
Practical 2: TCP Scanning Using nmap

Target Specification

1. Scan a single host or an IP address (IPv4)

## Scan a single IP address ##
nmap 192.168.1.1

## Scan a host name ##
nmap server1.cyberciti.biz

## Scan a host name with more info (verbose) ##
nmap -v server1.cyberciti.biz

2. Scan multiple IP addresses or a subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3
nmap 192.168.1.1,2,3

scan a range of IP addresses too:

nmap 192.168.1.1-20

scan a range of IP addresses using a wildcard:

nmap 192.168.1.*

scan a whole subnet using CIDR notation:

nmap <IP address/dir>

3. Read list of hosts/networks from a file (IPv4)

nmap -iL <input filename>

The -iL option allows you to read the list of target systems from a text file. This
is useful to scan a large number of hosts/networks. Create a text file (one host or
network per line) as follows:

cat > /tmp/test.txt

nmap -iL /tmp/test.txt

By :- Sushma Prajapati
4. Random hosts to scan

nmap -iR <number of hosts>

This option is used to specify random hosts to scan. Nmap generates its own targets to
scan. The <number of hosts> argument tells nmap the number of IPs to generate.

5. Excluding hosts/networks (IPv4)


When scanning a large number of hosts/networks you can exclude hosts from a scan:

nmap 192.168.1.0/24 --exclude 192.168.1.5

nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

6. Excluding hosts/networks listed in a file (IPv4)

nmap [targets] --excludefile <file name>

(the file must be created first, one host or network per line)
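Items 1 to 6 are all ways of telling nmap which addresses to touch: a single address, comma lists and ranges inside an octet, a wildcard, CIDR notation, a -iL file, and --exclude/--excludefile. Expanding such a specification into the concrete address list before a scan is launched is a cheap guard against scanning more than intended, and it is the same arithmetic a defender uses to check whether a logged scan covered a given range. The Python below is an added example written for this handout, not nmap's own code; the function names (expand_octet, expand_target, read_target_file, build_target_list) and the treatment of "#" as a comment marker in target files are this example's assumptions.

```python
import ipaddress
import re
from itertools import product
from typing import Iterable, List

# Added example: expand_octet, expand_target, read_target_file and
# build_target_list are hypothetical helper names, not nmap functions.

_OCTET_RE = re.compile(r"[0-9,*-]+")


def expand_octet(spec: str) -> List[int]:
    """Expand one octet of the octet-range syntax: '1', '1,2,3', '1-20', '*', '1-5,9'."""
    if spec == "*":
        return list(range(256))
    values: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            # an open-ended range such as '-20' or '200-' runs to the octet limits
            lo_v = int(lo) if lo else 0
            hi_v = int(hi) if hi else 255
            values.extend(range(lo_v, hi_v + 1))
        else:
            values.append(int(part))
    bad = [v for v in values if not 0 <= v <= 255]
    if bad:
        raise ValueError(f"octet value out of range in {spec!r}: {bad}")
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into individual IPv4 addresses.

    Handles a plain address, CIDR (192.168.1.0/24 expands to all 256 addresses,
    network and broadcast included, as nmap does) and per-octet lists, ranges
    and wildcards (192.168.1.1-20, 192.168.1.*, 192.168.1.1,2,3). A hostname is
    returned unchanged; no DNS lookup is performed here.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    octets = spec.split(".")
    if len(octets) != 4 or not all(_OCTET_RE.fullmatch(o) for o in octets):
        return [spec]
    return [".".join(map(str, combo))
            for combo in product(*(expand_octet(o) for o in octets))]


def read_target_file(text: str) -> List[str]:
    """Split -iL / --excludefile style content into target specs.

    Entries are separated by spaces, tabs or newlines; anything after '#' on a
    line is dropped as a comment (this example's convention).
    """
    specs: List[str] = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def build_target_list(targets: Iterable[str], exclude: Iterable[str] = (),
                      exclude_file_text: str = "") -> List[str]:
    """Return what would actually be scanned: every expanded target minus
    anything matched by --exclude or --excludefile, de-duplicated in first-seen order."""
    excluded = set()
    for spec in list(exclude) + read_target_file(exclude_file_text):
        excluded.update(expand_target(spec))
    result: List[str] = []
    seen = set()
    for spec in targets:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


if __name__ == "__main__":
    # Constructed inputs mirroring the commands in items 1 to 6.
    print(expand_target("192.168.1.1-3"))
    print(len(expand_target("192.168.1.0/24")), "addresses in 192.168.1.0/24")
    hosts_file = "192.168.1.1-5  server1.cyberciti.biz   # constructed -iL file\n192.168.1.9\n"
    print(build_target_list(read_target_file(hosts_file), exclude=["192.168.1.2,4"]))
```

Hostnames pass through unresolved because nmap resolves them itself at scan time; resolving them here would need network access and would make the expansion depend on the resolver's answer rather than on the specification.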

Host Discovery

7. -sL (list scan)

The list scan is a degenerate form of host discovery that simply lists each host
of the network(s) specified, without sending any packets to the target
hosts. Since the idea is to simply print a list of target hosts, options for higher
level functionality such as port scanning, OS detection, or ping scanning
cannot be combined with this.

nmap -sL [targets]

8. -sn (No port scan)

This option tells Nmap not to do a port scan after host discovery, and only print
out the available hosts that responded to the scan.

nmap -sn [targets]

9. -Pn (No ping scan)

This option skips the Nmap discovery stage altogether. Normally, Nmap uses
this stage to determine active machines for heavier scanning. By default, Nmap
only performs heavy probing such as port scans, version detection, or OS
detection against hosts that are found to be up. Disabling host discovery with
-Pn causes Nmap to attempt the requested scanning functions against every
target IP address specified. So if a class B target address space (/16) is
specified on the command line, all 65,536 IP addresses are scanned. Proper
host discovery is skipped as with the list scan, but instead of stopping and
printing the target list, Nmap continues to perform requested functions as if
each target IP is active.

nmap -Pn [targets]

10. -PS (TCP SYN ping)

nmap -PS [targets]

The TCP SYN ping accomplishes its goal in just a few packets. This minimal
amount of network traffic appears to be normal TCP handshake frames. This
makes the TCP SYN ping appear almost invisible when compared to normal
network traffic.

11. -PA (TCP ACK ping)

The TCP ACK ping uses little network traffic. In most cases, the common ACK query to
a device is relatively undetectable. The TCP ACK ping also allows different port
numbers to be probed, providing nmap with additional options when negotiating a
scan through a firewall. The TCP ACK ping identifies a filtered connection or a
non-filtered connection. This is a perfect use of a ping probe, since the goal of the
ping is to get any type of response from a remote device. An nmap ping doesn't focus
on identifying ports. Instead, its goal is to locate other active devices.

nmap -PA [targets]

12. -PU (UDP ping)

The port list takes the same format as with the previously discussed -PS and
-PA options. If no ports are specified, the default is 40125. The primary
advantage of this scan type is that it bypasses firewalls and filters that only
screen TCP.

nmap -PU [target]

13. -PO (IP protocol ping)

nmap -PO [target]

One of the newer host discovery options is the IP protocol ping, which sends IP
packets with the specified protocol number set in their IP header. The protocol
list takes the same format as do port lists in the previously discussed TCP and
UDP host discovery options.

14. --traceroute

Traceroutes are performed post-scan using information from the scan results to
determine the port and protocol most likely to reach the target. It works with all
scan types except connect scans (-sT) and idle scans (-sI). All traces use
Nmap's dynamic timing model and are performed in parallel.

nmap --traceroute [target]

Scan Techniques

15. -sS (TCP SYN scan)

SYN-scanning, or half-open scanning, is where the full TCP connection is
never made. SYN-scanning sends the first packet only, the one marked with the
SYN flag. It waits for either a RST,ACK or SYN,ACK response. If a
RST,ACK response comes in, nothing is running on the port. If a SYN,ACK
response is received, a service is known to be running on the port, and the
scanner issues a RST instead of completing the handshake. The benefit of TCP SYN
scanning is the fact that most logging applications do not look to log TCP RST by
default. They generally create a log entry in the application/device/server when the
final ACK comes from the client device. Because this ACK never comes, only a RST,
the scan can go unnoticed.

nmap -sS [target]

16. -sT (TCP connect scan)

An attacker uses full TCP connection attempts to determine if a port is open.
The scanning process involves completing a 'three-way handshake' with a
remote port, and reports the port as closed if the full handshake cannot be
established. An advantage of TCP connect scanning is that it works against any
TCP/IP stack. RFC 793 defines how TCP connections are established and torn
down. TCP connect scanning commonly involves establishing a full
connection, and then subsequently tearing it down, and therefore involves
sending a significant number of packets to each port that is scanned.
Compared to other types of scans, a TCP connect scan is slow and methodical.

nmap -sT [target]

17. -sU (UDP scan)

A UDP port scan is available for common UDP services. The UDP port scan is part
of the IP Tools range of network testing tools. The test uses the excellent Nmap
Port Scanner to scan 5 of the most common UDP ports. Ports tested in the quick
UDP scan are 53, 123, 161, 5353 and 1900.

nmap -sU [target]

18. -sY (SCTP INIT scan)

SCTP is a relatively new alternative to the TCP and UDP protocols, combining
most characteristics of TCP and UDP, and also adding new features like
multi-homing and multi-streaming. It is mostly being used for SS7/SIGTRAN related
services but has the potential to be used for other applications as well. SCTP
INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed
quickly, scanning thousands of ports per second on a fast network not
hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively
unobtrusive and stealthy, since it never completes SCTP associations. It also
allows clear, reliable differentiation between the open, closed, and
filtered states. This technique is often referred to as half-open scanning.

nmap -sY [target]

19. -sF (FIN scan)

nmap -sF [target]

Similar to the SYN|ACK scan, except that a FIN flag is sent to the target. Closed
ports are required to reply to the probe packet with RST, while open ports must
ignore the packet in question.

20. -sN (Null scan)

nmap -sN [target]

In a NULL scan, the packet is sent without any flag set. This takes advantage of
RFC 793, as the RFC does not specify how the system should respond. Most
UNIX and UNIX-related systems respond with a RST (if the port is open) to
close the connection.

21. -sX (Xmas scan)

nmap -sX [target]

In an Xmas scan, all flags are set. All the available flags in the TCP header are set
(ACK, FIN, RST, SYN, URG, PSH) to give the scan an ornamental look. This scan will
work on UNIX and related systems and cause the kernel to drop the packet if the
receiving port is open.

22. -sA (TCP ACK scan)

nmap -sA [target]

This type of scanning is used to map out firewall rulesets. It can determine whether
the firewall is stateful or just a packet filter that blocks incoming SYN packets.
In this type of scan an ACK packet is sent to the port; if it replies with an
RST it means it is unfiltered and it is open, and if no reply is returned it is
classified as filtered.

23. -sW (TCP Window scan)

nmap -sW [target]

Window scan is exactly the same as ACK scan except that it exploits an
implementation detail of certain systems to differentiate open ports from closed
ones, rather than always printing unfiltered when a RST is returned. It does this
by examining the TCP Window field of the RST packets returned. On some
systems, open ports use a positive window size (even for RST packets) while
closed ones have a zero window. So instead of always listing a port as
unfiltered when it receives a RST back, Window scan lists the port as open or
closed if the TCP Window value in that reset is positive or zero, respectively.
This scan relies on an implementation detail of a minority of systems out on the
Internet, so you can't always trust it. Systems that don't support it will usually
return all ports closed. Of course, it is possible that the machine really has no
open ports. If most scanned ports are closed but a few common port numbers
(such as 22, 25, 53) are filtered, the system is most likely susceptible.
Occasionally, systems will even show the exact opposite behavior. If your scan
shows 1,000 open ports and three closed or filtered ports, then those three may
very well be the truly open ones.
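Items 15 to 23 each describe the same thing from a different probe: which reply (or silence) maps to which port state. The FIN scan text above states the RFC 793 rule the FIN, NULL and Xmas scans rely on (closed ports answer with RST, open ports ignore the packet), the ACK scan only separates filtered from unfiltered, and the window scan reads the TCP window field of the RST. The Python below is an added example written for this handout, not nmap's code: it encodes those decision rules in one classifier and runs it over constructed replies. The names Response, classify_port, scan_table and window_scan_trustworthy are invented for the example, and the reply kinds are a simplified model (a real scanner reads raw TCP flags, the RST window field and ICMP type/code). It also carries the window-scan caveat above: an all-"closed" result from -sW is more likely a target that lacks the window quirk than a host with nothing open. On the defending side the table reads in reverse: a burst of SYNs that never complete a handshake, or of FIN/NULL/Xmas segments with no session, is what a network sensor has to count, because the application logs described under -sS never see them.

```python
from typing import Dict, Optional

# Added example: Response, classify_port, scan_table and
# window_scan_trustworthy are hypothetical names, not part of nmap.

# Any ICMP unreachable in reply to a TCP probe means a filter in the path answered.
TCP_ICMP_ERRORS = {"ICMP-PORT-UNREACH", "ICMP-UNREACH"}


class Response:
    """One reply (or the lack of one) to a single probe, as the scanner sees it.

    kind is one of "SYN/ACK", "RST", "INIT-ACK", "ABORT", "UDP",
    "ICMP-PORT-UNREACH" (type 3 code 3), "ICMP-UNREACH" (other unreachable
    codes, e.g. admin prohibited), or None when nothing came back.
    window is the TCP window field of a RST; only the window scan uses it.
    """

    def __init__(self, kind: Optional[str], window: int = 0):
        self.kind = kind
        self.window = window


def classify_port(scan: str, resp: Response) -> str:
    """Map a reply to the port state nmap would report for the given scan type."""
    if scan == "sU":                                   # item 17: UDP scan
        if resp.kind == "UDP":
            return "open"
        if resp.kind == "ICMP-PORT-UNREACH":
            return "closed"
        return "filtered" if resp.kind == "ICMP-UNREACH" else "open|filtered"
    if resp.kind in TCP_ICMP_ERRORS:
        return "filtered"
    if scan == "sS":                                   # item 15: SYN, half-open
        return {"SYN/ACK": "open", "RST": "closed"}.get(resp.kind, "filtered")
    if scan == "sY":                                   # item 18: SCTP INIT, same shape as SYN
        return {"INIT-ACK": "open", "ABORT": "closed"}.get(resp.kind, "filtered")
    if scan in ("sF", "sN", "sX"):                     # items 19-21: closed answers RST, open is silent
        return "closed" if resp.kind == "RST" else "open|filtered"
    if scan == "sA":                                   # item 22: only filtered vs unfiltered
        return "unfiltered" if resp.kind == "RST" else "filtered"
    if scan == "sW":                                   # item 23: read the window of the RST
        if resp.kind != "RST":
            return "filtered"
        return "open" if resp.window > 0 else "closed"
    raise ValueError(f"unsupported scan type {scan!r}")


def scan_table(scan: str, replies: Dict[int, Response]) -> Dict[int, str]:
    """Classify every port in a {port: Response} map, ordered by port number."""
    return {port: classify_port(scan, replies[port]) for port in sorted(replies)}


def window_scan_trustworthy(states: Dict[int, str]) -> bool:
    """Caveat from the window-scan text: an all-'closed' -sW result usually means
    the target lacks the window quirk, so the result should not be believed."""
    return any(state != "closed" for state in states.values())


# Constructed replies to SYN probes against one host (not real traffic).
SAMPLE_REPLIES = {
    22: Response("SYN/ACK"),
    25: Response("RST"),
    80: Response("SYN/ACK"),
    443: Response(None),
    8080: Response("ICMP-UNREACH"),
}

# Constructed RSTs from a window scan of a host that does not show the quirk.
QUIRKLESS_WINDOW_REPLIES = {22: Response("RST", 0), 80: Response("RST", 0)}


if __name__ == "__main__":
    for port, state in scan_table("sS", SAMPLE_REPLIES).items():
        print(f"{port}/tcp\t{state}")
    states = scan_table("sW", QUIRKLESS_WINDOW_REPLIES)
    print("window scan trustworthy:", window_scan_trustworthy(states))
```

The UDP branch is checked before the ICMP shortcut because for UDP an ICMP port unreachable is the definitive "closed" answer, whereas for every TCP probe type any ICMP unreachable is evidence of a filter rather than of the host's port state.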

24. -sI <zombie host>[:<probeport>] (idle scan)

Example:

nmap --packet-trace -sI 172.16.1.17 172.16.1.18

This advanced scan method allows for a truly blind TCP port scan of the target
(meaning no packets are sent to the target from your real IP address). Instead, a
unique side-channel attack exploits predictable IP fragmentation ID sequence
generation on the zombie host to glean information about the open ports on the target.
IDS systems will display the scan as coming from the zombie machine you specify
(which must be up and meet certain criteria). Full details of this fascinating scan type
are in the section called “TCP Idle Scan (-sI)”.
Besides being extraordinarily stealthy (due to its blind nature), this scan type permits
mapping out IP-based trust relationships between machines. The port listing shows
open ports from the perspective of the zombie host. So you can try scanning a target
using various zombies that you think might be trusted (via router/packet filter rules).
You can add a colon followed by a port number to the zombie host if you wish to
probe a particular port on the zombie for IP ID changes. Otherwise Nmap will use the
port it uses by default for TCP pings (80).

25. -sO (IP protocol scan)

IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.)
are supported by target machines. This isn't technically a port scan, since it cycles
through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses
the -p option to select scanned protocol numbers, reports its results within the normal
port table format, and even uses the same underlying scan engine as the true port
scanning methods.

nmap -sO [target]

Version Detection

26. -sV (Version detection)

Enables version detection.

nmap -sV [target]

27. --allports (Don't exclude any ports from version detection)

nmap --allports [target]

By default, Nmap version detection skips TCP port 9100 because some printers
simply print anything sent to that port, leading to dozens of pages of HTTP
GET requests, binary SSL session requests, etc. This behavior can be changed
by modifying or removing the Exclude directive in nmap-service-probes, or
you can specify --allports to scan all ports regardless of any Exclude directive.

28. -O (to know remote operating system)

nmap -O [target]

Timing and Performance

29. -T<0-5>: Set timing template (higher is faster)

There are various timing options included in the nmap to send successive
packets. It can be used to evade some of the rules in the firewalls or IDS.

T0: Paranoid (waits 5 minutes between sending each probe; not detected by
IDS/IPS)
T1: Sneaky (waits 15 seconds)
T2: Polite
T3: Normal
T4: Aggressive
T5: Insane (easily detectable)

nmap -T<0-5> [target]

Example: nmap -v -sS -A -T4 scet.ac.in

Firewall/IDS Evasion and Spoofing

30. -f (Packet fragmentation)

The -f option causes the requested scan (including ping scans) to use tiny
fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems,
and other annoyances to detect what you are doing.

nmap -f [target]

## Set your own offset size with the --mtu option ##

31. -S <IP_Address>: Spoof source address

An attacker can spoof the source IP address (from the victim's subnet) so that it
appears to the IDS/firewall to be a legitimate user and is passed through.

Example:

## Use a random MAC address (the number 0 means nmap chooses a completely random
MAC address) ##

nmap -v -sT -PN --spoof-mac 0 192.168.1.1

Output

32. -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and
Grepable format, respectively, to the given filename.

Example:

nmap -oN /path/to/filename 172.16.1.49

nmap -oN output.txt 172.16.1.49

33. --open: Only show open (or possibly open) ports

nmap --open [target]
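Grepable output (-oG, item 32) is the format a script consumes, and --open (item 33) is just a filter over the states it records. The Python below is an added example written for this handout, not part of nmap: it parses a constructed -oG sample into per-host port entries, applies the --open filter, and compares two scans to report newly exposed services, which is the everyday defensive use of these formats (scan your own range on a schedule, diff against the last run). The entry layout port/state/protocol/owner/service/rpc info/version is the documented grepable layout; the sample text (with the address 172.16.1.49 taken from the example command above, and made-up services and versions) and the names PortEntry, parse_grepable, open_ports and newly_open are this example's own.

```python
from typing import Dict, List, NamedTuple

# Added example: PortEntry, parse_grepable, open_ports and newly_open are
# hypothetical names, not nmap functions.


class PortEntry(NamedTuple):
    port: int
    state: str
    proto: str
    service: str
    version: str


# Constructed sample of -oG output (not a real scan). Fields on a "Host:" line
# are tab-separated; each entry under "Ports:" is
# port/state/protocol/owner/service/rpc info/version/.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample) as: nmap -oG output.txt 172.16.1.49\n"
    "Host: 172.16.1.49 ()\tStatus: Up\n"
    "Host: 172.16.1.49 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "25/closed/tcp//smtp///, 80/open/tcp//http//nginx 1.18/, "
    "443/filtered/tcp//https///\tIgnored State: closed (996)\n"
    "# Nmap done (constructed sample): 1 IP address (1 host up) scanned\n"
)

# A second constructed sample standing in for a later scan of the same host.
LATER_GREPABLE = (
    "Host: 172.16.1.49 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx 1.18/, 3306/open/tcp//mysql//MySQL 8.0/\t"
    "Ignored State: closed (997)\n"
)


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Parse -oG text into {ip: [PortEntry, ...]}; comment and Status-only lines add no ports."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entries = hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for raw in field[len("Ports:"):].split(", "):
                parts = raw.strip().split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip rather than guess
                entries.append(PortEntry(int(parts[0]), parts[1], parts[2], parts[4], parts[6]))
    return hosts


def open_ports(hosts: Dict[str, List[PortEntry]]) -> Dict[str, List[PortEntry]]:
    """Apply the --open filter: keep ports that are open or might be open."""
    wanted = {"open", "open|filtered", "unfiltered"}
    return {ip: [e for e in entries if e.state in wanted] for ip, entries in hosts.items()}


def newly_open(baseline: Dict[str, List[PortEntry]],
               current: Dict[str, List[PortEntry]]) -> Dict[str, List[PortEntry]]:
    """Return {ip: entries} for ports that are open now but were not open in the baseline."""
    def open_keys(entries: List[PortEntry]):
        return {(e.port, e.proto) for e in entries if e.state == "open"}

    report: Dict[str, List[PortEntry]] = {}
    for ip, entries in current.items():
        before = open_keys(baseline.get(ip, []))
        new = [e for e in entries if e.state == "open" and (e.port, e.proto) not in before]
        if new:
            report[ip] = new
    return report


if __name__ == "__main__":
    first = parse_grepable(SAMPLE_GREPABLE)
    for ip, entries in open_ports(first).items():
        for e in entries:
            print(f"{ip} {e.port}/{e.proto} {e.state} {e.service} {e.version}")
    for ip, entries in newly_open(first, parse_grepable(LATER_GREPABLE)).items():
        print(f"newly exposed on {ip}: {[e.port for e in entries]}")
```

Entries are split on ", " because that is the separator between ports in a grepable line; the version column can contain spaces, which is why the whole field is split on tabs first and only the Ports field on commas.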

34. --iflist: Print host interfaces and routes (for debugging)

nmap --iflist

35. --reason: Display the reason a port is in a particular state

nmap --reason [target]

36. --packet-trace: Show all packets sent and received

nmap --packet-trace [target]

MISC

37. -6: Enable IPv6 scanning

nmap -6 [target]

Example: nmap -6 www.ipv6.net.cn

38. -V: Print version number

nmap -V

39. -h: Print this help summary page.

nmap -h

40. -A: Enable OS detection, version detection, script scanning, and traceroute

nmap -A [target]
