2.2 Free Network Scanning Tools

Following is an introduction to a small number of scanning tools that I will discuss throughout the book.

2.2.1 nmap

The command-line driven nmap utility is a port scanner designed to scan large networks and determine which hosts are up and which TCP and UDP network services they offer. nmap supports a large number of popular ICMP, TCP, and UDP scanning techniques, also offering a number of advanced features such as service protocol fingerprinting, IP fingerprinting, stealth scanning and low-level filter analysis.

nmap is available from http://www.insecure.org/nmap/. Currently nmap can be run under Windows 2000 and Unix operating systems, including Linux and MacOS X.

2.2.2 Nessus

Nessus is a vulnerability assessment package that can perform many automated tests against a target network, including:

  • ICMP sweeping

  • TCP and UDP port scanning

  • Banner grabbing and network service assessment

  • Brute force against common network services

  • IP fingerprinting and other peripheral functions

I know of auditing teams within the big five accounting firms who use Nessus to undertake much of their network scanning and assessment work. Nessus has two components (daemon and client) and deploys in a distributed fashion that permits effective network coverage and management.

Nessus has a good reporting engine that can present comprehensive results along with relevant CVE entries. CVE is a detailed list of common vulnerabilities maintained by the MITRE Corporation (accessible at http://cve.mitre.org).

Nessus is available for download from http://www.nessus.org. At the time of writing, the daemon component is available only for Unix-based systems such as Linux, Solaris, and FreeBSD. The Unix Nessus client software is bundled with the daemon component in a single package; Windows clients are also available.

2.2.3 NSAT

Mixter's Network Security Analysis Tool (NSAT) is a fast bulk network scanner with decent functionality. Although the NSAT checklist of vulnerabilities isn't as comprehensive as that found in Nessus, the utility is very fast and can perform a high-level sweep of a target network space in order to identify potentially interesting components.

In particular, NSAT performs ICMP, TCP, and UDP scanning along with good assessment of common services including Telnet, FTP SMTP, DNS, POP3, RPC, NetBIOS, SNMP, and HTTP. With NSAT, you can also define virtual network interfaces to scan through, so that in a situation in which an IDS protected network is being assessed, you can assess the space from IP addresses in your network block that aren't being used.

NSAT can be run under Linux, FreeBSD, and Solaris at the time of writing. The tool is available from the NSAT project page at http://sourceforge.net/projects/nsat/.

2.2.4 Foundstone SuperScan

A Windows GUI-based ICMP, TCP, and UDP network scanning utility, SuperScan is extremely fast and efficient. When it locates plaintext network services (such as FTP, Telnet, SMTP, or HTTP), the tool performs banner grabbing to extract additional service information (which usually includes version numbers and details of enabled options).

SuperScan is available from http://www.foundstone.com/knowledge/scanning.html along with a selection of other freely downloadable network scanning utilities.