Post

Network Enumeration with Nmap

Posted
By bughra
6 min read
Network Enumeration with Nmap

TCP/UDP Port States

  • Open: Port actively accepting connections; service is listening. Nmap receives positive response (SYN-ACK for TCP scans, relevant UDP response for UDP scans).
  • Closed: Port accessible but no service listening. For TCP, receives RST packet; for UDP, receives ICMP port unreachable message.
  • Filtered: Firewall/filter blocks scan, no response received or ICMP error messages like type 3, code 13 (communication administratively prohibited). Timeouts typically indicate filtering.
  • Unfiltered: Port accessible but unable to determine open/closed status. Common in ACK scans where RST responses come from both open and closed ports.
  • Open|Filtered: Cannot determine if port is open or filtered. Common in UDP scans where no response could mean either state.
  • Closed|Filtered: Cannot determine if port is closed or filtered. Seen in some cases where diagnostic techniques can’t distinguish between them.

TCP Flags

  • SYN: Initiates connection. Firewalls often track SYN packets to prevent SYN flood attacks.
  • ACK: Acknowledges received data. Stateful firewalls permit outbound ACKs for established connections only.
  • PSH: Pushes buffered data. Some IDS/IPS systems flag unusual PSH usage patterns.
  • URG: Marks data as urgent. Often blocked by firewalls as it’s rarely used legitimately.
  • RST: Resets connection. Firewalls generate RST packets to silently drop unauthorized connections.
  • FIN: Ends connection. Many firewalls track connection state and only allow FIN on established connections.
  • NS/CWR/ECE: Congestion control flags. Next-generation firewalls may monitor these for anomalies.

Nmap Scan TCP and UDP Scan Parameters

  • TCP SYN Scan (-sS):
    • Sends SYN packet, receives SYN-ACK (open), RST (closed), or no response (filtered)
    • Firewalls: Packet filtering firewalls may block SYN packets to protected ports
    • Stealthier than connect scans as it doesn’t complete TCP handshake
  • TCP Connect Scan (-sT):
    • Completes full TCP handshake
    • Open: Full connection established
    • Closed: RST received after SYN
    • Filtered: No response or ICMP unreachable
    • Firewalls: More easily detected and logged by firewalls and IDS systems
  • UDP Scan (-sU):
    • Open|Filtered: No response (common as open UDP ports often don’t respond)
    • Closed: ICMP port unreachable message
    • Filtered: Other ICMP unreachable messages (type 3, codes 1,2,9,10,13)
    • Firewalls: May rate-limit ICMP responses, causing false positives
  • TCP ACK Scan (-sA):
    • Doesn’t determine open ports but firewall rulesets
    • Unfiltered: RST response
    • Filtered: No response or ICMP error
    • Firewalls: Useful for mapping firewall rules as ACK packets are often treated differently than SYN
  • Version Detection (-sV):
    • Probes open ports with application-specific tests
    • Firewalls: Deep packet inspection firewalls may block based on payload signatures

Nmap Fine-tuning Scope and Performance

  • Parallelism (--min-parallelism, --max-parallelism):
    • Controls concurrent probes
    • High values may trigger firewall/IDS rate limiting or blocking
    • Low values avoid detection but slow scanning
  • Min-rate (--min-rate <rate>):
    • Forces minimum packet rate
    • Example: --min-rate 1000 sends at least 1000 packets per second
    • Firewalls/IDS: High rates increase detection probability but overcome timeout-based defenses
  • Max-retries (--max-retries <num>):
    • Affects accuracy vs. speed tradeoff
    • Lower values reduce timeout delays from filtered ports
    • Firewalls leveraging delayed responses may cause false negatives with low retries
  • Host timeout (--host-timeout <time>):
    • Skips slow-responding hosts
    • Bypasses hosts implementing defensive delay tactics
  • Timing templates (-T0 to -T5):
    • T0/T1: Can evade IDS rate-based detection but extremely slow
    • T3: Default balance
    • T4/T5: Fast but easily detected by defensive systems

Nmap Live Host Discovery

  • ARP Scan (-PR):
    • Bypasses IP-based firewall rules on local networks
    • Not affected by software firewalls that filter IP traffic
    • Works only on local networks; most accurate for LAN scanning
  • ICMP Echo (-PE):
    • Firewalls: Commonly blocked at network perimeters
    • Open/Up: Echo reply received
    • Filtered/Down: No response or prohibited ICMP messages
  • ICMP Timestamp/Address Mask (-PP, -PM):
    • Alternative when echo requests are blocked
    • Many firewalls block echo but overlook these ICMP types
    • Response indicates host is up; no response suggests filtering
  • Skip host discovery (-Pn):
    • Treats all hosts as online, bypassing firewall blocks on ping
    • Useful when firewalls block all ICMP but allow connections to services
  • List input (-iL file.txt):
    • Scans pre-determined hosts regardless of discovery responses
    • Helpful when combining results from multiple reconnaissance methods

Nmap Scanning Network Range

  • Single IP: nmap 192.168.1.1
  • Multiple IPs: nmap 192.168.1.1 192.168.1.2
  • CIDR notation: nmap 192.168.1.0/24
    • Firewalls may detect sequential scanning; use randomization (--randomize-hosts)
  • Octet range: nmap 192.168.1.1-254
  • Using wildcards: nmap 192.168.1.*
  • Scan from file: nmap -iL targets.txt
    • Can help evade pattern detection by scanning non-sequential addresses

Nmap Advanced Port Scan

  • NULL Scan (-sN):
    • Sends packets with no flags set
    • Open|Filtered: No response
    • Closed: RST packet
    • Firewalls: May bypass stateless packet filters that only check for SYN flag
    • RFC-compliant systems should respond with RST to closed ports
  • FIN Scan (-sF):
    • Only FIN flag set
    • Open|Filtered: No response
    • Closed: RST packet
    • Firewalls: Often passes through firewalls that only watch for SYN packets
    • Can bypass simple firewall rulesets looking specifically for connection initiations
  • Xmas Scan (-sX):
    • Sets FIN, PSH, URG flags simultaneously
    • Open|Filtered: No response
    • Closed: RST packet
    • Firewalls: Abnormal flag combination often triggers IDS alerts but may bypass basic filters
    • More detectable than NULL or FIN scans due to distinctive flag pattern
  • Maimon Scan (-sM):
    • FIN and ACK flags set
    • Responses vary by OS; some systems drop packet for open ports
    • Firewalls: May confuse firewalls as it appears as part of established connection
  • Window Scan (-sW):
    • Examines TCP window size of RST packets
    • Open: Non-zero window size in RST (on some systems)
    • Closed: Zero window size in RST
    • Firewalls: Useful against systems where packet filtering handles RST responses differently
  • Custom Scan (--scanflags):
    • Define specific flag combinations
    • Allows crafting packets to test specific firewall rule behaviors
    • Example: --scanflags SYNFIN to test for improper handling of invalid flag combinations

Nmap Spoofing and Decoys

  • IP Spoofing (-S <IP>):
    • Makes scan appear from different source
    • Firewalls: Can bypass source IP filtering but responses go to spoofed host
    • Requires privileged access and often network proximity
  • Decoys (-D decoy1,decoy2,...):
    • Mixes real scan with additional spoofed source scans
    • Firewalls/IDS: Makes attribution difficult as multiple scan sources appear
    • Example: -D 10.0.0.1,10.0.0.2,ME,10.0.0.3 (ME represents your actual IP)
  • Interface (-e <interface>):
    • Specifies which network interface to use
    • Useful for multi-homed systems to select network path
  • Source port (-g/-source-port <port>):
    • Uses specific source port number
    • Firewalls: May bypass misconfigured firewalls that allow all traffic from specific ports (e.g., 53/DNS, 80/HTTP)

Nmap Fragmented Packets

  • Fragment packets (-f):
    • Splits headers across multiple IP packets
    • Open/Closed/Filtered determined as per scan type, but packets arrive fragmented
    • Firewalls: May bypass inspection systems that don’t properly reassemble fragments
    • Double fragmentation possible with -ff
  • Specific fragment sizes (--mtu <size>):
    • Custom fragment size (must be multiple of 8)
    • Firewalls: Different fragmentation patterns may evade signature-based detection
  • Behavior: Some firewalls/IDS fail to properly reassemble fragments for inspection, allowing malicious content to pass

Nmap Idle/Zombie Scan

  • Idle scan (-sI <zombie host[:probeport]>):
    • Uses side-channel attack via IP ID sequence numbers
    • Open port: Zombie’s IP ID increments by 2 (target response to zombie + your probe to zombie)
    • Closed/Filtered: Zombie’s IP ID increments by 1 (only your probe to zombie)
    • Firewalls: Extremely stealthy as scan appears to come from zombie host
    • Requirements: Zombie must have predictable IP ID sequence and low traffic
    • Advanced firewall detection requires correlation between multiple traffic sources
1
2
3
4
5
6
7
8
9
10
11
12
13

Attacker                 Zombie Machine               Target System
    |                          |                          |
    |-- IPID query ----------->|                          |
    |<-- IPID=X response ------|                          |
    |                          |                          |
    |-- Spoofed SYN (Source: Zombie IP) ----------------->|
    |                          |                          |
    |                          |<- SYN-ACK (port is open) |
    |                          |--  RST ----------------->|
    |                          |   (IPID increased)       |
    |                          |                          |
    |-- IPID query ------==--->|                          |
    |<-- IPID=X+1 response ----|                          |
Network Security, Ports & Protocols
networking enumeration port scanning
This post is licensed under CC BY 4.0 by the author.