Breaking Down Nmap – Part 2

Welcome back! I hope you enjoyed the first part.

This post continues the series; here we'll cover port scanning basics and the scan techniques Nmap offers.

SPOILER ALERT: IT'S GONNA BE A LENGTHY ONE.

Port Scanning 101

Nmap has grown in functionality over the years; however, at its core it is still a port scanner. Rather than restricting a port to "open" or "closed", Nmap reports a more granular state, because the scanner's view of a port depends on what (if anything) answers the probe.

Here we'll cover each state Nmap returns and the scenarios that produce it.

Open: An application is actively accepting TCP connections, UDP datagrams or SCTP associations on the port. This is usually what a scan is looking for.

Closed: The port is reachable (it receives and responds to Nmap's probe packets), but no application is listening on it. Closed ports are still useful: the response proves the host is up, which helps during host discovery.

Filtered: Nmap cannot determine whether the port is open, because packet filtering (a host firewall, router ACLs, etc.) is preventing its probes from reaching the port. Sometimes the filter answers with an ICMP error, but filters that silently drop probes are far more common.

Note:
A filtered result forces Nmap to retry the probe several times, just in case it was dropped by network congestion rather than by a filter. This slows the scan down dramatically.

Unfiltered:
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

Open | Filtered: This state is returned when Nmap is unable to determine whether the port is open or filtered. It happens with scan types where open ports give no response; the lack of response could also mean that the probe and/or the response was dropped by a packet filter.
The UDP, IP protocol, FIN, NULL and Xmas scans classify ports this way.

Closed | Filtered: This state is returned when Nmap is unable to determine whether the port is closed or filtered. It is only used by the IP ID idle scan (-sI).

Scan Techniques

Without further ado; let’s begin.

-sS (TCP SYN)
The most popular scan technique. It can scan thousands of ports per second on a fast network not hampered by restrictive firewalls, and it gives clear, reliable results: open, closed or filtered.
This technique is also referred to as a half-open scan because it never completes the connection: Nmap sends a SYN, reads the SYN/ACK (open) or RST (closed) that comes back, and tears down any half-open connection with a RST instead of finishing the three-way handshake.

-sT (TCP Connect)
The default scan technique when a SYN scan is not an option (for example, the user lacks the privileges to send raw packets). Instead of crafting packets itself, Nmap asks the operating system to open a connection to each port through the connect() system call, the same way a browser or any other client would.

Note: Nmap has less control over the high-level connect() call than it has over raw packets, so this scan is less efficient.
It is also noisier: the connection is fully established, so services behind open ports typically log the connection and its immediate close, and IDS sensors will see it too.

Tip: perform a SYN scan whenever you have the privileges for it.

-sU (UDP Scan)
This option scans for open UDP ports. Because UDP scanning is slow, it is often skipped; however, crucial services such as DNS [53], SNMP [161] and DHCP [67/68] run over UDP, so leaving it out leaves real attack surface unexamined.
UDP scanning sends a UDP packet to each target port. These packets are usually empty, but for common services like those above Nmap sends protocol-specific payloads to increase the chance of getting a response.

Common Responses:

Response to the UDP probe                         State reported by Nmap
ICMP type 3, code 3 (port unreachable)           closed
ICMP type 3, code 0, 1, 2, 9, 10 or 13           filtered
No response (even after retransmissions)         open|filtered
Any UDP packet back from the target port         open


A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct re-transmissions just in case the probe or response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this.

For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in net/ipv4/icmp.c).

-sY (SCTP INIT)
The SCTP equivalent of a TCP SYN scan, useful when scanning SS7/SIGTRAN services. It never completes the SCTP association, so it is fairly stealthy as well as quick: an INIT-ACK chunk in reply means open, an ABORT chunk means closed, and silence or an ICMP unreachable error means filtered.
Any half-open association is torn down with an ABORT chunk.

-sN; -sF; -sX (TCP NULL, FIN and Xmas)
These three scan methods exploit a subtle loophole in the TCP RFC to tell open ports from closed ones. NULL sends no flags at all, FIN sets only the FIN bit, and Xmas sets FIN, PSH and URG. The result is reported as closed (a RST came back), open|filtered (no response), or filtered (an ICMP unreachable error came back).

Any system compliant with RFC 793 that receives a segment without SYN, RST or ACK set will return a RST if the port is closed and nothing at all if it is open. Caveat: not every stack follows the RFC here; Microsoft Windows, many Cisco devices and some other systems send a RST regardless of the port's state, so against them every port shows up as closed.

-sA (TCP ACK)
This scan type never determines whether a port is open (or even open|filtered). Instead, it is used to map out firewall rulesets, determining whether they are stateful or not, and finding out which ports are filtered. Only the ACK bit is set in the probe: a RST in reply means the port is unfiltered (reachable, but open or closed is unknown), while no response or an ICMP unreachable error means filtered.

-sW (Window Scan)
This works exactly like an ACK scan, except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones.
It does this by examining the TCP Window field of the RST packet returned. On some systems, open ports use a positive window size for RST packets while closed ports have a zero window. This resolves the ambiguity that leaves a port as unfiltered after an ACK scan: the window scan lists the port as open or closed depending on whether the TCP Window value in the RST is positive or zero, respectively. Caveat: most systems do not behave this way, so the window scan usually returns every port as closed and is only trustworthy when it shows a mix of states.

-sM (TCP Maimon)
This scan type sends probes with FIN and ACK set together. Named after Uriel Maimon, who described it, it is mainly useful against BSD-derived systems.
Per RFC 793 a FIN/ACK probe should be answered with a RST whether the port is open or closed, but Maimon noted that many BSD-derived systems simply drop the packet if the port is open instead of sending back a RST, which makes open ports distinguishable.

-sZ (SCTP COOKIE-ECHO)
A more advanced SCTP scan. It relies on the fact that SCTP implementations silently drop unexpected COOKIE-ECHO chunks on open ports but send an ABORT chunk if the port is closed. The advantage is that a COOKIE-ECHO probe is not as obvious a port scan as an INIT (or a TCP SYN); in addition, some stateless firewall rulesets that block INIT chunks may not block COOKIE-ECHO chunks.
This technique has a downside: it cannot differentiate between open and filtered ports, leaving you with open|filtered results to deal with.
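Pulling the rules above together into code, as an added example that is not part of the original post or of Nmap's own source: the `Reply` dataclass is a constructed stand-in for "what came back for one probe", and `classify` maps a scan type plus that reply to the state Nmap prints. It also covers the UDP table from earlier in this post. The replies in `demo()` are constructed, not captured traffic, and the function and field names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Added example (not Nmap code): a constructed model of the reply to one probe.
@dataclass
class Reply:
    kind: Optional[str] = None   # "tcp", "udp", "sctp", "icmp"; None = silence
    flags: str = ""              # TCP flags as letters: S, A, R, F, P, U
    window: int = 0              # TCP window field (used by the Window scan)
    chunk: str = ""              # SCTP chunk type: "INIT-ACK" or "ABORT"
    icmp_type: int = 0
    icmp_code: int = 0

# Nothing came back, even after Nmap's retransmissions.
NO_REPLY = Reply()

# ICMP destination-unreachable (type 3) codes Nmap treats as "filtered".
# Code 3 (port unreachable) is the special case: for UDP it means "closed";
# for the TCP scans it still means something other than the host answered.
FILTERED_UNREACH_CODES = {0, 1, 2, 9, 10, 13}

def _unreach(reply: Reply, codes) -> bool:
    return reply.kind == "icmp" and reply.icmp_type == 3 and reply.icmp_code in codes

def _tcp(reply: Reply, flag: str) -> bool:
    return reply.kind == "tcp" and flag in reply.flags

def classify(scan: str, reply: Reply) -> str:
    """Return the state Nmap would print for one probe of the given scan type.

    scan is the option letter pair: sS, sT, sN, sF, sX, sM, sA, sW, sU, sY, sZ.
    """
    if scan in ("sS", "sT"):
        if _tcp(reply, "S") and _tcp(reply, "A"):
            return "open"                      # SYN/ACK: something is listening
        if _tcp(reply, "R"):
            return "closed"                    # RST: reachable, nobody listening
        return "filtered"                      # silence or ICMP unreachable
    if scan in ("sN", "sF", "sX", "sM"):
        if _tcp(reply, "R"):
            return "closed"
        if _unreach(reply, FILTERED_UNREACH_CODES | {3}):
            return "filtered"
        return "open|filtered"                 # RFC 793: open ports stay silent
    if scan == "sA":
        return "unfiltered" if _tcp(reply, "R") else "filtered"
    if scan == "sW":
        if _tcp(reply, "R"):
            return "open" if reply.window > 0 else "closed"
        return "filtered"
    if scan == "sU":
        if reply.kind == "udp":
            return "open"
        if _unreach(reply, {3}):
            return "closed"
        if _unreach(reply, FILTERED_UNREACH_CODES):
            return "filtered"
        return "open|filtered"
    if scan == "sY":
        if reply.kind == "sctp" and reply.chunk == "INIT-ACK":
            return "open"
        if reply.kind == "sctp" and reply.chunk == "ABORT":
            return "closed"
        return "filtered"
    if scan == "sZ":
        if reply.kind == "sctp" and reply.chunk == "ABORT":
            return "closed"
        if _unreach(reply, FILTERED_UNREACH_CODES | {3}):
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")

def demo() -> Dict[str, str]:
    """Constructed replies (not captured traffic) run through the classifier."""
    return {
        "SYN scan, SYN/ACK":         classify("sS", Reply("tcp", "SA")),
        "FIN scan, silence":         classify("sF", NO_REPLY),
        "ACK scan, RST":             classify("sA", Reply("tcp", "R")),
        "Window scan, RST window=0": classify("sW", Reply("tcp", "R", window=0)),
        "UDP scan, ICMP 3/3":        classify("sU", Reply("icmp", icmp_type=3, icmp_code=3)),
        "UDP scan, ICMP 3/13":       classify("sU", Reply("icmp", icmp_type=3, icmp_code=13)),
        "COOKIE-ECHO scan, silence": classify("sZ", NO_REPLY),
    }

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:28} -> {state}")
```

The point worth noticing is how often silence is the answer: for the SYN and ACK scans it means filtered, for FIN/NULL/Xmas/Maimon, UDP and COOKIE-ECHO it means open|filtered, and only the SYN, connect, SCTP INIT and (on cooperative stacks) Window scans ever produce a plain "open".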

-sI (Zombie / Idle scan)
A truly blind TCP scan: no packet is sent to the target from your real IP address. Instead, a side-channel attack exploits predictable IP ID (the IP header's fragment identification field) sequence generation on a third host, the zombie, to glean information about the open ports on the target. Nmap probes the zombie's IP ID, sends the target a SYN forged to come from the zombie, then probes the zombie again: an open port makes the target send the zombie a SYN/ACK, which the zombie answers with a RST and so consumes one extra IP ID. How this works in detail is well explained on Nmap's idle scan page.
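The IP ID side channel, simulated end to end as an added example (not part of the original post and not Nmap's code). `Host` is a constructed stand-in for a stack with one global, incrementing IP ID counter; `idle_scan_port` performs the three steps described above and reads the port state off the IP ID delta. The `noise` parameter shows the failure mode: a zombie that is not actually idle corrupts the measurement. All names and the port layout of the constructed hosts are this example's own.

```python
from typing import Dict, Iterable, Optional

class Host:
    """Constructed stand-in for a TCP/IP stack that assigns IP IDs from one
    global counter, incremented for every packet it sends. That predictable
    increment is exactly what makes a host usable as an idle-scan zombie."""

    def __init__(self, start_ipid: int, open_ports: Iterable[int] = (),
                 filtered_ports: Iterable[int] = ()):
        self.ipid = start_ipid
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def send(self) -> int:
        """Emit one packet; return the IP ID stamped on it."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def on_syn(self, port: int) -> Optional[str]:
        """Reply the host sends to a SYN on `port` (None if a filter drops it)."""
        if port in self.filtered_ports:
            return None
        self.send()                      # a SYN/ACK or a RST costs one IP ID
        return "SYN/ACK" if port in self.open_ports else "RST"

    def on_unsolicited(self, segment: str) -> None:
        """RFC 793 behaviour for a segment that matches no connection."""
        if segment == "SYN/ACK":
            self.send()                  # unexpected SYN/ACK -> a RST goes out
        # an unexpected RST is silently dropped: no packet, no IP ID consumed

def probe_ipid(zombie: Host) -> int:
    """Step 1/3: send the zombie a SYN/ACK from our real address and read the
    IP ID off the RST it answers with."""
    return zombie.send()

def idle_scan_port(zombie: Host, target: Host, port: int, noise: int = 0) -> str:
    """One idle-scan probe of target:port via the zombie.

    noise = number of unrelated packets the zombie happens to send in the
    middle of the probe (a non-idle zombie); it corrupts the measurement.
    """
    before = probe_ipid(zombie)
    # Step 2: a SYN to the target whose source address is forged to be the
    # zombie's. Whatever the target answers goes to the zombie, not to us.
    reply = target.on_syn(port)
    if reply is not None:
        zombie.on_unsolicited(reply)
    for _ in range(noise):
        zombie.send()
    after = probe_ipid(zombie)
    delta = (after - before) & 0xFFFF    # survives the 16-bit wrap-around
    if delta == 2:
        return "open"                    # zombie sent one RST in between
    if delta == 1:
        return "closed|filtered"         # zombie sent nothing in between
    return "inconclusive"                # zombie was not idle; Nmap retries

def idle_scan(zombie: Host, target: Host, ports: Iterable[int]) -> Dict[int, str]:
    return {port: idle_scan_port(zombie, target, port) for port in ports}

if __name__ == "__main__":
    # Constructed hosts: the zombie's counter starts at 1000; the target
    # listens on 22 and 80 and has 443 dropped by a firewall.
    zombie = Host(1000)
    target = Host(5000, open_ports={22, 80}, filtered_ports={443})
    for port, state in idle_scan(zombie, target, [22, 25, 80, 443]).items():
        print(f"{port:5} {state}")
```

Two things the simulation makes concrete: the target only ever sees the zombie's address, which is why the scan is blind, and closed and filtered ports are indistinguishable (both leave the zombie silent), which is where the closed|filtered state from the first section comes from.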

--scanflags (Customizing TCP Scans)
A truly advanced option: it lets you design your own scan by specifying arbitrary TCP flags.
Just mash together any combination of URG, ACK, PSH, RST, SYN and FIN. For example, --scanflags URGACKPSHRSTSYNFIN sets everything, though it's not very useful for scanning. The order in which the flags are specified is irrelevant, and a numeric flag value (such as 9 for PSH and FIN) is also accepted.
You can also pair --scanflags with one of the scan types explained above (-sA, -sF, and so on), which tells Nmap how to interpret the responses: with an ACK-based type a RST means unfiltered, with a FIN-based type silence means open|filtered. SYN scan (-sS) is the base type by default.

Some Notes:

  1. A privileged account (root, or the capability to send raw packets) is needed for every scan type except connect scan (-sT) and FTP bounce scan (-b), which go through the operating system's connect call.
  2. Only one scan method may be used at a time, with these exceptions:
    1. UDP scan (-sU) can be combined with any one TCP scan type.
    2. Any one SCTP scan type (-sY or -sZ) can be combined with a TCP scan type.
    3. UDP scan and one SCTP scan type can both be paired with one TCP scan type, e.g. -sS -sU -sY.
  3. By default, Nmap performs a TCP SYN scan when run with privileges and falls back to a connect scan otherwise.
  4. Unprivileged users can only perform connect scan and FTP bounce scan. (FTP bounce rarely works in practice because most FTP servers have disabled the third-party PORT behaviour it relies on.)
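A small parser for the --scanflags syntax described above, plus a checker for the scan-type combination rules from the notes, as an added example that is not part of the original post or of Nmap's own option parsing. It handles the six flag names the post lists and the numeric form; flag names are matched in any order, which is the behaviour the post describes. The function names and the set of option pairs treated as "TCP scan types" are this example's own assumptions.

```python
from typing import Iterable, List

# TCP flag bits as they sit in the header (RFC 793): FIN is the low bit.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_scanflags(spec: str) -> int:
    """Turn a --scanflags argument into the TCP flags byte to put on the wire.

    Accepts the mashed-together names in any order ("URGACKPSHRSTSYNFIN",
    "FINPSH", "synfin") or a numeric value ("9" is the same as "FINPSH").
    """
    spec = spec.strip()
    if spec.isdigit():
        value = int(spec)
        if value > 0x3F:
            raise ValueError(f"{value} does not fit in the six flag bits")
        return value
    value, rest = 0, spec.upper()
    while rest:
        for name, bit in TCP_FLAG_BITS.items():
            if rest.startswith(name):
                value |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unrecognised flag text: {rest!r}")
    return value

def flag_names(value: int) -> List[str]:
    """Inverse of parse_scanflags, in header-bit order (handy when checking a
    capture of what the scanner actually sent)."""
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]

# Combination rules from the notes (assumed grouping of the options on this
# page): at most one TCP scan type, optionally plus -sU and one SCTP type.
TCP_SCANS = {"sS", "sT", "sN", "sF", "sX", "sM", "sA", "sW", "sI"}
SCTP_SCANS = {"sY", "sZ"}

def check_scan_types(opts: Iterable[str]) -> List[str]:
    """Validate a set of -s* option pairs; return them ordered TCP, UDP, SCTP."""
    opts = list(opts)
    unknown = [o for o in opts if o not in TCP_SCANS | SCTP_SCANS | {"sU"}]
    if unknown:
        raise ValueError(f"not a scan type: {unknown}")
    tcp = [o for o in opts if o in TCP_SCANS]
    udp = [o for o in opts if o == "sU"]
    sctp = [o for o in opts if o in SCTP_SCANS]
    if len(tcp) > 1:
        raise ValueError(f"only one TCP scan type per run: {tcp}")
    if len(sctp) > 1:
        raise ValueError(f"only one SCTP scan type per run: {sctp}")
    return tcp + udp + sctp

def valid_combination(opts: Iterable[str]) -> bool:
    try:
        check_scan_types(opts)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(hex(parse_scanflags("URGACKPSHRSTSYNFIN")))   # all six bits set
    print(flag_names(parse_scanflags("PSHFIN")))         # same probe as "9"
    print(check_scan_types(["sU", "sS", "sY"]))          # allowed combination
```

Building the byte yourself is mainly useful for reasoning about what a custom probe will look like to the other side: for instance, anything without SYN, RST or ACK set falls under the RFC 793 loophole the NULL/FIN/Xmas section describes, which is why such probes are interpreted with a FIN-style base type rather than the default SYN one.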
