The UK government recently started an open-source GitHub repository to help organizations scan networks for vulnerabilities.
The idea behind the Scanning Made Easy project from the National Cyber Security Centre (NCSC) and its i100 industry partnership is to provide a collection of Nmap scripts to users, such as sysadmins, for detecting system vulnerabilities.
The scripts should provide more accessible detection and remediation. Defense is often harder than offense, as there are likely more proofs of concept to exploit than there are secure networks.
The NCSC is open to contributions and is providing detailed guidelines for the approval of a script.
Here we’ll discuss how to get started with Nmap, how attackers use it, and how you can use the UK efforts to improve your cybersecurity.
Getting Started with Nmap
Nmap, or network map, provides a series of tools for auditing systems, such as port scanning, host discovery, or device identification across a network. Both pen testers and threat actors use Nmap to collect information about their target in a process called enumeration.
Technically speaking, Nmap is a free command-line tool you run in a terminal to perform tasks such as discovering open ports, which ultimately lets you detect vulnerabilities.
Nmap began as a Linux utility, but it’s now compatible with many operating systems, including Windows or macOS.
For practice, it’s recommended that you scan local virtual machines rather than an online website.
After installing Nmap, you can run either simple commands or advanced scripts.
One command you can start with is nmap mydomain.local, which scans common ports such as 80 or 443 and reports which ones are open. Typical software such as SQL servers and Apache usually occupies these ports while running, providing live hosts to attack.
How Do Attackers Use Nmap?
Although Nmap can scan single hosts, its primary purpose is to scan large networks fast. Behind the scenes, it uses raw IP packets to identify available hosts and services on the network.
Hackers and pen testers would likely include specific options to cover their tracks. For example, you can use decoy scans (-D option), such as nmap -p 123 -D decoyIP targetIP, to hide your real IP and target a specific port (-p). The command will send source-spoofed packets to the target in addition to the scanning machine packets, making port scan detection harder for defenders.
Attackers can also run zombie scans, also known as idle scans. This side-channel attack involves another machine used as a zombie to send forged SYN packets to the target.
Hackers often select zombie candidates to fool the intrusion detection system (IDS) and operate stealthily. While it’s more complex to achieve than a decoy scan, it’s also more convincing, as the defense will likely mistake the innocent zombie computer for the attacker.
There’s an extensive range of options and techniques you can use to achieve various goals, making the utility a pretty comprehensive tool, but it might be challenging to master.
Beginners can use graphical interfaces such as Zenmap to map networks visually and generate reports, but some cases require a more evolved approach.
Advanced users combine multiple commands into larger workflows; for that, the Python language and the python-nmap package can speed up operations.
How Do You Use Custom Nmap Scripts?
Developers can write Nmap scripts in the Lua programming language using the Nmap Scripting Engine (NSE) to perform network discovery, vulnerability detection (e.g., detecting a backdoor), and even specific exploits.
These scripts are .nse files containing descriptions for the end users and code instructions for the machines.
Contributors can attribute specific categories to their scripts. For example:
--
-- Categories
--
categories = {"safe", "vuln"}
Source: Nmap nse vulnerability scripts
Users can write and share scripts that automate and parallelize essential tasks, which can significantly ease the work of defenders and system admins, like ready-to-use recipes.
There are built-in Nmap scripts, and you can use logical operators such as:
nmap --script "not auth" 192.168.1.10
That loads all built-in scripts except those in the “auth” category.
Users can also execute custom files with:
nmap --script myscript.nse 192.168.1.10
You can even pass arguments to a script when necessary using the --script-args option.
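As an added illustration of the script layout described above (a constructed example, not the NCSC Exim script or any script shipped with Nmap), here is a minimal safe-category NSE script that reads an SMTP greeting and reports the MTA name and version it advertises; the script name, the banner patterns and the output keys are assumptions:

```lua
-- smtp-banner-software.nse (constructed example, not an official Nmap or NCSC script)
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local string    = require "string"

description = [[
Reads the SMTP greeting banner from a mail server and reports the software
name and version it advertises (for example "Exim 4.94.2"). The check only
opens a connection and reads the greeting, so it is non-intrusive. A banner
can be edited or hidden, so "unrecognised" is not proof that a given MTA is
absent (false negatives), and a forged banner can produce false positives.
]]

author = "example contributor"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- portrule: run only against ports that look like SMTP relay or submission services.
portrule = shortport.port_or_service({25, 587}, {"smtp", "submission"})

-- Banner patterns (assumed); the first capture is the version string.
local PATTERNS = {
  {name = "Exim",     pattern = "ESMTP Exim (%d[%d%.]*)"},
  {name = "Sendmail", pattern = "ESMTP Sendmail (%d[%d%.]*)"},
}

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)
  local ok, err = socket:connect(host, port)
  if not ok then return nil end
  -- The server sends its 220 greeting before the client says anything.
  local ok, banner = socket:receive_lines(1)
  socket:close()
  if not ok or not banner then return nil end

  -- output_table keeps key order, so the report reads consistently.
  local out = stdnse.output_table()
  out.banner = string.gsub(banner, "\r?\n$", "")
  out.software = "unrecognised"
  for _, p in ipairs(PATTERNS) do
    local version = string.match(banner, p.pattern)
    if version then
      out.software = p.name
      out.version = version
      break
    end
  end
  return out
end
```

Save the file as smtp-banner-software.nse and run it with nmap --script ./smtp-banner-software.nse -p 25,587 against a host you administer; the banner, software and version fields appear under the port in the normal Nmap output.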
Does Your System Detect Nmap Scans?
If you use SIEM tools, firewalls, and other defensive tools, you will likely receive alerts, or at least the system will log Nmap scans.
Defense capabilities should spot such reconnaissance activity, as hackers use it to find vulnerabilities to exploit. Network reconnaissance is usually the first step of an attack, and it can also support lateral movement that leads to privilege escalation.
Early detection can prevent damage before file upload and remote code execution, which makes vulnerability scans worth learning – and the UK’s Nmap script project laudable.
Exim MTA Vulnerabilities Targeted
The initial UK script is for Exim message transfer agent (MTA) remote code execution vulnerabilities (CVE-2020-28017 through CVE-2020-28026, also known as 21Nails).
The script contains information on:
- how it checks for the presence of the vulnerability
- why the check is not intrusive
- why there may be false positives and false negatives
The UK announcement notes that “Even if you don’t think you have an Exim MTA, it’s worth running the scan anyway, you might be surprised by what you find installed on your network!”
The script outputs easy-to-read results, including a description of the vulnerability and a link to the vendor security advisory. “Running this script often and following the linked vendor advice will help to keep your network secure,” the UK program states.