
Intrusion Detection FAQ: What is nmap and what can it do?

(This was taken from a report done by the Shadow Intrusion Detection team and released to the public domain by NSWC Dahlgren - Author John Green)

Summary

Nmap was the source of the strange new scan patterns that started being detected by the SHADOW ID Systems located throughout the Internet.

The reported traffic varies from incident to incident. However, it can generally be categorized into two distinct groups.

The first group is denoted as the "random scan" category. This scan’s signature is characterized by SYN packets sent to apparently random destination (or service) ports over some discrete range of values. At the end of these scans we typically see several packets to high numbered tcp and udp ports, followed by a small number of packets to a common destination port. (See Figure 1)

The second class of traffic is called (for the lack of a better term) "exploits plus". Although the signature of these probes can vary with respect to the service ports accessed, the basic characteristics closely resemble the random scan discussed above. The primary difference is the exclusion of random destination ports in favor of well-known (and highly exploited) service ports. (See Figure 4)

Details, Details… The "Random Scan"

Let’s take a closer look at a real-life example from the "random scan" category. This sanitized excerpt was taken from an actual incident report that was filed by the Army Research Laboratory - Adelphi Md.

Timestamp Source >
Destination Flag Sequence Numbers Window size

18:42:25.241999 hostile.org.42558 >
victim.mil.688: S 3596953827:3596953827(0) win 4096
18:42:25.251999 hostile.org.42558 >
victim.mil.451: S 3596953827:3596953827(0) win 4096
18:42:25.481999 hostile.org.42558 >
victim.mil.185: S 3596953827:3596953827(0) win 4096
18:42:25.491999 hostile.org.42558 >
victim.mil.41: S 3596953827:3596953827(0) win 4096
18:42:25.651999 hostile.org.42558 >
victim.mil.721: S 3596953827:3596953827(0) win 4096
18:42:25.661999 hostile.org.42558 >
victim.mil.122: S 3596953827:3596953827(0) win 4096
18:42:25.681999 hostile.org.42558 >
victim.mil.883: S 3596953827:3596953827(0) win 4096
18:42:25.681999 hostile.org.42558 >
victim.mil.567: S 3596953827:3596953827(0) win 4096
18:42:25.731999 hostile.org.42558 >
victim.mil.331: S 3596953827:3596953827(0) win 4096
18:42:25.731999 hostile.org.42558 >
victim.mil.880: S 3596953827:3596953827(0) win 4096
18:42:25.731999 hostile.org.42558 >
victim.mil.752: S 3596953827:3596953827(0) win 4096
18:42:25.741999 hostile.org.42558 >
victim.mil.358: S 3596953827:3596953827(0) win 4096
18:42:25.741999 hostile.org.42558 >
victim.mil.957: S 3596953827:3596953827(0) win 4096
18:42:25.751999 hostile.org.42558 >
victim.mil.206: S 3596953827:3596953827(0) win 4096
18:42:25.751999 hostile.org.42558 >
victim.mil.248: S 3596953827:3596953827(0) win 4096
18:42:25.761999 hostile.org.42558 >
victim.mil.208: S 3596953827:3596953827(0) win 4096
18:42:25.771999 hostile.org.42558 >
victim.mil.300: S 3596953827:3596953827(0) win 4096
18:42:25.791999 hostile.org.42558 >
victim.mil.999: S 3596953827:3596953827(0) win 4096
18:42:25.951999 hostile.org.42558 >
victim.mil.354: S 3596953827:3596953827(0) win 4096
18:42:25.951999 hostile.org.42558 >
victim.mil.376: S 3596953827:3596953827(0) win 4096
18:42:25.951999 hostile.org.42558 >
victim.mil.618: S 3596953827:3596953827(0) win 4096
18:42:25.881999 hostile.org.42558 >
victim.mil.24: S 3596953827:3596953827(0) win 4096
18:42:26.151999 hostile.org.42558 >
victim.mil.741: S 3596953827:3596953827(0) win 4096
18:42:26.151999 hostile.org.42558 >
victim.mil.165: S 3596953827:3596953827(0) win 4096
18:42:26.151999 hostile.org.42567 >
victim.mil.13: SFP 1769772146:1769772146(0) win 4096 urg 0
18:42:26.151999 hostile.org.42558 >
victim.mil.33119: udp 300
18:42:26.151999 hostile.org.42558 >
victim.mil.33119: udp 300
18:42:26.171999 hostile.org.42564 >
victim.mil.13: S 1884246333:1884246333(0) win 4096
18:42:26.171999 hostile.org.42563 >
victim.mil.13: S 1884246332:1884246332(0) win 4096
18:42:26.171999 hostile.org.42562 >
victim.mil.13: S 1884246331:1884246331(0) win 4096
18:42:26.221999 hostile.org.42561 >
victim.mil.13: S 1884246330:1884246330(0) win 4096
18:42:26.221999 hostile.org.42560 >
victim.mil.13: S 1884246329:1884246329(0) win 4096


(Figure 1. Example "Random Scan")

Author’s note: The traffic examples throughout this paper have been beautified in an attempt to isolate the signatures created by nmap. Therefore, the packets sent by nmap have been retained, while responses from the victim hosts have been removed. In addition, responses from the hostile system (i.e. RSTs sent in response to SYN/ACKs from the victim) have also been removed for the sake of signature clarity.

A quick analysis of the traffic can yield some important clues that can be helpful in determining what might have caused it. For example, the timestamp fields of this scan reveal that it was automated. They also indicate that the host "victim.mil" was not part of a larger parallel scan by "hostile.org". A review of the ports used in this scan shows a fixed source port of 42558 with some minor deviations at the end. The destination ports that were accessed seem to have a random distribution, again showing some variation at the end of the activity. The variation consists of a packet with the SYN/FIN/PUSH flags set, followed by udp datagrams destined for high-numbered ports. The scan concludes by sending several more SYN packets to a fixed destination port (in this case, port 13).

A New Version of Nmap

The prominent features of the scan discussed in the previous section indicate an automated process for constructing packets and scanning a target host with them. We can infer from the widespread incident reporting that the agent is a tool that is readily available to the hacker community.

The obvious way to begin testing this theory is by looking for scan tools that produce a similar signature. The question is "What is the tool and what exactly is it doing?" A search of the exploit archives reveals a release of "Nmap V2.02" in late December of 1998. The next step in the discovery process is to use nmap to perform a test on a limited number of ports for a particular machine. Given the appropriate set of arguments, the resulting pattern (Figure 2, below) correlates beautifully with the real scan seen in Figure 1.

Timestamp Source
Destination Flag Sequence Numbers Window size

01:41:25.180240 nmap.mil.54548 >
victim.mil.24: S 1301162276:1301162276(0) win 1024
01:41:25.180274 nmap.mil.54548 >
victim.mil.12: S 1301162276:1301162276(0) win 1024
01:41:25.180305 nmap.mil.54548 >
victim.mil.1: S 1301162276:1301162276(0) win 1024
01:41:25.180336 nmap.mil.54548 >
victim.mil.25: S 1301162276:1301162276(0) win 1024
01:41:25.180380 nmap.mil.54548 >
victim.mil.11: S 1301162276:1301162276(0) win 1024
01:41:25.180411 nmap.mil.54548 >
victim.mil.10: S 1301162276:1301162276(0) win 1024
01:41:25.180455 nmap.mil.54548 >
victim.mil.16: S 1301162276:1301162276(0) win 1024
01:41:25.180499 nmap.mil.54548 >
victim.mil.4: S 1301162276:1301162276(0) win 1024
01:41:25.180942 nmap.mil.54548 >
victim.mil.21: S 1301162276:1301162276(0) win 1024
01:41:25.180977 nmap.mil.54548 >
victim.mil.6: S 1301162276:1301162276(0) win 1024
01:41:25.181007 nmap.mil.54548 >
victim.mil.7: S 1301162276:1301162276(0) win 1024
01:41:25.183345 nmap.mil.54548 >
victim.mil.17: S 1301162276:1301162276(0) win 1024
01:41:25.183375 nmap.mil.54548 >
victim.mil.15: S 1301162276:1301162276(0) win 1024
01:41:25.183420 nmap.mil.54548 >
victim.mil.23: S 1301162276:1301162276(0) win 1024
01:41:25.183461 nmap.mil.54548 >
victim.mil.3: S 1301162276:1301162276(0) win 1024
01:41:25.183834 nmap.mil.54548 >
victim.mil.8: S 1301162276:1301162276(0) win 1024
01:41:25.183867 nmap.mil.54548 >
victim.mil.20: S 1301162276:1301162276(0) win 1024
01:41:25.184060 nmap.mil.54548 >
victim.mil.18: S 1301162276:1301162276(0) win 1024
01:41:25.184091 nmap.mil.54548 >
victim.mil.22: S 1301162276:1301162276(0) win 1024
01:41:25.184122 nmap.mil.54548 >
victim.mil.19: S 1301162276:1301162276(0) win 1024
01:41:25.184165 nmap.mil.54548 >
victim.mil.9: S 1301162276:1301162276(0) win 1024
01:41:25.184195 nmap.mil.54548 >
victim.mil.5: S 1301162276:1301162276(0) win 1024
01:41:25.184239 nmap.mil.54548 >
victim.mil.13: S 1301162276:1301162276(0) win 1024
01:41:25.184281 nmap.mil.54548 >
victim.mil.2: S 1301162276:1301162276(0) win 1024
01:41:25.184324 nmap.mil.54548 >
victim.mil.14: S 1301162276:1301162276(0) win 1024
01:41:25.187237 nmap.mil.54555 >
victim.mil.1: S 1815095948:1815095948(0) win 1024
01:41:25.187310 nmap.mil.54557 >
victim.mil.1: SFP 1815095948:1815095948(0) win 1024
01:41:25.187388 nmap.mil.54559 >
victim.mil.40289: S 1815095948:1815095948(0) win 1024
01:41:25.188223 nmap.mil.54548 >
victim.mil.40289: udp 300
01:41:25.402977 nmap.mil.54549 >
victim.mil.1: S 1815095949:1815095949(0) win 1024
01:41:25.413377 nmap.mil.54550 >
victim.mil.1: S 1815095950:1815095950(0) win 1024
01:41:25.433429 nmap.mil.54551 >
victim.mil.1: S 1815095951:1815095951(0) win 1024
01:41:25.453555 nmap.mil.54552 >
victim.mil.1: S 1815095952:1815095952(0) win 1024
01:41:25.473427 nmap.mil.54553 >
victim.mil.1: S 1815095953:1815095953(0) win 1024
01:41:25.493411 nmap.mil.54554 >
victim.mil.1: S 1815095954:1815095954(0) win 1024


(Figure 2. Tcpdump output of nmap test run)

As indicated above, only the correct set of arguments produces this signature. In an effort to answer the question "What’s going on here?", I will explain the pertinent arguments used to generate this signature. Of course, other command line arguments will produce varied, and in some cases, completely different signatures.

commandline_prompt> ./nmap -v -sS -P0 -O -p1-25 victim.mil


The -sS argument tells nmap to use a SYN half-open stealth scan. The -P0 argument tells nmap not to ping the destination host. Perhaps the most crucial argument in this example is the -O option. This activates the TCP/IP fingerprinting routines that try to guess what operating system and version the victim host is running. This operating system identification is responsible for the strange (even by nmap standards) signature at the end of the scan. Finally, the -p1-25 tells nmap to use destination ports one through twenty-five.

Nmap provides a surprising amount of information (using -v for verbose) about the targeted host. Below are the results from the test run of nmap seen in Figure 2.

Starting nmap V. 2.02 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Initiating SYN half-open stealth scan against victim.mil (xxx.xxx.xxx.xxx)
Adding TCP port 9 (state Open).
Adding TCP port 1 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 22 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 23 (state Open).
The SYN scan took 0 seconds to scan 25 ports.
For OSScan assuming that port 1 is open and port 35401
is closed and neither are firewalled

Interesting ports on victim.mil (xxx.xxx.xxx.xxx):
Port State Protocol Service
1    open   tcp     tcpmux
7    open   tcp     echo
9    open   tcp     discard
13   open   tcp     daytime
19   open   tcp     chargen
21   open   tcp     ftp
22   open   tcp     unknown
23   open   tcp     telnet
25   open   tcp     smtp

TCP Sequence Prediction: Class=64K rule
Difficulty=1 (Trivial joke)
Sequence numbers: 584D7800 584E7200 584F6C00 58506600
58516000 58525A00
Remote operating system guess: IRIX 6.2 - 6.5
OS Fingerprint:
TSeq(Class=64K)
T1(Resp=Y%DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=
148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up)
scanned in 0 seconds

(Figure 3. Nmap output)

The output of an Nmap scan provides crucial information to the hacker. First, it provides a list of services that are active on the remote host. Second, by sending invalid tcp packets, nmap performs a TCP stack analysis of the remote system. Since these anomalous packets are not covered by the RFCs, each operating system handles them differently. Nmap compares the responses to these packets against an internal database and provides a ‘best guess’ as to the operating system and version number running there. This combination allows the hacker to target the specific vulnerabilities on a given host, providing a higher success rate and a much lower attack signature. Finally, Nmap tells the user how difficult tcp sequence number prediction is for the remote host. This information can be used to target hosts that have a high potential for session hijacking. Such measures might be employed when a remote system has no vulnerable services running, or when it is shielded behind a firewall.

Details, Details... The “Exploits Plus Scan”

As mentioned earlier, SHADOW sensors have detected another scan that appears to be a variation of the random scan detailed above. This scan probes commonly exploited service ports and concludes with the signature of the fingerprinting process. Figure 4 is also a sanitized excerpt from a real incident reported by the SHADOW Team at NSWC, Dahlgren.

Timestamp Source >
Destination Flag Sequence Numbers Window size

01:07:37.870000 hostile.org.23035 >
victim.mil.12345: S 2443641632:2443641632(0) win 512
01:07:37.870000 hostile.org.23053 >
victim.mil.143: S 1849709624:1849709624(0) win 512
01:07:37.870000 hostile.org.23112 >
victim.mil.635: S 1979681472:1979681472(0) win 512
01:07:37.880000 hostile.org.23174 >
victim.mil.53: S 2831594802:2831594802(0) win 512
01:07:37.880000 hostile.org.23225 >
victim.mil.31337: S 200714632:200714632(0) win 512
01:07:38.160000 hostile.org.23243 >
victim.mil.143: S 4224441585:4224441585(0) win 512
01:07:38.160000 hostile.org.23302 >
victim.mil.635: S 3131164300:3131164300(0) win 512
01:07:38.160000 hostile.org.23353 >
victim.mil.53: S 27440843:27440843(0) win 512
01:07:38.460000 hostile.org.23366 >
victim.mil.143: S 2018442450:2018442450(0) win 512
01:07:38.460000 hostile.org.23417 >
victim.mil.635: S 3598088389:3598088389(0) win 512
01:07:38.460000 hostile.org.23430 >
victim.mil.53: S 3603076159:3603076159(0) win 512
01:07:38.790000 hostile.org.23479 >
victim.mil.53: S 942548711:942548711(0) win 512
01:07:38.790000 hostile.org.23497 >
victim.mil.635: S 1558966803:1558966803(0) win 512
01:07:38.800000 hostile.org.23559 >
victim.mil.143: S 1627652454:1627652454(0) win 512
01:07:39.090000 hostile.org.23608 >
victim.mil.53: S 2308481275:2308481275(0) win 512
01:07:39.090000 hostile.org.23610 >
victim.mil.635: S 375730554:375730554(0) win 512
01:07:39.090000 hostile.org.23614 >
victim.mil.143: S 2363444754:2363444754(0) win 512
01:07:39.390000 hostile.org.23623 >
victim.mil.53: S 2983142263:2983142263(0) win 512
01:07:39.390000 hostile.org.23672 >
victim.mil.635: S 2931404189:2931404189(0) win 512
01:07:39.390000 hostile.org.23674 >
victim.mil.143: S 30889188:30889188(0) win 512
01:07:39.720000 hostile.org.35959 >
victim.mil.42721: S 2995015889:2995015889(0) win 4096
01:07:39.730000 hostile.org.35961 >
victim.mil.42721: FP 2995015889:2995015889(0) win 4096 urg 0
01:07:39.730000 hostile.org.35948 >
victim.mil.42721: udp 300
01:07:40.150000 hostile.org.35948 >
victim.mil.42721: udp 300
01:07:42.590000 hostile.org.35959 >
victim.mil.33621: S 495516404:495516404(0) win 4096
01:07:42.590000 hostile.org.35961 >
victim.mil.33621: FP 495516404:495516404(0) win 4096 urg 0
01:07:42.600000 hostile.org.35948 >
victim.mil.33621: udp 300
01:07:43.060000 hostile.org.35948 >
victim.mil.33621: udp 300
01:07:45.340000 hostile.org.35959 >
victim.mil.41663: S 1550032560:1550032560(0) win 4096
01:07:45.340000 hostile.org.35961 >
victim.mil.41663: FP 1550032560:1550032560(0) win 4096 urg 0
01:07:45.350000 hostile.org.35948 >
victim.mil.41663: udp 300
01:07:45.910000 hostile.org.35948 >
victim.mil.41663: udp 300

(Figure 4. Example "Exploits Plus" Scan)

At first glance, this attack bears only a minor resemblance to the random scan activity. Examining the pertinent features of this probe, one might notice several distinctions. First, exploits plus employs random (within a range) source ports. Second, as its name implies, this scan focuses on service ports with well-known vulnerabilities. Third, the sequence numbers appear more realistic, as compared to those in the random scan. Finally, the end of the scan appears to be three separate OS fingerprinting attempts.

One might be inclined to think that this is the result of a second tool. However, by coding a simple shell script with multiple calls to nmap, this signature can be easily duplicated as shown in the following script:

#!/bin/sh
nmap -v -sS -P0 -p12345 victim.mil & # SYN half-open stealth probe for netbus
nmap -v -sS -P0 -p143 victim.mil & # SYN half-open stealth probe for imap
nmap -v -sS -P0 -p635 victim.mil & # SYN half-open stealth probe for linux mountd
nmap -v -sS -P0 -p53 victim.mil & # SYN half-open stealth probe for domain
nmap -v -sS -P0 -p31337 victim.mil & # SYN half-open stealth probe for back orifice
nmap -v -sS -P0 -p143 victim.mil &
nmap -v -sS -P0 -p635 victim.mil &
nmap -v -sS -P0 -p53 victim.mil &
nmap -v -sS -P0 -p143 victim.mil &
nmap -v -sS -P0 -p635 victim.mil &
nmap -v -sS -P0 -p53 victim.mil &
nmap -v -sS -P0 -p53 victim.mil &
nmap -v -sS -P0 -p635 victim.mil &
nmap -v -sS -P0 -p143 victim.mil &
nmap -v -sS -P0 -p53 victim.mil &
nmap -v -sS -P0 -p635 victim.mil &
nmap -v -sS -P0 -O -p143 victim.mil & # SYN half-open probe for imap PLUS OS fingerprinting

When this script is run, tcpdump shows the resulting network traffic. This matches the detected probe.

Timestamp Source 
Destination Flag Sequence Numbers Window size

03:50:28.255696 nmap.mil.58893 >
victim.mil.12345: S 3529719230:3529719230(0) win 4096
03:50:28.255696 nmap.mil.45313 >
victim.mil.635: S 1289452862:1289452862(0) win 4096
03:50:28.255696 nmap.mil.40444 >
victim.mil.143: S 1053163340:1053163340(0) win 4096
03:50:28.265696 nmap.mil.37458 >
victim.mil.53: S 2174813682:2174813682(0) win 4096
03:50:28.285696 nmap.mil.45830 >
victim.mil.143: S 1208327640:1208327640(0) win 4096
03:50:28.295696 nmap.mil.46840 >
victim.mil.53: S 2484113855:2484113855(0) win 4096
03:50:28.295696 nmap.mil.33736 >
victim.mil.31337: S 3316743593:3316743593(0) win 4096
03:50:28.305696 nmap.mil.43105 >
victim.mil.143: S 2743618682:2743618682(0) win 4096
03:50:28.315696 nmap.mil.42914 >
victim.mil.635: S 2564506522:2564506522(0) win 4096
03:50:28.335696 nmap.mil.43127 >
victim.mil.635: S 2522641932:2522641932(0) win 4096
03:50:28.345696 nmap.mil.45102 >
victim.mil.53: S 2127702081:2127702081(0) win 4096
03:50:28.375696 nmap.mil.54256 >
victim.mil.53: S 3126700193:3126700193(0) win 4096
03:50:28.375696 nmap.mil.42342 >
victim.mil.635: S 3932342401:3932342401(0) win 4096
03:50:28.395696 nmap.mil.60042 >
victim.mil.143: S 1863130126:1863130126(0) win 4096
03:50:28.415696 nmap.mil.53612 >
victim.mil.53: S 3665870250:3665870250(0) win 4096
03:50:28.425696 nmap.mil.44699 >
victim.mil.635: S 1882012961:1882012961(0) win 4096
03:50:28.465696 nmap.mil.63497 >
victim.mil.143: S 2634475111:2634475111(0) win 4096
03:50:28.465696 nmap.mil.63508 >
victim.mil.31576: S 3872554032:3872554032(0) win 4096
03:50:28.465696 nmap.mil.63510 >
victim.mil.31576: FP 3872554032:3872554032(0) win 4096 urg 0
03:50:28.465696 nmap.mil.63497 >
victim.mil.31576: udp 300
03:50:30.685696 nmap.mil.63508 >
victim.mil.31181: S 229752757:229752757(0) win 4096
03:50:30.685696 nmap.mil.63510 >
victim.mil.31181: FP 229752757:229752757(0) win 4096 urg 0
03:50:30.685696 nmap.mil.63497 >
victim.mil.31181: udp 300
03:50:32.905696 nmap.mil.63508 >
victim.mil.30523: S 1585272933:1585272933(0) win 4096
03:50:32.905696 nmap.mil.63510 >
victim.mil.30523: FP 1585272933:1585272933(0) win 4096 urg 0
03:50:32.905696 nmap.mil.63497 >
victim.mil.30523: udp 300

(Figure 5. Tcpdump output of the scripted nmap run)

A quick look at the output from the nmap script reveals some interesting tidbits that help us to understand the resulting network traffic. In the script, each call to nmap (except the last one) generates a block of output as shown below:

Starting nmap V. 2.02 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Initiating SYN half-open stealth scan against victim.mil (xxx.xxx.xxx.xxx)
The SYN scan took 0 seconds to scan 1 ports.
No ports open for host victim.mil (xxx.xxx.xxx.xxx)
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

This tells us that none of the services that we are looking for are running on this machine. In contrast, the output from the last call to nmap produces the following output.

Starting nmap V. 2.02 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Initiating SYN half-open stealth scan against victim.mil (xxx.xxx.xxx.xxx)
The SYN scan took 0 seconds to scan 1 ports.
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
No ports open for host victim.mil (xxx.xxx.xxx.xxx)
No OS matches for this host. TCP fingerprints:
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

What we discover is that nmap is unable to find the specified port open. It tries three times to find an open tcp/udp port for the purposes of fingerprinting the operating system. This is the activity responsible for the three fingerprinting signatures at the end of the scan. Finally, the fingerprinting attempt fails, reporting that it was unable to identify the operating system.

If the host had been running the imap service on port 143, the signature of the scan would have been slightly different, as shown below. For the sake of brevity, we will only show the output for a successful fingerprint attempt.

04:49:24.845696 nmap.mil.47997 > 
victim.mil.143: S 1746270164:1746270164(0) win 4096
04:49:24.845696 nmap.mil.48004 >
victim.mil.143: S 904899788:904899788(0) win 4096
04:49:24.845696 nmap.mil.48006 >
victim.mil.143: SFP 904899788:904899788(0) win 4096 urg 0
04:49:24.845696 nmap.mil.48008 >
victim.mil.34691: S 904899788:904899788(0) win 4096
04:49:24.845696 nmap.mil.48010 >
victim.mil.34691: FP 904899788:904899788(0) win 4096 urg 0
04:49:24.845696 nmap.mil.47997 >
victim.mil.34691: udp 300
04:49:25.095696 nmap.mil.47998 >
victim.mil.143: S 904899789:904899789(0) win 4096
04:49:25.115696 nmap.mil.47999 >
victim.mil.143: S 904899790:904899790(0) win 4096
04:49:25.135696 nmap.mil.48000 >
victim.mil.143: S 904899791:904899791(0) win 4096
04:49:25.155696 nmap.mil.48001 >
victim.mil.143: S 904899792:904899792(0) win 4096
04:49:25.175696 nmap.mil.48002 >
victim.mil.143: S 904899793:904899793(0) win 4096
04:49:25.195696 nmap.mil.48003 >
victim.mil.143: S 904899794:904899794(0) win 4096

In this case, the final output of the nmap script shows the following:

Starting nmap V. 2.02 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Initiating SYN half-open stealth scan against victim.mil (xxx.xxx.xxx.xxx)
Adding TCP port 143 (state Open).
The SYN scan took 0 seconds to scan 1 ports.
For OSScan assuming that port 143 is open and
port 32159 is closed and neither are firewalled
Interesting ports victim.mil (xxx.xxx.xxx.xxx):

Port State Protocol Service
143  open   tcp      imap

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Sequence numbers: 8EE8EDC6 6A9E9A8B DA6DB46D 5D9366 CFE64AAB 4822733B
Remote operating system guess: Linux 2.0.35-36
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
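The traits picked out in the analysis of Figure 1 (fixed source port and repeated ISN during the SYN scan, a SYN/FIN/PUSH probe to an open port, 300-byte udp datagrams to a high port, a closing burst of SYNs with consecutive ISNs) and in the discussion of the three closed-port retries behind Figure 4 can be checked mechanically. The following Python script is an added example, not part of the original report or of nmap itself: it parses tcpdump text in the wrapped layout used in the figures and, per source/destination pair, reports whether the trailer looks like a fingerprint that found an open port or the repeated closed-port retries. The thresholds (four consecutive ISNs, two or more distinct udp probe ports) are assumptions chosen to fit the figures, and the embedded samples are abridged from Figures 1 and 4 above.

```python
import re
from collections import Counter, defaultdict

# One tcpdump record (wrapped lines are re-joined first), TCP or UDP form.
PKT_RE = re.compile(
    r"\d\d:\d\d:\d\d\.\d+\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+"
    r"(?:udp\s+(?P<ulen>\d+)|(?P<flags>[SFPRA.]+)\s+(?P<seq>\d+):\d+\(\d+\)\s+win\s+\d+)")

def parse_tcpdump(text):
    """Parse tcpdump text into packet dicts; lines wrapped after '>' are tolerated."""
    flat = " ".join(line.strip() for line in text.splitlines())
    return [{"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
             "dport": int(m["dport"]), "ulen": int(m["ulen"] or 0),
             "flags": m["flags"] or "", "seq": int(m["seq"] or 0)}
            for m in PKT_RE.finditer(flat)]

def longest_isn_run(seqs):
    """Longest run of ISNs increasing by exactly 1 (nmap's TCP sequence test)."""
    seqs = sorted(set(seqs))
    best = run = 1 if seqs else 0
    for a, b in zip(seqs, seqs[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def analyse(packets):
    """Summarise nmap 2.02 SYN-scan and OS-fingerprint traits per (src, dst) pair."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"])].append(p)
    report = {}
    for key, pk in flows.items():
        syn = [p for p in pk if p["flags"] == "S"]
        sfp_ports = sorted({p["dport"] for p in pk if p["flags"] == "SFP"})  # open-port probe
        fp_ports = sorted({p["dport"] for p in pk if p["flags"] == "FP"})    # closed-port probe
        # PU test: a 300-byte UDP datagram to a port believed closed; every retry
        # picks a fresh high port, so distinct ports count the fingerprint attempts
        pu_ports = sorted({p["dport"] for p in pk if p["ulen"] == 300})
        # the plain SYN scan reuses one source port and one ISN for every probe
        reuse = Counter((p["sport"], p["seq"]) for p in syn).most_common(1)
        per_port = defaultdict(list)
        for p in syn:
            per_port[p["dport"]].append(p["seq"])
        isn_run = max((longest_isn_run(s) for s in per_port.values()), default=0)
        if sfp_ports and isn_run >= 4:
            verdict = "fingerprint against an open port (sequence test ran)"
        elif len(pu_ports) >= 2 and not sfp_ports:
            verdict = "fingerprint retried against closed ports only (no open port)"
        elif pu_ports or sfp_ports or fp_ports:
            verdict = "partial fingerprint signature"
        else:
            verdict = "no fingerprint signature"
        report[key] = {"fixed_sport_isn_syns": reuse[0][1] if reuse else 0,
                       "sfp_ports": sfp_ports, "fp_ports": fp_ports, "pu_ports": pu_ports,
                       "attempts": len(pu_ports), "isn_run": isn_run, "verdict": verdict}
    return report

# Abridged from Figure 1 in the text (random scan; port 13 turned out to be open).
FIGURE1 = """18:42:25.241999 hostile.org.42558 > victim.mil.688: S 3596953827:3596953827(0) win 4096
18:42:25.251999 hostile.org.42558 > victim.mil.451: S 3596953827:3596953827(0) win 4096
18:42:26.151999 hostile.org.42567 >
victim.mil.13: SFP 1769772146:1769772146(0) win 4096 urg 0
18:42:26.151999 hostile.org.42558 > victim.mil.33119: udp 300
18:42:26.171999 hostile.org.42564 > victim.mil.13: S 1884246333:1884246333(0) win 4096
18:42:26.171999 hostile.org.42563 > victim.mil.13: S 1884246332:1884246332(0) win 4096
18:42:26.171999 hostile.org.42562 > victim.mil.13: S 1884246331:1884246331(0) win 4096
18:42:26.221999 hostile.org.42561 > victim.mil.13: S 1884246330:1884246330(0) win 4096"""

# Abridged from Figure 4 in the text (exploits plus; no open port was found).
FIGURE4 = """01:07:37.870000 hostile.org.23035 > victim.mil.12345: S 2443641632:2443641632(0) win 512
01:07:39.720000 hostile.org.35959 > victim.mil.42721: S 2995015889:2995015889(0) win 4096
01:07:39.730000 hostile.org.35961 > victim.mil.42721: FP 2995015889:2995015889(0) win 4096 urg 0
01:07:39.730000 hostile.org.35948 > victim.mil.42721: udp 300
01:07:42.590000 hostile.org.35959 > victim.mil.33621: S 495516404:495516404(0) win 4096
01:07:42.590000 hostile.org.35961 > victim.mil.33621: FP 495516404:495516404(0) win 4096 urg 0
01:07:42.600000 hostile.org.35948 > victim.mil.33621: udp 300
01:07:45.340000 hostile.org.35959 > victim.mil.41663: S 1550032560:1550032560(0) win 4096
01:07:45.340000 hostile.org.35961 > victim.mil.41663: FP 1550032560:1550032560(0) win 4096 urg 0
01:07:45.350000 hostile.org.35948 > victim.mil.41663: udp 300"""

if __name__ == "__main__":
    for text in (FIGURE1, FIGURE4):
        print(analyse(parse_tcpdump(text)))
```

Responses from the victim are absent from the figures, so the script judges only the probing side; on a live capture the same parser would also see the SYN/ACKs and RSTs the author stripped out.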

Conclusions

Nmap is a powerful tool that is capable of generating a multitude of signatures depending on how it is used. However, if we understand the operation of the tool in general, it is easier to recognize its overall signature in network traffic. By dissecting the signature into sub-patterns, one can differentiate between fingerprinting attempts that were successful and those that were not. It is important to understand that we have examined only one of the scan types that nmap can perform, the SYN half-open stealth scan. Several other scans are supported by Nmap: Tcp connect, FIN, Xmas, NULL, udp, ping, and even ftp-bounce. Expect to see these in the near future!

The intelligence that can be garnered by using nmap is extensive. It provides all the information that is needed for a well-informed, full-fledged, precisely targeted assault on a network. Such an attack would have a high probability of success, and would likely go unnoticed by organizations that lack intrusion detection capabilities.

Advisory


Now that we understand what is causing the recently detected traffic patterns, we should avoid becoming complacent. I’ve often heard "That’s just a reset scan" or "It’s only an icmp mapping attempt, what’s the harm?". Psychological operations, subterfuge, and decoy mechanisms are both prevalent and effective modern warfare methods. Information warfare is no different. The network analyst should always assume that there is more to an incident than meets the eye.

SHADOW has some evidence that this might indeed be the case in this latest round of scans. There are known overt organized efforts underway to create a detailed database of all Internet hosts. Why shouldn’t there be underground ones? Nmap provides many of the tools to make this possible and fairly easy.

In the past the cost of storing such a map was prohibitive; this is no longer an issue. Even moderately funded groups could undertake such a venture, given the arrival of 40-gigabyte disk drives that cost less than $2000.

In Figure 4, I showed just a minute fraction of the scan reported by the NSWC SHADOW team. The structure of the actual scan indicates concurrent, cooperating processes. "Process 1" used the ping scan mode of nmap to create a map of hosts that responded to the query from our class B network. About halfway through the ping mapping, another process started scanning only the hosts that replied to the icmp query. This implies that process 1 (the mapping process) was writing a file that process 2 (the scanning process) was reading, simultaneously. This falls under the category of "slick time saving" techniques. So, in a matter of less than ten minutes every machine that would respond to an icmp echo request or tcp ping had been mapped and its operating system fingerprinted.

Many of the responding systems were infrastructure computers. Since this class of computer is fairly static on any given network, hackers are willing to sacrifice an ISP account in order to construct maps that will likely be valid for a long time. These scans should be taken seriously, and should be considered a strong indication and warning of future attacks.

There may still be skeptics who think that the cost or storage required to create such a map is insurmountable. Please take a moment to consider the worst case scenario and "work through the numbers".

Let’s begin by determining how much disk space might be required to store such a map using a non-optimal, brute force method. Ignoring the fact that IANA has set aside "reserved address blocks", there are 255^4 or 4,228,250,625 possible addresses. Each address is a 32-bit representation that can be stored as an integer. So, storing every possible Internet address would require 4 bytes (the integer representation) times the 4,228,250,625 possible addresses. This multiplication yields 16,913,002,500 bytes.

Assume that each of these hosts has an average of 10 tcp and 10 udp services running and can be mapped. If we store these 20 services as short integers (2 bytes each), then the amount of space required would be 16,913,002,500 bytes times 20 services times 2 bytes, or 676,520,100,000 bytes or 645.18 gigabytes. At 40 gigabytes per disk, it would take 645.18 gigabytes divided by 40 gigabytes per disk, or 17 disk drives. Seventeen disk drives times $2000 yields a final cost of $34,000. Presupposing we had a $40,000 budget, this leaves $6000 to buy 4 PCs to house the hard disks.

John Green - Shadow Team Leader NSWC Dahlgren
