types of nmap cyber security 2022?

 

A Complete Guide to Nmap 


Nmap Scan Types
  • TCP SCAN. A TCP scan is generally used to check and complete a three-way handshake between you and a chosen target system. ...
  • UDP SCAN. ...
  • SYN SCAN. ...
  • ACK SCAN. ...
  • FIN SCAN. ...
  • NULL SCAN. ...
  • XMAS SCAN. ...
  • RPC SCAN.




Nmap is one of the most commonly used tools by ethical hackers. Its ease of use and clean installation along with powerful scanning options, adds to its popularity. This nmap tutorial gives you a comprehensive understanding of the tool and teaches you how to perform advanced scans by yourself.
Below is the list of topics that I’ll be covering through the course of this nmap tutorial. 

You can go through this Nmap Tutorial lecture where our Training expert is discussing each & every nitty-gritty of the technology.



What is Nmap?

Nmap, short for Network Mapper, is a network discovery and security auditing tool. It is known for its simple and easy to remember flags that provide powerful scanning options. Nmap is widely used by network administrators to scan for:nmap logo - nmap tutorial - Edureka

  • Open ports and services
  • Discover services along with their versions
  • Guess the operating system running on a target machine
  • Get accurate packet routes till the target machine
  • Monitoring hosts

According to the official Nmap website –

Nmap  is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. 


Let’s move ahead in this nmap tutorial and discuss the various types of scans.

Nmap Scan Types

A variety of scans can be performed using Nmap. Below are the types of scans:

TCP SCAN

A TCP scan is generally used to check and complete a three-way handshake between you and a chosen target system. A TCP scan is generally very noisy and can be detected with almost little to no effort. This is “noisy” because the services can log the sender IP address and might trigger Intrusion Detection Systems.

UDP SCAN

UDP scans are used to check whether there is any UDP port up and listening for incoming requests on the target machine. Unlike TCP, UDP has no mechanism to respond with a positive acknowledgment, so there is always a chance for a false positive in the scan results. However, UDP scans are used to reveal Trojan horses that might be running on UDP ports or even reveal hidden RPC services. This type of scan tends to be quite slow because machines, in general, tend to slow down their responses to this kind of traffic as a precautionary measure.

SYN SCAN

This is another form of TCP scan. The difference is unlike a normal TCP scan, nmap itself crafts a syn packet, which is the first packet that is sent to establish a TCP connection. What is important to note here is that the connection is never formed, rather the responses to these specially crafted packets are analyzed by Nmap to produce scan results.

ACK SCAN

ACK scans are used to determine whether a particular port is filtered or not. This proves to be extremely helpful when trying to probe for firewalls and their existing set of rules. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not.

FIN SCAN

Also a stealthy scan, like the SYN scan, but sends a TCP FIN packet instead. Most but not all computers will send an RST packet (reset packet) back if they get this input, so the FIN scan can show false positives and negatives, but it may get under the radar of some IDS programs and other countermeasures.

NULL SCAN

Null scans are extremely stealthy scan and what they do is as the name suggests — they set all the header fields to null. Generally, this is not a valid packet and a few targets will not know how to deal with such a packet. Such targets are generally some version of windows and scanning them with NULL packets may end up producing unreliable results. On the other hand, when a system is not running windows this can be used as an effective way to get through.

XMAS SCAN

Just like null scans, these are also stealthy in nature. Computers running windows will not respond to Xmas scans due to the way their TCP stack is implemented. The scan derives its name from the set of flags that are turned on within the packet that is sent out for scanning. XMAS scans are used to manipulate the PSH, URG and FIN flags that can be found in the TCP header.

RPC SCAN

RPC scans are used to discover machines that respond to Remote Procedure Call services (RPC). RPC allows commands to be run on a certain machine remotely, under a certain set of connections. RPC service can run on an array of different ports, hence, it becomes hard to infer from a normal scan whether RPC services are running or not. It is generally a good idea to run an RPC scan from time to time to find out where you have these services running.

IDLE SCAN

IDLE scan is the stealthiest of all scans discussed in this nmap tutorial, as the packets are bounced off an external host. Control over the host is generally not necessary, but the host needs to meet a specific set of conditions. It is one of the more controversial options in Nmap since it only has a use for malicious attacks.

Nmap Commands

In this section of Nmap Tutorial, I’ll be listing down the various commands you can use in Nmap along with their flag and usage description with an example on how to use it.

Scanning Techniques

FlagUseExample
-sSTCP syn port scannmap -sS 192.168.1.1
-sTTCP connect port scannmap -sT 192.168.1.1
sUUDP port scannmap –sU 192.168.1.1
sATCP ack port scannmap –sA 192.168.1.1

 

Host Discovery

Cyber Security Training

FlagUseExample
-Pnonly port scannmap -Pn192.168.1.1
-snonly host discovernmap -sn192.168.1.1
-PRarp discovery on a local networknmap -PR192.168.1.1
-ndisable DNS resolutionnmap -n 192.168.1.1

 

Port Specification

FlagUseExample
-pspecify a port or port rangenmap -p 1-30 192.168.1.1
-p-scan all portsnmap -p- 192.168.1.1
-Ffast port scannmap -F 192.168.1.1

 

Service Version and OS Detection

FlagUseExample
-sVdetect the version of services runningnmap -sV 192.168.1.1
-Aaggressive scannmap -A 192.168.1.1
-Odetect operating system of the targetnmap -O 192.168.1.1

 

Timing and Performance

FlagUseExample
-T0paranoid IDS evasionnmap -T0 192.168.1.1
-T1sneaky IDS evasionnmap -T1 192.168.1.1
-T2polite IDS evasionnmap -T2 192.168.1.1
-T3normal IDS evasionnmap -T3 192.168.1.1
-T4aggressive speed scannmap -T4 192.168.1.1
-T5insane speed scannmap -T5 192.168.1.1

 

NSE Scripts

FlagUseExample
-sCdefault script scannmap -sC 192.168.1.1
–script bannerbanner grabbingnmap –script banner 192.168.1.1

 

IDS Evasion

FlagUseExample
-fuse fragmented IP packetsnmap -f 192.168.1.1
-Ddecoy scansnmap -D 192.168.1.1
-guse a given source port numbernmap -g 22 192.168.1.1

 

You can also take a look at our newly launched course on CompTIA Security+ Course which is a first-of-a-kind official partnership between Edureka & CompTIA Security+. It offers you a chance to earn a global certification that focuses on core cybersecurity skills which are indispensable for security and network administrators. 

Learn Cybersecurity the right way with Edureka’s POST-GRADUATE PROGRAM with NIT Rourkela and defend the world’s biggest companies from phishers, hackers and cyber attacks.

Got a question for us? Please mention it in the comments section of the “Nmap tutorial” blog and we will get back to you.

Nmap - Switches and Scan Types in Nmap



Nmap - Switches and Scan Types in Nmap

Nmap is probably the most famous reconnaissance tool among Pentesters and Hacker. It is essentially a port scanner that helps you scan networks and identify various ports and services available in the network, besides also providing further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses. It also comes in handy during network auditing!

The barebone syntax of Nmap is:

$ nmap [FLAGS] [IP]

Note that you may also need to run it with sudo privileges at times to perform some particular types of scans,

Nmap Switches

Nmap is strong and powerful networking scanning to tool which allows for customizing our scans with the help of flags passed via the command line. Some of the important flags are :

  • -h: Print a help summary page
  • -sS: Perform a TCP SYN scan
  • -sU: Perform a UDP scan
  • -sV: Probe open ports to determine service/version info
  • -O: Enable OS detection
  • -v: Enable verbosity. You can even set the verbosity level as such :
    • -vv: Level 2 verbosity. The minimum level of verbosity advised for use.
    • -v3: Level 3 verbosity. You can always specify the verbosity level by specifying a number like this.
  • -oA: Same Nmap output in “normal”, XML and grepable formats. However you can specify the format of your choice with :
    • -oN: Redirect normal output to a given filename
    • -oX: Produce output in a clean, XML format and store it in a given file
    • -oG: Produce “grepable” output and store it to a file. Deprecated format as users are now moving towards XML outputs.
  • -A: Enables “aggressive” scanning. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (–traceroute)
  • -p: Specify the ports to scan. It can be a single port as well as a range of ports. For Example :
    • nmap -p 80 127.0.0.0.1: This scans port 80 on localhost
    • nmap -p 1-100 127.0.0.1: This scans ports from 1 to 100 on localhost
    • nmap -p- 127.0.0.1: This scans all the ports on the localhost

Scan Types in Nmap

Nmap supports a lot of different scan types. However the most popular ones are:

1. TCP Connect Scans (-sT)

In this type of scan, Nmap sends a TCP packet to a port with the SYN flag set. In this scenario two things can occur :

  • The target responds with an RST packet that signifies that the port is closed.
  • Target doesn’t respond at all, probably due to a firewall dropping all incoming packets in which case the port will be considered filtered
  • The target responds back with a TCP packet with the SYN/ACK flags set which would signify that the port is open and then Nmap would respond with a TCP packet with the ACK flag set and hence would complete the TCP 3-way handshake.

This is not a very reliable scan technique as it is easy to configure a firewall rule to respond back with RST packets or drop all incoming packets. Also this method is extremely slow as it waits for the entire TCP 3 way handshake.

2. SYN “Half-open” Scans (-sS)

SYN scans, also known as “Half-Open” or “Stealth Scan” are an improvement over the previous method. In the previous method where we were sending back a TCP packet with the ACK flag set after receiving an SYN/ACK packet, now we would be sending an RST packet. This prevents the server from repeatedly trying to make the requests and massively reduces scan times.

This method is an improvement on the previous ones because:

  • They are faster
  • They might be able to bypass some primitive firewalls
  • Often, SYN Scans are not logged by applications running on the ports as most applications start logging a connection only after it has been fully established which is not the case with SYN Scans

However, it is not advisable to run SYN Scans on production environments as it might break certain unstable applications. It is also to be noted that SYN scans also require sudo privileges because it needs to craft raw packets.

Infact, when run with sudo privileges, nmap defaults to SYN Scans, otherwise it defaults to TCP scan.

3. UDP Scans (-sU)

UDP scans are much less reliable than the previous two as UDP connections are stateless by nature. This means that there’s no “feedback mechanism” like TCP. UDP works on the principle “Fire and Forget” which means that it sends packets directed to targets at certain ports and hopes that they would make it. This gives more emphasis on speed than quality. However, the lack of a feedback mechanism makes it difficult to identify open ports.

When an UDP packet is sent to a target port, there might be three scenarios :

  • Usually there is no response received in which case nmap marks the port as open|filtered. If no response is received yet, it sends another UDP packet to double check and if yet again no response is received, it marks the port as open|filtered and moves on
  • It might get a UDP response back which is very rare. In such a scenario, the port is marked open
  • If the port is closed and it receives an ICMP echo request back which signifies that the port is unreachable.

Special Scans in Nmap

Apart from these, some less popular scan types which are even “stealthier” than a TCP SYN scan. These are as follows :

1. TCP Null Scans (-sN)

In TCP Null Scans, the TCP packets sent don’t have any of the flags set. According to RFC, under such a circumstance, the target should respond back with an RST if the port i s closed

2. TCP FIN Scans (-sF)

This is very similar to the TCP Null Scan except for the fact that instead of sending a completely empty TCP packet, it sends a packet with the FIN flag set which is used to gracefully close a connection. Accordingly the target must respond back with an RST for closed ports as per RFC.

3. TCP Xmas Scans (-sX)

TCP Xmas Scans is also very similar to the last two scan techniques except for the fact that they use TCP packets with the PSH, URG and FIN flags set. Like the last two scan types, this too expects RST packets for closed ports under RFC.

Limitations

As these scans are of a similar nature, they also have similar outputs which is very similar to that of UDP Scans. In this case, we can only have the following three responses :

  • open|filtered : When no response is received then the port is categorized as this this because no response can mean only two things :
    • The port is open
    • The port is protected behind a firewall hence filtered
  • filtered : When the port is protected behind a firewall which sends an ICMP ping back
  • closed : When it receives and RST packet

It is also to be note that though RFC 793 mandates that network hosts respond to malformed packets with a RST TCP packet for closed ports, and don’t respond at all for open ports, some systems reject this convention. This behaviour is mostly observed in Microsoft Windows Servers and some CISCO devices where all malformed packets are dropped by default.

Scanning A Network For Hosts using Nmap

One of the most important things to do on connecting to a network is to obtain a list of all active hosts on the network before further probing. This can be done via an “Ping Sweep”, which as the name implies, involves sending ICMP packet to all the IPs in the network and await for responses. The hosts which reply back with an ICMP packet are considered active in this case.

You can specify your target IP ranges by using hypens or via CIDR as follows :

$ nmap -sn 192.168.0.1-254

Or,

$ nmap -sn 192.168.0.0/24

The -sn flag suppresses any port scans, and forces nmap to rely solely on ICMP echo packets (or ARP requests if run with superuser privileges) to identify active hosts in the network. It also sens a TCP SYN packet to the target’s port 443 and a TCP ACK request ( TCP SYN if run with superuser privileges) to the target’s port 80.

Nmap Scripting Engine

The Nmap Scripting Engine(NSE) is a powerful addition to Nmap which allows us to even further extend its functionality. Written in Lua, we can use it to write our scripts and automate a lot of our work like testing for vulnerabilities and exploitation.

There are many categories available. Some useful categories include:

  • safe:- Won’t affect the target
  • intrusive:- Not safe: likely to affect the target
  • vuln:- Scan for vulnerabilities
  • exploit:- Try to exploit a vulnerability
  • auth:- Attempt to bypass authentication for running services
  • brute:- Try to brute force credentials for running services
  • discovery:- Attempt to query running services for further information about the network (

To run a script, we need to specify it as --script=<script-name>

You can also specify multiple scripts to run at the same time by separating the script names like --script=<script-name1>,<script-name2>

Some scripts also require an argument which can be specified with --script-args <args>

Some scripts have an built-in help menus which can be referred with :

$ nmap --script-help <script-name>





Comments

Post a Comment

Popular posts from this blog

python interview questions 2022?

Image
  Top 100+ Python Interview Questions You Must Prepare In 2022 Basic Python Interview Questions for Freshers Q1. What is the difference between list and tuples in Python? LIST vs TUPLES LIST TUPLES Lists are mutable i.e they can be edited. Tuples are  immutable (tuples are lists which can’t be edited). Lists are slower than tuples. Tuples are faster than list. Syntax: list_1 = [10, ‘Chelsea’, 20] Syntax: tup_1 = (10, ‘Chelsea’ , 20) Q2. What are the key features of Python? Python is an  interpreted  language. That means that, unlike languages like  C  and its variants, Python does not need to be compiled before it is run. Other interpreted languages include  PHP  and  Ruby . Python is  dynamically typed , this means that you don’t need to state the types of variables when you declare them or anything like that. You can do things like  x=111  and then  x="I'm a string"  without error Python is well suited to  object oriented progamming  in that it allows the definition of
Read more

Java Basic Interview Questions?

Image
  1. Why is Java a platform independent language? Java language was developed in such a way that it does not depend on any hardware or software due to the fact that the compiler compiles the code and then converts it to platform-independent byte code which can be run on multiple systems. The only condition to run that byte code is for the machine to have a runtime environment (JRE) installed in it. 2. Why is Java not a pure object oriented language? Java supports primitive data types - byte, boolean, char, short, int, float, long, and double and hence it is not a pure object-oriented language. 3. Pointers are used in C/ C++. Why does Java not make use of pointers? Pointers are quite complicated and unsafe to use by beginner programmers. Java focuses on code simplicity, and the usage of pointers can make it challenging. Pointer utilization can also cause potential errors. Moreover, security is also compromised if pointers are used because the users can directly access memory with the he
Read more

How to Code – Coding for Beginners and How to Learn Programming for Free?

Image
  These days, there are a lot resources out there for learning how to code. And many of them are readily available online for free – so choosing one can be overwhelming. But there's definitely an upside: you don't need to attend a paid bootcamp or university anymore in order to learn how to code. You can teach yourself. In this article, I will share some tips and info about how to learn to code for free as a beginner. I'll also point you to free learning platforms and resources. What is Coding? "Coding" is a commonly used term for computer programming. Some people use it interchangeably with programming, while others would argue they are not entirely the same. By definition, "code" refers to a set of instructions that tells a computer what to do. Computers don't understand human language, so over time, humans have created languages that computers can understand. And developers speak to them through those languages. Examples of coding languages includ
Read more