Sherlock of Network Scanning

NMAP : Network Mapper — Written by Gordon Lyon

NMAP was born almost 20 years ago (in 1997). Since its birth it has become a de facto standard for network mapping and port scanning, allowing network administrators to discover hosts and services on a computer network and create a map of the network.

A lot of terms were adopted before NMAP was born so let’s look into them -

Nmap is free to use and is released under the GPL license. This license gives you the right to run, study, share, and modify the software. You can find the Nmap source code here.

Nmap is a powerful network security tool, widely used by network admins and penetration testers (and also by hackers!).

Nmap uses raw IP packets in novel ways to determine what hosts (what you are looking at right now: your computer!) are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer, Zenmap.

Tools included in the NMAP package

Nping — Network packet generation tool / ping utility.
It is an open-source tool for network packet generation (used by nmap), response analysis and response time measurement. Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any field of the protocol headers (nmap uses nping to create packets and send them to the target to analyse the ports and discover hosts).

While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for ARP poisoning, Denial of Service attacks, route tracing, and other purposes.

Nping also offers a special mode of operation called “Echo Mode”, which lets users see how the generated packets change in transit, revealing the differences between the transmitted packets and the packets received at the other end (used by pentesters and network traffic analysts).

The output from Nping is a list of the packets that are being sent and received. The level of detail depends on the options used. Nmap was originally written for Linux, but it has been ported to major operating systems.

Nping example: creating TCP packets and sending them to ports 80 and 443 on scanme.nmap.org (a website provided by nmap for testing purposes) and google.com. You can see in the output how SYN, SYN-ACK and RST-ACK are used while sending and receiving the packets.

Ndiff — Utility to compare the results of Nmap scans
Ndiff is a tool to aid in the comparison of Nmap scans. It takes two Nmap XML output files and prints the differences between them. The differences observed are:

  • Host states (e.g. up to down)
  • Port states (e.g. open to closed)
  • Service versions (from -sV)
  • OS matches (from -O)
  • Script output
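The comparison Ndiff performs can be sketched in a few lines. This is an added example, not Ndiff's own code and not part of the original article: it parses two constructed Nmap XML documents (the hosts, ports and versions are invented sample data) and reports host-state, port-state and service-version changes, which is how periodic scans of your own network become a change report.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX style) for two scans; not real scan data.
OLD = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" version="1.18.0"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""
NEW = """<nmaprun>
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" version="8.9"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
</ports></host>
<host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def load(xml_text):
    """Return {addr: (host_state, {(proto, port): (port_state, version)})}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports = {}
        for p in host.iter("port"):
            svc = p.find("service")
            version = svc.get("version", "") if svc is not None else ""
            ports[(p.get("protocol"), int(p.get("portid")))] = (p.find("state").get("state"), version)
        hosts[addr] = (host.find("status").get("state"), ports)
    return hosts

def diff(old_xml, new_xml):
    """List host-state, port-state and version changes between two scans."""
    old, new, changes = load(old_xml), load(new_xml), []
    for addr in sorted(old.keys() | new.keys()):
        o_state, o_ports = old.get(addr, ("absent", {}))
        n_state, n_ports = new.get(addr, ("absent", {}))
        if o_state != n_state:
            changes.append(f"{addr}: host {o_state} -> {n_state}")
        for key in sorted(o_ports.keys() | n_ports.keys()):
            o_p, n_p = o_ports.get(key, ("absent", "")), n_ports.get(key, ("absent", ""))
            if o_p[0] != n_p[0]:
                changes.append(f"{addr}: {key[1]}/{key[0]} {o_p[0]} -> {n_p[0]}")
            elif o_p[1] != n_p[1]:
                changes.append(f"{addr}: {key[1]}/{key[0]} version {o_p[1]!r} -> {n_p[1]!r}")
    return changes

if __name__ == "__main__":
    print("\n".join(diff(OLD, NEW)))
```

A port that appears only in the newer scan is reported as `absent -> open`, which is usually the line worth investigating first.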

Ncat — Concatenate and redirect sockets
ncat (or nc) is a networking utility with functionality similar to the cat command, but for networks. It is a general-purpose CLI tool for reading, writing and redirecting data across a network.

By default, the nc utility makes connections only to TCP ports, but it can also make connections to UDP ports. It is designed to be a reliable back-end tool that can be used with scripts or other programs. ncat/nc can also serve as a port scanning tool (like nmap).

NMAP — States

Studying NMAP’s Life

Types of NMAP — Scans

TCP Connect (Full Connect Scan or Vanilla Scan). This is the default scanning technique of NMAP (meaning that if no options are given to NMAP, it chooses its own option). It completes the normal TCP three-way handshake and requires the system to call connect(), which is part of the operating system (a method that performs a full three-way handshake, which sets the SYN flag in the TCP header). This technique applies only to finding TCP ports, not UDP ports.

Left- When Port is OPEN. Right- When Port is CLOSED.

Stealth Scan (Half-open scanning). This technique allows Nmap to get information from the remote host without completing the TCP handshake (NMAP is shy, but it still sets the SYN flag in the TCP header). As a result, the target computer can’t create any log of the interaction because no session was initiated. If no scan type is given on the command line and you have no root/administrator privileges (because you must be using someone’s system as a guest, and NMAP doesn’t like guests), then NMAP uses this scan option by default.

Left- When Port is OPEN. Right- When Port is CLOSED.

Null Scan (No-Response). This scan causes Nmap to send packets with no TCP flags enabled (NMAP gets tired sometimes). Sending NULL packets to a target tells NMAP that the system is up when no response comes back; if the target does send a response, it will mostly be RST, meaning the port is closed. NMAP tricks firewalled systems with this scan.

Left- When Port is OPEN. Right- When Port is CLOSED.

Security mechanisms such as firewalls and IDS (Intrusion Detection Systems) usually detect SYN packets being sent to sensitive ports of target hosts. What to do then?

XMAS Scan. This scan sends packets with URG, FIN, and PSH flags activated. This has the effect of “lighting the packet up like a Christmas tree” (tada!) and can occasionally solicit a response from a firewalled system.

Left- When Port is OPEN. Right- When Port is CLOSED.

Inverse TCP Flag Scan. It’s like the XMAS Scan but not as heavy. It sends packets with only one of the URG, FIN and PSH flags activated. This is called an inverted technique because the target sends back a reply if the port is closed and otherwise sends no response.

Left- When Port is OPEN. Right- When Port is CLOSED.

The target computer is not able to create a log of these types of scan.
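Each scan type above is defined by the TCP flags on its probes, and that is what a network sensor watching the wire can key on. The following is an added example, not from the original article: it labels constructed packet records by flag pattern and reports sources that hit several ports on one host with the same probe type. The record layout, the `min_ports` threshold and all addresses are assumptions made for illustration.

```python
from collections import defaultdict

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def probe_type(flags):
    """Label a packet by the flag patterns the scan descriptions above give."""
    if flags == 0:
        return "null"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags in (FIN, PSH, URG):
        return "inverse-flag"
    if flags == SYN:
        return "syn"          # first packet of both connect and half-open scans
    return None               # anything else is not treated as a probe here

def find_scanners(packets, min_ports=3):
    """Return {(src, dst): {probe_type: port_count}} for sources that hit
    at least min_ports distinct ports on one destination with one probe type."""
    seen = defaultdict(set)
    for src, dst, dport, flags in packets:
        kind = probe_type(flags)
        if kind:
            seen[(src, dst, kind)].add(dport)
    report = defaultdict(dict)
    for (src, dst, kind), ports in seen.items():
        if len(ports) >= min_ports:
            report[(src, dst)][kind] = len(ports)
    return dict(report)

# Constructed sensor records: (source, destination, destination port, flags byte).
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 22, 0x29), ("198.51.100.7", "192.0.2.10", 80, 0x29),
    ("198.51.100.7", "192.0.2.10", 443, 0x29), ("198.51.100.7", "192.0.2.10", 25, 0x00),
    ("198.51.100.9", "192.0.2.10", 21, 0x00), ("198.51.100.9", "192.0.2.10", 23, 0x00),
    ("198.51.100.9", "192.0.2.10", 25, 0x00), ("198.51.100.9", "192.0.2.10", 25, 0x00),
    ("203.0.113.5", "192.0.2.10", 443, SYN), ("203.0.113.5", "192.0.2.10", 443, ACK),
    ("203.0.113.5", "192.0.2.10", 443, PSH | ACK),  # ordinary client traffic
]

if __name__ == "__main__":
    for pair, kinds in find_scanners(PACKETS).items():
        print(pair, kinds)
```

A lone SYN does not separate a connect scan from a half-open scan; that takes the follow-up packet (ACK versus RST) from the same source.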

Ping Scan. It is unlike the other scan techniques because it is only used to find out whether the host is alive; it is not used to discover open ports. Ping scans require root access so that ICMP packets can be sent, but if the user does not have administrator privileges, the ping scan uses the connect() call.

Left- When Port is OPEN. Right- When Port is CLOSED.

Ping Sweep Scan. Same as Ping Scan, but instead of a single host it targets multiple hosts at once.

UDP Scan. As the name suggests, this technique is used to find an open UDP port of the target machine. It does not require any SYN packet to be sent because it is targeting the UDP ports (duh!).

Left- When Port is OPEN. Right- When Port is CLOSED.

Idle scan (Side Channel Scan) is one of my favourite techniques, and it is an advanced scan that provides complete anonymity while scanning and you don’t even have to send a packet to the target.

Port Open is detected when the IPID is different from the one recorded in the beginning. As can be seen in the above picture, the leftmost image has the IPID as x and the rightmost image has the IPID as x+2, which means that the target must have responded to the ZOMBIE machine.
Port Closed is detected when the IPID is different from the one recorded in the beginning but with only 1 as the difference. As can be seen in the above picture, the leftmost image has the IPID as x and the rightmost image has the IPID as x+1, which means that the target is either filtered or closed.

In an idle scan, Nmap doesn’t send the packets from your real IP address. Instead of generating the packets from the attacker machine, Nmap uses another host (ZOMBIE, BOT or whatever you wish to call it) from the target network to send the packets.
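The x, x+1, x+2 reasoning above can be checked with an in-memory model that sends no packets. This is an added example, not from the original article and not Nmap code; the `Zombie` class, the starting IP ID and the port set are assumptions. It also shows the defensive side: a host whose IP ID is not a predictable global counter gives the scanner nothing to infer.

```python
class Zombie:
    """Idle host model. With incremental=True its IP ID grows by one per
    packet sent (a global counter); with False it never changes."""
    def __init__(self, ipid=1000, incremental=True):
        self.ipid, self.incremental = ipid, incremental

    def send(self):
        if self.incremental:
            self.ipid = (self.ipid + 1) % 65536   # IP ID is a 16-bit field
        return self.ipid

    def receive(self, flags):
        # An unsolicited SYN/ACK is answered with a RST; a RST is ignored.
        if flags == "SYN/ACK":
            self.send()

def target_reply(port, open_ports):
    """What the target sends to the spoofed source address (the zombie)."""
    return "SYN/ACK" if port in open_ports else "RST"

def idle_probe(zombie, port, open_ports):
    """IP ID difference seen by the scanner around one spoofed probe."""
    before = zombie.send()                           # reply to the first IP ID query
    zombie.receive(target_reply(port, open_ports))   # target answers the zombie
    after = zombie.send()                            # reply to the second query
    return (after - before) % 65536

def interpret(delta):
    return {2: "open", 1: "closed or filtered"}.get(delta, "inconclusive")

if __name__ == "__main__":
    open_ports = {22, 80}                            # constructed target state
    for port in (22, 23, 80):
        print(port, interpret(idle_probe(Zombie(), port, open_ports)))
    # A zombie without a predictable counter leaks nothing.
    print(80, interpret(idle_probe(Zombie(incremental=False), 80, open_ports)))
```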

NMAP OS Detection Scan has the ability to detect remote operating systems and software. It is very helpful during a penetration test to know about the operating system and the software used by the remote computer because you can easily predict the known vulnerabilities from this information.

Nmap has a database called nmap-os-db, which contains information on more than 2,600 operating systems. Nmap sends TCP and UDP packets to the target machine and then examines the responses by comparing them with the database. The Nmap operating system discovery technique is slightly slower than the scanning techniques because OS detection involves the process of finding open ports.

Initiating SYN Stealth Scan

Scanning localhost

Discovered open port

Completed SYN Stealth Scan

Initiating OS Detection

Nmap first discovers the open ports, then it sends packets to discover the remote operating system. It gives the following details in its output:

  • Device type (router, work station, and so on)
  • Running (running operating system)
  • OS details (the name and the version of OS)
  • Network distance (the distance in hops between the target and attacker)

Summary of NMAP’s Work:

You must be wondering why there are so many scans available.

But it’s not true! All the scans were developed according to the needs of network analysts and the resources they have at the time of scanning, and each one of them is used to arrive at some conclusion.

As stated by Arthur Conan Doyle —

“Once you eliminate the impossible, whatever remains, no matter how improbable, must be truth”
