Hello and welcome again!
In today’s blog, we will be talking about Nmap, an industry-standard tool used for a variety of tasks. We will cover:
- Discovering hosts on a network
- Different Methods to Ping a Machine on a Network
- Scanning for Ports
- Techniques for Scanning Ports
Introduction
Nmap (Network Mapper) is a recon tool that lets us check whether there are machines online on a network, detect which ports a machine has open, closed, or filtered by a firewall, and find vulnerabilities on the machine itself. This tool is used by pretty much every pentester on the job, so it’s crucial for us to learn how to use it well. The full manual is on their website, www.nmap.org. NOTE: We will only be discussing Nmap with regard to IPv4 network addresses.
Discovering hosts on a network
Depending on the situation, whether you are doing a CTF or pentesting on the job, this is one of the first steps you would want to complete in the recon stage. The goal of this step is to take a huge set of IP ranges and only retain the ones that are active on the network. Host discovery (also called ping scan) goes well beyond the simple ICMP echo request associated with the ping tool.
When pinging a machine, Nmap’s default method is to send an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. Also by default, Nmap runs host discovery first and then port-scans each of the hosts it finds online.
After scanning, Nmap reports the total number of IP addresses scanned at the end. This can help ensure you are scanning the right network and not some other company’s network by accident (yikes).
Different Methods to Ping a Machine on a Network
Some of the most common flags used when scanning for hosts include:
- -sL – list scan – a form of scanning that doesn’t send any packets to the target hosts, but Nmap will still do a reverse-DNS lookup to get their names. (Reverse DNS is a lookup of the name associated with a given IP address.)
- -sn – no port scan – usually used when you don’t want to put too heavy a load on the network and set off any firewalls.
- -Pn – no ping – this option tells Nmap to skip the pinging step that checks whether the host is online. When Nmap pings targets, it uses the results to determine which machines are active so it can do heavier scanning against them (like scanning for open ports). With this step disabled, Nmap attempts to scan ports on every host in the IP range specified, which can take Nmap a very long time. Use this when you know the host is up but a firewall is preventing you from pinging it.
- -PS – port list – TCP SYN ping – sends an empty TCP packet with the SYN flag set. The remote machine acknowledges that you are trying to establish a connection and sends a SYN/ACK packet back. Nmap then tears the connection down by responding with an RST (the kernel of the scanning system sends it). This is another method to check whether the machine is up. Note: you must specify the port(s) you want to send the packet to, and there CANNOT be any space between the PS flag and the port number. For example, -PS21-30 pings ports 21-30 to get a response.
- -PA – port list – TCP ACK ping – very similar to -PS, it just uses the ACK flag instead of the SYN flag.
- -PU – port list – UDP ping – sends a UDP packet to the given ports. If no ports are specified it defaults to pinging port 40125. You can also specify other ports using the same syntax as -PA and -PS discussed above. Nmap uses a very uncommon port because when this packet hits a closed port on the target machine, the UDP packet should produce an ICMP port unreachable packet in return, signifying the machine is up. The advantage of this method is that it bypasses firewalls and filters that only screen TCP.
- -PO – protocol list – IP protocol ping – sends IP packets with a protocol number set in the header. If no protocol is given, it defaults to sending multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4). It looks for responses using the same protocol as the probe, or ICMP protocol unreachable messages (signifying the protocol is not supported), either of which signifies the host is up.
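The workflow this section describes, narrowing a range down to live hosts and only then port-scanning them, as an added example that is not code from the original post or from the Nmap project. It assumes nmap is on PATH when run against a real range; the parsing functions operate on Nmap’s greppable (-oG) output and are exercised here on a constructed sample, so nothing is sent on the wire. The host names and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Nmap project.
# Narrow an IP range to live hosts with a ping scan (-sn) before port scanning.
# Assumes nmap is on PATH when run against a real range; the parsing functions
# are exercised below on a constructed sample, so no packets are sent.

# Constructed sample of greppable output from `nmap -v -sn -oG - 10.0.0.0/29`
# (not a real scan; -v makes Nmap list Down hosts too). Nmap separates fields
# with a tab; awk treats tabs and spaces alike, so spaces are used here.
SAMPLE_PING_SCAN='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -v -sn -oG - 10.0.0.0/29
Host: 10.0.0.1 (gw.lab.example) Status: Up
Host: 10.0.0.2 () Status: Down
Host: 10.0.0.3 (files.lab.example) Status: Up
Host: 10.0.0.4 () Status: Up
# Nmap done at Mon Jan  1 00:00:01 2024 -- 8 IP addresses (3 hosts up) scanned in 1.20 seconds'

# Print one IP per line for every host Nmap reported as Up (reads stdin).
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Number of live hosts parsed from the Host: lines (reads stdin).
count_live() {
    live_hosts | wc -l | tr -d ' '
}

# Number of live hosts Nmap itself reported in its trailer line (reads stdin).
# This is the total the blog says to sanity-check against the range you meant.
trailer_hosts_up() {
    sed -n 's/.*(\([0-9][0-9]*\) hosts* up).*/\1/p'
}

# Real pipeline: ping-scan the range, keep the live hosts, port-scan only them.
# -sn skips the port scan during discovery; -iL feeds the saved list back in.
discover_then_scan() {
    range=$1
    nmap -sn -oG - "$range" | live_hosts > live_hosts.txt
    if [ ! -s live_hosts.txt ]; then
        echo "no live hosts found in $range" >&2
        return 1
    fi
    nmap -p- -oG full_port_scan.gnmap -iL live_hosts.txt
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PING_SCAN" | live_hosts
echo "parsed up: $(printf '%s\n' "$SAMPLE_PING_SCAN" | count_live)," \
     "nmap reported up: $(printf '%s\n' "$SAMPLE_PING_SCAN" | trailer_hosts_up)"
```

Comparing the count you parsed with the count in Nmap’s own trailer is a cheap way to catch a mistyped range before the much longer port scan starts.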
Scanning for Ports
Nmap classifies each port into one of six states:
- open – the port is actively accepting TCP, UDP, or SCTP connections. These are the ports you want to find when scanning a host/machine.
- closed – the port is still accessible, but no service is listening on it.
- filtered – Nmap can’t determine whether the port is open. A firewall can filter the packets being sent to the port, which prevents us from knowing what state it is in.
- unfiltered – the port is accessible, but Nmap cannot determine whether it is open or closed.
- open|filtered – Nmap cannot determine whether the port is open or filtered. This occurs with scan types in which open ports give no response.
- closed|filtered – Nmap is unable to determine whether the port is closed or filtered.
By default, Nmap only scans the 1,000 most common ports. In pentesting, it is always crucial to scan all the ports of the device to ensure you know every service running on it.
- -p [port ranges] – this flag allows you to specify which ports to scan. For example, to scan the first 10 ports: -p 1-10. To scan all ports, just use -p-, which scans all 65535 ports.
- -r – Nmap randomizes the port order by default; setting this flag forces Nmap to scan in sequential order.
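The six port states above are easiest to triage when a full-port scan is saved in greppable form and summarised per state. The following is an added example, not code from the original post or from the Nmap project; it assumes nmap is on PATH for the real run, and the parser is exercised on a constructed sample whose host, ports, and services are invented.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Nmap project.
# Turn a full-port scan's greppable output into a per-port state summary so
# the six Nmap port states can be triaged. Assumes nmap on PATH for the real
# run; the parser is exercised on a constructed sample (no packets are sent).

# Constructed sample of `nmap -sS -sU -p- -oG - 10.0.0.3` output (not a real
# scan). Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_PORT_SCAN='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sU -p- -oG - 10.0.0.3
Host: 10.0.0.3 (files.lab.example) Status: Up
Host: 10.0.0.3 (files.lab.example) Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///, 3306/closed/tcp//mysql///, 53/open/udp//domain///, 161/open|filtered/udp//snmp/// Ignored State: closed (131064)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 1 IP address (1 host up) scanned in 5.00 seconds'

# Print "ip port/proto state service" for every port listed in a Ports: field
# (reads stdin). The Ignored State: summary at the end of the line is dropped.
port_states() {
    awk '/^Host:/ && /Ports: / {
        ip = $2
        s = $0
        sub(/^.*Ports: /, "", s)                         # keep the entry list only
        sub(/[[:space:]]+Ignored State:.*$/, "", s)      # drop the trailing summary
        n = split(s, entry, /, */)
        for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
            print ip, f[1] "/" f[3], f[2], f[5]
        }
    }'
}

# Keep only ports in one state, e.g. open, filtered, open|filtered (reads stdin).
ports_in_state() {
    port_states | awk -v want="$1" '$3 == want'
}

# Count how many listed ports ended in each state (reads stdin).
state_counts() {
    port_states | awk '{ c[$3]++ } END { for (s in c) print s, c[s] }'
}

# Real run: every TCP port (-p-) of one target, saved in greppable form and
# summarised immediately.
full_tcp_scan() {
    nmap -p- -oG "$1.gnmap" "$1" && port_states < "$1.gnmap"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PORT_SCAN" | state_counts
printf '%s\n' "$SAMPLE_PORT_SCAN" | ports_in_state 'open|filtered'
```

Ports that land in open|filtered are the ones worth a second look with version detection, since a plain UDP probe cannot tell a silent service from a dropped packet.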
Techniques for Scanning Ports
It is crucial to understand the different techniques involved in scanning for ports. Choosing the correct one for a machine gives you important information about the services behind its ports, such as whether a port is open or closed.
Remember this – you are a script kiddie if you just use the default scan on every machine you encounter, because it’s the default scan and requires no knowledge, just a specified command flag and the ‘enter’ button.
- -sS – TCP SYN scan – the default scan – fast and not too obtrusive, since it never completes TCP connections. This is also called a half-open scan because you don’t open a full TCP connection. When sending a SYN packet, the port is open if you get a SYN/ACK packet back. The port is also considered open if you get a SYN packet without the ACK flag in the response from the target machine. If there is no response after several resends, the port is marked as filtered.
- -sT – TCP connect scan – the default when a SYN scan is not an option, i.e. when the user does not have raw packet privileges (usually root privileges). In this scan, Nmap uses the Berkeley Sockets API (the connect system call the OS provides to establish a connection to another machine) to send packets to the target instead of raw packets. Any time your machine tries to send or receive raw packets, it usually requires root privileges. This is less efficient than a SYN scan. It is also noisier (more packets are exchanged) and more likely to be detected by an IDS.
- -sU – UDP scan – generally slower and more difficult than TCP scanning, but there is treasure to be found in these scans. UDP services are extremely common, and experienced attackers never ignore this entire protocol. This scan can be combined with any TCP scan, such as the -sS mentioned earlier. The scan sends a UDP packet to every targeted port: if an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered. If the service responds with a UDP packet, the port is open. If no response is received even after several retransmissions, the port is open|filtered. A solution to this ambiguity is to use -sV (version detection) to differentiate open from filtered. Since UDP scans are particularly slow, you can speed them up by scanning hosts in parallel, scanning popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
- -sY – SCTP INIT scan – SCTP is an alternative to the TCP and UDP protocols, usually used for SS7/SIGTRAN related services and sometimes other applications as well. The scan can be performed quickly, is not hampered by firewalls, and is quite stealthy. It adopts the TCP SYN scan’s approach of not completing full SCTP associations, and it allows clear differentiation of port states.
- -sN; -sF; -sX – TCP NULL, FIN, and Xmas scans – use a loophole in the TCP RFC to differentiate between open and closed ports.
  - -sN – NULL scan – no TCP flag bits are set (the flag header is 0)
  - -sF – FIN scan – only sets the TCP FIN bit
  - -sX – Xmas scan – sets the FIN, PSH, and URG flags
  If an RST packet is received, the port is closed; no response means open|filtered; and the port is filtered if an ICMP unreachable error is received (type 3, code 0, 1, 2, 3, 9, 10, or 13). This type of scan is good at sneaking around non-stateful firewalls as well as packet-filtering routers. These are even more stealthy than SYN scans, but they may not be stealthy enough to get around a modern IDS, so keep that in mind. A big downside is that not all systems follow RFC 793 (the protocol whose loophole is used to detect port states).
- -sA – TCP ACK scan – this scan does NOT determine open or open|filtered ports. It is designed to uncover firewall rules, checking whether they are stateful and which ports are being filtered. Definitely a scan you want to know well to get around firewalls.
- -sW – TCP window scan – examines the TCP window field of the RST packets returned. Long story short, a positive window value in the reset means the port is open and a zero value means it is closed. Since it relies on an implementation detail of a small number of systems on the internet, it’s not the most trusted source. It will report all ports as closed if the system does not support it.
- -sM – TCP Maimon scan – the same as the NULL, FIN, and Xmas scans, but the probe is FIN/ACK.
- --scanflags – custom TCP scans – this is super advanced. You design your own scan by specifying arbitrary TCP flags.
- -sZ – SCTP COOKIE ECHO scan – advanced. SCTP implementations silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. The advantage is that it’s not an obvious scan; some firewalls aren’t blocking COOKIE ECHO chunks. A good IDS will still be able to pick it up, and it cannot differentiate open from filtered, so you are stuck with open|filtered.
- -sI – zombie host[:probeport] – idle scan – absolutely zero packets are sent from your actual IP address to the target. It exploits the IP ID sequence of a zombie host. From the IDS side, the scan appears to come from the zombie host, which makes this super stealthy. Optionally, add a colon and a port number to choose which port on the zombie host to probe.
- -sO – IP protocol scan – helps you determine which IP-level protocols the machine supports. This is not a port scan, yet it works similarly to a UDP scan. Just know that if Nmap receives any response from the target host, the protocol is considered open, as it is on receiving an ICMP port unreachable error (type 3, code 0, 1, 9, 10, 13). An ICMP protocol unreachable error (type 3, code 2) shows that the protocol is closed.
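Two pieces of the advice in this section lend themselves to a small script: choosing -sS when raw packets are available and -sT when they are not (the -sT entry above), and following a -sU scan with -sV on just the ports left as open|filtered (the -sU entry above). The block below is an added example, not code from the original post or from the Nmap project. It assumes nmap is on PATH for the real scans; the UDP parser is exercised offline on a constructed sample with an invented host and port list.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Nmap project.
# Two pieces of the advice above as functions: pick -sS when raw packets are
# allowed (root) and fall back to -sT otherwise, and re-probe the UDP ports a
# -sU scan left as open|filtered with version detection (-sV). Assumes nmap
# on PATH for the real scans; the parser runs offline on a constructed sample.

# Choose the TCP scan type from the effective user id (0 = root). Takes an
# optional uid so the choice can be checked without changing privileges.
pick_tcp_scan() {
    if [ "${1:-$(id -u)}" -eq 0 ]; then
        echo "-sS"    # SYN (half-open) scan needs raw sockets
    else
        echo "-sT"    # connect scan works unprivileged via the sockets API
    fi
}

# Constructed sample of `nmap -sU -oG - 10.0.0.4` output (not a real scan).
SAMPLE_UDP_SCAN='Host: 10.0.0.4 () Status: Up
Host: 10.0.0.4 () Ports: 53/open/udp//domain///, 123/open|filtered/udp//ntp///, 161/open|filtered/udp//snmp///, 500/closed/udp//isakmp/// Ignored State: open|filtered (996)'

# Comma-separated list of the UDP ports Nmap could not settle (open|filtered).
# Reads stdin; the format for -p is exactly "123,161".
udp_open_filtered() {
    grep -o '[0-9][0-9]*/open|filtered/udp' | cut -d/ -f1 | tr '\n' ',' | sed 's/,$//'
}

# Real workflow: a UDP scan with a per-host time cap (skips hosts that crawl),
# then -sV only on the undecided ports, far cheaper than version-probing all.
udp_scan_then_verify() {
    host=$1
    nmap -sU --host-timeout 10m -oG "$host.udp.gnmap" "$host"
    undecided=$(udp_open_filtered < "$host.udp.gnmap")
    if [ -n "$undecided" ]; then
        nmap -sU -sV -p "$undecided" "$host"
    fi
}

# Offline demonstration.
echo "tcp scan for this user: $(pick_tcp_scan)"
echo "udp ports to verify with -sV: $(printf '%s\n' "$SAMPLE_UDP_SCAN" | udp_open_filtered)"
```

Because a full UDP scan with -sV on every port would take hours, restricting the version probes to the undecided ports keeps the second pass short while still resolving the open|filtered ambiguity the section describes.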
Conclusion
In today’s blog, we took a deep dive into port scanning, pinging machines, and a variety of techniques used to determine the status of ports. All of this information is crucial to gather when doing recon on a machine or network. Finding open ports or running machines on a network is an open avenue for an attacker to gain access and pwn a machine. Learning these methodologies is crucial for the OSCP – and I am very grateful to be sharing this important information with you all today. Thanks again, and I will catch you all next week.
Peter
I credit most (if not all) of the information in this blog to the Nmap documentation. You can read the documentation here: https://nmap.org/docs.html