Network scanning secrets revealed

Comprehensive scans

We can use Nmap to discover even more information about the target machine by using some different scan types. Try the 'Intense scan, all TCP ports' scanning option. This takes a few moments to complete, but it scans the entire range of possible TCP port numbers (1 to 65,535), looking for open holes. It also performs operating system identification checks and tries to identify the software running behind each open port.

Going back to the Ports/Hosts tab, it now shows not only the two ports we saw a moment ago, but also the names of the applications running on them. In the case of Apache 2, it also displays the version of the software and even the underlying operating system name (Ubuntu, in our case).

Next, click on the Host Details tab. This is an option that often has the power to shock people into installing a proper firewall. Expand the sections to see more detail.

Nmap knows that our machine is running Linux (including the version of the running kernel). It also knows the network card's MAC address, which enables it to look up the manufacturer. Knowing this could give a skilled hacker a means to crash the card.

Interestingly, our copy of Zenmap also found a P2P file-sharing application that was running. It was technically connected to a port, but it was not connected to the Internet at the time of the scan.

The most comprehensive of the default scans that Zenmap has at its disposal is the 'Slow comprehensive scan'. This takes quite a while to complete, but it leaves no stone unturned while looking for even tiny details of the target host. As you scan more targets, these are added to the topology diagram in Zenmap, giving you a unique graphical view of your network.

If you have a network segmented into subnets using a router or switch, try scanning that too. Nmap – with or without the Zenmap front end – is a great tool for explaining to people why they need to ensure that only the ports they actually need are open on the firewall, and why running old versions of networked software is so dangerous.

For example, older versions of Apache 2 have vulnerabilities that are exploitable directly using a buffer overflow attack. A hacker only needs to know which version of Apache 2 is being used to decide which attack to try, a piece of information that Nmap can work out in a few moments.
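The defensive use of a scan like this is to compare what Nmap actually found against what the host is supposed to expose. The following is an added example, not code from the original article: it parses Nmap's grepable (-oG) output format and reports any open port that is not on an assumed allowlist, together with the service and version string Nmap recorded there. The scan output and the allowlist are constructed for illustration.

```python
"""Audit Nmap grepable (-oG) output against a per-host port allowlist.

Added example, not code from the original article. SAMPLE_OG is a constructed
stand-in for real scanner output; ALLOWED is an assumed local policy.
"""
import re

# Constructed sample of `nmap -sV -O -p1-65535 -oG -` output for one host.
SAMPLE_OG = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 Debian/, "
    "80/open/tcp//http//Apache httpd 2.2.14 ((Ubuntu))/, "
    "6881/open/tcp//bittorrent-tracker///\tOS: Linux 2.6.X\n"
)

# Assumed policy: the only ports each host is meant to expose.
ALLOWED = {"192.0.2.10": {22, 80}}

# -oG port entry layout: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: {"ports": [(port, proto, service, version)], "os": str}}."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) \(.*?\)\t(.*)", line)
        if not m:
            continue
        host, rest = m.groups()
        entry = hosts.setdefault(host, {"ports": [], "os": ""})
        for field in rest.split("\t"):
            if field.startswith("Ports: "):
                for port, state, proto, svc, ver in PORT_RE.findall(field):
                    if state == "open":
                        entry["ports"].append((int(port), proto, svc, ver.strip()))
            elif field.startswith("OS: "):
                entry["os"] = field[4:]
    return hosts


def audit(hosts, allowed):
    """Report open ports that policy does not allow, with what Nmap saw there."""
    findings = []
    for host, info in hosts.items():
        for port, proto, svc, ver in info["ports"]:
            if port not in allowed.get(host, set()):
                detail = " ".join(x for x in (svc, ver) if x)
                findings.append(f"{host}:{port}/{proto} unexpected open ({detail})")
    return findings
```

Feeding real output in is a matter of replacing SAMPLE_OG with the contents of a file written by `nmap -oG`.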

Network snooping

'Sniffing' network traffic as it goes by is another important technique used by hackers, and it can be even more revealing. One industry standard tool for network sniffing is Wireshark, which was previously known as Ethereal.

During my past life as a network security consultant, one of my jobs was to assess the internal security of networks for corporate clients. The first thing I'd do would always be to set Ethereal running. I remember one tough assignment where everything seemed very secure indeed. I had nothing much to tell the client in my subsequent presentation and report.

However, towards the end of my time on-site, I suddenly noticed some telnet traffic going by in Ethereal, including the username 'root' and a password. My heart leapt. Linux and Unix users will recognise 'root' as the system administration account – the so-called 'super user'.

Telnet sends usernames and passwords over the network as plain text. A system administrator was logging into a server using this when he should have been using a secure connection. I quickly logged into the server myself using the same account, downloaded the system's password file and began running it through a password cracker.

I soon realised that usernames and passwords were the same on other servers, giving me free rein to log in wherever I pleased. At the final presentation, I passed an envelope to each of the rather bored-looking network administration team. It was rather satisfying to watch their faces become ashen as they read the messages inside, which told them their personal, supposedly secure account passwords.

But now, back to business. Download the executable for Wireshark and run it to begin installation. During this process, you'll again be asked if you'd like to install Pcap. This time decline, but also untick the Services box on the same screen that allows users without administrator access to capture traffic. This prevents normal users discovering that Wireshark is installed and using it to snoop on others.

Once installed, run Wireshark. The program uses Pcap to put the network card into 'promiscuous' mode, which means that it will accept packets that aren't meant for it. This is easy in Linux, but the writers of Windows never envisioned that such functionality would ever be needed – hence the need for Pcap.

Capturing traffic

Select 'Interfaces' from the Capture dropdown menu and a box will pop up listing all of the interfaces, including virtual ones. You can select any of these and capture traffic from them, but if you're connected directly to your broadband connection, let's try something that might just shock you.

Locate the WAN interface. It's the one with a public IP address, and its name will be something like 'WAN (PPP/SLIP) Interface'. Press the associated 'Start' button, and Wireshark will begin its capture.

Now, go to your mail client and set it to download new messages from your ISP's server. Back in Wireshark, you'll see that data will begin to accumulate. After a moment or so, the traffic will subside. Once this has happened, go to Wireshark's Capture menu and select 'Stop'.

Each captured packet has a time, a source and destination address, an associated protocol and a short description of its content or type. Scroll through the data and look for the entries whose Info column starts with the words 'Request: USER' and 'Request: PASS'. You should recognise them as being the username and password you used to log into your ISP's mail server – being sent over the internet in clear text!

If your ISP's email server supports username and password encryption, use it to prevent this happening. If it doesn't, but the ISP's webmail interface uses SSL (the URL begins with 'HTTPS'), then use this instead. SSL is ideal if you're worried about your credentials being sent in plain text and intercepted en route, because the connection and information will be encrypted before it even leaves your web browser.
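Spotting those 'Request: USER' and 'Request: PASS' rows by eye does not scale, so a network team would normally automate the check. The following is an added example, not code from the original article: it reassembles client-to-server POP3 payloads per connection, flags any connection where both USER and PASS went out unencrypted, and treats a connection that issued STLS (the upgrade to encryption recommended above) as clean. The packets, addresses and account names are constructed for illustration, and the password itself is never stored in the finding.

```python
"""Flag POP3 logins that crossed the wire in clear text, the same 'USER' and
'PASS' requests the article has you spot by eye in Wireshark.

Added example, not code from the original article. PACKETS is a constructed
stand-in for client-to-server TCP payloads exported from a capture.
"""
import re

# Constructed sample: (client, server, payload) in capture order.
PACKETS = [
    ("192.0.2.5:51000", "198.51.100.7:110", b"CAPA\r\n"),
    ("192.0.2.5:51000", "198.51.100.7:110", b"USER alice@example.net\r\n"),
    ("192.0.2.5:51000", "198.51.100.7:110", b"PASS hunter2\r\n"),
    ("192.0.2.5:51000", "198.51.100.7:110", b"STAT\r\n"),
    # This connection upgrades to TLS first, so its login is not visible.
    ("192.0.2.5:51001", "198.51.100.7:110", b"STLS\r\n"),
    # A command split across two segments: reassembly must join them.
    ("192.0.2.5:51002", "198.51.100.7:110", b"USER bob\r\nPAS"),
    ("192.0.2.5:51002", "198.51.100.7:110", b"S s3cret\r\n"),
]

CMD_RE = re.compile(rb"^(USER|PASS|STLS)(?: (.*))?$")


def reassemble(packets):
    """Join payloads per (client, server) flow, preserving capture order."""
    flows = {}
    for client, server, data in packets:
        flows.setdefault((client, server), bytearray()).extend(data)
    return flows


def find_cleartext_logins(packets):
    """One finding per flow where USER and PASS were both sent unencrypted."""
    findings = []
    for (client, server), stream in reassemble(packets).items():
        user, got_pass, tls = None, False, False
        for line in bytes(stream).split(b"\n"):
            m = CMD_RE.match(line.rstrip(b"\r"))
            if not m:
                continue
            cmd, arg = m.group(1), m.group(2) or b""
            if cmd == b"STLS":
                tls = True  # everything after this is encrypted on the wire
            elif cmd == b"USER" and not tls:
                user = arg.decode("ascii", "replace")
            elif cmd == b"PASS" and user and not tls:
                got_pass = True  # record the fact; never keep the secret itself
        if user and got_pass:
            findings.append({"client": client, "server": server,
                             "user": user, "password": "<redacted>"})
    return findings
```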