Nmap Announce mailing list archives

Re: Examples of legit nmap usage?


From: Max Vision <vision () whitehats com>
Date: Sat, 18 Sep 1999 10:58:23 -0700 (PDT)

Hello,

I think there are two tactics that could improve your luck here
tremendously.

First, don't scan for everything.  I don't know if you already limit your
scans, but nmap -F, or better yet nmap -p with a port list, is going to
dramatically change the level of network activity, and the time it takes
your scan to complete as well.  In your situation, you are going to have
to explain what you are looking for.  How useful is it in practical
terms, knowing that you don't have the time nor write-off to do a full
penetration test of your network, to scan the thousand some odd ports
possible (nmap-services lists 1020 tcp ports that will be checked if you
specify -F)?  You should limit your scan to the services that you can,
yourself, explain why they are interesting or should be checked for.

Second, find alternate language that you can use that doesn't include
port, icmp, tcp, udp, scan, etc.  Refer to server security from a user
standpoint, such as "people running a personal webserver that shouldn't" or
"I want to look at the network to determine how many Suns are likely to be
vulnerable to these RPC attacks mentioned in the CERT advisory".  For some
reason, these fuzzier wordings can push through a lot of the red tape.

The mention of CERT brings me to another idea, which is to go through all
of the CERT advisories for the past couple of years, and come up with a
list of ports based on the advisories.  This port list is likely to get
attention from Management because of the source.  In my opinion, CERT is
hardly a definitive resource - however they are established, and have
fairly good writeups covering common security issues.  If you could say
you wanted to verify <blah list of services here>, then you would already
have some lengthy documentation (CERT advisories) to back each one of the
ports (say "services" :) that you are trying to scan (say "verify").
I have made such a list; if you want it, drop me an email (I needed it to
justify adding some Checkpoint FW-1 rules for very primitive IDS for a
client who had no IDS at all (this was before the current snort/visionids
stuff)).

Also you mentioned commercial scanning tools.  Some of them are quite
excellent, and I would be interested to hear your opinions on their
shortcomings and where you applied nmap to fill the gaps (aside from OS
detection).  In particular ISS and Cybercop have various portscanning
options (including syn, ack, fin, and even direct rpc scanning) in
addition to the standard service checks (which include the CERT-related
services I mention above).  They excel at handling the drudgery of high-level
assessment of large numbers of hosts.  Personally, I feel they are very
useful in scenarios such as yours, if configured correctly.

But that's just my opinion :)

Good luck!
Max

On Fri, 17 Sep 1999, Foust, Adam G. wrote:

nmap has the potential of becoming an extremely useful tool for me in my job
(not in the hacker sense, but in the discovery and security sense). I ran it
for a while and built up a picture of our intranet WAN (with the help of a
custom bit of perl and CGI programming), but now I'm being told to knock it off
for good based on the high amount of messages that began to accumulate in
our router logs. All of our other $$$ commercial network tools have so far
provided a rather piecemeal view of things, and I would like to continue to
use this excellent nmap tool to augment our picture of things (particularly
having an inventory of TCP services).

Can anyone help me out with a good "business case" for administratively
running nmap in a corporate environment? What would be the impact to routers
and hosts of say automating a weekly scan on a rather large network (I won't
give specifics, but I will say that if I seed nmap with a list of ping-able
IP addresses it requires a couple of days to complete a single sweep)? Is
using nmap in this fashion a dumb idea?

Any good examples of nmap being used for network discovery in any
corporations out there?

Any information you can provide would be of great use. Thanks.
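As an added example (not from either poster), here is the "name the services, not the ports" approach from Max's first point turned into a small shell helper: it resolves service names against an nmap-services-style table (a constructed excerpt is embedded, so it runs offline; swap in the real file path on your system) and builds the narrowed `nmap -p` command for a weekly TCP-service inventory. The target file name and the output file name are assumptions.

```shell
#!/bin/sh
# Constructed excerpt in nmap-services format ("name  port/proto  # comment").
# Entries are for the example only; point NMAP_SERVICES_SAMPLE at the real
# nmap-services file contents on your own system.
NMAP_SERVICES_SAMPLE='http	80/tcp
https	443/tcp
ssh	22/tcp
sunrpc	111/tcp
sunrpc	111/udp
smtp	25/tcp
domain	53/udp
domain	53/tcp
# comment lines are skipped
msrpc	135/tcp'

# services_to_ports SERVICES [PROTO]
#   SERVICES: whitespace-separated service names (the wording management sees)
#   PROTO:    tcp (default) or udp
# Prints a sorted, de-duplicated, comma-separated port list for "nmap -p".
# Unknown names (or names with no entry for PROTO) are reported on stderr
# and skipped rather than silently widening the scan.
services_to_ports() {
    wanted=$1
    proto=${2:-tcp}
    ports=""
    for svc in $wanted; do
        p=$(printf '%s\n' "$NMAP_SERVICES_SAMPLE" | awk -v s="$svc" -v pr="$proto" '
            $1 !~ /^#/ && $1 == s && split($2, a, "/") == 2 && a[2] == pr { print a[1] }')
        if [ -z "$p" ]; then
            printf 'warning: no %s entry for service "%s"\n' "$proto" "$svc" >&2
            continue
        fi
        ports="$ports $p"
    done
    printf '%s\n' $ports | sort -n -u | paste -s -d ',' -
}

# inventory_cmd SERVICES TARGET_FILE
# Echoes (does not run) the inventory command: TCP connect scan (-sT), no
# DNS lookups (-n), targets from a file (-iL), greppable output (-oG), and
# only the ports that were justified by name.
inventory_cmd() {
    plist=$(services_to_ports "$1" tcp)
    [ -n "$plist" ] || { echo 'no resolvable services' >&2; return 1; }
    printf 'nmap -n -sT -p %s -iL %s -oG inventory.gnmap\n' "$plist" "$2"
}
```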