Let's dig deep into port scanning techniques. Port scanning in Nmap is something of an art: experienced users understand the different scan techniques and pick one, or a combination, that suits the task at hand, while inexperienced users and script kiddies try to solve every problem with the default SYN scan.
First things first: you can list every scan option, including the ones below, by typing nmap -h.
TCP SYN scan (-sS)
- SYN scan is the most popular option and the default TCP scan whenever Nmap has raw-packet privileges (root).
- It is relatively stealthy since it never completes a TCP connection, so the target application never sees the probe; a modern IDS can still log the half-open SYN.
- It is fast and can scan thousands of ports per second on a fast network that is not hampered by restrictive firewalls.
TCP connect scan (-sT)
- Default TCP scan when a SYN scan is not an option, generally because the user lacks raw-packet privileges (non-root).
- Less efficient: it takes longer and needs more packets to obtain the same result.
- In this case Nmap does not craft raw packets; instead it asks the OS to open a connection via the connect() system call, which completes the full three-way handshake.
- These scans are noisier, both for an IDS and in the target's own logs, because the connection is actually established and then torn down.
UDP and SCTP scan
UDP scan (-sU)
- Most services run over TCP, but several widely used ones run over UDP, such as DNS (53), SNMP (161/162), and DHCP (67/68).
- UDP scanning is generally slower and more difficult than TCP, which is why some security auditors ignore these ports. An open UDP port that does not answer the probe is reported as open|filtered, since it cannot be told apart from a filtered one.
- This option can be combined with a SYN scan (-sS) to check both protocols during the same run.
- --host-timeout tells Nmap not to spend more than the specified time on a single host; a host that hits the limit is abandoned and its results are not reported. The example below spends at most 2 minutes on each host.
nmap <IPs> -sU --host-timeout 2m
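As an added example (not code from the original post), the snippet below builds the combined TCP+UDP command line the text describes, choosing -sS only when the caller has raw-packet privileges, and parses Nmap's grepable output so the UDP findings can be pulled out separately. The -oG flag and its line format are Nmap's own; the sample output, the uid handling and the function names are assumptions of this example, and the sample is constructed rather than captured from a real scan.

```python
import os
import re

def build_scan_argv(targets, host_timeout="2m", euid=None):
    """argv for a combined TCP+UDP scan with a per-host time limit.
    SYN scan needs raw sockets, so without uid 0 fall back to -sT, which
    is the same substitution Nmap makes on its own."""
    if euid is None:
        euid = os.geteuid()            # assumption: POSIX host
    tcp = "-sS" if euid == 0 else "-sT"
    # -oG - writes grepable output to stdout so it can be parsed directly.
    return ["nmap", tcp, "-sU", "--host-timeout", host_timeout, "-oG", "-", *targets]

# One port entry in a grepable "Ports:" field: port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp|sctp)//([^/]*)/")

def parse_gnmap(text):
    """Return (host, port, proto, state, service) rows from -oG output."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                    # status-only and comment lines
        host = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            rows.append((host, int(port), proto, state, service))
    return rows

def udp_findings(text):
    """Only the UDP rows, the ones auditors tend to skip."""
    return [r for r in parse_gnmap(text) if r[2] == "udp"]

# Constructed sample of what a mixed -sS/-sU run writes with -oG (not real data).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, "
    "53/open|filtered/udp//domain///, 161/open/udp//snmp///"
    "\tIgnored State: closed (1998)\n"
    "# Nmap done\n"
)

if __name__ == "__main__":
    print(" ".join(build_scan_argv(["192.0.2.10"])))
    for host, port, proto, state, service in udp_findings(SAMPLE_GNMAP):
        print(host, port, proto, state, service)
```

Note the 53/udp row: DNS answered nothing, so it lands in open|filtered and needs a follow-up such as a version probe to be resolved.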
SCTP INIT scan (-sY)
- SCTP stands for Stream Control Transmission Protocol.
- It is a relatively new alternative to TCP and UDP, combining most characteristics of both.
- It is mostly used for SS7/SIGTRAN-related services, such as in cellular networks.
- This scan is the SCTP equivalent of a TCP SYN scan.
SCTP Cookie ECHO (-sZ)
- It is a more advanced SCTP scan.
- It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed.
- The downside is that SCTP COOKIE ECHO scans cannot differentiate between open and filtered ports, leaving you with the state open|filtered in both cases.
TCP NULL, FIN, and Xmas scans
These scans behave the same except for the TCP flags set in the probe packet. They exploit a subtle loophole in the TCP RFC (RFC 793): a closed port must answer any segment lacking RST with a RST, while an open port must silently drop a segment that carries none of SYN, RST or ACK. So a RST reply means closed, and no reply means open|filtered, since a dropped probe looks the same as a filtered one. The key advantage of these scan types is that they can sometimes sneak through certain non-stateful firewalls and packet-filtering routers. The caveat is that not every stack follows the RFC: Microsoft Windows, many Cisco devices and some other systems send a RST regardless of the port's state, so against them every port appears closed.
NULL scan (-sN)
- Does not set any bits (the TCP flag header is 0).
FIN scan (-sF)
- Sets just the TCP FIN bit.
Xmas scan (-sX)
- Sets the FIN, PSH, and URG flags, lighting the packet like a Christmas tree thus the name Xmas.
TCP ACK and Window scans
TCP ACK scan (-sA)
- This scan never reports a port as open or even open|filtered; ports are only labelled unfiltered (a RST came back) or filtered (no reply or an ICMP unreachable error).
- It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
TCP Window Scan (-sW)
- Exactly the same as the ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when an RST is returned.
Maimon and IP Protocol scans
TCP Maimon Scan (-sM)
- This technique is exactly the same as the NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.
- Useful against BSD-derived systems: per the RFC an open port should answer a FIN/ACK with a RST, but many BSD-derived systems simply drop the packet if the port is open, which lets the scan tell open|filtered from closed.
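The following is an added example, not code from the original post, covering the TCP techniques above (NULL/FIN/Xmas, ACK and Window, Maimon, and SYN for comparison). It builds the 20-byte TCP header each probe would carry, with the flag bits and checksum Nmap would set, and applies the response rules the text describes to a model of a textbook RFC 793 stack. The addresses, ports and the rfc793_target model are assumptions of the example; the flag assignments and port-state rules follow the Nmap documentation.

```python
import socket
import struct

# TCP flag bits (RFC 793), lowest bit first: FIN, SYN, RST, PSH, ACK, URG.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag bits each Nmap technique sets in its probe, as described on this page.
# -sT is listed for completeness: there the OS kernel sends the SYN, not Nmap.
PROBE_FLAGS = {
    "sS": SYN, "sT": SYN,
    "sN": 0, "sF": FIN, "sX": FIN | PSH | URG, "sM": FIN | ACK,
    "sA": ACK, "sW": ACK,
}

# ICMP type 3 codes Nmap reports as filtered (net/host/port/admin unreachable).
UNREACH_CODES = {1, 2, 3, 9, 10, 13}


def checksum(data: bytes) -> int:
    """Internet (one's complement) checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip, dst_ip, length):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, length))


def build_tcp_probe(scan, src_ip, dst_ip, sport, dport, seq=0, window=1024):
    """Return the 20-byte TCP header a raw probe of type `scan` would carry."""
    flags = PROBE_FLAGS[scan]
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, header):
    """A correct checksum makes the checksum of pseudo-header + header zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


def tcp_flags(header: bytes) -> int:
    """Flag byte of a TCP header (offset 13)."""
    return header[13]


def rfc793_target(port_open, probe_flags):
    """Assumed model of a textbook RFC 793 stack with no existing connection.
    Returns None (silently dropped) or ("tcp", flags, window)."""
    if not port_open:                       # CLOSED: RST to anything but a RST
        return None if probe_flags & RST else ("tcp", RST | ACK, 0)
    if probe_flags & ACK and not probe_flags & SYN:
        return ("tcp", RST, 0)              # LISTEN: stray ACK answered with RST
    if probe_flags & SYN:
        return ("tcp", SYN | ACK, 64240)    # LISTEN: SYN gets step two of the handshake
    return None                             # LISTEN: no SYN/RST/ACK -> dropped (the loophole)


def classify(scan, response):
    """Map a response to the port state Nmap reports for that technique.
    response: None, ("tcp", flags, window) or ("icmp", type, code)."""
    if response and response[0] == "icmp":
        _, itype, code = response
        if itype == 3 and code in UNREACH_CODES:
            return "filtered"
        response = None                     # any other ICMP: treat as no reply
    flags = response[1] if response else 0
    window = response[2] if response else 0
    if scan in ("sS", "sT"):
        if flags & SYN and flags & ACK:
            return "open"
        return "closed" if flags & RST else "filtered"
    if scan in ("sN", "sF", "sX", "sM"):
        return "closed" if flags & RST else "open|filtered"
    if scan == "sA":
        return "unfiltered" if flags & RST else "filtered"
    if scan == "sW":                        # RST window size is the tell
        if not flags & RST:
            return "filtered"
        return "open" if window > 0 else "closed"
    raise ValueError("unknown technique " + scan)


def scan_matrix(target=rfc793_target):
    """(state for an open port, state for a closed port) per technique."""
    return {scan: (classify(scan, target(True, f)), classify(scan, target(False, f)))
            for scan, f in PROBE_FLAGS.items()}


if __name__ == "__main__":
    probe = build_tcp_probe("sX", "192.0.2.1", "192.0.2.10", 40000, 80)
    print("Xmas flags: 0x%02x" % tcp_flags(probe))
    for scan, (o, c) in scan_matrix().items():
        print("-%s  open port -> %-14s closed port -> %s" % (scan, o, c))
```

Running it shows why the text qualifies the Maimon and Window scans: against a stack that follows RFC 793 to the letter, -sM reports both open and closed ports as closed (the FIN/ACK draws a RST either way) and -sW sees a zero window in every RST, so only the BSD-style drop and the positive-window quirk on certain systems make those two techniques informative.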
IP Protocol Scan (-sO)
- This scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
- This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers.
We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.