How does Cyberscope use Nmap for vulnerability scanning?

Why Nmap is essential for security professionals and hackers

Nmap (Network Mapper) is a network scanner that reveals technical details about a network and the devices connected to that network. It gathers these details by sending out probes on the network and analyzing the responses. Example probes are ICMP echo requests, ARP requests, and TCP SYN pings.

Nmap can discover technical details about devices connected to the network, including active IP addresses, MAC addresses, hostnames, host operating systems, open and closed TCP/UDP ports, and the services running on a host. Filtering through this information can identify vulnerabilities, such as unknown devices, open ports, and unprotected hosts. Finding network vulnerabilities makes Nmap invaluable for security professionals looking to protect the enterprise network and hackers wanting to exploit weaknesses in a network.

CyberScope includes a full version of the open-source Nmap tool. This blog discusses how CyberScope leverages Nmap to conduct and simplify vulnerability site assessments.

Why is it necessary to search for specific vulnerabilities

Nmap is a command-line tool with numerous scan scripts and hundreds of configuration options. For example, the command nmap 192.168.0.1 scans a host at the specified IP address to discover services and open ports. Adding a flag to this command, nmap sA 192.168.0.1, shows if this host has an active firewall.

cyberscope main screen
Figure 1: The CyberScope main screen provides access to Nmap and AutoTest applications.

Although Nmap provides a plethora of information about the network, it does not highlight values and settings that may be a security concern. Conducting vulnerability scans with Nmap requires knowledge of the specific weakness being sought. For example, scan for web servers with HTTP port 80 open or supporting TLS versions 1.1 or earlier.

Once a weakness is known, a script can be developed[i] to execute the appropriate scan type and highlight the relevant data. Scripts are created using the Nmap Scripting Engine (NSE), which is an integral part of Nmap.

CyberScope allows you to import third-party scripts or custom scripts through Link-Live. For example, the Nmap organization provides over six hundred scripts, most of which are security-related; see https://nmap.org/nsedoc/scripts. Nmap scripts can also be downloaded from publicly available repositories like GitHub.

Why Nmap vulnerability scripts should be automated

There are three ways to run a vulnerability script on CyberScope. The script can run on-demand using the Nmap application or automatically using the AutoTest application. Figure 1 shows how Nmap and AutoTest can be accessed on CyberScope.

Although automating tasks has many well-known benefits, including improved efficiency, reduced risks of errors, and operational compliance, the inimitable reason for automating vulnerability scans on CyberScope is scalability. Automation allows individuals in central and remote branch locations to effectively conduct site security assessments without needing them to be trained in network and security concepts and technologies.

How CyberScope AutoTest automates Nmap test scripts

The CyberScope AutoTest application defines profiles, where a profile is a suite of tests. CyberScope provides two default profiles:

  • The wired profile executes tests via Ethernet and can be configured to focus on specific network attributes, such as VLAN IDs, MAC IDs, and 802.1X-carried EAP types.
  • The wireless profile executes tests on Wi-Fi networks and can be configured to focus on specific Wi-Fi network attributes, such as SSIDs or Wi-Fi authentication types2.

CyberScope users can modify the default profiles or create new profiles by adding Nmap scripts as tests. Figure 2 shows how tests can be easily added to a profile by selecting the checkbox.  

Figure 2: Illustrates how “Graded Ports scanme.org” and “scanme.nmap” tests are added to a profile.

CyberScope AutoTest profiles can be run manually using a start and stop button or automatically when CyberScope is connected to an Ethernet or Wi-Fi network.

How CyberScope uses Nmap to make endpoint discovery actionable

The CyberScope Discovery application uses active and passive scanning to find devices on wireless and wired networks3. Passive RF scanning of the wireless networks starts when CyberScope is powered on. Active scanning, using network probes and queries, begins when the wired or wireless interfaces are connected.

Based on this scanning, CyberScope lists the connected devices and associated attributes, such as the device name and MAC address. It also classifies the type of connected device. This device list can be sorted and filtered based on a device’s attributes and classification.

In addition, the Discovery application uses Nmap test scripts to identify network conditions that may indicate potential problems. Problems are grouped into three categories: network, Wi-Fi, and security. Examples of security problems are unknown, unauthorized, or unspecified devices. These devices are flagged for further investigation to ensure they do not represent a security vulnerability.

CyberScope can upload all Nmap vulnerability scan results to NetAlly’s Live-Live cloud platform for further analysis and reporting.

What you should do next

Nmap test scripts are a powerful tool for identifying network vulnerabilities. If you are a network or security professional, you should have a rudimentary knowledge of Nmap. Recommend next steps are:

  • Define the objectives and scope for conducting vulnerability scans in your organization.
  • Build a list of known vulnerabilities applicable to your organization’s network.
  • Identify the Nmap test scripts that check for these known vulnerabilities or whether a customized Nmap script is needed.
  • Ensure that these Nmap test scripts are from a reputable source, describe how the script checks for vulnerabilities, and indicate the likelihood of false positives.
  • Assess the Nmap test scripts’ impact on network performance and whether running the script introduces security concerns.
  • Define when and how often you will run the Nmap vulnerability scripts. For example, running scripts outside of regular business hours to minimize the impact on business-critical systems or at discrete intervals to prevent IDS/IPS from detecting the scans. 
  • Decide whether the Nmap vulnerability scan should be run on-demand using the CyberScope Nmap application, automatically using the CyberScope AutoTest application, or as part of finding devices on the network using the CyberScope Discovery application.

[1] See https://cyberscope.netally.com/building-custom-nse-discovery-scripts/ for how to build custom NSE scripts.
[2] See https://cyberscope.netally.com/blog/wireless-security-types/ for a list of Wi-Fi authentication types.
[3] See https://cyberscope.netally.com/blog/active-vs-passive-vulnerability-scanning/ for a description of active and passive scanning

Author Bio –
Author and public speaker

Dr. Avril Salter is an author and acclaimed public speaker with over 20 years of in-depth technical and executive experience working in wireless and network security. She holds senior business and technical architect positions with a history of success in setting direction in major corporations and start-ups. She has an exceptional breadth of technical expertise in wireless standards and network security protocols and is a strategic thinker with a solid understanding of the IT and telecommunications industries.

More Posts