Deep Dive Into Nmap Scan Techniques

Original text by PenTest-duck

Disclaimer: I won’t be covering “every” scan type (e.g. -sY, -sM), but I’ll cover the scan types that I think will be used more often.
A More Serious Disclaimer: using Nmap against a target or network without explicit permission is illegal and should therefore not be attempted.

Introduction

Image for post

nmap -h SCAN TECHNIQUES output

So if you’re like me and have done man nmap or nmap -h to see what Nmap has to offer, you’ll notice it prints lines and lines of output. In this blog post, I’ll try and demystify many of the scan techniques it has to offer, including some uncommon ones that you may never have to use in your life.

TCP Connect Scan (-sT)

Syntax: nmap -sT <target-ip> [-p <ports>]
Let’s kick this off with one of the more common ones. Personally, I rarely ever use -sT unless -sS doesn’t work (but if -sS doesn’t work, I doubt that -sT is going to work, either). Nevertheless, it is good to know how a TCP Connect scan works and how Nmap can leverage TCP to reveal port status. Basically, TCP Connect scans utilise TCP’s connection-oriented nature to attempt to perform a full 3-way TCP handshake with each port and verify its state.

Image for post
TCP Connect Scan captured in Wireshark (23 = closed, 22 = open)

Nmap sends a SYN packet to initiate the 3-way TCP handshake. If the port is closed (look at top 2 packets), the port replies with a RST-ACK, to terminate the connection.

If the port is open (look at next 5 packets), the server replies with a SYN-ACK, and Nmap completes the 3-way handshake with an ACK packet. Then (after the port updates the window [search “TCP sliding window”]), Nmap immediately terminates the connection with a RST-ACK packet.

Pro: quite reliably scans TCP ports
Cons: less “stealthy” (connection attempts will be logged by the server), takes a longer time, sends more packets

TCP SYN (“Stealth”/“Half-Open”) Scan (-sS)

Syntax: nmap [-sS] <target-ip> [-p <ports>]
The SYN scan is the default scan of Nmap, and it goes by many names, the first referring to its sneaky nature of avoiding connnection attempts from being logged by the server (nowadays, the SYN scan is not so stealthy anymore). But how does it achieve this? The second name explains it — “Half Open” refers to SYN scan’s method of performing only 2 steps of the 3-way TCP handshake. We never send the third and last packet, and instead terminate the connection, therefore allowing Nmap to verify the port’s status without fully connecting to the port.

Image for post
TCP SYN Scan captured in Wireshark (23 = closed, 22 = open)

ust like the TCP Connect scan, Nmap sends a SYN packet to initate the handshake, and if the port is closed, receives a RST-ACK (packets 1, 3).

However, this time, if the port is open, after Nmap receives the SYN-ACK, it
immediately sends a RST packet to terminate the connection, as it has verified that the port is open due to it responding with a SYN-ACK (packets 4,5).

Pros: quicker and sends less packets
Con: with advancements in firewall and server defenses technology, it is not stealthy anymore

UDP Scan (-sU)

Syntax: nmap -sU <target-ip> [-p <ports>]
UDP Scanning utilises UDP and ICMP packets to discover the status of a port. Nmap sends an empty UDP packet and either receives no reply or an ICMP Port Unreachable packet. But due to UDP’s connectionless nature, the output can be unreliable at times.

Image for post
UDP Scan captured with Wireshark (88 = open, 89 = closed)

Nmap sends an empty UDP packet for both ports (packets 1,2,4) and receives no reply from port 88 twice(open) and an ICMP Port Unreachable packet (packet 3) from port 89 (closed).

But Nmap returns this output:

Image for post
Nmap returns “open|filtered”

What’s up with the “open|filtered” instead of “open”?
Here’s the thing: when Nmap received no reply from port 88, one scenario could be that port 88 really is open, and is therefore not responding with any reply, however, another possible scenario is that a firewall is filtering out our traffic and thus the UDP packet never reaches the target and we receive no reply. Either way, we won’t know the difference — which results in Nmap displaying “open|filtered”.

Pros: allows the scanning of UDP ports
Cons: not always reliable

Null, FIN & Xmas Scans (-sN, -sF, -sX)

Syntax: nmap {-sN -sF -sX} <target-ip> [-p <ports>]
Now we get to the scan techniques that we will come across much less often. All of Null, FIN and Xmas scans are intended to stealthily sneak through stateless firewalls and packet filters, by turning on different TCP flags
Null scan: no flags set
FIN scan: FIN flag set
Xmas scan: FIN, PSH, URG flags set (packet lights up like a Christmas tree, hence the name)

Image for post
Null, FIN and Xmas scan captured in Wireshark (22 = open, 23 = closed)

For all of the scans, the underlying procedure is the same, except for the flags. If a port is closed, it replies with a RST-ACK and if it is open, it does not reply. However, this is not the case for all machines as not every machine follows RFC 793 and can send a RST packet even though the port is open. Additionally, since these scans rely on open ports not replying back (like UDP scan), it also suffers the issue of us not knowing if a firewall has filtered our packets or not (thus our output of “open|filtered”).

Pro: can sneak through some firewalls and packet filters
Cons: not all machines conform to RFC 793, not always reliable

ACK Scan (-sA)

Syntax: nmap -sA <target-ip> [-p <ports>]
Now, the ACK scan is a little bit different to what we’ve looked at so far. The ACK Scan isn’t meant to discover the open/closed status of ports. Instead, it helps us visualise the rulesets of intermediary firewalls. As the name suggests, Nmap sends TCP packets with only the ACK flag set, and if it receives a RST packet (both open and closed ports will respond with a RST), the port is marked as “unfiltered”, but if it receives no reply, or an ICMP error, the port is marked as “filtered”, and the firewall has filtered the packet.

Image for post
ACK Scan captured in Wireshark (22 = open, 23 = closed)

Port 22 is open, while port 23 is closed, but both reply with a RST packet when an ACK packet is sent. This shows that both ports are not filtered by any firewalls.

Pro: maps out firewall rulesets
Con: cannot determine if the port is open or closed

Idle Scan (-sI)

Syntax: nmap -sI <zombie-ip> <target-ip> [-p <ports>]
This is the most interesting — yet the most complex — scan of all. As you can see from the syntax, we require a “zombie” in order to perform an idle scan. In a nutshell, Nmap will attempt to leverage an idle host to indirectly launch a port scan, therefore hiding our IP address from the target. It does this using the difference in increments of the IP ID of the zombie.

To understand how Nmap achieves this in understandable detail, please look at figures 5.65.7 and 5.8 in https://nmap.org/book/idlescan.html.

Pro: masks our true IP address
Con: possibility of false positives (due to zombie host not being idle)

Further Digging:

If you want to know more about these scan types, and other scan types Nmap has to offer, take a look at:
https://nmap.org/book/man-port-scanning-techniques.html

Добавить комментарий

Этот сайт использует Akismet для борьбы со спамом. Узнайте, как обрабатываются ваши данные комментариев.