Monday, August 25, 2008

The Inventory and The Topology

As of today (or yesterday, depending on your time zone), Zenmap has a couple of hot new features:
  • The network inventory
  • Graphical topology visualization
The network inventory is a new concept that allows you to run many scans from inside one Zenmap window, and view all results as if they were a part of one "big" scan. Each host's information is updated every time a scan targeting it has finished executing. This is done carefully, keeping host information from previous scans if the new scan doesn't discover anything new about the host.
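
The cumulative update described above can be modelled in a few lines. This is an added example, not Zenmap's own code: the merge rule, the function names and the sample reports (constructed Nmap -oX fragments using documentation addresses) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) fragments; addresses come from the RFC 5737 test range.
SCAN_TRACEROUTE = """<nmaprun>
<host><address addr="192.0.2.96" addrtype="ipv4"/>
<hostnames><hostname name="web-a.example"/></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><address addr="192.0.2.97" addrtype="ipv4"/>
<hostnames><hostname name="web-b.example"/></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
</nmaprun>"""

SCAN_OS = """<nmaprun>
<host><address addr="192.0.2.97" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port></ports>
<os><osmatch name="Linux 2.6.X" accuracy="95"/></os></host>
</nmaprun>"""


def parse_hosts(xml_text):
    """Yield one dict per <host> element in an Nmap XML report."""
    for host in ET.fromstring(xml_text).iter("host"):
        yield {
            "addr": host.find("address").get("addr"),
            "hostnames": [h.get("name") for h in host.iter("hostname")],
            "ports": {(p.get("protocol"), int(p.get("portid"))):
                      p.find("state").get("state") for p in host.iter("port")},
            "os": [m.get("name") for m in host.iter("osmatch")],
        }


def merge_scan(inventory, xml_text):
    """Fold one finished scan into the inventory (hypothetical merge rule)."""
    for new in parse_hosts(xml_text):
        old = inventory.setdefault(new["addr"], {"hostnames": [], "ports": {}, "os": []})
        old["ports"].update(new["ports"])   # the newer state wins, port by port
        for key in ("hostnames", "os"):
            if new[key]:                    # an empty result keeps the earlier data
                old[key] = new[key]
    return inventory


if __name__ == "__main__":
    inventory = {}
    for scan in (SCAN_TRACEROUTE, SCAN_OS):
        merge_scan(inventory, scan)
    for addr, info in sorted(inventory.items()):
        print(addr, info)
```

Merging the two reports in either order gives the same record for 192.0.2.97: the hostname from the first scan survives the OS scan that did not report one, and the OS match survives a later scan that did no OS detection.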

Graphical topology visualization is achieved by integrating RadialNet into Zenmap. Every time you run a traceroute scan (nmap --traceroute ...), the network topology (accessible from the "Topology" tab) gets updated.

To illustrate these powerful concepts, consider the following example: we will run a quick nmap -p80 -PN --traceroute google.com/28 scan to enumerate a couple of Google's web servers. Then, we will run a more aggressive scan on a couple of those machines to illustrate the cumulative nature of the underlying network inventory.

After running nmap -p80 -PN --traceroute google.com/28, we get the following:

Notice that the toolbar and the tab interface have been removed from Zenmap, in an ongoing effort to maximize useful space. Now, if we click on the "Topology" tab, we get the following:

And there it is, the path that your packets have travelled on their way to Google. At the bottom of the screen, you can see a number of nodes connected to the localhost node with a dashed line. This indicates that there's no traceroute information available for these nodes. You can find more details about the visualization at the RadialNet homepage.

Now let's say we want to run two in-depth scans on lm-in-f96.google.com and lm-in-f97.google.com. We'll run a regular scan on f96 and an OS detection scan on f97. So, we enter the first target into the "Target" field, select the "Regular Scan" profile, and run it. Without waiting for the first scan to finish, we enter the second target, select the "Operating System Detection" profile, and run the scan. Clicking on the "Scans" tab will get us the following:

We can see that there are two scans running in the background, plus the finished traceroute scan we ran earlier. Back in the "Nmap output" tab, you can select which scan's output you want to see by selecting it from the dropdown box at the top of the tab.


You can see that lm-in-f97.google.com's icon has changed to a penguin image, indicating that there's now an OS detection result for that host. You can view the details in the usual fashion, by selecting lm-in-f97.google.com in the host list and clicking on "Host Details".

Now, we have acquired the information we need, so we'd like to save it. Since there are three scans in the current inventory, we can choose to either save some (or all) of them individually by hand (Scan -> Save Scan), or we can choose to save the entire inventory to a directory (Scan -> Save to Directory). The former works just as you would expect, saving one scan of choice to a .usr file. The latter saves all scans to a given directory, so that the inventory can later be easily loaded by selecting Scan -> Open -> (from the Open Scan dialog) Open Directory.

Note that Zenmap will refuse to save the inventory to a directory that contains files that are not a part of the inventory. However, you can save the inventory to a directory it has been loaded from, since Zenmap is trying to emulate saving to a file as much as possible. In other words, you can open the inventory from "myinv/", run some scans, and then save the inventory back to "myinv/".

You can append any saved scan to the inventory by selecting "Append scan" from the "Scans" tab. Also, you can remove a scan from the inventory by selecting the scan and clicking on "Remove scan".

These changes are now a part of the main Zenmap branch, so if you want to give them a shot before the next Nmap version is released, fire up your svn:

svn co --username guest --password "" svn://svn.insecure.org/zenmap

cd zenmap
./zenmap &

Have fun!
