1 / 21

NMAP Scanning Options

NMAP Scanning Options. NMAP. Nmap is the most popular scanning tool used on the Internet. Cretead by Fyodar (http://www.insecure.org) , it was featured in the Matrix Reloaded movie. SYN Scanning. Syn scanning, a technique that is widely across the Internet today.

ekram
Download Presentation

NMAP Scanning Options

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NMAP Scanning Options

  2. NMAP • Nmap is the most popular scanning tool used on the Internet. • Cretead by Fyodar (http://www.insecure.org) , it was featured in the Matrix Reloaded movie.

  3. SYN Scanning • Syn scanning, a technique that is widely across the Internet today. • The syn scan, also called the "half open" scan, is the ability to determine a ports state without making a full connection to the host. • Many systems do not log the attempt, and discard it as a communications error. • You must first learn 3-way handshake to understand the Syn scan.

  4. TCP Communication Flags • Standard TCP communications are controlled by flags in the TCP packet header. • The flags are as follows: • Synchronize - also called "SYN” • Used to initiate a connection between hosts. • Acknowledgement - also called "ACK” • Used in establishing a connection between hosts • Push - "PSH” • Instructs receiving system to send all buffered data immediately • Urgent - "URG” • States that the data contained in the packet should be processed immediately • Finish - also called "FIN" • Tells remote system that there will be no more transmissions • Reset - also called "RST” • Also used to reset a connection.

  5. Three Way Handshake Computer A Computer B 192.168.1.2:2342 ------------syn----------->192.168.1.3:80 192.168.1.2:2342 <---------syn/ack----------192.168.1.3:80 192.168.1.2:2342-------------ack----------->192.168.1.3:80 Connection Established • The Computer A ( 192.168.1.2 ) initiates a connection to the server ( 192.168.1.3 ) via a packet with only the SYN flag set. • The server replies with a packet with both the SYN and the ACK flag set. • For the final step, the client responds back the server with a single ACK packet. • If these three steps are completed without complication, then a TCP connection has been established between the client and server.

  6. Stealth Scan Computer A Computer B 192.168.1.2:2342 ------------syn----------->192.168.1.3:80 192.168.1.2:2342 <---------syn/ack----------192.168.1.3:80 192.168.1.2:2342-------------RST----------->192.168.1.3:80 • Client sends a single SYN packet to the server on the appropriate port. • If the port is open then the server responds with a SYN/ACK packet. • If the server responds with an RST packet, then the remote port is in state "closed” • The client sends RST packet to close the initiation before a connection can ever be established. • This scan also known as “half-open” scan.

  7. Xmas Scan Computer A Computer B Xmas scan directed at open port: 192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23 192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23 Xmas scan directed at closed port: 192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23 192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23 • Note: XMAS scan only works OS system's TCP/IP implementation is developed according to RFC 793 • Xmas Scan will not work against any current version of Microsoft Windows. • Xmas scans directed at any Microsoft system will show all ports on the host as being closed.

  8. FIN Scan Computer A Computer B FIN scan directed at open port: 192.5.5.92:4031 -----------FIN------------------->192.5.5.110:23 192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23 FIN scan directed at closed port: 192.5.5.92:4031 -------------FIN------------------192.5.5.110:23 192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23 • Note: FIN scan only works OS system's TCP/IP implementation is developed according to RFC 793 • FIN Scan will not work against any current version of Microsoft Windows. • FIN scans directed at any Microsoft system will show all ports on the host as being closed.

  9. NULL Scan Computer A Computer B NULL scan directed at open port: 192.5.5.92:4031 -----------NO FLAGS SET---------->192.5.5.110:23 192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23 NULL scan directed at closed port: 192.5.5.92:4031 -------------NO FLAGS SET---------192.5.5.110:23 192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23 • Note: NULL scan only works OS system's TCP/IP implementation is developed according to RFC 793 • NULL Scan will not work against any current version of Microsoft Windows. • NULL scans directed at any Microsoft system will show all ports on the host as being closed.

  10. IDLE Scan • Almost four years ago, security researcher Antirez posted an innovative new TCP port scanning technique. • Idlescan, as it has become known, allows for completely blind port scanning. • Attackers can actually scan a target without sending a single packet to the target from their own IP address.

  11. IDLE Scan: Basics • Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. • A port is considered "open" if an application is listening on the port, otherwise it is closed. • One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. • The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed. • A machine which receives an unsolicited SYN|ACK packet will respond with a RST. An unsolicited RST will be ignored. • Every IP packet on the Internet has a "fragment identification" number. • Many operating systems simply increment this number for every packet they send. • So probing for this number can tell an attacker how many packets have been sent since the last probe.

  12. IDLE Scan: Step 1 • Choose a "zombie" and proble for its current IPID number

  13. IDLE Scan: Step 2 • Send forged packet "from" Zombie to target.

  14. IDLE Scan: Step 3 • Probe Zombie IPID again

  15. Fragmentation scanning • Instead of just sending the probe packet, you break it into a couple of small IP fragments. • You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. • The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.

  16. ICMP echo scanning • This isn't really port scanning, since ICMP doesn't have a port abstraction. • But it is sometimes useful to determine what hosts in a network are up by pinging them all. • nmap -P cert.org/24 152.148.0.0/16

  17. Scan Options • -sT (TcpConnect) • -sS (SYN scan) • -sF (Fin Scan) • -sX (Xmas Scan) • -sN (Null Scan) • -sP (Ping Scan) • -sU (UDP scans) • -sO (Protocol Scan) • -sI (Idle Scan) • -sA (Ack Scan) • -sW (Window Scan) • -sR (RPC scan) • -sL (List/Dns Scan)

  18. Ping Detection • -P0 (don’t ping) • -PT (TCP ping) • -PS (SYN ping) • -PI (ICMP ping) • -PB (= PT + PI) • -PP (ICMP timestamp) • -PM (ICMP netmask)

  19. Output Format • -oN(ormal) • -oX(ml) • -oG(repable) • -oA(ll)

  20. Timing • -T Paranoid – serial scan & 300 sec wait • -T Sneaky - serialize scans & 15 sec wait • -T Polite - serialize scans & 0.4 sec wait • -T Normal – parallel scan • -T Aggressive- parallel scan & 300 sec timeout & 1.25 sec/probe • -T Insane - parallel scan & 75 sec timeout & 0.3 sec/probe • --host_timeout --max_rtt_timeout (default - 9000) • --min_rtt_timeout --initial_rtt_timeout (default – 6000) • --max_parallelism --scan_delay (between probes)

  21. --resume (scan) --append_output • -iL <targets_filename> -p <port ranges> • -F (Fast scan mode) -D <decoy1 [,decoy2][,ME],> • -S <SRC_IP_Address> -e <interface> • -g <portnumber> --data_length <number> • --randomize_hosts -O (OS fingerprinting) -I (dent-scan) • -f (fragmentation) -v (verbose) -h (help) • -n (no reverse lookup) -R (do reverse lookup) • -r (dont randomize port scan) -b <ftp relay host> (FTP bounce)

More Related