Monday, August 17, 2009

Scanning network for open ports with nmap command

SkyHi @ Monday, August 17, 2009
You can use the nmap tool for this job. It is flexible in specifying targets: you can scan an entire network, a selected set of hosts, or a single server. Nmap is also useful for testing your firewall rules. nmap is a network exploration tool and security / port scanner. According to the nmap man page:
It is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
nmap port scanning

TCP Connect scanning for localhost and network
# nmap -v -sT localhost
# nmap -v -sT
nmap TCP SYN (half-open) scanning

# nmap -v -sS localhost
# nmap -v -sS
nmap TCP FIN scanning

# nmap -v -sF localhost
# nmap -v -sF
nmap TCP Xmas tree scanning

Useful to see whether the firewall protects against this kind of scan:
# nmap -v -sX localhost
# nmap -v -sX
nmap TCP Null scanning

Useful to see whether the firewall protects against this kind of scan:
# nmap -v -sN localhost
# nmap -v -sN
nmap TCP Window scanning

# nmap -v -sW localhost
# nmap -v -sW
nmap TCP RPC scanning

Useful for finding RPC services (such as portmap):
# nmap -v -sR localhost
# nmap -v -sR
nmap UDP scanning

Useful for finding open UDP ports (-sU is the UDP scan; -O, shown later, is OS detection):
# nmap -v -sU localhost
# nmap -v -sU
nmap remote software version scanning

You can also find out which software version is listening on an open port.
# nmap -v -sV localhost
# nmap -v -sV
A note about Windows XP / 2003 / Vista version

Windows users may find the ipEye and IPSecScan utilities useful. Please note that Nmap also runs on Windows.

Scanning using Nmap
June 4, 2008 — fadils

In order to be a good penetration tester (pen tester), one should equip oneself with good scanning skills. By scanning, we mean trying to find “doors” through which to get into our authorized targets. Here we can think of “doors” as ports.

By knowing which ports are open, we know what kind of services are active on a system. Scanning can also reveal the running OS, giving us a general picture of our targets.

By scanning, we try to gather as much information as we can about the underlying systems of our targets so that we can prepare ourselves: we can choose the exploitation tools to use as well as the time-line of our penetration strategy. Note that timing is very important here because, as professional pen testers, we want to make the most of our time for our clients.

Nmap is one of the most popular tools for scanning. In this tutorial, I am going to show you some basic things you can do with Nmap.
- Ping Sweep

A ping sweep is a way to determine which computers are active on a network. It sends a ping (ICMP echo request) and a TCP SYN to each computer. An active computer replies to the ping, and from this reply we can see which computers are up.

The command to do this is:
nmap -sP ip_addrORdomainName

If you want to test only one host, then you can do it by issuing:
nmap -sP

You can also put the CIDR after the IP address in case you want to “sweep” a set of computers.

For example, the following command will scan all hosts under /24. That is,,,, and so on:
nmap -sP

And yes, you can put a domain name too. For example, if you want to scan, then the following command will do it:
nmap -sP

Note, though, that as ethical hackers we want to get written authorization before we try to get into someone’s system.
- Save the result into a file

We can write the result of our scan to a file by setting the -oA option. With -oA, we can hand our scan results over to our clients.

nmap -sP -PA -oA my-scan-result
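As an added example (not code from the tutorial), here is a small Python parser for the grepable .gnmap file that -oA writes next to the .nmap and .xml files, turning each port entry into a record that a client report can be built from. The scan output below is constructed sample data, not output of a real scan.

```python
import re

# Constructed sample .gnmap content (fields are tab-separated; each port entry is
# port/state/proto/owner/service/rpcinfo/version/).
SAMPLE_GNMAP = """\
# Nmap scan initiated Wed Jun  4 10:00:00 2008 as: nmap -sS -oA my-scan-result 10.0.0.0/24
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/closed/tcp//http///\tIgnored State: filtered (997)
Host: 10.0.0.21 (fileserver)\tStatus: Up
Host: 10.0.0.21 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done at Wed Jun  4 10:00:12 2008 -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_gnmap(text):
    """Return one (ip, hostname, port, proto, state, service) tuple per port entry."""
    records = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # header and footer comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = HOST_RE.match(line)
        if not m or "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        ip, hostname = m.group(1), m.group(2)
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, *_rest = entry.split("/")
            records.append((ip, hostname, int(port), proto, state, service))
    return records

def open_ports(records):
    """Map ip -> sorted list of (port, service) for ports reported open."""
    out = {}
    for ip, _name, port, _proto, state, service in records:
        if state == "open":
            out.setdefault(ip, []).append((port, service))
    return {ip: sorted(v) for ip, v in out.items()}

def hosts_offering(records, service):
    """Hosts with the named service open, e.g. 'telnet' as discussed later on."""
    return sorted({r[0] for r in records if r[4] == "open" and r[5] == service})
```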
- Ping Sweep (Bypassing a stateful firewall)

Before we go on, it is important to review how a TCP connection is established through the three-way handshake. In the first stage, the sender sends a TCP SYN to the receiver. In the second stage, the receiver replies with SYN + ACK. In the last stage, the sender sends a TCP ACK, and the connection between sender and receiver is established.
Many Nmap options for bypassing a firewall or IDS are based on this mechanism.

Let’s go first with a stateful firewall.

A stateful firewall? What is that? Here is the Wikipedia definition:

“In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.


The stateful firewall depends on the famous three-way handshake of the TCP protocol. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.”

Thanks to the Nmap hackers, Nmap has a function that sends its ping as a TCP ACK packet. When a stateful firewall receives this packet, it will think it belongs to an established connection. Therefore the ping passes the firewall and reaches the targeted host, and we receive a reply if the host is up! Very neat!

To achieve this, we set the -PA option. For example, the following command will scan all hosts under /24, and if a stateful firewall sits in between, it will (hopefully) be bypassed:
nmap -sP -PA
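As an added example (not code from either article on this page), the following Python models the probe types covered above, SYN (-sS), FIN (-sF), Xmas (-sX), Null (-sN) and the ACK probe (-PA), as the TCP flag sets a packet filter or IDS sees, and then applies two firewall models to each: a stateless “established” rule that trusts the ACK bit, and a connection-tracking firewall that requires a state-table entry. The addresses, port and state table are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    dport: int
    flags: frozenset  # subset of {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

SCAN_SIGNATURES = {  # flag combinations of the scan types covered on this page
    frozenset({"SYN"}): "SYN (-sS, or first packet of -sT)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
    frozenset(): "Null scan (-sN)",
    frozenset({"ACK"}): "ACK probe (-PA / -sW)",
}

def classify(probe):
    """Name the scan type matching the probe's flag set, else 'other'."""
    return SCAN_SIGNATURES.get(probe.flags, "other")

def stateless_established_acl(probe):
    """Stateless 'established' rule: pass any packet with ACK or RST set."""
    return "pass" if probe.flags & {"ACK", "RST"} else "drop"

def conntrack_firewall(probe, table):
    """Connection-tracking rule for inbound packets: a lone SYN is NEW (dropped by
    an inbound-deny policy); anything else passes only if its flow is in the table."""
    if probe.flags == frozenset({"SYN"}):
        return "drop (NEW)"
    if (probe.src, probe.dst, probe.dport) in table:
        return "pass (ESTABLISHED)"
    return "drop (INVALID)"

def evaluate(probes, table):
    """(scan type, stateless verdict, conntrack verdict) for each probe."""
    return [(classify(p), stateless_established_acl(p),
             conntrack_firewall(p, table)) for p in probes]

# Constructed sample: a scanner at 10.0.0.5 probing 10.0.0.20:80 while one
# legitimate flow from 10.0.0.7 is already in the firewall's state table.
SAMPLE_TABLE = {("10.0.0.7", "10.0.0.20", 80)}
SAMPLE_PROBES = [
    Probe("10.0.0.5", "10.0.0.20", 80, frozenset({"SYN"})),
    Probe("10.0.0.5", "10.0.0.20", 80, frozenset({"ACK"})),
    Probe("10.0.0.5", "10.0.0.20", 80, frozenset({"FIN", "PSH", "URG"})),
    Probe("10.0.0.5", "10.0.0.20", 80, frozenset()),
    Probe("10.0.0.7", "10.0.0.20", 80, frozenset({"ACK", "PSH"})),
]
```

The ACK probe passes the stateless rule, which is the behaviour the tutorial relies on, while a firewall that actually tracks connections drops it as INVALID, so which of the two sits in front of a host decides whether -PA reaches it.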
- Port Scanning (Full connection)

By port scanning, we determine which ports on a system are open or closed and what their respective services are. This is important to know before we deepen our attack. For example, if we know that port 23 is open (the Telnet service), then we can plan our penetration strategy around known vulnerabilities of Telnet.

A port scan is done by specifying -sT for TCP services (the “T” in -sT stands for TCP; so what would it be for UDP services? Exactly, it is -sU).

For example, the following command will list TCP ports that are open and their respective services:
nmap -sT localhost

However, with the -sT option we fully connect to each port we probe. If a connection to a specific port is established, Nmap lists the port as open. This mechanism is a problem if an IDS is installed on the system: the IDS will usually detect a penetration attempt from the sign that we are connecting to many ports in a very short time. The IDS can log our attempt and (maybe) track down our IP address, which is not good.

What is the solution? Read on!
- Port Scanning (Stealth Scanning)

The Nmap hackers created an option to handle the previous problem (yes, it is also based on the three-way handshake). Instead of fully connecting to a port, why not send only a TCP SYN? If we receive a SYN + ACK, that specific port is open, and Nmap then disconnects. That is exactly what -sS does. Again, the “S” in -sS is for SYN. Make the most of your time by memorizing this so that we can give a great service to our clients.

Usually the result will be the same with either -sT or -sS.
- OS Fingerprinting

This is the last basic function we’re going to cover. OS fingerprinting is done by specifying the -O option. Nmap will try to reveal the running OS of a system and list its open ports (using a stealth scan, -sS).

We’re done! These are some of the most basic functions a pen tester should be equipped with. If you have any suggestions or advice (about something I may have forgotten or don’t even know about), please leave a comment.