Every good network administrator has a set of network scanning tools in his or her utility belt. These applications not only help find problems in existing networks, but also are invaluable when configuring new equipment. A network scanner can quickly determine if a machine is working properly and if the desired services are running. It will also identify any other services that are running.
The most basic network-scanning tool is the “ping” command. When typed at a prompt, it sends a special “echo” packet to the target machine. Often the target responds by sending back the same type of packet, hence the term “echo.” Network administrators often use this technique to determine whether a machine has been properly connected to the network. In the “security considerations” section we’ll explain why this is a really bad thing.
A more advanced level of tool is called a port scanner. Network services that use TCP/IP (Transmission Control Protocol/Internet Protocol, explained in Chapter 23) accept incoming connections using a system called “ports.” A port is simply an additional piece of address information attached to network data, sort of like an apartment number. Most common Internet services use standard port numbers. Web servers (Hypertext Transfer Protocol [HTTP]), for example, listen for connections on TCP port 80. Mail servers listen on TCP port 25. Custom applications will use ports with higher numbers, such as 4009 or 63335.
A port scanner looks at each port within a specified range and notes each port that has a service actively listening. It then cross-references these ports against a database of applications to figure out the type of application that is running. Advanced port scanners will actually connect to the service to obtain additional information. For example, connecting to a web port lets the scanner figure out the type of Web server software that is running. Nmap is one of the most popular port-scanning tools.
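The following is an added example, not code from the book and not Nmap: a minimal TCP connect() port scanner that does what the paragraph describes (probe a range, note the listeners, cross-reference them against a service table) and then compares the result with an allowlist of services the administrator expects on the host, so an unexpected listener stands out. The service table and the allowlist are constructed for the example, and `demo()` binds a throwaway listener on 127.0.0.1 so the whole thing runs offline.

```python
"""Added example (not from the book): a minimal TCP connect() port scanner that
cross-references open ports against a small service table and an allowlist of
expected services, so an administrator can spot listeners that should not be
there. Nmap does all of this far more thoroughly."""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Set

# Constructed subset of the well-known port table a scanner cross-references.
COMMON_SERVICES: Dict[int, str] = {
    22: "ssh", 25: "smtp", 80: "http", 443: "https", 3306: "mysql", 5432: "postgresql",
}


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP listener completes the handshake on host:port.

    A refused connection means the port is closed; a timeout usually means a
    firewall dropped the probe (filtered), which this simple scanner also
    reports as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # ConnectionRefusedError and socket.timeout both derive from OSError
            return False


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5,
               workers: int = 32) -> List[int]:
    """Probe every port in the range concurrently; return the sorted list that accepted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: port_is_open(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, results) if is_open)


def identify(port: int) -> str:
    """Cross-reference a port number against the service table (no banner grab)."""
    return COMMON_SERVICES.get(port, "unknown")


def unexpected_listeners(open_ports: Iterable[int], allowlist: Set[int]) -> List[int]:
    """Ports that are listening but absent from the host's expected-service list."""
    return sorted(set(open_ports) - allowlist)


def demo() -> dict:
    """Offline run: bind a throwaway listener on 127.0.0.1 (constructed for the
    example), scan it next to a port known to be closed, and check the result
    against an allowlist that does not include the throwaway port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: the kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]  # nothing listens here once probe is closed
    probe.close()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
        return {
            "open_port": open_port,
            "closed_port": closed_port,
            "open_ports": found,
            "services": {p: identify(p) for p in found},
            "unexpected": unexpected_listeners(found, allowlist={22, 80, 443}),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    result = demo()
    for port in result["open_ports"]:
        print(f"tcp/{port} open ({result['services'][port]})")
    print("listening but not in allowlist:", result["unexpected"])
```

To audit a real host you administer, call `scan_ports(host, range(1, 1025))` and pass its own expected-service set to `unexpected_listeners`; the timeout decides how long a filtered port costs you, and a connect() scan of this kind is visible in the target's logs, which is exactly what you want when the target is your own machine.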
A “fingerprinting scanner” attempts to determine the operating system of the target machine. It does this by using a number of obvious and obscure clues. Some services, such as telnet and some versions of Secure Shell (SSH), report the operating system and version upon connection. This is pretty obvious, but some systems are harder to figure out. Advanced techniques can also be used, such as looking for patterns in the way connections are handled. These patterns can be matched against a signature database. Current fingerprint systems can be eerily accurate with extremely little information. The Nmap network scanner has fingerprinting ability built into it.
A “vulnerability scanner” tests the target machine for susceptibility to exploits. Two approaches to this process exist. The first is to fingerprint the target machine. If the target appears to be running vulnerable software based on the fingerprint, an alert is generated. The second approach is to actually run programs that take advantage of all the known vulnerabilities. These programs usually don’t harm the target machine; instead they simply note whether they were able to successfully gain access. This is a much more effective strategy, but certain types of exploits will damage the target system due to their nature. Therefore, a combination of both approaches is often the best choice for comprehensive and safe scanning. Popular vulnerability scanners include “Nessus,” “SAINT,” “SANTA,” “SATAN,” and so on.
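As an added example of the first, fingerprint-only approach described above (not code from the book, and not how Nessus or the other named scanners are implemented), the block below parses a service banner of the kind the fingerprinting section mentions, extracts product and version, and raises an alert when the version is below a minimum-version baseline. The baseline table and the sample banners are constructed placeholders for the example; no exploit is run, which is the point of this approach.

```python
"""Added example (not from the book or any scanner product): the fingerprint-only
approach to vulnerability scanning. A banner is parsed into product and version
and compared against a minimum-version baseline; a version below the baseline
raises an alert without any exploit being run."""
import re
from typing import NamedTuple, Optional, Tuple


class Fingerprint(NamedTuple):
    product: str
    version: Tuple[int, ...]
    comment: str  # e.g. an OS hint that some servers append to the banner


# Constructed placeholder baseline, not advisory data: the earliest version the
# site's patch policy accepts for each product. Populate it from real advisories.
MINIMUM_VERSION = {
    "OpenSSH": (8, 0),
    "Apache": (2, 4, 50),
}

# SSH identification string (RFC 4253): SSH-<proto>-<software> [comment]
SSH_BANNER = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
# HTTP response header: Server: <software> [comment]
HTTP_SERVER = re.compile(r"^Server:\s*(?P<software>\S+)\s*(?P<comment>.*)$", re.IGNORECASE)
# <product>/<dotted version> or <product>_<dotted version>; a trailing patch-level
# suffix such as the "p1" in OpenSSH_7.4p1 is ignored by this simple parser
SOFTWARE = re.compile(r"^(?P<product>[A-Za-z][A-Za-z0-9-]*)[/_](?P<ver>\d+(?:\.\d+)*)")


def dotted(version: Tuple[int, ...]) -> str:
    return ".".join(str(n) for n in version)


def fingerprint(banner: str) -> Optional[Fingerprint]:
    """Extract product, version and comment from an SSH or HTTP banner."""
    match = SSH_BANNER.match(banner) or HTTP_SERVER.match(banner)
    if match is None:
        return None
    software = SOFTWARE.match(match.group("software"))
    if software is None:
        return None
    version = tuple(int(n) for n in software.group("ver").split("."))
    return Fingerprint(software.group("product"), version, (match.group("comment") or "").strip())


def assess(banner: str) -> str:
    """Fingerprint-only check: alert when the reported version is below baseline."""
    fp = fingerprint(banner)
    if fp is None:
        return "unrecognised banner"
    minimum = MINIMUM_VERSION.get(fp.product)
    if minimum is None:
        return f"{fp.product}: not in baseline"
    if fp.version < minimum:  # tuple comparison is component-wise, so (2,4,9) < (2,4,50)
        return f"{fp.product} {dotted(fp.version)} below baseline {dotted(minimum)}: alert"
    return f"{fp.product} {dotted(fp.version)} meets baseline"


if __name__ == "__main__":
    # Constructed sample banners, the kind a scanner sees right after connecting.
    for sample in ("SSH-2.0-OpenSSH_7.4p1 Debian-10",
                   "SSH-2.0-OpenSSH_9.2",
                   "Server: Apache/2.4.41 (Ubuntu)",
                   "Server: nginx/1.18.0",
                   "220 mail.example.com ESMTP"):
        print(f"{sample!r:45} -> {assess(sample)}")
```

The caveat the chapter's comparison implies shows up immediately in practice: a banner only says what version string the vendor ships, so a distribution that backports fixes without changing the version number will be flagged by this check even though it is patched, while a service whose banner has been edited will sail through. That is why the text recommends pairing the fingerprint approach with a verified check rather than relying on either alone.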
The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com as well as your local bookstore. The book goes into much greater depth on this topic.
Below, you'll find links to online resources that supplement this portion of the book.