Getting started with Nmap - Part 4

In part 3 of this tutorial series, we looked at the host discovery options Nmap provides. Nmap first pings the target and, unless -Pn is given to skip discovery, only port-scans hosts that appear to be up. In this part, we'll look at the scanning techniques Nmap provides and how it turns each kind of reply (or silence) into a port state.

Disclaimer: Throughout this tutorial series I have used scanme.nmap.org as the target host, and sometimes my local machine. scanme.nmap.org is a machine the Nmap developers set up for exactly this purpose, so scanning it a FEW TIMES A DAY is allowed. Scanning systems you do not own or have written permission to test is, in many jurisdictions, a criminal offence. Get permission before scanning anything that is not yours.


Fast Scan


With the fast scan option (-F), Nmap scans only the 100 most commonly open ports instead of its default top 1000. The ranking comes from the open-frequency column of the nmap-services data file (the file named on the "Read from" line of the output below), which is also what --top-ports uses; -F simply picks the first 100 entries of that ranking for the protocols being scanned.

nikhilh@ubuntu:~$ nmap -F -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 05:43 PDT
PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 05:43
...
...
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
Final times for host: srtt: 81393 rttvar: 34707  to: 220221

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 3.01 seconds
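To make the "top 100 ports" selection concrete, here is a small parser for the nmap-services format that ranks ports by the frequency column the same way -F and --top-ports do. This is an added example written for this post, not Nmap's own code; the excerpt in SAMPLE_NMAP_SERVICES is constructed to show the format and its frequencies are illustrative, not copied from a real nmap-services file.

```python
"""Rank ports the way nmap -F (n=100) and --top-ports n do: by the open-frequency
column of the nmap-services file. Added example, not Nmap's own code."""
import re

# Constructed excerpt in nmap-services format: service-name  port/protocol  frequency [# comment]
# Frequencies are illustrative only; they are not taken from a real nmap-services file.
SAMPLE_NMAP_SERVICES = """\
# Fields: service-name  port/protocol  open-frequency  [# comment]
http        80/tcp     0.484143  # World Wide Web HTTP
telnet      23/tcp     0.221265
https       443/tcp    0.208669
ftp         21/tcp     0.197667
ssh         22/tcp     0.182286  # Secure Shell Login
smtp        25/tcp     0.131314
domain      53/udp     0.213496
snmp        161/udp    0.433467  # Simple Net Mgmt Proto
http-proxy  8080/tcp   0.042052
Elite       31337/tcp  0.000011  # often used by Back Orifice and friends
unknown     99999/tcp  0.5       # malformed line: port out of range, must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+([0-9.]+)")


def parse_nmap_services(text):
    """Yield (port, proto, frequency, name) for each well-formed line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # comments run to end of line
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                             # tolerate lines we do not understand
        name, port, proto, freq = m.group(1), int(m.group(2)), m.group(3), float(m.group(4))
        if not 0 < port < 65536:
            continue                             # corrupt entry; never scan port 0 or >65535
        yield port, proto, freq, name


def top_ports(text, n, protos=("tcp",)):
    """Return the n most frequently open (port, proto) pairs for the given
    protocols, highest frequency first, ties broken by port number.
    top_ports(text, 100) is the selection -F makes for a TCP scan."""
    rows = [r for r in parse_nmap_services(text) if r[1] in protos]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return [(port, proto) for port, proto, _freq, _name in rows[:n]]


if __name__ == "__main__":
    print("top 3 tcp:", top_ports(SAMPLE_NMAP_SERVICES, 3))
    print("top 2 udp:", top_ports(SAMPLE_NMAP_SERVICES, 2, protos=("udp",)))
```

Point it at a real nmap-services file (the path is printed on Nmap's "Read from" line) to reproduce the exact port list -F uses on your installation; note that the ranking is per protocol, so a UDP -F scan picks a different 100 ports than a TCP one.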

TCP SYN Scan


In part 2, I mentioned TCP Stealth scan. TCP SYN scan (-sS) is the official name. Nmap sends a SYN to each port and reads the reply without ever completing the three-way handshake: a SYN/ACK means the port is open (Nmap then tears the half-open connection down with a RST instead of answering with an ACK), a RST means it is closed, and no response or an ICMP unreachable error means filtered. Because the handshake never completes, the connection usually never reaches the application and is not logged by it, hence "stealth" or "half-open" scan. Crafting these packets needs raw socket access, so the scan requires root, and it is the default technique when Nmap is run as root.

nikhilh@ubuntu:~$ sudo nmap -sS -d scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 05:53 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
...
...
Initiating SYN Stealth Scan at 05:53
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed SYN Stealth Scan at 05:53, 31.55s elapsed (1000 total ports)
...
...
Nmap done: 1 IP address (1 host up) scanned in 31.61 seconds
           Raw packets sent: 2018 (88.700KB) | Rcvd: 1032 (41.280KB)

TCP Connect Scan


We already know that TCP Connect scan (-sT) is the default scanning technique when Nmap is run with regular user privileges.

nikhilh@ubuntu:~$ nmap -d -sT scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:02 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating Connect Scan at 06:02
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 50.72 seconds

TCP Connect scan does not build its own raw packets; it asks the operating system to open a connection with the ordinary connect() system call, the same way a browser or ssh client would. That is why it works without root, but it also makes it slower and noisier than a SYN scan: the full three-way handshake completes on every open port, so the service on the other end sees an accepted connection and can log it (compare the 50.72 s above with 31.55 s for the SYN scan of the same 1000 ports), and Nmap has less control over timing and retries than when it handles the packets itself.

TCP ACK Scan


In this type of scan (-sA), Nmap sends TCP packets with only the ACK flag set. An ACK scan never tells you whether a port is open or closed, because an unfiltered port answers an unexpected ACK with a RST either way; what it tells you is whether a stateful firewall sits in front of the port and which ports it lets through:
  1. If a port is firewalled, the probe is dropped (or answered with an ICMP unreachable error) and Nmap marks it filtered.
  2. If it is not, Nmap receives a RST and marks the port unfiltered, as in the run below.
One caveat about that run: it finished 1000 ports in 0.03 s with 1000 resets, a reported latency of 25 microseconds and a reply TTL of 128. The SYN scan of the same host above measured a round-trip time of about 81 ms, and scanme runs Linux, whose replies start with TTL 64 and arrive lower after the hops in between. Those RSTs almost certainly came from something on the local network path (the VM's NAT gateway is the usual culprit when scanning from a 192.168.x.x VM) rather than from scanme itself. Always check the reason column, the latency and the TTL before trusting an "all ports unfiltered" result.
nikhilh@ubuntu:~$ sudo nmap -d -sA scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:15 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating ACK Scan at 06:15
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed ACK Scan at 06:15, 0.03s elapsed (1000 total ports)
Overall sending rates: 34491.08 packets / s, 1379643.36 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.000025s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are unfiltered because of 1000 resets
Final times for host: srtt: 25 rttvar: 7  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
           Raw packets sent: 1004 (40.152KB) | Rcvd: 1001 (40.040KB)

TCP Null Scan


In a Null scan (-sN) the TCP flag byte is zero: none of SYN, ACK, FIN, RST, PSH, URG, ECE or CWR is set. RFC 793 requires a closed port to answer any segment that does not carry RST with a RST, and an open port to silently drop a segment that carries none of SYN, RST or ACK, so on a compliant stack:
  1. If a port is open, the probe is discarded and there is no response. A firewall drop looks exactly the same, so Nmap reports open|filtered rather than open.
  2. If a port is closed, the target answers with a RST and Nmap reports closed.
Stacks that do not follow the RFC here (Microsoft Windows, many Cisco devices and some other systems send a RST for every probe regardless of port state) show every port as closed, so the technique only works against RFC-compliant stacks such as Linux and the BSDs. In the run below all 1000 ports come back open|filtered after only 5 packets were received, and the ping reply again shows TTL 128 and sub-millisecond latency; with only three open ports found by the SYN scan above, many of the other 997 would have answered a NULL probe with a RST if it had reached scanme and they were closed rather than filtered, so this is the signature of the probes being dropped before reaching the host, not proof that every port is open.
nikhilh@ubuntu:~$ sudo nmap -d -sN scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:40 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating NULL Scan at 06:40
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed NULL Scan at 06:40, 4.03s elapsed (1000 total ports)
Overall sending rates: 496.45 packets / s, 19858.06 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00039s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 389 rttvar: 2213  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)

TCP FIN Scan


FIN scan (-sF) relies on the same RFC 793 behaviour as the NULL scan, and fails against the same non-compliant stacks. This time only the FIN flag is set in the TCP header:
  1. If a port is open (or a firewall drops the probe), the packet is discarded silently and there is no response, so Nmap reports open|filtered.
  2. If a port is closed, the target answers with a RST and Nmap reports closed.
nikhilh@ubuntu:~$ sudo nmap -d -sF scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 08:48 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating FIN Scan at 08:48
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed FIN Scan at 08:48, 4.03s elapsed (1000 total ports)
Overall sending rates: 497.08 packets / s, 19883.05 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00044s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 444 rttvar: 2246  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)

XMAS Scan


In this type of scan (-sX), the FIN, PSH and URG flags are all set. It is called the XMAS scan because the header "lights up like a Christmas tree". Like NULL and FIN scans it only works against stacks that implement RFC 793 faithfully (Linux and the BSDs, for example); Windows and other non-compliant stacks answer every probe with a RST, making every port look closed.

The interpretation follows the RFC:
  1. Ports that do not respond are reported open|filtered: an open port must drop the segment, but a firewall drop produces the same silence.
  2. If the port replies with a RST, it is closed.
nikhilh@ubuntu:~$ sudo nmap -d -sX scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 08:56 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating XMAS Scan at 08:56
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed XMAS Scan at 08:56, 4.04s elapsed (1000 total ports)
Overall sending rates: 495.34 packets / s, 19813.80 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00029s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 290 rttvar: 2164  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)
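The five TCP scans above (SYN, ACK, NULL, FIN, XMAS) differ only in the flag byte they put on the wire and in how the reply is read. The following is an added example written for this post, not Nmap code: it packs a raw TCP header with the flags of each scan type and a valid checksum, and then classifies a reply into the state Nmap would report. Nothing is sent (doing so needs a raw socket, which is exactly why these scans need sudo); the addresses and ports are made up, and the window size is arbitrary.

```python
"""TCP probe construction and reply classification for SYN, ACK, NULL, FIN and
XMAS scans. Added example for this tutorial, not code from Nmap. Nothing here
touches the network: sending would need a raw socket (root), the same reason
-sS and friends need sudo. Addresses, ports and window size are made up."""
import socket
import struct

# TCP flag bits, low to high (RFC 793 plus ECE/CWR from RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

PROBE_FLAGS = {              # what each scan type puts in the flag field
    "syn":  SYN,             # -sS
    "ack":  ACK,             # -sA
    "null": 0,               # -sN: every flag cleared
    "fin":  FIN,             # -sF
    "xmas": FIN | PSH | URG, # -sX: "lit up like a Christmas tree"
}


def checksum(data):
    """RFC 1071 one's-complement sum. Returns 0 when run over data that
    already contains a correct checksum, which is how receivers verify it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum is computed over."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header (no options) with the given flags and a valid checksum."""
    offset_flags = (5 << 12) | (flags & 0x1FF)     # data offset 5 words, then 9 flag bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src_ip, dst_ip, hdr):
    return checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr) == 0


def tcp_flags(hdr):
    """Flag byte of a raw TCP header (low 8 bits of the offset/flags word)."""
    return struct.unpack("!H", hdr[12:14])[0] & 0xFF


def classify(scan, reply):
    """Port state Nmap assigns for `scan` given `reply`: None (no answer after
    retries), ("icmp", type, code) for an ICMP error, or raw TCP header bytes."""
    if reply is None:
        # A reachable host always answers SYN and ACK probes, so silence means a
        # filter; for NULL/FIN/XMAS an open port on an RFC 793 stack is silent too.
        return "filtered" if scan in ("syn", "ack") else "open|filtered"
    if isinstance(reply, tuple) and reply[0] == "icmp":
        return "filtered"                 # unreachable/prohibited error from a filter
    flags = tcp_flags(reply)
    if scan == "syn":
        if flags & SYN:                   # SYN/ACK (Nmap also accepts a bare SYN)
            return "open"
        return "closed" if flags & RST else "filtered"
    if scan == "ack":
        # ACK scan cannot see open vs closed: both answer an unexpected ACK with RST
        return "unfiltered" if flags & RST else "filtered"
    if scan in ("null", "fin", "xmas"):
        # RFC 793 stack: closed port -> RST, open port -> silence
        return "closed" if flags & RST else "open|filtered"
    raise ValueError("unknown scan type %r" % scan)


if __name__ == "__main__":
    src, dst = "192.0.2.10", "192.0.2.20"
    probe = build_tcp_header(src, dst, 40000, 22, PROBE_FLAGS["xmas"])
    print("xmas flags=0x%02x checksum ok=%s" % (tcp_flags(probe), tcp_checksum_ok(src, dst, probe)))
    reply = build_tcp_header(dst, src, 22, 40000, RST | ACK)
    print("fin scan, RST/ACK reply ->", classify("fin", reply))
```

The classify() table is the whole difference between the scan types: the same RST that means "closed" for a SYN scan means "unfiltered" for an ACK scan, and the same silence that means "filtered" for SYN means "open|filtered" for NULL, FIN and XMAS. Feed it a RST for every port, as a Windows target produces, and the NULL/FIN/XMAS rows all come back closed, which is the non-compliant-stack failure described above.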

UDP Scan


Some services listen on UDP rather than TCP (DNS on 53, SNMP on 161, DHCP on 67 and 68, for example), and a TCP-only scan will never see them. UDP scan (-sU) sends a UDP datagram to each port (empty for most ports, a protocol-specific payload for a few well-known ones) and interprets the reply:
  1. No response: open|filtered. Many open UDP services ignore an unexpected datagram, and a firewall drop looks identical.
  2. A UDP reply of any kind: open.
  3. ICMP port unreachable (type 3, code 3): closed.
  4. Any other ICMP unreachable error (type 3, codes 1, 2, 9, 10 or 13): filtered.
Most stacks rate-limit ICMP errors (Linux sends at most about one destination unreachable per second by default), so Nmap has to slow down to tell closed from open|filtered, and a full 65535-port UDP scan of a Linux host can take over 18 hours. In the run below no ICMP errors came back at all, which, together with the TTL 128 ping reply and the 5 packets received, again points at the probes being dropped on the local path rather than at 1000 open UDP services.
nikhilh@ubuntu:~$ sudo nmap -sU -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 09:04 PDT
PORTS: Using top 1000 ports found open (TCP:0, UDP:1000, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating UDP Scan at 09:04
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed UDP Scan at 09:04, 4.04s elapsed (1000 total ports)
Overall sending rates: 496.33 packets / s, 14365.54 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00036s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 360 rttvar: 2245  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
           Raw packets sent: 2007 (58.126KB) | Rcvd: 5 (188B)

IP Protocol Scan


IP protocol scan (-sO) is not a port scan at all: it sends one raw IP packet for each of the 256 protocol numbers (which is why the output below counts "256 ports") and reports which IP protocols the target stack answers for. Any response in the probed protocol marks it open; an ICMP protocol unreachable (type 3, code 2) marks it closed; a port unreachable (code 3) also marks it open, since the protocol is evidently running; other ICMP unreachable errors mark it filtered; and no response is open|filtered. You can use the result to decide which scan types are worth running (UDP scan, TCP SYN scan, and so on). In the run below ICMP (1) shows open because scanme answered the echo request and TCP (6) because it sent a TCP reply, while the 252 protocol unreachables are reported as filtered rather than closed, which is not what Nmap documents for an unreachable sent by the target itself; together with the TTL 128 and the near-zero latency this most likely means the errors were generated by an intermediate device (the VM's NAT gateway) rather than by scanme.

nikhilh@ubuntu:~$ sudo nmap -sO -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 09:14 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating IPProto Scan at 09:14
Scanning scanme.nmap.org (45.33.32.156) [256 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or (src host 45.33.32.156))
Discovered open port 6/ip on 45.33.32.156
Discovered open port 1/ip on 45.33.32.156
Completed IPProto Scan at 09:14, 1.21s elapsed (256 total ports)
Overall sending rates: 212.82 packets / s, 4325.74 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.010s latency).
Scanned at 2018-08-22 09:14:47 PDT for 1s
Not shown: 252 filtered protocols
Reason: 252 proto-unreaches
PROTOCOL STATE         SERVICE REASON
1        open          icmp    echo-reply ttl 128
6        open          tcp     proto-response ttl 128
17       open|filtered udp     no-response
47       open|filtered gre     no-response
Final times for host: srtt: 10311 rttvar: 20137  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-protocols.
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
           Raw packets sent: 262 (5.396KB) | Rcvd: 256 (12.272KB)
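Both the UDP scan and the IP protocol scan above are decided mostly by ICMP destination-unreachable errors, and an ICMP error only makes sense once you decode the quoted IP header inside it (that quote is what lets a scanner match the error back to the probe that triggered it). The following is an added example written for this post, not Nmap code: it builds a UDP probe and a GRE probe, constructs the ICMP errors a target would send, parses them, and maps them to the states listed in the UDP and IP protocol scan sections. The packets are constructed in memory and nothing is sent; the IPv4 header checksum is left as zero for brevity, and treating an error that does not come from the target IP as "filtered" (the from_target flag) is my own simplification of how a scanner should distrust intermediate devices, not a statement of Nmap's exact logic.

```python
"""Decode the ICMP destination-unreachable errors that decide UDP scan (-sU) and
IP protocol scan (-sO) results. Added example for this tutorial, not Nmap code;
every packet below is constructed in memory and nothing is sent."""
import socket
import struct

ICMP_DEST_UNREACH = 3
# Destination-unreachable codes with a definite meaning for each scan; every
# other code (1 net, 2 proto, 9/10 admin prohibited, 13 filtered, ...) means
# "something in the path refused it", i.e. filtered.
UDP_STATE_BY_CODE = {3: "closed"}                  # port unreachable
PROTO_STATE_BY_CODE = {2: "closed", 3: "open"}     # proto unreachable / port unreachable


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header without options; header checksum left as 0 (constructed)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, payload=b""):
    """UDP header with checksum 0 (permitted for IPv4) and optional payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_unreach(code, offending_datagram):
    """ICMP type 3: 8-byte header, then the offending IP header + its first 8 bytes."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending_datagram[:28]


def parse_icmp_unreach(icmp):
    """Return (code, quoted_proto, quoted_dst_ip, quoted_dst_port_or_None), or None
    if this is not a destination-unreachable carrying a parseable quoted header."""
    if len(icmp) < 8 + 20:
        return None
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        return None
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4               # quoted header may carry options
    proto = quoted[9]
    dst_ip = socket.inet_ntoa(quoted[16:20])
    dport = None
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) and len(quoted) >= ihl + 4:
        dport = struct.unpack("!H", quoted[ihl + 2:ihl + 4])[0]   # dst port of our probe
    return code, proto, dst_ip, dport


def udp_scan_state(reply, from_target=True):
    """reply: None (nothing after retries), ("udp", payload) for a UDP answer,
    or raw ICMP bytes. from_target: whether the ICMP's outer source was the
    scanned IP; an error from an intermediate device is treated as a filter."""
    if reply is None:
        return "open|filtered"        # open services often ignore junk; so do drops
    if isinstance(reply, tuple) and reply[0] == "udp":
        return "open"
    parsed = parse_icmp_unreach(reply)
    if parsed is None:
        return "open|filtered"        # some unrelated ICMP, not an answer to us
    if not from_target:
        return "filtered"
    return UDP_STATE_BY_CODE.get(parsed[0], "filtered")


def proto_scan_state(reply, from_target=True):
    """reply: None, ("proto", payload) for any answer in the probed protocol,
    or raw ICMP bytes."""
    if reply is None:
        return "open|filtered"
    if isinstance(reply, tuple) and reply[0] == "proto":
        return "open"
    parsed = parse_icmp_unreach(reply)
    if parsed is None:
        return "open|filtered"
    if not from_target:
        return "filtered"
    return PROTO_STATE_BY_CODE.get(parsed[0], "filtered")


if __name__ == "__main__":
    # Constructed: our UDP probe to port 53 and the target's port-unreachable for it
    probe = build_ipv4("192.0.2.10", "192.0.2.20", socket.IPPROTO_UDP, build_udp(40000, 53))
    err = build_icmp_unreach(3, probe)
    print(parse_icmp_unreach(err), "->", udp_scan_state(err))
    gre_probe = build_ipv4("192.0.2.10", "192.0.2.20", 47, b"\x00" * 8)
    print("gre probe, proto-unreach ->", proto_scan_state(build_icmp_unreach(2, gre_probe)))
```

The quoted destination port is the only thing that ties a port unreachable to a particular probe, which is why a real scanner keeps a table of outstanding probes keyed on it; and because the same ICMP message means "closed" for a UDP port but "open" for the UDP protocol in an -sO scan, the two classifiers share the parser but not the state table.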

That's it for part 4! This post, I feel, had fairly straightforward content and probably wouldn't have caused a lot of stress while learning. If you have any questions, leave them in the comments below and I'll get back to you as soon as I can!

In the next post, we'll look specifically at port scanning options. For example: which ports to scan, which protocols to use while scanning said ports and more.
