NMAP (https://nmap.org/) – Official Documentation
NMAP (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating
systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
Today we’ll have a look at the quite famous port scanning tool “NMAP” (Network Mapper), which is commonly used by so-called ethical hackers or pentesters (or just normal people trying to solve online challenges such as capture the flag). And it’s probably used by the bad guys as well.
We’ll try to understand what a port scanner is and why it’s so useful. On top of that we’ll have a look at how to perform the most common (basic and advanced) port scans on Linux.
What is a port?
The most basic question we need to answer when talking about a port scanner is what ports are and why we sometimes need to scan for them.
In short, and technically speaking:
“In computer networking, a port is a communication endpoint. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service. A port is identified for each transport protocol and address combination by a 16-bit unsigned number, known as the port number. The most common transport protocols that use port numbers are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). As port numbers are made of 16-bit unsigned integers, they can range from 0 to 65535.”
To make this description more vivid, I like to think of the computer / network environment as a large hotel building with up to 65535 rooms. In every room of that hotel another piece of software / service is running and waiting. (Of course not in every hotel room: in fact most of them are empty and won’t respond to your request / won’t open the door for security reasons!) While the general address of the hotel is its external IP address, the port number tells us exactly where to look for our target process inside the hotel, just like having the right room number tells you where to go.
At this point I should note that the port numbers from 1-1024 are somewhat ‘reserved’ (see the list of well-known ports), as they are used by a broad range of core internet protocols and services. For that reason they should not be used for anything other than their intended purpose. Want an example of such a port number? The best known is port number 80, used by the Hypertext Transfer Protocol (HTTP). If you type a URL into your browser, the browser sends the request to port number 80 on the destination / server side. If the IP address is right, the server will process your website request on port number 80. That’s it.
However, the vast majority of port numbers (> 1024) do not follow a logical system and are not carved in stone. For those services / processes you either
a) use software that is preconfigured and brings the port numbers it uses along, or
b) ask the service provider which port number is used for a certain service / program.
Otherwise you will reach the server (the hotel in my analogy) but will most likely fail anyway, because you don’t know in which room your destination process is running.
In situations where you cannot (or for whatever reason don’t want to) ask which services on the destination machine are using which port numbers, NMAP comes in handy. As NMAP can return a list of open port numbers for the target machine, it gives you hints about which applications are running on the server side and thereby intel about possible attack vectors.
That is why NMAP belongs in the toolbox of every pentester, or of any cyber-security oriented person in general.
Now that we know about ports and why it is so useful to know about them, we can take a closer look at NMAP. (Please note: I try to cover a lot of details, but not everything about NMAP.)
Basics:
The standard syntax for using nmap is:
$ nmap [Scan Type(s)] [Options] {target specification}
- The most common scan types are described below.
- You can state multiple arguments to specify your desired scan type. More about those arguments is given below; the official documentation has a full overview.
- The target can be specified as a hostname, a direct IP address, a network address (CIDR range), etc.
NMAP comes with a variety of scan types, every single one with different characteristics and use cases. As a memory aid, port scan type options are of the form -s<C>, where <C> is a prominent character in the scan name, usually the first.
To get a better understanding of what happens in each of these scan types you should know how the basic TCP handshake works. A TCP connection requires a three-way handshake:
1. First, the client sends a SYN packet (synchronize) to the target, which indicates that it wants to establish a regular TCP connection.
2. The server (target) responds to the client with a SYN/ACK packet (synchronize / acknowledge).
3. The client sends an ACK packet back to the server. Now the connection is established and data can be exchanged.
TCP SYN-Scan (-sS)
The SYN scan is the default and most basic scan type. It can scan thousands of ports per second on a fast network, and it is relatively stealthy because it never establishes a full TCP connection. If you don’t specify any scan type, NMAP performs a SYN scan by default. But you need root / administrator rights for this scan, as NMAP sends raw packets out onto the network. If you don’t have root, nmap falls back to a TCP connect scan.
It is called a SYN scan because the client only sends the first SYN packet to the server. The response you get from the server gives you intel about the port:
-> If the server responds with SYN/ACK, you know that the port is open and something is listening / waiting for connections.
-> If the server responds with RST (reset), you can assume that the port is a so-called ‘non-listener’: the port itself is not filtered, but no service is listening on it. Keep those ports in mind (or, as an administrator, block them if you don’t use them); maybe something listens there from time to time.
-> If the server doesn’t respond, the targeted port is probably filtered (a firewall is dropping your incoming packet, so you get no response at all).
TCP-Connect-Scan (-sT)
Performs a full TCP three-way handshake on every port. This is the default scan when the user does not have raw packet privileges. In this case NMAP uses the standard ‘connect’ system call of the underlying operating system, the same one used by web browsers and most other network-enabled applications. As NMAP has less control over this system call, this type of scan is slower, requires more packets and – because of the completed handshake – is more likely to be logged by the target systems.
UDP-Scan (-sU)
Performs a UDP (User Datagram Protocol) scan on the targeted ports. UDP scanning is more difficult and therefore slower than the TCP scans mentioned above; the time requirement is the biggest issue with UDP scans. Some systems rate-limit their responses (e.g. certain Linux versions limit ICMP port-unreachable messages for closed ports to one per second), and open ports often time out because they send no response packet at all, so a full 65,536-port scan can take more than 18 hours.
By default the UDP packet sent is empty, unless the user specifies otherwise. For some ports (e.g. 53 [DNS] and 161 [SNMP]) NMAP includes a protocol-specific payload to increase the response rate.
UDP scans can be combined with a TCP scan type such as the SYN scan (-sS) to check both protocols during the same run.
TCP-ACK-Scan (-sA)
This scan type differs from the ones mentioned before, as it does not determine whether a scanned port is open. Instead, it is often used to map out firewall rulesets, determining whether the firewall is stateful or not and which ports are filtered.
The ACK scan probe has only the ACK flag set. If the probe gets through the firewall, both open and closed ports respond with a RST packet, which indicates that those ports are not filtered by the firewall. If there is no response to the probe (or certain ICMP error messages come back), NMAP labels those ports as filtered.
TCP-FIN-Scan (-sF)
Just sets the TCP FIN bit (the FIN [finish] bit is used to signal the end / closing of a connection / transmission). The termination of a transmission is also done by a three-way handshake; instead of the SYN packet, the protocol uses the FIN flag.
For further info on this scan type please check the original NMAP and TCP documentation.
NULL-Scan (-sN)
No bits are set (the TCP flag header is 0).
For further info on this scan type please check the original NMAP and TCP documentation.
XMAS-Scan (-sX)
Sets the FIN, PSH and URG flags. It is called an XMAS scan because it lights the packet up like a Christmas tree.
For further info on this scan type please check the original NMAP and TCP documentation.
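The flag combinations above are also what a defender sees on the wire. The following added example (not code from the original post or from the Nmap project) maps probe flag sets to the scan types described here, encodes the response rules the text gives for the SYN, ACK and FIN/NULL/XMAS scans, and flags a source that probes many distinct ports; the packet records are constructed samples.

```python
# Added example: classify TCP probes by flag pattern and spot port scans.
# The packet records are constructed samples, not a real capture.
from collections import defaultdict

# Flag sets sent by the scan types described above. A SYN-only probe looks
# identical for -sS and -sT until the third packet (RST vs. ACK) arrives.
PROBE_SIGNATURES = {
    frozenset({"SYN"}): "SYN scan (-sS) or connect scan (-sT)",
    frozenset({"ACK"}): "ACK scan (-sA)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset(): "NULL scan (-sN)",
    frozenset({"FIN", "PSH", "URG"}): "XMAS scan (-sX)",
}


def classify_probe(flags):
    """Map the TCP flags on a probe to the scan type whose probe matches."""
    return PROBE_SIGNATURES.get(frozenset(flags), "not a known probe pattern")


def expected_state(scan, response):
    """Port state Nmap reports for a scan type and an observed response.
    response is 'SYN/ACK', 'RST', 'ICMP-unreach' or None (no reply)."""
    if scan == "SYN":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    if scan == "ACK":
        return "unfiltered" if response == "RST" else "filtered"
    if scan in ("FIN", "NULL", "XMAS"):
        if response == "RST":
            return "closed"
        if response == "ICMP-unreach":
            return "filtered"
        return "open|filtered"  # no reply: open or dropped by a firewall
    raise ValueError(f"unknown scan type {scan!r}")


def find_scanners(packets, min_ports=10):
    """Return {src: [scan types]} for sources probing >= min_ports distinct ports.
    A lone ACK from a normal connection also matches -sA, so the distinct-port
    threshold is what separates scans from ordinary traffic here."""
    seen = defaultdict(lambda: {"ports": set(), "types": set()})
    for pkt in packets:
        kind = classify_probe(pkt["flags"])
        if kind == "not a known probe pattern":
            continue
        seen[pkt["src"]]["ports"].add(pkt["dport"])
        seen[pkt["src"]]["types"].add(kind)
    return {s: sorted(v["types"]) for s, v in seen.items() if len(v["ports"]) >= min_ports}


# Constructed sample: a SYN sweep over 12 ports, one XMAS probe, one normal client.
SAMPLE = [{"src": "198.51.100.7", "dport": p, "flags": {"SYN"}} for p in range(20, 32)]
SAMPLE += [{"src": "198.51.100.9", "dport": 80, "flags": {"FIN", "PSH", "URG"}},
           {"src": "192.0.2.5", "dport": 443, "flags": {"SYN"}},
           {"src": "192.0.2.5", "dport": 443, "flags": {"ACK"}}]
```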
IDLE-Scan (-sI <zombie host>[:<probeport>])
This advanced scan method allows a truly blind TCP port scan of the target: with this scan type no packets are sent to the target from your real IP address. The targeted system sees the scan as coming from the specified zombie system, because your scan packets are bounced off that external zombie system. The zombie system needs to be up and match certain requirements; control over the zombie system is not necessary.
This is not only useful if you really want to stay hidden. It also allows you to perform port scans from different zombie machines (IP addresses) and thereby test for IP- and trust-based firewall rulesets you may suspect.
This is only a rough description of the possibilities of an IDLE scan. If you are interested in this kind of scan, I strongly recommend reading the documentation: https://nmap.org/book/idlescan.html
RPC / Version Scan (--script rpc-grind / -sV)
Another useful part of NMAP is scanning for active RPCs (Remote Procedure Calls) or service versions running on the target. RPCs are used to run functions on other systems and are therefore an integral part of distributed computing and server/client relationships. As some RPC services are known to be vulnerable to malicious intent, it is useful to know which of them are up and running. The same goes for outdated and possibly vulnerable software versions.
NMAP itself ships with an nmap-rpc database of almost 600 RPC programs that can be used to enumerate RPC ports directly. As an alternative you can use the Unix command rpcinfo if port 111 is up and running.
For further information on this topic, consult the official documentation on RPC scans.
OVERVIEW OF THE MOST COMMON PORT SCANNING TECHNIQUES:
Use case | Flag / Tag | Comment |
---|---|---|
TCP SYN scan | -sS | nmap -sS [target] (default scan type) |
TCP ACK scan | -sA | nmap -sA [target] |
TCP connect scan | -sT | nmap -sT [target] |
UDP scan | -sU | nmap -sU [target] |
HOST DISCOVERY:
Use case | Flag / Tag | Comment |
---|---|---|
Skip host discovery, only port scan | -Pn | |
ARP discovery on local networks | -PR | |
Ping scan, disable port scan | -sn | Only for host exploration (e.g. nmap -sn 172.16.0.0/16) |
Disable DNS resolution | -n | |
PORT SPECIFICATION AND SCAN ORDER:
Use case | Flag / Tag | Comment |
---|---|---|
Specify port range | -p | usage examples: -p22 ; -p1-65535 ; -p U:53,111,137 |
Exclude certain ports | --exclude-ports [portrange] | (does not scan the excluded ports) |
Scan all ports (0-65535) | -p- | |
Fast port scan | -F | (scans fewer ports than the default mode) |
Scan ports consecutively | -r | (port order not randomized, easier to detect!) |
OS AND VERSION DETECTION:
Use case | Flag / Tag | Comment |
---|---|---|
Detect the version of running services | -sV | |
Aggressive scan | -A | (enables OS and version detection, script scanning and traceroute) |
Detect the operating system of the target | -O | |
FIREWALL/IDS (Intrusion Detection System) EVASION AND SPOOFING:
Use case | Flag / Tag | Comment |
---|---|---|
Use given source port number | -g | (e.g. nmap -g 22 targetIP) |
Cloak a scan with decoys | -D | |
Spoof source address | -S | (e.g. nmap -S SpoofedIP targetIP) |
TIMING AND PERFORMANCE:
Different speeds can be set for the scans, ranging from really slow to insanely fast. The faster you scan, the higher the probability of being detected by an IDS. Timing is therefore a kind of IDS evasion.
Use case | Flag / Tag | Comment |
---|---|---|
Paranoid scan speed | -T0 | Really slow. |
Sneaky scan speed | -T1 | |
Polite scan speed | -T2 | |
Normal scan speed | -T3 | |
Aggressive scan speed | -T4 | |
Insane scan speed | -T5 | Fast scan, beware of IDS! |
MISCELLANEOUS:
Use case | Flag / Tag | Comment |
---|---|---|
Enable IPv6 scanning | -6 | use if your target has an IPv6 address |
Print help | -h | |
Default script scan | -sC | runs the default script set of the NMAP Scripting Engine |
Scripts from the vulnerability category | --script=vuln | Only uses the vuln category of predefined scripts. |
Output:
Use case | Flag / Tag | Comment |
---|---|---|
Save output in all 3 formats at once | -oA | -oA <file> |
Save output as normal text | -oN | -oN <file> |
Save output as XML | -oX | -oX <file> |
Save output in grepable format | -oG | -oG <file> |
Increase verbosity (level 1) | -v | verbosity level 1 |
Increase verbosity (level 2) | -vv | verbosity level 2 (recommended) |
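The grepable format (-oG) is the one you reach for when feeding scan results into other tooling, for example the inventory and uptime monitoring mentioned in the introduction. This added example (not code from the original post or from the Nmap project) parses -oG output and reports which open ports appeared or disappeared between a baseline scan and a newer one; both scan texts are constructed samples in the -oG layout.

```python
# Added example: parse Nmap -oG output and diff open ports against a baseline.
# The BASELINE and CURRENT texts are constructed samples, not real scan output.


def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} from -oG text.
    Fields on a 'Host:' line are tab-separated; each 'Ports:' entry is
    port/state/proto/owner/service/rpcinfo/version, separated by ', '."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines begin with '#'
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = {}
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # e.g. 'Status: Up' or 'Ignored State: ...'
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                ports[(int(parts[0]), parts[2])] = (parts[1], parts[4])
        hosts.setdefault(host, {}).update(ports)
    return hosts


def open_ports(hosts):
    """Reduce the parsed table to the set of (port, proto) reported open per host."""
    return {h: {k for k, (state, _) in p.items() if state == "open"}
            for h, p in hosts.items()}


def diff_scans(baseline_text, current_text):
    """Newly opened and newly closed ports per host between two -oG outputs."""
    base = open_ports(parse_grepable(baseline_text))
    cur = open_ports(parse_grepable(current_text))
    changes = {}
    for host in sorted(set(base) | set(cur)):
        b, c = base.get(host, set()), cur.get(host, set())
        if b != c:
            changes[host] = {"opened": sorted(c - b), "closed": sorted(b - c)}
    return changes


BASELINE = (
    "# constructed baseline scan header\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n"
)
CURRENT = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///, "
    "80/filtered/tcp//http///\tIgnored State: closed (997)\n"
)
```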
For more information about the NMAP Scripting Engine (NSE), see the official NSE documentation.