Earlier we’ve discussed target specification in detail. But it is almost as import to choose your method to scan the target host. Nmap can scan in various algorithms, we should choose wisely considering the network, operating system and firewalls. Even though we usually don’t know what network architecture or operating system the target is affiliated to, these methods are also useful for determining such information.
To understand the background of scanning, we should know some basic thing about the “three-way handshake” that occurs during a network connection. The three-way handshake is another way of describing the SYN/ACK method. When a computer sends a “Hello” signal to a target machine, it actually sends a SYN packet. After receiving this packet, if the target is listening, it will normally respond with a SYN/ACK packet. When the first computer receives this SYN/ACK packet, it will respond back to the target machine with an ACK packet. This way, the three-way handshake is accomplished.
The SYN/ACK handshake is analogously described by talking on the phone (back on the old days when there weren’t caller id’s!). When we dial some number, we basically send a SYN signal, when the target answers the phone saying “Hello?”, it actually is a SYN/ACK packet, meaning “I’m listening?”, after that when we introduce ourselves as in “Hi, I’m calling from VeriTeknik”, then we’re sending the last ACK packet.
Now since we understand what SYN, SYN/ACK and ACK means, we can start digging around with nmap and see what it uses these information for.
By the way, for what it’s worth, SYN stands for synchronize and ACK stands for acknowledge.
The TCP Scan
Like we’ve discussed earlier in our target specification post, nmap executes a TCP scan with the -sT option. A TCP scan is accomplished with the full three-way handshake, meaning that when we ask nmap to execute a TCP scan on a port on some target, it will send a SYN, wait for the SYN/ACK and send back the ACK, after these, it will tell us that the port is open (or closed). Since we’re going all the way through with the three-way handshake in this method, even though it seems the most reliable one on standard targets (not behind firewall etc.) it has the slightest possibility to flood the target.
Here’s is the basic command to perform one.
$ nmap -sT 10.20.30.40
The SYN Scan
This is the most popular scan type of nmap. In fact, it is also the default option on nmap, meaning if you don’t specify any scan type, nmap will use the default SYN scan method.
The SYN scan is popular because it is faster. This comes from the fact that it doesn’t complete the three-way handshake. It only goes through the two steps of the handshake, first sending the SYN packet, waiting for a SYN/ACK packet, after this, instead of sending an ACK packet, it sends an RST (reset) packet, which tells the target to disregard any previous packets and close the connection between the two machines. The advantage of this is that the RST packet is much smaller than the ACK packet. Even though it may sound like one tiny packet won’t change much, when you add up hundreds (or thousands) of ports on multiple hosts, tiny packets do matter! Also, sending less information to the target always means less possibility to flood it.
$ nmap -sS 10.20.30.40
$ nmap 10.20.30.40
The UDP Scan
Overlooking the UDP scanning technique is a common rookie mistake. Even though most services use the TCP ports today, UDP ports are still essential and cause security vulnerabilities. Also, UDP ports are as useful as TCP ports for getting information on the system.
Note that both TCP and SYN scanning use the TCP method of connection. There are basically two methods for computers to communicate, either the TCP (Transmission Control Protocol) or the UDP (User Datagram Protocol). TCP ensures that the packets sent from one computer to another arrive at the receiver intact and in the order they were sent. But, UDP has no such mechanism, it just sends the data and we never know whether it arrived to the target or not. There are many advantages and disadvantages between the two technologies including speed, reliability, error checking etc. The important thing is to know which one to use under your case.
Comparing the UDP scan to our analogous example of the phone call, it is often described with a mailing system. It is like when we write a mail (not an e-mail, the regular ones!), put a stamp on it, no return address and put it in the mailbox. Maybe sometime the post officer will pick it up, deliver it to the address. You’ll never know if the mail reached its destination or not, and the receiver might not know the origin.
$ nmap -sU 10.20.30.40
Don’t forget that even though people tend to think that services run on TCP ports, a lot of them still stick with the UDP ones, such as DNS, DHCP, SNMP, or TFTP.
The Xmas Scan
This scan method is based on the technical descriptions on the RFC 793 (page 65) of TCP. If the target operating system is bound to the RFC, then when dealing with TCP connections it should obey the following two rules.
* If a closed port receives a packet that doesn’t have a SYN, ACK or RST flag, the port should respond with an RST packet of its own.
* If an open port receieves a packet that doesn’t have a SYN, ACK or RST flag, the packet should be ignored.
So, according to these rules, if a send a packet that doesn’t contain any one of SYN, ACK and RST, and if the relevant port does not answer back, that port should be open. So when we tell Nmap to perform a Xmas scan on a target, it simply sends FIN, PSH and URG packet flags on. The name Xmas comes from the fact that it has so many flags set to “on” as if it lights like a Christmas tree!
The problem with this scan type is that we assume the target operating system fully complies with the RFC standard of the TCP. Linux and Unix operating systems do, but Microsoft operating systems don’t. Ironically this makes Linux systems vulnerable to this scan type.
$ nmap -sX -p- -PN 10.20.30.40
This type of scanning is almost the same with the Xmas scanning method. Instead of switching some of the flags “on”, with the Null scan, Nmap switches everything “off”. This way, the closed ports will respond with a RST flag. (if the operating system complies with the RFC standards)
These type of scans are important when scanning a system behind firewalls. Some firewalls block communication establishment by filtering SYN packets. Since our scanning packets with the Xmas and Null scans don’t have a SYN packet, the firewall won’t filter it. Well, bear in mind that since we don’t have a SYN packet, it is not possible to establish a connection, but the point is scanning for ports, and that is possible without a SYN packet!
$ nmap -sN -p- -PN 10.20.30.40
This is also almost the same with Xmas and Null scans, this time, nmap only sends the packet with the FIN flag “on”.
$ nmap -sF -p- -PN 10.20.30.40
This scan type does not directly look for open ports. Instead it tests whether our ACK packets reach the ports or not. By default, it only has the ACK flag set. An unfiltered (ex. no firewall) system would return with RST packets when an ACK packet reaches it, regardless of the port state being open or closed. If a port doesn’t respond, or it responds with ICMP error messages, nmap will label it as filtered, if the port responds with an RST packet, it will be labeled as “reachable”. Detecting if reachable ports are open or not, is not checked by this scan. This type of scan is very useful to check the security of a target.
$ nmap -sA -p- -PN 10.20.30.40
This one is similar to the ACK scan, but categorizes the port filtered or unfiltered depending on the value the returning package’s RST flag is. On some systems open ports have a positive window size, but the closed ports have a window size equal to zero. So when a port replies RST, instead of labeling it as unfiltered (like it does in ACK scan), nmap will read the TCP Window value of the RST package. If the value is zero, the port is filtered, if it has a positive value, it is labeled as unfiltered. This type of scan does not work on most of the systems. In fact, if most of the ports you scan from 1000 ports are open, and only a few are closed, it is possible that the values are incorrect, the few closed ones might be the open ports and the open labeled ones might be the closed ones.
So, things can get the other-way around, use the feedback with caution!
$ nmap -sW -p- -PN 10.20.30.40
Additional Options for Detailed Information
Lastly, there are a few options to remember that can give us great detail about the target system.
Version detection : The -sV switch tries to determine what version of a service is running on a detected open port. This is great when scanning either UDP ports or unusual ports. If you find an unusual port number to be open, a version scan might tell you whether it is an SSH service running or an HTTP.
Operating System detection : The -O switch is for determining the operating system of the target. This does not 100% work but it does give some clues. It also tries to determine the kernel version, if it fails to get the kernel version, it sometimes reports possibilities in percentages.
Another option for Operating System and Version detection is the -A switch. This does not provide as much detail as the -O option but is still useful.
The Speed : You can choose the speed of each scan with the -T switch. The timing switch ranges on a numeric scale from 0 to 5, with 0 being the slowest scan.
It is important to know the backgrounds of a scan when executing it. Otherwise the results would seem meaningless to the scanner. Go ahead and try scanning your own systems. Don’t forget that if you have multiple servers, nmap also has a nice way of dealing with target specification.