December 29, 2008

Security Book Review: "Nmap Network Scanning"

"Nmap Network Scanning"
Author: Gordon "Fyodor" Lion
Editorial: Nmap Project
Publication date: January 1, 2009
ISBN-10: 0979958717
ISBN-13: 978-0979958717

Summary: The Art of Network Mapping and Scanning Masterpiece.

Score: 5+/5

I could summarize this book review by saying this is THE nmap reference book, what in itself would be an obvious conclusion I already expected before reading a single page, just by looking at the author name. Fyodor is the creator of nmap, a tool he has carefully fed and taken care of during all these years, and slightly knowing him from the Honeynet project, I couldn't expect less.

"Nmap Network Scanning" is a masterpiece that teaches the reader the Art of Network Mapping and Scanning, and
definitely, one of the best books I've read in years. Honestly, there are only a few minor things regarding network scanning you cannot accomplish with a single tool, the current nmap version. The book takes advantage of it.

The official nmap reference guide is simply included on chapter 15, while the rest of the book steers the reader through the nifty art of network mapping and scanning. It disects the network scanning phases and techniques, describing the different options and tool arguments available throughout practical examples and real-world usage tips, here and there, that will improve all your scanning techniques. This is a never-ending book that took Fyodor 5 years to write, and it clearly spreads his experience testing and analyzing networks. This is specially true in the "Solution" section at the end of some chapters, where real-world scenarios are efficiently solved.

Additionally, the book clearly pinpoints the limitations for the multiple platforms (eg. Windows vs Linux) and scenarios (eg. privileged vs non-privileged user) nmap can run on. Besides that, it summarizes most nmap internals without requiring you to dive deep into the source code, what is a challenge in itself. All this information is complemented with some real challenges you find as a penetration tester
today, such as the limitations to spoof Internet traffic from legal ISP, a topic I've been researching about recently.

The most advanced and technical chapters are chapter 7 and 8, detailing the inner workings of the nmap service, application, and OS fingerprinting modules, and chapter 9, providing the NSE knowledge required to read and develop your own nmap scripts.

This is the type of book I recommend you to read in front of your computer, practicing simultaneously. Open a terminal, enable your network connection, and run the latest nmap version as you read throughout the book while testing the different options and examples. You can use multiple target virtual machines to experiment with, or if not available, the site (use with caution). One thing is sure: you will have a lot of fun!

I have been using nmap since 1999, and found the book fits a broader audience, from the novice reader (please, do not get overwhelmed initially by all the available nmap options and scan types), that can learn the principles of the scanning techniques used (the packet flow diagrams on the port scanning chapter are specially helpful), up to the advanced professional,
explaining what's behind the scenes of every technique and nmap argument, at the OS and network traffic level. The book applies to most security professionals, from security administrators that need to manage and secure their environments, to penetration testers interested on driving their skills to a new level.

This is the kind of book that feeds your creativity and research motivation. Fyodor, once again, promotes along the book the open-source philosophy, the need to share and contribute to the community, in this case in the form of OS and service fingerprints, NSE scripts, or just reporting nmap bugs.

Some minor things I would have liked to see mentioned for an extra finishing touch,
offering my tiny contribution for a future version, are:
  • A statistical analysis of the most common ICMP types currenty allowed on the field, similar to the study for TCP and UDP ports Fyodor did. On my experience, for example, I find ICMP timestamps allowed much frequently than ICMP netmask requests today.
  • Extend the analysis of port knocking with the Single Packet Authorization (SPA) concept.
  • Finally, I would have loved to see specific sections for the new nmap-related tools, such as ndiff (the command line version), or ncat.
Respectfully, once I finished reading the book I feel like Raul "Fyodor" Siles..., you will do too! :)

Fyodor was generous enough to release an extensive portion of the book for free on the official nmap book website. Take a look at it and you won't doubt about getting your own full copy.

UPDATE: Amazon review.

Labels: ,


Post a Comment

<< Home