, you'd
be willing to help set up a regular audit of this sort that
would ensure your systems were regularly scanned. On the
flip side, indicate that if your audit is clean, you would
be willing to stop all scans, provided no-one saw any benefit.
I've found in the past that this type of approach works quite
well.

Cheers, Thomas

"Foust, Adam G." wrote:

nmap has the potential of becoming an extremely useful tool for me in my job
(not in the hacker sense, but in the discovery and security sense). I ran it
for a while and built up a picture of our intranet WAN (with the help of a
custom bit of perl and CGI programming), but now I'm being told to knock it off
for good based on the high number of messages that began to accumulate in
our router logs. All of our other $$$ commercial network tools have so far
provided a rather piecemeal view of things, and I would like to continue to
use this excellent nmap tool to augment our picture of things (particularly
having an inventory of TCP services).

Can anyone help me out with a good "business case" for administratively
running nmap in a corporate environment? What would be the impact to routers
and hosts of say automating a weekly scan on a rather large network (I won't
give specifics, but I will say that if I seed nmap with a list of ping-able
IP addresses it requires a couple of days to complete a single sweep)? Is
using nmap in this fashion a dumb idea?

Any good examples of nmap being used for network discovery in any
corporations out there?

Any information you can provide would be of great use. Thanks.

-- 
------------------------------------------------------------
Thomas Reinke                            Tel: (416) 460-7021
Director of Technology                   Fax: (416) 598-2319
E-Soft Inc.                         http://www.e-softinc.com
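The "sweep for very specific services" Thomas describes is usually run as a narrow port list against the whole address space and then post-processed, rather than read by eye. The script below is an added example, not code from either poster or from E-Soft; it parses nmap's grepable (-oG) output for a sweep restricted to known trojan ports and reports which hosts answered. The watch list (Back Orifice on 31337/udp, NetBus on 12345-12346/tcp, both documented defaults for those tools) and the sample scan output are constructed for the example, as is the suggested nmap command line in the docstring. The one caveat worth carrying into such a script is shown: a UDP port nmap reports as "open|filtered" only means no ICMP unreachable came back, so it is inconclusive and is reported separately from a confirmed open TCP port.

```python
"""Flag hosts from an nmap grepable-output sweep that expose trojan ports.

Added example, not from the original thread. Assumes the sweep was run
with a narrow port list and grepable output, for instance:
    nmap -sS -sU -p T:12345,12346,U:31337 -oG sweep.gnmap 10.0.0.0/16
"""
import re

# Watch list: (port, protocol) -> label. Assumed for this example; the
# ports are the documented defaults of the two trojans named.
WATCHED = {
    (31337, "udp"): "Back Orifice",
    (12345, "tcp"): "NetBus",
    (12346, "tcp"): "NetBus",
}

# Constructed sample of nmap -oG output (not real scan data). Fields on a
# Host line are tab-separated; each port is port/state/proto/owner/service/.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.1.5 ()\tStatus: Up\n"
    "Host: 10.0.1.5 ()\tPorts: 31337/open|filtered/udp//BO//, "
    "12345/closed/tcp//NetBus//, 12346/closed/tcp//NetBus//\n"
    "Host: 10.0.1.9 ()\tStatus: Up\n"
    "Host: 10.0.1.9 ()\tPorts: 12345/open/tcp//NetBus//, "
    "12346/open/tcp//NetBus//, 31337/closed/udp//BO//\n"
    "Host: 10.0.1.12 ()\tStatus: Up\n"
    "Host: 10.0.1.12 ()\tPorts: 31337/closed/udp//BO//, "
    "12345/closed/tcp//NetBus//, 12346/closed/tcp//NetBus//\n"
    "# Nmap done (constructed sample)\n"
)

# port / state / protocol, where state may be e.g. "open|filtered"
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/")


def parse_gnmap(text):
    """Return {host: [(port, state, proto), ...]} from -oG output.

    Lines without a Ports field (the 'Status: Up' lines, comments) are
    skipped; a host that appears on several Ports lines is merged.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"\tPorts: ([^\t]*)", line)
        if not m:
            continue
        ports = [(int(p), state, proto)
                 for p, state, proto in PORT_RE.findall(m.group(1))]
        results.setdefault(host, []).extend(ports)
    return results


def find_suspects(text, watched=WATCHED):
    """Split hosts into confirmed hits and inconclusive UDP responders.

    Returns (hits, maybes), each {host: [(port, proto, label), ...]}.
    'open' is a confirmed listener. 'open|filtered' on UDP only means
    nothing came back, which a firewall can also cause, so it goes to
    maybes for manual follow-up rather than being counted as infected.
    """
    hits, maybes = {}, {}
    for host, ports in parse_gnmap(text).items():
        for port, state, proto in ports:
            label = watched.get((port, proto))
            if label is None:
                continue
            if state == "open":
                hits.setdefault(host, []).append((port, proto, label))
            elif state == "open|filtered":
                maybes.setdefault(host, []).append((port, proto, label))
    return hits, maybes


if __name__ == "__main__":
    confirmed, inconclusive = find_suspects(SAMPLE_GNMAP)
    for host, findings in sorted(confirmed.items()):
        print("HIT   ", host, findings)
    for host, findings in sorted(inconclusive.items()):
        print("CHECK ", host, findings)
```

Run against a real sweep with `find_suspects(open("sweep.gnmap").read())`. Keeping the port list this short is also what keeps router log volume down compared with a full-range sweep: each host sees only a handful of probes per pass.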
