
Nmap Reference

July 9, 2023 · 5 minute read

Overview

DISCLAIMER: PORT SCANNING AND ANY OTHER TYPE OF NETWORK RECONNAISSANCE WITHOUT PROPER AUTHORIZATION IS ILLEGAL! Obtain proper authorization before conducting any form of port scanning or reconnaissance.
Nmap is a powerful, lightweight, and robust tool that offers a comprehensive set of features for scanning a network for open ports and identifying the services (and potential vulnerabilities) behind them. By using Nmap, we can learn valuable information about the configuration of networked devices.
One of Nmap's strengths is its extensive range of customization options, which allow users to specify scanning parameters such as scan type (TCP, UDP, SYN), port ranges, target specifications and more. More documentation on Nmap can be found on the man page here.
When a computer operates a network service it uses a logical port to receive incoming connections. They are necessary to enable multiple network requests and handle multiple services simultaneously. For example, a web server might constantly listen on port 443 for web traffic.
Network connections are established between two ports, an open port on the server that listens for incoming connections, and a randomly selected port on your local computer.
(figure: example of how ports work)

Nmap Switches

Nmap is typically used from the terminal. For users that prefer a graphical user interface, Nmap offers a tool called Zenmap that exposes Nmap's scanning capabilities through an interface, eliminating the need to construct complex command-line arguments.
When port scanning with Nmap, there are six standard scan types. These are:
  • TCP Connect Scans (-sT)
  • SYN Scans (-sS)
  • UDP Scans (-sU)
  • TCP NULL Scans (-sN)
  • TCP FIN Scans (-sF)
  • TCP XMAS Scans (-sX)
More detailed information on how these scans work can be found below.
Some other useful Nmap switches are listed below:

Other Useful Switches

  • -O: Detects what operating system the target is running.
  • -sV: Probes open ports to determine the service and version running on them.
  • -v: Increases verbosity of output. Use -vv to increase the verbosity level to two.
  • -A: Enables aggressive mode, which activates service detection and operating system detection. This is loud.
  • -T[N]: Nmap offers five levels of timing that can be used to increase the speed of your scans; higher speeds are noisier. Available options are 1-5.
  • -p-: Scan all ports.
  • -p 80: Scan port 80 specifically.
  • -p 1000-15000: Scan ports 1000-15000.
Command line arguments are identical whether you are using Windows or Linux. More help on Nmap can be accessed by typing nmap -h. Command line arguments are passed in the form nmap -[handle].

In-Depth Guide on Scans

I - TCP Connect Scans

Before diving into TCP connect scans, it is important to understand how a three-way handshake in the context of TCP works.
The three-way handshake is a process that establishes a reliable connection between two devices over a TCP/IP network. It serves as the foundation for initiating communication and validating communication between two devices.
There are three steps involved in a TCP three-way handshake:
  • 1. SYN: The initiating device, called the client, sends a TCP packet with the SYN flag to the destination device, called the target. This packet tells the target the client's intention to establish a connection.
  • 2. SYN-ACK: The target responds with a TCP packet that has the SYN and ACK flags set. This packet confirms that the target is ready to establish a connection and acknowledges the client's SYN request.
  • 3. ACK: The client sends a final TCP packet with the ACK flag set. This packet acknowledges the target's response, indicating that the connection has been established.
(figure: SYN, SYN-ACK, ACK handshake)
Completion of this three-way handshake signifies the establishment of a TCP connection between the client and the target. This process can be summarized as SYN-SYN/ACK-ACK.
TCP Connect Scans work by performing the three-way handshake with each port.
If Nmap sends a TCP request with the SYN flag to a closed port, then the target will return with the RST flag.
If Nmap sends a TCP request with the SYN flag to an open port, then the target will return with the SYN/ACK flag.
As a result, we know that if the target responds with SYN/ACK, then the port is open. If the target responds with RST, then the port is closed. If the target responds with nothing, then the port is most likely configured to drop incoming packets.
Below is an example of an Nmap TCP connect scan against my home file server.
┌──(root㉿kali)-[/home/kali]
└─# nmap -sT 192.168.1.191
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-26 18:38 EDT
Nmap scan report for 192.168.1.191
Host is up (0.0033s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
631/tcp   open  ipp
873/tcp   open  rsync
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
49152/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 4.90 seconds
┌──(root㉿kali)-[/home/kali]
└─#
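As an added example (not part of the original post), here is a small Python parser for Nmap's normal output like the report above. It pulls out the target, the port table and the "Not shown" summary, and then lists open ports that are not on an expected allow-list, which is how a defender turns a scan of their own server into an exposure check. The sample text is a constructed, shortened version of the report above.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample in Nmap's normal-output format, shortened from the report above.
SAMPLE_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-26 18:38 EDT
Nmap scan report for 192.168.1.191
Host is up (0.0033s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
443/tcp   open  https
8080/tcp  open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 4.90 seconds
"""

class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)", re.M)
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) (?:tcp|udp) ports", re.M)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

def parse_nmap_output(text: str) -> Dict[str, object]:
    """Extract the target, the per-port table and the 'Not shown' summary."""
    host = HOST_LINE.search(text)
    not_shown = NOT_SHOWN.search(text)
    ports = [PortEntry(int(p), proto, state, svc)
             for p, proto, state, svc in PORT_LINE.findall(text)]
    return {
        "host": host.group(1) if host else None,
        # (count, state) of the ports Nmap collapsed into one line, e.g. (989, 'filtered')
        "not_shown": (int(not_shown.group(1)), not_shown.group(2)) if not_shown else None,
        "ports": ports,
    }

def open_ports(text: str) -> List[int]:
    """Port numbers Nmap reported as exactly 'open' (not open|filtered or closed)."""
    return [e.port for e in parse_nmap_output(text)["ports"] if e.state == "open"]

def unexpected_open(text: str, allowed: Set[int]) -> List[int]:
    """Open ports missing from the allow-list: the exposure a defender wants to see."""
    return [p for p in open_ports(text) if p not in allowed]
```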

II - SYN Scans

SYN scans share similarities with TCP connect scans, but they differ in that they do not complete the entire three-way handshake with the target device. SYN scans are identical to TCP connect scans except that the client does not send the final ACK packet to acknowledge the target's response; instead it sends an RST packet.
By not completing the handshake, a SYN scan achieves its objective of identifying open ports faster, because the client does not need to wait for each connection to complete before proceeding to the next port. Furthermore, the incomplete handshake avoids detection by systems and programs that look for a full three-way handshake with the target.
The process generally looks like this:
  • 1. SYN: The initiating device, called the client, sends a TCP packet with the SYN flag to the destination device, called the target. This packet tells the target the client's intention to establish a connection.
  • 2. SYN-ACK: The target responds with a TCP packet that has the SYN and ACK flags set. This packet confirms that the target is ready to establish a connection and acknowledges the client's SYN request.
  • 3. RST: The client either sends a final TCP packet with the RST flag set or leaves the connection hanging.
(figure: SYN, SYN-ACK, RST handshake)
If Nmap sends a TCP request with the SYN flag to a closed port, then the target will return the RST flag.
If Nmap sends a TCP request with the SYN flag to an open port, then the target will return with the SYN/ACK flag.
The only difference is that Nmap will either send an RST packet or leave the connection hanging instead of sending a final ACK like TCP connect scans.
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS 192.168.1.191
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-26 18:41 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.35% done; ETC: 18:41 (0:00:03 remaining)
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 53.75% done; ETC: 18:41 (0:00:03 remaining)
Nmap scan report for 192.168.1.191
Host is up (0.0016s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
631/tcp   open  ipp
873/tcp   open  rsync
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
49152/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds
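As an added example, not part of the original post, here is the detection side of the point above: monitoring that only looks for completed handshakes misses SYN scans, so this Python replays a constructed packet summary through a minimal handshake state machine and reports clients whose SYNs to several distinct ports never reached the established state. The log format, addresses and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed packet summary, one per line: time src dst server_port tcp_flags (S=SYN,
# A=ACK, R=RST). 10.0.0.5 completes a normal handshake to 443; 10.0.0.9 sends a SYN to
# several ports and answers each SYN/ACK with RST instead of the final ACK.
SAMPLE = """\
1.000 10.0.0.5 192.168.1.191 443 S
1.001 192.168.1.191 10.0.0.5 443 SA
1.002 10.0.0.5 192.168.1.191 443 A
2.000 10.0.0.9 192.168.1.191 21 S
2.001 192.168.1.191 10.0.0.9 21 SA
2.002 10.0.0.9 192.168.1.191 21 R
2.003 10.0.0.9 192.168.1.191 22 S
2.004 192.168.1.191 10.0.0.9 22 SA
2.005 10.0.0.9 192.168.1.191 22 R
2.006 10.0.0.9 192.168.1.191 23 S
2.007 192.168.1.191 10.0.0.9 23 R
"""

def parse(text):
    """Return (src, dst, server_port, flags) tuples; the timestamp is not needed here."""
    return [(s, d, int(p), f) for _, s, d, p, f in (l.split() for l in text.splitlines())]

def flow_states(pkts):
    """Replay packets through a handshake state machine keyed by (client, server, port).
    A flow that saw SYN/ACK but never the client's ACK stays 'half_open', which is the
    trace a SYN scan leaves; a server RST to the SYN marks the port 'closed'."""
    states = {}
    for src, dst, port, flags in pkts:
        if flags == "S":                        # client SYN opens a new flow
            states[(src, dst, port)] = "syn_sent"
        elif (dst, src, port) in states:        # reply from the server
            key = (dst, src, port)
            if states[key] == "syn_sent":       # SYN/ACK -> half_open, RST -> closed
                states[key] = "half_open" if "S" in flags else "closed"
        elif (src, dst, port) in states:        # follow-up from the client
            key = (src, dst, port)
            if states[key] == "half_open" and flags == "A":
                states[key] = "established"     # a client RST leaves it half_open
    return states

def half_open_scanners(pkts, min_ports=3):
    """Clients whose SYNs to at least min_ports distinct ports never completed."""
    probes = defaultdict(set)
    for (client, _, port), st in flow_states(pkts).items():
        if st != "established":
            probes[client].add(port)
    return {c: len(p) for c, p in probes.items() if len(p) >= min_ports}
```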

III - UDP Scans

UDP scans simply work by sending UDP packets to a target port.
When a packet is sent to an open UDP port, there should be no response. Nmap then reports this port as open.
When a packet is sent to a closed UDP port, the target should respond with an ICMP message that the port is unreachable.

IV - TCP NULL Scans

During a TCP NULL scan, Nmap sends TCP packets with no TCP control flags set (a "NULL" set of flags). This type of scan works because, according to the TCP specification, an RST packet should be sent in response to a TCP packet that has no control flags.
The TCP NULL scan assumes that if no response is received, the port is likely open, while a response with an RST packet indicates that the port is closed.

V - TCP FIN Scans

During a TCP FIN scan, Nmap sends TCP packets with only the FIN flag enabled.
During this scan, Nmap makes the assumption that an open port will ignore or discard the FIN packet, while a closed port will respond with a TCP RST packet.
By examining the response from the target, Nmap can infer the status of the ports.

VI - TCP XMAS Scans

During a TCP XMAS scan, Nmap sends TCP packets with FIN, URG, and PSH flags all set and analyzes the response from the target system. Nmap then uses this information to infer whether or not the port is open.
If no response is received from a specific port, it is likely to be open since most systems do not send any response to packets with these flags.
If a TCP RST packet is received, it typically indicates that the port is closed.

Scanning IP Ranges

Scanning IP ranges with Nmap allows for the comprehensive exploration of multiple hosts in a network. Nmap provides a variety of techniques to efficiently scan IP ranges.
To scan IP ranges with Nmap, you can use the following syntax. For example:
nmap -sS [ip-range]
This command executes a TCP SYN scan on all ports of the specified IP range.

Target Specification

A comprehensive list of syntax and descriptions can be found here.