
NMAP Scanning Options

NMAP

Nmap is the most popular scanning tool used on the Internet. Created by Fyodor (http://www.insecure.org), it was featured in the movie The Matrix Reloaded.

EC-Council

SYN Scanning

SYN scanning is a technique that is widely used across the Internet today. The SYN scan, also called the "half open" scan, determines a port's state without making a full connection to the host. Many systems do not log the attempt and discard it as a communications error; stateful firewalls and intrusion detection systems, however, do record half-open probes, so the scan is stealthy only against hosts that log completed connections. You must first learn the 3-way handshake to understand the SYN scan.


TCP Communication Flags


Standard TCP communications are controlled by flags in the TCP packet header. The flags are as follows:

• Synchronize - also called "SYN"
  - Used to initiate a connection between hosts.

• Acknowledgement - also called "ACK"
  - Used in establishing a connection between hosts.

• Push - "PSH"
  - Instructs the receiving system to send all buffered data immediately.

• Urgent - "URG"
  - States that the data contained in the packet should be processed immediately.

• Finish - also called "FIN"
  - Tells the remote system that there will be no more transmissions.

• Reset - also called "RST"
  - Used to reset (abort) a connection.


Three Way Handshake


Computer A                                   Computer B

192.168.1.2:2342 ------------syn-----------> 192.168.1.3:80
192.168.1.2:2342 <----------syn/ack--------- 192.168.1.3:80
192.168.1.2:2342 ------------ack-----------> 192.168.1.3:80
Connection Established


Computer A (192.168.1.2) initiates a connection to the server (192.168.1.3) via a packet with only the SYN flag set. The server replies with a packet with both the SYN and the ACK flags set.

For the final step, the client responds back to the server with a single ACK packet. Only after this third packet does the server's application see an established connection.

Stealth Scan

Computer A                                   Computer B

192.168.1.2:2342 ------------syn-----------> 192.168.1.3:80
192.168.1.2:2342 <----------syn/ack--------- 192.168.1.3:80
192.168.1.2:2342 ------------RST-----------> 192.168.1.3:80


The client sends a single SYN packet to the server on the chosen port. If the port is open, the server responds with a SYN/ACK packet. If the server responds with an RST packet, the remote port is in state "closed". On a SYN/ACK the client sends an RST packet to abort the initiation before a connection can ever be established, so the server application never sees a completed connection. If no reply arrives (or an ICMP unreachable error comes back), Nmap reports the port as "filtered". This scan is also known as a "half-open" scan.


Xmas Scan

Computer A                                        Computer B

Xmas scan directed at open port:
192.5.5.92:4031 -----------FIN/URG/PSH-----------> 192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23

Xmas scan directed at closed port:
192.5.5.92:4031 -----------FIN/URG/PSH-----------> 192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK------------- 192.5.5.110:23


Note: The Xmas scan relies on RFC 793 behaviour: a closed port answers any segment that lacks RST with an RST, while an open port silently discards a segment that carries none of SYN, RST or ACK. It will not work against any current version of Microsoft Windows (nor against many Cisco devices and some other non-compliant stacks), which answer with RST whether the port is open or closed. Xmas scans directed at any Microsoft system will therefore show all ports on the host as being closed. Even on a compliant stack, silence means "open or filtered", not definitely open.


FIN Scan

Computer A                                        Computer B

FIN scan directed at open port:
192.5.5.92:4031 --------------FIN----------------> 192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23

FIN scan directed at closed port:
192.5.5.92:4031 --------------FIN----------------> 192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK------------- 192.5.5.110:23


Note: Like the Xmas scan, the FIN scan only works if the OS's TCP/IP implementation follows RFC 793 (closed port answers with RST, open port stays silent). The FIN scan will not work against any current version of Microsoft Windows, which replies with RST regardless of port state. FIN scans directed at any Microsoft system will show all ports on the host as being closed.


NULL Scan

Computer A                                        Computer B

NULL scan directed at open port:
192.5.5.92:4031 -----------NO FLAGS SET----------> 192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23

NULL scan directed at closed port:
192.5.5.92:4031 -----------NO FLAGS SET----------> 192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK------------- 192.5.5.110:23

Note: Like the Xmas and FIN scans, the NULL scan only works if the OS's TCP/IP implementation follows RFC 793. The NULL scan will not work against any current version of Microsoft Windows, which replies with RST regardless of port state. NULL scans directed at any Microsoft system will show all ports on the host as being closed. Because all three scans send a segment with no SYN, a stack that cannot tell them apart from a closed-port probe gives the same result for every port, which is why the three notes are identical.
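The exchanges on the handshake, stealth (SYN), Xmas, FIN and NULL slides above, as an added Python simulation that is not part of the EC-Council slides: a target answers probes either like an RFC 793 stack or like the Windows-style stack the notes describe (RST to every non-SYN probe), and the scanner classifies each reply the way Nmap reports it. The two target models, the port numbers and the names Target, scan_port and scan_table are assumptions for illustration; nothing is sent on the wire.

```python
"""Port-state classification for SYN / FIN / Xmas / NULL probes.

Added example, not code from the slides. Two target models are assumed:
an RFC 793 stack and a Windows-style stack. Nothing is sent on the wire.
"""
from dataclasses import dataclass

# TCP flag bits, as laid out in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type puts in its probe
PROBES = {"syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0}


def flag_names(flags):
    """Render a flags value the way the slides label packets, e.g. FIN/PSH/URG."""
    order = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]
    return "/".join(name for bit, name in order if flags & bit) or "NO FLAGS"


@dataclass
class Target:
    """A host with a set of listening TCP ports (assumed values for the example).

    rfc793=True  : a closed port answers with RST/ACK; an open port silently drops
                   a segment carrying none of SYN, ACK or RST (FIN/Xmas/NULL probes).
    rfc793=False : Windows-style stack that answers every non-SYN probe with RST/ACK,
                   so FIN/Xmas/NULL probes make every port look closed.
    """
    open_ports: set
    rfc793: bool = True

    def reply(self, port, flags):
        """Flags of the reply segment, or None when the target stays silent."""
        if flags & RST:
            return None                 # an unsolicited RST is ignored
        if port not in self.open_ports:
            return RST | ACK            # closed port: always RST/ACK
        if flags & ACK:
            return RST                  # unsolicited (SYN/)ACK at a listener: RST
        if flags & SYN:
            return SYN | ACK            # step 2 of the handshake
        return None if self.rfc793 else RST | ACK


def classify(scan, reply):
    """Map a reply (or silence) to the port state Nmap would report."""
    if scan == "syn":
        if reply is not None and reply & SYN and reply & ACK:
            return "open"
        if reply is not None and reply & RST:
            return "closed"
        return "filtered"               # no answer: something dropped the probe
    # FIN / Xmas / NULL: silence is ambiguous (open or filtered), RST means closed
    if reply is None:
        return "open|filtered"
    return "closed" if reply & RST else "unexpected"


def scan_port(target, port, scan):
    """One probe/reply exchange. After a SYN/ACK the scanner sends RST instead of
    the final ACK, so the connection is never completed (the "half-open" scan)."""
    reply = target.reply(port, PROBES[scan])
    if scan == "syn" and reply == SYN | ACK:
        target.reply(port, RST)         # tear down before the handshake completes
    return classify(scan, reply)


def scan_table(target, ports, scans=("syn", "fin", "xmas", "null")):
    """Port state per (port, scan type), keyed by port."""
    return {p: {s: scan_port(target, p, s) for s in scans} for p in ports}


if __name__ == "__main__":
    for label, tgt in [("RFC 793 host", Target({22, 80})),
                       ("Windows-style host", Target({22, 80}, rfc793=False))]:
        print(label)
        for port, states in scan_table(tgt, [22, 23, 80]).items():
            print(f"  {port:>3}: " + ", ".join(f"{s}={st}" for s, st in states.items()))
```

Running it shows the point of the three notes: against the RFC 793 host the SYN scan separates open from closed while FIN/Xmas/NULL can only say "open|filtered" or "closed", and against the Windows-style host those three scans report every port closed while the SYN scan still works.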


IDLE Scan

In 1998, security researcher Antirez posted an innovative new TCP port scanning technique. Idle scan, as it has become known, allows for completely blind port scanning: attackers can scan a target without sending a single packet to the target from their own IP address.


IDLE Scan: Basics

Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on it; otherwise it is closed. One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and an "RST" (reset) packet if the port is closed. A machine that receives an unsolicited SYN|ACK packet will respond with an RST. An unsolicited RST will be ignored.

Every IP packet on the Internet has a "fragment identification" number (the IP ID field). Many operating systems simply increment this number for every packet they send, so probing for this number can tell an attacker how many packets the host has sent since the last probe. A usable zombie must therefore be both idle and running such a stack; Nmap's OS detection reports this as "IP ID Sequence Generation: Incremental", while stacks that randomize the IP ID or keep a separate counter per destination cannot be used.


IDLE Scan: Step 1

Choose a "zombie" and probe for its current IPID number.


IDLE Scan: Step 2

Send a forged SYN packet "from" the zombie to the target.


IDLE Scan: Step 3

Probe the zombie's IPID again.
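The three steps above carried through as an added Python walk-through (not code from the slides or from Nmap). It assumes a zombie whose stack assigns IP IDs sequentially and sends nothing on its own, and a target that answers a SYN with SYN/ACK or RST; the class names Zombie and Target, the IP ID start value and the noise parameter are illustration choices. Nothing is transmitted.

```python
"""Idle (IPID) scan walk-through. Added example, not from the slides.

Assumes a zombie host whose IP stack assigns IP ID values sequentially and that
sends no other traffic, and a target that answers SYN with SYN/ACK (open) or RST
(closed). Nothing is sent on the wire.
"""
import itertools


class Zombie:
    """Idle host with a global incremental IP ID counter (one per packet sent)."""

    def __init__(self, first_ipid=1000):
        self._ipid = itertools.count(first_ipid)

    def _send(self):
        return next(self._ipid)             # every packet the zombie emits burns one IP ID

    def receive(self, flags):
        """Stack behaviour on an unsolicited segment (RFC 793)."""
        if flags == "SYN/ACK":
            self._send()                    # no such connection: reply with RST
        # an unsolicited RST is silently ignored, nothing is sent

    def probe_ipid(self):
        """Attacker sends SYN/ACK to the zombie and reads the IP ID of its RST reply."""
        return self._send()

    def background_traffic(self, packets):
        """Other hosts talking to the zombie: the failure mode an attacker must detect."""
        for _ in range(packets):
            self._send()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_spoofed_syn(self, port, zombie):
        """The SYN's source address is the zombie's, so the reply goes to the zombie,
        never to the attacker."""
        zombie.receive("SYN/ACK" if port in self.open_ports else "RST")


def idle_scan(zombie, target, port, noise=0):
    """Steps 1-3 from the slides; returns the inferred port state."""
    before = zombie.probe_ipid()                  # step 1: current IP ID
    target.receive_spoofed_syn(port, zombie)      # step 2: forged SYN "from" the zombie
    zombie.background_traffic(noise)              # unrelated packets, if the zombie is not idle
    after = zombie.probe_ipid()                   # step 3: probe again
    delta = after - before
    if delta == 2:
        return "open"               # zombie sent RST to the target, then RST to us
    if delta == 1:
        return "closed|filtered"    # only our own probe advanced the counter
    return "zombie not idle"        # counter jumped: result is not trustworthy


if __name__ == "__main__":
    z, t = Zombie(), Target({80})
    for port, noise in [(80, 0), (23, 0), (80, 4)]:
        print(port, "->", idle_scan(z, t, port, noise))
```

Two things the arithmetic makes visible: a filtered port and a closed port both leave a delta of 1, because in neither case does the zombie receive a SYN/ACK, so the attacker cannot tell them apart; and any other traffic at the zombie corrupts the count, which is why Nmap repeats the probe and why the zombie has to be truly idle.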


Fragmentation scanning

Instead o" Iust sending the probe pac+et! you brea+ it into a couple o" small IP "ragments. 'ou are splitting up the )CP header o%er se%eral pac+ets to ma+e it harder "or pac+et "ilters and so "orth to detect what you are doing. )he -" switch instructs the speci"ied &'N or FIN scan to use tiny "ragmented pac+ets.


ICMP echo scanning


This isn't really port scanning, since ICMP doesn't have a port abstraction. But it is sometimes useful to determine which hosts in a network are up by pinging them all:

nmap -sP cert.org/24 152.148.0.0/16

(-sP is the legacy spelling; current Nmap calls this host discovery and uses -sn.)


Scan Options


-sT  TCP connect scan
-sS  SYN scan
-sF  FIN scan
-sX  Xmas scan
-sN  NULL scan
-sP  Ping scan
-sU  UDP scan
-sO  IP protocol scan
-sI  Idle scan
-sA  ACK scan
-sW  Window scan
-sR  RPC scan
-sL  List/DNS scan

Ping Detection

-P0  don't ping
-PT  TCP ping
-PS  SYN ping
-PI  ICMP ping
-PB  = PT + PI (the default)
-PP  ICMP timestamp
-PM  ICMP netmask


Output Format

-oN  Normal
-oX  XML
-oG  Grepable
-oA  All three formats
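A parser for the grepable (-oG) format listed above, as an added Python example that is not part of the slides or of Nmap: one line per host, tab-separated "Name: value" columns, and a "Ports:" column whose entries are seven slash-separated fields (port/state/protocol/owner/service/rpc info/version/). The SAMPLE_OG text, its addresses and host names are constructed for the example; it assumes no field contains a slash.

```python
"""Parser for Nmap grepable output (-oG). Added example, not from the slides.

SAMPLE_OG is constructed for the example; the addresses and host names are made
up. Each "Ports:" entry has seven slash-separated fields and a trailing slash:
port/state/protocol/owner/service/rpc info/version/  (fields assumed slash-free).
"""

SAMPLE_OG = """\
# Nmap 4.20 scan initiated (constructed sample) as: nmap -sS -oG - 192.168.1.0/24
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 23/closed/tcp//telnet///\tIgnored State: filtered (997)
Host: 192.168.1.3 (mail.example.test)\tStatus: Up
Host: 192.168.1.3 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 110/open|filtered/tcp//pop3///\tIgnored State: closed (998)
# Nmap done (constructed sample) -- 256 IP addresses (2 hosts up) scanned
"""

FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_grepable(text):
    """Return {ip: {(port, proto): {state, service, version}}} from Host: lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # comment and summary lines
        columns = dict(col.split(": ", 1) for col in line.split("\t"))
        ip = columns["Host"].split()[0]               # drop the "(hostname)" part
        ports = hosts.setdefault(ip, {})              # keep hosts that only have Status
        for entry in filter(None, columns.get("Ports", "").split(", ")):
            rec = dict(zip(FIELDS, entry.split("/")))  # trailing slash yields an extra ''
            ports[(int(rec["port"]), rec["proto"])] = {
                "state": rec["state"],
                "service": rec["service"],
                "version": rec["version"],
            }
    return hosts


def ports_in_state(hosts, state):
    """{ip: [ports]} restricted to entries whose state matches exactly.

    Matching exactly matters: "open|filtered" (from FIN/Xmas/NULL/UDP scans)
    is not "open" and should not be reported as a confirmed listener.
    """
    out = {}
    for ip, ports in hosts.items():
        matched = sorted(p for (p, _), info in ports.items() if info["state"] == state)
        if matched:
            out[ip] = matched
    return out


if __name__ == "__main__":
    result = parse_grepable(SAMPLE_OG)
    for ip, ports in ports_in_state(result, "open").items():
        print(ip, "open:", ports)
    print("unresolved (open|filtered):", ports_in_state(result, "open|filtered"))
```

The same parser runs unchanged over a real `nmap -oG - <targets>` capture; the exact-state match in ports_in_state is the detail that keeps "open|filtered" results from an Xmas or UDP scan out of a list of confirmed open ports.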


Timing


-T Paranoid    serial scan, 300 sec wait between probes
-T Sneaky      serialized scans, 15 sec wait
-T Polite      serialized scans, 0.4 sec wait
-T Normal      parallel scan
-T Aggressive  parallel scan, 300 sec host timeout, 1.25 sec/probe
-T Insane      parallel scan, 75 sec host timeout, 0.3 sec/probe
(these are -T0 through -T5 respectively)

--host_timeout <ms>
--max_rtt_timeout <ms> (default 9000)
--min_rtt_timeout <ms>
--initial_rtt_timeout <ms> (default 6000)
--max_parallelism <n>
--scan_delay <ms> (between probes)

--resume <logfilename>  resume an aborted scan
--append_output
-iL <targets_filename>
-p <port ranges>
-F  Fast scan mode
-D <decoy1 [,decoy2][,ME],...>
-S <SRC_IP_Address>
-e <interface>
-g <portnumber>  source port
--data_length <number>
--randomize_hosts
-O  OS fingerprinting
-I  Identscan
-f  fragmentation
-v  verbose
-h  help
-n  no reverse lookup
-R  do reverse lookup
-r  don't randomize port scan order
-b <ftp relay host>  FTP bounce

These are the option names of the Nmap 2.x/3.x era. Current Nmap accepts the underscore forms above but documents hyphens (--host-timeout, --max-rtt-timeout, and so on), renames -sP to -sn, -P0 to -Pn, -PT to -PA and -PI to -PE, and has removed -sR and -I (RPC detection is part of -sV).

