Finding rogue devices in your network using Nmap

Nmap is a popular open-source network discovery tool used to discover and audit devices on a computer network. It can rapidly scan single hosts up to large computer networks, providing useful information about each host and its software.

Intruders in the network… Wait, what?

Every day, IoT products like smartwatches, fitness trackers, printers, smart cameras, and more are becoming part of our daily lives. Many of these devices are synchronized with our personal or work smartphones. Willfully or not, these devices may be connecting to your corporate network. At least half of the organizations have experienced this just in the last year, according to Infoblox.

But what is the risk? Most IoT devices don't have built-in security and, in many cases, lack firmware and security upgrades. This lack of security is a gold mine for cybercriminals attempting to breach your network security. However, thanks to Nmap discovery and auditing features, you can quickly discover and identify rogue hosts or devices on your network and the software running in it. Let's explore some scenarios.

[ Readers also liked: Running a quick NMAP scan to inventory my network ]

General network discovery

Just knowing what ports are open is not enough, as many times, these services may be listening on non-standard ports. You will also want to know what software and version are behind the port from a security perspective. Thanks to Nmap's Service and Version Detection capabilities, it is possible to perform a complete network inventory and host and device discovery, checking every single port per device or host and determining what software is behind each.

Nmap connects to and interrogates each open port, using detection probes that the software may understand. By doing this, Nmap can provide a detailed assessment of what is out there rather than just meaningless open ports.

To make use of this powerful feature, you should:

1. Enable Service and Version Detection using the parameter -sV.
2. Add the option --allports to scan every single port. By default, Nmap doesn't check port 9100. Many printers use this port, and in some rare cases, Nmap causes them to print.
3. Use -T4 for faster execution, as this discovery may be time-consuming.

$ nmap -sV --allports -T4 10.1.0.0/24
Nmap scan report for 10.1.0.1
Host is up (0.0038s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE        VERSION
53/tcp   open  domain         Unbound
80/tcp   open  http           nginx
2022/tcp open  ssh            OpenSSH 7.5 (protocol 2.0)
5000/tcp open  ssl/http-proxy HAProxy http proxy 1.3.1 or later
8443/tcp open  ssl/http       nginx
Service Info: Device: load balancer

Nmap scan report for 10.1.0.2
Host is up (0.82s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.3p1 Debian 1 (protocol 2.0)
80/tcp   open  http     nginx
111/tcp  open  rpcbind  2-4 (RPC #100000)
443/tcp  open  ssl/http nginx
2049/tcp open  nfs      3-4 (RPC #100003)
3260/tcp open  iscsi?
6000/tcp open  http     aiohttp 3.6.2 (Python 3.8)
8080/tcp open  http     Apache httpd 2.4.46 ((Debian) mpm-itk/2.4.7-04 OpenSSL/1.1.1g)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

From the output above, Nmap found two hosts: 10.1.0.1 and 10.1.0.2.

The first host is detected as a load balancer—pretty close, as it is my router running pfSense. It also noticed several ports open and the software listening on each. It correctly detected the DNS server as Unbound; Nginx as the webserver behind port 80 (expected) and 8443 (a non-standard port); it also caught port 2022 open, with OpenSSH 7.5 behind it; and in port 5000, Nmap detected HAProxy, with a version of at least 1.3.1.

The second host runs Linux, and every software was identified correctly, except for the iSCSI server behind port 3260.

What do you do with this information? Save it! You will need a baseline to compare to the next time you scan the network for new hosts and services. Check the security vulnerabilities for each software detected. Make sure you recognize each device!

Rogue DHCP servers

DHCP servers are a fundamental component of every network. In essence, there should be only one DHCP server per network, providing all the necessary information required to configure the network properly.

Rogue DHCP servers are just like regular DHCP servers, but they are not managed by the IT or network staff. These rogue servers usually appear when users knowingly or unknowingly connect a router to the network. Another possibility is a compromised IoT device such as mobile phones, printers, cameras, tablets, smartwatches, or something worse, such as a compromised IT application or resource.

Rogue DHCP servers are frustrating, especially if you are trying to deploy a fleet of servers using PXE, as PXE depends heavily on DHCP. Not only that, it is a security risk, and you can start experiencing network outages as the rogue DHCP server can provide wrong network settings and routes.

To perform DHCP discoveries, Nmap includes a script called broadcast-dhcp-discover. This script will send a DHCP request to the broadcast address using the MAC address of DE:AD:CO:DE:CA:FE and report the results.

In the following example, the script broadcast-dhcp-discover is executed on the interface bond0 and discovers a rogue DHCP server:

$ sudo nmap --script broadcast-dhcp-discover -e bond0
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-28 19:24 CDT
Pre-scan script results:
| dhcp:
|   Response 1 of 2:
|     Interface: bond0
|     IP Offered: 10.1.0.78
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 10.1.0.1
|     IP Address Lease Time: 5m00s
|     Subnet Mask: 255.255.255.0
|     Router: 10.1.0.1
|     Domain Name Server: 10.1.0.1
|     Domain Name: lab.opencloud.io
|   Response 2 of 2:
|     Interface: bond0
|     IP Offered: 10.1.0.27
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 10.1.0.3
|     IP Address Lease Time: 2m00s
|     Renewal Time Value: 1m00s
|     Rebinding Time Value: 1m45s
|     Subnet Mask: 255.255.255.0
|     Broadcast Address: 10.1.0.255
|     Router: 10.1.0.3
|_    Domain Name Server: 10.1.0.3
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.31 seconds

From the output above, you can see two different responses corresponding to a reply from each DHCP server in the network.

The most important field to watch is Server Identifier, as this will show you the IP of the DHCP server, including the potential rogue one.

What do you do with this information? Every organization's security policies are different. However, in most cases, any rogue DHCP should be stopped and removed from the network.

UPnP devices

UPnP, also known as Universal Plug and Play, is a set of multiple protocols to allow any application to forward a port on your router, saving a lot of time in what would be a manual port forwarding configuration.

However, UPnP is dangerous and, if possible, should be disabled on a network. Imagine having a rogue device on the network running malicious applications. These applications could easily use UPnP to forward the port to the outside world and use it for malicious purposes.

UPnP has been exploited many times. Two of the most prominent cases are Mirai, targeting IP cameras and home routers, and Pinkslipbot, which uses infected machines as HTTPS-based proxies for the actual control servers.

Unfortunately, many home devices use UPnP nowadays, including video game consoles or streaming devices such as the Google Chromecast.

To scan the network 10.1.0.0/24 and discover devices using UPnP, the following command should be run to execute the plugin broadcast-upnp-info. Use -T4 to speed up the discovery:

% nmap -sV --script=broadcast-upnp-info -T4 10.1.0.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-02 18:59 CST
Pre-scan script results:
| broadcast-upnp-info:
|   239.255.255.250
|       Server: Linux/2.6.12, UPnP/1.0, NETGEAR-UPNP/1.0
|       Location: http://192.168.1.204:80/Public_UPNP_gatedesc.xml
|         Manufacturer: NETGEAR, Inc.
|         Name: WAN Device
|         Manufacturer: NETGEAR, Inc.
|         Name: WAN Connection Device
|         Manufacturer: NETGEAR, Inc.

The Nmap script detected only one device making use of UPnP, providing the necessary information such as the manufacturer, operating system, and software version.

What do you do with this information? If you don't need UPnP, it's better to disable it. If that's not possible, make sure you recognize the device and it's upgraded to the latest firmware version.

[ Want to learn more about security? Check out the IT security and compliance checklist. ] 

Conclusion

In this article, we explored how to use Nmap to find potential rogue devices in our networks. With the advent and increasing popularity of IoT devices (many with no security mechanisms), it's crucial now more than ever to keep track of all the devices connected to the network. Nmap is a handy tool to use in these cases and more.