port_scan
Description:
This module gives network administrators further knowledge about the systems on their network by recording the changes that the computers connected to it have undergone (for example, ports that have been opened or closed since the last scan).
How does it work?
It takes the IP addresses it is allowed to scan from the OpenNAC database (more precisely from the systems table) and passes them to nmap, which performs the scan. nmap writes its results to an XML file; port_scan parses that file and uses the results to populate the tables that form part of the OpenNAC inventory system. If the current scan differs from the information stored in the database, the module logs what has changed to syslog and makes the necessary corrections to the database. The tables used by port_scan are:
- nac_hostscanned
- nac_openports
- protocols
- services
- subnets
The tables protocols and services are lookup tables. They contain descriptions of protocols and services related to a certain port.
The table subnets contains definitions of subnetworks that port_scan is allowed to scan.
The table nac_hostscanned contains general information (IP address, hostname, OS) about each scanned system.
The table nac_openports contains information about the services found open on each host listed in the nac_hostscanned table.
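The parse-and-compare step described above, as an added example that is not the project's own port_scan code (which is a PHP script using the MySQL tables listed here): it reads nmap's -oX XML, keeps the fields that nac_hostscanned and nac_openports hold, diffs them against a stored inventory, and logs each discrepancy to syslog. The XML and the stored rows are constructed stand-ins; the dictionary layout is an assumption made for the example, not the real table schema.

```python
"""Added example, not the OpenNAC/FreeNAC port_scan code (which is PHP):
parse nmap's -oX output, compare it against what is already stored for the
host, and report the differences the way port_scan logs them to syslog.
Usage:  python3 nmap_diff.py scan.xml   (no argument: runs on the sample below)
"""
import sys
import logging
import logging.handlers
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output, trimmed to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -oX scan.xml 192.168.0.10">
  <host>
    <status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="fileserver.example.org" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
</nmaprun>
"""

# Constructed stand-in for the rows already in nac_hostscanned / nac_openports
# (the dict layout is an assumption for this example, not the real schema).
STORED = {
    "192.168.0.10": {
        "hostname": "fileserver.example.org",
        "os": "Linux 2.6.X",
        "ports": {("tcp", 22): "ssh", ("tcp", 3306): "mysql"},
    },
}

def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname", "os", "ports"}} for every host that was up.
    ports maps (protocol, port) -> service name and keeps only state "open",
    which is what nac_openports stores."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")  # nmap lists its best OS match first
        ports = {}
        for p in host.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            ports[(p.get("protocol"), int(p.get("portid")))] = (
                svc.get("name", "") if svc is not None else "")
        hosts[addr.get("addr")] = {
            "hostname": hn.get("name", "") if hn is not None else "",
            "os": osm.get("name", "") if osm is not None else "",
            "ports": ports,
        }
    return hosts

def diff_inventory(stored, scanned):
    """Return [(ip, message)] describing every discrepancy between the stored
    inventory and the current scan: new hosts, hostname/OS changes, and ports
    that appeared or disappeared. This is what gets logged and then written back."""
    changes = []
    for ip, cur in scanned.items():
        old = stored.get(ip)
        if old is None:
            changes.append((ip, "new host"))
            old = {"hostname": "", "os": "", "ports": {}}
        for field in ("hostname", "os"):
            if old[field] != cur[field]:
                changes.append((ip, "%s changed: %r -> %r" % (field, old[field], cur[field])))
        for proto, port in sorted(set(cur["ports"]) - set(old["ports"])):
            changes.append((ip, "port opened: %d/%s (%s)" % (port, proto, cur["ports"][(proto, port)])))
        for proto, port in sorted(set(old["ports"]) - set(cur["ports"])):
            changes.append((ip, "port closed: %d/%s (%s)" % (port, proto, old["ports"][(proto, port)])))
    return changes

def syslog_logger():
    """Log to the local syslog socket like port_scan does; fall back to stderr
    when no syslog socket is available (e.g. inside a container)."""
    log = logging.getLogger("port_scan")
    log.setLevel(logging.INFO)
    try:
        log.addHandler(logging.handlers.SysLogHandler(address="/dev/log"))
    except OSError:
        log.addHandler(logging.StreamHandler(sys.stderr))
    return log

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    log = syslog_logger()
    for ip, msg in diff_inventory(STORED, parse_nmap_xml(xml_text)):
        log.info("port_scan: %s: %s", ip, msg)
```

Run against the sample it reports 445/tcp as newly opened and 3306/tcp as closed; a host missing from the stored inventory is reported as "new host" followed by its hostname, OS and every open port. Closed ports in the XML are deliberately ignored, since only open ports are inventoried.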
Dependencies:
OpenNAC
Nmap 4.11 or later
Modes of operation:
This script has 3 modes of operation:
- When it is called with no arguments, it takes the IPs from the systems table and compares them against the networks defined in the subnets table. The final decision on what to scan is made by the LastSeen time threshold: with it you tell port_scan to scan only the hosts that were seen on the network within a given period (1 day, 1 month, 30 minutes, whatever you configure).
- When it is called with the "--scannow" parameter, it takes every IP from the systems table whose scannow flag is set to 1, whether or not it would otherwise qualify, and then checks those IPs against what you have specified in the subnets table.
- IPs from the command line. You can call the script as port_scan x1.y1.z1.w1 ... xn.yn.zn.wn. The script then takes the IPs from the command line, and only those which fall within the criteria specified in the subnets table are scanned.
This script also has the switch "--verbose" to activate debugging. Please note that the debug output of this script is sent to syslog.
About the subnets table and its use with port_scan:
Only computers that fall within the criteria specified in the subnets table become candidates to be scanned. As said before, this table contains definitions of the subnetworks that port_scan is allowed to scan. This was done because you may have many subnets in your network, some of them behind a firewall where they cannot be reached, so scanning them would be a waste of time and resources. You therefore need one row in this table for each subnet you want to take into account; hosts outside every listed subnet are never scanned, whichever mode is used.
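The target selection for the three modes, together with the subnets filter that every mode passes through, as an added example (not the project's own PHP script). The systems and subnets "tables" are constructed in-memory stand-ins with assumed column names (ip, lastseen, scannow); the real script reads them from the OpenNAC MySQL database.

```python
"""Added example, not the OpenNAC/FreeNAC port_scan code (which is PHP):
the candidate-selection step behind port_scan's three modes, using
constructed stand-ins for the systems and subnets tables.
Usage:  python3 select_targets.py [--scannow | ip ...]
"""
import sys
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for the subnets table: networks port_scan may scan.
SUBNETS = ["192.168.0.0/24", "10.1.0.0/16"]

# Constructed stand-in for the systems table (column names are assumed).
NOW = datetime(2008, 12, 22, 12, 0, 0)
SYSTEMS = [
    {"ip": "192.168.0.10", "lastseen": NOW - timedelta(minutes=10), "scannow": 0},
    {"ip": "192.168.0.20", "lastseen": NOW - timedelta(days=3),     "scannow": 1},
    {"ip": "10.1.5.7",     "lastseen": NOW - timedelta(hours=2),    "scannow": 0},
    # seen a minute ago and flagged, but behind a firewall: not in SUBNETS
    {"ip": "172.16.9.9",   "lastseen": NOW - timedelta(minutes=1),  "scannow": 1},
]

def allowed(ip, subnets=SUBNETS):
    """True only if ip parses and lies inside a subnet listed in the subnets table.
    Anything that is not a valid address (e.g. a stray command-line argument)
    is rejected here rather than handed to nmap."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in subnets)

def select_targets(systems, mode="default", cli_ips=(), threshold=timedelta(days=1), now=NOW):
    """Pick the IPs to hand to nmap.
    default: systems seen within `threshold` (the LastSeen time threshold)
    scannow: systems with scannow=1, regardless of LastSeen
    cli:     the addresses given on the command line
    In every mode the subnets table has the final say."""
    if mode == "default":
        candidates = [s["ip"] for s in systems if now - s["lastseen"] <= threshold]
    elif mode == "scannow":
        candidates = [s["ip"] for s in systems if s["scannow"] == 1]
    elif mode == "cli":
        candidates = list(cli_ips)
    else:
        raise ValueError("unknown mode: %s" % mode)
    # dict.fromkeys keeps order and drops an address given twice on the command line
    return [ip for ip in dict.fromkeys(candidates) if allowed(ip)]

if __name__ == "__main__":
    args = sys.argv[1:]
    if not args:
        targets = select_targets(SYSTEMS)
    elif args == ["--scannow"]:
        targets = select_targets(SYSTEMS, mode="scannow")
    else:
        targets = select_targets(SYSTEMS, mode="cli", cli_ips=args)
    print("nmap targets:", " ".join(targets))
```

With the sample data the default mode (1-day threshold) yields 192.168.0.10 and 10.1.5.7, a 30-minute threshold only 192.168.0.10, and scannow mode only 192.168.0.20: 172.16.9.9 is dropped in every mode because it lies outside the subnets table, which is exactly the behaviour described above.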
Files and directories required:
/opt/nac/bin/port_scan
/opt/nac/etc/port_scan.inc
/opt/nac/funcs.inc
/opt/nac/scan/
How to run it:
Important: You need to specify first in the subnets table the networks you want to scan.
- To scan all devices that are in the systems table, just type:
/opt/nac/bin/port_scan &
- To scan all devices in the systems table that have the flag scannow=1, do:
/opt/nac/bin/port_scan --scannow
With the GUI you can set the flag for devices you want to scan now.
If you prefer to do it by hand, run:
update systems set scannow=1 where ...;
- To scan a list of IP addresses, do
/opt/nac/bin/port_scan 192.168.0.1 192.168.0.2 192.168.0.3 ... 192.168.0.254
Features related to this module
Since Dec. 22 2008 the EndDevice class contains a new method called "PostScan". This method sets the scannow flag of the system requesting access if and only if that system has not been scanned in the last 7 days.
In a properly configured system, port_scan in scannow mode runs every five minutes, so the information about open ports is kept up to date.
Note that this method was planned to be used by postconnect. For an example of how to use it, please have a look at policy 11.
Bugs:
Please report them in our Development forum:
http://www.freenac.net/phpBB2/viewforum.php?f=2