The Swiss Army Knife of Hackers: Nmap & its Consequences
Nowadays it seems that hackers are always on our minds: we see them in the movies hacking the Pentagon in less than 15 minutes, we see them on the news when they have bypassed the security mechanisms of an important company and walked away with its most confidential data, and we see them almost even in our dreams.
When I think of how widespread hackers are in our culture today, it always reminds me of this cartoon:
Reality is not always as beautiful and extraordinary as fiction.
But, while the security awareness part is extremely important from an end-user point of view (for example, never tell anyone a password you use to access your bank account on the internet), we also need to understand what kind of tools hackers are working with.
To put it in a real-world context, seeing a thief with a knife in his hand is not the same as seeing the same thief with a spoon: the tools that hackers use to attack our companies matter a lot. By understanding which tools are leveraged and how they are used, we can better understand how to protect our company, both strategically and technically.
Nmap is a tool that hackers (whether ethical or not) use to recognize what services or programs we have available on our PCs and servers. That is, it is literally a piece of software that is dedicated to knocking on the door of our devices to see who answers. Sometimes several can answer at the same time or sometimes no one will answer at all.
It is precisely these door-knocking responses that give Nmap its great value. Nmap ships with a database of “signatures”, the characteristic ways of answering that each program or service has, so when Nmap knocks on one of the doors (or ports, as they are really called) it analyzes the response and can tell not only whether there is someone “listening” at that door but also who is behind the answer.
In fact, this recognition phase for a server or device always follows the same steps:
- Nmap finds an open port
- Nmap sends information to the port (as in the diagram, “Hello?”).
- The port, if there really is someone behind it, will answer in a certain way (“Oui?”, “Yes?”).
- Nmap compares this answer with all the answers it has stored in its databases. If it finds this answer, it will automatically know which service or program generated it.
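As an added example (not part of the original post, and not Nmap's own code or database), here is a small Python sketch of steps 3 and 4: a constructed signature table is matched against constructed answers, including the two cases that leave the scanner empty-handed, an answer without a version and no answer at all.

```python
import re

# Constructed, simplified signature table in the spirit of Nmap's nmap-service-probes
# file; the regexes are illustrative, not Nmap's. Each entry is (pattern over the
# answer, service, product); a capturing group, when present, holds the version.
SIGNATURES = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(\S+)"), "ssh", "OpenSSH"),
    (re.compile(r"^220 .*Postfix"), "smtp", "Postfix"),
    (re.compile(r"^HTTP/1\.[01] \d{3} .*\r\nServer: Apache/(\S+)", re.S), "http", "Apache httpd"),
    (re.compile(r"^HTTP/1\.[01] \d{3} .*\r\nServer: Apache\b(?!/)", re.S), "http", "Apache httpd"),
]

def identify(answer: bytes) -> dict:
    """Steps 3 and 4 above: compare one door's answer with the stored answers.
    An empty answer (nobody spoke) or an unrecognised one yields 'unknown',
    which is all the scanner learns in that case."""
    text = answer.decode("latin-1")
    for pattern, service, product in SIGNATURES:
        match = pattern.search(text)
        if match:
            version = match.group(1) if pattern.groups else None
            return {"service": service, "product": product, "version": version}
    return {"service": "unknown", "product": None, "version": None}

def fingerprint_host(answers: dict) -> dict:
    """Run identify() over every open port's recorded answer."""
    return {port: identify(answer) for port, answer in answers.items()}

def ports_leaking_version(results: dict) -> list:
    """Ports whose answer exposed an exact version: the ones to check against
    the vendor's latest release first."""
    return sorted(p for p, r in results.items() if r["version"] is not None)

# Constructed sample answers, one per open port, as a scanner might record them.
SAMPLE_ANSWERS = {
    22: b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    25: b"220 mail.example.test ESMTP Postfix\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    8080: b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n",  # version hidden
    9000: b"",  # door open, but the service waits for a known client to speak first
}

if __name__ == "__main__":
    results = fingerprint_host(SAMPLE_ANSWERS)
    for port, r in sorted(results.items()):
        print(f"{port:>5}/tcp  {r['service']:<8} {r['product'] or '-'} {r['version'] or ''}")
    print("versions exposed on ports:", ports_leaking_version(results))
```

Only ports 22 and 80 hand over an exact version here; port 8080 reveals the product but nothing to search a version against, and port 9000 reveals nothing at all.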
This is all well and good and, if we have understood it, we can see how useful Nmap really is. But, if I were in your place, I would be asking myself right now: “That’s great, that’s very nice, but how is Nmap really going to affect how I operate on a day-to-day basis?” Wait, relax, we’ll get to that in a moment.
The real value of Nmap
Well, before we get into the core of the matter, I want you to visit this page https://www.exploit-db.com/. Don’t read beyond this point, go to the page and just try to browse it for a couple of minutes. Do you know what this website is about, what it does?
ExploitDB is one of the best-known sites in the hacker world (if we don’t take into account the black market sites where security flaws are actually sold between criminal hackers) for being a compendium of all the published exploits, or ways to hack, that exist for each of the services/programs that can be installed on a server. As a sample of ExploitDB’s potential, let’s do a small search on a well-known web server “brand”: Apache.
We see that just by searching Apache, it returns 18 pages of “hacks” that we could try against this program. However, although that seems like a lot of results, not all of the hacks will work 100% (some are not verified to work) and not all hacks apply to all versions of the program.
Still, as a hacker, we can see that with only four clicks and a search, we could find a feasible way to hack our target’s server. It is at this point where Nmap makes the most sense: if a hacker can use Nmap to recognize which service or program is listening behind each of the doors of our server or PC (remember, doors mean ports here), he will be able to do a quick search and see how he can infiltrate and steal all our information.
We can see that, although Nmap itself is not an attack tool, it is a reconnaissance tool that makes the work of a hacker much easier. Now that it is clear that it can become a threat, what can we do to defend ourselves from its use?
The best defense is always a good prevention
Here comes the true and harsh reality: there is not much we can do to stop a hacker from using a tool like Nmap, since it takes advantage of the fact that programs need to have those doors open to connect to the Internet. If we were to close those doors, programs would not be able to reach the Internet, which is unthinkable nowadays.
Although we can’t do much to avoid any exposure to Nmap, we can follow some guidelines to make sure that the use of Nmap has a minimal impact on us and our servers:
- If you don’t use it, throw it away: This principle applies to both real and virtual life. If you don’t use something, why do you want it installed on your device? In the case of servers or PCs, if you have installed a program that you don’t use or that is no longer useful, uninstall it. This will reduce the number of open doors to the Internet, making the work of a potential hacker much more difficult.
- You must know who is calling: It is not always necessary for a program to answer. Let’s imagine that in your company you have developed a piece of custom-made software that, although it needs an Internet connection, speaks its own language and protocol. In this case, you could engineer ways to ensure that only certain “clients” that knock on the door are answered. That way, programs like Nmap could interpret that there is no one at that door (port) and move on to the next one.
- The most important thing in fashion is to be up to date: All the exploits or hacks that we have seen in ExploitDB target either current versions or old versions of the programs. What is clear is this: the older a version of a program is, the more time the hacker community has had to discover its inherent bugs and publish an exploit on ExploitDB. Therefore, whenever there is an update for the programs or services installed on our servers/PCs, it is best that we apply it. If we follow this pattern continuously, whenever the manufacturer of the program releases a new security patch that fixes a problem, we will have it installed as soon as possible and thus get the best protection.
This has been a quick summary of the capabilities that Nmap has to be able to recognize our servers, but what do you think? Do you have any doubts, or do you disagree with something? Write in the comments everything you think so we can all contribute!
Have a nice day!
Originally published at https://cyberforged.com/swiss-army-nmap/