Lab Access: https://tryhackme.com/room/nmap03
Security researchers and hackers examined the TCP flags, illustrated in the image below and explained in the preceding room, and began experimenting.
They wanted to know what would happen if they sent a TCP packet with one or more flags set that was not part of any ongoing TCP connection.
As a refresher from the prior room: the “ACK flag” is set when we wish to “acknowledge” received data, so sending it out of the blue is like acknowledging data that was never sent or received in the first place.
It is similar to someone approaching you out of nowhere and saying, “yeah, I hear you, please continue,” when you haven’t said anything.
[Question 1.1] Launch the AttackBox by using the Start AttackBox button and get ready to experiment with different types of Nmap scans against different virtual machines.
Answer: No answer is needed.
Null Scan — It does not set any flags; all six flag bits are set to zero.
- When a TCP packet arrives at an open port with no flags specified, no response is generated.
- A lack of response in a null scan suggests that either the port is open or a firewall is blocking the packet, according to Nmap.
Option to use: -sN
If the port is closed, we expect the target server to react with a RST response. As a result, we may use the lack of RST response to determine which ports are open or filtered.
An example of a null scan against a Linux server is shown below. The null scan we performed successfully discovered the six open ports on the target system.
Because the null scan relies on the lack of a response to infer that the port is not closed, it cannot guarantee that these ports are open; the ports may be silent because a firewall rule is dropping the probes.
FIN Scan — It transmits a TCP packet with only the “FIN” flag set. As with the null scan, no answer is sent back if the TCP port is open, so Nmap cannot tell whether the port is open or a firewall is blocking traffic to that port.
Just like with the “NULL Scan,” the target system will react with a “RST” if the port is closed, so we can determine which ports are closed and use that information to infer which ports are open or filtered.
- It’s beneficial to understand that some firewalls will ‘quietly’ drop traffic without sending a RST.
Option to use: -sF
The outcome is very similar to what we received earlier utilizing a “NULL Scan.”
Xmas Scan — This scan appears to be named after Christmas tree lights. Its probe sets the FIN, PSH, and URG flags simultaneously.
- If a RST packet is received, comparable to a “NULL” or “FIN” scan, it indicates that the port is closed; otherwise, it will be reported as “open|filtered.”
Option to use: -sX
The obtained results are very comparable to those of the “NULL” and “FIN” scans.
When scanning a target behind a stateless (non-stateful) firewall, these three scan modes can be very effective.
- To identify a connection attempt, a stateless firewall examines each incoming packet for the SYN flag.
- Using a flag combination that does not match a SYN packet lets the probe pass the firewall and reach the system behind it.
- A stateful firewall, on the other hand, will effectively block all such crafted packets, rendering this type of scan ineffective.
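To make the flag logic concrete, here is an added Python example (not code from the TryHackMe room or from Nmap) that decodes the six flag bits from a raw TCP header, recognises the null, FIN and Xmas probe patterns as an IDS sensor would, and applies the RST-means-closed, silence-means-open|filtered rule against a constructed target that behaves as RFC 793 describes. The stateless firewall model and the target host are assumptions built for the example; the header bytes are constructed inline and nothing is sent on a network.

```python
import struct

# The six TCP flag bits live in the low bits of the 16-bit "data offset / flags"
# word at TCP header bytes 12-13. Newer NS/ECE/CWR bits are masked off here.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Flag patterns of the three probes discussed above.
SCAN_FLAGS = {"null": 0, "fin": FIN, "xmas": FIN | PSH | URG}


def build_tcp_header(sport, dport, flags, window=1024):
    """Constructed 20-byte TCP header (no options, checksum left 0). It is only
    sample input for the parser; nothing here is transmitted."""
    offset_and_flags = (5 << 12) | (flags & 0x3F)  # data offset 5 words, then flag bits
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, window, 0, 0)


def parse_flags(tcp_header):
    """Return the six flag bits of a raw TCP header."""
    return struct.unpack("!H", tcp_header[12:14])[0] & 0x3F


def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def count_set_flags(flags):
    return bin(flags & 0x3F).count("1")


def identify_probe(tcp_header):
    """Name the scan type whose flag pattern a packet matches, or None. A sensor
    only sees these patterns on packets that belong to no existing connection."""
    flags = parse_flags(tcp_header)
    for name, pattern in SCAN_FLAGS.items():
        if flags == pattern:
            return name
    return None


def stateless_firewall_passes(tcp_header):
    """Assumed model of the stateless firewall described above: it recognises a
    connection attempt as SYN-without-ACK and lets everything else through."""
    flags = parse_flags(tcp_header)
    return not (flags & SYN and not flags & ACK)


def rfc793_target(port_open, probe_header):
    """Assumed model of the RFC 793 behaviour these scans rely on: a closed port
    answers any probe with RST; an open port silently drops a packet carrying
    none of SYN, RST or ACK, which is exactly what null, FIN and Xmas probes are."""
    sport, dport = struct.unpack("!HH", probe_header[:4])
    flags = parse_flags(probe_header)
    if not port_open:
        return build_tcp_header(dport, sport, RST | ACK, window=0)
    if not flags & (SYN | RST | ACK):
        return None
    if flags & SYN:
        return build_tcp_header(dport, sport, SYN | ACK)
    return build_tcp_header(dport, sport, RST)  # unexpected ACK on an open port


def interpret_response(response_header):
    """Nmap's rule for the three scans: RST means closed, silence means open|filtered."""
    if response_header is None:
        return "open|filtered"
    if parse_flags(response_header) & RST:
        return "closed"
    return "unexpected"


def scan(ports, scan_type, firewall=False):
    """Run one of the three scans against a constructed host. `ports` maps a port
    number to True (open) or False (closed); `firewall` puts the stateless
    firewall model in front of the host."""
    results = {}
    for port, is_open in ports.items():
        probe = build_tcp_header(40000, port, SCAN_FLAGS[scan_type])
        if firewall and not stateless_firewall_passes(probe):
            results[port] = "filtered"
            continue
        results[port] = interpret_response(rfc793_target(is_open, probe))
    return results


if __name__ == "__main__":
    host = {22: True, 23: False, 80: True}  # constructed target: two open ports, one closed
    for kind in SCAN_FLAGS:
        print(kind, "flags set:", count_set_flags(SCAN_FLAGS[kind]), scan(host, kind, firewall=True))
```

Running it shows the point of the section twice over: the three probes produce identical results (open|filtered for 22 and 80, closed for 23), and the stateless firewall model passes all of them because none carries a bare SYN, whereas a SYN probe through the same model is dropped.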
[Question 2.1] In a null scan, how many flags are set to 1?
Answer: 0
[Question 2.2] In a FIN scan, how many flags are set to 1?
Answer: 1
[Question 2.3] In a Xmas scan, how many flags are set to 1?
Answer: 3
[Question 2.4] Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use nmap to launch a FIN scan against the target VM. How many ports appear as open|filtered?
Answer: 7
[Question 2.5] Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered?
Answer: 7
Maimon Scan — When the “FIN” and “ACK” bits are set, the target should respond with an RST packet. However, many BSD-derived systems drop the packet if the port is open, exposing the open ports. This scan will not work on most targets encountered in modern networks.
But keep in mind that this is only for educational purposes.
Option to use: -sM
Regardless of whether the TCP port is open, most target machines react with an RST response.
- We won’t be able to find the open ports in this instance.
The diagram below illustrates the expected behavior for both open and closed TCP ports.
[Question 3.1] In the Maimon scan, how many flags are set?
- Because “FIN/ACK” are being delivered to the target machine
Answer: 2
TCP ACK Scan — An ACK scan transmits a TCP packet with the ACK flag set, and the target responds to the ACK with RST regardless of the port’s state.
This happens because a TCP packet with the ACK flag set should only be sent in response to a received TCP packet, to acknowledge the receipt of certain data, which is not the case here. As a result, in a simple setup, this scan will NOT tell us whether the target port is open.
Option to use: -sA
We were unable to determine which ports were open, as expected.
Even though the results are uninformative in general, this type of scan is useful if there is a firewall in front of the target, since it tells you which ports were not blocked by the firewall depending on which ACK packets resulted in answers.
- In other words, this form of scan is better suited for identifying firewall rule sets and configuration.
We ran the ACK scan after configuring the target VM with a firewall. We got some interesting results this time. We have three ports that are not being blocked by the firewall, as shown in the console output below. This implies that the firewall is blocking all other ports except these three.
Which leads to the question: “why” are these three ports so valuable that the firewall leaves them unblocked?
Window Scan — It is similar to the ACK scan, except that it examines the TCP Window field of the RST packets returned.
- On some systems, the value of that field can indicate that the port is open.
- Regardless of whether the port is open or closed, we expect to receive an RST message in response to our “uninvited” ACK packets.
Similarly, launching a TCP window scan against a Linux system with no firewall will not provide much information.
As we can see in the console output below, the results of the window scan against a Linux server with no firewall didn’t give any extra information compared to the ACK scan executed earlier.
However, we can expect more informative results if we run our TCP window scan against a server behind a firewall.
The TCP window scan indicated that three ports were detected as closed in the console output displayed below. (This differs from the ACK scan, which labeled the same three ports as unfiltered.)
Despite the fact that we know these three ports are not closed, we can see that they answered differently, demonstrating that the firewall does not block them.
Custom Scan — If you wish to try out a different TCP flag combination than the built-in TCP scan types, use --scanflags.
For example, if you wish to set SYN, RST, and FIN all at once, use --scanflags RSTSYNFIN. As indicated in the graphic below, if you design your own custom scan, you must understand how the various ports will react in order to accurately interpret the results in various settings.
Finally, it is critical to highlight that the ACK scan and the Window scan were really useful in assisting us in mapping out the firewall rules. It is important to realize, however, that just because a firewall does not block a certain port does not necessarily mean that a service is listening on that port.
For example, the firewall rules might not have been updated to reflect recent changes to the services. As a result, ACK and window scans expose the firewall rules rather than the services.
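The ACK, Window and custom-flag sections above all turn on two small pieces of logic: how a --scanflags string such as RSTSYNFIN maps onto the flag bits, and how the RST that comes back is read (any RST is "unfiltered" for an ACK scan, while the Window scan also reads the window field). The following is an added Python example, not code from the room or from Nmap, that implements both and runs them against a constructed host behind a firewall that only lets three ports through; `firewalled_host`, the port numbers and the window values are assumptions chosen to mirror the write-up's observations.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}


def parse_scanflags(spec):
    """Turn a --scanflags argument into the 6-bit flag value. Nmap accepts either
    concatenated flag names in any order (RSTSYNFIN) or a numeric value; both
    forms are handled here."""
    spec = spec.strip()
    if spec.isdigit() or spec.lower().startswith("0x"):
        return int(spec, 0) & 0x3F
    flags, rest = 0, spec.upper()
    while rest:
        for name, bit in FLAG_BITS.items():
            if rest.startswith(name):
                flags |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown TCP flag in --scanflags: {rest!r}")
    return flags


def build_tcp_header(sport, dport, flags, window=0):
    """Constructed 20-byte TCP header used as sample input; never transmitted."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | (flags & 0x3F), window, 0, 0)


def parse_flags_and_window(tcp_header):
    offset_and_flags, window = struct.unpack("!HH", tcp_header[12:16])
    return offset_and_flags & 0x3F, window


def interpret_ack_scan(response):
    """ACK scan: any RST proves the probe reached the host (unfiltered); no
    answer means something in between dropped it (filtered)."""
    if response is None:
        return "filtered"
    flags, _ = parse_flags_and_window(response)
    return "unfiltered" if flags & RST else "filtered"


def interpret_window_scan(response):
    """Window scan: same probe, but a RST with a non-zero window is reported open
    and a RST with window 0 is reported closed. Only some systems set the window
    this way, so 'closed' describes the RST, not necessarily the service."""
    if response is None:
        return "filtered"
    flags, window = parse_flags_and_window(response)
    if not flags & RST:
        return "filtered"
    return "open" if window > 0 else "closed"


def firewalled_host(allowed_ports, rst_window=0):
    """Assumed host behind a firewall: only `allowed_ports` reach the OS, which
    answers every unsolicited ACK with a RST carrying `rst_window` (0 is what the
    Linux target in the write-up did, hence 'closed' in its window scan)."""
    def reply(probe):
        sport, dport = struct.unpack("!HH", probe[:4])
        if dport not in allowed_ports:
            return None
        return build_tcp_header(dport, sport, RST, window=rst_window)
    return reply


def scan(ports, host, interpret, flags=ACK):
    """Send one probe per port with the given flag bits and classify each reply."""
    return {p: interpret(host(build_tcp_header(40000, p, flags))) for p in ports}


if __name__ == "__main__":
    host = firewalled_host({22, 80, 443})
    print("ACK   :", scan([21, 22, 80, 443], host, interpret_ack_scan))
    print("Window:", scan([21, 22, 80, 443], host, interpret_window_scan))
    print("custom:", scan([22], host, interpret_ack_scan, flags=parse_scanflags("RSTSYNFIN")))
```

The two result lines reproduce the contrast the text describes: the same three ports come back "unfiltered" from the ACK interpretation and "closed" from the Window interpretation, and neither says anything about whether a service listens there. Passing a non-zero `rst_window` to `firewalled_host` shows the "open" verdict that a different TCP stack would produce for the identical RST.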
[Question 4.1] In TCP Window scan, how many flags are set?
Answer: 1
[Question 4.2] You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after --scanflags?
Answer: RST
[Question 4.3] The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered?
Answer: 4
[Question 4.4] What is the new port number that appeared?
Answer: 443
[Question 4.5] Is there any service behind the newly discovered port number? (Y/N)
Answer: N
It’s worth noting that in some network configurations, we’ll be able to scan a target system using a spoofed IP address and even a spoofed MAC address.
- However, such a scan is only useful when you can guarantee that the response will be captured.
- If we try to scan a target from a random network using a spoofed IP address, we are unlikely to receive a response, and the scan results may be inaccurate.
Option to use: -S
Example: nmap -S SPOOFED_IP MACHINE_IP
Nmap will generate all packets with the specified source IP address SPOOFED_IP. The target machine will reply to the incoming packets using SPOOFED_IP as the destination IP address.
To make this scan operate and produce reliable findings, the attacker must monitor network traffic and evaluate the responses.
In brief, scanning with a spoofed IP address takes three steps:
1) Attacker sends a packet with a spoofed source IP address to the target machine.
2) Target machine replies to the spoofed IP address as the destination.
3) Attacker captures the replies to figure out open ports.
In general, you are expected to specify the network interface using -e and to explicitly disable ping scan with -Pn.
Therefore, instead of nmap -S SPOOFED_IP MACHINE_IP, you will need to issue nmap -e NET_INTERFACE -Pn -S SPOOFED_IP MACHINE_IP to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply.
- It is worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses.
When you are on the same subnet as the target machine, you are able to spoof your MAC address as well.
You can specify the source MAC address using --spoof-mac SPOOFED_MAC. This address spoofing is only possible if the attacker and the target machine are on the same Ethernet (802.3) network or the same WiFi (802.11).
You can launch a decoy scan by specifying a specific or random IP address after -D.
- For example, nmap -D 10.10.0.1,10.10.0.2,ME MACHINE_IP will make the scan of MACHINE_IP appear to come from the IP addresses 10.10.0.1, 10.10.0.2, and then ME, which indicates that your own IP address should appear in the third position.
Another example command would be nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME MACHINE_IP, where the third and fourth source IP addresses are assigned randomly, while the fifth source is going to be the attacker’s IP address. In other words, each time you execute the latter command, you would expect two new random IP addresses to be the third and fourth decoy sources.
[Question 5.1] What do you need to add to the command sudo nmap 10.10.116.100 to make the scan appear as if coming from the source IP address 10.10.10.11 instead of your IP address?
Answer: -S 10.10.10.11
[Question 5.2] What do you need to add to the command sudo nmap 10.10.116.100 to make the scan appear as if coming from the source IP addresses 10.10.20.21 and 10.10.20.28 in addition to your IP address?
Answer: -D 10.10.20.21,10.10.20.28
Firewall — It’s essentially a piece of software or hardware that either allows or blocks “packets,” much like a security guard at an entrance.
It operates on the basis of “firewall rules,” which can be characterized as blocking all traffic with exceptions or allowing all traffic with exceptions.
- For example, you could block all communication to your server except that from your web server.
- A typical firewall inspects the IP header and the transport layer header at the very least.
- A more advanced firewall would additionally attempt to inspect the data transmitted by the “transport layer.”
IDS (Intrusion Detection System) — It examines network packets for certain behavioural patterns or content signatures and produces an alert whenever a malicious rule is matched.
- In addition to the IP header and transport layer header, an IDS would scan the data in the transport layer to see whether it matches any malicious patterns.
How can you reduce the likelihood that a standard firewall/IDS would detect your Nmap activity?
Answer: It is not easy; however, depending on the type of firewall/IDS, breaking the packet into smaller packets may help.
Fragmented Packets — Nmap has a -f option for fragmenting packets.
When this option is selected, the IP data will be split into fragments of 8 bytes or fewer. Adding an additional -f (-f -f or -ff) splits the data into 16-byte fragments rather than 8.
You can override the default size using the --mtu option; however, you should always use a multiple of 8.
To fully comprehend fragmentation, we must examine the IP header in the figure below. It may appear complicated at first, but we realize that we are familiar with the majority of its fields.
Take note that the source address occupies 32 bits (4 bytes) on the fourth row, while the destination address occupies another 4 bytes on the fifth row.
The data that will be divided into many packets is highlighted in red. IP uses the identification (ID) and fragment offset fields, shown in the second row of the picture below, to aid reassembly on the recipient side.
Let’s compare running sudo nmap -sS -p80 10.20.30.144 and sudo nmap -sS -p80 -f 10.20.30.144. As you know by now, this will use a stealth TCP SYN scan on port 80; however, in the second command, we are requesting Nmap to fragment the IP packets.
- We can see an ARP query and response in the first two lines. Because the target is on the same Ethernet, Nmap did an ARP query.
- The third and fourth lines show a TCP SYN ping and its response.
- The fifth line starts the port scan by sending a TCP SYN message to port 80. The IP header is 20 bytes in this case, whereas the TCP header is 24 bytes.
- The TCP header must be at least 20 bytes in size.
When fragmentation is requested with -f, the TCP header’s 24 bytes are divided into multiples of 8 bytes, with the final fragment containing 8 bytes or less of the TCP header.
We obtained three IP fragments because 24 is divisible by eight; each comprises 20 bytes of IP header and 8 bytes of TCP header. The three fragments can be seen between the fifth and seventh lines.
Note that if you added -ff (or -f -f), the fragmentation of the data will be in multiples of 16. In other words, the 24 bytes of the TCP header, in this case, would be divided over two IP fragments, the first containing 16 bytes and the second containing 8 bytes of the TCP header.
On the other hand, if you prefer to increase the size of your packets to make them look innocuous, you can use the option --data-length NUM, where NUM specifies the number of bytes you want to append to your packets.
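As an added example (not code from the room or from Nmap), the Python below reproduces the fragmentation arithmetic described above: it splits a constructed 24-byte TCP SYN header into 8-byte fragments (-f) or 16-byte fragments (-ff) with the offset counted in 8-byte units and the More Fragments flag set on all but the last, then reassembles them the way a receiving host or a fragmentation-aware IDS must before it can read the TCP flags. The sample header, the `ident` value and the helper names are assumptions; the fragment sizes and the 20-byte IP header follow the text.

```python
import struct

IP_HEADER_LEN = 20  # each fragment carries its own IP header, as in the capture above


def fragment(payload, frag_size, ident=0x1234):
    """Split an IP payload (here a TCP header) into fragments of frag_size bytes,
    mirroring -f (8) and -ff (16). The fragment offset field counts 8-byte
    units, which is why --mtu must be a multiple of 8."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    fragments = []
    for start in range(0, len(payload), frag_size):
        chunk = payload[start:start + frag_size]
        fragments.append({
            "id": ident,                               # same ID on every piece
            "offset": start // 8,                      # in 8-byte units
            "mf": start + frag_size < len(payload),    # More Fragments flag
            "total_len": IP_HEADER_LEN + len(chunk),
            "data": chunk,
        })
    return fragments


def fragment_count(payload_len, frag_size):
    """Number of fragments produced; the worked answer below is 64 / 16 = 4."""
    return -(-payload_len // frag_size)  # ceiling division


def reassemble(fragments):
    """What the receiver, or a fragmentation-aware IDS, does before inspecting the
    TCP header: group by ID, order by offset, verify the chain is contiguous and
    that only the last piece has MF cleared, then join the data."""
    fragments = list(fragments)
    if len({f["id"] for f in fragments}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(fragments, key=lambda f: f["offset"])
    expected, data = 0, bytearray()
    for i, f in enumerate(ordered):
        if f["offset"] * 8 != expected:
            raise ValueError("gap or overlap in fragment chain")
        if f["mf"] != (i < len(ordered) - 1):
            raise ValueError("MF flag inconsistent with fragment position")
        data += f["data"]
        expected += len(f["data"])
    return bytes(data)


def tcp_flags_visible(first_fragment):
    """A filter that inspects only the first fragment needs TCP bytes 12-13 to see
    the flags. With 8-byte fragments they sit in the second fragment, which is why
    such filters miss -f probes and why an IDS reassembles before matching."""
    return len(first_fragment["data"]) >= 14


def sample_tcp_header():
    """Constructed 24-byte TCP SYN header (20 bytes plus a 4-byte MSS option),
    the same size as the SYN in the write-up's capture."""
    base = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, (6 << 12) | 0x02, 1024, 0, 0)
    mss_option = struct.pack("!BBH", 2, 4, 1460)
    return base + mss_option


if __name__ == "__main__":
    hdr = sample_tcp_header()
    for size in (8, 16):
        pieces = fragment(hdr, size)
        print(f"frag_size={size}:", [(p["offset"], p["mf"], p["total_len"]) for p in pieces],
              "flags visible in first fragment:", tcp_flags_visible(pieces[0]))
    print("64-byte segment with -ff ->", fragment_count(64, 16), "fragments")
```

With -f the header becomes three 28-byte packets at offsets 0, 1 and 2, and the first one does not even contain the flag bits; with -ff it becomes two packets of 36 and 28 bytes and the flags are visible in the first. `reassemble` raises on an incomplete chain, which is the behaviour you want from a sensor rather than matching on partial data.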
[Question 6.1] If the TCP segment has a size of 64, and the -ff option is being used, how many IP fragments will you get?
- 64 / 16 = 4
Answer: 4
Spoofing the source IP address is a wonderful way to scan stealthily. Spoofing, on the other hand, will only function in specific network configurations. It necessitates that you be in a position to observe traffic.
Given these constraints, spoofing your IP address may be of little utility; nevertheless, we can improve it with the “Idle/Zombie Scan.”
Idle/Zombie Scan — It requires an idle system that is connected to the network and with which you can communicate.
In fact, Nmap will make each probe appear to come from the idle (zombie) host, then look for indicators that the idle (zombie) host received any response to the spoofed probe.
This is performed by inspecting the IP header’s IP identification (IP ID) value.
Option to use: -sI
Example: nmap -sI <zombie_IP> <target>
To determine whether a port is open, the idle (zombie) scan requires the following three steps:
- Trigger the idle host’s response so that you can record the idle host’s current IP ID.
- Send a SYN packet to the target’s TCP port. The packet should be spoofed so that it appears to be coming from the idle host’s (zombie’s) IP address.
- Trigger the idle host’s response again so that you can compare the new IP ID with the one you obtained before.
Let us illustrate with numbers. The diagram below shows the attacker system probing an idle machine, a multi-function printer, with a SYN/ACK. It responds with a RST packet containing its newly incremented IP ID.
In the next stage, the attacker sends a SYN packet to the TCP port of the target machine that they want to examine. This packet, however, uses the idle host (zombie) IP address as the source.
There would be three possibilities:
1) The TCP port is closed in the first case, as illustrated in the picture below, and the target machine answers to the idle host with a RST packet. Because the idle host does not react, its IP ID is not increased.
2) The TCP port is open in the second scenario, as shown below, thus the target machine answers with a SYN/ACK to the idle host (zombie). The idle host reacts to the unexpected transmission with a RST packet, which increases its IP ID.
3) Due to firewall rules, the target machine does not respond at all in the third case. This lack of response has the same effect as a closed port in that the idle host's IP ID will not be increased.
The attacker then sends another SYN/ACK to the idle host as the final step. The idle host answers with an RST packet, which increases the IP ID by one. The attacker must compare the IP ID of the first RST packet received with the IP ID of the third RST packet received. If the difference is one, the target machine’s port has been closed or filtered. If the difference is 2, it indicates that the port on the target was open.
- It is worth reiterating that this scan is termed an idle scan since selecting an idle host is critical to the scan’s accuracy. If the “idle host” is in use, all of the returned IP IDs are worthless.
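The three cases and the +1/+2 rule are easiest to check by simulating them. Below is an added Python example, not code from the room or from Nmap, that models a zombie with a single global IP ID counter, a target with open, closed and filtered ports, and the three-step probe from the text; it also models a zombie that is not actually idle so the "worthless results" case is visible. The `Zombie`, `Target` and `idle_scan_port` names, the starting IP ID and the port numbers are assumptions constructed for the example.

```python
class Zombie:
    """Constructed idle host: one global IP ID counter, incremented on every packet
    it sends. It answers an unexpected SYN/ACK with a RST and ignores a RST."""

    def __init__(self, ip_id=1000):
        self.ip_id = ip_id

    def receive(self, flags):
        if flags == "SYN/ACK":
            self.ip_id += 1
            return {"flags": "RST", "ip_id": self.ip_id}
        return None  # a RST (or anything else) gets no reply and no increment

    def unrelated_traffic(self, packets):
        """What happens when the 'idle' host is not idle: other conversations also
        consume IP IDs, which is why a busy zombie gives useless results."""
        self.ip_id += packets


class Target:
    """Constructed target with the three port states described above."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_spoofed_syn(self, port, zombie):
        # The SYN carries the zombie's address, so whatever the target sends back
        # goes to the zombie, never to the scanner.
        if port in self.filtered_ports:
            return None                       # firewall drops it: zombie hears nothing
        if port in self.open_ports:
            return zombie.receive("SYN/ACK")  # zombie answers the SYN/ACK with RST (+1)
        return zombie.receive("RST")          # closed: RST to the zombie, which ignores it


def classify(ip_id_difference):
    """Nmap's rule: +1 means the zombie sent nothing in between (closed|filtered),
    +2 means it answered a SYN/ACK from the target (open); anything else means
    the zombie was not idle and the result cannot be trusted."""
    if ip_id_difference == 2:
        return "open"
    if ip_id_difference == 1:
        return "closed|filtered"
    return "unreliable"


def idle_scan_port(target, zombie, port, background_packets=0):
    """The three-step probe from the text. `background_packets` models traffic the
    zombie exchanges with other hosts between step 1 and step 3."""
    first = zombie.receive("SYN/ACK")["ip_id"]     # step 1: record the zombie's IP ID
    target.receive_spoofed_syn(port, zombie)        # step 2: SYN to target, "from" the zombie
    zombie.unrelated_traffic(background_packets)
    third = zombie.receive("SYN/ACK")["ip_id"]     # step 3: probe the zombie again
    return classify(third - first)


def idle_scan(target, zombie, ports, background_packets=0):
    return {p: idle_scan_port(target, zombie, p, background_packets) for p in ports}


if __name__ == "__main__":
    target = Target(open_ports={22, 80}, filtered_ports={23})   # port 25 is closed
    print("idle zombie:", idle_scan(target, Zombie(), [22, 23, 25, 80]))
    print("busy zombie:", idle_scan(target, Zombie(), [22, 23, 25, 80], background_packets=3))
```

The first line reports 22 and 80 as open and 23 and 25 both as closed|filtered, which is exactly why the scan cannot separate a closed port from a filtered one. The second line shows every port as unreliable: a zombie that is talking to anyone else moves its IP ID by more than the scan can account for.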
[Question 7.1] You discovered a rarely-used network printer with the IP address 10.10.5.5, and you decide to use it as a zombie in your idle scan. What argument should you add to your Nmap command?
Answer: -sI 10.10.5.5
You might consider adding --reason if you want Nmap to provide more details regarding its reasoning and conclusions.
Consider the two scans below against the same system; the latter adds --reason.
Without --reason
With --reason
By specifying “--reason,” we get a clear reason “why” nmap concluded that the system is up or a certain port is open.
As in Example (2), we can see that this system is believed to be online because Nmap “received arp-response.”
On the other hand, we know that the SSH port is open because Nmap received a “syn-ack” packet in response.
Consider using -v for verbose output or -vv for even more verbosity for more thorough output.
If -vv does not satisfy your curiosity, try -d for debugging information or -dd for even more. You can be certain that using -d will result in output that goes beyond a single screen.
[Question 8.1] Launch the AttackBox if you haven’t done so already. After you make sure that you have terminated the VM from Task 4, start the VM for this task. Wait for it to load completely, then open the terminal on the AttackBox and use Nmap with nmap -sS -F --reason 10.10.53.242 to scan the VM. What is the reason provided for the stated port(s) being open?
Answer: syn-ack
These scan types rely on unexpectedly setting TCP flags to prompt ports for a response.
- The Null, FIN, and Xmas scan provoke a response from closed ports.
- The Maimon, ACK, and Window scans provoke a response from both open and closed ports.
[Question 9.1] Ensure you have taken note of all the Nmap options explained in this room. Please join the Nmap Post Port Scans room, the last room in this Nmap series.
Answer: No answer is needed.
CONCLUSION
There is no doubt that this is another room packed with an abundance of scanning characteristics, bringing another viewpoint on what type of scanning we would like to undertake, particularly for “port” scanning.
We would want to remain stealthy, but we also need accurate data and are looking for solutions to circumvent firewalls and intrusion detection systems (if possible). Nonetheless, there is so much to learn from this room that I would redo it all over again to fully grasp the concept and what goes into each scan.
Cheers! ◡̈