nmap
Network port/service enumeration techniques with network-mapper (nmap).
TCP connect scan
-sTflag
-sT(TCP connect scan) . TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call.
Used when user does not have raw packet privileges.
TCP SYN scan
-sSflag
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.
Also known as half-open scanning.
UDP scan
-sU flag
While most popular services on the Internet run over the TCP protocol, UDP [6] services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports.
Window scan
-sW flag
Window scan is exactly the same as
ACKscan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when aRSTis returned.
For certain systems, an open port will return a positive TCP window field size (even for RST packets), while closed ones will return a zero window size. This allows resolving the TCP port as closed/open rather than unfiltered when a RST is received.(as in the ACK scan).
TCP ACK scan
-sAflag
This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
For unfiltered systems, both open and closed ports will return a RST packet.
Custom TCP scan
--scanflags flag
Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags.
Other possible scan types
-sY, -sN, -sF,-sX, -sM, etc.
Default port range
The default port range for most of the scan types above are the 1000 most popular port defined in the configuration file. (/usr/share/nmap/nmap-services?)
Port options
-p-
all ports
-p1-1023
scan ports 1 to 1023
Service/version info scan
For example, the following is a truncated output from Metasploitable 2:
Idle/Zombie scan
-sI zombie host[:probeport]
An idle/zombie host is required. This host should be idle, and not have any other ongoing forms of interactions with the other devices in the network.
This scan works based on the fact that the TCP Identification (ID) field increments by 1 for every packet sent outward by a host on the network. The overview of the steps involved in an idle/zombie scan is highlighted:
Attacker sends a
SYN/ACKpacket to the idle hostThe idle host will respond with a
RSTpacket containing its IP headerIDvalue
Attacker sends a TCP
SYNscan packet to the target at the desired port, with the source IP address as that of the idle hostAttacker sends another
SYN/ACKpacket to the idle host, and determine if the target's port is open|filtered/close based on the updated IP headerIDvalue (discussed below)
Consider the following scenarios:
a) Target port is closed
The IP header ID value will increment by 1 for the idle host from step 1 above. In step 2, if the port on the target host is closed, it will respond with a RST packet, to which the idle host will not respond with anything.
Overall, the IP header ID value incremented by 1.
b) Target port is open
The IP header ID value increments by 1 from step 1 mentioned above. In step 2, the target host will respond with a SYN/ACK packet, to which the idle host will respond with a RST packet (as the idle host did send any SYN packets). The IP header ID value increments by 1 again.
Overall, the IP header ID value incremented by 2.
Last updated