Using Nmap to Perform a TCP Connect Scan
The first scan we will look at is called the TCP connect scan.This scan is often sonsidered the most basic ansd stable of all the port scans because Nmap attempts to complete the three-way handshake on each port specified in the Nmap command.Because this scan actually complete the three-way handshake and their tear down the connection gracefully,there is little chance that you will flood the target system and cause it to crash.
If you do not specify port range,Nmap will scan the 1000 most common ports .Unless you are in a great hurry,it is always recommenede to scan all ports,not just the 1000 most common.The person is that often times crafty administratos will attempts to obscure a service by running it on a nonstandard port.You can scan all the ports specifying "-p" when running Nmap.Using the " -pn" switch with every Nmap to disable host discovery and force the tool to scan every system as if it were live.This is were live.This is extremely useful for discovering additional systems and ports that otherwise may be missed.
To run a TCP connect,we issue the following command from a terminal :
nmap -sT -P -Pn 192.168.18.132
Take a moment to review this command.The first word "nmap" causes the Nmap port scanner to start.The second command "-sT" tells Nmap to run a TCP connect scan.Specially to break this switch down even further the "-s" is used to tell Nmap what kind of scan we want to run.The " -T" in the " -sT" is used to run a scan type of TCP connect.We use the " -p" to tell Nmap to scan all the ports not just the default 1000.We use the " -Pn" switch to skip the host discovery phase and scan all the addesses as if the system were alive and responding to ping requests.Finally we specify the target IP address; obviously, your target IP address will be different from the one shown in the screenshot show the TCP Connect Nmap and the output that was received when run against the Metasploitable target.
Often time,we need to run our scans against an entire subnet,or range of IP addresses.when this is the case,we can instruct Nmap to sacn a continous range of IPs by simply appending the last octet of the ending IP address onto the scan like so :
nmap -sT -p -Pn 192.168.18.1-254
Issuing this command will cause Nmap to port scan all the host beween the IP addesses 192.168.18.1 and 192.168.18.254 just like ping sweeps this is a very powerful technique that can greatly improve the productivity of your scanning life !
If you need to scan a series of hosts that are not in sequential order,you can create a text file and list each host IP address on a single line.Then add the " -iL path_to_the_text_file" switch to your Nmap command.Doing this allows you to scan all your target hosts from a single command.Whenever possible tools we discuss have a switch or mechanism for loading this text file.Having a list saves the effort or retyping,but some importantly reduces the number of time you will type each IP address and therefore diminishes the chance that you will fat -finger the IP address and scan the wrong target.
Using Nmap to perform an SYN Scan
Aside from the fact that the SYN scan is the default choice,it is also popular because it is faster than the TCP connect scan and yet remains quite safe,with little chance of Do's or crashing the target system..SYN scans are faster because rather than completing the entire three-way handshake,it only completes te first two steps of the process.
In a SYN scan, the scanning machine sends an SYN packet to the target and the target responds with an SYN/ACK(assuming the port is in use and not filtered) just like it did when we ran a TCP connect scan.However at this point rather than sending the traditional ACK packets tells,the scanning machine sends an RST(reset) packet to the target.The reset packets tells the target machine to disrefard any previous packets and close the connection between the two machines.If we consider the example of comparing the three-way handshake to a phone call, SYN scans would be like calling someone up, having the receiver pick up the phone and saying “Hello?”, and then simply hanging up on the person without a single word.
Advantage to the SYN scan
- it provides a level of obscurity or stealth. Because of this feature, the SYN scan is often referred to as the “Stealth Scan”. The stealth portion of this scan comes from the fact that because the three-way handshake is never fully completed.
- The SYN scan is arguably the most popular Nmap port scan.There are many reason for its popularity,including the fact that it happen to be the default Nmap scan.If yor run the Nmap command without specifying a scan type(using the -s switch), Nmap will use the SYN scan by default.
- the speed advantage of the SYN scan over the TCP connect scan comes from the fact that there are fewer packets sent between the host when using the SYN scan rather than the TCP connect scan.Althrough a few packets may not sound like a big advantage,it can add up quickly when scanning multiple hosts.
The official connection was never 100% established. There are applications and log files that require the completion of the three-way handshake before they begin recording activity. As a result, if a log file only records completed connections and the SYN scan never officially completes a single connection, this scan may be undetected by some applications. Please note that this is the exception and not the rule. All modern firewalls and intrusion detection systems in use today will detect and report an SYN scan! Because the SYN scan is the default Nmap scan, we do not technically need to specify the scan type with the “–s” switch.
To run an SYN scan, you can open a terminal window and issue the following command:
nmap –sS -p22,25,110 scanme.nmap.org
Using Nmap to Perform an Xmas Scan
In the computer world, a request for comments (RFC) is a document that contains either notes or the technical specifications covering a given technology or standard. RFCs can provide us with a tremendous amount of detail about the inner workings of a particular system. Because RFCs describe the technical details of how a system should work, attackers and hackers will often review RFCs looking for potential weaknesses or loopholes described in the documentation. Xmas tree scans and null scans exploit just such a loophole.
Assuming the operating system of the target fully complies with the TCP RFC, Nmap is able to determine the port state without completing or even initiating a connection on the target system. The word “assuming” was used because not every operating system on the market today is fully RFC compliant. In general, the Xmas tree and null scans work against Unix and Linux machines but not Windows. As a result, Xmas tree and null scans are rather ineffective against Microsoft targets. To execute an Xmas tree scan, we simply replace the “–sU” switch from our last example with an “–sX”. To run the full scan in the terminal, we would enter :
nmap –sX -p- -Pn 192.168.56.115
Figure shows the command and output of a Xmas tree scan against our Linux target.
Using Nmap to Perform Null Scans
Null scans, like Xmas tree scans, are probes made with packets that violate traditional TCP communication. In many ways, the null scan is the exact opposite of a Xmas tree scan because the null scan utilizes packets that are devoid of any flags (completely empty).
Target systems will respond to null scans in the exact same way they respond to Xmas tree scans. Specifically, an open port on the target system will send no response back to Nmap, whereas a closed port will respond with an RST packet. It is important to remember that these scans are only reliable for operating systems that comply 100% with the TCP RFC.
One of the main advantages of running Xmas tree and null scans is that in some cases, you are able to bypass simple filters and access control lists. Some of these primitive filters work by blocking inbound SYN packets. The thought with this type of filter is that by preventing the SYN packet from entering the system, it is not possible for the three-way handshake to occur. If the three-way handshake does not occur, there can be no TCP communication streams between the systems, or more precisely, no TCP communications can be originated from outside of the filter.It is important to understand that neither the Xmas tree nor the null scans seekto establish any type of communication channel. The whole goal of these scans is to determine if a port is open or closed.
With the previous two paragraphs in mind, consider the following example. Assume that our Network Admin Ben Owned puts a simple firewall in front of his system to prevent anyone outside of his network from connecting to the system. The firewall works by simply dropping any external communications that begin with an SYN packet. Ben hires his buddy, the ethical hacker, to scan his system. The ethical hacker’s initial TCP Connect scans show nothing. However, being a seasoned penetration tester, the ethical hacker follows up his initial scan with UDP, Xmas tree, and null scans. The ethical hacker smiles when he discovers that both his Xmas tree scans and null scans reveal open ports on Ben’s system.
This scenario is possible because Nmap creates packets without the SYN flag set. Because the filter is only dropping incoming packets with the SYN flag, the Xmas tree and null packets are allowed through. To run a null scan, we issue thefollowing command in a terminal:
nmap –sN -p- -Pn 192.168.18.132