5 Basic NMAP Scans
In this two-part series on NMap we will explore the basics of the tool and the benefit of its scanning techniques. We will use the GUI to provide easier-to-follow examples. In this first article we will discuss the following scans:
- SYN scan (sS)
- Connect scan (sT)
- FIN scan (sF)
- Xmas Tree scan (sX)
- Null scan (sN)
The second article in this series will discuss the following NMap techniques:
- Source Spoofing
NMap (Network Mapper), written by Fyodor, is a widely used port scanning tool. It is an open source utility released under the GNU GPL for probing networks and hosts. NMap was originally written for UNIX but now supports multiple platforms, including Windows. NMap sends specially crafted IP packets and interprets the replies (or their absence) to collect information about hosts on the network. It identifies which ports (services) are open, and can also fingerprint the operating system and even the service version. NMap's results further reveal what kind of packet filtering a firewall in the path is applying.
First we will discuss the SYN scan (sS option), also called a half-open scan; it is NMap's default when run with the privileges needed to craft raw packets. In a normal TCP handshake the client sends a SYN packet to the target host. If the port is open, the target acknowledges with its own SYN accompanied by an ACK (a SYN/ACK); if the port is closed it answers with a RST; if nothing comes back (or an ICMP unreachable does), NMap reports the port as filtered. Instead of completing the handshake with an ACK, NMap immediately sends a RST to tear the embryonic connection down. Because the connection is never established, the listening application never sees it and therefore does not log it, which is where the scan's reputation for stealth comes from. A network IDS, however, can still observe the SYN, SYN/ACK, RST pattern and alert an analyst, so the scan should not be assumed to go undetected.
Next up is the Connect scan (sT option). This asks the operating system to open a normal TCP connection to each port using the connect() system call, so it completes the full three-way handshake and needs no special privileges. If connect() succeeds, the target is listening on that port; if it fails, the port is closed or unreachable. This is the easiest scan for the target to detect, because the service actually accepts the connection and typically logs that it was opened only to be terminated immediately.
Often a SYN scan is not enough because a packet filter or firewall in the path blocks the SYN probes. The FIN scan (sF), Xmas tree scan (sX), and Null scan (sN) options send probes that carry no SYN flag and so can pass a stateless filter that only blocks connection attempts. These scans turn the usual logic around: RFC 793 requires a closed port to answer any segment lacking the SYN, RST and ACK flags with a RST, while an open (listening) port silently drops it. NMap therefore records ports that respond with a RST as closed, and reports ports that stay silent as open|filtered, because a listening port and a probe dropped by a filter look identical from the outside. The probes are otherwise illogical packets carrying either the FIN flag alone (sF), the FIN, URG and PUSH flags together (sX), or no flags at all (sN). These scans work because those flags are part of normal TCP traffic, so a simple filter cannot drop every packet that carries them; only a stateful firewall that tracks connections can tell an out-of-state FIN from one closing a real connection, and such a firewall will drop these probes. A second caveat is that many stacks, Windows and many Cisco devices in particular, do not follow RFC 793 and answer RST on every port, so against them these scans show every port as closed.
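To make the difference between the SYN scan and the inverse (FIN/Xmas/Null) scans concrete, here is an added example that is not part of the original article and is not NMap's own code. It builds the TCP headers each scan type sends, simulates in-process (no packets leave the machine) how an RFC 793-compliant target, a Windows-style target, and a stateless SYN-only packet filter answer them, and applies the port-state rules described above. The host names, open-port set and the filter are constructed assumptions for the demonstration.

```python
"""Added example (not from the original article): Nmap scan probes and the
port states inferred from the replies, simulated in process.  All hosts,
open-port sets and the packet filter below are constructed test data."""
import struct

# TCP flag bits (13th byte of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type sets on its probe, keyed by the Nmap option name.
PROBES = {
    "sS": SYN,              # half-open (SYN) scan
    "sF": FIN,              # FIN scan
    "sX": FIN | PSH | URG,  # Xmas tree scan
    "sN": 0,                # Null scan: no flags at all
}
TCP_FMT = "!HHIIBBHHH"  # src, dst, seq, ack, data offset, flags, window, csum, urgptr

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Pack a minimal 20-byte TCP header (checksum left 0: no IP pseudo-header here)."""
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)

def unpack(header):
    """Return (src_port, dst_port, flags) of a packed TCP header."""
    f = struct.unpack(TCP_FMT, header)
    return f[0], f[1], f[5]

def rfc793_target(open_ports, probe):
    """Simulated RFC 793-compliant stack (Linux, most BSDs): reply header or None."""
    src, dst, flags = unpack(probe)
    if flags & RST:                       # a RST is never answered
        return None
    if flags & SYN and not flags & ACK:   # connection attempt
        if dst in open_ports:
            return build_tcp_header(dst, src, SYN | ACK)  # handshake step 2
        return build_tcp_header(dst, src, RST | ACK)
    # Anything else without SYN/RST/ACK: a closed port answers RST,
    # a listening port silently drops it.
    return None if dst in open_ports else build_tcp_header(dst, src, RST | ACK)

def windows_target(open_ports, probe):
    """Simulated Windows-style stack: RST to every odd segment, open port or not."""
    src, dst, flags = unpack(probe)
    if flags & SYN or flags & RST:
        return rfc793_target(open_ports, probe)   # handshake behaviour is the same
    return build_tcp_header(dst, src, RST | ACK)

def stateless_syn_filter(target, blocked_ports):
    """Packet filter that drops only SYN probes to blocked ports; other flags pass."""
    def filtered(probe):
        _, dst, flags = unpack(probe)
        if dst in blocked_ports and flags & SYN and not flags & ACK:
            return None
        return target(probe)
    return filtered

def infer_state(kind, reply):
    """Port state Nmap reports for one probe's reply (None = no answer)."""
    if kind == "sS":
        if reply is None:
            return "filtered"
        flags = unpack(reply)[2]
        return "open" if flags & SYN and flags & ACK else "closed"
    # Inverse scans: a RST proves closed; silence is either open or filtered.
    if reply is not None and unpack(reply)[2] & RST:
        return "closed"
    return "open|filtered"

def scan(kind, target, ports, src_port=40000):
    """Send one probe per port to a simulated target and classify each port."""
    results = {}
    for port in ports:
        reply = target(build_tcp_header(src_port, port, PROBES[kind]))
        results[port] = infer_state(kind, reply)
        if kind == "sS" and results[port] == "open":
            # Half-open scan: tear the embryonic connection down with RST
            # instead of completing the handshake with ACK.
            target(build_tcp_header(src_port, port, RST))
    return results

CONSTRUCTED_OPEN_PORTS = {22, 80}   # constructed test data, not a real host

def linux_host(probe):
    return rfc793_target(CONSTRUCTED_OPEN_PORTS, probe)

def windows_host(probe):
    return windows_target(CONSTRUCTED_OPEN_PORTS, probe)

def demo():
    ports = [22, 23, 80]
    fw = stateless_syn_filter(linux_host, set(ports))
    return {
        "sS linux": scan("sS", linux_host, ports),
        "sF linux": scan("sF", linux_host, ports),
        "sX windows": scan("sX", windows_host, ports),
        "sS behind SYN-only filter": scan("sS", fw, ports),
        "sN behind SYN-only filter": scan("sN", fw, ports),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

Running it shows the three behaviours the text describes: the SYN scan against the RFC 793 host labels 22 and 80 open and 23 closed; the FIN scan can only say 23 is closed and the others open|filtered; the Xmas scan against the Windows-style host reports every port closed; and behind the SYN-only filter the SYN scan sees nothing but filtered while the Null scan still recovers that port 23 is closed.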
Here is an example of a FIN scan (sF).