NMAP BASIC PORT SCANS

 This post will be discussing using Nmap to check ports are open and listening and which ports are closed. This room explains:

  • TCP connect port scan.
  • TCP SYN port scan.
  • UDP port scan.

TCP and UDP Ports
In the same way an IP address specifies a host on a network, a UDP or TCP port is used to identify a network service running on that host. A server providing a network service adheres to a specific network protocol, for example responding to DNS queries or serving web pages. A service usually uses a default port number, for example an HTTP would bind to TCP port 80, however it can be configured to run on a different port. No more that one service can listen on any TCP or UDP port on the same IP address.

There are six states we need to consider when scanning for ports with Nmap:
  1. Open: Live service listening on this port.
  2. Closed: No service is listening on the port, although port is accessible (port is reachable and is not blocked by firewall or other security appliances/programmes).
  3. Filtered: Means Nmap cannot determine if the port is open or closed because port is not accessible. This is usually due to a firewall. Sometimes Nmap's packets are blocked from reaching the port, sometimes the responses are blocked from reaching Nmap's host.
  4. Unfiltered: Nmap cannot determine if the port is open or closed, although port is accessible. This state is encountered when using ACK scan -sA .
  5. Open | Filtered: Nmap cannot determine whether the port is open or filtered.
  6. Closer | Filtered: Nmap cannot decide whether a port is closed or filtered. 

TCP Flags
In order to properly understand the different types of TCP port scan Nmap supports, we need to review the TCP header. The TCP header is the first 24 bytes of a TCP segment (see RFC 793 for more information). In the figure below, the first row is the source TCP port and destination port number. The port number is allocates 16 bits (2 bytes). In the second and third row we have the sequence number and the acknowledgement number. Each row has 32 bits (4 bytes) allocated, with 6 rows, making up 24 bytes.


In particular, we are focusing on the flags that Nmap can set or unset (flags are highlighted in red in the above figure). Setting a flag bit means setting its value to 1. The TCP header flags are:

  • URG: Indicates that the pointer field is urgent. A TCP segment with an urgent flag will be processed immediately without consideration of having to wait for previously sent TCP segments,
  • ACK: Acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of TCP segment.
  • PSH: Push flag asking TCP to pass the data to the application promptly.
  • RST: Reset flag used to reset the connection. A firewall may use this flag to tear a TCP connection. This flag is also used when there is no service on the receiving end to an answer.
  • FIN: The sender has no more data to send.

TCP Connect Scan
TCP connect scan works by completing the 3-way TCP handshake as per the image below:


We are interested in learning whether the TCP port is open, not establishing a TCP connection. Hence the connection is torn as soon as possible with RST/ACK. A TCP connect scan can be run using -sT


NOTE: A non-privileged user only has the option to perform a TCP connect scan to discover open TCP ports. 

In the below Wireshark packet capture we can see Nmap sending TCP packets with SYN flag set to various ports. A closed port will respond to a SYN packet with RST/ACK to indicate the port is not open. This pattern will repeat for all the closed ports as we attempt to initiate a TCP 3-way handshake with them. 


Port 143 is open and has replied with SYN/ACK and Nmap has completed the 3 way handshake by sending an ACK. The figure below shows all the packets exchanged between Nmap and the target's port 143. The first 3 packets are the TCP 3-way handshake and the fourth is a RST/ACK packet to tear the connection.



TCP SYN Scan
Unprivileged users are limited to connect scan. However, the default scan mode is a SYN scan which requires a privileged user to run it. SYN scan does not to complete the TCP 3-way handshake and instead it tears the connection down once it receives a response from the server. Because we didn't establish a TCP connection, this type of scan can be more difficult to detect. To use a SYN scan, use the -sS option. 

See below for a SYN scan:


UDP Scan
UDP does not require a handshake to establish a connection, so we cannot guarantee that a service listening on a UDP port would respond to our packets. However, if a UDP packet is sent to a closed port, an ICMP unreachable error (type 3, code 3) is returned. A UDP scan can be selected using the -sU option. 

If the port is open:

If the port is closed:




Comments

Post a Comment

Popular posts from this blog

STARTUP

Image
  Startup is a TryHackMe room where there is a fictional new start up company called Spice Hut, their website is under development and they have some security concerns that they wish to test. I began by heading to the website and began manual enumeration of the site. The site had very minimal functionality, I checked the source code and found nothing of interest. There is a contact link, and I was hoping to be able to get an email address by following it, but it was empty. ' I then performed a Gobuster scan to look for any pages that I may be able to access. There is a page with the name files that is of particular interest.  Here I can see there is an FTP folder, upon opening it I can see that it is empty. I made a note of this as I may be able to upload files to it at a later stage, I then opened important.jpg which seemed to be of no particular interest, and notice.txt had the below text. I made a note of the name Maya, which could be a potential user or username in the future.
Read more

NMAP POST PORT SCANS

In this post we will talk about the steps that follow port-scanning, including service detection, OS detection, Nmap scripting engine and saving the scan results. Service Detection Once Nmap discovers open ports, they can be probed to detect running services and therefore for vulnerabilities. Adding the -sV option to an Nmap scan will collect and determine service and version information for the open ports. --version-intensity LEVEL will specify the intensity of the scan, with 0 being lowest and 9 being highest. Using -sV will force Nmap to use the TCP 3 way handshake. This is because Nmap needs to fully communicate with the target to get information and therefore cannot use the stealth scan -sS . NOTE : In order to run -sV we need root privileges.  OS Detection Nmap can detect the OS based on its behaviour and any telltale signs in its responses by using the -O option. Whilst the OS detection is very convenient, many factors affect its accuracy. In order to have an accurate
Read more

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address or domain that is ou
Read more