Sunday, October 9, 2011

Complete guide to port scanning with Nmap

Hello friends. I am back with the next series of port scanning tutorial that. In case you have missed the tutorial then do read it, it is a must read for beginners - Understanding Port Scanning in detail.
Lets quickly move on. I would apologize that I have not used too many real time screen shots in this tutorial as I am a bit busy these days to give a detailed explanation but still the tutorial is friendly and you can easily grasp the concepts and implement them. In case you have any doubt you can comment here.

 Here I will mostly be using command line, you can either use GUI or command line depending upon your feasibility. IN this post I will discuss some of the common scanning techniques that can be implemented using Nmap. But in the next tutorial I will discuss some very advance concepts that can help you perform completely stealth scan.
Let us discuss the scanning tevhniques using Nmap.

Note- The terms in square bracket are used to show the command to be passed along with IP address to perform a particular scan type.

The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS]. These two types are explained in detail below.

TCP connect() Scan [-sT]

These scans are so called because UNIX sockets programming uses a system call named connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection was made. If it fails, the connection could not be made (the remote system is offline, the port is closed, or some other error occurred
along the way). This allows a basic type of port scan, which attempts to connect to every port in turn, and notes whether or not the connection succeeded. Once the scan is completed, ports to which a connection could be established are listed as open, the rest are said to be closed. This method of scanning is very effective, and provides a clear picture of the ports you can and cannot access.

If a connect() scan lists a port as open, you can definitely connect to it - that is what the scanning computer just did! There
is, however, a major drawback to this kind of scan; it is very easy to detect on the system being scanned. If a firewall or intrusion detection system is running on the victim, attempts to connect() to every port on the system will almost always trigger a warning. Indeed, with modern firewalls, an attempt to connect
to a single port which has been blocked or has not been specifically ”opened” will usually result in the connection attempt being logged.

SYN Stealth Scan [-sS]

I’ll begin this section with an overview of the TCP connection process. Those familiar with TCP/IP can skip the first few paragraphs. When a TCP connection is made between two systems, a process known as a
three way handshake” occurs. This involves the exchange of three packets, and synchronises the systems with each other (necessary for the error correction built into TCP. Refer to a good TCP/IP book for more details. The system initiating the connection sends a packet to the system it wants to connect to. TCP packets have a header section with a flags field. Flags tell the receiving end something about the type of packet, and thus what the correct response is. Here, I will talk about only four of the possible flags. These are SYN (Synchronise), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets
include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication. ACK acknowledges receipt of a packet or set of packets, FIN is sent when a communication is finished, requesting that the connection be closed, and RST is sent when the connection
is to be reset (closed immediately).

 To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.
SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully; often preventing the connection attempt appearing in application logs. If the port is closed, an
RST will be sent. If it is filtered, the SYN packet will have been dropped and no response will be sent. In this way, Nmap can detect three port states - open, closed and filtered. Filtered ports may require further probing since they could be subject to firewall rules which render them open to some IPs or conditions,
and closed to others.

FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]

With the multitude of modern firewalls and IDS’ now looking out for SYN scans, these three scan types may be useful to varying degrees. Each scan type refers to the flags set in the TCP header. The idea behind these type of scans is that a closed port should respond with an RST upon receiving packets, whereas an
open port should just drop them (it’s listening for packets with SYN set). This way, you never make even part of a connection, and never send a SYN packet; which is what most IDS’ look out for.
The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan sets the FIN, URG and PUSH flags (see a good TCP/IP book for more details) and the Null scan sends a packet with no flags switched on. These scan types will work against any system where the TCP/IP implementation
follows RFC 793. Microsoft Windows does not follow the RFC, and will ignore these packets even on closed ports. This technicality allows you to detect an MS Windows system by running SYN along with one of these scans. If the SYN scan shows open ports, and the FIN/NUL/XMAS does not, chances are
you’re looking at a Windows box (though OS Fingerprinting is a much more reliable way of determining the OS running on a target!)
The sample below shows a SYN scan and a FIN scan, performed against a Linux system. The results are, predictably, the same, but the FIN scan is less likely to show up in a logging system.

Ping Scan [-sP]

This scan type lists the hosts within the specified range that responded to a ping. It allows you to detect which computers are online, rather than which ports are open. Four methods exist within Nmap for ping sweeping. The first method sends an ICMP ECHO REQUEST (ping request) packet to
the destination system.

 If an ICMP ECHO REPLY is received, the system is up, and ICMP packets are not blocked. If there is no response to the ICMP ping, Nmap will try a ”TCP Ping”, to determine whether ICMP is blocked, or if the host is really not online.

UDP Scan [-sU]

Scanning for open UDP ports is done with the -sU option. With this scan type, Nmap sends 0-byte UDP packets to each target port on the victim. Receipt of an ICMP Port Unreachable message signifies the port is closed, otherwise it is assumed open. One major problem with this technique is that, when a firewall blocks outgoing ICMP Port Unreachable messages, the port will appear open. These falsepositives
are hard to distinguish from real open ports.
Another disadvantage with UDP scanning is the speed at which it can be performed. Most operating systems limit the number of ICMP Port Unreachable messages which can be generated in a certain time period, thus slowing the speed of a UDP scan.

Idle Scanning [-sI]

Idle scanning is an advanced, highly stealthed technique, where no packets are sent to the target which can be identified to originate from the scanning machine. A zombie host (and optionally port) must be specified for this scan type. The zombie host must satisfy certain criteria essential to the workings of this scan.
This scan type works by exploiting ”predictable IP fragmentation ID” sequence generation on the zombie host, to determine open ports on the target.The scan checks the IPID on the zombie, then spoofs a connection request to the target machine, making it appear to come from the zombie. If the target port is
open, a SYN/ACK session acknowledgement will be sent from the target machine back to the zombie, which will RST the connection since it has no record of having opened such a connection. If the port on the target is closed, an RST will be sent to the zombie, and no further packets will be sent. The attacker then checks the IPID on the zombie again. If it has incremented by 2 (or changed by two
steps in its sequence), this corresponds to the packet received from the target, plus the RST from the zombie, which equates to an open port on the target. If the IPID has changed by one step, an RST was received from the target and no further packets were sent.

Version Detection [-sV]

Version Detection collects information about the specific service running on an open port, including the product name and version number. This information can be critical in determining an entry point for an attack. The -sV option enables version detection, and the -A option enables both OS fingerprinting and version detection, as well as any other advanced features which may be added in future releases.

Window Scan, RPC Scan, List Scan [-sW, -sR, -sL]

The TCP Window scan is similar to the ACK scan but can sometimes detect open ports as well as filtered/unfiltered ports. This is due to anomalies in TCP Window size reporting by some operating systems (see the Nmap manual for a list, or the nmap-hackers mailing list for the full list of susceptible OS’).
RPC Scans can be used in conjunction with other scan types to try to determine if an open TCP or UDP port is an RPC service, and if so, which program, and version numbers are running on it. Decoys are not supported with RPC scans.

OS Fingerprinting

The -O option turns on Nmap’s OS fingerprinting system. Used alongside the -v verbosity options, you can gain information about the remote operating system and about its TCP Sequence Number generation (useful for planning Idle scans).

These are some of the most basic scanning techniques that you can implement using Nmap. But these scans can be detected if some firewall or IDS has been setup. So the big question now arises that how we can increase the stealth level of our scan. This will require an entire post to discuss it so I am leaving it for the next post. Hope you liked this post and learned some new concepts related to hacking.