Vulnerability announcements are a daily occurrence in the security world. Servers, applications, routers, switches, desktop computers, any other network connected device has the potential to be exploited. When problems are identified with a device or application, announcements are usually made through security mailing lists and manufacturer web pages.
When the public vulnerability announcement is made, the problem has been identified, testing has been completed, and the manufacturer has created a patch for the problematic operating system, application, or driver. If the vulnerability affects many systems or the problem has dramatic security repercussions, it's important to patch the affected systems as quickly as possible.
When an application must be upgraded, the scope of the upgrade may not be readily apparent. The security team may know of most systems using the vulnerable software, but there may be other systems on the network of which the security team is unaware. This was a common problem in January of 2003 when the SQL Slammer worm attacked Microsoft SQL Server systems. Although many network teams had patched all known SQL Server systems, many organizations had non-production SQL Server systems that were not known. These unknown and unpatched systems were quickly infected and the vast flood of network traffic created by the SQL Slammer worm creative massive network disruptions.
The nmap scan can locate application services that are using known port numbers, and nmap's version scan can provide more information about the application service. Nmap's customized application fingerprints can even provide the application version number, in some cases.
Vulnerability Assessment Details
- Nmap ping type: If ICMP is not filtered, an effective nmap ping is the ICMP echo request ping (-PE). The nmap ping requirements are important, since the entire network will be scanned.
- Nmap scan type: In many cases, a limited number of ports would be scanned. If Microsoft SQL Server was the concern, then UDP port 1434 would be scanned. Since nmap only has a single UDP scan (-sU), the scanning option in this example is limited to this single scan type. If the destination port was TCP-based, many different scan types could be selected based on speed and accuracy.
- IP Addresses: The IP addresses will usually be a range of addresses that covers the entire network. Nmap's wildcards and naming conventions can be used to specify subnets and address ranges. In most cases, these IP addresses will be saved in a file that can be included with the –iL option.
- Port Ranges: Microsoft SQL Server's monitor access is through UDP port 1434. In this example, this UDP port is the only port that needs to be scanned. Specifying the ports with a U: or T: specification is unnecessary, but it can often be helpful for clarification.
- Reverse DNS: In an organization with many hosts, a reverse DNS may assist by identifying a remote device by name. This name resolution process will add delays to the scan, but the identification of the host name may outweigh the time delay associated with the DNS lookups.
- Version Detection: The version detection option (-sV) is the key to this scan. In many cases (such as this one), nmap can provide version information based on the included version signatures.
This SQL Server scan would be based on this nmap command line (disregard the line break):
# nmap -vv -PE -sU –iL input.lst –-excludefile banned.lst -p U:1434 -n -oA sql_svr -sVThe nmap output shows the identification of the Microsoft SQL Server monitor port and detailed version information:
Interesting ports on 192.168.0.3: PORT STATE SERVICE VERSION 1434/udp open ms-sql-m Microsoft SQL Server 8.00.194 (ServerName: DT; TCPPort: 1433) MAC Address: 00:30:48:27:2C:2A (Supermicro Computer)The version scan provides the SQL Server version number, the server name, and the TCP port used by inbound remote connections to the SQL Server application. Notice that this is a different port than the one used in the nmap scan.
With this information, the network administrators can clearly identify all Microsoft SQL Server processes, the IP addresses for all SQL Server devices, and the version number information.