The following abbreviations that appear in the description and/or the drawing figures are defined as follows:
FW firewall
HTTP hypertext transfer protocol
IT information technology
IANA internet assigned numbers authority
IP internet protocol
NMAP network mapper
OS operating system
RMIS remote managed infrastructure services
TCP transmission control protocol
UDP user datagram protocol
A “port” may be considered a logical connection point for a computer system or program. In the context of TCP/IP, a port is the doorway through which a client program interacts or exchanges information with a particular server program on a computer in a network; the client program is said to connect to the server program's port number N. Certain applications that use TCP/IP, such as HTTP, have ports with pre-assigned numbers. By convention these ports are treated as reserved and are not used for private purposes. They are generally referred to as “well-known ports” and are assigned by the IANA. Other application processes are assigned port numbers dynamically for each connection. When a service is started, it is said to bind to its designated port number. Port numbers are described in, for example, RFC 768 (UDP) and RFC 793 (TCP).
The port numbers are divided into three ranges: the well-known ports, the registered ports, and the dynamic and/or private ports. The well-known ports are those from 0 through 1023, the registered ports are those from 1024 through 49151, and the dynamic and/or private ports are those from 49152 through 65535. For the HTTP service, port 80 is the default port number.
In IP specifications the term “host” generally implies a computer that has bi-directional access to other computers on the Internet. A host has a specific host number that, together with the network number, forms its unique IP address. In some contexts a host may be considered to be a node on a network.
Network mapping is used to determine which computers, servers, or more generally hosts are active on a network, and which programs are running on those hosts. A number of different network mapping tools and programs are in use.
One example of a network mapping tool is NMAP. NMAP is an open source tool for network exploration and security auditing. NMAP is capable of scanning large networks as well as single hosts. NMAP uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what OSs (and OS versions) the hosts are running, what type of packet filters/FWs are in use, and many other network characteristics. While NMAP is commonly used for security audits, it is also useful for other tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
By default, NMAP scans the targets listed on the command line as IP addresses or ranges of IP addresses over a predefined range of port numbers and reports which ports are open. Given the “-sV” option it additionally probes the open ports to identify the application name and version, and given the “-O” option it attempts to identify the OS of each active host.
NMAP OS fingerprinting operates by sending up to 16 TCP, UDP, and ICMP probes to known open and closed ports of the target machine. These probes are specially designed to exploit various ambiguities in the standard protocol RFCs. NMAP then listens for responses to these probes. Dozens of attributes in the responses are analyzed and combined to generate a fingerprint. Every probe packet is tracked and re-sent at least once if there is no response. All of the packets are IPv4 with a random IP ID value. Probes to an open TCP port are skipped if no such port has been found. For closed TCP or UDP ports, NMAP first checks if such a port has been found. If not, NMAP will select a port at random.
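To make the probe construction described above concrete, the following added example (not code from the original page or from the NMAP project) builds one fingerprinting-style TCP SYN probe in pure Python: a segment with a tiny window and a deliberately unusual option block, wrapped in an IPv4 header whose IP ID field is randomised, with correct Internet checksums for both layers, and a decoder that parses the option list back out (rejecting a malformed option length rather than looping on it). The option values and their order are illustrative choices in the spirit of NMAP's first SYN probe, not a copy of NMAP's probe table, and the packet is only built in memory, not sent.

```python
"""Build and decode an Nmap-style TCP SYN fingerprinting probe (illustrative values)."""
import os
import socket
import struct

TCP_PROTO = 6


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum covers an IPv4 pseudo-header (src, dst, zero, proto, length) plus the segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return ones_complement_checksum(pseudo + segment)


# Illustrative option block: window scale, NOP, MSS, timestamp, SACK permitted.
# 20 bytes, so it pads the 20-byte fixed header to whole 32-bit words.
PROBE_OPTIONS = (
    b"\x03\x03\x0a"                                      # window scale, shift 10
    + b"\x01"                                            # NOP
    + b"\x02\x04" + struct.pack("!H", 1460)              # MSS 1460
    + b"\x08\x0a" + struct.pack("!II", 0xFFFFFFFF, 0)    # timestamp TSval / TSecr
    + b"\x04\x02"                                        # SACK permitted
)


def build_syn_probe(src_ip, dst_ip, sport, dport, seq, window=1, options=PROBE_OPTIONS):
    """Return a TCP SYN segment carrying `options`, with a correct checksum."""
    if len(options) % 4:
        raise ValueError("options must pad the header to a multiple of 4 bytes")
    data_offset = (20 + len(options)) // 4
    flags = 0x02  # SYN only
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset << 4, flags, window, 0, 0) + options
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def build_ipv4_header(src_ip, dst_ip, payload_len, ttl=64):
    """Minimal IPv4 header for a TCP payload; the ID field is randomised as the text describes."""
    ip_id = int.from_bytes(os.urandom(2), "big")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id, 0, ttl,
                      TCP_PROTO, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_tcp_options(raw: bytes):
    """Decode a TCP option list; a length byte that is < 2 or overruns the data is an error."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP carries no length byte
            opts.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == 3:
            opts.append(("wscale", body[0]))
        elif kind == 4:
            opts.append(("sack_perm", None))
        elif kind == 8:
            opts.append(("timestamp", struct.unpack("!II", body)))
        else:
            opts.append((kind, body))
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header and its options into a dict."""
    fields = struct.unpack("!HHIIBBHHH", segment[:20])
    sport, dport, seq, ack, off_res, flags, window, csum, urg = fields
    data_offset = off_res >> 4
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("bad TCP data offset %d" % data_offset)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "checksum": csum,
            "options": parse_tcp_options(segment[20:data_offset * 4])}


if __name__ == "__main__":
    seg = build_syn_probe("192.0.2.1", "192.0.2.10", 40000, 80, 12345)
    packet = build_ipv4_header("192.0.2.1", "192.0.2.10", len(seg)) + seg
    print(len(packet), "bytes;", parse_tcp_header(seg)["options"])
```

A receiver verifies a checksum by recomputing it over the packet with the checksum field included; the result is 0 when the packet is intact, which is what the checks below rely on.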
However, the conventional use of NMAP proves to be error prone when parallel scanning is involved, and parallel scanning is important for response time when the NMAP results are used interactively. Successive parallel scans of the same host can lead to the “discovery” of different OSs, since NMAP is not always able to take a clear fingerprint of the OS. Referring, for example, to the on-line NMAP book, Chapter 8: Remote OS Detection: Dealing with Misidentified and Unidentified Hosts, one suggestion made for improving results is to scan all ports (using the “-p-” option on the command line).
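The two preceding points, what NMAP reports for each host (open ports, service name and version, OS matches with an accuracy figure) and the fact that repeated scans of one host can disagree about its OS, are illustrated by the following added example, which is not code from the original page or from the NMAP project. It parses NMAP's XML output format (the `-oX` option) with the standard library and then reconciles the OS matches of several runs of the same scan: every match above an accuracy threshold casts a vote weighted by its accuracy, the winner's score is divided by the number of runs in which the host was seen so that a guess appearing in only one run is penalised, and the result is flagged as unstable unless the winner appeared in a strict majority of runs. The three XML documents are constructed for the example; the element and attribute names follow NMAP's XML schema, but the addresses, services and OS matches are made up.

```python
"""Parse Nmap -oX output and reconcile OS guesses across repeated scans (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample output of three scans of the same two targets (not real scan data).
RUN_1 = """
<nmaprun scanner="nmap" args="nmap -O -sV 192.0.2.0/28">
 <host><status state="up" reason="syn-ack"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
   <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
  </ports>
  <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/><osmatch name="Linux 2.6.32" accuracy="90"/></os>
 </host>
 <host><status state="up" reason="echo-reply"/><address addr="192.0.2.20" addrtype="ipv4"/>
  <os><osmatch name="FreeBSD 12.0-RELEASE" accuracy="88"/></os>
 </host>
</nmaprun>"""
RUN_2 = """
<nmaprun scanner="nmap" args="nmap -O -sV 192.0.2.0/28">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <os><osmatch name="Linux 4.15 - 5.6" accuracy="96"/></os></host>
 <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/><os/></host>
</nmaprun>"""
RUN_3 = """
<nmaprun scanner="nmap" args="nmap -O -sV 192.0.2.0/28">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <os><osmatch name="Linux 2.6.32" accuracy="92"/><osmatch name="Linux 4.15 - 5.6" accuracy="91"/></os></host>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {ipv4: {"ports": [open ports with service info], "os_matches": [(name, accuracy)]}}."""
    root = ET.fromstring(xml_text.strip())
    hosts = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports carry a service
            svc = port.find("service")
            ports.append({"proto": port.get("protocol"), "port": int(port.get("portid")),
                          "service": svc.get("name") if svc is not None else None,
                          "product": svc.get("product") if svc is not None else None})
        matches = [(m.get("name"), int(m.get("accuracy"))) for m in host.findall("./os/osmatch")]
        hosts[addr_el.get("addr")] = {"ports": ports, "os_matches": matches}
    return hosts


def consensus_os(runs, min_accuracy: int = 85) -> dict:
    """Combine OS matches from repeated scans; see the module docstring for the voting rule."""
    votes = defaultdict(lambda: defaultdict(list))  # addr -> os name -> accuracies seen
    seen = defaultdict(int)                          # addr -> number of runs it appeared in
    for run in runs:
        for addr, info in run.items():
            seen[addr] += 1
            for name, acc in info["os_matches"]:
                if acc >= min_accuracy:
                    votes[addr][name].append(acc)
    result = {}
    for addr, n_runs in seen.items():
        if not votes[addr]:  # unidentified in every run
            result[addr] = {"os": None, "score": 0.0, "runs_agreeing": 0, "runs": n_runs, "stable": False}
            continue
        name, accs = max(votes[addr].items(), key=lambda kv: sum(kv[1]))
        result[addr] = {"os": name, "score": round(sum(accs) / n_runs, 1),
                        "runs_agreeing": len(accs), "runs": n_runs,
                        "stable": len(accs) * 2 > n_runs}
    return result


if __name__ == "__main__":
    runs = [parse_nmap_xml(x) for x in (RUN_1, RUN_2, RUN_3)]
    for addr, verdict in consensus_os(runs).items():
        print(addr, verdict)
```

On the sample data the Linux host is scored 94.0 with all three runs agreeing, while the FreeBSD guess for the second host is seen in only one of its two runs and is reported as unstable; a practitioner would rescan such a host (for example with all ports, as the text suggests) before trusting the label.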
As can be appreciated, a need exists to improve the accuracy and repeatability of network scanning tools.