Overview
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Nmap Product Configurations
The following are the most popular Nmap configurations provided by ZeroNorth:
- nmap-dos (--script dos -Pn) - runs the Nmap Scripting Engine (NSE) scripts in the dos category, which may cause a denial of service. Sometimes this is done to test vulnerability to a denial-of-service method. More commonly, however, it is an undesired but necessary side effect of testing for a traditional vulnerability. These tests sometimes crash vulnerable services.
- nmap-host-port-discovery (--top-ports 25) - examines the 25 most commonly used ports on a host and reports their status. Note that this configuration will always produce 25 issues, each issue indicating whether the port is open or not.
- nmap-host-discovery (-sP) - this scan will search for hosts on a subnet.
- nmap-ssl-discovery (--script ssl-enum-ciphers -p 443) - repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it. The end result is a list of all the ciphersuites and compressors that a server accepts.
- nmap-exploit (--script exploit) - runs the Nmap Scripting Engine (NSE) scripts in the exploit category, which aim to actively exploit some vulnerability. Examples include jdwp-exec and http-shellshock.
- nmap-vuln (--script vuln) - runs the Nmap Scripting Engine (NSE) scripts in the vuln category, which check for specific known vulnerabilities and generally only report results if they are found. Examples include realvnc-auth-bypass and afp-path-vuln.
- nmap-smb-security-mode (-Pn -sV --script smb-security-mode.nse -p445) - Returns information about the SMB security level determined by SMB.
- nmap-unusual-port (-Pn -sV --script unusual-port) - this will scan for all open ports on a host or subnet.
Activating an Nmap Scenario
To use Nmap via ZeroNorth, you must first “activate” an Nmap Scenario. As an open-source tool, the use of Nmap via the ZeroNorth platform has no added cost, and requires no special server installation.
To activate an Nmap Scenario:
- Sign in to the ZeroNorth web UI at https://fabric.zeronorth.io.
- Go to zn ADM > Scenarios.
- Locate the Product “Nmap”.
- Click on the +Add Scenario button at the bottom right of the Product.
- Enter a Name. The best practice is to indicate the scenario configuration in the Name.
- In the subsequent Scenario details panel, select the desired Scenario Configuration (e.g. one of those described above).
- Click Save.
The Nmap Scenario is now ready for use in a Policy.
Using Custom Templates
ZeroNorth’s Nmap integration offers additional flexibility by allowing customers to create custom templates for use in their Nmap Scenarios. Once created, these templates are available to all Nmap Scenarios within the customer account.
The following customizations are possible:
- Any Nmap command-line flag (e.g. -sP, -Pn, etc.).
- Use of any of the Nmap .nse scripts that Nmap ships with. There are over 500 available scripts. To use this feature, create a Template like this: