Nmap From an Ethical Hacker's Point of View
ddonzal notes a new tutorial that introduces Nmap from the viewpoint of an ethical hacker. (Part 1 of 2 parts is up now.) The author is Kirby Tucker, who writes: "After completing this 2 Part Series and having practiced the techniques described, one should not only be able to sit at a 'roundtable' with advanced security professionals and 'hold their own' in a discussion concerning Nmap, but also utilize this great tool in protecting their own network."
Do you think that a title called 'Nmap From a Hacker's Point of View' would inform most people enough about the content of the article?
If you mod this up, your slashdot background will turn into a beautiful sunset!
try netstat -anpe | grep 9090 as root ?
>>Is there a more rich informed alternative that would say something like '9090/tcp open zeus-admin/transmission/appX/appY'?
Yes:
# netstat --numeric-hosts --listening --tcp --programs
Active Internet connections (only servers)
Proto Local Address Foreign Address State PID/Program name
tcp 0.0.0.0:svn 0.0.0.0:* LISTEN 1678/xinetd
tcp 0.0.0.0:netbios-ssn 0.0.0.0:* LISTEN 1703/smbd
tcp 0.0.0.0:sunrpc 0.0.0.0:* LISTEN 1531/portmap
tcp 0.0.0.0:http 0.0.0.0:* LISTEN 2580/lighttpd
etc.
fuser 9090/tcp, lsof -i
After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. A paper documenting the workings, usage, and customization of version detection is available at http://insecure.org/nmap/vscan/.
netstat -planet is what I remember.
they will fuck you if you ever go to another OS like Solaris, *BSD, OS/X, etc. example:
$ netstat --numeric-hosts --listening --tcp --programs
netstat: unknown option -- -
usage: netstat [-Aan] [-f address_family] [-M core] [-N system]
netstat [-bdgilmnqrstu] [-f address_family] [-M core] [-N system]
netstat [-bdn] [-I interface] [-M core] [-N system] [-w wait]
netstat [-M core] [-N system] -P pcbaddr
netstat [-s] [-M core] [-N system] [-p protocol]
netstat [-a] [-f address_family] [-i | -I interface]
netstat [-W interface]
$ uname -sr
OpenBSD 4.1
I hate this discussion, but about half the people here use the term "Hacker" to mean 'friendly computer programmer who's quite good at it' or perhaps 'security consultant', while the other half uses the term to refer to people who break into computer networks, usually for profit or other "evil" motives. The people who prefer the first definition use the term "Cracker" for the latter definition.
So, an "ethical burglar" would be a locksmith, I guess. Someone who knows how to use the tools, yet refrains from breaking and entering.
I'd leave "ethical rapist" as an exercise to the reader.
When I wrote "Secrets of Network Cartography: A Comprehensive Guide to Nmap" two years ago, I made the entire 180 page ebook available online. It's free to read, and it's licensed under Creative Commons. You can copy the entire thing and give it away to anyone for non-commercial use; you just have to provide proper attribution. Like my name. Or my web site. Anything. Work with me, here.
:)
Fyodor has led a great development effort over the last ten years, and part of Nmap's appeal is how such a free and "simple" program can be used to perform powerful port scans, operating system identifications, and application version detections. What started as a simple 10 page tutorial has now grown into multiple ebook editions, free online Nmap webinars, and a for-sale video training series on using Nmap to secure your network.
I'm not surprised that the content and flow of my book was copied, but I'm very disappointed that it was apparently rewritten to hide the copying so that it can allegedly be passed off as original material. The "repurposing" of one of my charts is just one example of the similarities in the flow and tone of my original text. The inclusion of this slightly-used article on an "Ethical Hacker" site has caused my irony meter to melt beyond repair.
To be fair, not all of Kirby "Kev" Tucker's article is "borrowed" from my book; there are at least two paragraphs near the end that aren't associated with any of my original work. I'm not sure where those came from.
James "Professor" Messer
Author, Secrets of Network Cartography: A Comprehensive Guide to Nmap