NMAP Scanner

Overview

Port scanning aids the footprinting process, the task of gathering information about a specific network environment. It is usually performed to reveal system vulnerabilities and how easily they can be exploited. By port scanning, a pen-tester can find out what services are running, which users own those services, whether anonymous logins are supported, and whether certain network services require authentication.

Scanning Methods

TCP Connect Scan

The most rudimentary of scans is the TCP connect scan. If the port is open, or listening, the TCP connect scan succeeds; otherwise the port is unreachable. (Stevens, 1999) In the example below, if a port is open, the operating system completes the TCP three-way handshake and the port scanner immediately closes the connection; otherwise an error code is returned.

root@bt:~# nmap -sT 192.168.1.106
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-16 19:34 EST
Nmap scan report for 192.168.1.106
Host is up (0.048s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1028/tcp open  unknown
1029/tcp open  ms-lsa
1095/tcp open  nicelink
5357/tcp open  wsdapi
5800/tcp open  vnc-http
5900/tcp open  vnc

This scan mode has two advantages: the user needs no special privileges, and it is easy to use. Its downsides are slow execution, easy detection (every completed handshake can be logged by the target service), and poor results.

SYN Scan

SYN scanning, also known as half-open scanning, is the default and most popular scan. This is because a SYN scan never completes a TCP connection, executes quickly, and is fairly covert.

root@bt:~# nmap -sS 192.168.1.106
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-16 19:32 EST
Nmap scan report for 192.168.1.106
Host is up (0.0074s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1028/tcp open  unknown
1029/tcp open  ms-lsa
1095/tcp open  nicelink
5357/tcp open  wsdapi
5800/tcp open  vnc-http
5900/tcp open  vnc

The key disadvantage of SYN scanning is that it requires access to raw sockets, which needs administrative privileges and may not be possible on some operating systems.

FIN Scan

Like the SYN scan, the FIN scan sends a single crafted packet, in this case a FIN packet, the segment normally used to close an open connection. If the port is closed, the target replies to the FIN with a RST: when no service is listening at the target port, the operating system generates this error response. If a service is listening, the operating system silently drops the incoming packet, so silence indicates the presence of a service at the port. Although this type of scan may pass through devices that filter incoming TCP packets on the FIN and ACK flag combination, it is not an effective scan, because packets can also be dropped or blocked by firewalls, and that silence looks exactly like an open port.

UDP Scan

It might seem that UDP scans cannot provide reliable results, since a UDP port scan treats a port that returns no response as open (Nmap reports it as open|filtered, as in the output below). However, if a screening router sits in front of the target and is configured to send ICMP unreachable responses, which is fairly standard practice, the scanner can report the port as filtered. By this method an attacker can also deduce that the unreachable response came from a different IP address than the target's.

root@bt:~# nmap -sU 192.168.1.106
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-16 21:35 EST
Nmap scan report for 192.168.1.106
Not shown: 990 open|filtered ports
PORT      STATE    SERVICE
111/udp   filtered rpcbind
123/udp   filtered ntp
137/udp   filtered netbios-ns
161/udp   filtered snmp
520/udp   filtered route
626/udp   filtered serialnumberd
1812/udp  filtered radius
2049/udp  filtered nfs
5353/udp  filtered zeroconf
10080/udp filtered amanda
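The TCP and UDP reports above share one text format: a target line, a "Not shown" line that collapses the most common state, and one line per listed port. The parser below is an added example (not from the original page or from Nmap itself) that turns that format into records and diffs two reports so a defender can spot newly exposed services; the sample report is constructed, and open|filtered is deliberately not treated as open.

```python
import re

# Constructed excerpt in the same format as the reports above (not copied from them);
# it mixes tcp and udp lines so both report styles exercise the parser.
SAMPLE_REPORT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-16 19:32 EST
Nmap scan report for 192.168.1.106
Host is up (0.0074s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
161/udp  filtered snmp
5353/udp open|filtered zeroconf
"""

STATES = r"open\|filtered|closed\|filtered|open|closed|filtered|unfiltered"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(" + STATES + r")\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports")
TARGET = re.compile(r"^Nmap scan report for (\S+)")

def parse_nmap_report(text):
    """Turn Nmap's normal text output into a dict: the target, the state Nmap
    collapsed under 'Not shown', and one record per listed port."""
    report = {"target": None, "not_shown": None, "ports": []}
    for line in text.splitlines():
        if m := TARGET.match(line):
            report["target"] = m.group(1)
        elif m := NOT_SHOWN.match(line):
            report["not_shown"] = {"count": int(m.group(1)), "state": m.group(2)}
        elif m := PORT_LINE.match(line):
            report["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4)})
    return report

def open_ports(report, proto="tcp"):
    """Ports reported as definitely open; open|filtered is not counted, because
    for UDP that state only means the probe got no answer at all."""
    return sorted(p["port"] for p in report["ports"]
                  if p["proto"] == proto and p["state"] == "open")

def newly_open(baseline, current, proto="tcp"):
    """Defender's diff: ports open in the current report but not in the baseline."""
    return sorted(set(open_ports(current, proto)) - set(open_ports(baseline, proto)))
```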

Inverse Mapping

Another surreptitious scanning technique is inverse mapping, which uses ICMP destination unreachable (type 3) messages. The destination unreachable type has 15 subtypes (codes), which are used to discern the cause. An intrusion detection device can report a port as unreachable, or it may issue vendor-specific output; someone who knows those error codes can then work out that the packets were blocked by a specific device.

XMAS Scan

Aptly named because the packet is lit up with flags like a Christmas tree. This scan uses uniquely configured TCP packets with a sequence number of 0 and the Urgent (URG), Push (PSH), and FIN flags set. It may circumvent basic firewalls and boundary routers that filter incoming TCP packets on standard flag settings, since XMAS scan packets do not have the SYN flag turned on.

root@bt:~# nmap -sX 192.168.1.105
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-17 21:47 EST
Nmap scan report for 192.168.1.105
Host is up (0.00014s latency).
All 1000 scanned ports on 192.168.1.105 are closed

If the target's TCP port is closed, the target replies with a TCP Reset (RST) packet. If the port is open, the target discards the XMAS packet and sends no reply. Because XMAS packets do not occur in normal network traffic, their presence is a strong indicator of a network surveillance attempt.
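The SYN, FIN and XMAS sections above each describe a distinctive flag combination, and the last paragraph notes that XMAS packets never occur in normal traffic. The following is an added example from the defender's side (not part of the original page or of Nmap): it classifies constructed flow records by TCP flags and reports sources whose probes look like a scan, requiring several distinct ports for bare SYNs but flagging a FIN, XMAS or NULL probe on sight. The record format and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed TCP flow records (not real traffic): (src, dst, dport, flags).
# Flags use tcpdump letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST; "" means no flags set.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.1.106", 135, "S"),
    ("10.0.0.5", "192.168.1.106", 139, "S"),
    ("10.0.0.5", "192.168.1.106", 445, "S"),
    ("10.0.0.5", "192.168.1.106", 5900, "S"),
    ("10.0.0.9", "192.168.1.105", 22, "FPU"),
    ("10.0.0.9", "192.168.1.105", 80, "FPU"),
    ("10.0.0.9", "192.168.1.105", 443, "FPU"),
    ("10.0.0.9", "192.168.1.105", 21, "F"),
    ("10.0.0.7", "192.168.1.106", 445, "S"),   # one ordinary connection ...
    ("10.0.0.7", "192.168.1.106", 445, "A"),
    ("10.0.0.7", "192.168.1.106", 445, "FA"),  # ... closed normally with FIN+ACK
]

def classify_probe(flags):
    """Map a TCP flag set to the Nmap probe it matches, or None for ordinary traffic."""
    f = frozenset(flags)
    if f == {"S"}:
        return "syn"    # bare SYN: half-open scan (-sS) or first step of a connect scan (-sT)
    if f == {"F"}:
        return "fin"    # FIN without ACK never occurs in a legitimate close (-sF)
    if f == {"F", "P", "U"}:
        return "xmas"   # FIN+PSH+URG, the "lit up" XMAS probe (-sX)
    if not f:
        return "null"   # no flags at all (-sN)
    return None

def find_scanners(flows, min_syn_ports=3):
    """Return (src, dst, probe, sorted ports) for suspicious sources. A bare SYN is
    normal until one source sends it to min_syn_ports distinct ports on one host;
    FIN, XMAS and NULL probes are not normal traffic, so a single one is enough."""
    seen = defaultdict(set)           # (src, dst, probe) -> set of destination ports
    for src, dst, dport, flags in flows:
        probe = classify_probe(flags)
        if probe is not None:
            seen[(src, dst, probe)].add(dport)
    findings = []
    for (src, dst, probe), ports in seen.items():
        threshold = min_syn_ports if probe == "syn" else 1
        if len(ports) >= threshold:
            findings.append((src, dst, probe, sorted(ports)))
    return sorted(findings)
```

A connect scan (-sT) shows up here exactly like a SYN scan, since its first packet is a bare SYN; the difference is only that the handshake then completes and the connection appears in the target's own logs.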