Getting started with Nmap - Part 6

In part 5, we learned about the various port-specific scanning options. In this post, we'll look at OS and version detection, along with the timing options that Nmap provides.

OS detection is also known as TCP/IP fingerprinting. Nmap performs it by comparing the target's behaviour against a database of fingerprints collected for each OS: a fingerprint records how a particular OS responds to certain specially crafted packets.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general, is a cyber crime and may even lead to jail. Please get permission before scanning random networks.


Operating System Detection


With the -O option, Nmap attempts to detect the operating system running on the target machine.

nikhilh@ubuntu:~$ sudo nmap -O 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 16:52 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.14
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds

For OS detection to work accurately, Nmap needs at least one open and one closed port on the target. When scanning many systems, it is advisable to add --osscan-limit so that Nmap skips OS detection for hosts that do not meet this criterion.

nikhilh@ubuntu:~$ sudo nmap -d -O --osscan-limit 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 16:57 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Skipping OS Scan against localhost (127.0.0.1) due to absence of open (or perhaps closed) ports
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.0000020s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed because of 1000 resets
Final times for host: srtt: 2 rttvar: 0  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-os-db nmap-payloads nmap-services.
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2000 (84.000KB)

To cap the number of attempts Nmap makes to identify the OS, use the --max-os-tries <number> option.

Determine the Service Version


With the -sV option, Nmap attempts to detect the version of the service listening on each open port. By default, -sV skips ports 9100-9107. These ports are usually associated with network printers, which respond with garbage values when Nmap probes them for service versions.

nikhilh@ubuntu:~$ sudo nmap -d -sV 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 06:53 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 43 scripts for scanning.
mass_rdns: Using DNS server 127.0.1.1
Initiating SYN Stealth Scan at 06:53
...
...
Initiating Service scan at 06:53
Scanning 1 service on localhost (127.0.0.1)
Completed Service scan at 06:53, 6.02s elapsed (1 service on 1 host)
NSE: Script scanning 127.0.0.1.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 06:53
NSE: Starting hnap-info against 127.0.0.1:631.
NSE: Starting vmware-version against 127.0.0.1:631.
NSE: Starting http-server-header against 127.0.0.1:631.
NSE: Starting http-trane-info against 127.0.0.1:631.
NSE: [hnap-info 127.0.0.1:631] HTTP: Host returns proper 404 result.
NSE: [vmware-version 127.0.0.1:631] Couldn't download file: /sdk
NSE: Finished vmware-version against 127.0.0.1:631.
NSE: [http-trane-info 127.0.0.1:631] HTTP: Host returns proper 404 result.
NSE: Finished hnap-info against 127.0.0.1:631.
NSE: Finished http-server-header against 127.0.0.1:631.
NSE: Finished http-trane-info against 127.0.0.1:631.
Completed NSE at 06:53, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 06:53
Completed NSE at 06:53, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2001 (84.044KB)

  1. To stop Nmap skipping ports 9100-9107, use the --all-ports option.
  2. To probe the host more intensely for service versions, use --version-intensity <intensity-number [0-9]>.
    1. A lower intensity is faster but may miss versions that a higher intensity would have identified.
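
Putting the two detection features together: the following Python script is an added example (not part of this post and not Nmap's own code) that parses Nmap's normal output, that is the port table, the "Not shown" / "All N scanned ports" summary lines and the -O lines, and applies the same one-open-plus-one-closed rule that --osscan-limit enforces, so you can tell from a saved report whether its OS result deserves any trust. The three sample reports are constructed to mirror the outputs above; the version strings in the first one are made up.

```python
"""Parse Nmap normal output into a small inventory and apply the sanity rule
that -O relies on (and that --osscan-limit enforces).

Added example, not Nmap's own code; the sample reports below are constructed
to mirror the shapes of the -O and -sV output in the post."""
import re
from typing import Dict, List

PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (.+)$")
ALL_PORTS_RE = re.compile(r"^All (\d+) scanned ports on .* are (\S+)")
STATE_COUNT_RE = re.compile(
    r"(\d+) (open\|filtered|closed\|filtered|open|closed|filtered|unfiltered) ports?")
OS_KEYS = ("Device type", "Running", "OS CPE", "OS details", "Network Distance")

# Constructed sample 1: localhost with -sV and -O (version strings are made up)
SAMPLE_LOCALHOST = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.6 (protocol 2.0)
631/tcp open  ipp     CUPS 2.2
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.14
Network Distance: 0 hops
"""

# Constructed sample 2: open ports seen, but no closed port at all
SAMPLE_NO_CLOSED = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.060s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
"""

# Constructed sample 3: everything closed, the case --osscan-limit skips
SAMPLE_ALL_CLOSED = """\
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.0000020s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed because of 1000 resets
"""


def parse_report(text: str) -> Dict:
    """Collect per-port rows, the 'Not shown'/'All N ports' summaries and the -O lines."""
    report = {"ports": [], "summary": {}, "os": {}}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version or ""})
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            for count, state in STATE_COUNT_RE.findall(m.group(1)):
                report["summary"][state] = report["summary"].get(state, 0) + int(count)
            continue
        m = ALL_PORTS_RE.match(line)
        if m:
            count, state = int(m.group(1)), m.group(2)
            report["summary"][state] = report["summary"].get(state, 0) + count
            continue
        for key in OS_KEYS:
            if line.startswith(key + ":"):
                report["os"][key] = line[len(key) + 1:].strip()
    return report


def count_state(report: Dict, state: str) -> int:
    """Ports in a given state: explicit rows plus whatever the summary line folded away."""
    explicit = sum(1 for p in report["ports"] if p["state"] == state)
    return explicit + report["summary"].get(state, 0)


def os_detection_reliable(report: Dict) -> bool:
    """Nmap's rule: the fingerprint needs at least one open and one closed port,
    otherwise it prints the 'OSScan results may be unreliable' warning (or, with
    --osscan-limit, skips the host altogether)."""
    return count_state(report, "open") >= 1 and count_state(report, "closed") >= 1


def service_inventory(report: Dict) -> List[str]:
    """One line per open port; the version column is what -sV adds over a plain scan."""
    return [f'{p["port"]}/{p["proto"]} {p["service"]} {p["version"]}'.rstrip()
            for p in report["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    for name, text in (("localhost", SAMPLE_LOCALHOST), ("no closed", SAMPLE_NO_CLOSED),
                       ("all closed", SAMPLE_ALL_CLOSED)):
        r = parse_report(text)
        print(name, "reliable OS result:", os_detection_reliable(r), r["os"].get("OS details", "-"))
        for row in service_inventory(r):
            print("   ", row)
```

Feed it `nmap -oN` output from your own hosts and the reliability check tells you which OS rows in an inventory were built on a fingerprint Nmap itself would have flagged.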

Guessing an OS


If Nmap cannot determine the OS with certainty, the --osscan-guess option makes it report its best guesses from the information it has.

(In the example below, the guessing did not actually come into play, because Nmap did not run into an unknown OS while scanning the host. The example is shown for demonstration purposes only.)

nikhilh@ubuntu:~$ sudo nmap -d -O --osscan-guess scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 06:38 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 06:38
...
...
Overall sending rates: 75.94 packets / s, 3339.26 bytes / s.
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or (tcp and (src host 45.33.32.156)))
Initiating OS detection (try #1) against scanme.nmap.org (45.33.32.156)
OS detection timingRatio() == (1535031531.632 - 1535031531.128) * 1000 / 500 == 1.006
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.060s latency).
...
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X|3.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/23%OT=22%CT=%CU=%PV=N%G=N%TM=5B7EB8ED%P=x86_64-unkno
OS:wn-linux-gnu)SEQ(SP=106%GCD=1%ISR=104%TS=U)OPS(O1=M5B4%O2=M5B4%O3=M5B4%O
OS:4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FA
OS:F0)ECN(R=Y%DF=N%TG=80%W=FAF0%O=M5B4%CC=N%Q=)T1(R=Y%DF=N%TG=80%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%TG=80%W=FAF0%S=O%A=S+%F=AS%O=M5B4%RD=0%Q=
OS:)T4(R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=N%TG=80%W=7FF
OS:F%S=A%A=Z%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=N%TG=80%CD=S)

TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Final times for host: srtt: 59841 rttvar: 45038  to: 239993

Read from /usr/local/bin/../share/nmap: nmap-os-db nmap-payloads nmap-services.
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.34 seconds
           Raw packets sent: 2054 (92.594KB) | Rcvd: 1042 (42.470KB)

The TCP/IP fingerprint generated in the output can be submitted to Nmap to help improve the accuracy of Nmap's OS detection feature.

Now we'll start looking at the timing options. With these you can control the time between probes to a host, the time between hosts, and more.

Using Timing Templates


The easiest way to adjust the timing options, albeit all at once, is to use a timing template. They range from 0 to 5, with 0 being the slowest and 5 the fastest:

  1. T0: Paranoid
  2. T1: Sneaky
  3. T2: Polite
  4. T3: Normal (default timing template)
  5. T4: Aggressive
  6. T5: Insane

The more aggressive the scan, the more noticeable it is on the target system. In general, one would use slow scanning when trying to evade firewalls and fast scanning on speedy networks.
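
What "noticeable" means from the other side: the following Python detector is an added example (not from this post) that runs over constructed firewall drop-log lines, one burst paced like T5, one scan paced like T1 with 15 s between probes, and one client retrying a single blocked port. It counts distinct destination ports per source inside a sliding window and reports the median gap between probes, so the fast scan is caught with a 60 s window while the sneaky one only shows up once the window is stretched to ten minutes. The log format and the addresses are constructed; LINE_RE would need adapting to a real firewall's layout.

```python
"""Flag port scans in firewall drop logs and characterise their pacing.

Added example (not from the original post). The log format and the addresses
are constructed; adapt LINE_RE to your own firewall's log layout."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed format: "<ISO timestamp> DROP TCP <src>:<sport> -> <dst>:<dport> S"
LINE_RE = re.compile(
    r"^(\S+) DROP TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(\d+) S$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, int]]:
    """Return (timestamp, source address, destination port) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def build_sample_log() -> List[str]:
    """Constructed log: one T5-style burst, one T1-style slow scan, one benign retry."""
    t0 = datetime(2018, 8, 23, 13, 15, 0)
    lines = []
    for i in range(200):           # 200 distinct ports, 20 ms apart: a fast template
        ts = t0 + timedelta(milliseconds=20 * i)
        lines.append(f"{ts.isoformat()} DROP TCP 192.0.2.10:40001 -> 198.51.100.5:{1 + i} S")
    for i in range(20):            # 20 distinct ports, 15 s apart: T1 'sneaky' pacing
        ts = t0 + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} DROP TCP 192.0.2.20:40002 -> 198.51.100.5:{8000 + i} S")
    for i in range(5):             # a client retrying one blocked port
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} DROP TCP 192.0.2.30:40003 -> 198.51.100.5:443 S")
    return lines


def detect_scans(lines: List[str], window_s: int = 60, min_ports: int = 15) -> Dict[str, Dict]:
    """Per source, the largest number of distinct destination ports hit within any
    window_s-second sliding window; sources at or above min_ports are reported,
    together with the median gap between their probes."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dport in sorted(filter(None, map(parse_line, lines))):
        by_src[src].append((ts, dport))
    window = timedelta(seconds=window_s)
    alerts: Dict[str, Dict] = {}
    for src, probes in by_src.items():
        seen: Dict[int, int] = defaultdict(int)
        best, j = 0, 0
        for ts, dport in probes:
            seen[dport] += 1
            while probes[j][0] < ts - window:     # drop probes that fell out of the window
                old = probes[j][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                j += 1
            best = max(best, len(seen))
        if best >= min_ports:
            gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(probes, probes[1:]))
            median_gap = gaps[len(gaps) // 2] if gaps else 0.0
            alerts[src] = {"distinct_ports": best, "median_gap_s": median_gap,
                           "profile": "fast (T4/T5-like)" if median_gap < 0.1 else "slow (T0-T2-like)"}
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", detect_scans(log))
    print("600 s window:", detect_scans(log, window_s=600))
```

The window length is the whole game: a T1 scan spaces probes 15 seconds apart precisely so that a short-window threshold never trips, which is why long-baseline aggregation (or a lower threshold on very slow sources) is needed to see it.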

Below, I've used the fastest timing template:

nikhilh@ubuntu:~$ nmap -d -T5 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:15 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 250, min 50, max 300
  max-scan-delay: TCP 5, UDP 1000, SCTP 5
  parallelism: min 0, max 0
  max-retries: 2, host-timeout: 900000
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:15
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
...
...
Final times for host: srtt: 77087 rttvar: 15669  to: 139763

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds

When using the default timing template, I expect the time taken to scan to be more than 6.7s.

nikhilh@ubuntu:~$ nmap -d -T3 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:14 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:14
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 13:14, 0.08s elapsed (1 total hosts)
...
...
Reason: 996 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
9929/tcp  open  nping-echo syn-ack
31337/tcp open  Elite      syn-ack
Final times for host: srtt: 80227 rttvar: 15726  to: 143131

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds

Set the Minimum/Maximum Number of Parallel Probes


These options (--min-parallelism and --max-parallelism) specify the minimum and maximum number of probes Nmap keeps outstanding in parallel while port scanning a target. Normally, Nmap picks these values itself based on the network's speed and quality.

It is important to note that setting these values too high may lead to inaccurate results.

nikhilh@ubuntu:~$ nmap -d --min-parallelism 5 --max-parallelism 10 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:19 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 5, max 10
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Set the Minimum/Maximum Hosts to Scan in Parallel


These options (--min-hostgroup and --max-hostgroup) specify how many hosts Nmap scans in parallel. Setting them too high may lead to inaccurate results.

nikhilh@ubuntu:~$ nmap -d --min-hostgroup 2 --max-hostgroup 3 scanme.nmap.org 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:26 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 2, max 3
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 2 IP addresses (2 hosts up) scanned in 21.75 seconds

Set the Minimum/Maximum Packet Rate

Nmap adjusts its packet rate to the network's speed and stability. With --min-rate and --max-rate, the minimum and maximum packet rate can be set explicitly. It is important to note that a minimum packet rate that is too high may lead to unreliable results.

nikhilh@ubuntu:~$ nmap -d --min-rate 700 --max-rate 1200 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:06 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 700, max-rate: 1200
---------------------------------------------
...
...
Final times for host: srtt: 76122 rttvar: 44945  to: 255902

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 3.35 seconds

Set the Minimum/Maximum Scan Delay


With --scan-delay and --max-scan-delay, we can set the time interval between probes. While this increases scan time, it also helps in avoiding detection.

nikhilh@ubuntu:~$ nmap -d --scan-delay 10ms --max-scan-delay 100ms scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:12 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 100, UDP 100, SCTP 100
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 35.99 seconds

Set the Round Trip Timeout (RTT) - Minimum, Initial and Maximum


Nmap waits a certain interval for each probe's response; if that timeout expires, it retransmits the probe. Under the default timing template, Nmap starts with an initial RTT timeout of 1000 ms. It then adjusts the timeout dynamically from the measured network performance, and the minimum and maximum RTT timeout options set the range for that adjustment.

It is important to note that setting the RTT timeouts very low can actually slow a scan: Nmap gives up waiting for responses too early and retransmits packets more often.
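
The "Final times for host: srtt ... rttvar ... to ..." lines in the debug output above show how the adjustment works: srtt is the smoothed round-trip time and rttvar its smoothed deviation (both in microseconds), and the timeout is srtt + 4*rttvar clamped into the [--min-rtt-timeout, --max-rtt-timeout] range. The Python below is an added example (not Nmap's code) that checks that formula against this page's own lines and simulates the estimator. The smoothing gains (1/8 and 1/4, the classic TCP values from RFC 6298) and the first-sample seeding are my assumptions about Nmap's internals; the final timeout formula is the part confirmed by the "Final times" lines on this page.

```python
"""Reproduce the 'Final times for host: srtt ... rttvar ... to ...' numbers.

Added example, not Nmap's own code. Nmap keeps a smoothed RTT (srtt) and a
smoothed deviation (rttvar) per host, in microseconds, and derives the probe
timeout as srtt + 4*rttvar clamped into [--min-rtt-timeout, --max-rtt-timeout].
The update gains (1/8 and 1/4) are the classic TCP values from RFC 6298, which
I assume Nmap also uses; the first-sample seeding is likewise an assumption."""
import re
from typing import Optional, Tuple

FINAL_RE = re.compile(r"Final times for host: srtt: (-?\d+) rttvar: (-?\d+)\s+to: (\d+)")


def rtt_timeout_us(srtt_us: int, rttvar_us: int, min_us: int, max_us: int) -> int:
    """Probe timeout in microseconds: srtt + 4*rttvar, clamped to the configured range."""
    return max(min(srtt_us + 4 * rttvar_us, max_us), min_us)


def check_final_times(line: str, min_rtt_ms: int = 100,
                      max_rtt_ms: int = 10000) -> Tuple[int, int, bool]:
    """Recompute the timeout from a 'Final times for host' line and compare it with
    the value Nmap printed; the defaults are the T3 limits (100 ms .. 10000 ms)."""
    m = FINAL_RE.search(line)
    if not m:
        raise ValueError("not a 'Final times for host' line")
    srtt, rttvar, reported = (int(g) for g in m.groups())
    predicted = rtt_timeout_us(srtt, rttvar, min_rtt_ms * 1000, max_rtt_ms * 1000)
    return predicted, reported, predicted == reported


class RttEstimator:
    """Jacobson/Karels smoothing with Nmap-style clamping (assumed gains, see above)."""

    def __init__(self, initial_ms: int, min_ms: int, max_ms: int) -> None:
        self.srtt: Optional[int] = None
        self.rttvar: Optional[int] = None
        self.min_us, self.max_us = min_ms * 1000, max_ms * 1000
        self.timeout = initial_ms * 1000        # used until the first response arrives

    def sample(self, rtt_us: int) -> int:
        """Feed one measured round-trip time; returns the new probe timeout."""
        if self.srtt is None:                   # first measurement seeds both estimators
            self.srtt, self.rttvar = rtt_us, rtt_us // 2
        else:
            delta = rtt_us - self.srtt
            self.srtt += delta // 8
            self.rttvar += (abs(delta) - self.rttvar) // 4
        self.timeout = rtt_timeout_us(self.srtt, self.rttvar, self.min_us, self.max_us)
        return self.timeout

    def would_retransmit(self, rtt_us: int) -> bool:
        """A reply slower than the current timeout is treated as lost and the probe is resent."""
        return rtt_us > self.timeout


if __name__ == "__main__":
    # Lines quoted from the debug output above: T3 defaults, then the T5 run (50 ms .. 300 ms)
    print(check_final_times("Final times for host: srtt: 80227 rttvar: 15726  to: 143131"))
    print(check_final_times("Final times for host: srtt: 2 rttvar: 0  to: 100000"))
    print(check_final_times("Final times for host: srtt: 77087 rttvar: 15669  to: 139763",
                            min_rtt_ms=50, max_rtt_ms=300))
    # A --max-rtt-timeout below the real RTT: every reply arrives "late" and is retransmitted
    tight = RttEstimator(initial_ms=1000, min_ms=50, max_ms=50)
    tight.sample(80_000)
    print("timeout", tight.timeout, "retransmit 80 ms reply:", tight.would_retransmit(80_000))
```

The tight estimator at the end is the failure mode the paragraph above warns about: with an 80 ms path and a 50 ms cap, the timeout can never exceed the real round-trip time, so probes are resent over and over and the scan slows down rather than speeding up.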

nikhilh@ubuntu:~$ nmap -d --initial-rtt-timeout 900ms --max-rtt-timeout 1500ms --min-rtt-timeout 800ms scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:46 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 900, min 800, max 1500
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 49.77 seconds

Setting the Maximum Number of Probe Retries


As I said before, Nmap retransmits packets if it doesn't receive a response the first time. This option (--max-retries) sets the maximum number of such retries.

nikhilh@ubuntu:~$ nmap -d --max-retries 3 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 13:53 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 3, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Final times for host: srtt: 80692 rttvar: 13467  to: 134560

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 32.14 seconds

Set Host Timeout


When Nmap encounters a slow host, it waits a specific interval of time before giving up on it. With --host-timeout, we can set that interval. Setting the timeout too low will interrupt the scanning of that host and lead to early termination.

nikhilh@ubuntu:~$ nmap -d --host-timeout 50s scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:16 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 50000
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 20.69 seconds


Set the Packet Time-To-Live (TTL)


In situations where the target system is present on a slow network, packets sent to it may time out because their TTL value is too low. With the --ttl option, we can set that value.

nikhilh@ubuntu:~$ nmap -d --ttl 20s scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:21 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 30.38 seconds

Although the TTL value is specified in seconds here, it is equivalent to a hop count, which decreases by 1 at every hop.

Defeat Reset Rate Limits


We know that rate limiting is applied to ICMP Type 3 Port Unreachable messages on UDP ports. If similar rate limiting is applied to RST packets, this option can be used. It is important to note that this option works only with the TCP SYN scan that we studied in Part 4.

nikhilh@ubuntu:~$ sudo nmap -d --defeat-rst-ratelimit -sS scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-23 14:26 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 14:26
...
...
22/tcp    open   ssh        syn-ack ttl 128
80/tcp    open   http       syn-ack ttl 128
9929/tcp  open   nping-echo syn-ack ttl 128
10012/tcp closed unknown    reset ttl 128
31337/tcp open   Elite      syn-ack ttl 128
Final times for host: srtt: 113005 rttvar: 214217  to: 969873

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 24.05 seconds
           Raw packets sent: 2012 (88.456KB) | Rcvd: 1703 (68.124KB)

That's it for part 6! This post has a lot of information that you must remember, especially because these options will be helpful in evading and avoiding detection by IDS and firewalls. If you have any questions, leave them in the comments below and I'll get back to you as soon as I can!

In the next post, we'll take a look at the various firewall and IDS evasion techniques that are built into Nmap.

Getting started with Nmap - Part 5

In part 4, we looked at the various scanning techniques that are available in Nmap. In this post, we'll look at the various port-scan specific options that Nmap provides.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general, is a cyber crime and may even lead to jail. Please get permission before scanning random networks.

Scan specific ports


So far, we've been looking at options where, by default, the top 1000 ports are scanned. There will be situations where you need to scan a port that is not among those 1000. The -p option is for that situation.

nikhilh@ubuntu:~$ nmap -d -p80,443 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 12:25 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
...
...
PORT    STATE    SERVICE REASON
80/tcp  open     http    syn-ack
443/tcp filtered https   no-response
Final times for host: srtt: 81264 rttvar: 61024  to: 325360

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds

Scan ports by name


If you have forgotten the port number for a particular service, that is not a problem. Instead of the port number, you can give the name of the service that runs on that port.

nikhilh@ubuntu:~$ nmap -d -pimap,smtp scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:23 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.082s latency).
Scanned at 2018-08-22 13:23:47 PDT for 2s

PORT    STATE    SERVICE REASON
25/tcp  filtered smtp    no-response
143/tcp filtered imap    no-response
Final times for host: srtt: 81738 rttvar: 81738  to: 408690

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

Scan ports by protocol


If you want to scan port x over TCP and port y over UDP, this option makes it possible. It is important to use both -sS (or any other TCP scanning technique) and -sU for this to work.

nikhilh@ubuntu:~$ sudo nmap -d -sU -sS -p T:80,U:67 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 15:21 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Scanned at 2018-08-22 15:21:07 PDT for 0s

PORT   STATE         SERVICE REASON
80/tcp open          http    syn-ack ttl 128
67/udp open|filtered dhcps   no-response
Final times for host: srtt: 10394 rttvar: 24115  to: 106854

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
           Raw packets sent: 7 (252B) | Rcvd: 3 (112B)

Scanning all ports


If you have the need to scan ALL 65535 ports, then this option will be helpful. Keep in mind that it will take a while to execute. I have never had the need to use this option so far. The command is as below:

nikhilh@ubuntu:~$ nmap -d -p- scanme.nmap.org
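
Since the last four sections all use the -p syntax, here is an added Python example (not Nmap's own parser) that expands a port specification the way these commands do: plain numbers, ranges including the bare "-" of -p-, service names, and T:/U:/S: qualifiers that stick to every following item until the next qualifier. The SERVICES table is a constructed subset of nmap-services; wildcard names such as http* are resolved against it.

```python
"""Expand Nmap-style port specifications (-p) into per-protocol port sets.

Added example, not Nmap's own parser. The SERVICES table is a constructed
subset of nmap-services; Nmap resolves names (and wildcards such as http*)
against the full file."""
import re
from fnmatch import fnmatch
from typing import Dict, Set, Tuple

SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "dhcps": 67,
            "http": 80, "pop3": 110, "imap": 143, "https": 443, "ipp": 631}
PROTO_PREFIX = re.compile(r"^([TUS]):(.*)$")
RANGE_RE = re.compile(r"^(\d*)-(\d*)$")


def expand_item(item: str) -> Set[int]:
    """One comma-separated element: number, range (a-b, -b, a-, or bare '-'), or service name."""
    m = RANGE_RE.match(item)
    if m:                                     # bare '-' means 1-65535, as Nmap's -p- does
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else 65535
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        return set(range(lo, hi + 1))
    if item.isdigit():
        port = int(item)
        if port > 65535:
            raise ValueError(f"port out of range: {item!r}")
        return {port}
    if "*" in item or "?" in item:            # wildcard over service names
        ports = {p for name, p in SERVICES.items() if fnmatch(name, item)}
    else:
        ports = {SERVICES[item]} if item in SERVICES else set()
    if not ports:
        raise ValueError(f"unknown port or service: {item!r}")
    return ports


def parse_port_spec(spec: str, default_protos: Tuple[str, ...] = ("T",)) -> Dict[str, Set[int]]:
    """T:/U:/S: qualifiers stick to every following item until the next qualifier;
    unqualified items apply to default_protos (e.g. ('T', 'U') when -sS -sU are both given)."""
    result: Dict[str, Set[int]] = {"T": set(), "U": set(), "S": set()}
    current = list(default_protos)
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        m = PROTO_PREFIX.match(item)
        if m:
            current, item = [m.group(1)], m.group(2)
        ports = expand_item(item)
        for proto in current:
            result[proto].update(ports)
    return result


def probe_count(spec: str, default_protos: Tuple[str, ...] = ("T",)) -> int:
    """How many (port, protocol) probes the specification implies per host; -p- is 65535."""
    return sum(len(s) for s in parse_port_spec(spec, default_protos).values())


if __name__ == "__main__":
    for spec in ("80,443", "imap,smtp", "T:80,U:67", "-", "http*"):
        parsed = parse_port_spec(spec, default_protos=("T", "U") if "U:" in spec else ("T",))
        print(f"{spec:>10} -> {probe_count(spec):>5} probes", {k: sorted(v)[:5] for k, v in parsed.items() if v})
```

The probe count is the useful number for a defender reading such a command in a shell history or an IDS alert: -p- against one host is 65535 SYNs, which is the volume behind the "it will take a while" remark above.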

Scan top ports


Previously, we have seen the top 1000 ports being scanned. With the -F option, Nmap scans the top 100 ports. But what if you need to scan the top 10 ports, or the top 200? The --top-ports option is for that.

nikhilh@ubuntu:~$ nmap -d --top-ports 10 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:34 PDT
PORTS: Using top 10 ports found open (TCP:10, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
PORT     STATE    SERVICE       REASON
21/tcp   filtered ftp           no-response
22/tcp   open     ssh           syn-ack
23/tcp   filtered telnet        no-response
25/tcp   filtered smtp          no-response
80/tcp   open     http          syn-ack
110/tcp  filtered pop3          no-response
139/tcp  filtered netbios-ssn   no-response
443/tcp  filtered https         no-response
445/tcp  filtered microsoft-ds  no-response
3389/tcp filtered ms-wbt-server no-response
Final times for host: srtt: 82117 rttvar: 35374  to: 223613

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds

Scanning ports sequentially


Scanning ports sequentially (-r) is usually not recommended, because it makes it very obvious that someone is scanning the system. But if there is a requirement, then this is the option to use.

nikhilh@ubuntu:~$ nmap -d -r scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:40 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
9929/tcp open  nping-echo syn-ack
Final times for host: srtt: 82645 rttvar: 15487  to: 144593

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds

Scan and show only open ports


When the --open option is used, Nmap displays only open ports. All others (closed, filtered, unfiltered, open|filtered and closed|filtered) are not displayed.

nikhilh@ubuntu:~$ nmap -d --open scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 14:55 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Reason: 997 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
80/tcp   open  http       syn-ack
9929/tcp open  nping-echo syn-ack
Final times for host: srtt: 83157 rttvar: 12869  to: 134633

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

That's it for part 5! Like part 4, I believe this post's content was straight forward as well. I hope everything was simple to understand. If there are any questions, please leave them in the comments below and I'll get back to you as soon as I can!

In the next part, we'll be looking at OS and service version detection along with timing options that Nmap offers.

Getting started with Nmap - Part 4

In part 3 of this tutorial series, we looked at various host discovery options that Nmap provides. Nmap first pings the target, checks its status and will proceed to scan it only if the host is alive (if -Pn option is not used). In this part, we'll look at the various scanning options that Nmap provides.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general, is a cyber crime and may even lead to jail. Please get permission before scanning random networks.


Fast Scan


When the fast scan option (-F) is used, Nmap scans only the top 100 most commonly used ports rather than the top 1000.

nikhilh@ubuntu:~$ nmap -F -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 05:43 PDT
PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 05:43
...
...
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
Final times for host: srtt: 81393 rttvar: 34707  to: 220221

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 3.01 seconds

TCP SYN Scan


In part 2, I mentioned the TCP Stealth scan. TCP SYN scan (-sS) is the official name for it. It requires root privileges to execute, and it is also the default scanning technique when Nmap is run as root.

nikhilh@ubuntu:~$ sudo nmap -sS -d scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 05:53 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
...
...
Initiating SYN Stealth Scan at 05:53
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed SYN Stealth Scan at 05:53, 31.55s elapsed (1000 total ports)
...
...
Nmap done: 1 IP address (1 host up) scanned in 31.61 seconds
           Raw packets sent: 2018 (88.700KB) | Rcvd: 1032 (41.280KB)

TCP Connect Scan


We already know that TCP Connect scan (-sT) is the default scanning technique when Nmap is run with regular user privileges.

nikhilh@ubuntu:~$ nmap -d -sT scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:02 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating Connect Scan at 06:02
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 50.72 seconds

TCP Connect scan is less reliable than TCP SYN scan because Connect scan goes through the local host's TCP/IP stack; it does not generate its own raw packets.

TCP ACK Scan


In this type of scan, Nmap sends TCP ACK packets to the target host. It is useful when you want to check whether a system is protected by a firewall:

  1. If the system is protected, Nmap receives no responses and the ports are marked filtered.
  2. If it is unprotected, Nmap receives RST packets and marks the ports as unfiltered, as in the case below.

nikhilh@ubuntu:~$ sudo nmap -d -sA scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:15 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating ACK Scan at 06:15
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed ACK Scan at 06:15, 0.03s elapsed (1000 total ports)
Overall sending rates: 34491.08 packets / s, 1379643.36 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.000025s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are unfiltered because of 1000 resets
Final times for host: srtt: 25 rttvar: 7  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
           Raw packets sent: 1004 (40.152KB) | Rcvd: 1001 (40.040KB)

TCP Null Scan


Null scan is a type of scan in which none of the TCP flags (SYN, ACK, FIN, RST, URG, PSH, ECE and CWR) are set. Many systems do not respond to such packets, but a badly configured one will.
  1. If a port is open, the target does not know what to do with such a packet and discards it silently.
  2. If a port is closed, Nmap receives a RST response.

nikhilh@ubuntu:~$ sudo nmap -d -sN scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:40 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating NULL Scan at 06:40
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed NULL Scan at 06:40, 4.03s elapsed (1000 total ports)
Overall sending rates: 496.45 packets / s, 19858.06 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00039s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 389 rttvar: 2213  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)

TCP FIN Scan


Like the TCP Null scan, not all systems respond to the TCP FIN scan. In this type of scan, only the FIN flag in the TCP header is set.
  1. If a port is open, the packet is discarded silently and there is no response.
  2. If a port is closed, the target replies with an error (a RST packet).

nikhilh@ubuntu:~$ sudo nmap -d -sF scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 08:48 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating FIN Scan at 08:48
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed FIN Scan at 08:48, 4.03s elapsed (1000 total ports)
Overall sending rates: 497.08 packets / s, 19883.05 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00044s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 444 rttvar: 2246  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)

XMAS Scan


In this type of scan, the TCP flags URG, FIN and PSH are set. It is called the XMAS scan because so many TCP flags are set that the header looks like it is "lit up like a Christmas tree". Not all systems respond to this type of scan.

Systems that conform to RFC 793 are especially at risk, because the RFC specifies exactly how a closed port and an open port must answer such a packet.
  1. Ports that do not respond to such packets are deemed open (Nmap reports them as open|filtered, as in the output below, because a probe dropped by a firewall produces the same silence).
  2. If the port replies with a RST, it is deemed closed.

nikhilh@ubuntu:~$ sudo nmap -d -sX scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 08:56 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating XMAS Scan at 08:56
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed XMAS Scan at 08:56, 4.04s elapsed (1000 total ports)
Overall sending rates: 495.34 packets / s, 19813.80 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00029s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 290 rttvar: 2164  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)

UDP Scan


Some services (DHCP on ports 67 and 68, for example) use UDP rather than TCP, and the state of such ports is missed entirely if you use only TCP scanning techniques.
  1. If a port is open or filtered, Nmap usually receives no response and reports it as open|filtered.
  2. If a port is closed, Nmap receives an ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) response. Many systems rate-limit these ICMP errors, which increases the time required to solicit a response from the target.

nikhilh@ubuntu:~$ sudo nmap -sU -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 09:04 PDT
PORTS: Using top 1000 ports found open (TCP:0, UDP:1000, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating UDP Scan at 09:04
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed UDP Scan at 09:04, 4.04s elapsed (1000 total ports)
Overall sending rates: 496.33 packets / s, 14365.54 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00036s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 360 rttvar: 2245  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
           Raw packets sent: 2007 (58.126KB) | Rcvd: 5 (188B)
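The ACK, Null, FIN, XMAS and UDP sections above all reduce to the same question: what does the target send back, and what state does Nmap derive from it? The following added example (not code from the post or from Nmap) models that in plain Python with no real traffic: an RFC 793-style reply function for the TCP probes, Nmap's reply-to-state mapping for each scan type including -sU, and a defender-side counter that flags sources sending NULL, FIN or XMAS probes to many ports. The packet records and addresses are constructed.

```python
# Added example, not code from the post or from Nmap. It models, in plain
# Python with constructed packet records and no real traffic, three things the
# sections above describe: how an RFC 793 stack answers the probes behind
# -sA, -sN, -sF and -sX, how Nmap turns each answer into a port state (the
# -sU mapping is included too), and how a defender can spot NULL/FIN/XMAS
# probes in a packet log.

NULL_FLAGS = frozenset()
FIN_FLAGS = frozenset({"FIN"})
XMAS_FLAGS = frozenset({"FIN", "PSH", "URG"})
ACK_FLAGS = frozenset({"ACK"})

SCANS = {"-sN": NULL_FLAGS, "-sF": FIN_FLAGS, "-sX": XMAS_FLAGS, "-sA": ACK_FLAGS}


def rfc793_reply(flags, port_open, firewalled=False):
    """Reply of an RFC 793-conforming stack to a TCP probe with these flags.

    Returns "RST", "SYN-ACK" or None (the probe is silently dropped).
    A stateful firewall in front of the host drops every probe that does not
    belong to an established connection, which is the "filtered" case.
    """
    if firewalled:
        return None
    flags = frozenset(flags)
    if "ACK" in flags and "SYN" not in flags:
        return "RST"  # ACK without a connection: RST whether the port is open or not
    if "SYN" in flags:
        return "SYN-ACK" if port_open else "RST"
    # NULL, FIN and XMAS probes: closed ports answer RST, open ports stay silent.
    return None if port_open else "RST"


def nmap_state(scan, reply):
    """State Nmap reports for a scan type given the reply it observed."""
    if scan == "-sA":
        return "unfiltered" if reply == "RST" else "filtered"
    if scan in ("-sN", "-sF", "-sX"):
        return "closed" if reply == "RST" else "open|filtered"
    if scan == "-sU":
        if reply == "ICMP-3/3":     # ICMP type 3 code 3, port unreachable
            return "closed"
        if reply == "UDP":          # the service answered the probe
            return "open"
        if reply is None:
            return "open|filtered"
        return "filtered"           # other ICMP unreachable codes
    raise ValueError("unknown scan type %r" % scan)


def simulate(scan, port_open, firewalled=False):
    """End-to-end: probe flags -> RFC 793 reply -> Nmap state."""
    return nmap_state(scan, rfc793_reply(SCANS[scan], port_open, firewalled))


# Defender side: classify probes by flag set and count distinct target ports.

def classify_probe(flags):
    """Name the anomalous flag combination, or None for ordinary traffic."""
    f = frozenset(flags)
    for name, want in (("NULL", NULL_FLAGS), ("FIN", FIN_FLAGS), ("XMAS", XMAS_FLAGS)):
        if f == want:
            return name
    return None


def detect_flag_scans(packets, min_ports=5):
    """Return {(src, probe type): distinct ports} for sources over the threshold."""
    seen = {}
    for p in packets:
        kind = classify_probe(p["flags"])
        if kind is not None:
            seen.setdefault((p["src"], kind), set()).add(p["dport"])
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= min_ports}


# Constructed packet summaries (src, dst port, TCP flags); not captured traffic.
PACKETS = (
    [{"src": "10.0.0.5", "dport": p, "flags": ()} for p in range(20, 30)]
    + [{"src": "10.0.0.5", "dport": p, "flags": ("FIN", "PSH", "URG")} for p in (22, 80, 443)]
    + [{"src": "10.0.0.9", "dport": 443, "flags": ("SYN",)},
       {"src": "10.0.0.9", "dport": 443, "flags": ("ACK",)}]
)

if __name__ == "__main__":
    for scan in SCANS:
        print(scan, "open port ->", simulate(scan, True),
              "| closed port ->", simulate(scan, False),
              "| behind firewall ->", simulate(scan, True, firewalled=True))
    print(detect_flag_scans(PACKETS))
```

Two things the model makes visible: an ACK scan reports unfiltered for open and closed ports alike (both answer RST), so it only tells you whether a filter is in the way; and a lone FIN is classified as a probe while FIN+ACK is not, because a normal connection teardown always carries ACK.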

IP Protocol Scan


This type of scan is useful in determining what protocols are supported on the target system. You can use this information to decide which types of scan to use (UDP scan, TCP SYN scan, etc).

nikhilh@ubuntu:~$ sudo nmap -sO -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 09:14 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating IPProto Scan at 09:14
Scanning scanme.nmap.org (45.33.32.156) [256 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or (src host 45.33.32.156))
Discovered open port 6/ip on 45.33.32.156
Discovered open port 1/ip on 45.33.32.156
Completed IPProto Scan at 09:14, 1.21s elapsed (256 total ports)
Overall sending rates: 212.82 packets / s, 4325.74 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.010s latency).
Scanned at 2018-08-22 09:14:47 PDT for 1s
Not shown: 252 filtered protocols
Reason: 252 proto-unreaches
PROTOCOL STATE         SERVICE REASON
1        open          icmp    echo-reply ttl 128
6        open          tcp     proto-response ttl 128
17       open|filtered udp     no-response
47       open|filtered gre     no-response
Final times for host: srtt: 10311 rttvar: 20137  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-protocols.
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
           Raw packets sent: 262 (5.396KB) | Rcvd: 256 (12.272KB)
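The listings in this post are Nmap's "normal" human-readable output. As an added example (not code from the post or from Nmap), the parser below pulls the host line, the "Discovered open port" lines, the PORT/PROTOCOL table with its STATE, SERVICE and REASON columns, and the closing packet counters out of such a listing. The sample input is constructed from the IP protocol scan output above; for real tooling, use Nmap's XML output (-oX) instead of scraping text.

```python
import re

# Added example, not code from the post or from Nmap: a small parser for the
# human-readable ("normal") output shown throughout this post. For real
# tooling use Nmap's XML output (-oX); this parser exists to show what the
# fields in the listings above mean. SAMPLE_OUTPUT is constructed from the
# IP protocol scan listing above.

SAMPLE_OUTPUT = """\
Initiating IPProto Scan at 09:14
Discovered open port 6/ip on 45.33.32.156
Discovered open port 1/ip on 45.33.32.156
Nmap scan report for scanme.nmap.org (45.33.32.156)
Not shown: 252 filtered protocols
PROTOCOL STATE         SERVICE REASON
1        open          icmp    echo-reply ttl 128
6        open          tcp     proto-response ttl 128
17       open|filtered udp     no-response
47       open|filtered gre     no-response
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
           Raw packets sent: 262 (5.396KB) | Rcvd: 256 (12.272KB)
"""

DISCOVERED_RE = re.compile(r"^Discovered open port (\d+)/(\w+) on (\S+)$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) (?:ports|protocols)$")
TABLE_HDR_RE = re.compile(r"^(?:PORT|PROTOCOL)\s+STATE\s+SERVICE(?:\s+REASON)?$")
TABLE_ROW_RE = re.compile(
    r"^(\d+)(?:/(\w+))?\s+"
    r"(open\|filtered|closed\|filtered|unfiltered|filtered|open|closed)\s+"
    r"(\S+)(?:\s+(.*))?$"
)
DONE_RE = re.compile(
    r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\) scanned in ([\d.]+) seconds$"
)
RAW_RE = re.compile(r"^Raw packets sent: (\d+) \(\S+\) \| Rcvd: (\d+) \(\S+\)$")


def parse_nmap_output(text):
    """Turn one host's normal-output listing into a dict of structured fields."""
    report = {"host": None, "discovered": [], "not_shown": None, "rows": [],
              "hosts_up": None, "elapsed": None, "raw_sent": None, "raw_rcvd": None}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_table:
            m = TABLE_ROW_RE.match(line)
            if m:
                number, proto, state, service, reason = m.groups()
                # Protocol-scan rows have no "/proto" suffix; Nmap calls them /ip.
                report["rows"].append({"number": int(number), "proto": proto or "ip",
                                       "state": state, "service": service, "reason": reason})
                continue
            in_table = False  # first non-row line ends the table
        if TABLE_HDR_RE.match(line):
            in_table = True
            continue
        if line.startswith("Nmap scan report for "):
            report["host"] = line[len("Nmap scan report for "):]
            continue
        m = DISCOVERED_RE.match(line)
        if m:
            report["discovered"].append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            report["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = DONE_RE.match(line)
        if m:
            report["hosts_up"] = int(m.group(2))
            report["elapsed"] = float(m.group(3))
            continue
        m = RAW_RE.match(line)
        if m:
            report["raw_sent"] = int(m.group(1))
            report["raw_rcvd"] = int(m.group(2))
    return report


def open_entries(report):
    """(number, proto) for every table row Nmap reports as open."""
    return [(r["number"], r["proto"]) for r in report["rows"] if r["state"] == "open"]


if __name__ == "__main__":
    parsed = parse_nmap_output(SAMPLE_OUTPUT)
    print(parsed["host"], open_entries(parsed), parsed["not_shown"])
```

The REASON column is the part worth keeping in structured form: "proto-response" and "echo-reply" are positive evidence, whereas "no-response" is the absence of evidence that produces every open|filtered verdict in this post.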

That's it for part 4! This post, I feel, had fairly straightforward content and probably wouldn't have caused a lot of stress while learning. If you have any questions, leave them in the comments below and I'll get back to you as soon as I can!

In the next post, we'll look specifically at port scanning options. For example: which ports to scan, which protocols to use while scanning said ports and more.
