From charlesreid1

Revision as of 20:55, 26 May 2025

Main page: Nmap/Short Course

Lab: Nmap/Short Course/Lab 2

Summary and Objective

Summary:

  • This 30-minute session will build directly on the host discovery skills from Lecture 1, diving into how to identify what services are listening on discovered hosts.

Objective:

  • To enable students to understand and proficiently use Nmap's fundamental TCP and UDP port scanning techniques, accurately interpret port states, and effectively perform service and version detection to identify running applications on target systems.

Notes

Recap & What is Port Scanning?

Quick Recap of Host Discovery

In our last session, we focused on host discovery – the critical first step of figuring out which targets on a network are online and responsive. We explored techniques like Ping Scans (-sn), various ICMP probes (-PE, -PP, -PM), TCP SYN/ACK pings (-PS, -PA), UDP pings (-PU), and ARP scans (-PR) for local networks. Remember, effective host discovery narrows our focus, ensuring we only expend resources on live systems. You should now have lists of active hosts from your initial sweeps of the lab scenarios.

Defining Port Scanning: Knocking on Doors

With a list of live hosts, port scanning is the next logical step. If host discovery tells us which houses in the neighborhood are occupied, port scanning is akin to checking all the doors and windows on those houses to see which ones are open, closed, or perhaps just look suspicious. Technically, a port is a numerical identifier that applications use to differentiate network traffic and services on a host. Port scanning uses Nmap to send specially crafted packets to target ports and analyze the responses (or lack thereof) to determine their status. This helps us identify which services (like web servers, mail servers, databases, etc.) are potentially running on a target machine.

Why Port Scanning is the Next Logical Step

Identifying open ports is crucial because these represent potential entry points into a system. An open port means a service is listening, and that service could be misconfigured, unpatched, or inherently vulnerable. Understanding the "attack surface" presented by these open ports is fundamental for both offensive reconnaissance (finding weaknesses) and defensive auditing (identifying and mitigating risks). Without port scanning, we'd only know a host is alive, not what it's actually doing or offering to the network.

Understanding Ports and Port States

Brief Overview of TCP vs. UDP Ports

Network services use two primary transport protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP is a connection-oriented protocol; it establishes a session (like a phone call) and ensures reliable data delivery with features like acknowledgments and retransmissions. Services like web browsing (HTTP/HTTPS), SSH, and FTP use TCP. UDP, on the other hand, is connectionless and offers faster, low-overhead data delivery but without guarantees of reliability or order. It's like sending a postcard – you send it but don't get confirmation it arrived. Services like DNS, DHCP, SNMP, and many online gaming protocols use UDP. Each host has 65,535 potential TCP ports and another 65,535 potential UDP ports.

Commonly Scanned Ports

Scanning all 65,535 TCP and all 65,535 UDP ports on every host is extremely time-consuming. Nmap helps by focusing on commonly used ports. By default, Nmap scans the 1000 most popular TCP ports. If you want a quicker scan, you can use the -F (Fast scan) option, which scans the 100 most common TCP ports. You can also specify custom port ranges with the -p option (e.g., -p 1-1024, -p U:53,T:80,443, -p- for all ports).

# Scan default 1000 TCP ports (if host is up)
nmap <target_IP>

# Fast scan (top 100 TCP ports)
nmap -F <target_IP>

# Scan specific TCP ports
nmap -p 22,80,443 <target_IP>

# Scan specific UDP ports
nmap -sU -p 53,161 <target_IP>

# Scan all 65,535 TCP ports (can be very slow!)
nmap -p- <target_IP>
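The -p syntax above (ranges, a bare dash, and the U:/T: qualifiers) is worth being able to read mechanically, for example when reviewing a scan job before it runs or estimating how many probes it will generate. The following is an added example, not code from the course or from the Nmap project: a small Python parser that expands an Nmap-style port specification into per-protocol sets. It follows the documented -p rules (a qualifier sticks until the next one; a bare "-" means 1-65535; "-100" and "60000-" are open-ended ranges). The function names and the default-protocol handling are this example's own conventions.

```python
"""Expand Nmap-style -p port specifications (added example, not from the course page)."""

MAX_PORT = 65535
PROTOCOLS = ("T", "U", "S")          # TCP, UDP, SCTP qualifiers understood by nmap's -p


def _expand_range(text):
    """Turn one entry ('80', '1-1024', '-', '-100', '60000-') into a range of ports."""
    if text == "-":                            # bare dash: what `-p-` means, ports 1-65535
        return range(1, MAX_PORT + 1)
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo = int(lo_s) if lo_s else 1          # '-100'   -> 1..100
        hi = int(hi_s) if hi_s else MAX_PORT   # '60000-' -> 60000..65535
    else:
        lo = hi = int(text)                    # int() raises ValueError on junk like 'abc'
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range out of bounds: {text!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec, default_proto="T"):
    """Expand an -p string into {'T': set(), 'U': set(), 'S': set()}.

    A qualifier such as 'U:' sticks until another one appears, so
    'U:53,111,T:21-25,80' puts 53 and 111 in UDP and the rest in TCP.
    Entries with no qualifier go to default_proto (TCP, as with a plain
    nmap run; pass 'U' to model `nmap -sU -p 53,161`).
    """
    if default_proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol qualifier {default_proto!r}")
    ports = {p: set() for p in PROTOCOLS}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        # 'U:53' -> switch the sticky protocol, then parse '53'
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTOCOLS:
            proto, item = item[0].upper(), item[2:]
        if not item:
            raise ValueError("empty port entry in spec")
        ports[proto].update(_expand_range(item))
    return ports


def port_count(spec, default_proto="T"):
    """Total number of probes a spec implies, summed over protocols."""
    return sum(len(s) for s in parse_port_spec(spec, default_proto).values())


def is_valid_spec(spec, default_proto="T"):
    """True if nmap-style parsing would accept the spec; False instead of raising."""
    try:
        parse_port_spec(spec, default_proto)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The specs below are the ones quoted in the course text.
    for spec in ("22,80,443", "1-1024", "U:53,T:80,443", "-"):
        expanded = parse_port_spec(spec)
        print(f"-p {spec:<16} TCP={len(expanded['T']):>5} UDP={len(expanded['U']):>3}")
```

Running the block prints the TCP and UDP probe counts for each quoted spec; the jump from 1,024 to 65,535 for "-p-" is the concrete reason the course warns that a full-range scan can be very slow.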

Nmap's Six Port States Explained

Nmap categorizes ports into six states, and understanding these is crucial for interpreting scan results:

  1. Open: An application is actively accepting TCP connections, UDP datagrams, or SCTP associations on this port. These are often the primary interest as they indicate running services.
  2. Closed: A port is accessible (it receives and responds to Nmap's probe packets), but there is no application listening on it. Useful for showing that a host is up but not offering a particular service. They can also be helpful in OS detection.
  3. Filtered: Nmap cannot determine whether the port is open or closed because packet filtering (e.g., a firewall, router rule, or host-based firewall software) prevents its probes from reaching the port. Nmap often retries several times if it suspects filtering. These can be frustrating but indicate a hardened target.
  4. Unfiltered: This state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan (-sA) classifies ports this way. It indicates that the port responded to Nmap's probes in a way that doesn't differentiate between open or closed, often meaning a firewall is present but not blocking the ACK packet itself.
  5. Open|filtered: Nmap is unable to determine whether a port is open or filtered. This happens for scan types where open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. This is common for UDP scans and some advanced TCP scans.
  6. Closed|filtered: Nmap is unable to determine whether a port is closed or filtered. This state is only used by the IP ID Idle Scan (-sI).
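The six states are easier to remember once you see them as a decision table: the state is a function of which probe was sent and what (if anything) came back. The following is an added example, not code from the course or from Nmap itself. It encodes the response-to-state mapping from Nmap's reference guide for SYN, ACK, UDP and idle scans, models retransmissions as a list of per-probe responses, and runs it over a constructed scan log (the log is invented sample data, not a real capture). The simplification is deliberate: real Nmap also has window, FIN/NULL/Xmas and connect scans, and its retry count depends on timing options; the ICMP code sets and the idle-scan IP ID rule (+2 means open, +1 means closed or filtered) are as documented.

```python
"""Map what a probe elicits to Nmap's six port states (added example, not from the course page)."""
from collections import Counter

# ICMP type-3 codes that nmap reads as "a filter got in the way" (net/host unreachable,
# protocol unreachable, admin prohibited, ...). Code 3 (port unreachable) is handled
# separately because for a UDP probe it means "closed", not "filtered".
FILTER_ICMP_CODES = {1, 2, 9, 10, 13}

# Verdict tables per scan type, following the response tables in nmap's reference guide.
RULES = {
    "SYN":  {"SYN/ACK": "open", "RST": "closed",
             "icmp-port-unreach": "filtered", "icmp-unreach-other": "filtered"},
    "ACK":  {"RST": "unfiltered",
             "icmp-port-unreach": "filtered", "icmp-unreach-other": "filtered"},
    "UDP":  {"UDP": "open", "icmp-port-unreach": "closed", "icmp-unreach-other": "filtered"},
    # Idle scan never hears from the target directly; the verdict comes from how far
    # the zombie's IP ID counter moved (+2: open, +1: closed or filtered).
    "IDLE": {"IPID+2": "open", "IPID+1": "closed|filtered"},
}
# What silence means once retries are exhausted. An open port would have answered a
# SYN or ACK probe, so silence there is a filter; a silent UDP port may just be a quiet service.
SILENCE = {"SYN": "filtered", "ACK": "filtered", "UDP": "open|filtered"}


def _kind(resp):
    """Normalise one observed response ('SYN/ACK', 'RST', 'UDP', 'ICMP:3/3', None)."""
    if resp is None:
        return "silence"
    if resp.startswith("ICMP:"):
        icmp_type, code = (int(x) for x in resp[5:].split("/"))
        if icmp_type == 3 and code == 3:
            return "icmp-port-unreach"
        if icmp_type == 3 and code in FILTER_ICMP_CODES:
            return "icmp-unreach-other"
        return "ignored"          # any other ICMP says nothing about this port
    return resp


def classify(scan, responses):
    """Nmap state for one port. `scan` names the probe type; `responses` lists what each
    transmission (original plus retries) came back with, None meaning nothing."""
    rules = RULES[scan]                      # KeyError on an unknown scan type
    for resp in responses:
        kind = _kind(resp)
        if kind in ("silence", "ignored"):
            continue                         # no verdict yet; nmap retransmits
        if kind in rules:
            return rules[kind]
        raise ValueError(f"{resp!r} is not an answer a {scan} probe can get")
    if scan in SILENCE:
        return SILENCE[scan]
    raise ValueError("idle scan needs the zombie's IP ID delta, not silence")


def summarize(scan_log):
    """Classify every (scan, port, responses) record. Returns the per-port verdicts and a
    Counter of states, comparable to the 'Not shown: N ... ports' line nmap prints."""
    verdicts = {(scan, port): classify(scan, responses) for scan, port, responses in scan_log}
    return verdicts, Counter(verdicts.values())


# Constructed scan log (invented sample data, not a real capture): one record per probed port.
SAMPLE_LOG = [
    ("SYN", 22,   ["SYN/ACK"]),            # service completed its half of the handshake
    ("SYN", 23,   ["RST"]),                # host up, nothing listening
    ("SYN", 25,   [None, "RST"]),          # first probe lost, the retry got a RST
    ("SYN", 135,  [None, None, None]),     # silently dropped every time: filtered
    ("SYN", 445,  ["ICMP:3/13"]),          # administratively prohibited: filtered
    ("ACK", 80,   ["RST"]),                # a stateless filter let the ACK through
    ("ACK", 8080, [None, None]),           # ACK swallowed: stateful filter in the path
    ("UDP", 53,   ["UDP"]),                # DNS replied with data
    ("UDP", 69,   ["ICMP:3/1"]),           # host unreachable: filtered
    ("UDP", 123,  ["ICMP:3/3"]),           # port unreachable: closed
    ("UDP", 161,  [None, None]),           # SNMP kept quiet: open|filtered
    ("IDLE", 110, ["IPID+2"]),
    ("IDLE", 143, ["IPID+1"]),
]

if __name__ == "__main__":
    verdicts, counts = summarize(SAMPLE_LOG)
    for (scan, port), state in verdicts.items():
        print(f"{scan:<5} {port:>5}  {state}")
    print(dict(counts))
```

The table makes the defensive reading explicit: a filter that silently drops probes shows up as filtered (or open|filtered for UDP), one that answers with RST shows up as closed or unfiltered, and that difference, not the open ports alone, is what tells an auditor how the perimeter is configured.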

Lab

Nmap/Short Course/Lab 2

Flags