Nmap/Short Course/Lecture 3

From charlesreid1

Main page: Nmap/Short Course

Lab: Nmap/Short Course/Lab 3

Summary and Objective

Summary:

  • This 30-minute lecture will introduce more nuanced scanning techniques, delve into operating system identification, and cover Nmap's versatile output options.

Objective:

  • To equip students with knowledge of advanced TCP scanning techniques useful for firewall analysis and stealth, the ability to perform and interpret OS detection, and proficiency in managing and utilizing Nmap's various output formats, including scan comparison with Ndiff.

Notes

Recap and Introduction to Advanced Scanning

Quick Recap of Essential Scans

In our previous lecture, we covered fundamental port scanning techniques, including TCP SYN (-sS) and Connect (-sT) scans for identifying TCP services, and UDP scans (-sU) for UDP services. We also emphasized the importance of interpreting port states (open, closed, filtered) and performing service and version detection (-sV) to understand exactly what software is running on discovered ports. These skills form the bedrock of network service enumeration.

Why Advanced Scans? Beyond the Basics

While SYN, Connect, and basic UDP scans are powerful, there are scenarios where more sophisticated techniques are needed. Advanced scans can help in:

  • Stealth: Attempting to gather information while minimizing the chances of detection by Intrusion Detection Systems (IDS) or vigilant administrators.
  • Firewall Analysis: Understanding firewall rule sets, such as determining if a firewall is stateful or stateless, and identifying which ports are specifically being blocked or allowed.
  • Evasion: Bypassing certain types of packet filters or less sophisticated IDS. These techniques often involve sending TCP packets with unusual flag combinations or leveraging indirect scanning methods.

Understanding Target and Firewall Reactions

The effectiveness of advanced scans hinges on how target operating systems and intermediary devices (like firewalls and IDS) respond to non-standard network probes. Different systems adhere to or deviate from TCP/IP RFCs (Request for Comments – the technical standards documents for the internet) in unique ways. Nmap exploits these differences to infer port states or device characteristics. For example, some scans are designed to elicit responses only from closed ports, or to see if a firewall drops certain packets silently versus rejecting them with an error.


Advanced TCP Scan Types

These scans manipulate TCP flags to probe targets in ways that can be less obvious or provide specific insights into filtering mechanisms.

Fin (-sF), Xmas (-sX), and Null (-sN) Scans

These are "stealth" scans because they don't use the SYN flag, which is how firewalls and logging systems typically monitor connection attempts.

Mechanics:

  • FIN Scan (-sF): Sends a TCP packet with only the FIN (finish) flag set.
  • Xmas Scan (-sX): Sets the FIN, PSH (push), and URG (urgent) flags simultaneously (lighting the packet up like a Christmas tree).
  • Null Scan (-sN): Sends a TCP packet with no flags set.

Expected Behavior (RFC 793):

  • According to TCP RFC 793, if a port is closed, the target system should respond with a TCP RST (reset) packet.
  • If the port is open, the target should drop these malformed packets without a response.

Real world behavior:

  • If an RST packet is received, Nmap marks the port as closed.
  • If no response is received (after retransmissions), the port is marked open|filtered. This ambiguity means it could be open, or a firewall could be dropping the probe.
  • If an ICMP unreachable error (e.g., type 3 code 1, 2, 3, 9, 10, or 13) is received, the port is marked filtered. These scans are generally effective against UNIX-based systems. However, Microsoft Windows systems (and some others like Cisco devices) don't strictly follow RFC 793 in this regard; they tend to send RST packets for both open and closed ports in response to these probes, making these scan types ineffective against them for determining open ports.
# Perform a FIN scan (requires sudo/root)
sudo nmap -sF <target_IP>

# Perform an Xmas scan
sudo nmap -sX <target_IP>

# Perform a Null scan
sudo nmap -sN <target_IP>

[Instructor: Run 'sudo nmap -sF <your_lab_Linux_target_IP_with_known_ports>' and show output]
Starting Nmap X.XX ( https://nmap.org ) at YYYY-MM-DD HH:MM ZONE
Nmap scan report for <target_IP>
Host is up (0.0XXs latency).
Not shown: XXX closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp closed        rpcbind
Nmap done: 1 IP address (1 host up) scanned in X.XX seconds

ACK Scan (-sA)

The ACK scan is primarily used to map out firewall rule sets and determine if a firewall is stateful or stateless. It does not typically determine if a port is open or closed.

Mechanics:

  • Nmap sends TCP packets with only the ACK flag set to the specified ports.

Purpose & Port States:

  • If an RST packet is returned, the port is classified as unfiltered. This means the target host received the ACK packet and responded, indicating that a firewall (if present) did not block it.
  • If nothing is returned, or if an ICMP unreachable error is received, the port is classified as filtered. This suggests a firewall is likely dropping the ACK packets. A stateful firewall will usually drop unsolicited ACK packets (marking ports as filtered), whereas a simple stateless firewall might pass them through, leading to RSTs from the target host (marking ports as unfiltered).
# Perform an ACK scan (requires sudo/root)
sudo nmap -sA <target_IP>

# ACK scan common web ports to test firewall rules
sudo nmap -sA -p 80,443,8080 <target_IP>

This scan is valuable for reconnaissance against firewalls. For example, if -sS shows a port as filtered, but -sA shows it as unfiltered, it implies a stateful firewall is blocking incoming SYN packets but not necessarily other types.

Idle Scan (-sI zombiehost)

TCP Idle Scan (-sI <zombie host> [options]):

  • This is an advanced and truly blind TCP port scanning method. It doesn't send packets to the target from your true IP address. Instead, it leverages an idle "zombie" host on the internet that has a predictable IP fragmentation ID (IPID) sequence. Nmap sends SYN packets to the target, spoofing the zombie's IP. If the target port is open, it sends a SYN/ACK back to the zombie. This causes the zombie's IPID to increment. Nmap then probes the zombie's IPID to see if it changed.
    • Pros: Ultimate stealth regarding the target (it never sees your IP).
    • Cons: Difficult to find suitable zombie hosts (must be idle, predictable IPID), can be slow, and complex to set up correctly. This is more of an expert technique.

This is a very sophisticated scan type, often discussed more in penetration testing courses, but good for students to be aware of its existence.

OS Detection (-O)

Why Detect the Operating System?

Identifying the operating system and its version on a target host is a crucial piece of information for several reasons:

  • Vulnerability assessment: Known vulnerabilities are often OS-specific or even version-specific. Knowing the OS helps narrow down potential exploits.
  • Tailoring attacks: Payloads or exploits might need to be customized for the target OS.
  • Network inventory: Understanding the OS landscape of a network is vital for asset management.
  • Policy compliance: Verifying that only authorized operating systems are present on the network.

How Nmap Performs OS Detection

Nmap's OS detection (-O option) is a sophisticated process that involves sending a series of TCP, UDP, and ICMP probes to open and closed ports on the target host. Nmap analyzes the responses to these probes, looking for subtle differences in network protocol implementations across various operating systems. Some of the characteristics Nmap examines include:

  • TCP Initial Sequence Number (ISN) sampling and predictability.
  • TCP options support and ordering (e.g., Window Scale, Timestamps, Selective ACK).
  • IP ID (Identification) field sampling (e.g., all zeros, incremental, random).
  • Responses to various ICMP probes.
  • Explicit Congestion Notification (ECN) support.
  • Characteristics of TCP initial window sizes. Nmap compares the collected "fingerprint" of responses against its extensive database (nmap-os-db) of known OS fingerprints.

Lab

Nmap/Short Course/Lab 3

Flags


Defcon.png
Nmap Short Course
12-part short course on advanced nmap topics for cybersecurity professionals.

lectures, plus red team and blue team lab scenarios.

Nmap/Short Course


Module 1: Nmap Mastery - Beyond the Basics

Lectures:

Nmap/Short Course/Lecture 1
Nmap/Short Course/Lecture 2
Nmap/Short Course/Lecture 3
Nmap/Short Course/Lecture 4

Labs:

Nmap/Short Course/Lab 1
Nmap/Short Course/Lab 2
Nmap/Short Course/Lab 3
Nmap/Short Course/Lab 4


Module 2: Red Team Nmap - Offensive Recon & Vuln Identification

Lectures:

Nmap/Short Course/Lecture 5
Nmap/Short Course/Lecture 6
Nmap/Short Course/Lecture 7
Nmap/Short Course/Lecture 8

Labs:

Nmap/Short Course/Lab 5
Nmap/Short Course/Lab 6
Nmap/Short Course/Lab 7
Nmap/Short Course/Lab 8


Module 3: Blue Team Nmap - Auditing, Defense & Network Monitoring

Lectures:

Nmap/Short Course/Lecture 9
Nmap/Short Course/Lecture 10
Nmap/Short Course/Lecture 11
Nmap/Short Course/Lecture 12

Labs:

Nmap/Short Course/Lab 9
Nmap/Short Course/Lab 10
Nmap/Short Course/Lab 11
Nmap/Short Course/Lab 12


Notes for the Instructor:

Nmap/Short Course/Running the Labs


Flags  · Template:NmapShortCourseFlag  · e


Retrieved from "https://charlesreid1.com/w/index.php?title=Nmap/Short_Course/Lecture_3&oldid=30282"