Getting started with Nmap - Part 2

In part 1 of this series, we looked at Nmap installation, setup and a few debug options. We'll be using -d throughout the series to make more sense of the output. In this post, we'll look at the basic scanning workflow, the effect of running Nmap as root (sudo) and how to read the output. Without further ado, let's get right into it!


Disclaimer: Throughout this tutorial series I use scanme.nmap.org as the target host, and sometimes my local machine. scanme.nmap.org is a machine set up by the Nmap developers for exactly this purpose, so it is fine to scan it A FEW TIMES A DAY; please don't hammer it. Scanning networks or hosts that you do not own or have written permission to test may be a criminal offence where you live and can lead to prosecution. Get permission before scanning anything else.

Scanning a single target


nikhilh@ubuntu:~$ nmap scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 10:40 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 91.70 seconds

So, what exactly does the above scan mean?
  1. A total of 1000 ports were scanned. With default options Nmap scans the 1000 most commonly used TCP ports (taken from the frequency data in its nmap-services file), not ports 1 to 1000.
  2. Nmap deemed four ports open and the rest filtered. Nmap reports six possible port states:
    1. Open: an application on the target is actively accepting TCP connections (or UDP/SCTP packets) on the port.
    2. Closed: the port is reachable and answers Nmap's probe (with a RST for TCP), but no application is listening on it.
    3. Filtered: a firewall, filter or other obstacle in the path blocks the probe, so Nmap gets no reply (or only an ICMP error) and cannot tell whether the port is open.
    4. Unfiltered: the port is reachable but Nmap cannot tell whether it is open or closed. Only the ACK scan (-sA) produces this state.
    5. Open|Filtered: Nmap cannot tell whether the port is open or filtered. This happens with scan types where an open port gives no response at all (UDP, FIN, NULL and Xmas scans).
    6. Closed|Filtered: Nmap cannot tell whether the port is closed or filtered. Only the IP ID idle scan (-sI) produces this state.
  3. On a consumer broadband connection, something between you and the target (hint: the ISP) may be filtering or answering traffic on your behalf, which skews Nmap's output. The mix of port states is a rough hint:
    1. In the above scan there are only two states, open and filtered: every port either answered with a SYN-ACK or stayed silent, which is what a host behind a drop-everything firewall looks like.
    2. If a third state such as closed also appeared, some ports would be answering with RST while others were silently dropped. That can mean an intermediate device is blocking specific ports (port 25 and the Windows NetBIOS/SMB ports are the usual victims), but it is only a hint: a host firewall that rejects some ports and drops others produces the same picture, so confirm from a second vantage point before blaming the provider.
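To make that bookkeeping concrete, here is an added example (my own code for this post, not Nmap's and not from the original post) that parses Nmap's normal text output into per-port records, tallies every state including the ones Nmap folds into the "Not shown:" line, applies the third-state rule of thumb above, and, when the REASON column is present (-d or --reason), groups reply TTLs by state. The first two reports are the scanme.nmap.org and localhost results from this post; the third is constructed against the documentation address 192.0.2.10 to show what a mixed result looks like.

```python
"""Tally port states from Nmap's normal text output.

Added example for this post; my own code, not Nmap's. The first two
reports are copied from the scans in the post, the third is constructed
to show a mixed result (192.0.2.10 is a documentation address, not a
real scanned host).
"""
import re
from collections import Counter

SCANME = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
"""

LOCALHOST = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
"""

# Constructed: open/filtered from the host itself plus RSTs from a middlebox
# that sits a few hops closer to us (different reply TTL).
MIXED = """\
Nmap scan report for 192.0.2.10
Not shown: 994 filtered ports
PORT    STATE  SERVICE      REASON
22/tcp  open   ssh          syn-ack ttl 64
25/tcp  closed smtp         reset ttl 54
80/tcp  open   http         syn-ack ttl 64
135/tcp closed msrpc        reset ttl 54
139/tcp closed netbios-ssn  reset ttl 54
445/tcp closed microsoft-ds reset ttl 54
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Older Nmap prints "Not shown: 996 filtered ports", newer ones add the protocol
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+?)(?: (?:tcp|udp|sctp))? ports")
ALL_RE = re.compile(r"^All (\d+) scanned ports on .* are (\S+)")
TTL_RE = re.compile(r"ttl (\d+)")


def parse_report(text):
    """Return (ports, states).

    ports:  one dict per listed port (port, proto, state, service, reason)
    states: Counter of every scanned port's state, including the ones Nmap
            folded into 'Not shown: N <state> ports' or 'All N ... are <state>'
    """
    ports, states = [], Counter()
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            num, proto, state, service, reason = m.groups()
            ports.append({"port": int(num), "proto": proto, "state": state,
                          "service": service, "reason": reason})
            states[state] += 1
            continue
        m = NOT_SHOWN_RE.match(line) or ALL_RE.match(line)
        if m:
            states[m.group(2)] += int(m.group(1))
    return ports, states


def interference_hint(states):
    """The post's rule of thumb: three or more states for one host (for
    example open, filtered and closed) hint that something in the path is
    answering for some ports and dropping others. Returns the states seen
    when the hint fires, else an empty list. A hint, not proof."""
    present = sorted(s for s, n in states.items() if n)
    return present if len(present) >= 3 else []


def ttl_by_state(ports):
    """Reply TTL per state, from the REASON column (-d or --reason output).
    Replies for one host that carry different TTLs were generated by
    different hops: a stronger sign of a middlebox than the state count."""
    out = {}
    for p in ports:
        m = TTL_RE.search(p["reason"] or "")
        if m:
            out.setdefault(p["state"], set()).add(int(m.group(1)))
    return out


if __name__ == "__main__":
    for name, report in (("scanme", SCANME), ("localhost", LOCALHOST), ("mixed", MIXED)):
        ports, states = parse_report(report)
        print(name, dict(states), "hint:", interference_hint(states), ttl_by_state(ports))
```

For real work prefer Nmap's machine-readable outputs (-oX or -oG) over scraping the human-readable text, whose wording changes between versions; the parser above is meant to make the state accounting visible, not to replace them.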
Now that we have a basic idea of what to derive from a scan result, let us look deeper into it using the debug option.

nikhilh@ubuntu:~$ nmap -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 11:06 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 11:06
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 11:06, 0.08s elapsed (1 total hosts)
Overall sending rates: 24.33 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 11:06
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 11:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 11:06
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 11:06, 16.66s elapsed (1000 total ports)
Overall sending rates: 120.12 packets / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.083s latency).
Scanned at 2018-08-18 11:06:12 PDT for 17s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
31337/tcp open  Elite   syn-ack
Final times for host: srtt: 82512 rttvar: 15951  to: 146316

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 16.79 seconds

What more can we learn from the above debug information?
  1. Nmap scanned the top 1000 TCP ports (TCP:1000, UDP:0, SCTP:0). No UDP ports were probed, so UDP-only services would not show up in this scan at all.
  2. The zeros for parallelism, min-rate, max-rate and host-timeout mean "not set by the user". Nmap adjusts parallelism and scan delay on the fly from the round-trip times and packet loss it observes, and a rate or timeout of 0 means no limit.
  3. Before port scanning, Nmap pings the target to check that it is up, and then does reverse DNS lookups (the "Parallel DNS resolution" is parallel across hosts; here there is only one).
    1. If the target does not reply to any ping probe, Nmap assumes the host is down and WILL NOT port-scan it.
  4. In many cases the firewall blocks ICMP or the target doesn't answer ICMP at all, so Nmap's default host discovery is more than an ICMP echo. As an unprivileged user it cannot send raw packets, so it falls back to TCP connect probes to ports 80 and 443 (the "[2 ports]" in the ping scan above).
  5. For systems that do not respond to any of these probes (most likely behind a firewall), use -Pn to skip host discovery and scan the ports anyway.
  6. Nmap ran a TCP Connect scan (-sT) to determine port states, again because without root it cannot craft raw packets.
    1. In a Connect scan Nmap calls the operating system's connect() for each port, so the full three-way handshake is completed.
    2. In other words, Nmap sends a SYN; if the port answers with a SYN-ACK the port is open, the kernel completes the handshake with an ACK, and Nmap immediately closes the connection. A RST in reply to the SYN means closed, and no reply at all means filtered. Because the connection is fully established, the service on the target sees it and can log it.
  7. The overall sending rate was 120.12 packets per second. Custom rates can be set with --min-rate and --max-rate, but a very high rate causes drops at your NIC, somewhere in the path or at the target, and a dropped probe is reported as a filtered port rather than as an error. You can see this between the two scans above: the first found 9929/tcp open, this one didn't and reported 997 filtered ports instead of 996. Treat a single run as a sample and re-scan before drawing conclusions from a port that "disappeared".
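The connect-scan logic in items 6 and 7 is small enough to show in full. The following is an added example (my own code, not Nmap's and not part of the original post): it calls the operating system's connect() per port and maps the outcome to open, closed or filtered the way Nmap does, and runs a constructed logging service on a loopback port so that it works offline and demonstrates the property that matters for defenders, namely that the scanned service sees and can log a connect scan. The SYN scan from the next section cannot be shown this way because it needs raw sockets, which is exactly why Nmap only uses it as root.

```python
"""A minimal TCP connect scan (what Nmap's -sT does) against the loopback
interface. Added example for this post, my own code rather than Nmap's.
It calls the operating system's connect() for each port and maps the
outcome to open / closed / filtered the way Nmap does, and it runs a tiny
logging service locally so that it works offline and shows the key
property of a connect scan: the service being scanned sees the connection.
"""
import errno
import socket
import threading
import time


def connect_probe(host, port, timeout=1.0):
    """Classify one TCP port the way Nmap's connect scan does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))          # kernel runs SYN, SYN-ACK, ACK for us
        return "open"
    except ConnectionRefusedError:       # a RST answered our SYN
        return "closed"
    except socket.timeout:               # no answer at all within the timeout
        return "filtered"
    except OSError as e:
        # ICMP unreachable / admin-prohibited errors also count as filtered
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()                        # tear the connection down right away


def connect_scan(host, ports, timeout=1.0):
    """Scan the given ports one after another (Nmap parallelises this)."""
    return {port: connect_probe(host, port, timeout) for port in ports}


class LoggingService:
    """Constructed stand-in for a real service (sshd, a web server): it
    accepts connections on a free loopback port and logs each peer."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:              # listening socket closed: stop serving
                return
            self.log.append(peer)        # what a real daemon would write to its log
            conn.close()

    def close(self):
        self.sock.close()


def free_port():
    """Return a loopback port nothing listens on, so a SYN to it gets a RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed port and report what the service saw."""
    svc = LoggingService()
    closed = free_port()
    try:
        states = connect_scan("127.0.0.1", [svc.port, closed])
        for _ in range(200):             # accept() runs on another thread
            if svc.log:
                break
            time.sleep(0.01)
        return {"open_port": svc.port, "closed_port": closed,
                "states": states, "connections_logged": len(svc.log)}
    finally:
        svc.close()


if __name__ == "__main__":
    print(demo())
```

The "filtered" branch never fires on loopback; against a remote host it is the case that dominates, which is why the timeout value (Nmap's rtt-timeouts in the timing report) has such an effect on scan time and on how many ports get misreported as filtered when probes are lost.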

The effect of root


In the above output, we know that TCP Connect scan was used to determine port states. Let's see if there's any difference when Nmap is run as root.

nikhilh@ubuntu:~$ sudo nmap -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 18:08 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 18:08
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
We got a TCP ping packet back from 45.33.32.156 port 80 (trynum = 0)
Completed Ping Scan at 18:08, 0.00s elapsed (1 total hosts)
Overall sending rates: 1529.64 packets / s, 58126.20 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 18:08
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 18:08, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:08
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed SYN Stealth Scan at 18:08, 20.98s elapsed (1000 total ports)
Overall sending rates: 95.62 packets / s, 4205.39 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.027s latency).
Scanned at 2018-08-20 18:08:04 PDT for 21s
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 128
80/tcp    open  http       syn-ack ttl 128
9929/tcp  open  nping-echo syn-ack ttl 128
31337/tcp open  Elite      syn-ack ttl 128
Final times for host: srtt: 27498 rttvar: 40558  to: 189730

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.04 seconds
           Raw packets sent: 2010 (88.376KB) | Rcvd: 1440 (57.604KB)

There are three differences to note:
  1. Host discovery changed. As root Nmap can send raw packets, so the default ping is four probes (the "[4 ports]" above): an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. Here the ACK to port 80 was answered with a RST ("received reset"), which is enough to mark the host as up. As an unprivileged user only the two TCP connect probes to 80 and 443 were possible.
  2. A TCP SYN scan (-sS, shown as "SYN Stealth Scan") was used by default instead of a TCP Connect scan.
    1. In this type of scan Nmap doesn't complete the three-way handshake. It sends a SYN; a SYN-ACK means open, a RST means closed and no reply means filtered. Nmap never sends the final ACK, and the kernel answers the unexpected SYN-ACK with a RST, so no connection is ever established.
    2. Because the handshake never completes, the application on the target never sees a connection and cannot log it; that is the "stealth". A Connect scan, by contrast, shows up in the service's own logs. Firewalls and intrusion detection systems see the SYN packets either way, so a SYN scan is not stealthy against network-level monitoring, and plenty of defensive software flags it.
  3. The output now carries raw-packet details: each reason includes the TTL of the reply ("syn-ack ttl 128") and the final summary counts raw packets sent and received. Read that TTL with care. 128 is the Windows default, but scanme.nmap.org is not a Windows box; the scanning machine here is a VM on a private 192.168.182.x address, and a NAT or proxy layer in the path can answer with its own TTL and latency (note the 0.027s here versus 0.082s before). Don't guess an operating system from a single TTL without knowing what sits between you and the target.

Scanning multiple targets


nikhilh@ubuntu:~$ nmap scanme.nmap.org 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 11:21 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.081s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp

Nmap done: 2 IP addresses (2 hosts up) scanned in 32.25 seconds

When scanning multiple targets, Nmap prints a separate report for each host, as seen above. The local host is a VM, and port 631 shows the Internet Printing Protocol (IPP) service, i.e. CUPS, listening on it, which in my case is unnecessary. My laptop has no plans of becoming a print server right now, so the best practice is to shut it down; every open port you don't need is attack surface you don't need either.

nikhilh@ubuntu:~$ sudo /etc/init.d/cups stop
[....] Stopping cups (via systemctl): cups.serviceWarning: Stopping cups.service, but it can still be activated by:
  cups.socket
. ok 

Note the warning in that output: under systemd, cups.socket can start the service again on demand, so to keep port 631 closed for good also stop and disable the socket unit (systemctl disable --now cups.socket cups.service). For now, a rescan confirms the port is gone:

nikhilh@ubuntu:/etc$ nmap 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 11:28 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000045s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Variants of hostname arguments


So far we have given targets as an IP address or as a hostname, which Nmap resolves through DNS. When scanning multiple systems, targets can also be given as:
  1. CIDR notation such as 192.168.10.1/24. Nmap scans every address in the block, network and broadcast addresses included, so a /24 means all 256 of them.
  2. An octet range such as 192.168.10.1-100. A range can appear in any octet, so 192.168.10-11.1-100 is valid too.
Targets can also be read from a file with -iL, containing newline, tab or space separated entries in any of the forms above.

nikhilh@ubuntu:~$ cat host-name-list.txt
scanme.nmap.org
127.0.0.1

nikhilh@ubuntu:~$ nmap -iL host-name-list.txt 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 11:39 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed

Nmap done: 2 IP addresses (2 hosts up) scanned in 86.05 seconds

It is also possible to exclude hosts from a scan with --exclude (a comma-separated list on the command line, in the same target syntax) or --excludefile. This is how you keep out-of-scope or fragile machines out of a range you have permission to scan.

Examples:
nmap 192.168.10.1/24 --exclude 192.168.10.2
nmap 192.168.10.1/24 --exclude 192.168.10.2-6
nmap 192.168.10.1/24 --excludefile exclude-host-list.txt

exclude-host-list.txt has the same format as host-name-list.txt described above, and its entries may use the same CIDR and range notation.
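To see how the target forms above combine, here is an added example (my own code, not Nmap's target parser and not part of the original post) that expands plain addresses, CIDR blocks, octet ranges and -iL style files into concrete targets, then applies an exclusion list written in the same syntax. The two file contents are constructed stand-ins for host-name-list.txt and exclude-host-list.txt; hostnames are passed through unresolved, and Nmap's exact scan ordering and de-duplication are not claimed.

```python
"""Expand Nmap-style target specifications and apply --exclude lists.

Added example for this post; my own code, not Nmap's target parser.
Handles the forms used above: plain IPv4 addresses, CIDR blocks
(192.168.10.1/24), octet ranges (192.168.10.1-100, with a range or comma
list allowed in any octet, and '-' meaning 0-255), and whitespace-separated
target files as read by -iL and --excludefile. Hostnames are passed through
unresolved; a hostname with a /prefix is not supported here.
"""
import ipaddress
import itertools
import re

OCTET_SPEC_RE = re.compile(r"^[\d,\-]+$")


def _octet_values(part):
    """'5' -> [5]; '1-3' -> [1, 2, 3]; '-' -> 0..255; '1,3-4' -> [1, 3, 4]."""
    values = []
    for piece in part.split(","):
        if piece == "-":
            lo, hi = 0, 255
        elif "-" in piece:
            lo, hi = (int(x) for x in piece.split("-", 1))
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet range: %r" % part)
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec):
    """Return the list of target strings one specification stands for."""
    if "/" in spec:
        # Nmap scans every address of the block, including the network and
        # broadcast addresses, so 192.168.10.1/24 means all 256 of them.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(ip) for ip in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(OCTET_SPEC_RE.match(p) for p in parts):
        octets = [_octet_values(p) for p in parts]
        return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    return [spec]          # hostname: Nmap resolves it via DNS at scan time


def read_target_file(text):
    """-iL / --excludefile format: entries separated by newlines, tabs or spaces."""
    return text.split()


def expand_targets(specs, exclude=()):
    """Expand all specs, then drop everything the exclude specs expand to.
    Duplicates are removed here (this example's choice)."""
    excluded = {t for spec in exclude for t in expand_target(spec)}
    seen, targets = set(), []
    for spec in specs:
        for t in expand_target(spec):
            if t in excluded or t in seen:
                continue
            seen.add(t)
            targets.append(t)
    return targets


# Constructed stand-ins for host-name-list.txt and exclude-host-list.txt
HOST_LIST = "scanme.nmap.org\n127.0.0.1\n"
EXCLUDE_LIST = "192.168.10.2-6 192.168.10.9\n"

if __name__ == "__main__":
    print(expand_targets(read_target_file(HOST_LIST)))
    print(expand_targets(["192.168.10.0/28"], exclude=read_target_file(EXCLUDE_LIST)))
```

Expanding the list before the scan is also a cheap sanity check: if the expanded set contains anything you don't have permission to touch, fix the specification (or the exclude file) before Nmap sends a single packet.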

That's it for part 2! I hope everything was simple to understand and if you have any questions, feel free to leave them in the comments below. In this post, we saw that Nmap first pings the host before scanning it.

In part 3, we'll look at the different kinds of ping Nmap can use (ICMP and TCP ping are just two of them), or host discovery as it is formally called.
