AltSci Concepts

Network Mapping
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Nov 11-13, 2005

NetMap2 0.2.2 Source [sig]
NetMap1 0.2.1 Source [sig]

DESCRIPTION

Netmap1 Neg9 Talk
Netmap2 Neg9 Talk
Netmap2 Neg9 Project
BitTorrent Attack

The Network Mapping project (also known as the Neg9 UW Network Project) plans to develop tools that report on the usage of public networks through active port scanning. The first tool set is known as Netmap1. It uses Nmap to discover the hosts that are up and then the open ports on those hosts. Netmap1 consists of two Python tools, parse_ping1.py and parse_port1.py, which are run by the script scan_full1.sh. The output of the script is a set of XML files and records in a MySQL database.

Since running a MySQL server on the same machine that is out scanning ports is an ironic security vulnerability (the scanning host is exposed to the networks it scans, and a network database server on it is one more service to attack), the two tools can run without reporting to MySQL. They then produce only XML files, which can be tarred, encrypted, and transported to a secure local network where the data is imported into the database.

REQUIREMENTS

Netmap1 requires Nmap, Python, MySQL for Python, Bash, and a MySQL server.

There is a bug in certain wireless drivers that results in a full kernel hang when Nmap is run in certain configurations used by Netmap1. This is a bug in the wireless driver, not in Nmap or Netmap1. Use at your own risk.

METHODS

Nmap is a very useful program for scanning networks, detecting computers, and finding open ports. But using Nmap on a public network with default options is foolish. First, it puts a lot of stress on the hosts being scanned. Second, it is easily detected and blocked by system administrators. Finally, it is slow when the number of targets is very large (on the order of 10,000 hosts). Netmap1 therefore scans only the ports that are useful for identifying computers.

The first command is nmap itself, which generates an XML file listing which hosts are up and which are down.

nmap -sP -oX ping1.xml --host_timeout 1000 $IP
Here $IP is the target address or range. This command can be run as a regular user or as root, and Nmap uses a different host-discovery method for each: as root it can send raw ICMP echo and TCP ACK probes, while as a user it falls back to TCP connect() attempts. Depending on how the scanning host is secured, running as root may be the better choice.

I recommend not using the --randomize_hosts option. Although it would be useful, it is broken in the current Nmap revision (3.93).

The second command is parse_ping2.py. It parses the output of the previous command and creates a shell file containing one port-scan command for each host that was found up.

python parse_ping2.py ping1.xml port1_
In scan_full1.sh, the output of this command is written to a file, which is then executed. The second argument (port1_) is the prefix used for the per-host output files.

Each line of the generated shell file looks like this (one line per host that was up):

nmap -sS -sV -O -P0 -T2 \
-p "21,22,23,25,37,53,80,113,135,139,443,445,\
1025,1433,3306,3389,5800,5900,6000,6881-6889" \
-oX port1_192.168.0.1.xml 192.168.0.1
The -sS option (SYN scan, also called a stealth or half-open scan) sends raw packets and therefore requires root. If you do not wish to run as root, modify the script to use -sT (TCP connect scan) instead; a connect scan completes the three-way handshake, so it is more likely to appear in the target's logs.

Passing an explicit port list with -p keeps the command as fast as possible: instead of Nmap's default list of well over a thousand ports, only the 28 ports listed above are probed. -P0 skips Nmap's own host discovery, since the ping scan already established that the host is up, and -T2 (polite timing) slows the probes down to reduce the load on the target.

The -sV and -O options are the core of Netmap2. Its job is to find out what operating system and what services are running: -sV finds service versions by banner grabbing (sending probes to each open port and matching the responses), and -O fingerprints the TCP/IP stack, using the details of the responses from open and closed ports (TCP options, window sizes, and similar header fields) to guess the operating system. -O works best with at least one open and one closed port to probe, and it also requires root.

The last command prints the ports found in the XML, in case you missed them, and, if you are using MySQL, inserts them into the database.

python parse_port2.py port1_192.168.0.1.xml
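As an added example, not the project's parse_ping*/parse_port* scripts, here is the shape of both parsing steps using only Python's standard library: read the -sP XML, collect the hosts reported up, emit one port-scan command per host (the same command shown above, with the -sT fallback), then pull the open ports, banner-grabbed versions and the OS match out of a per-host result file. The two XML documents are constructed by hand to resemble Nmap's -oX output, and the function and constant names (PORT_SPEC, live_hosts, scan_commands, scan_script, parse_ports) are this example's own.

```python
"""Added example: the two Netmap parsing steps done with the Python standard library.
This is not the project's parse_ping*/parse_port* code; the two XML documents below
are constructed by hand to resemble Nmap's -oX output, and PORT_SPEC, live_hosts,
scan_commands, scan_script and parse_ports are names chosen for this example."""
import xml.etree.ElementTree as ET

# The port list from the page's generated command, kept as one string so it can
# be passed to -p unchanged.
PORT_SPEC = ("21,22,23,25,37,53,80,113,135,139,443,445,"
             "1025,1433,3306,3389,5800,5900,6000,6881-6889")

# Constructed stand-in for ping1.xml (nmap -sP -oX): one host down, two up.
PING_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sP -oX ping1.xml 192.168.0.0/30">
<host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/></host>
<host><status state="down"/><address addr="192.168.0.2" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.168.0.3" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/></host>
</nmaprun>"""

# Constructed stand-in for port1_192.168.0.1.xml (nmap -sS -sV -O -oX).
PORT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -P0 -T2 -oX port1_192.168.0.1.xml 192.168.0.1">
<host><status state="up"/><address addr="192.168.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="3.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="1.3.33" method="probed" conf="10"/></port>
<port protocol="tcp" portid="139"><state state="filtered"/></port>
</ports>
<os><osmatch name="Linux 2.4.X" accuracy="95"/></os>
</host>
</nmaprun>"""


def live_hosts(ping_xml):
    """IPv4 addresses of every host the ping scan reported as up, in file order."""
    up = []
    for host in ET.fromstring(ping_xml).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                up.append(addr.get("addr"))
    return up


def scan_commands(ping_xml, prefix="port1_", syn=True):
    """One port/version/OS scan command per live host, shaped like the page's command.
    syn=False swaps -sS for -sT so the port scan itself can run unprivileged; -O
    still needs root, so drop it as well if you really cannot run as root."""
    scan_type = "-sS" if syn else "-sT"
    return ['nmap %s -sV -O -P0 -T2 -p "%s" -oX %s%s.xml %s'
            % (scan_type, PORT_SPEC, prefix, ip, ip)
            for ip in live_hosts(ping_xml)]


def scan_script(ping_xml, **kw):
    """Text of the shell file that the wrapper script writes out and then executes."""
    return "#!/bin/bash\n" + "\n".join(scan_commands(ping_xml, **kw)) + "\n"


def parse_ports(port_xml):
    """Open ports (with the banner-grabbed product/version) and the best OS match
    for the single host in a per-host result file: the records worth storing."""
    host = ET.fromstring(port_xml).find("host")
    ip = next(a.get("addr") for a in host.findall("address")
              if a.get("addrtype") == "ipv4")
    ports = []
    for p in host.findall("ports/port"):
        if p.find("state").get("state") != "open":
            continue  # closed/filtered ports matter to -O, not to the inventory
        svc = p.find("service")
        ports.append({
            "port": int(p.get("portid")),
            "proto": p.get("protocol"),
            "service": svc.get("name") if svc is not None else None,
            "product": svc.get("product") if svc is not None else None,
            "version": svc.get("version") if svc is not None else None,
        })
    match = host.find("os/osmatch")  # absent when -O could not fingerprint the host
    return {
        "ip": ip,
        "ports": ports,
        "os": match.get("name") if match is not None else None,
        "os_accuracy": int(match.get("accuracy")) if match is not None else None,
    }


if __name__ == "__main__":
    print(scan_script(PING_XML), end="")
    for rec in parse_ports(PORT_XML)["ports"]:
        print(rec)
```

Running the block prints the generated shell file for the sample ping scan and the open-port records for the sample host. The OS match is read defensively because -O emits no osmatch when it has too little to work with (for example when it finds no closed port), and that absence is worth recording rather than crashing on.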
A sample network map database created with Netmap1 can be found here: Netmap1

USAGE

Edit scan_full1.sh to set the target range, then run it.
More detailed information coming soon.