NMAP Scanning Options

1
NMAP Scanning Options
2
NMAP

• Nmap is the most popular scanning tool used on
  the Internet.
• Cretead by Fyodar (http//www.insecure.org) , it
  was featured in the Matrix Reloaded movie.

3
SYN Scanning

• Syn scanning, a technique that is widely across
  the Internet today.
• The syn scan, also called the "half open" scan,
  is the ability to determine
  a ports state without making a full connection to
  the host.
• Many systems do not log the attempt, and discard
  it as a communications error.
• You must first learn 3-way handshake to
  understand the Syn scan.

4
TCP Communication Flags

• Standard TCP communications are controlled by
  flags in the TCP packet header.
• The flags are as follows
• Synchronize - also called "SYN
• Used to initiate a connection between hosts.
• Acknowledgement - also called "ACK
• Used in establishing a connection between hosts
• Push - "PSH
• Instructs receiving system to send all buffered
  data immediately
• Urgent - "URG
• States that the data contained in the packet
  should be processed immediately
• Finish - also called "FIN"
  
• Tells remote system that there will be no more
  transmissions
• Reset - also called "RST
• Also used to reset a connection.

5
Three Way Handshake

• Computer A Computer B
• 192.168.1.22342 ------------syn-----------gt192.16
  8.1.380
• 192.168.1.22342 lt---------syn/ack----------192.16
  8.1.380
• 192.168.1.22342-------------ack-----------gt192.16
  8.1.380
• Connection Established
• The Computer A ( 192.168.1.2 ) initiates a
  connection to the server ( 192.168.1.3 ) via a
  packet with only the SYN flag set.
• The server replies with a packet with both the
  SYN and the ACK flag set.
• For the final step, the client responds back the
  server with a single ACK packet.
• If these three steps are completed without
  complication, then a TCP connection has been
  established between the client and server.

6
Stealth Scan

• Computer A Computer B
• 192.168.1.22342 ------------syn-----------gt192.16
  8.1.380
• 192.168.1.22342 lt---------syn/ack----------192.16
  8.1.380
• 192.168.1.22342-------------RST-----------gt192.16
  8.1.380
• Client sends a single SYN packet to the server on
  the appropriate port.
• If the port is open then the server responds with
  a SYN/ACK packet.
• If the server responds with an RST packet, then
  the remote port is in state "closed
• The client sends RST packet to close the
  initiation before a connection can ever be
  established.
• This scan also known as half-open scan.

7
Xmas Scan

• Computer A Computer B
• Xmas scan directed at open port
• 192.5.5.924031 -----------FIN/URG/PSH-----------gt
  192.5.5.11023
• 192.5.5.924031 lt----------NO RESPONSE------------
  192.5.5.11023
• Xmas scan directed at closed port
• 192.5.5.924031 -----------FIN/URG/PSH-----------gt
  192.5.5.11023
• 192.5.5.924031lt-------------RST/ACK--------------
  192.5.5.11023
• Note XMAS scan only works OS system's TCP/IP
  implementation is developed according to RFC 793
• Xmas Scan will not work against any current
  version of Microsoft Windows.
• Xmas scans directed at any Microsoft system will
  show all ports on the host as being closed.

8
FIN Scan

• Computer A Computer B
• FIN scan directed at open port
• 192.5.5.924031 -----------FIN-------------------gt
  192.5.5.11023
• 192.5.5.924031 lt----------NO RESPONSE------------
  192.5.5.11023
• FIN scan directed at closed port
• 192.5.5.924031 -------------FIN------------------
  192.5.5.11023
• 192.5.5.924031lt-------------RST/ACK--------------
  192.5.5.11023
• Note FIN scan only works OS system's TCP/IP
  implementation is developed according to RFC 793
• FIN Scan will not work against any current
  version of Microsoft Windows.
• FIN scans directed at any Microsoft system will
  show all ports on the host as being closed.

9
NULL Scan

• Computer A Computer B
• NULL scan directed at open port
• 192.5.5.924031 -----------NO FLAGS
  SET----------gt192.5.5.11023
• 192.5.5.924031 lt----------NO RESPONSE------------
  192.5.5.11023
• NULL scan directed at closed port
• 192.5.5.924031 -------------NO FLAGS
  SET---------192.5.5.11023
• 192.5.5.924031lt-------------RST/ACK--------------
  192.5.5.11023
• Note NULL scan only works OS system's TCP/IP
  implementation is developed according to RFC 793
• NULL Scan will not work against any current
  version of Microsoft Windows.
• NULL scans directed at any Microsoft system will
  show all ports on the host as being closed.

10
IDLE Scan

• Almost four years ago, security researcher
  Antirez posted an innovative new TCP port
  scanning technique.
• Idlescan, as it has become known, allows for
  completely blind port scanning.
• Attackers can actually scan a target without
  sending a single packet to the target from their
  own IP address.

11
IDLE Scan Basics

• Most network servers listen on TCP ports, such as
  web servers on port 80 and mail servers on port
  25.
• A port is considered "open" if an application is
  listening on the port, otherwise it is closed.
• One way to determine whether a port is open is to
  send a "SYN" (session establishment) packet to
  the port.
• The target machine will send back a "SYNACK"
  (session request acknowledgment) packet if the
  port is open, and a "RST" (Reset) packet if the
  port is closed.
• A machine which receives an unsolicited SYNACK
  packet will respond with a RST. An unsolicited
  RST will be ignored.
• Every IP packet on the Internet has a "fragment
  identification" number.
• Many operating systems simply increment this
  number for every packet they send.
• So probing for this number can tell an attacker
  how many packets have been sent since the last
  probe.

12
IDLE Scan Step 1

• Choose a "zombie" and proble for its current IPID
  number

13
IDLE Scan Step 2

• Send forged packet "from" Zombie to target.

14
IDLE Scan Step 3

• Probe Zombie IPID again

15
Fragmentation scanning

• Instead of just sending the probe packet, you
  break it into a couple of small IP fragments.
• You are splitting up the TCP header over several
  packets to make it harder for packet filters and
  so forth to detect what you are doing.
• The -f switch instructs the specified SYN or FIN
  scan to use tiny fragmented packets.

16
ICMP echo scanning

• This isn't really port scanning, since ICMP
  doesn't have a port abstraction.
• But it is sometimes useful to determine what
  hosts in a network are up by pinging them all.
• nmap -P cert.org/24 152.148.0.0/16

17
Scan Options

• -sT (TcpConnect)
• -sS (SYN scan)
• -sF (Fin Scan)
• -sX (Xmas Scan)
• -sN (Null Scan)
• -sP (Ping Scan)
• -sU (UDP scans)
• -sO (Protocol Scan)
• -sI (Idle Scan)
• -sA (Ack Scan)
• -sW (Window Scan)
• -sR (RPC scan)
• -sL (List/Dns Scan)

18
Ping Detection

• -P0 (dont ping)
• -PT (TCP ping)
• -PS (SYN ping)
• -PI (ICMP ping)
• -PB ( PT PI)
• -PP (ICMP timestamp)
• -PM (ICMP netmask)

19
Output Format

• -oN(ormal)
• -oX(ml)
• -oG(repable)
• -oA(ll)

20
Timing

• -T Paranoid serial scan 300 sec wait
• -T Sneaky - serialize scans 15 sec wait
• -T Polite - serialize scans 0.4 sec wait
• -T Normal parallel scan
• -T Aggressive- parallel scan 300 sec timeout
  1.25 sec/probe
• -T Insane - parallel scan 75 sec timeout 0.3
  sec/probe
• --host_timeout --max_rtt_timeout (default -
  9000)
• --min_rtt_timeout --initial_rtt_timeout (default
  6000)
• --max_parallelism --scan_delay (between probes)

21

• --resume (scan) --append_output
• -iL lttargets_filenamegt -p ltport rangesgt
• -F (Fast scan mode) -D ltdecoy1 ,decoy2,ME,gt
• -S ltSRC_IP_Addressgt -e ltinterfacegt
• -g ltportnumbergt --data_length ltnumbergt
• --randomize_hosts -O (OS fingerprinting) -I
  (dent-scan)
• -f (fragmentation) -v (verbose) -h (help)
• -n (no reverse lookup) -R (do reverse lookup)
• -r (dont randomize port scan) -b ltftp relay hostgt
  (FTP bounce)