Question & Answer
What tool does QRadar Vulnerability Manager use to complete port scans?
QRadar Vulnerability Manager uses Nmap in order to scan and discover hosts, ports, and operating systems. The Nmap tool is packaged with QRadar Vulnerability Manager by default and administrators can find the Nmap tool in the following directory: /opt/qvm/bin/initmap/nmap-full/bin/nmap-full.pl
Note: To check whether the Nmap tool is running while a QVM scan is in progress, administrators can type the following command:
ps -aef | grep -i nmap-full | grep init
What types of Nmap scans are available?
There are two main types of Nmap scans used for port scanning:
- TCP port scans: For a TCP connect scan, the Nmap tool asks the operating system to establish a connection to each target host and port by issuing the connect system call. TCP connect scans are activated by using the -sT option in Nmap.
- UDP port scans: The Nmap tool completes UDP scans by sending a UDP packet to every targeted port and waiting for a response or a timeout. UDP port scans are activated by using the -sU option in Nmap.
How do Scan Policies affect the duration of my scan?
For PCI compliance, specific TCP and UDP ports must be scanned. All of these ports are configured on the Scan Policies screen in QVM. If a full-range UDP port scan is configured in a Scan Policy, the scan might take a long time to complete because of a limitation of the Nmap tool. This is especially true when the target host has a number of closed UDP ports. Because UDP is connectionless, Nmap must retransmit the packet to verify that it was not lost, and wait for a response that rarely arrives, before it can decide whether a UDP port is open, closed, or potentially filtered. The following three scans illustrate how scan policies affect the duration of a scan.
This example is a Scan Policy that includes a full TCP and UDP port range scan.
Scan Profile Configuration for a Default Discovery Scan:
Scan duration results for the three scan policies
This section shows the breakdown of the scan results sorted by their duration from the QVM database.
- Scan duration results of the Full Range UDP & TCP Port Scan
Result: Timeout received. Results might be inaccurate. When a scan reaches the timeout limit and is unable to complete, a 'Scan Interference' vulnerability is displayed:
The reason for generating a Scan Interference vulnerability is displayed on the Vulnerability Details window. In this example, the scan hit the timeout limit; however, other network devices, such as IPS or IDS devices, might block Nmap scan requests and also cause the Scan Interference vulnerability to be displayed. The same example can be used for testing Full Scan Policy scans, which provide more details about the vulnerabilities currently found on the targeted host. The Full Range UDP & TCP Port Scan shows that a UDP scan with the maximum port range is inefficient at detecting vulnerabilities. For example, with a timeout value of 30 minutes configured, the Nmap tool scans less than 5% of the range before timing out. This behavior results in the pseudo-vulnerability "Scan Interference Detected - Scan Potentially Incomplete" being raised, as displayed in the Scan Interference Vulnerability Description:
Full TCP and UDP Scan Policy Time:
- Scan duration results of the Fast UDP & TCP Port Scan
Result: No timeout received. Accurate results provided from scan.
Default Discovery Scan Time:
- Scan duration results of the Best Practice Scan (Fast UDP & TCP Port Scan & UDP PCI Compliance port)
Result: No timeout received. Accurate results.
Best Practice Server Discovery Scan Time:
How can I run the Nmap tool from the command line?
Using the time function
To check how long it takes for the Nmap tool to scan a host, you can use one of the following commands:
- UDP port scanning:
time /usr/bin/nmap -Pn -sU <host_IP>
- TCP port scanning:
time /usr/bin/nmap -Pn -sT <host_IP>
The case of the Fast scan option
The Nmap tool works faster if the Fast option is selected. In this case, the -F option is used. The ports that are scanned are the ports listed in the /etc/services file:
- UDP port scanning:
time /usr/bin/nmap -Pn -F -sU <host_IP>
The following command limits the tool to run for a maximum of 30 minutes:
time /usr/bin/nmap -Pn -sU --host-timeout=1800s <host_IP>
- TCP port scanning:
time /usr/bin/nmap -Pn -F -sT <host_IP>
Best practices scan policy
As discussed, the best practice scan policy for server discovery is to copy your default scan policy and add the following UDP ports on top of your Fast TCP and UDP scan configuration: 53,67,69,111,123,135,137,138,161,177,445,500,631,1434,1900,4500
In Nmap, to include these UDP ports on top of your Fast UDP & TCP port scan, use the -p option and provide a comma-separated list of port values. For example:
time /usr/bin/nmap -Pn -p '53,67,69,111,123,135,137,138,161,177,445,500,631,1434,1900,4500' -sU --host-timeout=1800s <host_IP>
These UDP ports relate to the following services:
- Authentication services such as RADIUS and Kerberos
- Backdoors and remote access applications
- Backup applications
- Database servers
- DNS (Domain Name System)
- NetBIOS and CIFS
- NFS (Network File System)
- NTP (Network Time Protocol)
- P2P (peer-to-peer) and chat applications
- Routing protocols, including RIP (Routing Information Protocol)
- RPC (Remote Procedure Call) and RPC endpoint mapping
- SNMP (Simple Network Management Protocol) and SNMP trap
- Syslog
- TFTP (Trivial File Transfer Protocol)
- VPNs (Virtual Private Networks), including ISAKMP, L2TP, and NAT-T
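The best-practice command above, wrapped as a small shell helper that also checks whether the run hit the host timeout (the command-line counterpart of the "Scan Interference Detected - Scan Potentially Incomplete" pseudo-vulnerability). This is an added example, not part of the IBM technote; it assumes nmap at /usr/bin/nmap as on the page and relies on Nmap's standard "due to host timeout" notice, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the technote): build the best-practice UDP scan
# command and flag an incomplete scan from Nmap's output.
# Assumptions: nmap lives at /usr/bin/nmap; Nmap prints "... due to host
# timeout" when --host-timeout is reached. Sample outputs below are constructed.

# UDP ports the technote adds on top of the Fast (-F) scan for server discovery.
BEST_PRACTICE_UDP_PORTS='53,67,69,111,123,135,137,138,161,177,445,500,631,1434,1900,4500'

# build_udp_scan_cmd HOST [TIMEOUT_SECONDS]: prints the nmap command line.
# -Pn skips host discovery, -sU selects UDP, --host-timeout bounds the run
# (default 1800s = 30 minutes, the value used on the page).
build_udp_scan_cmd() {
    host=$1
    limit=${2:-1800}
    printf '/usr/bin/nmap -Pn -sU -p %s --host-timeout=%ss %s\n' \
        "$BEST_PRACTICE_UDP_PORTS" "$limit" "$host"
}

# scan_timed_out: reads Nmap output on stdin; returns 0 (true) when Nmap gave
# up on a host because --host-timeout was reached, 1 otherwise. Results from
# such a run are incomplete and should be treated as potentially inaccurate.
scan_timed_out() {
    grep -q 'due to host timeout'
}

# Constructed sample of what Nmap prints when the host timeout is hit.
SAMPLE_TIMEOUT_OUTPUT='Starting Nmap ( https://nmap.org )
Skipping host 192.0.2.10 due to host timeout
Nmap done: 1 IP address (1 host up) scanned in 1800.12 seconds'

# Constructed sample of a scan that finished inside the timeout.
SAMPLE_OK_OUTPUT='Starting Nmap ( https://nmap.org )
PORT    STATE         SERVICE
53/udp  open          domain
161/udp open|filtered snmp
Nmap done: 1 IP address (1 host up) scanned in 42.31 seconds'

# Usage: time the scan, keep its output, then check for an incomplete run.
#   cmd=$(build_udp_scan_cmd 192.0.2.10); time $cmd > scan.out
#   scan_timed_out < scan.out && echo 'incomplete: results may be inaccurate'
```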
Document Information
Modified date: 12 August 2022
UID: swg21981708