

Advanced NMap: Some Scan Types


By Rajesh Deodhar on November 1, 2010 in How-Tos, Sysadmins, Tools / Apps


A broad overview and the basic features of NMap have been covered in an earlier article in this series of articles on Nmap. In this article, we discuss in detail various NMap scan types, and the practical use of these commands to scan various devices and networks.
Before we begin understanding NMap scan types, let us start with the basics, including understanding the 3-way TCP handshake. TCP/IP is not a single protocol, but a suite comprising various protocols, some of which are detailed in Table 1.

Table 1: Various TCP/IP protocols

1. Application layer: FTP, HTTP, SNMP, BOOTP, DHCP
2. Transport layer: TCP, UDP, ICMP, IGMP
3. Network layer: ARP, IP, RARP
4. Data link layer: SLIP, PPP

UDP and TCP


UDP is a connection-less protocol that does not assure the delivery of packets at the other end. However, that does not mean it is an unreliable protocol; higher-level applications must take care to verify that data has been received at the other end. This practice has its own uses, like with live audio/video transfers, where real-time delivery is a must. TCP is a connection-oriented protocol, which assures delivery of packets. ICMP packets are used to convey error messages, if any.

The TCP three-way handshake is used to establish and reset connections, and this concept is key to understanding various NMap scan types. In the TCP three-way handshake:

1. A client initiates communication with a SYN (Synchronise) packet with a randomly generated number, X.
2. The server acknowledges with a SYN-ACK (Acknowledgement), X+1 and a randomly generated number, Y.
3. The client again sends an ACK, followed by Y+1, thus completing the handshake.

Now the client and server can start data transfer. After the data transfer is complete, a FIN (Finish) packet is sent by the client, to end the connection. Nmap uses/tweaks this handshake very effectively for various scan types.

Before we proceed, let us be clear about two basic but important aspects of Nmap scans:

1. By default, Nmap scans the 1,000 most common ports for each protocol. The list of these ports can be modified in the nmap-services file, typically stored in /etc/services. (I have never used this; the default ports are almost always sufficient!)
2. Root privileges are required to run any scan that modifies the standard TCP handshake.

Now, let us try to understand the detailed workings of various NMap scan types.

TCP SYN Scan -sS


This is the default Nmap scan, used to detect open TCP ports in the target range. At the start of a SYN Scan, NMap initiates a TCP handshake with a standard SYN packet, to the required TCP port of the device to be scanned (target). The target's response, giving details of port status, differs depending on the status of the destination port (see Table 2).

Table 2: SYN scan client responses

Port status | Client response           | Inference
Open        | Standard response SYN-ACK | Service running on the port
Closed      | Standard response RST     | Service not running on the port
Filtered    | No response               | Firewalled port

If the device responds with a SYN-ACK, Nmap sends an RST instead of an ACK, resetting the session, rather than completing the handshake for data transfer. If an ACK were sent instead of an RST, the connection would be left open till session time-out, making the device prone to a denial-of-service type of situation. To run a SYN scan, root privileges are required under Linux. A SYN scan is used to find the status of TCP ports on various devices on the network. Since the SYN scan works on TCP, it will work across all operating systems and other devices that implement TCP, such as controllers, PLCs, network printers, Ethernet switches, and mobile phones. Since it does not open a valid TCP connection, it's quiet, and difficult to detect. However, careful network monitoring will reveal too many RST frames in traffic, due to one RST frame per scanned port. Here's a sample SYN scan that will return various open TCP ports:

nmap -sS 192.168.100.100
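The half-open signature described above (SYN, SYN-ACK, then RST instead of ACK, once per probed port) is exactly what a network monitor can look for. The following is an added example, not from the article: it replays a constructed capture of TCP segments, tracks each session through the handshake states, and flags sources that probe several ports without ever completing a handshake.

```python
from collections import defaultdict

# Constructed capture of TCP segments as (src, dst, service_port, flags) in
# arrival order; service_port is always the server-side port so one key names
# a session from either direction. 10.0.0.5 behaves like a SYN scanner,
# 10.0.0.9 like an ordinary client that completes the handshake.
PACKETS = [
    ("10.0.0.5", "192.168.100.100", 22, "SYN"),
    ("192.168.100.100", "10.0.0.5", 22, "SYN-ACK"),
    ("10.0.0.5", "192.168.100.100", 22, "RST"),    # RST instead of ACK: half-open
    ("10.0.0.5", "192.168.100.100", 23, "SYN"),
    ("192.168.100.100", "10.0.0.5", 23, "RST"),    # closed port: server resets
    ("10.0.0.5", "192.168.100.100", 80, "SYN"),
    ("192.168.100.100", "10.0.0.5", 80, "SYN-ACK"),
    ("10.0.0.5", "192.168.100.100", 80, "RST"),
    ("10.0.0.5", "192.168.100.100", 8080, "SYN"),  # no reply at all: filtered
    ("10.0.0.9", "192.168.100.100", 80, "SYN"),
    ("192.168.100.100", "10.0.0.9", 80, "SYN-ACK"),
    ("10.0.0.9", "192.168.100.100", 80, "ACK"),    # normal client finishes handshake
]


def classify_sessions(packets):
    """Replay the segments and return {(client, server, port): state}.

    States mirror the handshake in the article: 'syn' (probe sent, no answer),
    'synack' (port answered), 'established' (client ACKed), 'closed' (server
    RST) and 'half_open_reset' (client RST instead of ACK, the SYN-scan mark).
    """
    sessions = {}
    for src, dst, port, flags in packets:
        as_client, as_server = (src, dst, port), (dst, src, port)
        if flags == "SYN":
            sessions[as_client] = "syn"
        elif flags == "SYN-ACK" and sessions.get(as_server) == "syn":
            sessions[as_server] = "synack"
        elif flags == "RST" and sessions.get(as_server) == "syn":
            sessions[as_server] = "closed"
        elif flags == "RST" and sessions.get(as_client) == "synack":
            sessions[as_client] = "half_open_reset"
        elif flags == "ACK" and sessions.get(as_client) == "synack":
            sessions[as_client] = "established"
    return sessions


def suspected_syn_scanners(packets, min_ports=3):
    """Sources that probed at least min_ports ports and never completed a handshake."""
    per_src = defaultdict(lambda: {"ports": set(), "established": 0})
    for (client, _server, port), state in classify_sessions(packets).items():
        per_src[client]["ports"].add(port)
        per_src[client]["established"] += state == "established"
    return sorted(src for src, s in per_src.items()
                  if len(s["ports"]) >= min_ports and s["established"] == 0)
```

On real traffic the same logic runs over flow records from a sensor; the threshold and the "never established" condition are what keep ordinary busy clients out of the alert.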


Ping Scan -sP


This scan is used to find active hosts in the range. Rather than using ports like a SYN scan, a ping scan starts by sending an ICMP echo request to the target range. Active devices on the network will respond with an ICMP echo reply, thus revealing their status. A firewalled host with blocked ICMP will not respond to the ICMP echo request. The obvious basic use of this scan is to find all active hosts on the network. This set of two commands gives a list of all active IP addresses in the 192.168.100.0/24 range:
nmap -sP -n -oG hostlist 192.168.100.0/24    ## grep'able output file, hostlist
cut -d " " -f 2 hostlist > iplist             ## list of all active IPs in the target range, iplist

The ping scan uses only one packet for the request, and may get one packet in response, thus making it the fastest of all Nmap scan types, with the lowest footprint. The ping scan cannot be combined with other scan types.
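The two-command pipeline above relies on field 2 of every line of the grep'able file being an IP address, which is not true of the "# Nmap ..." header and footer lines. The following is an added example, not from the article: it parses a constructed sample of -oG output, keeps only hosts reported Up, and shows what the plain cut would have produced for comparison.

```python
import re

# Constructed sample of grep'able (-oG) output, as written by the hostlist
# command above; the comment lines and the Down host are the cases a
# field-2 cut does not handle.
HOSTLIST = """\
# Nmap scan initiated Mon Nov  1 10:00:00 2010 as: nmap -sP -n -oG hostlist 192.168.100.0/24
Host: 192.168.100.1 ()\tStatus: Up
Host: 192.168.100.2 ()\tStatus: Down
Host: 192.168.100.100 ()\tStatus: Up
Host: 192.168.100.254 ()\tStatus: Up
# Nmap done at Mon Nov  1 10:00:05 2010 -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds
"""

# Host line: address, optional reverse name in parentheses, then the status.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def active_hosts(grepable_text):
    """Return the IP addresses reported 'Up', skipping comment lines and Down hosts."""
    up = []
    for line in grepable_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # scan header/footer, not a host record
        match = HOST_LINE.match(line)
        if match and match.group(3) == "Up":
            up.append(match.group(1))
    return up


def naive_cut(grepable_text):
    """Field 2 of every line, i.e. what 'cut -d " " -f 2 hostlist' yields."""
    return [line.split(" ")[1] for line in grepable_text.splitlines() if " " in line]
```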

UDP Scan -sU


This is used to find the status of UDP ports in the target range. At the start of the UDP scan, Nmap sends a 0-byte UDP packet directed towards a UDP port. The target's response differs depending on the status of the scanned port:

1. Open port: Data on the scanned UDP port.
2. Closed port: ICMP error message indicating no service is running on this port.
3. Open/Filtered port: No ICMP message; Nmap waits for the timeout, and can't determine whether the port is open, or filtered by a firewall.

UDP can be used to detect malware/spyware effectively. The following sample UDP scan command will return open, closed or open/filtered UDP ports on the host:

nmap -sU 192.168.100.100

Table 3: Summary of SYN, ping and UDP scans

SYN scan (-sS)
  Scan: TCP ports
  Facets: Does not leave a log entry. Requires root access. Traffic of RST frames increases with use of SYN scan. Gives information about TCP ports.

Ping scan (-sP)
  Scan: Identify active hosts
  Facets: Very difficult to trace: only two standard ICMP frames, which are very common in network traffic, are required to complete the scan. Root privilege not required to run the scan. Yields a device inventory by identifying active devices on the network.

UDP scan (-sU)
  Scan: UDP ports
  Facets: Uses 0-byte UDP data, causing low overhead on the network. Requires root access. Many operating systems put restrictions on UDP traffic, thus this scan can be very slow if run on devices running those operating systems. Works well on Microsoft operating systems, since Microsoft does not restrict UDP port traffic. Best for scanning known UDP ports used by spyware/malware for communication.

Please try out these scanning techniques, hands-on, before further exploring various other scan options provided by NMap. And don't forget to keep a watch on this series for further details!


Article written by:


Rajesh Deodhar
The author is BE (Industrial Electronics), CISA (Certified Information Systems Auditor) and DCL (Diploma in Cyber Law). He has more than 15 years of experience in the field of computer hardware, networking, firewalls and IS auditing. He is a director at Omega Systems and Services, Pune.


1 comment

Geekster, 11 months ago:

ICMP & IGMP are protocols of the Network layer. In Table 1 you listed them wrong!


All published articles are released under the Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted. LINUX For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.
