Advanced Nmap: Scanning Techniques Continued


By Rajesh Deodhar on December 1, 2010 in How-Tos, Sysadmins, Tools / Apps 1 Comment

The earlier articles on Nmap had covered the basic features, the working of the TCP 3-way handshake, and some important scan types, along with their practical use. The third article in this series continues with some more interesting scanning techniques.
One very important aspect of Nmap scanning is the Nmap ping process, sometimes also called the host discovery/ping scan process. As documented on nmap.org, an Nmap scan of a subnet usually begins with discovering which hosts in the subnet are online. This host discovery is in operation every time any of the Nmap scan types is run. It is different from standard ICMP pings, and combines ARP requests and elaborate combinations of TCP, ICMP and other probes. The exact type of scan is decided based on whether the Nmap workstation is scanning its own (local) subnet, or an external subnet. Host discovery is followed by deeper investigation of the online hosts.

Typical Nmap host discovery


Local subnets
For scanning devices in a local subnet, Nmap uses an ARP scan, where an ARP request is sent to the local device. The device acknowledges this with an ARP reply, thus revealing its presence. Being at OSI Layer 2, ARP requests are limited to the local subnet.

Remote subnets
To scan remote subnets, Nmap sends an ICMP echo packet and a TCP ACK packet to the remote device. The remote device may send an ICMP reply and TCP RST respectively, thus revealing its presence.

Assume online switch


Now, consider a real-life scenario where all hosts on the local network have personal firewalls, and the default ping scan shows no active hosts. How do you probe this network further?

Nmap provides an excellent option, -PN, which tells Nmap not to do a ping scan to discover active hosts, but to assume that all hosts in the range being scanned are online. The implication of disabling host discovery, even for a Class C subnet with 254 IP addresses, is that all 254 IP addresses will be probed, including non-existent hosts, which increases the scan time greatly. Exercise care in using this option. For example, nmap -v -PN 192.168.100.0/24 will scan all hosts from 192.168.100.1 to 192.168.100.254 with host discovery disabled. (The -v option increases the verbosity of the output.)
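As an added illustration (not part of the original article), the following Python models the host discovery decision described above: ARP for targets on the scanner's own subnet, ICMP echo plus TCP ACK for remote targets, and, with -PN, no discovery probe at all, so every address in the range goes on to be probed. The scanner address 192.168.100.5/24 and the function names are assumptions.

```python
import ipaddress


def discovery_plan(scanner_iface, target, skip_discovery=False):
    """Map every address in `target` to the host discovery probe Nmap would use.

    scanner_iface:  the scanning workstation's own address with prefix
                    (the value "192.168.100.5/24" used below is an assumption).
    target:         a single address or a CIDR range such as "192.168.100.0/24".
    skip_discovery: True models -PN: no discovery probe, every address is probed.
    Returns (plan, number of addresses that will be probed).
    """
    local_net = ipaddress.ip_interface(scanner_iface).network
    net = ipaddress.ip_network(target, strict=False)
    # A CIDR target expands to its usable host addresses; a single address is itself.
    addrs = [net.network_address] if net.num_addresses == 1 else list(net.hosts())
    plan = {}
    for addr in addrs:
        if skip_discovery:
            probe = "assumed up (-PN), no discovery probe"
        elif addr in local_net:
            probe = "ARP request (layer 2, local subnet)"
        else:
            probe = "ICMP echo + TCP ACK (remote subnet)"
        plan[str(addr)] = probe
    return plan, len(plan)


def summarise(plan):
    """Count addresses per probe type, e.g. to see the cost of -PN on a /24."""
    counts = {}
    for probe in plan.values():
        counts[probe] = counts.get(probe, 0) + 1
    return counts


if __name__ == "__main__":
    cases = (("192.168.100.0/24", False), ("10.0.0.7", False), ("192.168.100.0/24", True))
    for tgt, skip in cases:
        plan, n = discovery_plan("192.168.100.5/24", tgt, skip)
        print(tgt, "-PN" if skip else "", n, summarise(plan))
```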
A TCP Connect scan


As discussed in the earlier article, any Nmap scan type that requires modifying or tweaking the standard TCP 3-way handshake requires administrative privileges. Since the default Nmap scan is a TCP SYN scan, which needs administrator access, Nmap instead uses a TCP Connect scan as the default for non-privileged users. Nmap starts a TCP Connect scan by initiating a TCP handshake with a standard SYN packet to the required TCP port of the target device. The target's response to the TCP Connect scan is the same as for a TCP SYN scan: it varies depending on the state of the destination port (see the following table).

TCP Connect Scan client responses

Port status   Client response               Inference
Open          Standard response: SYN/ACK    Service running on the port / port is open
Closed        Standard response: RST        Service not running on the port / port is closed
Filtered      No response                   Firewalled port

For a port that is open, Nmap sends an ACK packet to complete the TCP handshake, thus opening the connection. It then sends an RST packet to reset the connection, closing the open connection. In this way, the host is scanned without modifying the standard TCP handshake. Do you see the downside of this scan type? Since it completes the full handshake, it leaves a log entry on the target device. Like the TCP SYN scan, the TCP Connect scan also works across all operating systems and other devices that implement TCP, such as PLCs, network printers, Ethernet switches, mobile phones, etc. An example scan would be nmap -sT 192.168.100.100. The disadvantage of this scan type is that it uses more resources than the TCP SYN scan, since it opens a full TCP connection and then resets it, and, as noted, it leaves a log entry on the target device.
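Because a Connect scan completes the handshake, each probed port shows up in the target's connection log, and that is the defender's detection opportunity. The following added Python example (not from the article) builds constructed accept-log lines, loosely modelled on host firewall logging, and flags any source that completes connections to many distinct ports within a short window; the log format, threshold and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed accept-log format (an assumption, loosely modelled on host firewall
# logging): ISO timestamp, source address, destination address, protocol, dest port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACCEPT SRC=(?P<src>[\d.]+) DST=[\d.]+ PROTO=TCP DPT=(?P<dpt>\d+)$"
)


def parse(lines):
    """Yield (timestamp, source, destination port) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def detect_connect_scans(lines, window_s=60, min_ports=10):
    """Return {source: peak distinct destination ports inside any window_s-second
    window} for sources reaching at least min_ports distinct ports. A completed
    Connect scan appears as one source touching many ports in quick succession."""
    recent = defaultdict(deque)   # source -> (timestamp, port) events still in window
    peak = defaultdict(int)
    for ts, src, dpt in sorted(parse(lines)):
        q = recent[src]
        q.append((ts, dpt))
        while ts - q[0][0] > timedelta(seconds=window_s):   # expire old events
            q.popleft()
        peak[src] = max(peak[src], len({port for _, port in q}))
    return {src: n for src, n in peak.items() if n >= min_ports}


def constructed_sample():
    """Constructed log: one host sweeping ports 21-35 (what an nmap -sT sweep looks
    like to the target) and one benign client alternating between ports 80 and 443."""
    base = datetime(2010, 12, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(21, 36)):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ACCEPT SRC=192.168.100.50 DST=192.168.100.100 PROTO=TCP DPT={port}")
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        port = 80 if i % 2 else 443
        lines.append(f"{ts} ACCEPT SRC=192.168.100.20 DST=192.168.100.100 PROTO=TCP DPT={port}")
    return lines


if __name__ == "__main__":
    print(detect_connect_scans(constructed_sample()))   # {'192.168.100.50': 15}
```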

Version scan
The more you study Nmap, the more astonished you will be at its functionality. Nmap uses simple TCP, UDP and ICMP scans in very interesting ways to detect various devices, operating systems, services running on various ports, and even the versions of these services. The Nmap version scan, -sV, is used to find the versions of services running on open ports. A simple command like nmap -v -sV 192.168.100.100 will find the open ports on the host, and find and display the versions of all the services running on these ports.

OS fingerprinting
Nmap can detect the operating system of the scanned host. If, for example, you use nmap -v -O 192.168.100.100, it can detect a variety of operating systems, such as the versions of Microsoft Windows, Linux (including the kernel version), etc. If there is an unrecognised service or operating system, Nmap will show the service's fingerprint and request the user to send the fingerprint and the version of the service/operating system to the Nmap developers at www.insecure.org, for inclusion in future Nmap versions. Please try out these scanning techniques hands-on before exploring the various other scan options provided by Nmap. And don't forget to keep a watch on this series for further details!


Article written by:


Rajesh Deodhar
The author is BE (Industrial Electronics), CISA (Certified Information Systems Auditor) and DCL (Diploma in Cyber Law). He has more than 15 years of experience in the field of computer hardware, networking, firewalls and IS auditing. He is a director at Omega Systems and Services, Pune. Connect with him: Website

1 comment

Neeraj
11 months ago

Hi, I'm trying to execute this command (nmap -sV -sC --allports --version-all --script=sslcert.nse,ssl-enum-ciphers) via command line. Sometimes it gives me the desired output such as ssl certificates and ssl ciphers but not every time. What am I missing in this command? How do I ensure that this command will return ssl information each time? Please reply.

Thanks