Day 043 #FromZeroToHacker – Nmap Basic Port Scans

After discovering live hosts with Nmap, it is time to go deeper and scan their ports.

Let’s arrive at a good port when scanning with our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Nmap

In the previous room, we focused on discovering online systems. The natural next step would be testing which ports are open and listening, and which are closed.

In this lesson we will learn about:

  • TCP connect port scan
  • TCP SYN port scan
  • UDP port scan
Nmap steps

This is the second of the four Nmap lessons:

  1. Nmap Live Host Discovery
  2. Nmap Basic Port Scans
  3. Nmap Advanced Port Scans
  4. Nmap Post Port Scans

What have I learnt today?

TCP and UDP ports

As an IP address identifies a host on a network, a port identifies a network service running on that host. Port numbers are conventionally tied to services (80 for HTTP, 443 for HTTPS, etc.), and on a given address only one process can listen on a given TCP or UDP port at a time. Nothing stops an administrator from putting any service on any port, though, so the number is a hint about what is listening, not proof.

An open port indicates that a service is listening on it, while a closed port indicates that nothing is listening there right now.

That is a simplification. Nmap, on the other hand, distinguishes six states:

  1. Open: A service is listening on the port.
  2. Closed: The port is reachable, but no service is listening on it (a TCP probe gets an RST back).
  3. Filtered: Nmap cannot tell whether the port is open or closed because its probes never reach it, typically because a firewall drops them.
  4. Unfiltered: The port is reachable, but Nmap cannot tell whether it is open or closed (only the ACK scan reports this state).
  5. Open|Filtered: Nmap cannot decide between open and filtered, for example a UDP port that never answers.
  6. Closed|Filtered: Nmap cannot decide between closed and filtered (only the IP ID idle scan reports this state).

TCP flags

Nmap's TCP scan types differ in which TCP flags they set in the probes they send:

  • URG: URGent flag. The incoming data is urgent and should be processed immediately, without waiting for previously sent TCP segments.
  • ACK: ACKnowledge the receipt of a TCP segment.
  • PSH: PuSH flag asks TCP to pass the data to the application promptly.
  • RST: ReSeT flag resets the connection. Usually sent by firewalls to tear down a TCP connection, or by a host when a segment arrives for a port with no service behind it.
  • SYN: SYNchronize flag is used to initiate the 3-way handshake and synchronize sequence numbers with the other host.
  • FIN: The sender has no more data to send.

These flags are carried in the TCP header, which is at least 20 bytes long (up to 60 bytes when options are present):

TCP headers

The first row holds the source and destination port numbers. The second and third rows hold the sequence number and the acknowledgement number. The fourth row holds the data offset (the header length), the flags and the window size.

TCP Connect scan

The TCP Connect scan works by completing the TCP 3-way handshake: the client sends a SYN, the server answers with a SYN/ACK if the port is open (or an RST/ACK if it is closed), and the client completes the handshake by sending an ACK.

TCP 3-way Handshake

We don't want an established connection, only to learn whether the TCP port is open, so as soon as the handshake completes Nmap tears the connection down with an RST/ACK. This scan is selected with the -sT option and relies on the operating system's connect() call rather than on crafting raw packets.

Nmap ST scan steps

If you are not a privileged user, the TCP Connect scan is the only way to discover open TCP ports. Because the handshake completes, the service on the other end sees a real connection and may log it.

Nmap ST scan
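The same logic as a script, to make the states concrete. This is an added example, not code from the post or from Nmap: it asks the operating system for a full connect() to each port, exactly as -sT does, maps the outcome to Nmap's open/closed/filtered states, and sets SO_LINGER with a zero timeout so the kernel tears each connection down with an RST rather than a graceful FIN, the closest a plain socket gets to Nmap's RST/ACK. It needs no root. The listening port and the closed port it scans are created locally on 127.0.0.1 for the demonstration; the host, the port list and the one-second timeout are assumptions.

```python
import socket
import struct

HOST = "127.0.0.1"   # assumption: scan the local machine so the example runs offline


def connect_scan(host, ports, timeout=1.0):
    """Classify TCP ports the way -sT does, using the OS connect() call (no root needed)."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        # SO_LINGER with l_onoff=1, l_linger=0: close() sends RST instead of FIN,
        # mirroring the RST/ACK teardown Nmap uses once the handshake succeeded.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        try:
            s.connect((host, port))        # SYN -> SYN/ACK -> ACK, all done by the kernel
            states[port] = "open"
        except ConnectionRefusedError:     # our SYN was answered with RST/ACK
            states[port] = "closed"
        except socket.timeout:             # neither SYN/ACK nor RST: something dropped the probe
            states[port] = "filtered"
        finally:
            s.close()                      # the RST goes out here for the open ports
    return states


def demo():
    """Create one listening port and one known-closed port on HOST, then scan both.
    Both targets are constructed for the example."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))               # port 0: let the kernel pick a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind((HOST, 0))
    closed_port = spare.getsockname()[1]
    spare.close()                          # bound but never listened on: nothing is there now

    try:
        states = connect_scan(HOST, [open_port, closed_port])
    finally:
        listener.close()
    return states[open_port], states[closed_port]


if __name__ == "__main__":
    print(demo())                          # ('open', 'closed')
```

The listener never calls accept(), yet the port still reports as open: the kernel completes the handshake on behalf of any listening socket, which is why a connect scan cannot tell a busy service from an idle one. A firewall that drops the SYN would show up as the timeout branch.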

TCP SYN scan

Unprivileged users are limited to the TCP Connect scan; the SYN scan (-sS) needs root, because Nmap crafts the packets itself. It sends a SYN and reads the answer: a SYN/ACK means open, an RST means closed, and no answer (or an ICMP unreachable error) means filtered. Nmap never sends the final ACK; instead it tears the half-open connection down with an RST, so the handshake never completes, the listening application never sees a connection, and the probe is less likely to be logged by it. For this reason -sS is Nmap's default scan when run as root.

Nmap SS scan steps
Nmap SS scan

UDP scan

UDP is a connectionless protocol with no handshake. Nmap sends a UDP packet to each port: an open service may answer with a UDP packet of its own (often it stays silent), while a closed port makes the host return an ICMP port unreachable error. Because silence can mean either an open service that ignored the probe or a firewall that dropped it, Nmap reports unanswered UDP ports as open|filtered, and because most systems rate-limit ICMP errors, UDP scans are much slower than TCP scans.

Nmap SU scan open
Nmap SU scan closed
Nmap SU scan
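A worked decoder for what Nmap actually looks at in the SYN and UDP scans above, and for the header layout from the TCP flags section. This is an added example, not code from the post or from Nmap itself: it unpacks the 20-byte fixed TCP header with struct, decodes the flag bits, reads the type and code of an ICMP error, and turns each possible reply into the state Nmap would report. The state rules follow Nmap's documented behaviour; the probe, the replies, the port and sequence numbers are constructed inline for the example, so nothing is sent on the wire. Sending a raw SYN for real needs root, which is exactly why -sS does.

```python
import struct

# Flag bits in the low byte of the "data offset / flags" word of the TCP header.
# CWR (0x80) and ECE (0x40) sit just above these six.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Fixed 20-byte header: sport, dport, seq, ack, (data offset << 12 | flags),
# window, checksum, urgent pointer, all big-endian.
TCP_FIXED_HEADER = "!HHIIHHHH"

ICMP_DEST_UNREACHABLE = 3
# Destination-unreachable codes Nmap reads as "something filtered the probe":
# 1 host, 2 protocol, 3 port, 9/10/13 administratively prohibited.
SYN_FILTERED_CODES = {1, 2, 3, 9, 10, 13}
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}     # for UDP, code 3 (port unreachable) means closed


def parse_tcp_header(segment):
    """Decode the fixed TCP header; options, if any, follow it up to data_offset bytes."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes long")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        TCP_FIXED_HEADER, segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "data_offset": (off_flags >> 12) * 4,          # header length in bytes, 20..60
        "flags": {name for name, bit in TCP_FLAGS.items() if off_flags & bit},
    }


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Constructed segment for the example: no options (offset 5 words), checksum left 0."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    return struct.pack(TCP_FIXED_HEADER, sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)


def parse_icmp_header(packet):
    """Return (type, code) from an ICMP message: type, code, checksum, then the rest."""
    if len(packet) < 4:
        raise ValueError("ICMP header is at least 4 bytes long")
    return packet[0], packet[1]


def classify_syn_reply(reply):
    """Port state after one -sS probe. reply is None (nothing came back within the
    retry budget) or a (protocol, raw_header_bytes) pair."""
    if reply is None:
        return "filtered"                     # no SYN/ACK, no RST, no ICMP error
    proto, raw = reply
    if proto == "tcp":
        flags = parse_tcp_header(raw)["flags"]
        if {"SYN", "ACK"} <= flags:
            return "open"                     # Nmap now answers RST instead of the final ACK
        if "RST" in flags:
            return "closed"                   # reachable, nothing listening
    elif proto == "icmp":
        itype, code = parse_icmp_header(raw)
        if itype == ICMP_DEST_UNREACHABLE and code in SYN_FILTERED_CODES:
            return "filtered"
    raise ValueError("reply not recognised: %r" % (reply,))


def classify_udp_reply(reply):
    """Port state after one -sU probe, same reply encoding as above."""
    if reply is None:
        return "open|filtered"                # silent service, or a dropped packet: can't tell
    proto, raw = reply
    if proto == "udp":
        return "open"                         # the service answered
    if proto == "icmp":
        itype, code = parse_icmp_header(raw)
        if itype == ICMP_DEST_UNREACHABLE and code == 3:
            return "closed"                   # ICMP port unreachable
        if itype == ICMP_DEST_UNREACHABLE and code in UDP_FILTERED_CODES:
            return "filtered"
    raise ValueError("reply not recognised: %r" % (reply,))


def demo():
    """Run constructed replies (ports and sequence numbers are made up) through the classifiers."""
    probe = build_tcp_header(sport=40000, dport=80, seq=1000, ack=0, flags={"SYN"})
    p = parse_tcp_header(probe)
    syn_ack = build_tcp_header(80, 40000, seq=5000, ack=p["seq"] + 1, flags={"SYN", "ACK"})
    rst_ack = build_tcp_header(80, 40000, seq=0, ack=p["seq"] + 1, flags={"RST", "ACK"})
    admin_prohibited = bytes([3, 13, 0, 0])   # ICMP type 3, code 13, checksum left 0
    port_unreachable = bytes([3, 3, 0, 0])    # ICMP type 3, code 3
    dns_answer = bytes([0x00, 0x35, 0x9c, 0x40, 0x00, 0x08, 0x00, 0x00])  # UDP header from port 53
    return {
        "probe": (p["flags"], p["dport"], p["data_offset"]),
        "syn_open": classify_syn_reply(("tcp", syn_ack)),
        "syn_closed": classify_syn_reply(("tcp", rst_ack)),
        "syn_filtered_icmp": classify_syn_reply(("icmp", admin_prohibited)),
        "syn_filtered_silent": classify_syn_reply(None),
        "udp_open": classify_udp_reply(("udp", dns_answer)),
        "udp_closed": classify_udp_reply(("icmp", port_unreachable)),
        "udp_filtered": classify_udp_reply(("icmp", admin_prohibited)),
        "udp_open_filtered": classify_udp_reply(None),
    }
```

Two details worth noticing in the classifiers: the same ICMP admin-prohibited message means "filtered" for both scan types, while silence means "filtered" for a SYN scan but only "open|filtered" for UDP, because a TCP port that is reachable must answer a SYN one way or the other and a UDP service is under no such obligation.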

Fine-Tuning Scope and Performance

By default, Nmap scans the 1000 most common ports, but we can specify which ones to scan:

  • Port list: -p22,80,443 scans ports 22, 80 and 443.
  • Port range: -p1-1023 scans every port from 1 to 1023, inclusive.

We can also scan all 65535 ports (-p-), the 100 most common ports (-F) or the ten most common ports (--top-ports 10).
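A small parser for the -p syntax just described, as an added example rather than Nmap's own implementation. It expands comma lists and inclusive ranges into a de-duplicated, validated port list; the open-ended forms ("1024-" and "-1023") and the rejection of anything outside 1..65535 are this parser's own choices. -F and --top-ports are not modelled, because they depend on Nmap's service-frequency table rather than on the argument text.

```python
MAX_PORT = 65535   # Nmap's -p- shorthand expands to 1-65535; port 0 is excluded unless asked for


def parse_port_spec(spec):
    """Expand an Nmap-style -p argument into a sorted list of distinct ports.

    Handles comma lists ("22,80,443"), inclusive ranges ("1-1023"), the all-ports
    shorthand ("-") and, as this parser's reading of open-ended ranges, "1024-"
    (up to 65535) and "-1023" (from 1). T:/U: protocol prefixes and service
    names are out of scope here (assumption).
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port specification %r" % spec)
        if "-" in item:
            low, _, high = item.partition("-")
            low = int(low) if low else 1
            high = int(high) if high else MAX_PORT
        else:
            low = high = int(item)
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError("bad port range %r (ports are 1..%d)" % (item, MAX_PORT))
        ports.update(range(low, high + 1))
    return sorted(ports)


def is_valid_port_spec(spec):
    """True if parse_port_spec accepts spec, False on any parse or range error."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for spec in ("22,80,443", "1-1023", "-", "80,22,80,8000-8010"):
        ports = parse_port_spec(spec)
        print("%-20s -> %d ports, first %s, last %s" % (spec, len(ports), ports[0], ports[-1]))
```

Counting the expanded list is the quickest way to see why scope matters for performance: "-" yields 65535 probes per host against 1000 for the default, and at the rates a slow timing template allows that difference is hours.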

We can control the scan timing with -T0 to -T5, -T0 being the slowest (and stealthiest) and -T5 the fastest (and noisiest). Slower scans help avoid tripping an IDS (Intrusion Detection System). By default Nmap uses -T3; -T4 is common against CTF or practice targets, while -T1 is used on real engagements where stealth and accuracy matter more than speed. Bear in mind that -T1 waits 15 seconds between probes and -T0 five minutes, so a full port scan at those speeds takes hours or days.

We can also control the packet rate directly: --min-rate <NUMBER> forces Nmap to send at least NUMBER packets per second, and --max-rate <NUMBER> caps it at NUMBER packets per second.

Summary

In this lesson, we have learnt:

  • The six port states according to Nmap.
  • TCP flags.
  • TCP Connect scans, TCP SYN scans and UDP scans.
  • How to fine-tune our scans
  • More Nmap commands:

TCP Connect Scan (no root required)

nmap -sT <TARGET_IP>


TCP SYN Scan (requires root)

sudo nmap -sS <TARGET_IP>


UDP Scan (requires root)

sudo nmap -sU <TARGET_IP>

Scan all 65535 ports                  -p-
Scan ports 1 to 1023                  -p1-1023
Scan the 100 most common ports        -F
Scan ports in consecutive order       -r
Set the scan speed (0 to 5)           -T<NUMBER>
Cap the packet rate at 50 per second  --max-rate 50
Send at least 10 packets per second   --min-rate 10

Stats

From 108,791st to 104,610th. Sitting right now in the Top 5%.

Here is also the Skill Matrix:

Resources

Module: Nmap

TryHackMe: Nmap Basic Port Scans

Other resources

Nmap Live Host Discovery