The earlier articles in this series on Nmap covered its basic features, the working of the TCP three-way handshake and some important scan types, along with their practical use. This third article continues with some more interesting scanning techniques.
One very important aspect of Nmap scanning is the Nmap ping process, also called host discovery or the ping scan. As documented on nmap.org, an Nmap scan of a subnet usually begins by discovering which hosts in the subnet are online, so that the (much slower) port scan is spent only on them. Host discovery runs by default before every port scan, whatever scan type has been chosen, unless it is explicitly disabled (see the -PN option below). It is quite different from a plain ICMP ping: on the local Ethernet segment Nmap uses ARP requests, which are faster and more reliable than ICMP because a host cannot ignore ARP and still use the network; for remote subnets it combines TCP, ICMP and other probes. The exact probes used are therefore decided by whether the Nmap workstation is scanning its own (local) subnet or an external one. Host discovery is followed by deeper investigation of the hosts found to be online.
Remote subnets
To discover hosts on a remote subnet, Nmap (run as root) sends an ICMP echo request and a TCP ACK packet to port 80 of each address; current Nmap versions add a TCP SYN to port 443 and an ICMP timestamp request to this default set. A live host may answer with an ICMP echo reply and a TCP RST respectively (or a SYN/ACK to the SYN probe), revealing its presence. Several probe types are used because a firewall that drops ICMP echo often still lets one of the TCP probes through, so a host that ignores ping alone is not missed.
Nmap provides a very useful option, -PN (spelled -Pn in current versions; the older -PN and -P0 spellings are still accepted), which tells Nmap not to do a ping scan to discover active hosts but to assume that every host in the range being scanned is online. The implication of disabling host discovery, even for a /24 subnet with 254 usable addresses, is that all 254 addresses are port-scanned, including the non-existent hosts, which increases the scan time greatly. Exercise care in using this option. It is nevertheless the right choice when the targets' firewalls drop every discovery probe: without it, such hosts are reported as down and are never port-scanned at all. For example, nmap -v -PN 192.168.100.0/24 scans all hosts from 192.168.100.1 to 192.168.100.254 with host discovery disabled. (The -v option increases the verbosity of the output.)
TCP Connect scan

TCP Connect scan: client responses

Port status | Client response            | Inference
Open        | Standard response: SYN/ACK | Service running on the port / port is open
Closed      | Standard response: RST     | Service not running on the port / port is closed
Filtered    | No response                | Firewalled port
May 6, 2013 | Priyanka Sarkar
The connect scan asks the operating system to open a normal connection with the connect() call, so it needs neither raw packets nor root privileges. For a port that is open, the target answers Nmap's SYN with a SYN/ACK, the operating system completes the handshake with an ACK, and Nmap then closes the connection again straight away (with an RST or FIN). The host is thus scanned using nothing but the standard TCP handshake. Do you see the downside of this scan type? Since the handshake is completed, the connection is handed to the listening application, which can log it; a SYN scan never completes the handshake, so the application never sees it. Like the TCP SYN scan, the TCP Connect scan works against every operating system and device that implements TCP, such as PLCs, network printers, Ethernet switches, mobile phones, etc. An example scan would be nmap -sT 192.168.100.100. The disadvantage of this scan type is that it uses more resources and time than the TCP SYN scan, since it opens a full TCP connection and then tears it down, and, as noted, it leaves a log entry on the target device.
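The behaviour described above, as an added example that is not code from the article or from Nmap: a connect scan of one port implemented with the ordinary socket API, classifying the result according to the table (open / closed / filtered), together with a constructed target service on 127.0.0.1 that records every connection it accepts. The recorded line is the "log entry" the text warns about: because connect() completes the three-way handshake, the application really does see the scanner. All hosts, ports and the logging service are constructed for the demo.

```python
"""TCP Connect scan (nmap -sT) classification, added example.

Not code from the article or from Nmap. connect() makes the operating
system run the full three-way handshake, so the outcome of the call maps
directly onto the table: success -> open, RST (refused) -> closed, no
answer -> filtered. A constructed target service logs each accepted
connection to show why this scan type leaves traces on the target.
"""
import queue
import socket
import threading


def start_logging_service(host="127.0.0.1"):
    """Constructed target: listen on an OS-chosen port and log every
    accepted connection the way a real daemon would."""
    log = queue.Queue()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))              # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:          # listening socket closed: shut down
                return
            log.put("accepted connection from %s:%d" % peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port, log


def connect_scan(host, port, timeout=1.0):
    """Classify one port as open / closed / filtered, like nmap -sT."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))      # SYN -> SYN/ACK -> ACK: handshake done
        return "open"
    except ConnectionRefusedError:
        return "closed"              # target answered the SYN with RST
    except OSError:                  # timeout or ICMP unreachable: dropped
        return "filtered"
    finally:
        s.close()                    # tear the connection down again


def pick_closed_port(host="127.0.0.1"):
    """Find a port nothing listens on: bind an ephemeral port, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan_demo():
    """Scan an open and a closed port on localhost; return the verdicts and
    what the target application logged about the scan."""
    srv, open_port, log = start_logging_service()
    try:
        results = {
            "open_port": connect_scan("127.0.0.1", open_port),
            "closed_port": connect_scan("127.0.0.1", pick_closed_port()),
            # accept() runs in the service thread; wait for its log line
            "target_log": [log.get(timeout=2.0)],
        }
    finally:
        srv.close()
    return results


if __name__ == "__main__":
    for key, value in connect_scan_demo().items():
        print(key, value)
```

The "filtered" branch cannot be exercised on the loopback interface (nothing drops packets there); against a real firewalled host the connect() call simply times out and falls into that branch. Compare the logged line with a SYN scan, which would leave this queue empty because the handshake is never completed.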
Version scan
The more you study Nmap, the more astonished you will be at its functionality. Nmap uses simple TCP, UDP and ICMP probes in very interesting ways to detect devices, operating systems, the services running on various ports and even the versions of those services. The Nmap version scan, -sV, is used to identify the services and versions running on open ports: after the port scan, Nmap connects to each open port, listens for a banner, sends application-level probes where the service stays silent, and matches the responses against its signature database. A simple command like nmap -v -sV 192.168.100.100 finds the open ports on the host and reports the service and version detected on each of them.
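To make the version-scan mechanism concrete, here is an added example that is not code from the article or from Nmap. Nmap's real matching uses its nmap-service-probes database; a constructed three-entry signature table plays that role here. The probe logic follows the same idea: connect, first just listen (many services announce themselves), and if the port stays silent send an application probe (an HTTP GET). The response is matched against the signatures; anything unmatched is returned as a raw fingerprint, which corresponds to the fingerprint Nmap prints and asks you to submit for unrecognised services. The three fake services on 127.0.0.1 and their banners are constructed for the demo.

```python
"""Service version detection in the spirit of nmap -sV, added example.

Not code from the article or from Nmap. SIGNATURES is a constructed
stand-in for Nmap's nmap-service-probes database: each entry is a service
name plus a regex with named groups for product and version.
"""
import re
import socket
import threading

# Constructed signature table: (service, regex over the raw banner bytes).
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)"
                       rb"[_-]?(?P<version>\S*)")),
    ("ftp", re.compile(rb"^220[ -].*?(?P<product>vsFTPd) (?P<version>[\d.]+)")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: (?P<product>[^/\r\n]+)"
                        rb"(?:/(?P<version>[^\r\n]*))?", re.S)),
]


def match_banner(banner):
    """Return {'service', 'product', 'version', ...} for a known banner, or
    {'service': 'unknown', 'fingerprint': ...} so it can be reported."""
    for service, rx in SIGNATURES:
        m = rx.search(banner)
        if m:
            info = {"service": service}
            for key, value in m.groupdict().items():
                if value:
                    info[key] = value.decode("ascii", errors="replace")
            return info
    return {"service": "unknown", "fingerprint": banner[:64].hex()}


def recv_some(sock, limit=1024):
    try:
        return sock.recv(limit)
    except socket.timeout:
        return b""                   # service said nothing within the timeout


def version_probe(host, port, timeout=1.0):
    """NULL probe (just listen) first; fall back to an HTTP GET probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_some(s)
        if not banner:
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            banner = recv_some(s)
    return match_banner(banner)


# --- constructed fake services for the demo ------------------------------
def fake_ssh(conn):
    conn.sendall(b"SSH-2.0-OpenSSH_8.9p1\r\n")           # speaks first


def fake_http(conn):
    conn.recv(1024)                                       # waits for a request
    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: nginx/1.24.0\r\n"
                 b"Content-Length: 0\r\n\r\n")


def fake_mystery(conn):
    conn.sendall(b"HELLO\r\n")                            # matches nothing


def serve_once(handler, host="127.0.0.1"):
    """Listen on an ephemeral port, serve exactly one client, return port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def version_scan_demo():
    results = {}
    for name, handler in (("ssh", fake_ssh), ("http", fake_http),
                          ("mystery", fake_mystery)):
        port = serve_once(handler)
        results[name] = version_probe("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for name, info in version_scan_demo().items():
        print(name, info)
```

The HTTP case shows why -sV is slower than a plain port scan: the scanner first waits a full timeout for a banner that never comes before it sends its own probe. The "mystery" case returns the hex fingerprint a practitioner would inspect (and, in Nmap's case, submit) rather than a guess.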
OS fingerprinting
Nmap can detect the operating system of the scanned host. If, for example, you run nmap -v -O 192.168.100.100, it can identify a wide range of operating systems, such as the various versions of Microsoft Windows or Linux (including the kernel version). OS detection needs raw packets, so it requires root privileges, and it works best when the target has at least one open and one closed TCP port for Nmap to probe. If a service or operating system is not recognised, Nmap prints the fingerprint it collected and asks the user to submit it, together with the actual version of the service/operating system, to the Nmap developers at www.insecure.org for inclusion in future Nmap versions. Please try these scanning techniques hands-on before exploring the many other scan options Nmap provides. And don't forget to keep a watch on this series for further details!
Hi, I'm trying to execute this command (nmap -sV -sC --allports --version-all --script=sslcert.nse,ssl-enum-ciphers) via the command line. Sometimes it gives me the desired output, such as SSL certificates and SSL ciphers, but not every time. What am I missing in this command? How do I ensure that this command will return SSL information each time? Please reply.
Thanks
All published articles are released under the Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted. LINUX For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.