Nmap is a popular open-source network discovery tool used to discover and audit devices on a computer network. It can rapidly scan single hosts up to large computer networks, providing useful information about each host and its software.
Intruders in the network… Wait, what?
Every day, IoT products like smartwatches, fitness trackers, printers, smart cameras, and more are becoming part of our daily lives. Many of these devices are synchronized with our personal or work smartphones. Willfully or not, these devices may be connecting to your corporate network. At least half of organizations have experienced this just in the last year, according to Infoblox.
But what is the risk? Most IoT devices don't have built-in security and, in many cases, lack firmware and security upgrades. This lack of security is a gold mine for cybercriminals attempting to breach your network security. However, thanks to Nmap discovery and auditing features, you can quickly discover and identify rogue hosts or devices on your network and the software running in it. Let's explore some scenarios.
General network discovery
Just knowing which ports are open is not enough, because services often listen on non-standard ports. From a security perspective, you also want to know what software and version are behind each port. Thanks to Nmap's Service and Version Detection capabilities, it is possible to perform a complete network inventory and host and device discovery, checking every single port per device or host and determining what software is behind each.
Nmap connects to and interrogates each open port, using detection probes that the software may understand. By doing this, Nmap can provide a detailed assessment of what is out there rather than just meaningless open ports.
To make use of this powerful feature, you should:
- Enable Service and Version Detection using the parameter -sV.
- Add the option --allports so version detection probes every open port. By default, Nmap skips version detection on port 9100 because many printers use it, and in some rare cases the probes cause them to print.
- Use -T4 for faster execution, as this discovery may be time-consuming.
$ nmap -sV --allports -T4 10.1.0.0/24
Nmap scan report for 10.1.0.1
Host is up (0.0038s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Unbound
80/tcp open http nginx
2022/tcp open ssh OpenSSH 7.5 (protocol 2.0)
5000/tcp open ssl/http-proxy HAProxy http proxy 1.3.1 or later
8443/tcp open ssl/http nginx
Service Info: Device: load balancer
Nmap scan report for 10.1.0.2
Host is up (0.82s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3p1 Debian 1 (protocol 2.0)
80/tcp open http nginx
111/tcp open rpcbind 2-4 (RPC #100000)
443/tcp open ssl/http nginx
2049/tcp open nfs 3-4 (RPC #100003)
3260/tcp open iscsi?
6000/tcp open http aiohttp 3.6.2 (Python 3.8)
8080/tcp open http Apache httpd 2.4.46 ((Debian) mpm-itk/2.4.7-04 OpenSSL/1.1.1g)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
From the output above, Nmap found two hosts: 10.1.0.1 and 10.1.0.2.
The first host is detected as a load balancer—pretty close, as it is my router running pfSense. It also noticed several ports open and the software listening on each. It correctly detected the DNS server as Unbound; Nginx as the webserver behind port 80 (expected) and 8443 (a non-standard port); it also caught port 2022 open, with OpenSSH 7.5 behind it; and in port 5000, Nmap detected HAProxy, with a version of at least 1.3.1.
The second host runs Linux, and every software was identified correctly, except for the iSCSI server behind port 3260.
What do you do with this information? Save it! You will need a baseline to compare to the next time you scan the network for new hosts and services. Check the security vulnerabilities for each software detected. Make sure you recognize each device!
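As an added illustration of keeping that baseline (example code, not part of the original article), the following Python parses normal-format nmap -sV output into a host/port/version inventory and reports what changed between two scans. Both sample outputs are constructed from the scan above; the second one is an invented later run.

```python
import re
# Constructed sample: a trimmed copy of the nmap -sV output shown above, kept as the baseline
BASELINE = """\
Nmap scan report for 10.1.0.1
PORT     STATE SERVICE VERSION
53/tcp   open  domain  Unbound
80/tcp   open  http    nginx
2022/tcp open  ssh     OpenSSH 7.5 (protocol 2.0)
"""

# Constructed sample: a later scan where port 80 closed, SSH changed and a new host appeared
LATER = """\
Nmap scan report for 10.1.0.1
PORT     STATE SERVICE VERSION
53/tcp   open  domain  Unbound
2022/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
Nmap scan report for 10.1.0.2
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.3p1 Debian 1 (protocol 2.0)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s*(.*)$")
def parse_inventory(text):
    """Build {host: {port/proto: (service, version)}} from nmap -sV normal output."""
    inv, host = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
            inv.setdefault(host, {})
        elif (m := PORT_RE.match(line)) and host is not None:
            inv[host][m.group(1)] = (m.group(2), m.group(3).strip())
    return inv

def diff_inventory(baseline, current):
    """List what changed since the baseline: new hosts, new or closed ports, changed versions."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            findings.append(f"NEW HOST {host}: {sorted(current[host])}")
            continue
        old, new = baseline[host], current.get(host, {})
        for port in sorted(set(old) | set(new)):
            if port not in old:
                findings.append(f"NEW PORT {host} {port} {new[port]}")
            elif port not in new:
                findings.append(f"CLOSED PORT {host} {port}")
            elif old[port] != new[port]:
                findings.append(f"CHANGED {host} {port}: {old[port]} -> {new[port]}")
    return findings
```

Feed it the saved output of two real scans (nmap -oN) and review every NEW HOST and NEW PORT line against your asset list.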
Rogue DHCP servers
DHCP servers are a fundamental component of every network. In essence, there should be only one DHCP server per network, providing all the necessary information required to configure the network properly.
Rogue DHCP servers are just like regular DHCP servers, but they are not managed by the IT or network staff. These rogue servers usually appear when users knowingly or unknowingly connect a router to the network. Another possibility is a compromised IoT device such as a mobile phone, printer, camera, tablet, or smartwatch, or something worse, such as a compromised IT application or resource.
Rogue DHCP servers are frustrating, especially if you are trying to deploy a fleet of servers using PXE, as PXE depends heavily on DHCP. Not only that, it is a security risk, and you can start experiencing network outages as the rogue DHCP server can provide wrong network settings and routes.
To perform DHCP discoveries, Nmap includes a script called broadcast-dhcp-discover. This script sends a DHCP discover request to the broadcast address using the MAC address DE:AD:C0:DE:CA:FE and reports the results.
In the following example, the script broadcast-dhcp-discover is executed on the interface bond0 and discovers a rogue DHCP server:
$ sudo nmap --script broadcast-dhcp-discover -e bond0
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-28 19:24 CDT
Pre-scan script results:
| dhcp:
| Response 1 of 2:
| Interface: bond0
| IP Offered: 10.1.0.78
| DHCP Message Type: DHCPOFFER
| Server Identifier: 10.1.0.1
| IP Address Lease Time: 5m00s
| Subnet Mask: 255.255.255.0
| Router: 10.1.0.1
| Domain Name Server: 10.1.0.1
| Domain Name: lab.opencloud.io
| Response 2 of 2:
| Interface: bond0
| IP Offered: 10.1.0.27
| DHCP Message Type: DHCPOFFER
| Server Identifier: 10.1.0.3
| IP Address Lease Time: 2m00s
| Renewal Time Value: 1m00s
| Rebinding Time Value: 1m45s
| Subnet Mask: 255.255.255.0
| Broadcast Address: 10.1.0.255
| Router: 10.1.0.3
|_ Domain Name Server: 10.1.0.3
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.31 seconds
From the output above, you can see two different responses corresponding to a reply from each DHCP server in the network.
The most important field to watch is Server Identifier, as this will show you the IP of the DHCP server, including the potential rogue one.
What do you do with this information? Every organization's security policies are different. However, in most cases, any rogue DHCP should be stopped and removed from the network.
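The check described here, as an added Python example that is not from the article: parse the broadcast-dhcp-discover output and flag any offer whose Server Identifier is not on an allowlist of authorized DHCP servers. The sample output is a trimmed copy of the one above, and the allowlist is an assumption.

```python
import re

# Constructed sample: the broadcast-dhcp-discover output shown above, trimmed to the fields used
SCRIPT_OUTPUT = """\
Pre-scan script results:
| dhcp:
|   Response 1 of 2:
|     Interface: bond0
|     IP Offered: 10.1.0.78
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 10.1.0.1
|     Router: 10.1.0.1
|     Domain Name Server: 10.1.0.1
|   Response 2 of 2:
|     Interface: bond0
|     IP Offered: 10.1.0.27
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 10.1.0.3
|     Router: 10.1.0.3
|_    Domain Name Server: 10.1.0.3
"""

# Assumption: the DHCP servers the network team actually operates
AUTHORIZED_DHCP_SERVERS = {"10.1.0.1"}

RESPONSE_RE = re.compile(r"^\|_?\s*Response \d+ of \d+:")
FIELD_RE = re.compile(r"^\|_?\s*([A-Za-z ]+): (.+)$")

def parse_offers(text):
    """Split the script output into one dict of fields per DHCP response."""
    offers = []
    for line in text.splitlines():
        if RESPONSE_RE.match(line):
            offers.append({})
        elif offers and (m := FIELD_RE.match(line)):
            offers[-1][m.group(1)] = m.group(2).strip()
    return offers

def find_rogue_offers(offers, authorized):
    """Flag every offer whose Server Identifier is not an authorized DHCP server."""
    rogue = []
    for o in offers:
        server = o.get("Server Identifier")
        if server and server not in authorized:
            rogue.append({"server": server, "offered": o.get("IP Offered"),
                          "router": o.get("Router"), "dns": o.get("Domain Name Server")})
    return rogue
```

The Router and Domain Name Server values of a flagged offer tell you what settings clients that accepted it are now using.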
UPnP devices
UPnP (Universal Plug and Play) is a set of networking protocols that lets any application ask the router to forward a port, saving the time a manual port forwarding configuration would take.
However, UPnP is dangerous and, if possible, should be disabled on a network. Imagine having a rogue device on the network running malicious applications. These applications could easily use UPnP to forward the port to the outside world and use it for malicious purposes.
UPnP has been exploited many times. Two of the most prominent cases are Mirai, targeting IP cameras and home routers, and Pinkslipbot, which uses infected machines as HTTPS-based proxies for the actual control servers.
Unfortunately, many home devices use UPnP nowadays, including video game consoles or streaming devices such as the Google Chromecast.
To scan the network 10.1.0.0/24 and discover devices using UPnP, run the following command to execute the script broadcast-upnp-info. Use -T4 to speed up the discovery:
% nmap -sV --script=broadcast-upnp-info -T4 10.1.0.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-02 18:59 CST
Pre-scan script results:
| broadcast-upnp-info:
| 239.255.255.250
| Server: Linux/2.6.12, UPnP/1.0, NETGEAR-UPNP/1.0
| Location: http://192.168.1.204:80/Public_UPNP_gatedesc.xml
| Manufacturer: NETGEAR, Inc.
| Name: WAN Device
| Manufacturer: NETGEAR, Inc.
| Name: WAN Connection Device
| Manufacturer: NETGEAR, Inc.
The Nmap script detected only one device making use of UPnP, providing the necessary information such as the manufacturer, operating system, and software version.
What do you do with this information? If you don't need UPnP, it's better to disable it. If that's not possible, make sure you recognize the device and it's upgraded to the latest firmware version.
Conclusion
In this article, we explored how to use Nmap to find potential rogue devices in our networks. With the advent and increasing popularity of IoT devices (many with no security mechanisms), it's crucial now more than ever to keep track of all the devices connected to the network. Nmap is a handy tool to use in these cases and more.
About the author
Michael Zamot is an open source enthusiast whose passion began in 2004, when he discovered Linux. Ever since then he has worked and played with various open source projects, including Linux, OpenStack, OpenShift/Kubernetes and many more, and participated in community events by teaching, conducting workshops, and providing technical support and mentorship. He currently works for Red Hat as a Cloud Consultant, designing, deploying, and supporting complex cloud solutions.