Nmap/Short Course/Lecture 9
From charlesreid1
Summary and Objective
This lecture kicks off Module 3, shifting the focus to how Nmap is used by Blue Teams for defensive purposes.
Objective: To teach students how to use Nmap for comprehensive network inventory, establish asset baselines, and track network changes using Ndiff, all from a defensive (Blue Team) perspective.
Notes
Recap & Introduction to Nmap for Blue Team Operations
Quick Recap of Module 2
In Module 2, we explored Nmap from an offensive, Red Team perspective. We covered advanced reconnaissance with NSE (Lectures 5 & 7), dived into vulnerability scanning using vuln scripts (Lecture 6), and conceptually discussed how Nmap supports later penetration testing phases like internal reconnaissance and pivoting (Lecture 8). This involved understanding how an attacker might map out and identify weaknesses in a network.
Shift in Perspective: Nmap for the Blue Team
Now, we pivot our thinking to the Blue Team – the defenders. How can Nmap, often perceived as an attacker's tool, be leveraged to protect and secure a network? Blue Teams use Nmap proactively for a variety of defensive tasks, including understanding their own network, identifying unauthorized changes, ensuring policy compliance, and verifying security controls. It's about knowing your own terrain better than any potential adversary.
Network Inventory and Asset Management: Foundational Security
Effective cybersecurity starts with knowing what you need to protect. Network inventory is the process of discovering and cataloging all devices connected to your network. Asset management expands on this by maintaining detailed information about these assets, including their configurations, software, ownership, and criticality. Without a comprehensive inventory and asset management program, it's impossible to:
- Identify and patch all vulnerable systems.
- Detect unauthorized or rogue devices.
- Ensure compliance with security policies.
- Respond effectively to security incidents.
You can't protect what you don't know you have.
Nmap's Role for Defenders
Nmap is an excellent tool for defenders to build and maintain this network inventory. It can discover live hosts, identify their operating systems, and enumerate the services and versions running on them. This information is crucial for creating an accurate picture of the network, which forms the basis for many defensive strategies. For a Blue Teamer, Nmap is a tool for visibility and verification.
Comprehensive Network Discovery with Nmap
The first step in building an inventory is to discover all connected assets.
Goal: Find All Connected Devices
The primary goal of using Nmap for inventory is to find every device connected to the network – authorized servers, desktops, laptops, printers, IoT devices, and, importantly, any unauthorized or rogue devices. A complete picture is essential. This often involves scanning all allocated IP address spaces within the organization.
Combining Host Discovery Techniques
To be thorough, Blue Teams should leverage Nmap's diverse host discovery capabilities:
Ping Scan (-sn): This is a good starting point for quickly identifying responsive hosts across large address spaces without performing port scans.
sudo nmap -sn 192.168.1.0/24 -oA initial_sweep_subnet1
ARP Scan (-PR): For local subnets (where the Nmap scanner resides), an ARP scan is the most reliable way to discover all connected devices, even those that might block ICMP or TCP/UDP pings. Nmap often uses this automatically with -sn when run as root on a local segment.
# Usually implicit with -sn as root on local net, but can be specified
sudo nmap -PR 192.168.1.0/24
Scanning for Common Ports: Even if a host doesn't respond to ping probes, it might still be alive if it has services listening. A light scan for common TCP ports (e.g., top 100 with -F or a custom list) can uncover these less responsive hosts.
sudo nmap -T4 -F --open 192.168.1.0/24 # Find hosts with top 100 ports open
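To see why the three sweeps are combined, here is an added Python example (not part of the lecture) that merges the greppable (-oG) output of a ping sweep, an ARP sweep, and a common-port sweep into one host list and flags the hosts only the port sweep found. The -oG excerpts are constructed for the example, not captured scans.

```python
import re
from collections import defaultdict

# Constructed -oG (greppable) excerpts standing in for the three sweeps above.
# .23 drops ICMP (only ARP sees it); .77 answers only on a listening port.
SWEEPS = {
    "ping (-sn)": """# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.10 ()\tStatus: Up
# Nmap done -- 256 IP addresses (2 hosts up) scanned""",
    "arp (-PR)": """Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.23 ()\tStatus: Up""",
    "ports (-F --open)": """Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (99)
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (99)""",
}

HOST_UP = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Status: Up")

def live_hosts(gnmap_text):
    """Return {ip: hostname} for every host reported Up in greppable output."""
    hosts = {}
    for line in gnmap_text.splitlines():
        m = HOST_UP.match(line)
        if m:
            hosts[m.group(1)] = m.group(2)
    return hosts

def merge_sweeps(sweeps):
    """Union the sweeps and record which technique(s) saw each host."""
    seen_by = defaultdict(set)
    for technique, text in sweeps.items():
        for ip in live_hosts(text):
            seen_by[ip].add(technique)
    return dict(seen_by)

def quiet_hosts(merged):
    """Hosts only the port sweep found: a -sn-only inventory would miss them."""
    return sorted(ip for ip, techs in merged.items() if techs == {"ports (-F --open)"})

if __name__ == "__main__":
    merged = merge_sweeps(SWEEPS)
    for ip in sorted(merged, key=lambda a: tuple(map(int, a.split(".")))):
        print(f"{ip:15} seen by: {', '.join(sorted(merged[ip]))}")
    print("Quiet hosts (port sweep only):", quiet_hosts(merged))
```

The same functions work on the .gnmap files written by -oA, so each sweep's file can be read and passed in place of the embedded strings.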
Gathering Detailed Asset Information
Once live hosts are identified, gather more details:
OS Detection (-O): Knowing the operating system is crucial for understanding patch levels and potential vulnerabilities.
Service and Version Detection (-sV): This identifies what software is running on open ports and its version number. This is vital for tracking vulnerable software versions. A comprehensive inventory scan might look like this:
# Comprehensive scan for a subnet: host discovery, TCP SYN scan for top ports,
# OS detection, Service/Version detection, default NSE scripts, aggressive timing,
# and output to all formats.
sudo nmap -sS -sV -O -sC -T4 -oA full_inventory_subnet1 192.168.1.0/24
This command attempts to get a rich set of information for each live host. Blue Teams would run such scans across all their network segments.
Tracking Network Changes with Ndiff
A network is not static; devices are added, removed, and reconfigured. Tracking these changes is vital for security.
The Importance of Periodic Scanning and Change Detection
A one-time network inventory quickly becomes outdated. New devices might be connected (sometimes without authorization), services might be enabled or disabled, software versions change due to updates (or lack thereof), and hosts might be decommissioned. Periodic Nmap scans, followed by a comparison to previous scans, allow defenders to detect these changes and investigate any unexpected or unauthorized activity. This forms a core part of continuous monitoring.
Establishing a Baseline with Nmap XML Output (-oX)
The first step in tracking changes is to establish a baseline. This involves performing a thorough, comprehensive Nmap scan of your network (like the one described in the previous section) and saving the results in XML format (-oX). XML is the ideal format because it's machine-readable and Ndiff is specifically designed to work with it.
# Initial baseline scan for a critical server segment
sudo nmap -sS -sV -O -T4 -oX baseline_servers.xml 10.0.10.0/24
This baseline_servers.xml file now represents the known state of that network segment at a specific point in time.
Using Ndiff to Compare Scans
After a period (e.g., daily or weekly), you run an identical Nmap scan and save its XML output under a new name. Then, you use the Ndiff utility to compare the new scan with your baseline (or the previous scan).
# Subsequent scan
sudo nmap -sS -sV -O -T4 -oX current_servers.xml 10.0.10.0/24
# Compare the current scan to the baseline
ndiff baseline_servers.xml current_servers.xml > server_changes.txt
Interpreting Ndiff Output
Ndiff's output clearly highlights the differences between the two scans:
- New hosts: Hosts present in the second scan but not the first.
- Down hosts: Hosts present in the first scan but not the second.
- Port state changes: Ports that opened, closed, or changed from filtered to open, etc.
- Service/Version changes: Services that changed (e.g., Apache to Nginx) or updated their version numbers.
- OS changes: If the detected operating system changed.
[Instructor: Prepare two slightly different Nmap XML files (scan1.xml, scan2.xml) where scan2.xml has one new host, one host with a new open port, and one host where a service version changed. Run 'ndiff scan1.xml scan2.xml' and show the output.]
-10.0.10.5:
- Host is up
- Ports:
- 80/tcp open http Apache httpd 2.4.29
+10.0.10.5:
+ Host is up
+ Ports:
+ 80/tcp open http Apache httpd 2.4.54 <-- Version Change
+ 443/tcp open ssl/http Apache httpd 2.4.54 <-- New Open Port
+10.0.10.17: <-- New Host
+ Host is up
+ Ports:
+ 22/tcp open ssh OpenSSH 8.1
This output would immediately alert an administrator to investigate why host 10.0.10.17 appeared, why port 443 opened on 10.0.10.5, and to confirm the Apache version update. Regular use of Nmap and Ndiff helps maintain an up-to-date understanding of the network.
Using Nmap for Asset Baselining and Anomaly Detection
Beyond just listing assets, Nmap helps create detailed baselines for identifying unusual behavior.
What is Asset Baselining?
Asset baselining is the process of creating a detailed, documented snapshot of the known-good configuration and status of all critical assets on your network. This baseline includes information such as IP addresses, MAC addresses, operating systems, open ports, running services, software versions, and even typical network behavior if possible. For Nmap, the rich XML output from a comprehensive scan (-sV -O -sC) serves as an excellent foundation for this baseline data.
Nmap Output for Rich Baselines
The information Nmap gathers is highly valuable for baselining:
- IP and MAC Address: Uniquely identifies devices.
- Operating System: Helps track OS diversity and patch levels.
- Open Ports & Services: Defines the expected listening services on each host.
- Service Versions: Critical for vulnerability management; the baseline records the "approved" or known versions.
- NSE Script Output (-sC): Can provide further configuration details (e.g., http-title, smb-os-discovery information) that contribute to the baseline.
This data, once collected, should be securely stored and managed, often within a dedicated asset management database or even a version control system for tracking changes to the baseline itself over time.
Identifying Anomalies Against the Baseline
Once a baseline is established, Nmap (often via Ndiff or by scripting against Nmap's XML output) can be used to detect anomalies – deviations from this known-good state. Examples include:
- New Unexpected Services: A known web server suddenly showing an open FTP port (TCP/21) would be an anomaly against a baseline where only TCP/80 and TCP/443 were expected.
- Unauthorized OS Types: Discovering a Windows XP machine (via nmap -O) on a network segment that should only contain Linux servers.
- Unexpected Service Banners/Versions: A critical service suddenly reporting a much older, vulnerable version number.
- Rogue Devices: Any new host appearing in a scan that isn't documented in the asset inventory or authorized is a significant anomaly.
These anomalies require investigation as they could indicate misconfigurations, policy violations, or even a security compromise.
Integration with Other Security Tools (Conceptual)
While Nmap and Ndiff are powerful on their own, their true value for asset management and anomaly detection in larger environments is often realized when integrated with other systems. The XML output from Nmap can be parsed and ingested into:
- Asset Management Databases: To automatically update asset information.
- SIEM (Security Information and Event Management) Systems: To correlate Nmap findings with other security events and generate alerts for anomalies.
- Configuration Management Databases (CMDBs): To verify that deployed configurations match documented standards.
Scripting (e.g., Python with an XML parser) can automate the process of running Nmap scans, parsing the output, and feeding it into these larger systems.
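As an added example (not from the lecture) tying together the Ndiff comparison above and the scripted integration described here: parse two Nmap XML scans with Python's standard library and emit one JSON event per deviation from the baseline, the form a SIEM or asset database would ingest. The XML excerpts are constructed to mirror the earlier Ndiff example, with an extra baseline host (10.0.10.9) that is absent from the current scan.

```python
import json
import xml.etree.ElementTree as ET

# Constructed Nmap XML excerpts (not real scan files), mirroring the Ndiff example.
BASELINE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.10.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.10.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.1"/></port>
</ports></host>
</nmaprun>"""
CURRENT_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.10.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.54"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="ssl/http" product="Apache httpd" version="2.4.54"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.10.17" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.1"/></port>
</ports></host>
</nmaprun>"""

def parse_scan(xml_text):
    """Map each up host to {"proto/port": "product version"} for its open ports."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        services = {}
        for port in host.iter("port"):
            svc = port.find("service")
            if port.find("state").get("state") == "open" and svc is not None:
                banner = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
                services[f"{port.get('protocol')}/{port.get('portid')}"] = banner
        inventory[host.find("address[@addrtype='ipv4']").get("addr")] = services
    return inventory

def compare(baseline, current):
    """Return SIEM-style events, one dict per deviation from the baseline."""
    events = [{"event": "host_down", "host": ip} for ip in sorted(set(baseline) - set(current))]
    events += [{"event": "new_host", "host": ip, "ports": current[ip]} for ip in sorted(set(current) - set(baseline))]
    for ip in sorted(set(baseline) & set(current)):
        old, new = baseline[ip], current[ip]
        events += [{"event": "new_open_port", "host": ip, "port": p, "service": new[p]} for p in sorted(set(new) - set(old))]
        events += [{"event": "port_closed", "host": ip, "port": p} for p in sorted(set(old) - set(new))]
        events += [{"event": "version_change", "host": ip, "port": p, "old": old[p], "new": new[p]}
                   for p in sorted(set(old) & set(new)) if old[p] != new[p]]
    return events

if __name__ == "__main__":
    print(json.dumps(compare(parse_scan(BASELINE_XML), parse_scan(CURRENT_XML)), indent=1))
```

Replacing the embedded strings with the contents of baseline_servers.xml and current_servers.xml reproduces the Ndiff workflow above, but with output a SIEM can alert on directly.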
Lab
The lab for this lecture will focus on performing inventory scans and using Ndiff to compare results.
Conduct a thorough network audit of the Corporate Network (Scenario 1), documenting all findings. Compare current scans with (simulated or earlier) baseline scans using Ndiff to identify changes.
Flags