5 Basic NMap scans II
In this second part of the series on NMap, we will continue to expand on a basic understanding of the tool by exploring more scanning techniques. We will continue to use the GUI to provide easier to follow examples. In our first article we covered the following scans:
- Xmas Tree
This article will discuss the following techniques:
- Source Spoofing
To quickly recap, NMap leverages specially crafted IP packets for collecting host information on the network. NMap is helpful in identifying ports (services) being offered, operating system and even running version . NMap also helps identify packet filter types being used by the firewalls.
We will continue our discussion with a technique that although slow, remains important. It is easy to become complacent and decide to avoid scans that are slow, sometimes especially those taking over 18 hours to complete but complacency is exactly what adversaries hope for. UDP scan (sU option) in general are slow to respond, inherently due to ICMP error message rates dictated by the OS being scanned. Although slow to scan, UDP covers popular services such as DHCP, TFTP, SNMP and DNS and adversaries can also leverage these popular services to detect hosts on a network possibly awarding them a starting point for their attack.
Next we will discuss a blind TCP port scan technique. The Idle Scan (sI option) exploits a side-channel from an innocent zombie host. The IDS will detect this scan and identify the zombie host as the attacker. This technique permits a TCP port scan of our target without disclosing our scanner IP. Meanwhile our scanner is looking for the IP fragmentation ID and based on the response, NMap can determine if the port is open or closed. If the IPID sequence increments the port is open. Leveraging the information we discussed on SYN/ACK in the first article of this series, we understand an unsolicited SYN/ACK will receive a RST packet response. When our zombie receives this RST packet and does not have a SYN/ACK packet preceding it, then the RST packet will be dropped and it will not increment its IPID.
NMap uses this behavior by first learning what the zombie IPID is. NMap will send a packet to the target addressed as if it came from our zombie, the target will respond to the zombie. If the target port is open, the un-expecting zombie will receive a SYN/ACK packet from the target which will cause the zombie to send a RST packet and increase the IPID by +1. If the target port is closed, our un-expecting zombie will receive a RST packet which will simply be dropped. NMap will now send the un-expecting zombie another SYN/ACK packet and if the IPID in the packet has increased by +2 NMap can determine the target sent a SYN/ACK and the port is open on the target. If the zombie IPID increased by only +1, NMap knows the target responded with a RST signifying a closed port on the target host.
In the first article Xmas, FIN, and Null scan techniques were explained and illustrated filtering device discovery. The evolution of these scans in our assessment posture leads us to an ACK scan (sA option). An ACK scan is useful in determining firewall rulesets and help in determining stateful versus packet filtering policies. An ACK scan launches packets to the target with random ACK sequence numbers. If no RST response is received then the port is considered filtered.
A TCP Window Scan is not to be confused with the Operating System, but rather the TCP Window Size. A Window Scan (sW option) uses TCP Window Size to detect whether a port is open, unfiltered, or filtered. When NMap scans with this technique the TCP stack will sometimes return the TCP window size in the RST packet. A closed port sends an RST packet with a TCP Window Size of zero.
The protocol, Remote Procedure Call, or RPC was created by SUN but is used on many Operating Systems to provide a client server execution path. Under RPC each program has a hexadecimal assignment used to address RPC data to the appropriate application. The RPC scan (sR option) generates Null RPC commands on known open ports found using other scan techniques. If a port responds to these commands NMap attempts to determine what application and version is listening. It is also important to note that the RPC scan is included in the Version scan (sV option) which also detects version.
Spoof or Source Scan
Not all environments are what you expect when setting up for an engagement on a client’s network. There may come a time when NMap cannot determine the IP it is installed on. The Spoof or Source (-S option) is useful in this situation and will allow NMap to operate correctly. It may also be necessary to give a Spoofed IP address for NMap to disguise itself. Either way this is a valuable option to be familiar with just in case.
James Fraze is an IT Security Consultant with 20+ years in IT who contracts through Romack Inc and also writes IT related articles. James can be reached at http://digitalcrunch.com/contact.