Towards Improving Productivity in NMap Security Audits

Authors

  • Jose Manuel Redondo Redondo Computational Reflection Research Group, Department of Computer Science, University of Oviedo, Science Faculty, Office 240, C/Federico Garcia Lorca S/N, 33007, Oviedo, Spain
  • Daniel Cuesta Computer Network Attack (CNA), S2Grupo, Valencia, Spain

DOI:

https://doi.org/10.13052/jwe1540-9589.1871

Keywords:

nmap, web GUI, advanced features, productivity, Domain Specific Language, static type checking

Abstract

Maintaining an adequate security level in computer infrastructures, like Internet-facing web servers, requires periodic assessment of their vulnerabilities with specialized security tools. nmap is arguably the most popular one, due to its versatility, powerful features, and low resource usage. However, this versatility can turn its usage difficult and error-prone, as it implements a lot of features and reports errors at runtime. This can lead to suboptimal results while designing auditing tasks. This research aims to decrease this complexity by developing a web GUI that favors experimentation, on-demand scans, and provides solutions to several shortcomings detected in the official one. We complemented it with a Domain Specific Language that implements early detection and reporting of syntax, type, and semantic errors when creating audit tasks. Both expand nmap possibilities, creating robust, schedulable, distributable, and portable auditing tasks able to find anomalies analyzing their output. Our initial release shows that the web GUI has been well received by several security related media and professionals. The language can detect and report a wide range of potential errors, substantially increasing the robustness of the created tasks. Therefore, Domain Specific Languages with early detection of type errors turned to be suitable to lower the complexity and expand the usage possibilities of complex tools like nmap.

Downloads

Download data is not yet available.

Author Biographies

Jose Manuel Redondo Redondo, Computational Reflection Research Group, Department of Computer Science, University of Oviedo, Science Faculty, Office 240, C/Federico Garcia Lorca S/N, 33007, Oviedo, Spain

Jose Manuel Redondo is an Assistant Professor in the University of Oviedo, Spain since November 2003. Received his B.Sc., M.Sc., and Ph.D. degrees in computer engineering from the same university in 2000, 2002, and 2007, respectively. He participated in various research projects funded by Microsoft Research and the Spanish Department of Science and Innovation. He has authored three books and over 20 articles. His research interests include dynamic languages, computational reflection, and computer security.

Daniel Cuesta, Computer Network Attack (CNA), S2Grupo, Valencia, Spain

Daniel Cuesta is a Computer Network Attack (CNA) consultant in S2Grupo (Valencia, Spain). He has worked as a security consultant in CapGemini Spain and is also a SecurityArtWork Collaborator. We will receive his B.Sc. in computer engineering from the University of Oviedo (Spain) in 2020. His main research interests focus in vulnerability discovery and assessment, along with other projects related with computer security.

References

D. Harley, L. Myers, S. Cobb, and C. Gutierrez. Cybersecurity trends 2019: Privacy and intrusion in the global village. Technical report, ESET, 2018. (Dec 10, 2018).

A. Bendovschi. Cyber-attacks trends, patterns and security counter-measures. Procedia Economics and Finance, 28:24–31, 2015. 7th INTERNATIONAL CONFERENCE ON FINANCIAL CRIMINOLOGY 2015, 7th ICFC 2015, 13–14 April 2015, Wadham College, Oxford University, United Kingdom.

Y. Gilad and A. Herzberg. Off-path tcp injection attacks. ACM Trans. Inf. Syst. Secur., 16(4):13:1–13:32, April 2014.

P. M. Vidhya. Cyber security: Threats and challenges. Int.l J. of Computer Science and Mobile Computing, 3:586–590, 02 2014.

R. Shay, S. Komanduri, A. L. Durity, P. Huh, M. L. Mazurek, Sean M. Segreti, B. Ur, L. Bauer, N. Christin, and L. F. Cranor. Designing password policies for strength and usability. ACM Trans. Inf. Syst. Secur., 18(4):13:1–13:34, May 2016.

T. Matthews. What DDoS attacks really cost businesses. Technical report, Imperva Incapsula, 2016. (Dec 10, 2018).

N. A. S. Lima and M. P. Fernandez. Towards an efficient DDoS detection scheme for software-defined networks. IEEE Latin America Transactions, 16(8):2296–2301, Aug 2018.

J. Cheng, J. Zhou, Q. Liu, X. Tang, and Y. Guo. A ddos detection method for socially aware networking based on forecasting fusion feature sequence. The Computer Journal, 61(7):959–970, 2018.

S. Hsiao and D. Kao. The static analysis of WannaCry ransomware. In 2018 20th International Conference on Advanced Communication Technology (ICACT), pages 1–1, Feb 2018.

S. Eskandari, A. Leoutsarakos, T. Mursch, and J. Clark. A first look at browser-based cryptojacking. In 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS PW), pages 58–66, April 2018.

D. Kaur and P. Kaur. Empirical analysis of web attacks. Procedia Computer Science, 78:298 – 306, 2016. 1st International Conference on Information Security & Privacy 2015.

G. F. Lyon. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap Project, 2009.

Linux Journal. Editors’ choice awards. https://www.linuxjournal.com/article/5525, 2001. (Jul 29, 2019).

OWASP. OWASP Pentesting Guide v4. Open Web Application Security Project, 2014.

AlienVault. Alienvalut: Threat detection, incident response product. https://www.alienvault.com/, 2018. (Jan 30, 2019).

A. Toxboe. User Interface Design Patterns Card Deck: UI Patterns. UI Patterns Education. Anders Toxboe, 2016.

J. M. Redondo and F. Ortin. A comprehensive evaluation of common python implementations. IEEE Software, 32(4):76–84, July 2015.

Google. Google safe browsing. https://safebrowsing.google.com/, 2018. (Jan 30, 2019).

J. M. Redondo and F. Ortin. Efficient support of dynamic inheritance for class- and prototype-based languages. Journal of Systems and Software, 86(2):278 – 301, 2013.

F. Ortin, B. G. Perez-Schofield, and J. M. Redondo. Towards a static type checker for python. In European Conference on Object-Oriented Programming (ECOOP), Scripts to Programs Workshop, STOP, volume 15, pages 1–2, Prague, Czech Republic, July 2015. ECOOP.

I. Lagartos, J. M. Redondo, and F. Ortin. Towards a java library to support runtime metaprogramming. In Ernesto Damiani, George Spanoudakis, and Leszek Maciaszek, editors, Evaluation of Novel Approaches to Software Engineering, pages 224–242, Cham, July 2018. Springer International Publishing.

I. Lagartos, J. M. Redondo, and F. Ortin. Efficient runtime metapro-gramming services for java. Journal of Systems and Software, 2019.

IETF7. Internet message format. https://tools.ietf.org/html/rfc2822, 2001. (Apr, 2001).

T. Parr. Antlr (another tool for language recognition). http://www.antlr.org/, 2018. (Jan 30, 2019).

Penetration Testing: Security Training Share. NMapGUI: Advanced Graphical User Interface for Nmap. https://securityonline.info/nmapgui-advanced-graphical-user-interface-nmap/, 2017. (Jan 30, 2019).

Div Security. NMapGUI: Interfaz gráfica de usuario para Nmap. http://security.divdesign.mx/nmapgui-interfaz-grafica-de-usuario-para-nmap/, 2017. (Jan 30, 2019).

Homputer Security. Découvrez NMapGUI la version graphique de Nmap. http://homputersecurity.com/2017/10/26/decouvrez-nmapgui-la-version-graphique-de-nmap/, 2017. (Jan 30, 2019).

1024Megas. NMapGUI - Graphical User Interface. http://www.1024megas.com/2017/09/nmapgui.html, 2017. (Jan 30, 2019).

StackTrender. Nmap GUI Java/Web Front End for Nmap – YouTube. https://stacktrender.com/post/st/nmap-gui-java-web-front-end-for-nmap-youtube, 2017. (Jan 30, 2019).

S. De Luz. NMapGUI: Conoce esta interfaz grafica de Nmap basada en Java. https://www.redeszone.net/2017/09/03/nmapgui-conoce-esta-interfaz-grafica-de-Nmap-basada-en-java/, 2017. (Jan 30, 2019).

A. Zanni. Rawsec’s cybersecurity inventory: An inventory of tools and resources about cybersecurity. http://inventory.rawsec.ml/tools.html, 2018. (Jan 30, 2019).

J. M. Redondo and L. del Valle. Filesync and era literaria: Realistic open sourcewebs to develop web security skills. Journal of Web Engineering, 17(5):1–22, 2018.

I. Llaneza, J. M. Redondo, and L. Vinuesa. Towards lightweight mobile pentesting tools to quickly assess machine security levels. IEEE Latin America Transactions, pp, 2019.

U. de Oviedo. Escuela de ingeniería informática. https://ingenieriainformatica.uniovi.es/infoacademica/grado/, 2018. (Jan 30, 2019).

J. M. Redondo. Improving student assessment of a server administration course promoting flexibility and competitiveness. IEEE Trans. on Ed., 62(1):19–26, 2018.

J. M. Redondo. Introducción Práctica a la Administración Segura de Servidores Apache Bajo Linux. Servicio de Publicaciones, Universidad de Oviedo, 2019.

C. Wohlin, P. Runeson, M. Hst, M. C. Ohlsson, B. Regnell, and A. Wessln. Experimentation in software engineering. Springer Science & Business Media, 2012.

Web Accessibility Initiative. Wai: Strategies, standards, resources to make the web accessible to people with disabilities. https://www.w3.org/WAI/, 2019. (Apr 30, 2019).

W. Remes, A. Dulaunoy, and P. Moreels. A tool to perform local searches for known vulnerabilities. https://github.com/cve-search/cve-search/, 2018. (Jan 30, 2019).

P. Moreels. Cve scan. https://github.com/NorthernSec/CVE-Scan/, 2018. (Jan 30, 2019).

T. Stubblebine. Regular Expression Pocket Reference, 2nd Edition. O’Reilly Media, Inc., 2007.

O. Morten. Nmap gui. https://sourceforge.net/projects/nmapgui/, 2016. (Jan 30, 2019).

G. F. Lyon and J. Vogt. Nmapwin. https://sourceforge.net/p/nmapwin/wiki/Home/, 2002. (Jan 30, 2019).

F. Cecconi. Nmapsi4. https://github.com/nmapsi4/nmapsi4, 2015. (Jan 30, 2019).

Syhunt. Nmapw: Free port scanner for analyzing network security or internet exploration. http://nmapw.software.informer.com/, 2018. (Jan 30, 2019).

E. Suarez. Wmap. https://github.com/ericsuarez/wmap, 2017. (Jan 30, 2019).

R. Savon. Nmap-webgui. https://github.com/savon-noir/nmap-webgui, 2013. (Jan 30, 2019).

J. Delange. nmap-cgi project. http://nmap-cgi.tuxfamily.org/, 2006. (Jan 30, 2019).

Rev3rse Security. Webmap: Nmap dashboard and reporting. https://github.com/Rev3rseSecurity/WebMap, 2019. (Jan 30, 2019).

F. Dominguez. Nmap-gui. https://github.com/FernandoDoming/nmap-gui, 2017. (Jan 30, 2019).

IDroid.us. Cydia tweak nmap gui. https://web.archive.org/web/20121030090623/https://idroid.us/cydia-tweak-nmap-gui-0-93.html, 2012. (Jan 30, 2019).

OpenVAS. Openvas open source vulnerability scanner and manager. http://www.openvas.org/, 2018. (Jan 30, 2019).

Rapid7. Metasploit: The world’s most used penetration testing framework. https://www.metasploit.com/, 2018. (Jan 30, 2019).

P. Lalet. Ivre official web page. https://ivre.rocks/, 2018. (Jan 30, 2019).

Downloads

Published

2019-11-05

Issue

Section

Articles