The Nmap aka Network Mapper is an open source and a very versatile tool for Linux system/network administrators. Nmap is used for exploring networks, perform security scans, network audit and finding open ports on remote machine. It scans for Live hosts, Operating systems, packet filters and open ports running on remote hosts.
Understanding Open, Closed and Filtered
Nmap has a variety of scan types, understanding how the default and most common
SYN scan works is a good place to start to examine how the scan works and interpreting the results.
The 3 way TCP handshake
First a bit of background, during communication with a TCP service, a single connection is established with the TCP 3 way handshake. This involves a
SYN sent to an TCP open port that has a service bound to it, typical examples are HTTP (port 80), SMTP (port 25), POP3 (port 110) or SSH (port 22).
The server side will see the
SYN and respond with
SYN ACK, with the client answering the
SYN ACK with an
ACK. This completes the set up and the data of the service protocol can now be communicated.
In this example the firewall passes the traffic to the web server (HTTP -> 80) and the web server responds with the acknowledgement.
In all these examples a firewall could be a separate hardware device, or it could be a local software firewall on the host computer.
Filtered ports or when the Firewall drops a packet
The job of a firewall is to protect a system from unwanted packets that could harm the system. In this simple example the port scan is conducted against port 81, there is no service running on this port using a firewall to block access to it is best practice.
In the case of a
filtered port result from Nmap it indicates that the port has not responded at all the
SYN packet has simply been dropped by the firewall.
Closed ports or when the Firewall fails
In this case the closed ports most commonly indicate that there is no service running on the port but the firewall has allowed the connection to go through to the server. It can also mean there is no firewall at all present.
Note that while we are discussing the most common scenarios here it is possible to configure a firewall to reject packets rather than drop. This would mean packets hitting the firewall would be seen as closed (the firewall is responding with
Pictured below is a case where a firewall rule allows the packet on port 81 through even though there is no service listening on the port. This is most likely due to the fact that the firewall is poorly configured.
An Open Port (service) is found
Open Ports are usually what you are looking for when kicking off Nmap scans. The open service could be a publicly accessible service that is by its nature supposed to be accessible. It could also be a back-end service that does not need to be publicly accessible and therefore should be blocked by a firewall.
An interesting thing to notice in the wireshark capture is the
RST packet sent after accepting the
SYN ACK from the web server. The
RST is sent by Nmap as the state of the port (open) has been determined by the
SYN ACK if we were looking for further information such as the HTTP service version or to get the page, the RST would not be sent. A full connection would be established.
# yum install nmap [on Red Hat based systems] $ sudo apt-get install nmap [on Debian based systems]
You may find different exploitation frameworks, web application tools, and otherYou may find different exploitation frameworks, web application tools, and otherpreferences, but nmap is a staple tool for many forms of assessment. Now, this is not tosay that there are no other tools that can be executed with similar capabilities; it’s just thatthey are not as capable. This includes tools such as AngryIP, HPing, FPing, NetScan,Unicorn scan, and others. From all of these tools, only two stand out as significantlydifferent, and they are HPing and Unicorn scan.
Executing the different scan types:
The four scans you primarily use are the TCP connection scan (also known as the full-The four scans you primarily use are the TCP connection scan (also known as the full-connection scan), the SYN scan (also known as the half-open or stealth scan), the ACKscan, and the UDP scan.
1)Executing TCP full connection scans:
-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the
connectsystem call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
The TCP connect scan may provide the most accurate results, but automatic shunningThe TCP connect scan may provide the most accurate results, but automatic shunningmechanisms often block the source of the scan at the Internet Service Provider (ISP). Toexecute a TCP scan, all you have to do is indicate the associated scan type with -sT , asseen here:
sudo nmap -sT -vvv -p 80 192.168.43.0/24
Note:I have assessed many an organization, which could be scanned with full connection scansonly, as they would immediately shun the connection if an SYN scan was executed. Thetrick is to know your target and how advanced their environment is. Much of this can bedetermined during the pre-engagement phases.
2)Executing SYN scans:
-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap’s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the
This technique is often referred to as half-open scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection
sudo nmap -sS -vvv -p 80 192.168.43.0/24
3)Executing ACK scans:
-sA (TCP ACK scan)
ACK scans are the rarest of the three TCP scan types, and they may not be as directlyACK scans are the rarest of the three TCP scan types, and they may not be as directlyuseful as you think. Let’s see when you would use an ACK scan. It is a slow scan, so youwould use it if an SYN or TCP scan does not provide you with the results you needed.Nmap is pretty smart today; you usually don’t need to perform the different types of scansto validate the type of target you are hitting. So, you would be trying to identify a resourcethat a full connection scan does not work on. This means that you may not be able toconnect to the host for further attacks, because you were unable to complete a three-wayhandshake.So where are ACK scans useful? People often ask this, and the answer is, “Firewalls.”ACK scans are great for mapping firewall rule sets. Some systems react very strangely toACK scans and provide additional data in return, so make sure you have tcpdump runningon either an inline tap or on your system when you execute the ACK scan. The followingis an example of how to execute an ACK scan. Run the command as follows:
sudo nmap -sA -vvv -p 80 192.168.43.0/24
4)Executing UDP scans:
-sU (UDP scans)
You will see tons of blog posts and books and come across several training events thatYou will see tons of blog posts and books and come across several training events thathighlight the fact that UDP is a protocol that is often overlooked. In future chapters, wewill highlight how dangerous this really is to an organization. UDP scans are extremelyslow, and since there are just as many ports for UDP as TCP, it will take a substantialamount of time to scan for them. Additionally, UDP scans—for lack of a better term—lie.They will often report things as filtered/open, which basically means that it does not know.This can be infuriating in very large environments. It also does not have the full capabilityto grab most of the UDP port service information. The most common ports have speciallypackaged scan data, which allows nmap to determine whether the port is really open andwhat service is there, because services are not always on the default port. When servicesare moved to UDP ports, there is an impact on the default scan data returned by nmap, asopposed to TCP scans, for which the impact is not so much.To execute a UDP scan, all that is needed is the flag for the scan set to -sU , as shown here:
sudo nmap -sU -vvv -p 80 192.168.43.0/24
5)Executing combined UDP and TCP scans
you can combine the scanning of resources by targeting ports for both types of scans. Be smart about you can combine the scanning of resources by targeting ports for both types of scans. Be smart about this,however; if you use a lot of ports in this scan, it will take forever to complete.
To execute a combined scan, all that is needed is to flag the two types of scans you want touse and itemize the ports you want to scan for each protocol. This is done by providing the-p option, followed by U: for the UPD ports and the T: for the TCP ports. See thefollowing example, which highlights only a few ports for the sake of brevity:
sudo nmap -sS -sU -vvv -p U:161,139 T8080,21 192.168.43.0/24
For more example:-