Wednesday, 15 May 2019 01:03

Finding vulnerabilities in the network with nmap

Behind every open port on the network is a server program that is likely to contain errors. Sometimes these errors are so serious that they can be exploited to spy on the system, sabotage it or even execute malicious code on it. Therefore, the most important step in increasing the security of your corporate network is to keep track of open ports and close them where necessary.

Introduction: Exploring The Network With Nmap

Using network analysis programs, you get an overview of possible weaknesses in the company's network. This guide introduces three basic analysis techniques with the nmap port scanner. They are used to identify devices and to find out which services they offer. Finally, we introduce two techniques that help you eliminate the vulnerabilities you find.

With the program nmap you can examine the structure of your network. It is considered the "hacker tool" par excellence because it exploits implementation details of various network protocols. It finds the end devices in the network, examines them for running server programs, and determines which programs are involved. Thus, nmap reveals extensive details about your business network.

Always remember to work carefully and only examine networks that you are authorized to investigate!

Install And Use Nmap

You can download the program at nmap.org. While nmap itself is a pure command line tool, Zenmap provides a graphical user interface.

For some of the techniques described below, nmap sends raw data packets on different layers of the network stack. Because this requires bypassing the operating system's network stack, you need root or administrator rights to run them.

Analysis Technique 1:  
Find Network Devices With Nmap

The first technique assumes that all end devices are in the same broadcast domain. This means: all computers are connected to each other via switches in the same Ethernet and are not separated by routers (i.e. at the IP level). Alternatively, one could send an ICMP echo request (ping) to the network segment's broadcast address, but for security reasons modern end devices normally do not respond to it.

Computers in a broadcast domain
Computers A, B and C are connected via a switch and are thus in the same broadcast domain. Computer A can find computers B and C using ARP requests in the network. Computer D is connected to the network via a router; ARP requests do not reach it.

If you want to send an IP packet to another computer in the same Ethernet, this is done via an Ethernet frame that is exchanged between two network interfaces. For this, the recipient's hardware address must be known. The mechanism connecting an IP address to the associated hardware or MAC address is provided by the address resolution protocol (ARP).

A request sent to the broadcast MAC address reaches all end devices in the broadcast domain: "Who has the following IP address?". The end device that receives packets for this IP address then sends back its MAC address. Now the network interface can address data to this particular device.

When you scan a network segment using ARP, such a request is made for each IP address in the specified network segment. Any device that is connected to the network must respond to this request.

The following command finds all active devices in the given IP address range within a common broadcast domain:

nmap -PR 

Analysis Technique 2:  
Find Open Ports Without Direct Access To The Device

If you have direct access to the target system, you can see its open ports under Linux, macOS and Windows with the "netstat" command. In many cases, this is not possible. Nmap offers alternatives for scanning the target system for open ports.

Find open TCP ports

Behind each open port is a server program that accepts and processes data. For TCP, determining open ports is simple: because the protocol is connection-oriented, a three-way handshake must be completed to establish a connection (more information on the three-way handshake can be found in our free book "TCP / IP Ethernet for Web IN ISLAND"). A single SYN packet is sent to the target, and the state of the port can be identified from the response:

  • No answer:
    The port is either not open or filtered

  • Reset:
    The operating system accepts connection requests to the port but rejects them because no server application is running on the port

  • The connection is accepted:
    The port is open and may pose a security risk

Use the following command to perform a TCP SYN scan on the host with the given IP address:


Find open UDP ports

Finding open UDP ports is much harder. Unlike TCP, UDP is not connection-oriented. Since there is no three-way handshake, the reaction of the other side is unpredictable.

In the simplest case, the operating system of the target system responds that the port is not reachable. In this case, the port is marked as closed. If no response is sent, it is not possible to say whether the packet was accepted by a server program or discarded somewhere along the way. No answer means that the port is either open or filtered.

For the "usual suspects" among the ports, a service-specific packet is sent. If the sender receives a response, it knows that the port is open. This works, for example, for resolving computer names via DNS, for requesting an IP configuration via DHCP, or for time synchronization via NTP.

This command performs a simple UDP scan:

nmap -sU 1 

As mentioned above, this scan does not necessarily find all open UDP ports - but for a first overview it is often sufficient.

Find open TCP and UDP ports in the same pass

To simultaneously detect open TCP and UDP ports, you can also combine the commands:

nmap -sS -sU 

Analysis Technique 3:  
Determine The Operating System And Server Programs

Nmap can do more than just find devices and ports: developers have some freedom in how they implement network protocols. As a result, each operating system has a specific fingerprint by which it can be identified.

Determining the operating system does not always work, but in most cases the result is correct.

nmap -O 

In order to find out which services are running on an end device, nmap can analyze the responses received on the open ports. Often, these programs reveal a large amount of information, e.g. which version they are running or which protocols they support. Nmap evaluates this information and summarizes it.

nmap -sV 

Note: If you combine -sV with -sU, i.e. a UDP scan, nmap sends a battery of comprehensive test packets to each UDP port. This can give you more information on open UDP ports, but it may take a long time!
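To turn the port states from the TCP and UDP scans above and the -sV / -O results into an inventory you can review, nmap's XML output (-oX) is the easiest thing to parse. The following is an added example, not code from the original article or from W&T; the XML sample is constructed and simplified relative to real nmap output, and the address values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap's -oX output (not a real scan result); the
# "reason" attribute records the reply nmap saw: syn-ack, reset or no-response.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O -oX out.xml 192.0.2.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.9"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
<service name="telnet"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp"/></port>
<port protocol="udp" portid="123"><state state="open" reason="udp-response"/>
<service name="ntp"/></port>
</ports>
<os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
</host>
</nmaprun>"""

# States a defender must follow up on: "open" exposes a server program,
# "open|filtered" (UDP, no answer) cannot be ruled out without a -sV probe.
REVIEW_STATES = {"open", "open|filtered"}

def parse_nmap_xml(xml_text):
    """Return one dict per host with its addresses, OS guess and port list."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in host.iter("address")}
        osmatch = host.find("os/osmatch")
        ports = []
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            # -sV fills product/version; without it only the nmap-services name is known
            fields = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            ports.append({"proto": port.get("protocol"), "port": int(port.get("portid")),
                          "state": state.get("state"), "reason": state.get("reason"),
                          "service": " ".join(f for f in fields if f)})
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "ports": ports})
    return hosts

def ports_to_review(host):
    """Ports that are open or could not be ruled out (open|filtered)."""
    return [p for p in host["ports"] if p["state"] in REVIEW_STATES]
```

Feed it the file written by `nmap ... -oX out.xml` and compare the review list against what `netstat` shows on the device itself; anything in the list that you cannot close is a candidate for the isolation technique below.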

Close Ports, Increase Security

Now that the risks posed by open ports are known, they must be minimized in the next step.

Technique 1:  Stop Server Programs

As a first step, disable all unnecessary server programs. To find out which application has opened a port, you can again use the netstat command. In many cases, however, it is not possible to close ports by stopping server programs on the end device, e.g. for lack of access, in the case of embedded software, or when server programs are started dynamically as needed. This is where the isolation technique described in the next section helps.

Technique 2:  Uncomplicated And Efficient - Isolating With Microwall

With the isolation technique, potentially endangered systems whose open ports cannot be closed are placed in a separate network segment. Communication with this segment is monitored, restricted and logged. To do this, a firewall router such as the W & T Microwall is installed between the systems concerned and the surrounding network. The IP traffic routed over it is filtered by rules.

  • Microwall's packet filter filters out unwanted communication and discards the packets. Even though a port on the end device is open, it cannot be reached.

  • In NAT mode, all devices on the island are hidden behind the Microwall. Only the Microwall is visible in the network; it forwards and monitors the communication.

  • The isolated devices are in a different broadcast domain. ARP requests and other link-level attacks are effectively blocked.

For detailed information on the isolation strategy, see the introductory page.

Last modified on Wednesday, 15 May 2019 01:40
