Scanning Your Own Machines with nmap

Find out when servers and services come online anywhere on your network.
 
If you haven't used it before, nmap is a tremendously useful tool for identifying machines and services on your network. It will perform a number of different types of network scanning (from standard TCP and UDP to more exotic scans like stealth TCP SYN scans, Xmas Tree and NULL probes, and a bunch of other fun options). 
Even more interesting is the OS fingerprinting code, which analyzes packets returned by the target machine and compares the results against a database of known operating systems. This is a fascinating bit of code, in that it can typically identify the remote side's operating system without connecting to any actual services, and even return an estimated uptime for the machine being scanned. 
To perform a standard port sweep with OS fingerprinting, try the -O switch: 
ray@linux:~# nmap -O caligula

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on caligula.rob.nocat (10.42.4.7):
(The 1600 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh 
Remote operating system guess: Mac OS X 10.1 - 10.1.4
Uptime 5.760 days (since Tue Sep 3 19:14:36 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds
 
If you'd like to nmap your entire network and have a bit of time to kill, you can specify a network and subnet on the command line. This performs a TCP SYN scan and fingerprinting for the first 64 addresses of 10.42.4.0: 
ray@linux:~# nmap -OsS 10.42.4.0/26
 
Since nmap prints to STDOUT, you can easily save the output of a scan and compare it against previous runs for a differential report. We'll run an Xmas tree scan and grep out a couple of volatile lines (the banner and the run-time summary) so they don't show up as false differences:
 
ray@linux:~# nmap -sX 10.42.4.0/26 | egrep -v '^(Nmap|Starting)' > nmap.output
 
Let's run the same command again (say, the next day, at a random hour): 
ray@linux:~# nmap -sX 10.42.4.0/26 | egrep -v '^(Nmap|Starting)' > nmap.output2
 
and let's do a context diff to see what changed: 
ray@linux:~# diff -c nmap.output*
*** nmap.output Mon Sep 9 14:45:06 2002
--- nmap.output2 Mon Sep 9 14:45:21 2002
***************
*** 1,7 ****

Interesting ports on catlin.rob.nocat (10.42.4.6):
! (The 1598 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh 
53/tcp open domain 
80/tcp open http 
--- 1,8 ----

Interesting ports on catlin.rob.nocat (10.42.4.6):
! (The 1597 ports scanned but not shown below are in state: closed)
Port State Service
+ 21/tcp open ftp 
22/tcp open ssh 
53/tcp open domain 
80/tcp open http 
ray@linux:~#
 
Fascinating. It looks like catlin has picked up an ftp server at some point. This technique will find new (and dead) hosts and services each time it is run. By keeping an archive of nmap output (perhaps in files named by date and time, or even in a database) you can keep a log of the state of all machines on your network. Turning it into a shell script and running it from cron is left as an exercise (a hopefully fun, and definitely worthwhile exercise) for the reader.
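One way to do that exercise, as an added example rather than code from the article: the script below archives each filtered run under a timestamped name and reports services that appeared or vanished since the previous run. It assumes nmap is on PATH, uses an archive directory under $HOME (an assumption, override with ARCHIVE_DIR), and flattens each host block into one line per open port so the diff keeps the host name that a context diff of raw output loses; nmap is only invoked when SCAN_TARGET is set, and the sample output at the bottom is constructed to exercise the logic offline.

```shell
#!/bin/sh
# Added example, not from the original article: the archive-and-diff cron
# routine the text leaves as an exercise. nmap is only invoked when
# SCAN_TARGET is set; the constructed samples below exercise the logic offline.
ARCHIVE_DIR="${ARCHIVE_DIR:-$HOME/nmap-archive}"   # assumed location
# Drop the banner and run-time summary so they never appear as differences.
filter_scan() {
    grep -Ev '^(Nmap|Starting)'
}

# Flatten nmap's per-host blocks into "host port/proto state service" lines so
# a plain diff keeps the host context that a context diff of raw output loses.
normalize_scan() {
    awk '/^Interesting ports on /{host=$4}
         /^[0-9]+\/(tcp|udp)/ {print host, $1, $2, $3}'
}

# Print "+ host port state service" for services that appeared and "- ..." for
# ones that vanished between two normalized snapshots.
compare_snapshots() {
    diff "$1" "$2" | grep -E '^[<>] ' | sed 's/^< /- /; s/^> /+ /' || true
}

# One cron run: scan, archive under a timestamped name, diff against the
# most recent previous archive.
scan_and_compare() {
    mkdir -p "$ARCHIVE_DIR"
    prev=$(ls "$ARCHIVE_DIR"/*.txt 2>/dev/null | tail -n 1)
    cur="$ARCHIVE_DIR/$(date +%Y%m%d-%H%M%S).txt"
    nmap -sX "$1" | filter_scan | normalize_scan > "$cur"
    if [ -n "$prev" ]; then compare_snapshots "$prev" "$cur"; fi
}

# Constructed sample output modelled on the article's two runs (not real scans).
sample_old() { cat <<'EOF'
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on catlin.rob.nocat (10.42.4.6):
Port State Service
22/tcp open ssh
53/tcp open domain
Nmap run completed -- 64 IP addresses (1 host up) scanned in 31 seconds
EOF
}
sample_new() { cat <<'EOF'
Interesting ports on catlin.rob.nocat (10.42.4.6):
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
EOF
}
if [ -n "${SCAN_TARGET:-}" ]; then scan_and_compare "$SCAN_TARGET"; fi
```

Run it from cron with SCAN_TARGET set to the network you want watched; each run prints only the changes, so an empty mail from cron means nothing moved.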
