Introduction to Nmap and Portscanning
This post reviews usage of Nmap and demonstrates various use cases using Nmap command line options. This post uses practical scenarios covered in two TryHackMe rooms.
In another update, we also covered the answers for the below rooms:
- TryHackMe Nmap Live Host Discovery
- TryHackMe Nmap Basic Port Scans
- TryHackMe Nmap Advanced Port Scans
Intro to Port Scanning with Nmap
When it comes to hacking, knowledge is power. The more knowledge you have about a target system or network, the more options you have available. This makes it imperative that proper enumeration is carried out before any exploitation attempts are made.
Say we have been given an IP (or multiple IP addresses) to perform a security audit on. Before we do anything else, we need to get an idea of the “landscape” we are attacking. What this means is that we need to establish which services are running on the targets. For example, perhaps one of them is running a webserver, and another is acting as a Windows Active Directory Domain Controller. The first stage in establishing this “map” of the landscape is something called port scanning. When a computer runs a network service, it opens a networking construct called a “port” to receive the connection. Ports are necessary for making multiple network requests or having multiple services available. For example, when you load several webpages at once in a web browser, the program must have some way of determining which tab is loading which web page. This is done by establishing connections to the remote webservers using different ports on your local machine. Equally, if you want a server to be able to run more than one service (for example, perhaps you want your webserver to run both HTTP and HTTPS versions of the site), then you need some way to direct the traffic to the appropriate service. Once again, ports are the solution to this. Network connections are made between two ports – an open port listening on the server and a randomly selected port on your own computer. For example, when you connect to a web page, your computer may open port 49534 to connect to the server’s port 443.
Every computer has a total of 65535 available ports; however, many of these are registered as standard ports. For example, an HTTP web service can nearly always be found on port 80 of the server. An HTTPS web service can be found on port 443. Windows NETBIOS can be found on port 139 and SMB can be found on port 445. It is important to note, however, that especially in a CTF setting, it is not unheard of for even these standard ports to be altered, making it even more imperative that we perform appropriate enumeration on the target.
When port scanning with Nmap, there are three basic scan types. These are:
- TCP Connect Scans (-sT)
- SYN “Half-open” Scans (-sS)
- UDP Scans (-sU)
- TCP ACK Scan: As the name implies, an ACK scan will send a TCP packet with the ACK flag set. Use the -sA option to choose this scan.
- Window Scan: Another similar scan is the TCP window scan. The TCP window scan is almost the same as the ACK scan; however, it examines the TCP Window field of the RST packets returned. On specific systems, this can reveal that the port is open. You can select this scan type with the option -sW.
- Custom Scan: If you want to experiment with a new TCP flag combination beyond the built-in TCP scan types, you can do so using --scanflags. For instance, if you want to set SYN, RST, and FIN simultaneously, you can do so using --scanflags RSTSYNFIN.
Additionally there are several less common port scan types, some of which we will also cover (albeit in less detail). These are:
- TCP Null Scans (-sN): The null scan does not set any flag; all six flag bits are set to zero. You can choose this scan using the -sN option. A TCP packet with no flags set will not trigger any response when it reaches an open port, as shown in the figure below. Therefore, from Nmap’s perspective, a lack of reply in a null scan indicates that either the port is open or a firewall is blocking the packet.
- TCP FIN Scans (-sF): The FIN scan sends a TCP packet with the FIN flag set. You can choose this scan type using the -sF option. Similarly, no response will be sent if the TCP port is open. Again, Nmap cannot be sure if the port is open or if a firewall is blocking the traffic related to this TCP port.
- TCP Xmas Scans (-sX): The Xmas scan gets its name after Christmas tree lights. An Xmas scan sets the FIN, PSH, and URG flags simultaneously. You can select Xmas scan with the option -sX. Like the Null scan and FIN scan, if an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open|filtered.
Most of these (with the exception of UDP scans) are used for very similar purposes; however, the way that they work differs between each scan. This means that, whilst one of the first three scans is likely to be your go-to in most situations, it’s worth bearing in mind that other scan types exist.
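The null, FIN-only, Xmas and SYN+RST+FIN flag combinations described above never occur in a normal TCP conversation, which makes them easy to spot on the defending side. The following added example (not part of the original post; the log format and addresses are constructed for illustration) names the probe type from a packet's TCP flags byte and reports sources that send such probes to several ports:

```python
from collections import defaultdict

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Return the scan type a flags byte matches, or None for ordinary traffic.

    SYN-only and ACK-only packets are legitimate on their own, so spotting
    -sS or -sA probes needs connection state and is out of scope here.
    """
    flags &= 0x3F  # keep the six classic flag bits only
    if flags == 0:
        return "null scan (-sN)"
    if flags == FIN:
        return "FIN scan (-sF)"  # a genuine FIN always carries ACK as well
    if flags == FIN | PSH | URG:
        return "Xmas scan (-sX)"
    if flags & SYN and flags & (FIN | RST):
        return "custom flags (--scanflags)"  # e.g. RSTSYNFIN = 0x07
    return None


# Constructed sample records, one per packet: "source destination:port flags"
SAMPLE_LOG = """\
198.51.100.7 10.0.0.9:21 0x00
198.51.100.7 10.0.0.9:22 0x00
198.51.100.7 10.0.0.9:23 0x00
203.0.113.4 10.0.0.9:80 0x29
203.0.113.4 10.0.0.9:443 0x29
203.0.113.4 10.0.0.9:8080 0x29
192.0.2.10 10.0.0.9:443 0x18
192.0.2.10 10.0.0.9:443 0x11
192.0.2.77 10.0.0.9:25 0x07
"""


def detect_scans(log_text, min_ports=3):
    """Map (source, scan type) to the sorted ports probed, once a source
    has sent the same anomalous flag combination to min_ports or more ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, raw_flags = line.split()
        port = int(dst.rsplit(":", 1)[1])
        label = classify_probe(int(raw_flags, 16))
        if label:
            seen[(src, label)].add(port)
    return {key: sorted(ports) for key, ports in seen.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, label), ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {label} against ports {ports}")
```

Lowering min_ports to 1 also reports the single SYN+RST+FIN packet from 192.0.2.77.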
Verbosity and Output Formatting
- Verbose Mode (-v): This option provides real-time feedback, showing the steps Nmap is taking as it performs the scan.
- Very Verbose Mode (-vv): Provides even more detailed output.
- Saving Results in XML Format (-oX): The results of the scan can be saved to an XML file for reporting purposes.
Nmap Scripting Engine
The Nmap Scripting Engine (NSE) is an incredibly powerful addition to Nmap, extending its functionality quite considerably. NSE Scripts are written in the Lua programming language, and can be used to do a variety of things: from scanning for vulnerabilities, to automating exploits for them. The NSE is particularly useful for reconnaissance; however, it is well worth bearing in mind how extensive the script library is.
There are many categories available. Some useful categories include:
- safe: Won’t affect the target
- intrusive: Not safe: likely to affect the target
- vuln: Scan for vulnerabilities
- exploit: Attempt to exploit a vulnerability
- auth: Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously)
- brute: Attempt to bruteforce credentials for running services
- discovery: Attempt to query running services for further information about the network (e.g. query an SNMP server).
A more exhaustive list can be found here.
Host Discovery with Nmap
We can ping every IP address on a target network and see who would respond to our ping (ICMP Type 8/Echo) requests with a ping reply (ICMP Type 0). Simple, isn’t it? Although this would be the most straightforward approach, it is not always reliable. Many firewalls block ICMP echo; new versions of MS Windows are configured with a host firewall that blocks ICMP echo requests by default. Remember that an ARP query will precede the ICMP request if your target is on the same subnet.
To use ICMP echo request to discover live hosts, add the option -PE. (Remember to add -sn if you don’t want to follow that with a port scan.)
TCP SYN Ping
We can send a packet with the SYN (Synchronize) flag set to a TCP port, 80 by default, and wait for a response. An open port should reply with a SYN/ACK (Acknowledge); a closed port would result in an RST (Reset). In this case, we only check whether we will get any response to infer whether the host is up. The specific state of the port is not significant here.
If you want Nmap to use TCP SYN ping, you can do so via the option -PS followed by the port number, range, list, or a combination of them. For example, -PS21 will target port 21, while -PS21-25 will target ports 21, 22, 23, 24, and 25. Finally, -PS80,443,8080 will target the three ports 80, 443, and 8080.
Privileged users (root and sudoers) can send TCP SYN packets and don’t need to complete the TCP 3-way handshake even if the port is open, as shown in the figure below. Unprivileged users have no choice but to complete the 3-way handshake if the port is open.
TCP ACK Ping
As you have guessed, this sends a packet with an ACK flag set. You must be running Nmap as a privileged user to be able to accomplish this. If you try it as an unprivileged user, Nmap will attempt a 3-way handshake.
By default, port 80 is used. The syntax is similar to TCP SYN ping. -PA should be followed by a port number, range, list, or a combination of them. For example, consider -PA21, -PA21-25 and -PA80,443,8080. If no port is specified, port 80 will be used.
UDP Ping
Finally, we can use UDP to discover if the host is online. Contrary to TCP SYN ping, sending a UDP packet to an open port is not expected to lead to any reply. However, if we send a UDP packet to a closed UDP port, we expect to get an ICMP port unreachable packet; this indicates that the target system is up and available.
Enumeration with Nmap
We mentioned the different techniques we can use for scanning in Task 1. Before we explain each in detail and put it into use against a live target, we need to specify the targets we want to scan. Generally speaking, you can provide a list, a range, or a subnet. Examples of target specification are:
- list: MACHINE_IP scanme.nmap.org example.com will scan 3 IP addresses.
- range: 10.11.12.15-20 will scan 6 IP addresses: 10.11.12.15, 10.11.12.16, … and 10.11.12.20.
- subnet: MACHINE_IP/30 will scan 4 IP addresses.
You can also provide a file as input for your list of targets: nmap -iL list_of_hosts.txt
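Before launching a scan it helps to confirm exactly which addresses a target specification expands to. This added example (not from the original post or from Nmap itself; the function names and the scope check are assumptions) expands the range and subnet forms described above and lists any addresses that fall outside an agreed scope:

```python
import ipaddress
from itertools import product


def _octet_values(field):
    """Expand one octet field such as '15', '15-20' or '1,3,7-9'."""
    values = set()
    for part in field.split(","):
        low, _, high = part.partition("-")
        start, end = int(low), int(high or low)
        if not 0 <= start <= end <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.update(range(start, end + 1))
    return sorted(values)


def expand_targets(spec):
    """Return the IPv4 addresses one range or subnet token expands to.

    Hostnames are not handled (they would need DNS) and raise ValueError.
    """
    if "/" in spec:
        # strict=False accepts host bits: 10.10.12.13/29 becomes 10.10.12.8/29.
        network = ipaddress.ip_network(spec, strict=False)
        # Every address is listed, network and broadcast included,
        # which matches the "/30 will scan 4 IP addresses" count above.
        return [str(address) for address in network]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 range or subnet: {spec!r}")
    combos = product(*(_octet_values(octet) for octet in octets))
    return [".".join(str(value) for value in combo) for combo in combos]


def out_of_scope(specs, allowed_cidrs):
    """List every expanded address that is not inside an authorised network."""
    allowed = [ipaddress.ip_network(cidr, strict=False) for cidr in allowed_cidrs]
    return [address
            for spec in specs
            for address in expand_targets(spec)
            if not any(ipaddress.ip_address(address) in net for net in allowed)]


if __name__ == "__main__":
    for spec in ("10.11.12.15-20", "10.10.0-255.101-125", "10.10.12.13/29"):
        addresses = expand_targets(spec)
        print(f"{spec}: {len(addresses)} addresses, first {addresses[0]}")
    # Constructed scope: only 10.11.12.16/30 has been authorised.
    print(out_of_scope(["10.11.12.15-20"], ["10.11.12.16/30"]))
```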
Firewall Evasion with Nmap
There are a variety of other switches which Nmap considers useful for firewall evasion. We will not go through these in detail, however, they can be found here.
You can also check out Firewall and IDS Evasion with NMAP | Practical Scenario post.
The following switches are of particular note:
- -f: Used to fragment the packets (i.e. split them into smaller pieces), making it less likely that the packets will be detected by a firewall or IDS.
- --mtu <number>: An alternative to -f, but providing more control over the size of the packets; accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.
- --scan-delay <time>ms: Used to add a delay between packets sent. This is very useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.
- --badsum: This is used to generate an invalid checksum for packets. Any real TCP/IP stack would drop this packet; however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. As such, this switch can be used to determine the presence of a firewall/IDS.
Spoofed Scan with Nmap
In brief, scanning with a spoofed IP address is three steps:
- Attacker sends a packet with a spoofed source IP address to the target machine.
- Target machine replies to the spoofed IP address as the destination.
- Attacker captures the replies to figure out open ports.
In general, you expect to specify the network interface using -e and to explicitly disable ping scan -Pn. Therefore, instead of nmap -S SPOOFED_IP MACHINE_IP, you will need to issue nmap -e NET_INTERFACE -Pn -S SPOOFED_IP MACHINE_IP to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply. It is worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses.
When you are on the same subnet as the target machine, you would be able to spoof your MAC address as well. You can specify the source MAC address using --spoof-mac SPOOFED_MAC. This address spoofing is only possible if the attacker and the target machine are on the same Ethernet (802.3) network or same WiFi (802.11).
Spoofing only works in a minimal number of cases where certain conditions are met. Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed. The concept is simple: make the scan appear to be coming from many IP addresses so that the attacker’s IP address would be lost among them. As we see in the figure below, the scan of the target machine will appear to be coming from 3 different sources, and consequently, the replies will go to the decoys as well.
Fragmented Scan with Nmap
Nmap provides the option -f to fragment packets. Once chosen, the IP data will be divided into 8 bytes or less. Adding another -f (-f -f or -ff) will split the data into 16-byte fragments instead of 8. You can change the default value by using the --mtu option; however, you should always choose a multiple of 8.
To properly understand fragmentation, we need to look at the IP header in the figure below. It might look complicated at first, but we notice that we know most of its fields. In particular, notice the source address taking 32 bits (4 bytes) on the fourth row, while the destination address is taking another 4 bytes on the fifth row. The data that we will fragment across multiple packets is highlighted in red.
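An added worked example, not from the original post: it lays out the fragments produced for a given fragment size and shows which fragment carries the TCP flags byte, which is why packet filters reassemble traffic or reject very small first fragments. The 24-byte segment and the function names are assumptions made for illustration.

```python
TCP_FLAGS_OFFSET = 13  # byte index of the flags field inside the TCP header
TCP_MIN_HEADER = 20    # length of a TCP header without options


def plan_fragments(payload_len, frag_size):
    """Split payload_len bytes of IP data into pieces of frag_size bytes.

    Returns (offset_in_8_byte_units, length, more_fragments) tuples. The IP
    fragment offset field counts 8-byte units, which is why the fragment
    size has to be a multiple of 8.
    """
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    fragments = []
    for start in range(0, payload_len, frag_size):
        length = min(frag_size, payload_len - start)
        more = start + length < payload_len
        fragments.append((start // 8, length, more))
    return fragments


def fragment_holding_flags(fragments):
    """Index of the fragment that contains the TCP flags byte, or None."""
    for index, (offset_units, length, _more) in enumerate(fragments):
        first_byte = offset_units * 8
        if first_byte <= TCP_FLAGS_OFFSET < first_byte + length:
            return index
    return None


def is_tiny_first_fragment(offset_units, length, more):
    """Filter-side check: a first fragment that is followed by others but is
    too short to hold a complete minimal TCP header."""
    return offset_units == 0 and more and length < TCP_MIN_HEADER


if __name__ == "__main__":
    # Constructed case: a 24-byte TCP segment (20-byte header plus 4 bytes
    # of options) split into 8-byte and then 16-byte fragments.
    for size in (8, 16):
        fragments = plan_fragments(24, size)
        print(size, fragments, "flags in fragment", fragment_holding_flags(fragments))
```

With 8-byte fragments the first piece holds only the ports and sequence number, so a filter that inspects fragments individually never sees the flags next to the destination port.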
Advanced Nmap Scans
Aggressive Scan (-A): This scan is used in white-box penetration testing, where the tester has permission from the client. It combines OS detection, version detection, script scanning, and traceroute.
Timing Scan (-T5 or -T0 to -T5): Timing levels adjust the speed of the scan, with T5 being the fastest and T0 being the slowest. The T5 (insane) level is used to speed up scans significantly, though it can be loud and easily detectable.
Scanning Specific Ports (-p): Nmap can scan specific ports if you know the service you’re looking for, e.g., -p 80 for scanning port 80.
Description of port scanning output with Nmap
- Open: indicates that a service is listening on the specified port.
- Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
- Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.
- Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan -sA.
- Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.
- Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.
Answers to questions from room one
How many of these are available on any network-enabled computer?
[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)
First, how do you access the help menu?
Often referred to as a stealth scan, what is the first switch listed for a ‘Syn Scan’?
Not quite as useful but how about a ‘UDP Scan’?
What about operating system detection?
How about service version detection?
Most people like to see some output to know that their scan is actually doing things, what is the verbosity flag?
What about ‘very verbose’? (A personal favorite)
Sometimes saving output in a common document format can be really handy for reporting, how do we save output in xml format?
How do I set the timing to the max level, sometimes called ‘Insane’?
What about if I want to scan a specific port?
How about if I want to scan every port?
What if I want to enable using a script from the nmap scripting engine? For this, just include the first part of the switch without the specification of what script to run.
What if I want to run all scripts out of the vulnerability category?
What switch should I include if I don’t want to ping the host?
Let’s go ahead and start with the basics and perform a syn scan on the box provided. What will this command be without the host IP address?
After scanning this, how many ports do we find open under 1000?
What communication protocol is given for these ports following the port number?
Perform a service version detection scan, what is the version of the software running on port 22?
Perform a script scan of vulnerabilities associated with this box, what denial of service (DOS) attack is this box susceptible to? Answer with the name for the vulnerability that is given as the section title in the scan output. A vuln scan can take a while to complete. In case you get stuck, the answer for this question has been provided in the hint, however, it’s good to still run this scan and get used to using it as it can be invaluable.
Answers to room two
Which RFC defines the appropriate behaviour for the TCP protocol?
If a port is closed, which flag should the server send back to indicate this?
Can Nmap use a SYN scan without Sudo permissions (Y/N)?
When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?
Why are NULL, FIN and Xmas scans generally used?
Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Which category of scripts would be a very bad idea to run in a production environment?
What optional argument can the ftp-anon.nse script take?
/usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server?
Read through this script. What does it depend on?
-Pn switch?
[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
Does the target (MACHINE_IP) respond to ICMP (ping) requests (Y/N)?
Perform an Xmas scan on the first 999 ports of the target — how many ports are shown to be open or filtered?
There is a reason given for this — what is it?
Note: The answer will be in your scan results. Think carefully about which switches to use — and read the hint before asking for help!
Perform a TCP SYN scan on the first 5000 ports of the target — how many ports are shown to be open?
Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.
Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)
Room Answers | TryHackMe Nmap Live Host Discovery
How many devices can see the ARP Request?
4
Did computer6 receive the ARP Request? (Y/N)
N
How many devices can see the ARP Request?
4
Did computer6 reply to the ARP Request? (Y/N)
N
What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target?
10.10.12.8
How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?
6400
What is the type of packet that computer1 sent before the ping?
ARP Request
What is the type of packet that computer1 received before being able to send the ping?
ARP Response
How many computers responded to the ping request?
1
What is the name of the first device that responded to the first ARP Request?
Router
What is the name of the first device that responded to the second ARP Request?
computer5
Send another Ping Request. Did it require new ARP Requests? (Y/N)
N
How many devices are you able to discover using ARP requests?
3
What is the option required to tell Nmap to use ICMP Timestamp to discover live hosts?
-PP
What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?
-PM
What is the option required to tell Nmap to use ICMP Echo to discover live hosts?
-PE
Which TCP ping scan does not require a privileged account?
TCP SYN PING
Which TCP ping scan requires a privileged account?
TCP ACK PING
What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port?
-PS23
We want Nmap to issue a reverse DNS lookup for all the possible hosts on a subnet, hoping to get some insights from the names. What option should we add?
-R
Room Answers | TryHackMe Nmap Basic Port Scans
Which service uses UDP port 53 by default?
DNS
Which service uses TCP port 22 by default?
SSH
How many port states does Nmap consider?
6
Which port state is the most interesting to discover as a pentester?
OPEN
What 3 letters represent the Reset flag?
RST
Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?
syn
Launch the VM. Open the AttackBox and execute nmap -sT MACHINE_IP via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?
110
What is Nmap’s guess about the newly installed service?
pop3
Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS MACHINE_IP. What is the new open port?
6667
What is Nmap’s guess of the service name?
irc
Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v MACHINE_IP. A new service has been installed since the last scan. What is the UDP port that is now open?
53
What is the service name according to Nmap?
domain
What is the option to scan all the TCP ports between 5000 and 5500?
-p5000-5500
How can you ensure that Nmap will run at least 64 probes in parallel?
--min-parallelism=64
What option would you add to make Nmap very slow and paranoid?
-T0
Room Answers | Nmap Advanced Port Scans
In a null scan, how many flags are set to 1?
0
In a FIN scan, how many flags are set to 1?
1
In a Xmas scan, how many flags are set to 1?
3
Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use nmap to launch a FIN scan against the target VM. How many ports appear as open|filtered?
7
Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered?
7
In the Maimon scan, how many flags are set?
2
In TCP Window scan, how many flags are set?
1
You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after --scanflags?
RST
The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered?
4
What is the new port number that appeared?
443
Is there any service behind the newly discovered port number? (Y/N)
n
What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP address 10.10.10.11 instead of your IP address?
-S 10.10.10.11
What do you need to add to the command sudo nmap MACHINE_IP to make the scan appear as if coming from the source IP addresses 10.10.20.21 and 10.10.20.28 in addition to your IP address?
-D 10.10.20.21,10.10.20.28
If the TCP segment has a size of 64, and -ff option is being used, how many IP fragments will you get?
4
You discovered a rarely-used network printer with the IP address 10.10.5.5, and you decide to use it as a zombie in your idle scan. What argument should you add to your Nmap command?
-sI 10.10.5.5
Launch the AttackBox if you haven’t done so already. After you make sure that you have terminated the VM from Task 4, start the VM for this task. Wait for it to load completely, then open the terminal on the AttackBox and use Nmap with nmap -sS -F --reason MACHINE_IP to scan the VM. What is the reason provided for the stated port(s) being open?
syn-ack