#readwise

# Nmap Port Scanning Techniques

![rw-book-cover](https://readwise-assets.s3.amazonaws.com/static/images/article4.6bc1851654a0.png)

## Metadata

- Author: [[nmap.org]]
- Full Title: Nmap Port Scanning Techniques
- URL: https://nmap.org/book/man-port-scanning-techniques.html

## Summary

Nmap supports various port scanning techniques to identify open, closed, and filtered ports. The SYN scan is the default and fastest method, while the TCP connect scan establishes a full connection when SYN scan isn't possible. Nmap also includes UDP scanning, which is slower and can be combined with TCP scans. Some advanced options allow users to customize their scans with specific TCP flags for more nuanced results.

## Highlights

Only one method may be used at a time, except that UDP scan (`-sU`) and any one of the SCTP scan types (`-sY`, `-sZ`) may be combined with any one of the TCP scan types. ... By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). ^l4kawq

---

`-sS` (TCP SYN scan)

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the `open`, `closed`, and `filtered` states. This technique is often referred to as half-open scanning, because you don't open a full TCP connection. ([View Highlight](https://read.readwise.io/read/01jpcsx8ttgtndfa2qhhk90awe)) ^rrwdee

---

`-sT` (TCP connect scan)

TCP connect scan is the default TCP scan type when SYN scan is not an option.
This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the `connect` system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.

... When SYN scan is available, it is usually a better choice. Nmap has less control over the high level `connect` call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. ^lkdkl6

---

`-sU` (UDP scans)

While most popular services on the Internet run over the TCP protocol, [UDP](http://www.rfc-editor.org/rfc/rfc768.txt) services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.

UDP scan is activated with the `-sU` option. It can be combined with a TCP scan type such as SYN scan (`-sS`) to check both protocols during the same run.

UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase response rate, but for most ports the packet is empty unless the `--data`, `--data-string`, or `--data-length` options are specified.

... A big challenge with UDP scanning is doing it quickly.
Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in `net/ipv4/icmp.c`).

Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per second makes a 65,536-port scan take more than 18 hours. Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using `--host-timeout` to skip slow hosts. ^rolw1i

---

`-sN`; `-sF`; `-sX` (TCP NULL, FIN, and Xmas scans)

These three scan types (even more are possible with the `--scanflags` option described in the next section) exploit a subtle loophole in the [TCP RFC](http://www.rfc-editor.org/rfc/rfc793.txt) to differentiate between `open` and `closed` ports. Page 65 of RFC 793 says that “if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.” Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: “you are unlikely to get here, but if you do, drop the segment, and return.”

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open.
As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. ^7i3toz

- Nmap exploits this with three scan types: ^fkfywl
  - Null scan (`-sN`): Does not set any bits (TCP flag header is 0).
  - FIN scan (`-sF`): Sets just the TCP FIN bit.
  - Xmas scan (`-sX`): Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered `closed`, while no response means it is `open|filtered`. The port is marked `filtered` if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. ^bwrh83

The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though—most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled `closed`. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish `open` ports from certain `filtered` ones, leaving you with the response `open|filtered`. ([View Highlight](https://read.readwise.io/read/01jpctzvg8mzj9hcm8v8ac2gkg)) ^ccmap0

---

`-sA` (TCP ACK scan)

This scan is different than the others discussed so far in that it never determines `open` (or even `open|filtered`) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered. The ACK scan probe packet has only the ACK flag set (unless you use `--scanflags`).
When scanning unfiltered systems, `open` and `closed` ports will both return a RST packet. Nmap then labels them as `unfiltered`, meaning that they are reachable by the ACK packet, but whether they are `open` or `closed` is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled `filtered`. ([View Highlight](https://read.readwise.io/read/01jpcv1cynbnyx3em1prq3c11b)) ^ph1o58

---

`-sM` (TCP Maimon scan)

The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in *Phrack* Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to [RFC 793](http://www.rfc-editor.org/rfc/rfc793.txt) (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open. ([View Highlight](https://read.readwise.io/read/01jpcv3y773vsybrze05n7z7h1)) ^oa6vgv

---
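The UDP scan highlights above (`-sU`) describe two things worth seeing in code: what a protocol-specific probe for ports 53 and 161 actually looks like on the wire, and how a reply (or its absence) turns into a port state. The block below is an added example written for this note; it is not Nmap's own code, and Nmap ships its own payload table. The DNS `version.bind` TXT/CHAOS query and the SNMPv1 `GetRequest` are this example's constructions of the same idea, and the helper names (`udp_probe_payload`, `classify_udp_reply`, `closed_port_floor_seconds`) are assumptions. The reply-to-state rules follow the full `-sU` text of the man page, part of which the highlight elides: ICMP type 3 code 3 means `closed`, other listed unreachable codes mean `filtered`, a UDP answer means `open`, and silence after retransmissions means `open|filtered`.

```python
"""UDP probe payloads and reply classification in the style of Nmap's -sU.

Added example, not Nmap source. Nmap ships its own protocol-specific
payloads; the DNS and SNMP packets built here are this example's own
constructions of the same idea, and the helper names are assumptions.
"""
import struct


def dns_txt_chaos_query(name: str = "version.bind", txid: int = 0x1234) -> bytes:
    """A DNS query for <name> TXT in class CHAOS, the classic port-53 probe."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 3)          # QTYPE=TXT, QCLASS=CH


def ber_tlv(tag: int, content: bytes) -> bytes:
    """BER TLV with short-form length (enough for probes under 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(content)]) + content


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER, minimal big-endian with the sign bit kept clear."""
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ber_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return ber_tlv(0x06, bytes(out))


def snmp_v1_get_request(community: str = "public",
                        oid=(1, 3, 6, 1, 2, 1, 1, 1, 0), request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest for one OID (sysDescr.0 by default), the classic
    port-161 probe: an agent that answers at all proves the port is open."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")              # { OID, NULL }
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
                  + ber_tlv(0x30, varbind))                          # GetRequest-PDU
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)


def udp_probe_payload(port: int, user_data: bytes = b"") -> bytes:
    """Payload for one probe: user-supplied data wins (like --data), a few
    well-known ports get a protocol-specific packet, everything else is empty."""
    if user_data:
        return user_data
    return {53: dns_txt_chaos_query(), 161: snmp_v1_get_request()}.get(port, b"")


def classify_udp_reply(reply) -> str:
    """reply is ('UDP', payload), ('ICMP', type, code), or None when nothing
    came back after retransmissions. Mirrors the -sU rules of the man page."""
    if reply is None:
        return "open|filtered"            # silence: open, or a filter ate the probe
    if reply[0] == "UDP":
        return "open"                     # the service answered
    if reply[0] == "ICMP" and reply[1] == 3:
        if reply[2] == 3:
            return "closed"               # port unreachable
        if reply[2] in {0, 1, 2, 9, 10, 13}:
            return "filtered"             # other unreachables: something in the way
    raise ValueError(f"unhandled reply {reply!r}")


def closed_port_floor_seconds(closed_ports: int, icmp_per_second: float = 1.0) -> float:
    """Lower bound on scan time against a host that rate-limits ICMP
    unreachables: every closed port costs at least one such message."""
    return closed_ports / icmp_per_second


if __name__ == "__main__":
    print("port 53 payload: ", dns_txt_chaos_query().hex())
    print("port 161 payload:", snmp_v1_get_request().hex())
    print("65536 closed ports at 1 ICMP/s: %.1f hours"
          % (closed_port_floor_seconds(65536) / 3600))
```

Sending these bytes needs nothing more than a plain UDP socket, which is why `-sU` does not require raw-packet privileges for the probe itself; reading the ICMP errors back is the part that does. The time floor only counts closed ports, which is exactly why the man page suggests scanning the popular ports first: a short list of open or filtered ports times out in parallel, while a long list of closed ports is serialized by the target's ICMP rate limit.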
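The TCP highlights above (`-sS`/`-sT`, `-sN`/`-sF`/`-sX`, `-sA`, `-sM`) all come down to the same two questions: which flags go in the probe, and how the target's reply maps to a port state. The block below is an added example written for this note, not Nmap's code: it simulates the target side with three stack models taken from the page (`rfc793` for stacks that follow the CLOSED/LISTEN rules quoted above, `windows` for stacks that answer every NULL/FIN/Xmas probe with a RST, and `bsd` for the BSD-derived stacks that drop a FIN/ACK on an open port), parses a `--scanflags` value the way the man page describes (a number such as 9, or flag names mashed together), and applies the reply-to-state tables from the highlights. All function and variable names are this example's own. It builds no packets and sends nothing; it exists to make the failure modes visible, such as every port reading `closed` under a Windows-style stack or the Maimon probe collapsing to `closed` on an RFC-compliant one.

```python
"""Simulated Nmap TCP scan verdicts: probe flags, target stack behaviour, and
the reply-to-state mapping for -sS/-sT, -sN/-sF/-sX, -sA and -sM.

Added illustration, not Nmap source. The "rfc793" stack model follows the
RFC 793 CLOSED/LISTEN rules quoted on the page; "windows" models stacks that
answer every NULL/FIN/Xmas probe with a RST; "bsd" models BSD-derived stacks
that drop a FIN/ACK (Maimon) probe on an open port. All names are this
example's own.
"""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}

# Flags each scan type puts in its probe segment, per the page's descriptions.
SCAN_PROBE_FLAGS = {
    "-sS": SYN,              # SYN (half-open) scan
    "-sT": SYN,              # connect scan: the OS sends the SYN on Nmap's behalf
    "-sN": 0,                # NULL scan
    "-sF": FIN,              # FIN scan
    "-sX": FIN | PSH | URG,  # Xmas scan
    "-sA": ACK,              # ACK scan
    "-sM": FIN | ACK,        # Maimon scan
}

# ICMP type 3 codes that Nmap reports as "filtered" for these scan types.
ICMP_UNREACH_FILTERED = {0, 1, 2, 3, 9, 10, 13}

# Reply -> port state per scan family; None means no reply after retransmissions.
REPLY_TO_STATE = {
    "syn":  {"SYN/ACK": "open", "RST": "closed", None: "filtered"},
    "null": {"RST": "closed", None: "open|filtered"},
    "ack":  {"RST": "unfiltered", None: "filtered"},
}
SCAN_FAMILY = {"-sS": "syn", "-sT": "syn", "-sN": "null", "-sF": "null",
               "-sX": "null", "-sM": "null", "-sA": "ack"}


def parse_scanflags(spec: str) -> int:
    """Parse a --scanflags value: a number (e.g. 9 or 0x29) or flag names
    mashed together in any order, e.g. 'URGACKPSHRSTSYNFIN' or 'FINPSHURG'."""
    spec = spec.strip()
    try:
        return int(spec, 0)
    except ValueError:
        pass
    flags, rest = 0, spec.upper()
    while rest:
        name, rest = rest[:3], rest[3:]
        if name not in FLAG_NAMES:
            raise ValueError(f"unknown TCP flag {name!r} in --scanflags {spec!r}")
        flags |= FLAG_NAMES[name]
    return flags


def hits_rfc793_loophole(flags: int) -> bool:
    """True if a probe carries none of SYN, RST, ACK, so a compliant stack
    answers RST only when the port is closed (the NULL/FIN/Xmas trick)."""
    return flags & (SYN | RST | ACK) == 0


def target_reply(probe_flags: int, port_open: bool, stack: str = "rfc793"):
    """Simulated target: returns 'SYN/ACK', 'RST', or None (segment dropped)."""
    if probe_flags & RST:
        return None                       # an incoming RST never gets a reply
    if not port_open:
        return "RST"                      # CLOSED: any non-RST segment -> RST
    if probe_flags & ACK:
        # LISTEN: RFC 793 says an ACK gets a RST; BSD-derived stacks instead
        # drop the FIN/ACK Maimon probe, which is what makes -sM work there.
        if stack == "bsd" and probe_flags & FIN:
            return None
        return "RST"
    if probe_flags & SYN:
        return "SYN/ACK"                  # normal handshake response
    # No SYN/RST/ACK: RFC 793 says drop; Windows, Cisco, etc. send RST anyway.
    return "RST" if stack == "windows" else None


def classify(scan: str, reply) -> str:
    """Map a reply ('SYN/ACK', 'RST', None or ('ICMP', type, code)) to Nmap's
    port state for the given scan type."""
    if isinstance(reply, tuple):          # ICMP error instead of a TCP segment
        _, icmp_type, code = reply
        if icmp_type == 3 and code in ICMP_UNREACH_FILTERED:
            return "filtered"
        raise ValueError(f"unhandled ICMP reply {reply!r}")
    table = REPLY_TO_STATE[SCAN_FAMILY[scan]]
    if reply not in table:
        raise ValueError(f"{scan} cannot receive {reply!r}")
    return table[reply]


def scan_port(scan: str, port_open: bool, stack: str = "rfc793", scanflags=None) -> str:
    """One probe against the simulated stack; returns Nmap's verdict."""
    flags = SCAN_PROBE_FLAGS[scan] if scanflags is None else parse_scanflags(scanflags)
    return classify(scan, target_reply(flags, port_open, stack))


if __name__ == "__main__":
    for stack in ("rfc793", "bsd", "windows"):
        for scan in SCAN_PROBE_FLAGS:
            print(f"{stack:8} {scan}: open -> {scan_port(scan, True, stack):14}"
                  f" closed -> {scan_port(scan, False, stack)}")
```

Running it prints one verdict table per stack model. The `windows` rows are the caveat from the NULL/FIN/Xmas highlight in tabular form: every port reads `closed`, open or not, so a Windows-only result of "all closed" from `-sF` should be re-checked with `-sS`. Conversely `-sA` gives `unfiltered` for both states on every model, which is the point of the ACK scan: it maps what a firewall lets through, never what is listening.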