#readwise

# Network Enumeration with Nmap - Host and Port Scanning

![rw-book-cover](https://academy.hackthebox.com/images/apple-touch-icon.png)

## Metadata

- Author: [[Hack The Box]]
- Full Title: Network Enumeration with Nmap - Host and Port Scanning

## Summary

Nmap is a network scanning tool used to discover open and closed TCP ports on a target host. It can perform various types of scans, such as SYN scans and TCP Connect scans, to determine the state of ports. The tool reports whether ports are open, closed, or filtered by a firewall. Additionally, Nmap can gather more information about services running on open ports using the version scan option.

## Highlights

There are a total of 6 different states for a scanned port we can obtain: ^1ofplj

| State | Description |
| --- | --- |
| `open` | This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations. |
| `closed` | When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an `RST` flag. This scanning method can also be used to determine if our target is alive or not. |
| `filtered` | Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target. |
| `unfiltered` | This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed. |
| `open`\|`filtered` | If we do not get a response for a specific port, `Nmap` will set it to that state. This indicates that a firewall or packet filter may protect the port. |
| `closed`\|`filtered` | This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall. |

^srk0g8 ([View Highlight](https://read.readwise.io/read/01jp0z60s0kcv98c1jdegjmsmz))

---

By default, `Nmap` scans the top 1000 TCP ports with the SYN scan (`-sS`). The SYN scan is the default only when we run `Nmap` as root, because creating raw TCP packets requires those socket permissions. Otherwise, the TCP connect scan (`-sT`) is performed by default. This means that if we do not define ports and scanning methods, these parameters are set automatically. We can define the ports one by one (`-p 22,25,80,139,445`), by range (`-p 22-445`), by top ports (`--top-ports=10`) that the `Nmap` database marks as most frequent, by scanning all ports (`-p-`), or by a fast port scan that covers the top 100 ports (`-F`). ([View Highlight](https://read.readwise.io/read/01jp0z7m4fptncg822j1f88p7e)) ^oirmb3

---

The Nmap [TCP Connect Scan](https://nmap.org/book/scan-methods-connect-scan.html) (`-sT`) uses the TCP three-way handshake to determine if a specific port on a target host is open or closed. The scan sends a `SYN` packet to the target port and waits for a response. The port is considered open if it responds with a `SYN-ACK` packet and closed if it responds with an `RST` packet. The `Connect` scan (also known as a full TCP connect scan) is highly accurate because it completes the three-way TCP handshake, allowing us to determine the exact state of a port (open, closed, or filtered). However, it is not the most stealthy. In fact, the Connect scan is one of the least stealthy techniques, as it fully establishes a connection, which creates logs on most systems and is easily detected by modern IDS/IPS solutions.

That said, the Connect scan can still be useful in certain situations, particularly when accuracy is a priority and the goal is to map the network without causing significant disruption to services. Since the scan fully establishes a TCP connection, it interacts cleanly with services, making it less likely to cause service errors or instability compared to more intrusive scans. While it is not the most stealthy method, it is sometimes considered a more "polite" scan because it behaves like a normal client connection and thus has minimal impact on the target services. ([View Highlight](https://read.readwise.io/read/01jp0zs0avkvgnykye9dghbhs5)) ^3bciqz

---

Scans like the SYN scan (also known as a half-open scan) are generally considered more stealthy because they do not complete the full handshake, leaving the connection incomplete after sending the initial SYN packet. This minimizes the chance of triggering connection logs while still gathering port state information. Advanced IDS/IPS systems, however, have adapted to detect even these subtler techniques. ([View Highlight](https://read.readwise.io/read/01jp0zsm8d9n1va76rgsnctt28)) ^2bjq98

---

When a port is shown as filtered, there can be several reasons. In most cases, firewalls have certain rules set to handle specific connections. The packets can either be `dropped` or `rejected`. When a packet gets dropped, `Nmap` receives no response from our target. ([View Highlight](https://read.readwise.io/read/01jp0zvr4z8snhwkg08wnhse01)) ^nt9udj

---

Since `UDP` is a `stateless protocol` and does not require a three-way handshake like TCP, we do not receive any acknowledgment. Consequently, the timeout is much longer, making the whole `UDP scan` (`-sU`) much slower than the `TCP scan` (`-sS`). ([View Highlight](https://read.readwise.io/read/01jp1018gqgabdz4z05kdpx3bv)) ^htsj48

---

Another disadvantage is that `Nmap` sends empty datagrams to the scanned UDP ports, and these often draw no response at all, so we cannot determine whether the UDP packet arrived. If the UDP port is `open`, we only get a response if the application is configured to send one. ([View Highlight](https://read.readwise.io/read/01jp102b5qmevp73njfqq9wy9g)) ^xnl2o5

---

Another handy method for scanning ports is the `-sV` option, which is used to get additional available information from the open ports. This method can identify versions, service names, and details about our target. ([View Highlight](https://read.readwise.io/read/01jp105bd14zas9vrqkyfc0738)) ^9mtgmp

---
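To make concrete why the notes above say a Connect scan shows up in logs while a SYN scan is subtler yet still detectable, here is an added Python example (written for these notes, not code from Hack The Box or Nmap) that replays constructed packet-summary lines, derives the open/closed/filtered state of each probed port the way the state table describes, and labels each source as completing the handshake (connect) or answering the SYN/ACK with RST (half-open). The log format, the addresses and the three-port threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet-summary lines "src dst dport flags" (S=SYN, SA=SYN/ACK,
# A=ACK, R=RST) standing in for a firewall or pcap summary; not a real capture.
# 10.0.0.5 completes each handshake; 10.0.0.9 answers every SYN/ACK with RST.
SAMPLE = """\
10.0.0.5 10.0.0.20 22 S
10.0.0.20 10.0.0.5 22 SA
10.0.0.5 10.0.0.20 22 A
10.0.0.5 10.0.0.20 22 R
10.0.0.5 10.0.0.20 443 S
10.0.0.20 10.0.0.5 443 R
10.0.0.5 10.0.0.20 445 S
10.0.0.9 10.0.0.20 22 S
10.0.0.20 10.0.0.9 22 SA
10.0.0.9 10.0.0.20 22 R
10.0.0.9 10.0.0.20 443 S
10.0.0.20 10.0.0.9 443 R
10.0.0.9 10.0.0.20 445 S
"""

def port_states(text):
    """Map (scanner, target) -> {port: state} by replaying each TCP exchange."""
    probes = defaultdict(dict)
    for line in text.splitlines():
        src, dst, port, flags = line.split()
        port = int(port)
        if flags == "S" and port not in probes[(src, dst)]:
            probes[(src, dst)][port] = "filtered"      # dropped unless a reply arrives
        elif port in probes.get((dst, src), {}):        # reply from the target
            probes[(dst, src)][port] = "open" if flags == "SA" else "closed"
        elif probes.get((src, dst), {}).get(port) == "open":   # scanner's answer to SYN/ACK
            probes[(src, dst)][port] = "open-connect" if flags == "A" else "open-halfopen"
    return probes

def scan_report(text, min_ports=3):
    """Flag sources probing >= min_ports ports on one target and label the technique."""
    report = {}
    for (scanner, target), ports in port_states(text).items():
        if len(ports) < min_ports:
            continue
        states = list(ports.values())
        full, half = states.count("open-connect"), states.count("open-halfopen")
        # connect scans finish the handshake, so the service itself logs them too
        kind = "connect" if full and not half else "syn" if half and not full else "mixed"
        report[(scanner, target)] = {"ports": len(ports), "open": full + half,
                                     "closed": states.count("closed"),
                                     "filtered": states.count("filtered"), "kind": kind}
    return report
```

A port that never draws a reply stays `filtered`, matching the dropped-packet case in the notes; an `RST` from the target marks it `closed`.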