Hack Attacks Testing: How to Conduct Your Own Security, part 8 (pptx)
  Directory and file names:
    --prefix=PREFIX         install architecture-independent files in PREFIX [/usr/local]
    --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX [same as prefix]
    --bindir=DIR            user executables in DIR [EPREFIX/bin]
    --sbindir=DIR           system admin executables in DIR [EPREFIX/sbin]
    --libexecdir=DIR        program executables in DIR [EPREFIX/libexec]
    --datadir=DIR           read-only architecture-independent data in DIR [PREFIX/share]
    --sysconfdir=DIR        read-only single-machine data in DIR [PREFIX/etc]
    --sharedstatedir=DIR    modifiable architecture-independent data in DIR [PREFIX/com]
    --localstatedir=DIR     modifiable single-machine data in DIR [PREFIX/var]
    --libdir=DIR            object code libraries in DIR [EPREFIX/lib]
    --includedir=DIR        C header files in DIR [PREFIX/include]
    --oldincludedir=DIR     C header files for non-gcc in DIR [/usr/include]
    --infodir=DIR           info documentation in DIR [PREFIX/info]
    --mandir=DIR            man documentation in DIR [PREFIX/man]
    --srcdir=DIR            find the sources in DIR [configure dir or ..]
    --program-prefix=PREFIX prepend PREFIX to installed program names
    --program-suffix=SUFFIX append SUFFIX to installed program names
    --program-transform-name=PROGRAM
                            run sed PROGRAM on installed program names
  Host type:
    --build=BUILD           configure for building on BUILD [BUILD=HOST]
    --host=HOST             configure for HOST [guessed]
    --target=TARGET         configure for TARGET [TARGET=HOST]
  Features and packages:
    --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
    --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
    --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
    --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
    --x-includes=DIR        X include files are in DIR
    --x-libraries=DIR       X library files are in DIR
  --enable and --with options recognized:
    --with-libpcap[=DIR]    Look for pcap include/libs in DIR
    --with-libnbase=DIR     Look for nbase include/libs in DIR
  [root@NIX1 nmap-2.54BETA34]#

Complete this step by issuing the configure command, shown here:

  # ./configure

NOTE You'll need root privileges to complete the installation. If you've logged in with a user account, simply issue the su command and enter the root password to grant these privileges.

Step 6. Build and install the package by issuing the make command, shown here:

  # make all

NOTE Advanced users can optionally edit the makefile with vi Makefile.

Other Installations

To install the X86/RPM version, use the following syntax:

  rpm -vhU http://download.insecure.org/nmap/dist/nmap-2.53-1.i386.rpm
  rpm -vhU http://download.insecure.org/nmap/dist/nmap-frontend-0.2.53-1.i386.rpm

For Mac OS X Users

Before using some of the tools in this part, one of them being Nmap, you'll have to enable the root account on your Mac OS X operating system. To do so, follow these simple steps:

Step 1. From Finder/Go, click Applications.

Step 2. Click to open the Utilities folder.

Step 3. Click to open the NetInfo Manager application.

Step 4. From the menu, click to select Domain/Security/Authenticate and enter an administrator's name and password in the dialog; then click on the OK button.

Step 5. Select from the menu Domain/Security/Enable Root User.

NOTE You may be required to enter a password for the root user.

Step 6. Modify the path so that some of the scanners can locate Nmap on your Mac OS X system.
The easiest way to view the current path on your system is to issue the $PATH command at the terminal prompt, as shown here:

  [] tiger1% $PATH
  /Users/tiger1/bin/powerpc-apple-darwin:/Users/tiger1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:

You can also see the path, along with other useful information, by issuing the set command.

Among the easiest techniques for temporarily modifying your path to include the locations for Nmap is to issue the set command, as follows:

  set path=($path /Users/your-login-name/nmap-2.54BETA34 /Users/your-login-name/Netscape)

To verify the modification, issue the $PATH command once more, as shown here:

  [] tiger1% $PATH
  /Users/tiger1/bin/powerpc-apple-darwin:/Users/tiger1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/Users/tiger1/nmap-2.54BETA34:/Users/tiger1/Netscape:

NOTE A Mac OS X front end for Nmap known as XNmap is available at www.homepage.mac.com/natritmeyer. According to that site, to enable features that require root privileges using XNmap, follow these steps:

1. Open the terminal and navigate inside xnmap.app to the Resources folder.
2. Type su.
3. Type your root password.
4. Type chown root.wheel nmap.
5. Type chmod u+s nmap.
6. Type exit.

ON THE CD The CD-ROM that accompanies this book contains hands-on simulations of the remaining sections in this chapter. These simulations are found at CDDrive:\Simulations\UNIX\Nmap.

Using Nmap

Let's further explore port scanning using Nmap with the most common probing techniques. With the different combinations of scan types and options, there are countless uses of this product; we'll look at the most popular basic uses here. The following syntax is consistent for both the *NIX and the Windows versions of Nmap:

  nmap V. 2.53 Usage: nmap [Scan Type(s)] [Options] <host or net list>
  Common Scan Types:
    -sT          TCP connect() port scan. The default.
    -sS          TCP SYN stealth port scan. Best all-around TCP scan.
    -sU          UDP port scan.
    -sP          Ping scan. Find any reachable machines.
    -sF,-sX,-sN  Stealth FIN, Xmas, or Null scan. For experts only.
    -sR/-I       RPC/Identd scan. Use with other scan types.
  Common Options (none is required; most can be combined):
    -O           Use TCP/IP fingerprinting to guess remote operating system.
    -p <range>   Ports to scan. Example range: 1-1024,1080,6666,31337.
    -F           Only scans ports listed in nmap-services.
    -v           Verbose. Its use is recommended. Use twice for greater effect.
    -P0          Don't ping hosts (needed to scan www.microsoft.com and others).
    -Ddecoy_host1,decoy2[,...]  Hide scan using many decoys.
    -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>  General timing policy.
    -n/-R        Never do DNS resolution/Always resolve (default: sometimes resolve).
    -oN/-oM <logfile>  Output normal/machine-parseable scan logs to <logfile>.
    -iL <inputfile>    Get targets from file; use '-' for stdin.
    -S <your_IP>/-e <devicename>  Specify source address or network interface.

TCP Scanning

This method is the most basic form of scanning. With it you attempt to open a full TCP connection to each port to determine whether that port is active or listening. We'll use Nmap to perform a typical TCP scan and illustrate this method's output:

  Syntax: nmap -sT -v 192.168.0.48

  Host (192.168.0.48) appears to be up ... good.
  Initiating Connect() Scan against (192.168.0.48)
  Adding TCP port 1032 (state open).
  Adding TCP port 53 (state open).
  Adding TCP port 139 (state open).
  Adding TCP port 135 (state open).
  Adding TCP port 70 (state open).
  Adding TCP port 42 (state open).
  Adding TCP port 81 (state open).
  Adding TCP port 21 (state open).
  The Connect() Scan took 0 seconds to scan 1542 ports.
  Interesting ports on (192.168.0.48):
  (The 1534 ports scanned but not shown below are in state: closed)
  Port       State       Service
  21/tcp     open        ftp
  42/tcp     open        nameserver
  53/tcp     open        domain
  70/tcp     open        gopher
  81/tcp     open        hosts2-ns
  135/tcp    open        loc-srv
  139/tcp    open        netbios-ssn
  1032/tcp   open        iad3

UDP Scanning

Although less complex than TCP scanning, this method is actually much more difficult in practice. Open ports don't have to send an acknowledgment in response to your probe, and closed ports aren't even required to send an error packet. Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a packet to a closed UDP port. Thus you can determine which ports are closed and, by exclusion, which ports are open. The following is a typical UDP scan to illustrate this method's output:

  Syntax: nmap -sU -v 192.168.0.48

  Host (192.168.0.48) appears to be up ... good.
  Initiating UDP Scan against (192.168.0.48)
  The UDP Scan took 4 seconds to scan 1453 ports.
  Interesting ports on (192.168.0.48):
  (The 1448 ports scanned but not shown below are in state: closed)
  Port       State       Service
  42/udp     open        nameserver
  53/udp     open        domain
  135/udp    open        loc-srv
  137/udp    open        netbios-ns
  138/udp    open        netbios-dgm

Half-Open (Stealth) Scanning

This technique is called half-open, or stealth, scanning because it does not require you to open a full TCP connection. You send a SYN packet as if you were going to open a real connection and then wait for a response. A SYN-ACK indicates that the port is listening, whereas an RST response indicates a nonlistener. If a SYN-ACK is received, you immediately send an RST to tear down the connection. The primary advantage of this scanning method is that fewer sites will log it. We'll perform a half-open scan to illustrate this method's output:

  Syntax: nmap -sS -v 192.168.0.48

  Host (192.168.0.48) appears to be up ... good.
  Initiating SYN Stealth Scan against (192.168.0.48)
  Adding TCP port 21 (state open).
  Adding TCP port 81 (state open).
  Adding TCP port 139 (state open).
  Adding TCP port 1032 (state open).
  Adding TCP port 135 (state open).
  Adding TCP port 42 (state open).
  Adding TCP port 70 (state open).
  Adding TCP port 53 (state open).
  The SYN Stealth Scan took 0 seconds to scan 1542 ports.
  Interesting ports on (192.168.0.48):
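The half-open scan above never completes the three-way handshake, so the connection never reaches the listening application and application-level logs miss it; detecting it requires a view of the packets themselves. The following added example (not from the book) reconstructs TCP flows from constructed packet records and flags a source whose probes follow the SYN, SYN-ACK, RST pattern across many ports, separating them from completed connect() handshakes and from RST replies by closed ports. The addresses, the record format and the port threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet records (not a capture from the book). Each tuple is
# (src, dst, service_port, flags); service_port is always the server-side
# port, so a flow is keyed by (client, server, service_port).
# Flags: S = SYN, SA = SYN-ACK, A = ACK, R = RST, RA = RST-ACK, FA = FIN-ACK.
SCANNER, TARGET, CLIENT = "10.0.0.5", "192.168.0.48", "10.0.0.9"   # assumed addresses
OPEN_PORTS = [21, 42, 53, 70, 81, 135, 139, 1032]   # the open ports in the chapter's output

PACKETS = []
for port in OPEN_PORTS:   # -sS pattern: SYN, SYN-ACK from target, RST from scanner
    PACKETS += [(SCANNER, TARGET, port, "S"), (TARGET, SCANNER, port, "SA"),
                (SCANNER, TARGET, port, "R")]
PACKETS += [(SCANNER, TARGET, 23, "S"), (TARGET, SCANNER, 23, "RA")]   # closed port answers RST
PACKETS += [(SCANNER, TARGET, 8080, "S")]                               # probe never answered
PACKETS += [(CLIENT, TARGET, 139, "S"), (TARGET, CLIENT, 139, "SA"),    # ordinary full session
            (CLIENT, TARGET, 139, "A"), (CLIENT, TARGET, 139, "FA")]


def label_flow(seq):
    """Label one flow from its ordered (direction, flags) sequence."""
    if ("server", "RA") in seq:
        return "closed"        # target refused the SYN with RST
    if ("server", "SA") not in seq:
        return "no_response"   # SYN unanswered: filtered, dropped or no host
    if ("client", "A") in seq or ("client", "FA") in seq:
        return "connected"     # handshake completed: connect() scan or real session
    if ("client", "R") in seq:
        return "half_open"     # SYN, SYN-ACK, RST with no ACK: the -sS signature
    return "incomplete"        # SYN-ACK seen, client never answered


def classify_flows(packets):
    """Group packets into flows keyed by (client, server, port) and label each."""
    flows = defaultdict(list)
    for src, dst, port, flags in packets:
        if (src, dst, port) in flows:            # client -> server
            flows[(src, dst, port)].append(("client", flags))
        elif (dst, src, port) in flows:          # server -> client reply
            flows[(dst, src, port)].append(("server", flags))
        elif flags == "S":                       # a SYN opens a new flow
            flows[(src, dst, port)].append(("client", flags))
        # packets with no preceding SYN are ignored
    return {key: label_flow(seq) for key, seq in flows.items()}


def find_half_open_scanners(packets, port_threshold=5):
    """Return {source: half-open (target, port) count} for sources over the threshold."""
    probed = defaultdict(set)
    for (client, server, port), label in classify_flows(packets).items():
        if label == "half_open":
            probed[client].add((server, port))
    return {src: len(pairs) for src, pairs in probed.items()
            if len(pairs) >= port_threshold}


if __name__ == "__main__":
    for key, label in sorted(classify_flows(PACKETS).items()):
        print(key, label)
    print(find_half_open_scanners(PACKETS))   # {'10.0.0.5': 8}
```

The ordinary client on port 139 completes its handshake and is not flagged, which is also why a connect() scan (-sT) shows up in the target's application logs while the half-open scan does not.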

Posted: 14/08/2014, 18:20
