Getting started with Nmap - Part 3

In part 2, we looked at the basic scanning workflow. We also understood that Nmap pings the host before scanning it. Choosing the correct ping type is important, because if Nmap doesn't receive a reply from the target, it will not scan it. In this post, we'll look at a variety of options that will help in discovering the state of the host.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks in general is a cyber crime and may even lead to jail. Please get permission before scanning networks that are not yours.

Traceroute


The --traceroute option requires sudo access. With it, Nmap shows the route, i.e. the devices our packets pass through on the Internet on their way to the target system.

nikhilh@ubuntu:~$ sudo nmap -d --traceroute scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 17:45 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 17:46
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
We got a TCP ping packet back from 45.33.32.156 port 80 (trynum = 0)
Completed Ping Scan at 17:46, 0.00s elapsed (1 total hosts)
Overall sending rates: 1679.97 packets / s, 63838.72 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 17:46
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 17:46, 0.00s elapsed
..
...
Initiating SYN Stealth Scan at 17:46
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
...
...
Initiating Traceroute at 17:46
Completed Traceroute at 17:46, 0.02s elapsed
...
...
Not shown: 996 filtered ports
Reason: 996 no-responses
...
...
TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.15 ms 192.168.182.2
2   0.21 ms scanme.nmap.org (45.33.32.156)
Final times for host: srtt: 12335 rttvar: 22769  to: 103411

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 30.15 seconds
           Raw packets sent: 2021 (88.816KB) | Rcvd: 658 (26.352KB)

From this output we understand that the target host is just 2 hops away. The first address is the private address of my access point (a router) and the second is the target system's public address.

Disable Reverse DNS


As you may have noticed in the previous output(s), Nmap always performs parallel reverse DNS resolution of the targets alongside the initial ping. The user does not always need the DNS names. DNS resolution slows Nmap down, and it is sometimes necessary to disable it (-n) to avoid detection.

nikhilh@ubuntu:~$ sudo nmap -d -n scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 17:48 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 17:48
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
We got a TCP ping packet back from 45.33.32.156 port 80 (trynum = 0)
Completed Ping Scan at 17:48, 0.00s elapsed (1 total hosts)
Overall sending rates: 1536.69 packets / s, 58394.16 bytes / s.
Initiating SYN Stealth Scan at 17:48
...
...
Scanned at 2018-08-20 17:48:49 PDT for 7s
Not shown: 996 filtered ports
...
...

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds
           Raw packets sent: 2003 (88.096KB) | Rcvd: 9 (364B)

If you look closely at the log, you'll observe there is no DNS resolution in parallel with the initial ping.

Ping Only


This option performs only the host discovery part of the process; port scanning is skipped. By default (with root privileges) this uses an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP Timestamp request. Without root, as in the run below, Nmap can only send TCP probes to ports 80 and 443, which is why the output shows [2 ports].

nikhilh@ubuntu:~$ nmap -sn -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 05:37 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 05:37
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 05:37, 0.08s elapsed (1 total hosts)
Overall sending rates: 24.31 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 05:37
mass_rdns: 0.12s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 05:37, 0.12s elapsed
DNS resolution of 1 IPs took 0.12s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.082s latency).
Final times for host: srtt: 81927 rttvar: 81927  to: 409635
Read from /usr/local/bin/../share/nmap: nmap-payloads.
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Don't Ping


In part 2, we saw that Nmap first pings the host to confirm it is alive before scanning it. With the Don't Ping option (-Pn), Nmap skips this initial ping and goes straight to scanning the host.

nikhilh@ubuntu:~$ sudo nmap -Pn -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-21 13:14 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 13:14
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 13:14, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:14
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
...
...
22/tcp    open  ssh     syn-ack ttl 128
80/tcp    open  http    syn-ack ttl 128
31337/tcp open  Elite   syn-ack ttl 128
Final times for host: srtt: 81291 rttvar: 15399  to: 142887

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 30.89 seconds
           Raw packets sent: 2007 (88.308KB) | Rcvd: 866 (34.704KB)

TCP SYN or UDP Ping


By default, when Nmap is run with user privileges it uses ICMP echo when pinging hosts. In cases where ICMP ping does not help, you can use TCP SYN or UDP ping.

nikhilh@ubuntu:~$ nmap -PS -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 07:21 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 07:21
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Completed Ping Scan at 07:21, 0.08s elapsed (1 total hosts)
Overall sending rates: 11.88 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 07:21
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 07:21, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 07:21
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.38 seconds
  1. When using TCP SYN ping, nmap sends a SYN packet to the target system. If it replies with a SYN-ACK, nmap considers the host to be alive and proceeds to scan it.
  2. If there is no response, nmap will not scan the target system. 
  3. The default port used by TCP SYN ping is 80.
Let's try pinging using UDP now.

nikhilh@ubuntu:~$ sudo nmap -PU -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 07:28 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 07:28
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed Ping Scan at 07:28, 2.01s elapsed (1 total hosts)
Overall sending rates: 1.00 packets / s, 27.87 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.09 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
nikhilh@ubuntu:~$ 

By default, UDP ping uses port 40125. From the above output, we can see that
  1. UDP ping requires sudo privileges, because Nmap uses raw sockets when pinging over UDP.
  2. If the port were unallocated, the target would have replied with an ICMP type 3 (Port Unreachable) message, which tells us the host is alive on the network.
  3. If the port were open and in use, Nmap would receive no response.

TCP ACK Ping


nikhilh@ubuntu:~$ nmap -PA -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 07:41 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 07:41
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Completed Ping Scan at 07:41, 0.10s elapsed (1 total hosts)
Overall sending rates: 9.85 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 07:41
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 07:41, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 07:41
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 23.79 seconds

TCP ACK ping is useful when the target system blocks TCP SYN and ICMP packets.
  1. If the host is alive, it replies with an RST packet, since no TCP connection exists between your system and the target.
  2. If not, Nmap receives no response.
TCP ACK ping uses port 80 by default.

ICMP Timestamp Ping


ICMP Timestamp requests (ICMP type 13 messages) are normally used to synchronize system clocks on a network. They are rarely seen on networks nowadays, so a large number of them is abnormal and cause for suspicion.

nikhilh@ubuntu:~$ sudo nmap -PP -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 13:57 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:57
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed Ping Scan at 13:57, 2.01s elapsed (1 total hosts)
Overall sending rates: 1.00 packets / s, 39.84 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.09 seconds
           Raw packets sent: 2 (80B) | Rcvd: 0 (0B)
  1. I expected the system to block ICMP Timestamp packets at the firewall, and it looks like they have.
  2. If ICMP Timestamp were not blocked, we would have received an ICMP Timestamp reply.
  3. Note that sudo access is required for ICMP Timestamp pings.

ICMP Address Mask Ping


ICMP Address Mask requests (ICMP type 17 messages) are used to determine the subnet mask used on a network. Again, these are uncommon nowadays.

nikhilh@ubuntu:~$ sudo nmap -PM -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 14:18 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 14:18
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed Ping Scan at 14:18, 2.01s elapsed (1 total hosts)
Overall sending rates: 1.00 packets / s, 31.87 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.10 seconds
           Raw packets sent: 2 (64B) | Rcvd: 0 (0B)
  1. Again, ICMP Address Mask ping requires sudo access and is also blocked at the target system.
  2. If ICMP Address Mask were not blocked, we would have received an ICMP Address Mask reply.

IP Protocol Ping


The IPv4 header has a field called Protocol that carries the protocol number of the next-layer protocol. An IP protocol ping contacts the target system using a specific protocol number. By default, protocol numbers 1 (ICMP), 2 (IGMP) and 4 (IPv4 encapsulation) are used.

nikhilh@ubuntu:~$ sudo nmap -d -PO1,17 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 15:55 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 15:55
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or (src host 45.33.32.156))
Completed Ping Scan at 15:55, 0.16s elapsed (1 total hosts)
Overall sending rates: 12.34 packets / s, 345.44 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 15:55
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 15:55, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 27.54 seconds
           Raw packets sent: 2007 (88.276KB) | Rcvd: 559 (22.400KB)
  1. In the above usage, I've used protocol numbers 1 (ICMP) and 17 (UDP) for communicating with the target host.
  2. This again requires sudo privileges.
  3. Sometimes, if you use a protocol that the target system does not support, you get back an ICMP Destination Unreachable (type 3) message, reported as proto-unreach in the example below, which is a strong hint that the target is alive. You can then retry using a different protocol number.
  4. For a list of all protocol numbers, refer to https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

nikhilh@ubuntu:~$ sudo nmap -d -PO88 scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 14:31 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 14:31
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or (src host 45.33.32.156))
Got destination unreachable for 45.33.32.156
Completed Ping Scan at 14:31, 0.00s elapsed (1 total hosts)
Overall sending rates: 296.30 packets / s, 5925.93 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received proto-unreach]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.23 seconds
           Raw packets sent: 1 (20B) | Rcvd: 1 (48B)

ARP ping


Address Resolution Protocol (ARP) is the protocol used to map IP addresses to MAC addresses.
  1. This ping is based on the assumption that a live host must reply to an ARP request, which makes sense.
  2. ARP packets are not filtered or blocked, because every network needs them to determine the MAC addresses of systems on the network.
  3. It is important to note the following:
    1. ARP ping requires sudo access to work properly.
    2. When using ARP ping, the target system must be on your LAN, because ARP is not routable: it cannot leave the LAN and only exists inside it.
    3. When scanning a target on the LAN, Nmap automatically uses ARP ping as the default discovery method and overrides all other discovery options.
    4. To disable automatic ARP ping, use the --disable-arp-ping option.
When run without sudo:

nikhilh@ubuntu:~$ nmap -d -PR 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 17:30 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 17:30
Scanning 127.0.0.1 [0 ports]
Completed Ping Scan at 17:30, 0.00s elapsed (1 total hosts)
Overall sending rates: 0.00 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.04 seconds

As a sudo user:

nikhilh@ubuntu:~$ sudo nmap -d -PR 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 17:30 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 127.0.1.1
Initiating SYN Stealth Scan at 17:30
Scanning localhost (127.0.0.1) [1000 ports]
Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 127.0.0.1)))
Discovered open port 631/tcp on 127.0.0.1
Completed SYN Stealth Scan at 17:30, 0.01s elapsed (1000 total ports)
Overall sending rates: 131908.72 packets / s, 5803983.64 bytes / s.
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.0000020s latency).
Scanned at 2018-08-20 17:30:30 PDT for 0s
Not shown: 999 closed ports
Reason: 999 resets
PORT    STATE SERVICE REASON
631/tcp open  ipp     syn-ack ttl 64
Final times for host: srtt: 2 rttvar: 0  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2001 (84.044KB)
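
To see at a glance which probe decided each verdict, here is an added example (not from the original post) that pulls the "received <reason>" lines out of the nmap -d output shown throughout this post. The reason names that do not appear in this post's runs are Nmap's own reason names as I know them; the sample runs are excerpts of the outputs printed above.

```python
import re

# Nmap's "received <reason>" tokens. syn-ack, reset, no-response, proto-unreach
# and localhost-response appear in this post's runs; the others are Nmap's reason
# names for the remaining ping types covered here (not shown in the post's output).
REASON_TO_PROBE = {
    "syn-ack": "SYN-ACK to a TCP SYN ping (port open)",
    "reset": "RST to a TCP ACK or SYN ping",
    "echo-reply": "reply to an ICMP echo ping (-PE)",
    "timestamp-reply": "reply to an ICMP timestamp ping (-PP)",
    "addressmask-reply": "reply to an ICMP address mask ping (-PM)",
    "port-unreach": "ICMP port unreachable to a UDP ping (-PU)",
    "proto-unreach": "ICMP protocol unreachable to an IP protocol ping (-PO)",
    "arp-response": "ARP reply to an ARP ping (-PR), target on the local LAN",
    "localhost-response": "target is this machine, no probe needed",
    "user-set": "no ping sent (-Pn), host assumed up",
    "no-response": "no discovery probe was answered",
}

# Lines nmap -d prints once host discovery for a target has finished.
HOST_DOWN = re.compile(r"^Nmap scan report for (?P<name>\S+?)(?: \((?P<ip>[\d.]+)\))?"
                       r" \[host down, received (?P<reason>[\w-]+)\]")
REPORT = re.compile(r"^Nmap scan report for (?P<name>\S+?)(?: \((?P<ip>[\d.]+)\))?$")
HOST_UP = re.compile(r"^Host is up(?:, received (?P<reason>[\w-]+)(?: ttl \d+)?)?"
                     r" \((?P<latency>[\d.]+)s latency\)")
PROBES = re.compile(r"^Scanning (?P<name>\S+?)(?: \([\d.]+\))? \[(?P<n>\d+) ports?\]")


def parse_discovery(output):
    """Return one record per target with Nmap's host-discovery verdict and reason."""
    hosts, order = {}, []

    def record(name, ip=None):
        if name not in hosts:
            hosts[name] = {"name": name, "ip": ip, "status": "unknown", "reason": None,
                           "probe": None, "ping_probes": None, "latency_s": None}
            order.append(name)
        if ip:
            hosts[name]["ip"] = ip
        return hosts[name]

    in_ping, current = False, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Initiating Ping Scan"):
            in_ping = True
        elif line.startswith("Completed Ping Scan"):
            in_ping = False
        elif in_ping and (m := PROBES.match(line)):
            # "[N ports]" inside the ping scan is the number of discovery probes sent
            record(m["name"])["ping_probes"] = int(m["n"])
        elif m := HOST_DOWN.match(line):
            h = record(m["name"], m["ip"])
            h.update(status="down", reason=m["reason"],
                     probe=REASON_TO_PROBE.get(m["reason"], "unrecognised reason"))
            current = None
        elif m := REPORT.match(line):
            current = record(m["name"], m["ip"])
        elif current is not None and (m := HOST_UP.match(line)):
            reason = m["reason"]  # None when the scan was run without -d
            current.update(status="up", reason=reason, latency_s=float(m["latency"]),
                           probe=REASON_TO_PROBE.get(reason, "run with -d to see the reason"))
    return [hosts[n] for n in order]


def explain(host):
    """One-line summary of why Nmap scanned (or skipped) a target."""
    return (f"{host['name']} ({host['ip']}): {host['status']}, "
            f"reason={host['reason']}: {host['probe']}")


# Excerpts of runs shown in this post: nmap -sn -d, sudo nmap -PO88 -d, sudo nmap -PR 127.0.0.1
PING_ONLY_RUN = """\
Initiating Ping Scan at 05:37
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 05:37, 0.08s elapsed (1 total hosts)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.082s latency).
"""
PROTO_PING_RUN = """\
Initiating Ping Scan at 14:31
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Got destination unreachable for 45.33.32.156
Completed Ping Scan at 14:31, 0.00s elapsed (1 total hosts)
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received proto-unreach]
"""
LOCALHOST_RUN = """\
Scanning localhost (127.0.0.1) [1000 ports]
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.0000020s latency).
"""

if __name__ == "__main__":
    for run in (PING_ONLY_RUN, PROTO_PING_RUN, LOCALHOST_RUN):
        for host in parse_discovery(run):
            print(explain(host))
```

Reading the verdict and the reason together matters: the -PO88 run above came back as "host down" even though a proto-unreach arrived, so the reason alone does not prove the target answered.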

This concludes part 3 of this tutorial series! If you have any questions, leave them in the comments below and I'll get back to you as soon as I can.

In the next part, we'll look at various scanning options that Nmap provides. 

Getting started with Nmap - Part 2

In part 1 of this series, we looked at Nmap installation, setup and a few debug options. We'll be using -d throughout the series to make more sense of the output. In this post, we'll look at the basic scanning workflow, the effect of sudo, and how to understand the output. Without further ado, let's get right into it!


Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks in general is a cyber crime and may even lead to jail. Please get permission before scanning networks that are not yours.

Scanning a single target


nikhilh@ubuntu:~$ nmap scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 10:40 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap done: 1 IP address (1 host up) scanned in 91.70 seconds

So, what exactly does the above scan mean?
  1. A total of 1000 ports were scanned. Nmap scans the top 1000 commonly used ports when used with default options.
  2. Nmap deemed four ports as open and the rest as filtered. There are a total of six possible port states:
    1. Open: A port that actively responds to an incoming connection.
    2. Closed: A port that actively responds to a probe but has (or appears to have) no service running on it.
    3. Filtered: A port that is protected by a firewall, preventing Nmap from determining its state.
    4. Unfiltered: A port that nmap can access but is unable to determine its state.
    5. Open | Filtered: A port that nmap believes to be open or filtered but cannot say for sure.
    6. Closed | Filtered: A port that nmap believes to be closed or filtered but cannot say for sure.
  3. Since most of us use consumer broadband Internet connections, we can fall victim to Man-In-The-Middle (MITM) filtering. This means that someone or something (hint: the ISP) other than you and the target system is interfering with the traffic, which skews Nmap's output.
    1. The hint that this is happening is the presence of a third port state.
    2. In the above scan, there are two port states: open and filtered.
    3. If a third port state such as closed were present, that would suggest MITM filtering by the broadband provider.
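
As an added example that is not part of the original post, the following Python script parses normal Nmap output into per-host port tables and applies the three-state hint from item 3. The two-host and all-closed samples are excerpts of scans shown in this post; the 192.0.2.10 report is constructed to show the hint firing.

```python
import re

REPORT = re.compile(r"^Nmap scan report for (?P<name>\S+?)(?: \((?P<ip>[\d.]+)\))?$")
# "22/tcp    open  ssh     syn-ack ttl 128"; the REASON column only appears with -d
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<reason>.+))?$")
# "Not shown: 993 closed ports, 5 filtered ports" summarises the states Nmap did not print
HIDDEN = re.compile(r"(\d+) ([\w|]+) ports?")
ALL_PORTS = re.compile(r"^All (?P<n>\d+) scanned ports on .* are (?P<state>[\w|]+)$")


def parse_reports(output):
    """Split normal Nmap output into one record per host with its port table."""
    hosts, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if m := REPORT.match(line):
            current = {"name": m["name"], "ip": m["ip"] or m["name"],
                       "ports": [], "not_shown": {}}
            hosts.append(current)
        elif current is None:
            continue
        elif m := PORT_LINE.match(line):
            current["ports"].append({"port": int(m["port"]), "proto": m["proto"],
                                     "state": m["state"], "service": m["service"],
                                     "reason": m["reason"]})
        elif line.startswith("Not shown:"):
            for n, state in HIDDEN.findall(line):
                current["not_shown"][state] = current["not_shown"].get(state, 0) + int(n)
        elif m := ALL_PORTS.match(line):
            current["not_shown"][m["state"]] = int(m["n"])
    return hosts


def port_states(host):
    """Every distinct state Nmap reported for the host, printed or summarised."""
    return sorted({p["state"] for p in host["ports"]} | set(host["not_shown"]))


def third_state_hint(host):
    """The post's heuristic: open plus filtered (or closed) is expected; a third
    state mixed in suggests something between you and the target is filtering."""
    return len(port_states(host)) >= 3


# Excerpt of the two-target scan shown in this post
TWO_HOST_SCAN = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.081s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp

Nmap done: 2 IP addresses (2 hosts up) scanned in 32.25 seconds
"""
# Excerpt of the localhost scan after cups was stopped
ALL_CLOSED_SCAN = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000045s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed
"""
# Constructed report (documentation address) with three port states present
MIXED_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.045s latency).
Not shown: 990 filtered ports, 7 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
"""

if __name__ == "__main__":
    for host in parse_reports(TWO_HOST_SCAN + ALL_CLOSED_SCAN + MIXED_SCAN):
        print(host["name"], port_states(host), "third-state hint:", third_state_hint(host))
```
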
Now that we have a basic idea of what to derive from a scan result, let us look deeper into it using the debug option.

nikhilh@ubuntu:~$ nmap -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 11:06 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 11:06
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 11:06, 0.08s elapsed (1 total hosts)
Overall sending rates: 24.33 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 11:06
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 11:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 11:06
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed Connect Scan at 11:06, 16.66s elapsed (1000 total ports)
Overall sending rates: 120.12 packets / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.083s latency).
Scanned at 2018-08-18 11:06:12 PDT for 17s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
31337/tcp open  Elite   syn-ack
Final times for host: srtt: 82512 rttvar: 15951  to: 146316

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 16.79 seconds

What more can we learn from the above debug information?
  1. Nmap is scanning all 1000 ports using TCP probes.
  2. Parameters like parallelism, minimum packet rate, maximum packet rate and host timeout options are set according to the network connection. They are not explicitly set by the user and thus their values are 0 in the nmap output.
  3. Nmap pings the target and carries out DNS resolution in parallel. Nmap pings the target to ensure that the host is alive before scanning it. 
    1. If the target does not reply, Nmap assumes the target host is down and WILL NOT scan it.
  4. In many cases, either the firewall blocks ICMP or ICMP itself is disabled on the target system. Nmap understands this and by default also pings TCP ports 80 and 443.
  5. For systems which do not respond to pings (most likely protected by a firewall), use the -Pn or Don't Ping option.
  6. Nmap executes a TCP Connect scan to determine port states.
    1. In a TCP Connect scan, Nmap completes the three-way handshake.
    2. In other words, Nmap tries to connect to a port by sending a SYN packet and waits for a SYN-ACK from the port. If it receives a SYN-ACK, the port is open and Nmap sends an ACK packet to complete the connection. It then sends an RST packet to close the connection.
  7. Nmap sent 120.12 packets per second. This is the packet rate. Custom packet rates can be set but having a very high packet rate can cause drops either at your local system NIC or at the target system or anywhere in the middle.

The effect of root


In the above output, we know that TCP Connect scan was used to determine port states. Let's see if there's any difference when Nmap is run as root.

nikhilh@ubuntu:~$ sudo nmap -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 18:08 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 18:08
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
We got a TCP ping packet back from 45.33.32.156 port 80 (trynum = 0)
Completed Ping Scan at 18:08, 0.00s elapsed (1 total hosts)
Overall sending rates: 1529.64 packets / s, 58126.20 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 18:08
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 18:08, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:08
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed SYN Stealth Scan at 18:08, 20.98s elapsed (1000 total ports)
Overall sending rates: 95.62 packets / s, 4205.39 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.027s latency).
Scanned at 2018-08-20 18:08:04 PDT for 21s
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 128
80/tcp    open  http       syn-ack ttl 128
9929/tcp  open  nping-echo syn-ack ttl 128
31337/tcp open  Elite      syn-ack ttl 128
Final times for host: srtt: 27498 rttvar: 40558  to: 189730

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.04 seconds
           Raw packets sent: 2010 (88.376KB) | Rcvd: 1440 (57.604KB)

There are two differences to note:
  1. TCP ping was used by default instead of ICMP ping.
  2. TCP Stealth scan was used by default instead of TCP Connect scan.
    1. In this type of scan, Nmap doesn't complete the three-way handshake. In other words, Nmap never sends the ACK packet in response to the target port's SYN-ACK; it sends an RST packet instead.
    2. A TCP Connect scan is easily detected by firewalls. A TCP Stealth scan isn't so easy to detect, though there is defensive software capable of doing so.

Scanning multiple targets


nikhilh@ubuntu:~$ nmap scanme.nmap.org 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 11:21 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.081s latency).
Not shown: 996 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite

Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
631/tcp open  ipp

Nmap done: 2 IP addresses (2 hosts up) scanned in 32.25 seconds

When scanning multiple targets, Nmap prints a separate summary for each host, as seen above. The local host is a VM, and it looks like an Internet Printing Protocol (IPP) service is running on port 631, which in my case is unnecessary. My laptop has no plans of becoming a print server right now, so the best practice is to shut it down.

nikhilh@ubuntu:~$ sudo /etc/init.d/cups stop
[....] Stopping cups (via systemctl): cups.serviceWarning: Stopping cups.service, but it can still be activated by:
  cups.socket
. ok 

nikhilh@ubuntu:/etc$ nmap 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 11:28 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000045s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Variants of hostname arguments


Previously, we have seen targets given as an IP address and as a hostname, which requires DNS resolution. When scanning multiple systems, targets can also be given as:
  1. CIDR notation such as 192.168.10.1/24
  2. A range such as 192.168.10.1-100
Targets can also be read from a file (-iL) containing line-, tab- or space-separated host names.

nikhilh@ubuntu:~$ cat host-name-list.txt
scanme.nmap.org
127.0.0.1

nikhilh@ubuntu:~$ nmap -iL host-name-list.txt 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-18 11:39 PDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.082s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9929/tcp open  nping-echo

Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed

Nmap done: 2 IP addresses (2 hosts up) scanned in 86.05 seconds

It is also possible to exclude certain hosts from being scanned using the --exclude or --excludefile options.

Examples:
nmap 192.168.10.1/24 --exclude 192.168.10.2
nmap 192.168.10.1/24 --exclude 192.168.10.2-6
nmap 192.168.10.1/24 --excludefile exclude-host-list.txt

exclude-host-list.txt has the same format as host-name-list.txt as described before.

That's it for part 2! I hope everything was simple to understand and if you have any questions, feel free to leave them in the comments below. In this post, we saw that Nmap first pings the host before scanning it.

In part 3, we'll look at different types of such pings (ICMP and TCP ping are just two types) or host discovery as it is formally called.
