Advanced Ethical Hacking - Nmap Scan Types Tutorial

3.1 Review of Scan Types

We're going to review some of the Nmap scan types. You may know or remember that Nmap is a port scanning utility, and it can use a number of different techniques to determine whether ports are open or not, and also what operating system is running on the host that you're scanning. So I just want to walk through some of the scan types that are pretty common in traditional use of Nmap.

The first thing is, I need administrative rights, and since I'm running this under a Mac in this particular case, I'm going to use sudo for that, and I'm going to run nmap. I'm going to run a SYN scan against the target. I didn't actually specify any ports in this case, so I'm just using the thousand or so well-known ports that Nmap uses by default. What I did here was just a simple SYN scan. With the SYN scan I am sending out a TCP synchronize (SYN) packet, and I am expecting a SYN/ACK back. So what I'm actually doing is leaving a connection half open, because I'm not replying with an ACK.

Now if I wanted to make a little less noise, because a lot of half-open connections may cause some eyebrows to be raised depending on what sort of intrusion detection or other monitoring utilities are being used, what I could do is a full TCP open scan, and that's -sT here. We should get the same ports back, and of course we do. So that's a TCP scan where I do the full handshake: I send the SYN, I get the SYN/ACK back, and then I send the ACK back. I do a full open on the TCP port.

Again, these are all TCP ports that we've been looking at so far. I could also do a UDP scan; -sU would be a UDP scan. UDP scans can take quite a lot of time, because I'm not doing a connection establishment, and so there's nothing to indicate whether the message to the port was actually received or not. I end up having to do a lot of retransmits if I don't get messages back, because I don't really know whether the message was received, whether the port wasn't listening, or what was going on. So UDP scans can take quite a lot of time, and I've seen cases where UDP scans take literally days to finish, depending on how far away the system is, how slowly the system is responding, and the number of ports that I'm actually scanning. In this case, again, I'm scanning just the default set of ports. If I were to scan all 65,000 ports, that could take quite a lot of time. So I'm going to kill that.

And of course there are oddball scans as well, but sometimes these are useful for firewall evasion, for example, or for other types of scans that may get less noticed. This would be a Christmas tree scan, where all of the TCP flags are lit up, and it's called a Christmas tree scan as a result: everything is lit up and it looks like the digital equivalent of a Christmas tree, I guess, if you want to think about it that way. So I'm doing a Christmas tree scan, and again I get the same ports that are open, but because of the way the target responds, we can't really tell whether a port is open or whether it's just filtered, in other words whether there is a firewall in between or not. So that's just a few of the basic Nmap scans, and we'll get into some advanced scanning in the next lesson.
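To put the three TCP scan styles described above side by side as a sensor would see them, here is an added Python example (not from the lecture) that classifies constructed packet records: a half-open SYN scan (SYN, SYN/ACK, RST and never an ACK), a full connect scan (handshake completed) and Nmap's Christmas tree scan, which sets FIN, PSH and URG. The addresses, ports and the flag-letter shorthand are this example's own assumptions.

```python
from collections import Counter, defaultdict

# Constructed packet records as a sensor would log them: (src, dst, sport, dport, tcp_flags).
# Flag letters use the tcpdump/Wireshark shorthand S=SYN A=ACK R=RST F=FIN P=PSH U=URG.
# The addresses are lab placeholders chosen for this example, not the lecture's hosts.
CAPTURE = [
    # -sS style: SYN, SYN/ACK back, then a RST so the handshake is never completed
    ("10.0.0.5", "10.0.0.39", 40001, 22, "S"), ("10.0.0.39", "10.0.0.5", 22, 40001, "SA"),
    ("10.0.0.5", "10.0.0.39", 40001, 22, "R"),
    ("10.0.0.5", "10.0.0.39", 40002, 80, "S"), ("10.0.0.39", "10.0.0.5", 80, 40002, "SA"),
    ("10.0.0.5", "10.0.0.39", 40002, 80, "R"),
    # -sT style: the full handshake completes before the client closes the connection
    ("10.0.0.7", "10.0.0.39", 50001, 80, "S"), ("10.0.0.39", "10.0.0.7", 80, 50001, "SA"),
    ("10.0.0.7", "10.0.0.39", 50001, 80, "A"), ("10.0.0.7", "10.0.0.39", 50001, 80, "FA"),
    # -sX style: FIN, PSH and URG lit at once; an open port simply stays silent
    ("10.0.0.5", "10.0.0.39", 40003, 443, "FPU"),
]

def group_flows(packets):
    """Group packets by 4-tuple; the side seen first is the initiator and is tagged '>'."""
    flows = defaultdict(list)
    for src, dst, sport, dport, flags in packets:
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if rev in flows:
            flows[rev].append(("<", set(flags)))
        else:
            flows[fwd].append((">", set(flags)))
    return flows

def classify(history):
    """Label one flow from its flag history, mirroring the -sS / -sT / Christmas tree descriptions."""
    outbound = [f for d, f in history if d == ">"]
    if any(f == {"F", "P", "U"} for f in outbound):
        return "xmas"
    if outbound and outbound[0] == {"S"}:
        if any("A" in f and "S" not in f for f in outbound):
            return "full-connect"   # the initiator completed the handshake with an ACK
        if any(d == "<" and f == {"S", "A"} for d, f in history):
            return "half-open"      # got a SYN/ACK but never acknowledged it
    return "other"

def scan_report(packets, min_probes=2):
    """Count probe styles per source; report sources with at least min_probes flagged flows."""
    styles = defaultdict(Counter)
    for (src, _dst, _sport, _dport), history in group_flows(packets).items():
        label = classify(history)
        if label != "other":
            styles[src][label] += 1
    return {src: dict(c) for src, c in styles.items() if sum(c.values()) >= min_probes}
```

Running `scan_report(CAPTURE)` flags only 10.0.0.5, whose half-open and Christmas tree probes never complete a handshake; the single full-connect flow from 10.0.0.7 looks like an ordinary client until it repeats across many ports.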

3.2 Advanced Scanning

We're going to do a little advanced scanning with Nmap here. What I want to do is something called an idle scan. An idle scan makes use of IP in addition to doing some checking on TCP ports: of course ports live at the transport layer, where TCP is, but we're also going to be making use of the IP headers, in this case the IP identifier. The IP identifier is used to keep track of packet fragments.

So I'm going to start this scan off, and I actually want to save the output in this case, so I'm going to give it a file name. I'm saving it because we're going to load it into Dradis, just to have some record here. Now the IP address I've given here is the quote-unquote zombie host that we're going to be bouncing messages off. Although we're not actually bouncing messages off it, it's going to appear as though we are. In this case I could also have used -Pn to prevent Nmap from pinging the system that we're actually scanning. Nmap traditionally does a ping to determine whether the system is up and whether we actually need to scan it. But if I've pinged it, then that system knows about me.

What I'm actually doing here is bouncing messages, sort of, through this system. How that works is that Nmap sends messages to my target, which is the .39, with a spoofed source IP address of the .1 here. As a result, the replies are going to go back to .1. So you may be wondering: if responses are going back to .1, how am I supposed to know whether the port is open or not? The reason we can tell is that we keep sending messages to .1 as well, and we check the IP identification header and determine how that identification number has been incremented.

If it increments one way, then we know that the target didn't actually reply. If it increments another way, then we know that it got a different type of response. So based on how many numbers the IP ID header field increments, we can make some determinations about how the target replied, because in between we keep checking the IP ID field and see how it has changed based on the messages that we send and the messages that we send pretending to be the zombie. As a result, we end up keeping track of the ports that appear to be open.

So you can see that we did this zombie scan, or idle scan: we bounced messages out, appearing to be from this IP address, to this IP address, and we did get the set of open ports back. In this case it looks pretty complete; it looks like the same set of ports that we got back when we did the SYN scan and the full TCP open scan as well. So if you pick the right host, you can get some pretty accurate results. When I say the right host, I mean you need to find one that's not getting a lot of traffic. If it is getting a lot of traffic, then the IP ID header field is going to increment in ways that we can't predict. It's called a zombie scan because the host that we're bouncing through is just not doing much of anything; it's a bit of a zombie. So if you pick the right zombie host, you can get pretty accurate results on your target, using that zombie host to mask your identity. That's really the point of doing an idle scan: you want the real target not to know about you, so you use this other host, which can't be tracked back to you, to bounce the scans through.

3.3 Scripting Engine

At this point, we've done some basic scanning, and we've also done a little bit of advanced scanning with Nmap. One of the other capabilities Nmap has is that we can write scripts that Nmap executes to do more advanced things, such as probing open ports or checking for the existence of particular web applications, based on the ports that it finds. Scripts for Nmap are written in the language Lua, and I've got a script here that we're going to use to see whether we can find the WordPress login page.

There are some components of a script that are required by Nmap, or just components that Nmap makes use of. Here is the description, and we've got an author, the license, and some categories. I don't actually have the categories set, but there is a categories variable here as well. Then we're setting up some requirements: these are the different modules that the script is going to use. We're going to use the http module, shortport, and then stdnse; NSE is the Nmap Scripting Engine. We're going to use a port rule that makes use of http, so if we find one of the standard HTTP ports open, we're going to call this function.

So in the action, which is what gets run when the port rule gets triggered, I set a URI variable; I'm looking for /blog/wp/login.php. And I'm going to check first of all whether the web server actually responds with something useful when it doesn't find a page. Many web servers will respond with a 200 HTTP status, and 200 suggests that a page was found. So if, for example, there's a custom error page, the custom error page may reply with a 200 status, and we wouldn't get the 404 status that we're expecting on page not found. If we don't get the 404 that we expect, we're just going to generate a message saying that the web server error responses are unclear, and we're not even going to bother running the rest of the script.

Then, to check whether the page is there or not, we've got this line where we call the HTTP HEAD request on the host and port that were found, using the URI string from above. If we get a response and the response status is 200, we return a string that says "WordPress login page found" and give the URL of that WordPress login page.

So I can actually run this script now. I'm going to say --script wordpress and then give it a website. We're going to run Nmap and only check port 80; you can see here we're only checking port 80, and it's going to run the script. So we found port 80 to be open, and you'll note that this is where the message that we created in the script is printed: it says WordPress login page found, and right here is the script that was used to generate this message, along with the URL where we found it.

So the scripting engine gives us a lot of capabilities to check for different things using Nmap, without getting into more complex vulnerability checking tools. We can write our own scripts to do custom checks for various things, in order to make some determinations as to what we may do next, just from looking at the Nmap scan.
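The logic the script above implements, rewritten as an added standalone Python example rather than Lua/NSE (it is not the lecture's script): a 404 sanity check on a nonsense path before the HEAD request for the login URI. Two tiny loopback servers stand in for a normal site and for one whose custom error page answers 200 to everything; those servers, the canary path and the function names are this example's own assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_URI = "/blog/wp/login.php"        # the path the lecture's script probes
CANARY_URI = "/no-such-page-4f9a1c"     # constructed path that should never exist

class StrictSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a normal site: 200 only for the login page, 404 otherwise."""
    def do_HEAD(self):
        self.send_response(200 if self.path == LOGIN_URI else 404)
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

class SoftErrorSite(StrictSite):
    """Constructed stand-in for a site whose custom error page answers 200 to everything."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

def start_server(handler):
    """Serve the given handler on a free loopback port in a daemon thread; return the port."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def head_status(host, port, uri):
    """Issue one HEAD request (as the script does with http.head) and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("HEAD", uri)
    status = conn.getresponse().status
    conn.close()
    return status

def check_wp_login(host, port):
    """Mirror the script's action: bail out when 404 handling is unclear, else HEAD the login URI."""
    if head_status(host, port, CANARY_URI) != 404:
        return "web server error responses are unclear, skipping check"
    if head_status(host, port, LOGIN_URI) == 200:
        return "WordPress login page found: http://%s:%d%s" % (host, port, LOGIN_URI)
    return None

if __name__ == "__main__":
    for site in (StrictSite, SoftErrorSite):
        print(site.__name__, "->", check_wp_login("127.0.0.1", start_server(site)))
```

Without the canary request, the soft-404 site would be reported as having a WordPress login page for any path at all, which is exactly the false positive the script's first check prevents.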

3.4 Investigating Scan Types with Wireshark

We've been doing some scanning with Nmap at this point: some basic scanning, some advanced scanning, and we've even written some scripts. Now I think it's useful to take a look at the actual network layer details of these different scan types and how they behave on the wire. The one I really wanted to show was the idle scan, or zombie scan, because it's not a straightforward scan.

You can see that with this packet on the very top, we're sourcing a message to the zombie; this is where we're actually probing the zombie. You can see that we're sending a SYN/ACK. The reason for sending a SYN/ACK is to make sure that we get a reset (RST) in return, since a SYN/ACK without the server actually having sent a SYN to us would be, not really illegal, but certainly not an expected message, and so the system is going to respond with a reset. You'll see several of these messages, and the reason for sending them is that we want to see the behavior of the IP identification field right here. We want to see what the behavior is over several interactions. So we send a SYN/ACK and we get a reset back, and you can see the identification field is 11620. The next one is 11621, and the next one is 11622. What we're seeing is incremental behavior in the IP ID field.

Then what we do is send a whole bunch of SYN/ACKs, and we continue checking the IP ID field. Based on that behavior, we can send messages to the actual target, which is .39. So we're sending out a message from .1 to .39, we send several of those, and then eventually we send a message to .1 to see what the behavior of the IP ID field is. Right here we've got a message that we are sending from our IP address to the zombie host, or the idle host, and then we check the IP ID field: 11641. Based on that, we can determine whether the ports that we have checked are open or not. So we continue sending these spoofed-source messages, and periodically we go and check the IP ID field, and based on what we expect the IP ID to be, we can make determinations about ports being open.

The other thing I wanted to show you was the script that we ran using the Nmap scripting language. There is a message in here where we check for the location of a particular page, and actually the first thing we do is check whether we get a 404. So there is a message where we request a page that shouldn't be there, and you can see right here that we get an HTTP response with the message 404 Not Found. That's the response code we got, so we know we've got a server that will actually generate a 404. Then we issue the HEAD request to see whether this particular page exists or not, and of course we get a 200 OK to that. Prior to that, there would have been messages from us to port 80, which is the HTTP port, to see whether the server actually existed, and this is the message right here. This is where we check whether that port is actually listening, and because we got a response, we go ahead with the requests.

So that's what a couple of different scan types look like in Nmap. It's always useful to go and check what's actually happening on the network, and not just what the application tells you. Looking at the packet-by-packet details of any particular action is a really great way of understanding what's actually happening, particularly when you're talking about scans, and especially something like an idle scan, where we're using spoofed messages and a zombie host.
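To make the IP ID bookkeeping of sections 3.2 and 3.4 concrete, here is an added Python model (not the lecture's or Nmap's code; it sends no packets) of a zombie whose IP ID counter grows by one for every packet it emits, starting at the 11620 seen in the capture. It walks through the probe, spoofed SYN, probe-again sequence and shows why a busy zombie makes the inference unusable. The class and function names are this example's own assumptions.

```python
class Zombie:
    """Model of an idle host with one global IP ID counter that grows by one per packet sent.
    Constructed for this example; the start value is the 11620 from the Wireshark capture."""
    def __init__(self, start_ipid=11620, background_traffic=0):
        self.ipid = start_ipid
        self.background_traffic = background_traffic  # unrelated packets sent between our probes

    def send_packet(self):
        """Any packet the zombie emits (a RST to anyone) consumes one IP ID."""
        self.ipid += 1
        return self.ipid

    def answer_probe(self):
        """Our unsolicited SYN/ACK makes the zombie reply with a RST whose IP ID we can read."""
        for _ in range(self.background_traffic):
            self.send_packet()  # a busy zombie talks to other hosts while we wait
        return self.send_packet()

class Target:
    """Model of the scanned host; a firewall dropping the SYN looks exactly like a closed port."""
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_spoofed_syn(self, port, zombie):
        """A SYN that appears to come from the zombie. Open port: the target sends SYN/ACK to the
        zombie, which answers RST and burns an IP ID. Closed port: the target sends RST, which the
        zombie silently ignores, so no IP ID is consumed."""
        if port in self.open_ports:
            zombie.send_packet()

def idle_probe(zombie, target, port):
    """One round of the idle scan as described in 3.2 and 3.4: probe, spoofed SYN, probe again."""
    before = zombie.answer_probe()            # e.g. 11620: the RST to our first SYN/ACK
    target.receive_spoofed_syn(port, zombie)  # SYN to the target with the zombie as source
    after = zombie.answer_probe()             # read the counter again
    delta = after - before
    if delta == 2:
        return "open"             # one RST to the target plus the RST to us
    if delta == 1:
        return "closed|filtered"  # only the RST to us moved the counter
    return "unknown"              # extra traffic (or a randomized IP ID) makes the delta meaningless

if __name__ == "__main__":
    quiet, busy = Zombie(), Zombie(background_traffic=3)
    target = Target(open_ports={22, 80})
    for port in (22, 23):
        print(port, idle_probe(quiet, target, port), idle_probe(busy, target, port))
```

A host that randomizes its IP ID, or uses a separate counter per destination, never yields a clean delta of 1 or 2, which is why such hosts cannot serve as zombies and why that is the usual mitigation on the zombie side.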

3.5 Importing Results to Dradis

At this point we're done scanning. We've got all of the results that we need, so what I want to do is load them into Dradis, and then we can start moving them around and make sure that they are in the right place. I have an Nmap file that I created as a result of doing the Nmap scans; this is the file right here, and we're going to import it and wait for it to be done. It says it's done. Now I can go back to Dradis, and you'll see that we've got nmap right here. If I open this up, we've got all of the ports that were open.

What I want to do is drag this up under my internal testing branch, and at this point I'm going to rename it to Nmap results. Now I can click on each one of these, and I'll get just an indication that the port is open. There's not much of a note here. I could actually add notes along the lines of "I checked this and there is really nothing there", so for example "nothing of substance to follow up on". In this case, for this particular port, that's probably not true: this is the FTP port, and I probably want to do a little bit more checking on that. But just to show you that I could add a message or a note here, I'm going to assign it to manual test results.

So I've got my Nmap results, I've loaded them into Dradis, and we've put them into the appropriate branch. I could go down at this point and delete this node, because we've removed the data from it and put it into the branch that we want it to be in. I've got my Nmap results, and I've got all of the ports here, and as I said, I could make notes as to the ones I wanted to follow up on, and the ones that I didn't follow up on were the ones I didn't think were worth following up on. Just to annotate the work that we're doing and make sure that I've covered all of my bases at this point before we move forward, or at least flag things that I want to do a little bit later on, once we get through the automated stages.
