After discovering live hosts with Nmap, now is the time to go deeper by scanning their ports.
Let’s arrive at a good port when scanning with our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What I have learnt today?
- Stats
- Resources
Introduction to Nmap
In the previous room, we focused on discovering online systems. The natural next step would be testing which ports are open and listening, and which are closed.
In this lesson we will learn about:
- TCP connect port scan
- TCP SYN port scan
- UDP port scan
This is the second of the four Nmap lessons:
What I have learnt today?
TCP and UDP ports
Just as an IP address identifies a host on a network, a port identifies a network service running on that host. Each port number is associated with a service (80 for HTTP, 443 for HTTPS, etc.), and each port is bound to one and only one service.
An open port indicates that a service is listening on that port, while a closed one indicates that no service is listening there right now.
That is a bit of a simplification. Nmap, on the other hand, considers six states:
- Open: A service is listening on the specified port.
- Closed: No service is listening on the specific port but it is accessible (reachable).
- Filtered: Inaccessible. Nmap cannot tell whether the port is open or closed because its probes are being blocked, usually by a firewall.
- Unfiltered: Nmap doesn’t know if it is open or closed, but it is accessible.
- Open|Filtered: Nmap cannot determine if the port is open or filtered.
- Closed|Filtered: Nmap cannot determine if the port is closed or filtered.
TCP flags
Nmap supports different types of TCP port scans, by setting flags:
- URG: URGent flag. The incoming data is urgent and should be processed immediately, without waiting for previously sent TCP segments.
- ACK: ACKnowledge the receipt of a TCP segment.
- PSH: PuSH flag asks TCP to pass the data to the application promptly.
- RST: ReSeT flag resets the connection. Usually sent by firewalls to tear down a TCP connection, or by a host when data arrives for a port with no service listening on it.
- SYN: SYNchronize flag is used to initiate the 3-way handshake and synchronize sequence numbers with the other host.
- FIN: The sender has no more data to send.
These flags are sent in the TCP header, the first 24 bytes of a TCP segment:
The first row holds the source and destination TCP port numbers. The second and third rows hold the sequence number and the acknowledgment number.
TCP Connect scan
TCP Connect scan works by completing the TCP 3-way handshake: the client sends a SYN, the server responds with a SYN/ACK if the port is open, and the client completes the process by sending an ACK.
We don't want to establish a full connection, only to learn whether the TCP port is open, so the client tears the connection down right after the handshake by sending an RST/ACK. This scan is selected with the -sT option.
If you are not a privileged user, a TCP Connect scan is the only way to discover open TCP ports.
TCP SYN scan
Users with no privileges are limited to the TCP Connect scan. The SYN scan (-sS) does not complete the TCP 3-way handshake: it tears the connection down as soon as it receives the server's response, which lowers the chances of the scan being logged by the application behind the port.
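As an added example (not code from the original post or from the TryHackMe room), here is how the TCP header layout and flags described above let a defender tell the two scan types apart in a capture: a small parser for the fixed TCP header fields, and a flow classifier that labels a half-open SYN probe (SYN, then RST, never an ACK) versus a full handshake followed by a reset. The IP addresses, port numbers and packet headers are constructed for the example, and the tcp_header helper exists only to build that sample input.

```python
import struct
from collections import defaultdict
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # flag bits, low byte of the offset/flags field
NAMES = {URG: "URG", ACK: "ACK", PSH: "PSH", RST: "RST", SYN: "SYN", FIN: "FIN"}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed part of a TCP header: ports, seq/ack numbers, length, flags."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off_flags >> 12) * 4,  # data offset is counted in 32-bit words
            "flags": [NAMES[b] for b in NAMES if off_flags & b]}

def tcp_header(sport, dport, seq, ack, flags) -> bytes:
    """Constructed helper: builds a 20-byte header (no options) for the sample capture."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 1024, 0, 0)

def classify_flows(packets):
    """Client-to-server (src_ip, dst_ip, raw_tcp_header) tuples in capture order -> {(src, dst, dport): label}."""
    flows = defaultdict(list)
    for src, dst, raw in packets:
        h = parse_tcp_header(raw)
        flows[(src, dst, h["dport"])].append(set(h["flags"]))
    labels = {}
    for key, steps in flows.items():
        syn = any(f == {"SYN"} for f in steps)                           # handshake step 1
        ack = any("ACK" in f and not f & {"SYN", "RST"} for f in steps)  # handshake step 3
        rst = any("RST" in f for f in steps)
        if syn and rst and not ack:
            labels[key] = "half-open: SYN then RST, no ACK (SYN-scan pattern)"
        elif syn and ack and rst:
            labels[key] = "full handshake, then RST (connect-scan pattern)"
        elif syn and ack:
            labels[key] = "normal connection"
        else:
            labels[key] = "other"
    return labels

def ports_probed(labels):
    """Distinct ports per source whose flow ended in a reset; many from one source is the tell."""
    hits = defaultdict(set)
    for (src, _dst, dport), label in labels.items():
        if "RST" in label:
            hits[src].add(dport)
    return {src: sorted(p) for src, p in hits.items()}

# Constructed sample capture (client-to-server only): 10.0.0.5 probes 22 and 80, 10.0.0.7 is a normal client
SAMPLE = [(src, "10.0.0.9", tcp_header(sp, dp, 1000, 0, fl)) for src, sp, dp, fl in [
    ("10.0.0.5", 40001, 22, SYN), ("10.0.0.5", 40001, 22, RST), ("10.0.0.5", 40002, 80, SYN),
    ("10.0.0.5", 40002, 80, ACK), ("10.0.0.5", 40002, 80, RST | ACK), ("10.0.0.7", 51000, 443, SYN),
    ("10.0.0.7", 51000, 443, ACK), ("10.0.0.7", 51000, 443, PSH | ACK), ("10.0.0.7", 51000, 443, FIN | ACK)]]
```

Running classify_flows(SAMPLE) labels the two probes from 10.0.0.5 as SYN-scan and connect-scan patterns and the 10.0.0.7 flow as a normal connection; ports_probed then reports which ports each source reset.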
UDP scan
UDP is a connectionless protocol, so no handshake is involved. When a UDP packet is sent to a closed port, an ICMP port unreachable error is returned.
Fine-Tuning Scope and Performance
Nmap scans 1000 ports by default, but we can specify which ones we want to scan:
- Port list: -p22,80,443 scans ports 22, 80 and 443.
- Port range: -p1-1023 scans all ports between 1 and 1023, both included.
We can also scan all 65535 ports (-p-), the 100 most common ports (-F) or the ten most common ports (--top-ports 10).
We can control the scan timing with -T0 to -T5: -T0 is the slowest (and stealthiest) and -T5 the fastest (and loudest). Use slower scans to avoid IDS (Intrusion Detection Systems). By default, Nmap uses -T3; -T4 is commonly used on CTF or practice targets, while -T1 is used on real engagements where stealth and accuracy are important.
We can control the packet rate with --min-rate <NUMBER>, where NUMBER is the number of packets per second sent.
Summary
In this lesson, we have learnt:
- The six port states according to Nmap.
- TCP flags.
- TCP Connect scans, TCP SYN scans and UDP scans.
- How to fine-tune our scans.
- More Nmap commands:
  - TCP Connect scan: sudo nmap -sT <TARGET_IP>
  - TCP SYN scan: sudo nmap -sS <TARGET_IP>
  - UDP scan: sudo nmap -sU <TARGET_IP>
  - Scan all ports: -p-
  - Scan ports 1 to 1023: -p1-1023
  - Scan the 100 most common ports: -F
  - Scan ports in consecutive order: -r
  - Set the scan speed: -T<NUMBER>
  - Set the packet max rate to 50: --max-rate 50
  - Set the packet min rate to 10: --min-rate 10
Stats
From 108,791st to 104,610th. Sitting right now in the Top 5%.
Here is also the Skill Matrix:
Resources
Module: Nmap
TryHackMe: Nmap Basic Port Scans