What is Nmap and how to use it effectively for Penetration Testing?

Information gathering is an essential step while performing a pen test on any target. Knowing your target well, especially its weaknesses, helps you discover its vulnerabilities.

In this blog, we will learn about Nmap and the most commonly used port scan types (TCP SYN and TCP Connect). There are many scanning tools available on the market, but for a beginner like me, Nmap is my favourite for two reasons.

First, it comes with a GUI front end called Zenmap. Installation is as easy and clean as installing the VLC player application. The Zenmap interface is simple and self-explanatory. It also shows the equivalent Nmap command line for the selected scan type, which helps you learn how to operate Nmap from the command prompt or terminal.

Secondly, it works well on Windows. From a beginner's standpoint, working on Unix and Linux-based operating systems is slightly harder than working on Windows.

So, what is Nmap?

Nmap stands for Network Mapper. It is a free and open-source tool used for network and host discovery, and network engineers use it for network auditing. Nmap is helpful for information gathering during penetration testing. Let's assume we have the target machine's IP address or DNS name; the next step is to scan the target thoroughly, inside out. One of the important things is to discover the target's open ports, since that is where we could find an initial opening to start the pentest.

For a tester, knowing the following information about the target is essential:

  • Open, Closed, and Filtered Ports
  • Services version (-sV)
  • Operating systems name and version
  • Script scanning (--script or -sC)

Now that we know what we are looking for when using Nmap, it's time to understand how to run Nmap to obtain these details.

There is a long list of port scan types that Nmap can perform, but today we will discuss the two most common scans, which we will use throughout our pen testing career: the TCP SYN scan and the TCP Connect scan.

TCP SYN Scan (-sS)

It is Nmap's default scan type when Nmap runs with the privileges needed to send raw packets. It can scan thousands of ports per second on a fast network and gives clear, reliable differentiation between the open, closed, and filtered states. It is also known as half-open scanning because it never opens a full TCP connection. Does that term sound new?

Let us quickly recall how a regular TCP connection is established using the three-way handshake, so that we understand what half-open scanning is. The client sends a SYN packet to the HTTP server to communicate that it wants to open a connection. In return, the server sends a SYN/ACK packet, acknowledging the client's request for the connection, and finally the client sends the final ACK packet. Once the server receives that final acknowledgment (ACK) from the HTTP client, the connection is established.

In a TCP SYN scan, however, the client sends a SYN packet and then waits for a response. If it receives a SYN/ACK packet from the server, it considers that port to be listening, i.e., open, and instead of the final ACK the client sends an RST (reset) packet. As a result, the server assumes that there has been a communications error and that the client has decided not to establish a connection. If no response is received after several retransmissions, the port is marked as filtered, which means the port is blocked by a dedicated firewall device, router rules, or host-based firewall software. A port is marked closed if the server receives the client's SYN packet and answers with an RST because no application is listening on it. Because no connection is ever completed, the SYN scan is less likely to draw the target's attention to your scanning activity: the listening application never sees a connection and so has nothing to log, although firewalls and intrusion detection systems still see the SYN packets.

TCP Connect Scan (-sT)

Unlike the SYN scan, the TCP Connect scan completes the full three-way handshake with the server. Nmap asks the operating system to establish each connection through the connect system call, the same call any network application uses.

Instead of reading raw packet responses, Nmap uses the result of this call to learn the outcome of each connection attempt. Since it fully connects to each service, it is noisy: the target can easily detect it, because every completed connection can be logged by the service and shows up in network logs.

It also takes longer to enumerate open ports than a SYN scan does. Basically, it is the fallback option when a SYN scan is not available, for example when Nmap does not have the privileges to send raw packets.
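Both scan types leave their SYN packets in a host firewall's log; what differs is whether the handshake is ever completed. The following is an added example, not part of the original post, that runs over constructed log lines (the log format and addresses are assumptions) and labels each source that probed several ports as either a half-open (SYN) scan or a connect scan:

```python
import re
from collections import defaultdict

# Constructed host-firewall log lines (not real traffic): packets sent by
# remote hosts to this machine. FLAGS=S is a SYN, A an ACK, R a reset.
SAMPLE_LOG = """\
2024-05-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 DPT=22 FLAGS=S
2024-05-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 DPT=22 FLAGS=R
2024-05-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 DPT=80 FLAGS=S
2024-05-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 DPT=80 FLAGS=R
2024-05-01T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 DPT=8080 FLAGS=S
2024-05-01T10:00:05 SRC=10.0.0.7 DST=10.0.0.20 DPT=22 FLAGS=S
2024-05-01T10:00:05 SRC=10.0.0.7 DST=10.0.0.20 DPT=22 FLAGS=A
2024-05-01T10:00:05 SRC=10.0.0.7 DST=10.0.0.20 DPT=80 FLAGS=S
2024-05-01T10:00:05 SRC=10.0.0.7 DST=10.0.0.20 DPT=80 FLAGS=A
2024-05-01T10:00:06 SRC=10.0.0.7 DST=10.0.0.20 DPT=443 FLAGS=S
2024-05-01T10:00:06 SRC=10.0.0.7 DST=10.0.0.20 DPT=443 FLAGS=A
2024-05-01T10:00:09 SRC=10.0.0.9 DST=10.0.0.20 DPT=443 FLAGS=S
2024-05-01T10:00:09 SRC=10.0.0.9 DST=10.0.0.20 DPT=443 FLAGS=A
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=\S+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)")


def classify_sources(log_text, min_ports=3):
    """Return {src: (distinct_ports_probed, label)} for each source that sent SYNs
    to at least `min_ports` distinct ports; the label says whether handshakes completed."""
    syn_ports = defaultdict(set)   # src -> ports that received a SYN
    followup = defaultdict(dict)   # src -> {port: "A" (completed) or "R" (aborted)}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, port, flags = m.group("src"), int(m.group("dpt")), m.group("flags")
        if flags == "S":
            syn_ports[src].add(port)
        elif flags in ("A", "R") and port in syn_ports[src]:
            followup[src][port] = flags
    result = {}
    for src, ports in syn_ports.items():
        if len(ports) < min_ports:
            continue   # a few SYNs to a few ports is normal traffic, not a sweep
        completed = sum(1 for f in followup[src].values() if f == "A")
        label = ("connect scan (full handshakes completed)" if completed
                 else "SYN scan (half-open: no handshake completed)")
        result[src] = (len(ports), label)
    return result
```

The port touched only once by 10.0.0.9 stays below the threshold, which is the trade-off a detector has to make between catching slow sweeps and flagging ordinary clients.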

Nmap provides versatile scanning options; depending on our needs, we can use the appropriate one. A few common options to remember while scanning:

  • -sC : run the default scripts (script scanning)
  • -sV : detect the version of each listening service
  • -p- : scan all ports of the target
  • -p <ports> : scan only the listed ports; without -p, Nmap scans the top 1000 most common ports by default
  • -A : capture all available details, i.e., OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). This is also known as aggressive mode
  • -T4 : use a faster timing template to speed up the scan

The final thing to remember while performing a scan is to save the scan results using Nmap's output options (for example -oX for XML). Saving these results lets us refer back to them during the execution phase.
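An added example, not from the original post, of reading a saved scan back for the execution phase: it parses Nmap's XML export (-oX) and lists open and closed ports with the detected service versions, plus the count of filtered ports. The XML below is a constructed sample modelled on Nmap's output schema, not a real scan result.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on Nmap's -oX (XML) output; not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -T4 -oX scan.xml 10.0.0.20">
  <host>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed" reason="reset"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Summarise each host as {"open": [(port, service)], "closed": [...], "filtered": n}."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        summary = {"open": [], "closed": [], "filtered": 0}
        ports = host.find("ports")
        # Nmap folds ports that share one state (usually filtered) into <extraports>.
        for extra in ports.findall("extraports") if ports is not None else []:
            if extra.get("state") == "filtered":
                summary["filtered"] += int(extra.get("count", "0"))
        for port in ports.findall("port") if ports is not None else []:
            state = port.find("state").get("state")
            svc = port.find("service")
            attrs = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            desc = " ".join(a for a in attrs if a)  # e.g. "ssh OpenSSH 8.9p1"
            if state in ("open", "closed"):
                summary[state].append((int(port.get("portid")), desc))
            elif state == "filtered":
                summary["filtered"] += 1
        hosts[addr] = summary
    return hosts
```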