Day 044 #FromZeroToHacker – Nmap Advanced Port Scans

We have just covered Nmap Basic Port Scans, including TCP flags and TCP 3-way handshake. Time for Nmap Advanced Port Scans 🙂

Let’s scan what we can learn today in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What I have learnt today?
Stats
Resources

Introduction to Nmap Advanced scans

As covered in Nmap Basic Port Scans, TCP requires the first packet of a connection to have the SYN flag set, and the reply to a SYN probe (SYN/ACK or RST) tells us whether a TCP port is open or closed.

The ACK flag is set to ACKnowledge received data, so an ACK scan tries to acknowledge data that was neither sent nor received. It is like somebody coming out of nowhere and telling you “Yes, please, continue!” when you haven’t said a word.

Some scans are useful in one context while meaningless in others. Let’s see advanced types of scans and scan options. We are going to see the following types of port scans:

  • Null Scan
  • FIN Scan
  • Xmas Scan
  • Maimon Scan
  • ACK Scan
  • Window Scan
  • Custom Scan

And also:

  • Spoofing IP
  • Spoofing MAC
  • Decoy Scan
  • Fragmented Packets
  • Idle/Zombie Scan

The previous lesson covered the basic scan types:

  • TCP connect port scan
  • TCP SYN port scan
  • UDP port scan

This is the third of the four Nmap lessons:

  1. Nmap Live Host Discovery
  2. Nmap Basic Port Scans
  3. Nmap Advanced Port Scans
  4. Nmap Post Port Scans

What I have learnt today?

TCP Null Scan, FIN Scan and Xmas Scan

Let’s start with the following types of scans:

  • Null Scan
  • FIN Scan
  • Xmas Scan

Null Scan

The null scan, as its name says, does not set any flag: all six flag bits are zero. An open port silently drops a TCP packet with no flags set, while a closed port answers with an RST. A lack of reply therefore means either that the port is open or that a firewall dropped the probe, which Nmap reports as open|filtered.

Nmap sn scan steps open
Nmap sn scan steps closed

We can select this option with the flag -sN:

Nmap sn scan

Because we get an RST only when the port is closed and no answer at all when it is open or filtered, an open|filtered result cannot tell us whether a service is listening or a firewall swallowed the probe.

Many Nmap options require root privileges, -sN being one of them, hence the sudo.

FIN Scan

Like the null scan, a FIN scan sends a packet with only the FIN flag set and either gets no response (port open, or blocked by a firewall) or an RST (port closed).

Nmap sf scan steps open
Nmap sf scan steps closed

We can make this type of scan with the -sF option, getting a similar result when using the Null Scan option:

Nmap sf scan

Xmas Scan

The Xmas scan, named after Christmas tree lights because several flags are lit at once, sets the FIN, PSH and URG flags at the same time. Like the null and FIN scans, an RST means that the port is closed, while no reply (open, or blocked by a firewall) is reported as open|filtered.

Nmap sx scan steps open
Nmap sx scan steps closed

We can make this type of scan with the -sX option, getting a similar result to that of the null and FIN scans:

Nmap sx scan

These three scan types are the ones to use when the target sits behind a stateless firewall. A stateless firewall judges every packet on its own, and a typical rule blocks new connections by dropping inbound packets that have the SYN flag set. Null, FIN and Xmas probes carry no SYN, so such a rule (sometimes…) lets them through to the host behind it.

A stateful firewall, on the other hand, tracks connections and drops any packet that does not belong to an established session, so these probes never reach the host: every port comes back open|filtered and the scan is worthless.

TCP Maimon Scan

In this scan the FIN and ACK bits are set. According to RFC 793 the target should answer with an RST whether the port is open or closed, so against most modern networks the scan learns nothing. It only works against some BSD-derived systems that drop the probe when the port is open; there, no response means open|filtered and an RST means closed.

Nmap sm scan steps open
Nmap sm scan

Nowadays this scan is almost worthless, but it is worth knowing as it may still come in handy. To use it, pass the -sM flag.

TCP ACK, Window and Custom Scan

TCP ACK Scan

As the name implies, only the ACK flag is set, and the target responds with an RST regardless of the state of the port. An ACK is only meaningful as the acknowledgement of data already received, so an ACK that belongs to no existing connection is answered with a reset whether a service is listening or not.

Nmap sa scan steps open

Using the -sA option, we scanned the target and as usual we can’t learn which ports are open:

Nmap sa scan

Useless when there is no firewall, this scan helps us learn which ports the firewall lets through: ports that answer with an RST are reported as unfiltered, and ports with no reply (or an ICMP unreachable error) as filtered, which maps the firewall’s ruleset.

Now, let’s try the same scan but now the target is behind a firewall:

Nmap sa scan firewall

Now we know that there are three ports that aren’t blocked by the firewall.

Window Scan

The TCP window scan is almost like the ACK scan, but it also examines the TCP window field of the RST packet returned: on some systems the RST carries a positive window size when the port is open and a zero window when it is closed, so the scan can sometimes tell open from closed.

Nmap sw scan steps

Launching a TCP window scan against a target without a firewall doesn’t yield too much information, like the ACK scan:

Nmap sw scan

Let’s see what happens against a server behind a firewall:

Nmap sw scan firewall

We get the same picture as with the ACK scan, but here the three ports are reported as closed instead of unfiltered: their RSTs came back with a zero window, so Nmap reports them as closed. Either way, the firewall isn’t blocking them.

Custom Scan

If you want to experiment with other TCP flag combinations, you can do so with --scanflags. For example, to set the SYN, RST and FIN flags at the same time, use --scanflags RSTSYNFIN (the flag names can be given in any order, and a numeric value is also accepted). Nmap interprets the replies according to the base scan type you combine it with: SYN scan by default, or -sA / -sF for ACK-style or FIN-style interpretation.

On a final note, the ACK and window scans are efficient at helping us map the firewall rules, but a port that the firewall is not blocking is not necessarily a port with a service listening on it.
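As an added example (not from the original page, and not Nmap’s own code), here is a stdlib-only Python script that builds the flag byte each of the scans above puts on the wire, parses --scanflags strings such as RSTSYNFIN, models the stateless “drop SYN” rule that null, FIN and Xmas probes slip past, and maps replies to Nmap’s port states for the null/FIN/Xmas, Maimon, ACK and window scans. Ports, flags and replies are constructed sample values and nothing is sent.

```python
"""Flag bytes, --scanflags parsing and reply classification for Nmap's
advanced TCP scans. Added example, not Nmap's code; nothing is sent."""
import struct

# Bit values of the 8-bit TCP flags field (RFC 793 plus the ECN bits).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# The probe each scan option sends, written in --scanflags syntax.
SCAN_PROBES = {"-sN": "", "-sF": "FIN", "-sX": "FINPSHURG",
               "-sM": "FINACK", "-sA": "ACK", "-sW": "ACK"}


def parse_scanflags(spec):
    """Turn an Nmap --scanflags value ('RSTSYNFIN', or a number such as 9)
    into a flag byte. Names are three letters each and are simply joined."""
    spec = spec.strip().upper()
    if spec.isdigit():
        return int(spec) & 0xFF
    value = 0
    for pos in range(0, len(spec), 3):
        name = spec[pos:pos + 3]
        if name not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        value |= FLAG_BITS[name]
    return value


def flag_names(value):
    """Human-readable names of the bits set in a flag byte."""
    return [name for name, bit in FLAG_BITS.items() if value & bit]


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header with no options. The checksum is left as
    zero because it depends on the IP pseudo-header, which we do not build."""
    data_offset = 5 << 4            # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def stateless_drops(flags):
    """Model a common stateless firewall rule: drop inbound packets that open
    a connection (SYN set, ACK clear). Returns True if the probe is dropped."""
    return bool(flags & FLAG_BITS["SYN"]) and not (flags & FLAG_BITS["ACK"])


def classify(scan, reply, rst_window=None):
    """Port state Nmap reports for a probe of type `scan`. `reply` is None
    (no answer), 'RST', or 'ICMP' (an ICMP unreachable error). For -sW the
    TCP window carried by the RST decides between open and closed."""
    if scan in ("-sN", "-sF", "-sX", "-sM"):
        if reply is None:
            return "open|filtered"  # open ports and firewalls both stay silent
        if reply == "RST":
            return "closed"
        if reply == "ICMP":
            return "filtered"
    elif scan == "-sA":
        if reply == "RST":
            return "unfiltered"     # the probe reached the host
        if reply in (None, "ICMP"):
            return "filtered"
    elif scan == "-sW":
        if reply == "RST":
            return "open" if rst_window else "closed"
        if reply in (None, "ICMP"):
            return "filtered"
    else:
        raise ValueError(f"unsupported scan type {scan!r}")
    raise ValueError(f"unexpected reply {reply!r} for {scan}")


if __name__ == "__main__":
    for opt, spec in SCAN_PROBES.items():
        flags = parse_scanflags(spec)
        header = build_tcp_header(40000, 80, flags)   # sample ports
        print(f"{opt}: flags=0x{header[13]:02x} {flag_names(flags)} "
              f"dropped by stateless SYN filter: {stateless_drops(flags)}")
    print("custom RSTSYNFIN ->", flag_names(parse_scanflags("RSTSYNFIN")))
```

The flags byte sits at offset 13 of the TCP header, which is what the `header[13]` check reads back; a SYN probe is the only one of the six that the modelled stateless rule drops, which is the whole reason these scan types exist.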

Spoofing and Decoys

If we can capture the response, we can scan with a spoofed source IP address and even a spoofed MAC address. The command is nmap -S <SPOOFED_IP> <TARGET_IP>; Nmap then crafts every packet with the spoofed address as its source, so the target sends its replies there instead of to us. Because Nmap can no longer work out the route by itself, you usually have to add -e <INTERFACE> to choose the interface and -Pn to skip host discovery.

nmap spoofed IP

As you see in the image, the attacker sends a packet with a spoofed source IP to the target machine, which replies to the spoofed address. The attacker then has to capture the replies arriving at the machine that owns that IP (or sniff them on the way), otherwise the results of the scan are lost.

If we are on the same subnet as the target machine, we can spoof our MAC address with --spoof-mac <SPOOFED_MAC>; the option also accepts a vendor name, or 0 for a random address. MAC addresses only exist inside a Layer 2 segment, so attacker and target have to be on the same network or WiFi.

If we want to be extra cheeky, we can use decoys: extra source addresses mixed in with our own, so the target sees the same scan coming from several hosts and it is harder to pinpoint who the attacker is:

nmap decoy

To perform this, we use nmap -D <DECOY_1>,<DECOY_2>,ME <TARGET_IP>. ME marks the position of our real address in the list (third in this case); if it is left out, Nmap puts us in a random position. If that wasn’t enough, nmap -D <DECOY_1>,<DECOY_2>,ME,RND,RND <TARGET_IP> adds more: each RND generates a random, non-reserved IP address every time the command runs. Decoys hide us in a crowd but do not make us invisible, since the target’s logs still contain our real address among the others, and the decoy hosts should be up, otherwise the target can end up SYN flooded with connection attempts nobody answers.

Fragmented packets

Firewall

A firewall either blocks all traffic with exceptions or allows all traffic with exceptions. A traditional firewall inspects the IP header and the transport layer header, while a more modern firewall examines also the data carried.

IDS

An Intrusion Detection System (IDS) inspects network packets for selected behavioural patterns or specific content signatures, raising an alert when a rule matches. An IDS inspects the IP header, the transport layer header and the data carried in the transport layer.

How can we dodge both firewalls and IDS? Good question. Sometimes, sending smaller packets in your Nmap scans helps.

Fragmented packets

We can fragment packets with the option -f, which splits the transport-layer data (for a port scan, the TCP header) into IP fragments of 8 bytes or less; the -ff option uses 16-byte fragments instead, and --mtu lets you pick any multiple of 8. The idea is that a filter or IDS which only inspects the first fragment never sees the whole TCP header. Be aware that some sending kernels reassemble outgoing fragments before they leave the host (Linux with the iptables connection tracking module, for instance), and that many firewalls reassemble on the way in.

To understand how this works, look at the IP header:

IP Header

Each row of the diagram is 32 bits, that is 4 bytes. The 20-byte TCP header that follows the IP header is what gets split: with -f it travels as three IP fragments of 8, 8 and 4 bytes, with -ff as two fragments of 16 and 4 bytes, each fragment carrying its own IP header.
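An added example (not from the page, and not Nmap’s code) of what -f and -ff do to a probe: it splits a constructed 20-byte TCP header into IP fragments with their offsets and more-fragments bits, reassembles them the way the receiving stack does, and shows which TCP fields a filter that only looks at the first fragment can still read. The ports and flags are sample values; nothing is sent.

```python
"""IP fragmentation of a TCP probe as done by nmap -f / -ff.
Added example, not Nmap's code; stdlib only, nothing is sent."""
import struct


def tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Minimal 20-byte TCP header, no options, checksum left zero."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       5 << 4, flags, window, 0, 0)


def fragment(payload, fragsize):
    """Split transport-layer bytes into IP fragments of `fragsize` bytes.
    IP fragment offsets count 8-byte units, so fragsize must be a multiple
    of 8 (-f uses 8, -ff uses 16, --mtu lets you choose).
    Returns a list of (offset_in_8_byte_units, more_fragments, chunk)."""
    if fragsize <= 0 or fragsize % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(payload), fragsize):
        chunk = payload[start:start + fragsize]
        more = start + fragsize < len(payload)   # MF bit: more fragments follow
        frags.append((start // 8, more, chunk))
    return frags


def reassemble(frags):
    """What the receiving host's IP stack does: order by offset and join."""
    return b"".join(chunk for _, _, chunk in sorted(frags, key=lambda f: f[0]))


def first_fragment_view(frags):
    """TCP fields a filter that inspects only the first fragment can recover.
    Ports live in bytes 0-3 of the TCP header and the flags in byte 13, so an
    8-byte first fragment reveals the ports but not which scan this is."""
    first = frags[0][2]
    view = {}
    if len(first) >= 4:
        view["src_port"], view["dst_port"] = struct.unpack("!HH", first[:4])
    if len(first) >= 14:
        view["flags"] = first[13]
    return view


if __name__ == "__main__":
    probe = tcp_header(40000, 80, 0x02)          # sample SYN probe to port 80
    for option, size in (("-f", 8), ("-ff", 16)):
        frags = fragment(probe, size)
        print(option, [(off, more, len(chunk)) for off, more, chunk in frags],
              "first-fragment view:", first_fragment_view(frags))
    assert reassemble(fragment(probe, 8)) == probe
```

With 8-byte fragments the first fragment ends at byte 7, so a filter that decides on the first fragment alone sees the ports but never the flags byte; reassembling before filtering is exactly the countermeasure that makes -f ineffective against modern firewalls.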

Idle/Zombie scan

Spoofing the source IP can be a great approach, but it only works if you can monitor the traffic.

An idle or zombie scan gets around that limitation. It requires an idle host (one that sends no traffic of its own and whose IP ID counter goes up by one for each packet it sends), and Nmap pretends to scan from that host with nmap -sI <ZOMBIE_IP> <TARGET_IP>. For each port, Nmap first probes the zombie to read its current IP ID, then sends a SYN to the target with the zombie’s address as the source, and finally probes the zombie again. If the target port was open, it sent a SYN/ACK to the zombie, the zombie answered with an RST and so consumed an IP ID, and the counter has advanced by 2; if the port was closed or filtered, the zombie sent nothing extra and the counter has advanced by 1. From the target’s point of view the scan is completely blind: its logs only show the zombie.

Let’s probe an idle machine, for example, a printer:

Idle probing

Once the zombie’s IP ID has been read, the SYN sent to the target uses the idle host’s IP address as the source.
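The exchange described above, as an added, self-contained model (not Nmap’s code and not from the original page): the zombie is an object whose IP ID counter increments on every packet it emits, the target answers SYNs according to a constructed set of open and filtered ports, and the scanner infers the port state from the IP ID delta. A `extra_zombie_packets` parameter simulates a zombie that is not really idle, the classic way this scan goes wrong.

```python
"""Idle (zombie) scan modelled end to end. Added example, not Nmap's code;
hosts, ports and IP IDs are constructed values, nothing is sent."""


class Zombie:
    """Idle host with a global, incremental IP ID counter (e.g. an old printer)."""

    def __init__(self, ip, ipid=1000):
        self.ip = ip
        self.ipid = ipid

    def send(self):
        """Every packet the zombie emits consumes one IP ID."""
        self.ipid += 1
        return self.ipid

    def receive(self, kind):
        """An unsolicited SYN/ACK is answered with an RST (one IP ID used);
        an unsolicited RST, or nothing at all, gets no reply."""
        if kind == "SYN/ACK":
            return ("RST", self.send())
        return None


class Target:
    """Target host: open ports answer SYN/ACK, closed ones RST, filtered ones nothing."""

    def __init__(self, open_ports=(), filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port):
        if port in self.filtered_ports:
            return None
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan_port(zombie, target, port, extra_zombie_packets=0):
    """One -sI probe of `port`. Returns the state inferred from the IP ID delta.
    extra_zombie_packets models traffic the zombie sends on its own meanwhile."""
    # Step 1: probe the zombie with a SYN/ACK; its RST reveals the current IP ID.
    _, ipid_before = zombie.receive("SYN/ACK")
    # Step 2: SYN to the target, source address forged as the zombie's. The
    # target's reply (if any) goes to the zombie, never to us.
    zombie.receive(target.receive_syn(port))
    for _ in range(extra_zombie_packets):        # a zombie that is not idle
        zombie.send()
    # Step 3: probe the zombie again and compare the two IP IDs.
    _, ipid_after = zombie.receive("SYN/ACK")
    delta = ipid_after - ipid_before
    if delta == 2:
        return "open"             # zombie RST'ed the target's SYN/ACK
    if delta == 1:
        return "closed|filtered"  # zombie saw an RST (ignored) or nothing
    return "unknown"              # zombie not idle: other traffic moved the counter


def idle_scan(zombie, target, ports):
    """Scan several ports through the same zombie; returns {port: state}."""
    return {port: idle_scan_port(zombie, target, port) for port in ports}


if __name__ == "__main__":
    printer = Zombie("192.0.2.9")                    # constructed zombie address
    victim = Target(open_ports={22, 80}, filtered_ports={445})
    for port, state in idle_scan(printer, victim, [22, 80, 139, 445]).items():
        print(f"{port}/tcp {state}")
    print("noisy zombie:", idle_scan_port(printer, victim, 22, extra_zombie_packets=3))
```

Nmap reports the delta-1 case as closed|filtered for exactly the reason the model shows: the zombie stays silent both when the target sends it an RST and when the target sends nothing. A delta above 2 means the zombie is talking to someone else, which is why a busy host makes a useless zombie.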

Getting more information

By adding the --reason option, Nmap will provide more details (check the extra column Reason):

reason scan

If we want a more detailed output in a general sense, we can use -v for verbose output, or -vv for even more verbosity.

verbose option

We can also use -d for debugging details, or -dd for even more details.

Summary

In this lesson, we have covered the following:

  • TCP Null scan, FIN scan and Xmas scan.
  • TCP Maimon scan.
  • TCP ACK, Window and Custom scan.
  • How to spoof IP and MAC addresses.
  • Using decoys.
  • How to fragment packets to dodge firewall rules.
  • Idle scans.
  • How to get more details in our scans.

Stats

From 101.667th to 98.761st. Now in the top 100.000!

Here is also the Skill Matrix:

Skills matrix

Resources

Module: Nmap

TryHackMe: Nmap Advanced Port Scans

Other resources

Nmap Live Host Discovery

Nmap Basic Port Scans