To understand the background of scanning, we should know some basic thing about the “three-way handshake” that occurs during a network connection. The three-way handshake is another way of describing the SYN/ACK method. When a computer sends a “Hello” signal to a target machine, it actually sends a SYN packet. After receiving this packet, if the target is listening, it will normally respond with a SYN/ACK packet. When the first computer receives this SYN/ACK packet, it will respond back to the target machine with an ACK packet. This way, the three-way handshake is accomplished.

The SYN/ACK handshake is analogously described by talking on the phone (back on the old days when there weren’t caller id’s!). When we dial some number, we basically send a SYN signal, when the target answers the phone saying “Hello?”, it actually is a SYN/ACK packet, meaning “I’m listening?”, after that when we introduce ourselves as in “Hi, I’m calling from VeriTeknik”, then we’re sending the last ACK packet.

Now since we understand what SYN, SYN/ACK and ACK means, we can start digging around with nmap and see what it uses these information for.
By the way, for what it’s worth, SYN stands for synchronize and ACK stands for acknowledge.

The TCP Scan

Like we’ve discussed earlier in our target specification post, nmap executes a TCP scan with the -sT option. A TCP scan is accomplished with the full three-way handshake, meaning that when we ask nmap to execute a TCP scan on a port on some target, it will send a SYN, wait for the SYN/ACK and send back the ACK, after these, it will tell us that the port is open (or closed). Since we’re going all the way through with the three-way handshake in this method, even though it seems the most reliable one on standard targets (not behind firewall etc.) it has the slightest possibility to flood the target.

Here’s is the basic command to perform one.

$ nmap -sT 10.20.30.40

The SYN Scan

This is the most popular scan type of nmap. In fact, it is also the default option on nmap, meaning if you don’t specify any scan type, nmap will use the default SYN scan method.

The SYN scan is popular because it is faster. This comes from the fact that it doesn’t complete the three-way handshake. It only goes through the two steps of the handshake, first sending the SYN packet, waiting for a SYN/ACK packet, after this, instead of sending an ACK packet, it sends an RST (reset) packet, which tells the target to disregard any previous packets and close the connection between the two machines. The advantage of this is that the RST packet is much smaller than the ACK packet. Even though it may sound like one tiny packet won’t change much, when you add up hundreds (or thousands) of ports on multiple hosts, tiny packets do matter! Also, sending less information to the target always means less possibility to flood it.

$ nmap -sS 10.20.30.40
$ nmap 10.20.30.40

The UDP Scan

Overlooking the UDP scanning technique is a common rookie mistake. Even though most services use the TCP ports today, UDP ports are still essential and cause security vulnerabilities. Also, UDP ports are as useful as TCP ports for getting information on the system.

Note that both TCP and SYN scanning use the TCP method of connection. There are basically two methods for computers to communicate, either the TCP (Transmission Control Protocol) or the UDP (User Datagram Protocol). TCP ensures that the packets sent from one computer to another arrive at the receiver intact and in the order they were sent. But, UDP has no such mechanism, it just sends the data and we never know whether it arrived to the target or not. There are many advantages and disadvantages between the two technologies including speed, reliability, error checking etc. The important thing is to know which one to use under your case.

Comparing the UDP scan to our analogous example of the phone call, it is often described with a mailing system. It is like when we write a mail (not an e-mail, the regular ones!), put a stamp on it, no return address and put it in the mailbox. Maybe sometime the post officer will pick it up, deliver it to the address. You’ll never know if the mail reached its destination or not, and the receiver might not know the origin.

$ nmap -sU 10.20.30.40

Don’t forget that even though people tend to think that services run on TCP ports, a lot of them still stick with the UDP ones, such as DNS, DHCP, SNMP, or TFTP.

The Xmas Scan

This scan method is based on the technical descriptions on the RFC 793 (page 65) of TCP. If the target operating system is bound to the RFC, then when dealing with TCP connections it should obey the following two rules.

* If a closed port receives a packet that doesn’t have a SYN, ACK or RST flag, the port should respond with an RST packet of its own.
* If an open port receieves a packet that doesn’t have a SYN, ACK or RST flag, the packet should be ignored.

So, according to these rules, if a send a packet that doesn’t contain any one of SYN, ACK and RST, and if the relevant port does not answer back, that port should be open. So when we tell Nmap to perform a Xmas scan on a target, it simply sends FIN, PSH and URG packet flags on. The name Xmas comes from the fact that it has so many flags set to “on” as if it lights like a Christmas tree!

The problem with this scan type is that we assume the target operating system fully complies with the RFC standard of the TCP. Linux and Unix operating systems do, but Microsoft operating systems don’t. Ironically this makes Linux systems vulnerable to this scan type.

$ nmap -sX -p- -PN 10.20.30.40

Null Scan

This type of scanning is almost the same with the Xmas scanning method. Instead of switching some of the flags “on”, with the Null scan, Nmap switches everything “off”. This way, the closed ports will respond with a RST flag. (if the operating system complies with the RFC standards)

These type of scans are important when scanning a system behind firewalls. Some firewalls block communication establishment by filtering SYN packets. Since our scanning packets with the Xmas and Null scans don’t have a SYN packet, the firewall won’t filter it. Well, bear in mind that since we don’t have a SYN packet, it is not possible to establish a connection, but the point is scanning for ports, and that is possible without a SYN packet!

$ nmap -sN -p- -PN 10.20.30.40

FIN Scan

This is also almost the same with Xmas and Null scans, this time, nmap only sends the packet with the FIN flag “on”.

$ nmap -sF -p- -PN 10.20.30.40

ACK Scan

This scan type does not directly look for open ports. Instead it tests whether our ACK packets reach the ports or not. By default, it only has the ACK flag set. An unfiltered (ex. no firewall) system would return with RST packets when an ACK packet reaches it, regardless of the port state being open or closed. If a port doesn’t respond, or it responds with ICMP error messages, nmap will label it as filtered, if the port responds with an RST packet, it will be labeled as “reachable”. Detecting if reachable ports are open or not, is not checked by this scan. This type of scan is very useful to check the security of a target.

$ nmap -sA -p- -PN 10.20.30.40

Window Scan

This one is similar to the ACK scan, but categorizes the port filtered or unfiltered depending on the value the returning package’s RST flag is. On some systems open ports have a positive window size, but the closed ports have a window size equal to zero. So when a port replies RST, instead of labeling it as unfiltered (like it does in ACK scan), nmap will read the TCP Window value of the RST package. If the value is zero, the port is filtered, if it has a positive value, it is labeled as unfiltered. This type of scan does not work on most of the systems. In fact, if most of the ports you scan from 1000 ports are open, and only a few are closed, it is possible that the values are incorrect, the few closed ones might be the open ports and the open labeled ones might be the closed ones.
So, things can get the other-way around, use the feedback with caution!

$ nmap -sW -p- -PN 10.20.30.40

Additional Options for Detailed Information

Lastly, there are a few options to remember that can give us great detail about the target system.

Version detection : The -sV switch tries to determine what version of a service is running on a detected open port. This is great when scanning either UDP ports or unusual ports. If you find an unusual port number to be open, a version scan might tell you whether it is an SSH service running or an HTTP.

Operating System detection : The -O switch is for determining the operating system of the target. This does not 100% work but it does give some clues. It also tries to determine the kernel version, if it fails to get the kernel version, it sometimes reports possibilities in percentages.

Another option for Operating System and Version detection is the -A switch. This does not provide as much detail as the -O option but is still useful.

The Speed : You can choose the speed of each scan with the -T switch. The timing switch ranges on a numeric scale from 0 to 5, with 0 being the slowest scan.

It is important to know the backgrounds of a scan when executing it. Otherwise the results would seem meaningless to the scanner. Go ahead and try scanning your own systems. Don’t forget that if you have multiple servers, nmap also has a nice way of dealing with target specification.

The post Nmap : Scanning Methods appeared first on VeriTeknik.

There are several methods to scan ports. One of them is the “TCP” scanning method. With this method, nmap will try to establish a TCP connection with each of the port to be scanned on the target. If we don’t specify any ports, nmap will scan these. This speeds up the process a lot! Below, you’ll find an example of TCP scan on every port on the target machine.

$ nmap -sT -p- -PN 10.20.30.40

When we break down the arguments, things will get clearer.

-sT : The -s there indicates what method to use to scan, so the following T says its a TCP scan.
-p- : With this we tell nmap to scan every port on the target. Normally, nmap has a predefined list of 1000 ports that are widely used. To scan only the default 1000 ports, just don’t use this flag. Alternately you can tell which specific range of ports to scan. For example to scan the ports 21,23 and 25, we specify it as -p21,23,25 or to scan every port between 21 and 25, -p21-25. If we want to scan everything between 21 and 25 plus the 80’th port, it goes like this : -p21-25,80
-PN : This options tells nmap to skip the host discovery, which means it’ll assume that every target we specify are online. Use this if you’re only sure that the host is online, when we specify a lot of targets, and a lot of ports on these targets, host discovery will come in as a handy time saver.

Target specification in a clever way is very important if you’re willing to scan multiple targets. Below, we’ll talk about how detailed we can specify targets on nmap.

The simplest way for telling nmap to scan 2 targets,

$ nmap -sT -p21-25,80,8080 10.20.30.40-60 192.168.16.4 192.168.16.5

The above will do the same thing with the notation below,

$ nmap -sT -p21-25,80,8080 10.20.30.40-60 192.168.16.4,5

Nmap can also understand various notations at the same time when specifying target addresses. For example we can specify a network with it’s CIDR notation, and use partial definitions on different subnet blocks. Take a look at this example :

$ nmap -sT -p- -PN 192.168.1.0/16 10.20.30,31.40

Note that you cannot use the comma notation and the CIDR notation at the same time. So target specification such as 192.168.1,2.0/16 is NOT allowed.

You can also specify IPv6 using the -6 options. Below we’re scanning for the website my-ip6.com

$ nmap -sT -p21-25,80 -6 2a00:7300:1::4

Also note that with the IPv6 scanning, nmap does NOT support CIDR notation.

Needless to, we can also specify the target with its domain name.

$ nmap -sT -p- -PN plugged.in

Nmap can also get the targets from a text file if you can’t specify them in a sequential order. Just type your targets’ IP addresses line by line on a file and run it like this:

$ nmap -sT -p- -PN -iL my_targets_text_file

When you specify a range of addresses, it sometimes is crutial to NOT SCAN some members of that network. For this, nmap allows you to exclude addresses. This time we specify multiple “excluded targets” as comma separated, and as usual, it supports all the syntax supported for target specification. (hostnames, CIDR, netblocks, octet ranges, etc.)

$ nmap -sT -p- -PN 192.168.1.0/16 –exclude 192.168.16.30,192.168.1.10-15

Here’s a problem with this syntax of nmap, since the excluded targets are specified with commas, we can’t use commas to define subnets within the exclusion. For example we can specify targets such as 192.168.1,2.1 but this is not allowed within the exclusion since nmap will use the comma as a target exclusion delimiter.

The good thing is, just like specifying your targets in a text file, you can also specify you exclusion list too!

$ nmap -sT -p- -PN 192.168.1.0/16 –excludefile my_exclusion_text_file

And the last but not least, nmap has an option to scan random addresses. This is built specifically for research (and fun!) yet you should always use this option at your own risk, since some networks might detect you as a possible break-in attempt for scanning their system. It is also a good idea to you exclusion lists with this option.

$ nmap -sT -p80 -PN -iR 5

The number 5 above means that nmap will be scanning 5 addresses. So it will generate 5 random IP addresses. To generate infinate numbers of addresses, use the -iR option with the value 0.

Let’s end this post with a quoat from the man page of nmap,

“If you find yourself really bored one rainy afternoon, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers for browsing.”

The post Nmap : Target Specification in Detail appeared first on VeriTeknik.

First find out what the defined port range is

# cat /proc/sys/net/ipv4/ip_local_port_range
1024 4999

Know select the port range that you wan, I will define a port range of my desire but this is up to the network admin.
To change the port range you have two option

Edit with nano or vi /proc/sys/net/ipv4/ip_local_port_range
Or

echo “55001 65535” > /proc/sys/net/ipv4/ip_local_port_range

These will both change the port, chech this with # cat /proc/sys/net/ipv4/ip_local_port_range

To make these changes permanent as these definitions will vanish on every reboot you need to put a script in /etc/sysctl.conf

Nano or vi /etc/sysctl.conf
Add

# Controls Ephemeral Port Range (this is for the admin to remember what it is)
net.ipv4.ip_local_port_range = 55001 65535

Save
Exit
Reboot (if you like)
And you are done!

The post Ephemeral port range for FTP appeared first on VeriTeknik.