Lab Access: https://tryhackme.com/room/nmap03
Security researchers and hackers examined the TCP flags, illustrated in the image below and explained in the preceding room, and began experimenting.
They wanted to know what would happen if we sent a TCP packet with one or more flags set that was not part of any ongoing TCP connection.
A quick refresher of the prior room, one of the sections that taught about the “ACK Flag,” which we wish to “acknowledge” received data, and it is similar to attempting to acknowledge data that was never sent or received in the first place.
Similarly to someone approaching you out of nowhere and saying, “yeah, I hear you, please continue,” when you haven’t spoken anything.
[Question 1.1] Launch the AttackBox by using the Start AttackBox button and get ready to experiment with different types of Nmap scans against different virtual machines.
Answer: No answer is needed.
Null Scan — It does not set any flags; all six flag bits are set to zero.
- When a TCP packet arrives at an open port with no flags specified, no response is generated.
- A lack of response in a null scan suggests that either the port is open or a firewall is blocking the packet, according to Nmap.
Option to use: -sN
If the port is closed, we expect the target server to react with a RST response. As a result, we may use the lack of RST response to determine which ports are open or filtered.
An example of a null scan against a Linux server is shown below. The six open ports on the target system were successfully discovered by the null scan we performed.
Because the null scan depends on the lack of response to inferring that the port is not closed, it cannot guarantee that these ports are open; the ports may be not responding because of a firewall rule.
FIN Scan — It transmits a TCP packet with the flag “FIN.” However, no answer will be sent back if the TCP port is open, therefore Nmap cannot tell if the port is open or if a firewall is blocking TCP port communication.
Just like with “NULL Scan,” the target system will react with a “RST” if the port is closed, so that we can determine which port is closed and then utilize that information to determine which ports are open or filtered.
- It’s beneficial to understand that some firewalls will ‘quietly’ drop traffic without sending a RST.
Option to use: -sF
The outcome is very similar to what we received earlier utilizing a “NULL Scan.”
Xmas Scan — This scan appears to be named after Christmas tree lights. However, the primary goal of this scan is to simultaneously activate the FIN, PSH, and URG flags.
- If a RST packet is received, comparable to a “NULL” or “FIN” scan, it indicates that the port is closed; otherwise, it will be reported as “open|filtered.”
Option to use: -sX
The obtained results are very comparable to those of the “NULL” and “FIN” scans.
When scanning a target behind a stateless (non-stateful) firewall, these three scan modes can be very efficient.
- To identify a connection attempt, a stateless firewall will examine the incoming packet for the SYN flag.
- Using a flag combination that does not match the SYN packet allows you to fool the firewall and get access to the system behind it.
- A stateful firewall, on the other hand, will effectively block all such designed packets, rendering this type of scan ineffective.
[Question 2.1] In a null scan, how many flags are set to 1?
[Question 2.2] In a FIN scan, how many flags are set to 1?
[Question 2.3] In a Xmas scan, how many flags are set to 1?
[Question 2.4] Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use nmap to launch a FIN scan against the target VM. How many ports appear as open|filtered?
[Question 2.5] Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered?
Maimon Scan — When the “FIN” and “ACK” bits are set, the target should respond with an RST packet. However, many BSD-derived systems delete the packet if it is an open port, exposing the open ports, although this scan will not function on most targets encountered owing to modern networks.
But keep in mind that this is only for educational purposes.
Option to use: -sM
Regardless of whether the TCP port is open, most target machines react with an RST response.
- We won’t be able to find the open ports in this instance.
The diagram below illustrates the expected behavior for both open and closed TCP ports.
[Question 3.1] In the Maimon scan, how many flags are set?
- Because “FIN/ACK” are being delivered to the target’s machine
TCP ACK Scan — An ACK scan will transmit a TCP packet with the ACK flag set, and the target will respond to the ACK with RST regardless of the port’s state.
It happens because, unlike in our instance, a TCP packet with the ACK flag set should only be sent in response to a received TCP packet to acknowledge the receipt of certain data. As a result, in a simple arrangement, this scan will NOT inform us whether the target port is open.
Option to use: -sA
We were unable to determine which ports were open, as expected.
Even though the results are negative in general, this type of scan is useful if there is a firewall in front of the target since it will tell you which ports were not blocked by the firewall depending on which ACK packets resulted in answers.
- In other words, this form of scan is more suited for identifying firewall rule sets and setup.
We ran the ACK scan after configuring the target VM with a firewall. We got some interesting results this time. We have three ports that are not being blocked by the firewall, as shown in the console output below. This implies that the firewall is blocking all other ports save these three.
Which leads to the question, "why" are these three ports so valuable that they require a firewall to be blocked?
Window Scan — It is similar to the ACK scan, except that it analyzes the TCP Window field of the RST packets returned.
- This can indicate that the port is open on some systems.
- Regardless of whether the port is open or closed, we expect to receive an RST message in response to our “uninvited” ACK packets.
Similarly, launching a TCP window scan against a Linux system with no firewall will not provide much information.
As we can see in the console output below, the results of the window scan against a Linux server with no firewall didn’t give any extra information compared to the ACK scan executed earlier.
However, we might expect more pleasing findings if we run our TCP window scan against a server behind a firewall.
The TCP window scan indicated that three ports were detected as closed in the console output displayed below. (This differs from the ACK scan, which labeled the same three ports as unfiltered.)
Despite the fact that we know these three ports are not closed, we can see that they answered differently, demonstrating that the firewall does not block them.
Custom Scan — If you wish to try out a different TCP flag combination than the built-in TCP scan types, use — scanflags.
For example, if you wish to set SYN, RST, and FIN all at once, use — scanflags RSTSYNFIN. As indicated in the graphic below, if you design your custom scan, you must understand how the various ports will react in order to accurately interpret the results in various settings.
Finally, it is critical to highlight that the ACK scan and the Window scan were really useful in assisting us in mapping out the firewall rules. It is important to realize, however, that just because a firewall does not block a certain port does not necessarily mean that a service is listening on that port.
For example, the firewall rules might need to be modified to reflect current service modifications. As a result, ACK and window scans expose the firewall rules rather than the services.
[Question 4.1] In TCP Window scan, how many flags are set?
[Question 4.2] You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after
[Question 4.3] The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered?
[Question 4.4] What is the new port number that appeared?
[Questinon 4.5] Is there any service behind the newly discovered port number? (Y/N)
It’s worth noting that in some network configurations, we’ll be able to scan a target system using a spoofed IP address and even a spoofed MAC address.
- However, such a scan is only useful when it is possible to promise that the response will be captured.
- If we try to scan a target from a random network using a spoofed IP address, we are unlikely to receive a response, and the scan results may be inaccurate.
Option to use: -S
Example: nmap -S <spoof_if> <target>
Nmap will generate all packets with the specified source IP address SPOOFED_IP. The target machine will reply to incoming packets using the destination IP address SPOOFED_IP.
To make this scan operate and produce reliable findings, the attacker must monitor network traffic and evaluate the responses.
In brief, scanning with a spoofed IP address is three steps:1) Attacker sends a packet with a spoofed source IP address to the target machine.2) Target machine replies to the spoofed IP address as the destination.3) Attacker captures the replies to figure out open ports.
In general, you expect to specify the network interface using
-e and to explicitly disable ping scan
Therefore, instead of
nmap -S SPOOFED_IP MACHINE_IP, you will need to issue
nmap -e NET_INTERFACE -Pn -S SPOOFED_IP MACHINE_IP to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply.
- It is worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses.
When you are on the same subnet as the target machine, you would be able to spoof your MAC address as well.
You can specify the source MAC address using
--spoof-mac SPOOFED_MAC. This address spoofing is only possible if the attacker and the target machine are on the same Ethernet (802.3) network or same WiFi (802.11).
You can launch a decoy scan by specifying a specific or random IP address after
- For example,
nmap -D 10.10.0.1,10.10.0.2,ME MACHINE_IPwill make the scan of MACHINE_IP appear as coming from the IP addresses 10.10.0.1, 10.10.0.2, and then
MEto indicate that your IP address should appear in the third order.
Another example command would be
nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME MACHINE_IP, where the third and fourth source IP addresses are assigned randomly, while the fifth source is going to be the attacker’s IP address. In other words, each time you execute the latter command, you would expect two new random IP addresses to be the third and fourth decoy sources.
[Question 5.1] What do you need to add to the command
sudo nmap 10.10.116.100 to make the scan appear as if coming from the source IP address
10.10.10.11 instead of your IP address?
Answer: -S 10.10.10.11
[Question 5.2] What do you need to add to the command
sudo nmap 10.10.116.100 to make the scan appear as if coming from the source IP addresses
10.10.20.28 in addition to your IP address?
Answer: -D 10.10.20.21,10.10.20.28
Firewall — It’s essentially a piece of software or hardware that either allows or blocks “packets,” and is quite similar to the entrance guard.
It operates on the basis of “firewall rules,” which can be characterized as blocking all traffic with exceptions or letting all traffic with exceptions.
- For example, you could block all communication to your server except that from your web server.
- A typical firewall inspects the IP header and the transport layer header at the very least.
- A more advanced firewall would additionally attempt to inspect the data transmitted by the “transport layer.”
IDS (Intrusion Detection System) — It examines network packets for certain behavioural patterns or content signatures and produces an alert whenever a malicious rule is matched.
- In addition to the IP header and transport layer header, an IDS would scan the data in the transport layer to see whether it matches any malicious patterns.
How can you reduce the likelihood that a standard firewall/IDS would detect your Nmap activity?Answer: It is not easy; however, depending on the type of firewall/IDS, breaking the packet into smaller packets may help.
Fragmented Packets — Nmap has a -f option for fragmenting packets.
When this option is selected, the IP data will be split into 8 bytes or fewer. Adding additional -f (-f -f or -ff) divides the data into 16 byte-fragments rather than 8.
You can override the default amount using the — mtu option; however, you should always use a multiple of 8.
To fully comprehend fragmentation, we must examine the IP header in the figure below. It may appear complicated at first, but we realize that we are familiar with the majority of its fields.
Take note that the source address occupies 32 bits (4 bytes) on the fourth row, while the destination address occupies another 4 bytes on the fifth row.
The data that will be divided into many packets is highlighted in red. IP employs the identification (ID) and fragment offset, as indicated in the second row of the picture below, to aid with reassembly on the recipient side.
Let’s compare running
sudo nmap -sS -p80 10.20.30.144 and
sudo nmap -sS -p80 -f 10.20.30.144. As you know by now, this will use stealth TCP SYN scan on port 80; however, in the second command, we are requesting Nmap to fragment the IP packets.
- We can see an ARP query and response in the first two lines. Because the target is on the same Ethernet, Nmap did an ARP query.
- The second and third lines show a TCP SYN ping and a response.
- The fifth line starts the port scan by sending a TCP SYN message to port 80. The IP header is 20 bytes in this case, whereas the TCP header is 24 bytes.
- The TCP header must be at least 20 bytes in size.
When fragmentation is requested with -f, the TCP header’s 24 bytes are divided into multiples of 8 bytes, with the final fragment containing 8 bytes or less of the TCP header.
We obtained three IP fragments because 24 is divisible by eight; each comprises 20 bytes of IP header and 8 bytes of TCP header. The three fragments can be seen between the fifth and seventh lines.
Note that if you added
-f -f), the fragmentation of the data will be multiples of 16. In other words, the 24 bytes of the TCP header, in this case, would be divided over two IP fragments, the first containing 16 bytes and the second containing 8 bytes of the TCP header.
On the other hand, if you prefer to increase the size of your packets to make them look innocuous, you can use the option
--data-length NUM, where num specifies the number of bytes you want to append to your packets.
[Question 6.1] If the TCP segment has a size of 64, and
-ff option is being used, how many IP fragments will you get?
- 64 / 16 = 4
Spoofing the source IP address is a wonderful way to scan stealthily. Spoofing, on the other hand, will only function in specific network configurations. It necessitates that you be in a position to observe traffic.
Given these constraints, spoofing your IP address may be of little utility; nevertheless, we can improve it with the “Idle/Zombie Scan.”
Idle/Zombie Scan — It requires an idle system that is connected to the network and with which you can communicate.
In fact, Nmap will make each probe appear to come from the idle (zombie) host, then look for indicators that the idle (zombie) host received any response to the spoofed probe.
This is performed by inspecting the IP header’s IP identification (IP ID) value.
Option to use: -sI
Example: nmap -sI <zombie_IP> <target>
To determine whether a port is open, the idle (zombie) scan requires the following three steps:
- Trigger the idle host’s response so that you can record the idle host’s current IP ID.
- Send an SYN packet to the target’s TCP port. The packet should be spoofed so that it appears to be coming from the idle host’s (zombie’s) IP address.
- Restart the idle machine so that you can compare the new IP ID with the one you obtained before.
Let us illustrate with numbers. The attacker system is seen in the diagram below probing an idle machine, a multi-function printer. It responds with a RST packet containing its newly incremented IP ID after receiving a SYN/ACK.
In the next stage, the attacker will send an SYN packet to the TCP port of the target machine that they want to examine. This packet, however, will utilize the idle host (zombie) IP address as the source.
There would be three possibilities:
1) The TCP port is closed in the first case, as illustrated in the picture below, and the target machine answers to the idle host with a RST packet. Because the idle host does not react, its IP ID is not increased.
2) The TCP port is open in the second scenario, as shown below, thus the target machine answers with a SYN/ACK to the idle host (zombie). The idle host reacts to the unexpected transmission with a RST packet, which increases its IP ID.
3) Due to firewall rules, the target machine does not respond at all in the third case. This lack of response has the same effect as a closed port in that the idle host's IP ID will not be increased.
The attacker then sends another SYN/ACK to the idle host as the final step. The idle host answers with an RST packet, which increases the IP ID by one. The attacker must compare the IP ID of the first RST packet received with the IP ID of the third RST packet received. If the difference is one, the target machine’s port has been closed or filtered. If the difference is 2, it indicates that the port on the target was open.
- It is worth reiterating that this scan is termed an idle scan since selecting an idle host is critical to the scan’s accuracy. If the “idle host” is in use, all of the returned IP IDs are worthless.
[Question 7.1] You discovered a rarely-used network printer with the IP address
10.10.5.5, and you decide to use it as a zombie in your idle scan. What argument should you add to your Nmap command?
Answer: -sI 10.10.5.5
You might consider adding
--reason if you want Nmap to provide more details regarding its reasoning and conclusions.
Consider the two scans below to the system; however, the latter adds
By specifying “
--reason,” we get a clear reason “why” nmap concluded that the system is up or a certain port is open.
As in Example (2), we can see that this system is believed to be online because Nmap “received arp-response.”
On the other hand, we know that the SSH port is open because Nmap received a “syn-ack” packet in response.
Consider using -v for verbose output or -vv for even more verbosity for more thorough output.
If -vv does not satisfy your curiosity, try -d for debugging information or -dd for even more. You can be certain that using -d will result in output that goes beyond a single screen.
[Question 8.1] Launch the AttackBox if you haven’t done so already. After you make sure that you have terminated the VM from Task 4, start the VM for this task. Wait for it to load completely, then open the terminal on the AttackBox and use Nmap with
nmap -sS -F --reason 10.10.53.242 to scan the VM. What is the reason provided for the stated port(s) being open?
These scan types rely on unexpectedly setting TCP flags to prompt ports for a response.
- The Null, FIN, and Xmas scan provoke a response from closed ports.
- The Maimon, ACK, and Window scans provoke a response from both open and closed ports.
[Question 9.1] Ensure you have taken note of all the Nmap options explained in this room. Please join the Nmap Post Port Scans room, the last room in this Nmap series.
Answer: No answer is needed.
There is no doubt that it is another room packed with an abundance of scanning characteristics that brings another viewpoint on what type of scanning we would like to undertake, particularly for “port” scanning.
Because we would want to remain stealthy, but we also need accurate data and are looking for solutions to circumvent firewalls and intrusion detection systems (if possible). Nonetheless, there is so much to learn from this room that I would redo it all over again to fully grasp the concept and what goes into each scan.
How many ports will Nmap scan if the flag was used THM? ›
By default, Nmap scans the 1,000 most popular ports of each protocol it is asked to scan. Alternatively, you can specify the -F (fast) option to scan only the 100 most common ports in each protocol or --top-ports to specify an arbitrary number of ports to scan.How tell Nmap to scan all ports? ›
- Port list separated by commas: $ nmap -p80,443 localhost.
- Port range denoted with hyphens: $ nmap -p1-100 localhost.
- Alias for all ports from 1 to 65535: # nmap -p- localhost.
- Specific ports by protocol: # nmap -pT:25,U:53 <target>
- Service name: # nmap -p smtp <target>
Nmap has an aggressive mode that enables OS detection, version detection, script scanning, and traceroute. You can use the -A argument to perform an aggressive scan. Aggressive scans provide far better information than regular scans.
You can occasionally improve Nmap scan times by increasing your available bandwidth or CPU power. This may be done either by installing a new data line or CPU, or by halting concurrently running applications which compete for these resources.What is the maximum number of ports that can be scanned? ›
So you can specify -p- to scan ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP protocol scanning ( -sO ), this option specifies the protocol numbers you wish to scan for (0–255).What are the 1000 ports Nmap scans? ›
By default, Nmap scans the top 1,000 ports for each scan protocol requested. This catches roughly 93% of the TCP ports and 49% of the UDP ports. With the -F (fast) option, only the top 100 ports are scanned, providing 78% TCP effectiveness and 39% for UDP.How do you check what is running on all ports? ›
- For Microsoft Windows: netstat -ano | find "1234" | find "LISTEN" tasklist /fi "PID eq 1234"
- For Linux: netstat -anpe | grep "1234" | grep "LISTEN"
Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style addressing. You can append / <numbits> to an IP address or hostname and Nmap will scan every IP address for which the first <numbits> are the same as for the reference IP or hostname given. For example, 192.168.How do I scan for all open ports? ›
To view the TCP/UDP open port state of a remote host, type “portqry.exe –n [hostname/IP]” where [hostname/IP] is replaced with the hostname or IP address of the remote host.Can Nmap detect vulnerabilities? ›
Nmap can identify the operating system running on devices, including perhaps the vendor and software version. Security auditing and risk assessment. Once Nmap identifies the version and applications running on a specific host it can then further determine their open vulnerabilities.
Can Nmap be used maliciously? ›
Nmap can be used by hackers to gain access to uncontrolled ports on a system. All a hacker would need to do to successfully get into a targeted system would be to run Nmap on that system, look for vulnerabilities, and figure out how to exploit them. Hackers aren't the only people who use the software platform, however.How do you defend against Nmap? ›
One of the best defensive measures against scanning is a well-configured firewall. Rather than simply obfuscate the network configuration, as some techniques described later do, well-configured firewalls can effectively block many avenues of attack.How do I scan all ports 65535? ›
The Nmap command you will need to scan all ports is “nmap –p– 192.168. 0.1,” which scans ports 0 through 65,535. If you want to scan a single port, the command to enter is “nmap -p 22 192.168. 1.1.” For scanning a range of ports, you would need to insert the following command in the Nmap window: “nmap -p 1-100 192.168.Is Nmap port scanning illegal? ›
Network probing or port scanning tools are only permitted when used in conjunction with a residential home network, or if explicitly authorized by the destination host and/or network. Unauthorized port scanning, for any reason, is strictly prohibited.How long should a full Nmap scan take? ›
How long do Nmap scans take? Nmap takes about 21 minutes for each host connected to the network.What is a full port scan? ›
A port scan is a network reconnaissance technique designed to identify which ports are open on a computer. This can enable the scanner to identify the applications running on the system as certain programs listen on particular ports and react to traffic in certain ways.How many connections can a port handle? ›
Ports are 16-bit numbers, therefore the maximum number of connections any given client can have to any given host port is 64K.What advanced port scanning tool can allow? ›
Advanced Port Scanner is a fast and free software for port scanning. It will allow you to quickly find all open ports (TCP and UDP) and detect versions of programs running on them.What is the port 4444? ›
Port 4444, Transfer Control Protocol: Some rootkits, backdoors, and Trojans open and use port 4444. It uses this port to eavesdrop on traffic and communications, for its communications, and to receive data from the compromised computer.Why are there 65535 ports? ›
Dynamic ports—Ports in the range 49152 to 65535 are not assigned, controlled, or registered. They are used for temporary or private ports. They are also known as private or non-reserved ports. Clients should choose ephemeral port numbers from this range, but many systems do not.
Is NMap the best port scanner? ›
NMap is the most popular port scanner for system administrators, network engineers, and developers. Angry IP Scanner is also a popular tool for scanning the local network and the internet.How do I know if port 443 is open? ›
You can use netstat command to list the tcp port, if 443 port is listed there and state is established means 443 is open for outbound communication.How do I know if port 8080 is open? ›
- Hold down the Windows key and press the R key to open the Run dialog.
- Type “cmd” and click OK in the Run dialog.
- Verify the Command Prompt opens.
- Type “netstat -a -n -o | find "8080"". A list of processes using port 8080 are displayed.
- Hold down the Windows key and press the R key to open the Run dialog.
- Type “cmd” and click OK in the Run dialog.
- Verify the Command Prompt opens.
- Type “netstat -a -n -o | find "8080"". A list of processes using port 8080 is displayed.
Nmap Command to Scan for Open Ports
Nmap can reveal open services and ports by IP address as well as by domain name. If you need to perform a scan quickly, you can use the -F flag. The -F flag will list ports on the nmap-services files. Because the -F "Fast Scan" flag does not scan as many ports, it isn't as thorough.
What Do Nmap Scanning Flags Do? These flags are used for scanning port related information about target hosts. If you know which ports are open then you have a potential opening to get into the system, so pentesters rely heavily on this kind of Nmap query.How many packets does Nmap send to the target when running a no port scan? ›
On average Nmap sends 5–10 fewer packets per host, depending on network conditions. If a single subnet is being scanned (i.e. 192.168. 0.0/24) Nmap may only have to send two packets to most hosts.How many TCP ports are targeted when using the full scan option? ›
The number of ports scanned is determined by what you've configured in your option profile, in the scans tab. Notice, the default is 1900 ports. However, you can run a full 65,535 TCP port scan, or configure the service to just scan on one port.Is Nmap the best port scanner? ›
NMap is the most popular port scanner for system administrators, network engineers, and developers. Angry IP Scanner is also a popular tool for scanning the local network and the internet.Does Nmap show all open ports? ›
Nmap Commands to Scan All Open Ports
That's why they are essential to both hackers and security analysts. Nmap makes scanning open ports easier even for starting users. You can find a list of all open network ports using the below Nmap command. The -sT option tells Nmap to perform a full TCP scan.
What is the most common Nmap scan type? ›
Nmap Ping Scan
The most famous type of scan is the Nmap ping scan (so-called because it's often used to perform Nmap ping sweeps), and it's the easiest way to detect hosts on any network.
In a null scan, the attacker sends a packet to the target without any flags set within it. Once again, the target will be confused and will not respond. This will indicate the port is open on the target. However, if the target responds with an RST packet, this means the port is closed on the device.What is a stealth scan? ›
Stealth scan types are those where packet flags cause the target system to respond without having a fully established connection. Stealth scanning is used by hackers to circumvent the intrusion detection system (IDS), making it a significant threat.