From charlesreid1

Revision as of 21:40, 26 May 2025 by Unknown user (talk)

Main page: Nmap/Short Course

Lab: Nmap/Short Course/Lab 3

Summary and Objective

Summary:

  • This 30-minute lecture will introduce more nuanced scanning techniques, delve into operating system identification, and cover Nmap's versatile output options.

Objective:

  • To equip students with knowledge of advanced TCP scanning techniques useful for firewall analysis and stealth, the ability to perform and interpret OS detection, and proficiency in managing and utilizing Nmap's various output formats, including scan comparison with Ndiff.

Notes

Recap and Introduction to Advanced Scanning

Quick Recap of Essential Scans

In our previous lecture, we covered fundamental port scanning techniques, including TCP SYN (-sS) and Connect (-sT) scans for identifying TCP services, and UDP scans (-sU) for UDP services. We also emphasized the importance of interpreting port states (open, closed, filtered) and performing service and version detection (-sV) to understand exactly what software is running on discovered ports. These skills form the bedrock of network service enumeration.

Why Advanced Scans? Beyond the Basics

While SYN, Connect, and basic UDP scans are powerful, there are scenarios where more sophisticated techniques are needed. Advanced scans can help in:

  • Stealth: Attempting to gather information while minimizing the chances of detection by Intrusion Detection Systems (IDS) or vigilant administrators.
  • Firewall Analysis: Understanding firewall rule sets, such as determining if a firewall is stateful or stateless, and identifying which ports are specifically being blocked or allowed.
  • Evasion: Bypassing certain types of packet filters or less sophisticated IDS. These techniques often involve sending TCP packets with unusual flag combinations or leveraging indirect scanning methods.

Understanding Target and Firewall Reactions

The effectiveness of advanced scans hinges on how target operating systems and intermediary devices (like firewalls and IDS) respond to non-standard network probes. Different systems adhere to or deviate from TCP/IP RFCs (Request for Comments – the technical standards documents for the internet) in unique ways. Nmap exploits these differences to infer port states or device characteristics. For example, some scans are designed to elicit responses only from closed ports, or to see if a firewall drops certain packets silently versus rejecting them with an error.


Advanced TCP Scan Types

These scans manipulate TCP flags to probe targets in ways that can be less obvious or provide specific insights into filtering mechanisms.

FIN (-sF), Xmas (-sX), and Null (-sN) Scans

These are often called "stealth" scans because they do not set the SYN flag, which is the flag that firewalls and logging systems typically key on when recording connection attempts.

Mechanics:

  • FIN Scan (-sF): Sends a TCP packet with only the FIN (finish) flag set.
  • Xmas Scan (-sX): Sets the FIN, PSH (push), and URG (urgent) flags simultaneously (lighting the packet up like a Christmas tree).
  • Null Scan (-sN): Sends a TCP packet with no flags set.

Expected Behavior (RFC 793):

  • According to TCP RFC 793, if a port is closed, the target system should respond with a TCP RST (reset) packet.
  • If the port is open, the target should silently drop these probes and send no response at all.

Real world behavior:

  • If an RST packet is received, Nmap marks the port as closed.
  • If no response is received (after retransmissions), the port is marked open|filtered. This ambiguity means it could be open, or a firewall could be dropping the probe.
  • If an ICMP unreachable error (e.g., type 3 code 1, 2, 3, 9, 10, or 13) is received, the port is marked filtered.

These scans are generally effective against UNIX-based systems. However, Microsoft Windows systems (and some others, such as Cisco devices) do not strictly follow RFC 793 in this regard: they send RST packets for both open and closed ports in response to these probes, so against such hosts every port appears closed and these scan types cannot identify open ports.

# Perform a FIN scan (requires sudo/root)
sudo nmap -sF <target_IP>

# Perform an Xmas scan
sudo nmap -sX <target_IP>

# Perform a Null scan
sudo nmap -sN <target_IP>

[Instructor: Run 'sudo nmap -sF <your_lab_Linux_target_IP_with_known_ports>' and show output]

Starting Nmap X.XX ( https://nmap.org ) at YYYY-MM-DD HH:MM ZONE
Nmap scan report for <target_IP>
Host is up (0.0XXs latency).
Not shown: XXX closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp closed        rpcbind
Nmap done: 1 IP address (1 host up) scanned in X.XX seconds
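The two rules the lecture just walked through (how to recognise a FIN/Xmas/Null probe from its flag bits, and how Nmap turns the target's reaction into a port state) are small enough to write down as code. The following is an added example, not part of the course page or of Nmap itself: classify_probe() is the defender-side check an IDS rule would use to label these non-SYN segments, infer_port_state() applies the RST / silence / ICMP-unreachable rules from the bullets above, and count_probe_types() tallies probe labels per source the way a detection rule would before alerting. The function names, the source address 198.51.100.7 and the packet records are all constructed for the example.

```python
"""Added example (not from the course page or from Nmap): the lecture's
FIN/Xmas/Null rules expressed as code.

1. classify_probe(): label a TCP segment by its flag bits (what an IDS rule
   keys on when it spots non-SYN probes).
2. infer_port_state(): the interpretation Nmap applies to the target's reply
   (RST -> closed, silence -> open|filtered, ICMP unreachable -> filtered),
   with the Windows/Cisco "RST for everything" caveat.
3. count_probe_types(): tally probe labels per source for a detection rule.

All packet records below are constructed sample data, not real captures.
"""
from typing import Optional

# TCP flag bit positions in the flags byte (RFC 793 layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# ICMP type 3 codes that Nmap reports as "filtered" for these scan types
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def classify_probe(flags: int) -> str:
    """Return 'null-scan', 'fin-scan', 'xmas-scan', 'syn' or 'other'.

    Segments with ACK set belong to an established flow and are never treated
    as one of these probes, whatever else is set.
    """
    if flags & ACK:
        return "other"
    if flags == 0:
        return "null-scan"
    if flags == FIN:
        return "fin-scan"
    if flags == FIN | PSH | URG:
        return "xmas-scan"
    if flags == SYN:
        return "syn"
    return "other"


def infer_port_state(response: Optional[dict], target_is_windows: bool = False) -> str:
    """Apply Nmap's FIN/Xmas/Null rules to the reply seen for one probe.

    response is None when nothing came back after retransmissions, or a dict
    such as {"proto": "tcp", "flags": RST | ACK} or
    {"proto": "icmp", "type": 3, "code": 3}.
    """
    if response is None:
        return "open|filtered"          # open, or a firewall dropped the probe
    if response["proto"] == "tcp" and response["flags"] & RST:
        # Windows (and some Cisco) stacks reset open ports too, so an RST
        # carries no information about the port there.
        return "unknown (RST-for-all stack)" if target_is_windows else "closed"
    if (response["proto"] == "icmp" and response["type"] == 3
            and response["code"] in FILTERED_ICMP_CODES):
        return "filtered"
    return "unexpected"


# Constructed sample: (source, destination port, TCP flags) as an IDS would
# see them arriving from a single host.
SAMPLE_SEGMENTS = [
    ("198.51.100.7", 22, FIN),
    ("198.51.100.7", 80, FIN | PSH | URG),
    ("198.51.100.7", 111, 0),
    ("198.51.100.7", 443, SYN),
    ("198.51.100.7", 443, ACK),
]


def count_probe_types(segments):
    """Tally non-SYN probe labels per source address.

    A source that accumulates several such labels in a short window is what a
    detection rule for FIN/Xmas/Null scanning would alert on.
    """
    tally = {}
    for src, _port, flags in segments:
        label = classify_probe(flags)
        if label.endswith("-scan"):
            per_src = tally.setdefault(src, {})
            per_src[label] = per_src.get(label, 0) + 1
    return tally


if __name__ == "__main__":
    print(count_probe_types(SAMPLE_SEGMENTS))
    for reply in (None,
                  {"proto": "tcp", "flags": RST | ACK},
                  {"proto": "icmp", "type": 3, "code": 13}):
        print(reply, "->", infer_port_state(reply))
```

Running the block prints one tally entry for the constructed source (one FIN, one Xmas and one Null probe; the SYN and the ACK segment are ignored), then the three port-state outcomes from the lecture. The target_is_windows switch is what turns the "closed" verdict into "unknown" for the stacks the lecture says reset every port.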



Lab

Nmap/Short Course/Lab 3

Flags