Jing An Telescope Factory (JATF): A Network Security Case Study. The Journal of Information Systems Education, Fall 2003, by Doug White and Alan Rea

It is also worth noting that NMAP is available with add-ons, such as NMAPFE, that provide a graphical interface for NMAP, and there is also a Windows version. A simple self-scan with NMAP can be performed any number of ways, but a basic scan might look like this:

nmap -sT -vv -O localhost (assuming localhost is defined as the loopback address of 127.0.0.1)

Figure 1 provides the output of the scan for this basic machine. The scan reveals a great deal of information about the system and illustrates two things: 1) what the system looks like when a would-be intruder scans it; 2) any unusual or unneeded services that may be running. Even though this system is firewalled off, there are still open ports that may be attacked by users inside the firewall. (Appendix B in the Teaching Notes provides a list of well-known ports and what they are typically used for.) It is important to know each port's function so that you can identify which system service is running on each open port. Conversely, you should know when a port should not be open.

The most critical information provided by the scan is the examination of open ports. In this case, the machine has eight open ports that may be running services that are in use, or perhaps the administrator has simply failed to disable unused services that are set up by default.

6.3.2 Working with the Ports: Any of these ports could be serving a Trojan or other hacking tool in disguise. NMAP simply reports the most common usage of each port. The fact that NMAP says "printer" does not necessarily mean this is actually a printer port; it merely means that this is the most common usage of port 515. Many Trojans intentionally use common ports to avoid detection through misdirection. The best rule is to disable any service you are not using. If the corporate network administrator feels uncomfortable with this approach, the next best approach is to log all activity on the port and see whether, and how, the port is being used.

The remainder of the NMAP scan provides some information about the operating system. As Figure 1 illustrates, NMAP always tries to collect fingerprint information to better discern which operating system is being run. The useful points here are that NMAP failed to identify the operating system and that it warned that IPID (Internet Protocol Identification) scanning is possible (a subtle form of probing a system for information).

Creating a script to automate the scan on a regular basis is a very good way of keeping up to date on what your servers are running. You can create scripts that email you a scan of all your servers once a week. You will quickly develop a "feel" for what your servers are running, and a change should be obvious without a great deal of searching through logs.
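The following is an added example of such a script, not code from the article: it runs the author's scan per host, saves nmap's normal output (-oN), and compares the open ports against the previous run so that a port appearing or vanishing is reported on its own line. The SCAN_DIR location, the baseline-file layout and the mail recipient are assumptions; the demo function uses constructed nmap-style output, not a real scan.

```sh
#!/bin/sh
# Added example (not from the article): weekly self-scan with change detection.
# Each host is scanned with the author's options (nmap -sT -vv -O), the result
# is saved in nmap's normal output format (-oN), and its open ports are compared
# with the previous run's file. SCAN_DIR and the file layout are assumptions.
export LC_ALL=C                      # stable ordering for sort and comm
SCAN_DIR="${SCAN_DIR:-/var/lib/portwatch}"

# open_ports FILE: print "port/proto service" for every line nmap marked open.
open_ports() {
    awk '$2 == "open" { print $1, $3 }' "$1" | sort
}

# diff_ports OLD NEW: lines only in OLD are ports that closed since the last
# run, lines only in NEW are ports that opened. Prints nothing if unchanged.
diff_ports() {
    o=$(mktemp) && n=$(mktemp) || return 1
    open_ports "$1" > "$o"
    open_ports "$2" > "$n"
    comm -23 "$o" "$n" | sed 's/^/- closed: /'
    comm -13 "$o" "$n" | sed 's/^/+ opened: /'
    rm -f "$o" "$n"
}

# scan_host HOST: scan, report changes against the stored baseline, then keep
# this scan as the new baseline for next week.
scan_host() {
    base="$SCAN_DIR/$1.baseline"; cur="$SCAN_DIR/$1.current"
    nmap -sT -vv -O -oN "$cur" "$1" > /dev/null
    [ -f "$base" ] && diff_ports "$base" "$cur"
    mv -f "$cur" "$base"
}

# demo: constructed nmap-style output (not a real scan) in which the printer
# port has gone away and an X11 port has appeared between two runs.
demo() {
    a=$(mktemp); b=$(mktemp)
    printf 'PORT    STATE SERVICE\n22/tcp  open  ssh\n25/tcp  open  smtp\n515/tcp open  printer\n' > "$a"
    printf 'PORT     STATE SERVICE\n22/tcp   open  ssh\n25/tcp   open  smtp\n6000/tcp open  X11\n' > "$b"
    diff_ports "$a" "$b"
    rm -f "$a" "$b"
}

# Cron entry point, e.g.: portwatch.sh web1 mail1 | mail -s "weekly scan" admin
if [ $# -gt 0 ]; then
    mkdir -p "$SCAN_DIR"
    for h in "$@"; do printf '== %s ==\n' "$h"; scan_host "$h"; done
fi
```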

6.3.3 Ethernet Sniffing: Ethernet sniffing has declined in popularity with the rise of switched, as opposed to hubbed, networks. Unlike hubs, which broadcast all packets across the network, switches usually filter that traffic, so sniffing is a useful tactic for hackers only if they can get close access to the devices they wish to sniff.
