Open Source Tools: Part One (nmap)

Now that we’ve described the concepts of port scanning, enumeration and fingerprinting, it is time to discuss implementing them with open source tools. This article will cover two categories of tools: scanning tools and enumeration tools.

Port scanners accept a target or a range as input, send a query to specified ports, and then create a list of the responses for each port. The most popular scanner is nmap, written by Fyodor and available from the nmap official site (linked below). There are several open source tools for scanning, but Fyodor’s multipurpose tool has become a standard item among penetration testers and network auditors.

Open Source Tools: Using nmap

Before scanning active targets, consider using the ping sweep functionality of nmap with the -sP option. This option will not port scan a target, but will simply report which targets are up. When invoked as root with nmap -sP ip_address, nmap will send both ICMP echo packets and TCP SYN packets to determine if a host is up. However, if you know that ICMP is blocked, and don’t want to send those unnecessary ICMP packets, you can simply modify nmap’s ping type with the -P option. For example, -P0 -PS enables a TCP ping sweep, with -P0 indicating “no ICMP ping” and -PS indicating “use TCP SYN method.” By isolating the scanning method to just one variant, you increase the speed as well. This may not be a major issue when scanning only a handful of systems, but when scanning multiple Class C networks, or even a Class B network, you may need the extra time for other testing.

If nmap can’t see the target, it won’t scan unless the -P0 (do not ping) option is used. Using the -P0 option can create problems, since nmap will scan each of the target’s ports, even if the target isn’t up, which can waste time. To strike a good balance, consider using the -P option to select another type of ping behavior. For example, the -PP option will use ICMP timestamp requests, and the -PM option will use ICMP netmask requests. Before you perform a full sweep of a network range, it might be useful to do a few limited tests on known IP addresses, such as web servers, DNS, and so on, so you can streamline your ping sweeps and reduce the number of total packets sent and the time taken for the scan.

Capturing the results of the scan is extremely important, as you will be referring to this information later in the testing process. The easiest way to capture all the needed information is to use the -oA flag, which outputs scan results in three different formats simultaneously: plain text (file extension .nmap), greppable text (.gnmap), and XML (.xml). The gnmap format is especially important to note, because if you need to stop a scan and resume it later, nmap will require this file to continue by using the --resume switch.
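As an added example (not part of the original article), here is a small Python parser for the greppable .gnmap output that -oA produces, so the saved results can be queried later in the test without re-running the scan. The sample .gnmap text is constructed for this example rather than captured from a real scan; it follows the layout nmap writes, with tab-separated fields and one port entry per port/state/protocol/owner/service/rpcinfo/version/ group.

```python
import re

# Constructed sample of nmap greppable output; not a real scan.
SAMPLE_GNMAP = (
    "# Nmap 5.21 scan initiated (constructed sample) as: nmap -sS -oA lab 192.168.1.0/29\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, "
    "80/open/tcp//http//lighttpd 1.4/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 192.168.1.2 ()\tStatus: Up\n"
    "Host: 192.168.1.2 ()\tPorts: 25/open/tcp//smtp?///, 111/open/tcp//rpcbind//2 (rpc #100000)/"
    "\tIgnored State: closed (998)\n"
    "Host: 192.168.1.3 ()\tStatus: Down\n"
    "# Nmap done (constructed sample) -- 8 IP addresses (2 hosts up) scanned in 3.21 seconds\n"
)

# One port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/(.*)/$")


def parse_gnmap(text):
    """Return {ip: {"status": str, "ports": [port dicts]}} from .gnmap text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines ("# Nmap ...") carry no host data
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"status": "Unknown", "ports": []})
        for field in fields[1:]:
            if field.startswith("Status: "):
                entry["status"] = field[len("Status: "):]
            elif field.startswith("Ports: "):
                for raw in field[len("Ports: "):].split(", "):
                    m = PORT_ENTRY.match(raw.strip())
                    if not m:
                        continue  # skip anything that is not a well-formed entry
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    entry["ports"].append({
                        "port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version,
                    })
            # "Ignored State: ..." and other fields are not needed here
    return hosts


def hosts_up(hosts):
    """IPs that nmap reported as Up, the same list a -sP sweep gives you."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == "Up")


def open_ports(hosts, ip):
    """(port, proto, service) for every open port on one host."""
    return [(p["port"], p["proto"], p["service"])
            for p in hosts[ip]["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip in hosts_up(scan):
        print(ip, open_ports(scan, ip))
```

Because --resume reads the same .gnmap file, keeping it (rather than only the .nmap text) both lets you restart an interrupted scan and gives you a machine-readable record for the enumeration phase.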

In the next article, we will continue our look at open source tools by covering some of nmap’s various options.

External Links:

nmap official site – features nmap news and several open source tools, including security tools

Port Enumeration and Fingerprinting

Port Enumeration

Port enumeration is based on the ability to gather information from an open port, by either straightforward banner grabbing when connecting to an open port, or by inference from the construction of a returned packet. There is not much true magic here, as services are supposed to respond in a predictable manner.

Once the open ports are captured, by running a port scanner such as nmap, you need to be able to verify what is running on said ports and thus move one step closer to completing port enumeration. For example, you might assume SMTP is running on TCP port 25, but perhaps the system administrator is trying to obfuscate the service, and is running telnet on that port instead. The easiest way to check the status of a port is a banner grab. Upon connecting to a service, the target’s response is captured and compared to a list of known services, such as the response when connecting to an OpenSSH server.

Some services are wrapped in other frameworks, such as Remote Procedure Call (RPC). On UNIX-like systems, an open TCP port 111 indicates this. UNIX-style RPC can be queried with the rpcinfo command, or a scanner can send NULL commands on the various RPC-bound ports to enumerate what functions a particular RPC service performs.
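To make the banner-grab check concrete, here is an added Python example (not from the original article) that classifies a captured banner and compares it with the service the port number would suggest, which is exactly how the telnet-on-port-25 case above would be caught. The banners are constructed samples; the expected-service table and the matching rules are this example's own simplification, not nmap's service database.

```python
# Service usually found on a well-known port; used to flag a banner that does
# not fit the port it was grabbed from (constructed, deliberately small table).
EXPECTED = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
            80: "http", 110: "pop3", 111: "rpcbind"}

IAC = 0xFF  # telnet "Interpret As Command": servers open with option negotiation


def classify_banner(banner: bytes) -> str:
    """Guess the service from the first bytes a server sends.

    SSH, SMTP, FTP, POP3 and telnet servers talk first; HTTP does not, so an
    HTTP banner is only seen after sending a request (e.g. HEAD / HTTP/1.0).
    """
    if banner[:1] == bytes([IAC]):
        return "telnet"
    text = banner.decode("ascii", errors="replace")
    if text.startswith("SSH-"):
        return "ssh"
    if text.startswith("HTTP/"):
        return "http"
    if text.startswith("+OK"):
        return "pop3"
    if text.startswith("220"):
        # FTP and SMTP both greet with a 220 code; the greeting text tells them apart
        upper = text.upper()
        if "SMTP" in upper:
            return "smtp"
        if "FTP" in upper:
            return "ftp"
        return "ftp-or-smtp"
    return "unknown"


def check_port(port: int, banner: bytes):
    """Return (observed service, verdict) for a banner grabbed from `port`."""
    observed = classify_banner(banner)
    expected = EXPECTED.get(port)
    if expected is None:
        return observed, "no expectation for this port"
    if observed == expected:
        return observed, "match"
    return observed, f"mismatch: port {port} usually carries {expected}"


if __name__ == "__main__":
    # Constructed banners: an SSH greeting, an SMTP greeting, and telnet
    # option negotiation (IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD) on port 25.
    for port, banner in [
        (22, b"SSH-2.0-OpenSSH_5.3\r\n"),
        (25, b"220 mail.example.test ESMTP Postfix\r\n"),
        (25, b"\xff\xfb\x01\xff\xfb\x03"),
    ]:
        print(port, check_port(port, banner))
```

A mismatch is not proof of evasion; it is a prompt to look closer, since administrators move services for legitimate reasons too. The RPC case from the paragraph above is different in kind: port 111 only tells you rpcbind is present, and the real service list comes from querying it, as rpcinfo does.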


The next step after port enumeration is system fingerprinting. The goal of system fingerprinting is to determine the operating system version and type. There are two common methods of performing system fingerprinting: active and passive scanning. The more common active methods use responses sent to TCP or ICMP packets. The TCP fingerprinting process involves setting flags in the header that different operating systems and versions respond to differently. Usually, several different TCP packets are sent and the responses are compared to known baselines to determine the remote operating system (OS). Typically, ICMP-based methods use fewer packets than TCP-based methods, so when you need to be more stealthy and can afford a less-specific fingerprint, ICMP is a viable alternative. Higher degrees of accuracy can often be achieved by combining TCP/UDP and ICMP methods, assuming that no device between you and the target is reshaping packets and mismatching the signatures.

Passive fingerprinting provides the ultimate in stealthy detection. Unlike the active method, this style of fingerprinting does not send any packets, but depends on sniffing techniques to analyze the information sent in normal network traffic. If your target is running publicly available services, passive fingerprinting may be a good way to start your fingerprinting. A drawback of passive fingerprinting is that it is less accurate than a targeted active fingerprinting session and relies on an existing traffic stream.
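Both the active and the passive method above come down to the same step: compare a few observable packet attributes with known baselines and pick the closest. The added Python example below (not part of the original article) shows that comparison on a sample of attributes taken from a single TCP SYN (initial TTL, window size, DF flag), which is what a passive sniffer or an active probe's reply would give you. The signature table is constructed for illustration only and is not nmap's or any other tool's fingerprint database; the TTL handling shows why an observed TTL must be rounded up to a common initial value before it can be compared.

```python
# Illustrative signatures (constructed for this example, not a real database):
# initial TTL, TCP window size and Don't-Fragment flag seen in a SYN.
SIGNATURES = [
    {"os": "Linux 2.6 (illustrative)",  "ttl": 64,  "window": 5840,  "df": True},
    {"os": "Windows XP (illustrative)", "ttl": 128, "window": 65535, "df": True},
    {"os": "FreeBSD (illustrative)",    "ttl": 64,  "window": 65535, "df": True},
    {"os": "Cisco IOS (illustrative)",  "ttl": 255, "window": 4128,  "df": False},
]

# Common initial TTL values; each router on the path decrements by one.
INITIAL_TTLS = (32, 64, 128, 255)
ATTRIBUTES = 3  # ttl, window, df


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common starting value."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def score(sample, sig):
    """Number of attributes on which the sample agrees with a signature."""
    points = 0
    if initial_ttl(sample["ttl"]) == sig["ttl"]:
        points += 1
    if sample["window"] == sig["window"]:
        points += 1
    if sample["df"] == sig["df"]:
        points += 1
    return points


def fingerprint(sample):
    """Best-matching OS guess for one SYN sample, with a crude confidence.

    Returns {"guess", "confidence", "hops"}; ties are reported as ambiguous
    rather than resolved arbitrarily, since a wrong OS guess misleads later steps.
    """
    scores = {sig["os"]: score(sample, sig) for sig in SIGNATURES}
    best_score = max(scores.values())
    ties = [name for name, s in scores.items() if s == best_score]
    guess = ties[0] if len(ties) == 1 else "ambiguous: " + ", ".join(ties)
    # Estimated distance in hops, a by-product of the TTL normalisation.
    hops = initial_ttl(sample["ttl"]) - sample["ttl"]
    return {"guess": guess, "confidence": best_score / ATTRIBUTES, "hops": hops}


if __name__ == "__main__":
    # Constructed SYN samples as a sniffer (passive) or probe (active) would yield.
    for sample in [
        {"ttl": 57, "window": 5840, "df": True},   # seven hops away
        {"ttl": 120, "window": 65535, "df": True},
        {"ttl": 60, "window": 1024, "df": True},   # window matches nothing
    ]:
        print(sample, fingerprint(sample))
```

The last sample is the failure mode the article warns about: when a firewall or load balancer rewrites window sizes or TTLs, the attributes no longer line up with any one baseline, and the honest answer is "ambiguous" rather than a confident wrong OS. Real tools use many more attributes (TCP options and their order, IP ID behaviour, ICMP quirks), which is why combining TCP/UDP and ICMP methods raises accuracy.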

External Links:

Defining Footprinting, Fingerprinting, Enumeration and SNMP Enumeration at the World of Information Technology and Security blog

Router Hacking Part 2 (Service Enumeration, Fingerprinting, And Default Accounts) at

Fingerprinting at

Penetration Testing: Enumeration

Once you have hardened your system and network, it is always a good idea to scan, or penetration test, your own systems for weaknesses that may already exist or may develop. Changes are constantly made to production systems. In addition, malicious users are constantly discovering and exploiting new weaknesses. Penetration testing your own network will help you see potential weaknesses through the eyes of an attacker and will help you to close the holes.

During the scanning phase of penetration testing, you will begin to gather information about your network’s purpose: specifically, what ports, and possibly what services, it offers. Information gathered during this phase is traditionally also used to determine the operating system (or firmware version) of the target devices. The list of active targets gathered from the footprinting phase is used as the target list for this phase. You can specify any host within your approved ranges, but you may lose time trying to scan a system that perhaps does not exist, or may not be reachable from your network location.

Penetration Testing: The Enumeration Process

In penetration testing, enumeration is the process of listing and identifying the specific services and resources that are offered by a network. You perform enumeration by starting with a set of parameters, like an IP address range, or a specific Domain Name Service (DNS) entry, and the open ports on the system. Your goal for enumeration is a list of services that are known and reachable from your source. From these services, you move further into deeper scanning, including security scanning and testing. Terms such as banner grabbing and fingerprinting fall under the category of enumeration. The most common tools associated with enumeration include nmap and amap.

An example of successful enumeration would be to start with a host that has TCP port 22 open. After enumeration, you should be able to state that OpenSSH is running, and what version of OpenSSH is running along with the protocol versions. Moving into fingerprinting, ideal results would tell what version of Linux/Unix is running, and what version of the kernel is running. Often your enumeration will not get to this level of detail, but you should set that as your goal.

Keeping good notes is also important during penetration testing, and is important during this phase as well. If the tool you are using cannot output a log file, make sure you use tools like tee, which allow you to direct the output of a command to a log file. Sometimes you may also want to know the exact flags or switches you used when you ran a tool, or what the verbose output was.

You can perform enumeration using either active or passive methods. Proxy methods may also be considered passive, as the information you gather will be from a third source, rather than intercepted from the target itself. But a truly passive scan should not involve any data being sent from the host system. Active methods are the more familiar ones in which you send certain types of packets and then receive packets in return.

Once enumeration is complete, you will have a list of targets that you will use for the next stage: scanning. You need to have specific services that are running, versions of these services, and any host or system fingerprinting that you could determine. Moving forward without this information could hamper your further efforts in exploitation.

External Links:

Penetration Testing at Wikipedia

© 2013 David Zientara. All rights reserved.