Date: Wed, 3 Mar 1999 13:16:48 -0600 (CST) From: Erik Parker To: nmap-hackers@insecure.org Subject: Nmap gets more media Message-ID: http://www.wired.com/news/news/technology/story/18219.html The cracker's screwdriver has become more of a Swiss Army knife, his F-16 more of a stealth bomber. With awe and alarm, security analysts have observed the capabilities of Nmap, a network-scanning program that crackers are now using to plot increasingly cunning attacks. "Just before Christmas, we detected a new [network] scanning pattern we'd never seen before," said John Green, a security expert on the "Shadow" intrusion-detection team at the US Navy's Naval Surface Warfare Center. "Other sites have seen the same activity. The problem was, no one knew what was causing it." Green made the remarks Tuesday in an online briefing hosted by the SANS Institute, a nonprofit network-security research and education organization. The group held the briefing to alert network administrators of the alarming increase in the strategies of network attacks. The culprit software prowling outside the doors of networks participating in the study is Nmap, an existing software utility used by administrators to analyze networks. In the hands of intruders, security analysts discovered, Nmap is a potent tool for sniffing out holes and network services that are ripe for attack. The analysts didn't look for actual damage that was carried out. Instead, they silently watched as various networks were scanned by untraceable Nmap users. "The intelligence that can be garnered using Nmap is extensive," Green said. "Everything that the wily hacker needs to know about your system is there." Rather than feel in the dark to penetrate network "ports" at random, Nmap allows intruders to perform much more precise assaults. The implications are a bit unnerving for the network community. The tool makes planning network intrusions more effective, while simultaneously bringing this sophistication to a wider audience of crackers. "It takes a lot of the brute force out of hacking," said Green. "It allows [intruders] to map hosts and target systems that might be vulnerable." And that should result in a higher success rate for attempted intrusions. "I think we're going to see more coordinated attacks. You can slowly map an entire network, while not setting off your detection system," said software developer H. D. Moore, who debriefed network analysts at the conference. But Moore is part of the solution. He authored Nlog, software that automatically logs activity at a network's ports and parlays it to a database. Weekly checks of the database enable the user to tell if someone is performing an Nmap analysis. Nlog serves as a companion tool to Nmap. Just like intruders, administrators can use Nmap to detect their own network weaknesses, then plug the holes. Prevention is the only defense, Green and Moore said. There is no other known way to combat an Nmap-planned network attack. "Right now it's basically a suffer-along scenario," Green said. But, at least, Nmap lets administrators "know what the hackers know about you." Cheers, Erik