There are many tools that can be used to scan systems and make a network map. The best known of these tools is nmap. Nmap is available from http://nmap.org/. There are many excellent sources of information for the auditor or security professional wanting to discover more about this tool. Other than the section in the Firewall chapter of this book, the following sites should be among the first stops in this process:
- http://nmap.org/docs.html
- http://www.nmap-tutorial.com/
Though nmap has been ported to Windows, it works best under Linux or UNIX. Too many of the options available within nmap are “broken” by the Microsoft network stack.
We covered using nmap for individual scans in an earlier chapter, “Testing the Firewall”. In this section we look at how to automate the response and make this tool useful for reporting.
The prime limitation of nmap is its reporting capability. Nmap does provide output in a “grep’able” format, but there are far more effective tools for querying the data. PBNJ (a package that includes ScanPBNJ and OutputPBNJ) can import nmap scan results from nmap’s XML output format (“-oX”) and provides the capability to query this data. The program is written in Perl and provides a means to identify changes to the systems and network as soon as a scan completes.
ScanPBNJ can drive nmap itself to scan the network. Alternatively, an existing nmap scan can be imported: this requires the nmap XML output format (-oX), and the ScanPBNJ “-x” option imports the results of such an nmap XML report.
PBNJ is a suite of tools that provides the capacity to monitor change across a network over time. It has the capacity to save nmap results into a database and check for changes on the target host(s). It saves the details of the services running on these hosts as well as the service state. PBNJ can then parse the data from an nmap scan and store the results in the database. PBNJ uses nmap as its scanning engine. It is available from http://pbnj.sourceforge.net/.
The benefits of PBNJ include:
- The ability to configure automated internal and external scans,
- A configurable and flexible querying language and alerting system,
- The ability to parse nmap XML output files,
- The ability to access nmap output using a database (SQLite, MySQL or PostgreSQL),
- The ability to use distributed scanning with separate consoles and scan engines, and
- PBNJ runs on Linux, BSD and Windows (Linux or UNIX are recommended over Windows in this instance).
ScanPBNJ default scan options
By default, ScanPBNJ runs an nmap scan using the command options “nmap -vv -O -P0 -sS -p 1-1025”. This output is extremely verbose (-vv), with operating system identification enabled (-O). It also does not ping hosts before scanning them (-P0). The options above run an nmap SYN scan (-sS) over TCP ports 1 to 1025 (-p 1-1025).
It is possible to override the default options in ScanPBNJ using the “-a” switch. For instance, to scan all TCP ports on the host 10.50.20.10 the following command could be used:
ScanPBNJ -a "-A -sS -P0 -p 1-65535" 10.50.20.10
The other options in this command select the SYN scan (-sS), disable pinging of the host (-P0) and enable aggressive scanning (-A), which includes version scanning and operating system detection. Any of the standard nmap switches and scan types may be used.
The ability to query the ScanPBNJ results is provided by OutputPBNJ. OutputPBNJ uses a YAML query configuration file to perform queries against the information collected by ScanPBNJ. OutputPBNJ displays the results of the scans in a variety of formats (such as csv, tab and html).
A number of predefined queries are included with OutputPBNJ. These may be used to query the nmap results. The configuration file “query.yaml” contains the default queries defined on the system.
By default, only a small number of queries are defined. It is possible both to modify the existing default queries and to query the database directly. An ODBC connection to the database could also be used to load data from the database into another tool.
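To show what the import, storage and change-detection steps above amount to (nmap -oX parsing, a per-scan services table, and a direct query against it), here is an added example that is not part of PBNJ or this book. It is a small Python equivalent using SQLite: the two nmap XML reports are constructed sample data, and the table layout and column names are the example’s own, not PBNJ’s schema.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample nmap -oX output for two scans of one host (not real scan data).
DAY1 = """<nmaprun><host><status state="up"/><address addr="10.50.20.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""
DAY2 = """<nmaprun><host><status state="up"/><address addr="10.50.20.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """Map (ip, proto, port) -> (state, service name) for every <port> in an nmap XML report."""
    rows = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # skip hosts with no IPv4 address element
            continue
        for port in host.findall("ports/port"):
            svc = port.find("service")
            rows[(addr.get("addr"), port.get("protocol"), int(port.get("portid")))] = (
                port.find("state").get("state"), svc.get("name", "") if svc is not None else "")
    return rows

def store_scan(conn, scan_id, xml_text):
    """Insert one parsed report under scan_id, one row per host/port (the ScanPBNJ -x step)."""
    conn.executemany("INSERT INTO services VALUES (?,?,?,?,?,?)",
                     [(scan_id, ip, proto, port, state, svc)
                      for (ip, proto, port), (state, svc) in parse_nmap_xml(xml_text).items()])
    conn.commit()

def changes(conn, old_id, new_id):
    """Ports whose state differs between two scans; a NULL old state means a new listener."""
    return conn.execute("""SELECT n.ip, n.proto, n.port, o.state, n.state, n.service
        FROM services n LEFT JOIN services o
          ON o.scan = ? AND o.ip = n.ip AND o.proto = n.proto AND o.port = n.port
        WHERE n.scan = ? AND (o.state IS NULL OR o.state != n.state)
        ORDER BY n.port""", (old_id, new_id)).fetchall()

def report_changes():
    """Load both constructed scans into an in-memory SQLite table and return the differences."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (scan TEXT, ip TEXT, proto TEXT, port INTEGER, state TEXT, service TEXT)")
    store_scan(conn, "day1", DAY1)
    store_scan(conn, "day2", DAY2)
    return changes(conn, "day1", "day2")

if __name__ == "__main__":
    for ip, proto, port, old, new, svc in report_changes():
        print(f"{ip} {port}/{proto} {svc}: {old or 'not seen'} -> {new}")
```

With the sample data the report lists port 80 going from open to closed and port 3306 appearing as a new open listener, which is the kind of change an alerting query in PBNJ would flag.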