Designing Nmapalyzer

Requirements prototype

The first prototype of our tool should be able to:

  • identify the scans done on the ports,
  • save this information in a lightweight format, and
  • last but not least, present the results visually.

This simplistic requirements list is just to get us started. As we advance, we should be able to build upon this list and define the features more precisely.

Patterns

Nmap commands that target multiple ports are quite easy to identify. But what happens when the attacker uses one port to scan our networks? What kind of information found in the pcap files can help us identify them? The answer to this problem is the response packet sent by Nmap. Nmap sends an RST packet instead of an ACK once the target machine has responded. This is not 'normal' behaviour when a TCP connection has been requested. This is of course the case for certain Nmap commands like nmap -O <ipaddress>, but there are other responses we need to analyze, such as

nmap -PN -p80 <ipaddress>

P2NMAP :Python Passive Network Mapping

Building upon the knowledge of other researchers is part of our research too. P2NMAP is a one-of-a-kind exploration of how to use Python for passive network mapping. The author, Chet Hosmer, wrote a very comprehensive guide, including source code, on how to use Python to capture network traffic and also how to analyze the captured files. P2NMAP is the first research that treats this subject in depth, and it serves as an excellent foundation for building a more sophisticated tool.

First Phase: Capture Network Traffic

The first phase of our investigation is to be able to capture network traffic. P2NMAP uses a Python script that can capture traffic and parse the captured Tcpdump pcap files. Another script serves to analyze the captured files; we adapt it to our needs. In this case, the script should be able to create specific log entries when:

  1. one IP address is scanning multiple ports, or
  2. RST packets have been sent as a response instead of the expected ACK packet.

Tcpdump pcap file

The easiest way to capture network traffic is by using Tcpdump instead of Wireshark; however, it is only available on Linux/Unix systems. WinDump is the Windows version of this tool and could be used for that OS at a later stage. For now our focus is on parsing Tcpdump pcap files.
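As an added example (not part of this design note and not P2NMAP's own code), the following Python script shows the two analysis rules from the First Phase list applied to a Tcpdump-style pcap byte stream: it parses classic pcap records carrying Ethernet/IPv4/TCP frames, flags a source address that probes many ports, and flags a client that answers a SYN/ACK with RST instead of the handshake ACK. The capture it analyzes is constructed in memory by `demo_capture`; the addresses, ports and the `scan_threshold` value are assumptions chosen for illustration.

```python
"""Added example: parse a pcap byte stream and flag two Nmap-like patterns."""
import struct
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
PCAP_MAGIC = 0xA1B2C3D4            # classic pcap magic (microsecond timestamps)


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left at 0)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"        # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))        # IHL=5, TTL 64, protocol 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a pcap global header plus per-record headers (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_tcp_frame(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                   # not TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return (src, dst, sport, dport, flags)


def parse_pcap(data):
    """Walk a classic pcap byte string and collect the TCP/IPv4 records it contains."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:                            # same magic written big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    offset, records = 24, []
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        rec = parse_tcp_frame(data[offset:offset + incl_len])
        offset += incl_len
        if rec:
            records.append(rec)
    return records


def analyze(records, scan_threshold=10):
    """Apply the two first-phase rules: many ports per source, and RST where an ACK was due."""
    ports_by_src = defaultdict(set)
    state = {}            # (client, server, client_port, server_port) -> "syn" | "synack" | "open"
    half_open = []
    for src, dst, sport, dport, flags in records:
        if flags & SYN and not flags & ACK:              # client opens a connection
            ports_by_src[src].add(dport)
            state[(src, dst, sport, dport)] = "syn"
        elif flags & SYN and flags & ACK:                # server answers SYN/ACK
            key = (dst, src, dport, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        else:
            key = (src, dst, sport, dport)
            if state.get(key) == "synack":
                if flags & RST:                          # RST instead of the handshake ACK
                    half_open.append((src, dst, dport))
                    del state[key]
                elif flags & ACK:
                    state[key] = "open"
    scanners = {ip: sorted(p) for ip, p in ports_by_src.items() if len(p) >= scan_threshold}
    return {"port_scanners": scanners, "half_open": half_open}


def log_lines(result):
    """Render the analysis result as the plain log entries the prototype should emit."""
    lines = [f"SCAN {ip} touched {len(ports)} ports: {ports}"
             for ip, ports in result["port_scanners"].items()]
    lines += [f"HALF-OPEN {c} -> {s}:{p} answered SYN/ACK with RST"
              for c, s, p in result["half_open"]]
    return lines


def demo_capture():
    """Constructed traffic: one host half-open scans 16 ports, another completes a handshake."""
    frames = []
    for port in range(20, 36):
        frames.append(build_tcp_frame("192.0.2.10", "192.0.2.50", 40000 + port, port, SYN))
        frames.append(build_tcp_frame("192.0.2.50", "192.0.2.10", port, 40000 + port, SYN | ACK))
        frames.append(build_tcp_frame("192.0.2.10", "192.0.2.50", 40000 + port, port, RST))
    frames.append(build_tcp_frame("192.0.2.20", "192.0.2.50", 51000, 443, SYN))
    frames.append(build_tcp_frame("192.0.2.50", "192.0.2.20", 443, 51000, SYN | ACK))
    frames.append(build_tcp_frame("192.0.2.20", "192.0.2.50", 51000, 443, ACK))
    return build_pcap(frames)


if __name__ == "__main__":
    for line in log_lines(analyze(parse_pcap(demo_capture()))):
        print(line)
```

On the constructed capture the script reports one scanning source (16 distinct ports) and 16 half-open connections, while the host that completed a normal handshake on port 443 produces no entry. To run it against a real Tcpdump file, replace `demo_capture()` with the bytes read from the pcap; pcapng files and non-Ethernet link types are deliberately rejected rather than misparsed.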