We have just covered Nmap Basic Port Scans, including TCP flags and TCP 3-way handshake. Time for Nmap Advanced Port Scans 🙂
Let’s scan what we can learn today in our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What I have learnt today?
- Stats
- Resources
Introduction to Nmap Advanced scans
We have just covered Nmap Basic Port Scans, including TCP flags and TCP 3-way handshake. If we remember, to initiate a connection TCP requires the first packet to have the SYN flag set. This way we can tell if a TCP port is open or closed based on its response.
An ACK flag is set when we want to ACKnowledge received data, and an ACK scan tries to acknowledge data that was neither sent nor received. It is like somebody coming out of nowhere and telling you “Yes, please, continue!” when you haven’t said a word.
Some scans are useful in one context while meaningless in others. Let’s see advanced types of scans and scan options. We are going to see the following types of port scans:
- Null Scan
- FIN Scan
- Xmas Scan
- Maimon Scan
- ACK Scan
- Window Scan
- Custom Scan
And also:
- Spoofing IP
- Spoofing MAC
- Decoy Scan
- Fragmented Packets
- Idle/Zombie Scan
In the previous lesson we learnt about:
- TCP connect port scan
- TCP SYN port scan
- UDP port scan
This is the third of the four Nmap lessons.
What I have learnt today?
TCP Null Scan, FIN Scan and Xmas Scan
Let’s start with the following types of scans:
- Null Scan
- FIN Scan
- Xmas Scan
Null Scan
The null scan, as its name suggests, does not set any flag: all six flag bits are set to zero. A TCP packet with no flags set will not trigger any response when it reaches an open port, while an RST packet means that the target’s port is closed. A lack of reply, then, indicates that either the port is open or a firewall is blocking the packet.
We can select this option with the flag -sN:
Because we get either an RST if the port is closed or no answer if it is open or filtered, we have no idea whether the port is available or behind a firewall.
Many Nmap options require root privileges, -sN being one of them, hence the sudo.
FIN Scan
Like the Null Scan, a FIN scan sends a packet with only the FIN flag set, and either gets no response if the port is open or blocked by a firewall, or an RST if the port is closed.
We can make this type of scan with the -sF option, getting a similar result to the Null Scan:
Xmas Scan
The Xmas Scan, named after Christmas tree lights, sets the FIN, PSH and URG flags at the same time. Like the Null and FIN scans, an RST packet received means that the port is closed, and if it is open or blocked by a firewall, it gets reported as open|filtered.
We can make this type of scan with the -sX option, getting a similar result to that of the Null and FIN scans:
Remember when we said that an ACK scan would be like somebody telling you “Please, continue!” when no conversation was started?
These three scan types are the ones we should use when scanning a target behind a stateless firewall. A stateless firewall checks whether the incoming packet has the SYN flag set to detect a connection attempt, so using one of these three flag combinations (sometimes…) lets you fool the firewall and reach the system behind it.
A stateful firewall will block these scans, though, rendering this kind of scan worthless.
TCP Maimon Scan
In this scan, the FIN and ACK bits are set, and the target should send an RST packet as a response. This scan won’t work on most modern networks: the RST packet will be sent back to us regardless of whether the TCP port is open or not.
This scan is almost worthless nowadays, but it is important to know, as it may come in handy sometimes. To use it, use the -sM flag.
TCP ACK, Window and Custom Scan
TCP ACK Scan
As the name implies, the ACK flag will be set, and the target will respond with an RST regardless of the state of the port. This happens because a TCP packet with the ACK flag set is normally sent in response to a received TCP packet, to acknowledge some data.
Using the -sA option, we scanned the target and, as usual, we can’t learn which ports are open:
Useless without a firewall in between, this scan can help us learn which ports are not blocked by the firewall, helping us discover its rulesets and configuration.
Now, let’s try the same scan but now the target is behind a firewall:
Now we know that there are three ports that aren’t blocked by the firewall.
Window Scan
The TCP Window scan is almost like the ACK scan, but it examines the RST packet returned, as this sometimes may reveal that the port is open.
Launching a TCP Window scan against a target without a firewall doesn’t yield much information, like the ACK scan:
Let’s see what happens against a server behind a firewall:
We get the same result as with the ACK scan (but here the ports are shown as closed instead of unfiltered). The firewall isn’t blocking them.
Custom Scan
If you want to experiment with new TCP flag combinations, you can do so with --scanflags. For example, to set the SYN, RST and FIN flags at the same time, use --scanflags RSTSYNFIN.
On a final note, ACK and Window scans are efficient at helping us map the firewall rules, but just because a firewall is not blocking a specific port doesn’t mean that there is a service listening on that port.
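As an added example (not code from the lesson or from Nmap itself), here is a small Python model of what the Null, FIN, Xmas, Maimon, ACK, Window and --scanflags sections above describe: how the flag names map to TCP header bits and how each kind of reply is turned into a port state. The flag bit values are those of the TCP header; treating an ICMP unreachable reply as "filtered" is Nmap's documented behaviour rather than something the lesson covers, and name_probe is a hypothetical helper for spotting these probes in sensor logs.

```python
from typing import Optional

# TCP flag bits as laid out in the TCP header flags byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_scanflags(spec: str) -> int:
    """Turn a --scanflags value such as 'RSTSYNFIN' into a flags byte."""
    bits, rest = 0, spec.upper()
    while rest:
        for name, bit in TCP_FLAGS.items():
            if rest.startswith(name):
                bits |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown TCP flag in {spec!r}: {rest}")
    return bits


# Flag combination each scan type sends, as described in the lesson.
SCAN_PROBES = {
    "null": 0, "fin": parse_scanflags("FIN"), "xmas": parse_scanflags("FINPSHURG"),
    "maimon": parse_scanflags("FINACK"), "ack": parse_scanflags("ACK"),
    "window": parse_scanflags("ACK"),
}


def name_probe(flags: int) -> Optional[str]:
    """Name the scan whose probe carries exactly these flags, or None.
    ACK-only probes look like ordinary traffic, so they are not named."""
    for scan in ("null", "fin", "xmas", "maimon"):
        if flags == SCAN_PROBES[scan]:
            return scan
    return None


def port_state(scan: str, response: Optional[str], window: int = 0) -> str:
    """State reported for one probe: response is 'RST', 'ICMP' (an ICMP
    unreachable from a firewall) or None; window is the RST's window field."""
    if scan in ("null", "fin", "xmas", "maimon"):
        if response is None:
            return "open|filtered"  # open port, or a firewall dropped the probe
        return "closed" if response == "RST" else "filtered"
    if scan == "ack":
        return "unfiltered" if response == "RST" else "filtered"
    if scan == "window":
        if response != "RST":
            return "filtered"
        return "open" if window > 0 else "closed"
    raise ValueError(f"unknown scan type {scan!r}")
```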
Spoofing and Decoys
If we can capture the response, we can use a spoofed IP and even a spoofed MAC address. The command to do so is nmap -S <SPOOFED_IP> <TARGET_IP>. Nmap will then craft all the packets using the provided spoofed IP as their source, so the results of the scan are sent to the spoofed address.
As you see in the image, the attacker sends a packet with a spoofed IP to the target machine, which replies to the spoofed IP address as the destination. The attacker has to capture the replies arriving at the spoofed IP machine.
If we are on the same subnet as the target machine, we can spoof our MAC address with --spoof-mac <SPOOFED_MAC>. Both attacker and target have to be on the same network or WiFi.
If we want to be extra cheeky, we can use decoys: extra addresses to fool the target’s defenses, making it harder to pinpoint who the attacker is:
To perform this attack, we use the command nmap -D <DECOY_1>,<DECOY_2>,ME <TARGET_IP>. We use ME to indicate our own IP address, in the third position in this case. If that wasn’t enough, we can be even more cheeky with nmap -D <DECOY_1>,<DECOY_2>,ME,RND,RND <TARGET_IP>. Each RND will create a random IP address each time we run this command.
Fragmented packets
Firewall
A firewall either blocks all traffic with exceptions or allows all traffic with exceptions. A traditional firewall inspects the IP header and the transport layer header, while a more modern firewall examines also the data carried.
IDS
An Intrusion Detection System (IDS) inspects network packets for select behavioural patterns or specific content signatures, raising an alert when a rule for malicious traffic matches. An IDS inspects the IP header, the transport layer header and the data contents in the transport layer.
How can we dodge both firewalls and IDS? Good question. Sometimes, sending smaller packets in your Nmap scans helps.
Fragmented packets
We can fragment packets with the option -f to divide the IP data into fragments of 8 bytes or less, and the -ff option divides the data into 16-byte fragments instead of 8.
To understand how this works, look at the IP header:
Look how each data row comprises 4 bytes. By using -f or -ff, we can make the packets smaller.
Idle/Zombie scan
Spoofing the source IP can be a great approach, but it only works if you can monitor the traffic.
An idle or zombie scan requires an idle system connected to the same network, and Nmap will pretend to be performing the scan from the idle system with nmap -sI <ZOMBIE_IP> <TARGET_IP>.
Let’s probe an idle machine, for example, a printer:
After setting up a connection, the packets will use the idle host’s IP address as the source.
Getting more information
By adding the --reason option, Nmap will provide more details (check the extra column Reason):
If we want a more detailed output in a general sense, we can use -v for verbose output, or -vv for even more verbosity.
We can also use -d for debugging details, or -dd for even more details.
Summary
In this lesson, we have covered the following:
- TCP Null scan, FIN scan and Xmas scan.
- TCP Maimon scan.
- TCP ACK, Window and Custom scan.
- How to spoof IP and MAC addresses.
- Using decoys.
- How to fragment packets to dodge firewall rules.
- Idle scans.
- How to get more details in our scans.
Stats
From 101.667th to 98.761th. Now in the top 100.000!
Here is also the Skill Matrix:
Resources
Module: Nmap
TryHackMe: Nmap Advanced Port Scans