THE PRINCIPLE AND USAGE OF NMAP SCANNING

Nmap is used to enumerate network host inventories, manage service upgrade schedules, and monitor host or service health. It can detect whether a target host is online, which of its ports are open, the type and version of the service behind each port, the operating system and device type, and more.

Nmap's scanning functionality covers four areas: host discovery, port scanning, application version detection, and operating system detection.

Basic Scan Methods

Determine port status

To scan a specific host or domain name, use the command below.

nmap targethost

This quickly determines whether the target host is online and the basic state of its ports.

Complete and comprehensive scan

To run a complete, comprehensive scan of a host, use the -A option. With it, Nmap performs host discovery, port scanning, application version detection and operating system detection, and runs the default NSE scripts against the target host.

nmap -T4 -A -v targethost

-A enables aggressive scanning. -T sets the timing template, with six levels (0-5): the higher the level, the faster the scan, but the more easily it is detected and blocked by firewalls or IDS; -T4 is recommended in a good network environment. -v enables verbose output, showing details while the scan runs so the user can follow its progress.

Host Discovery

Host Discovery Principle

Host discovery works much like the ping command: Nmap sends probe packets to the target host, and if a reply is received the host is considered up. Nmap supports more than ten host detection methods, including ICMP echo/timestamp/netmask requests, TCP SYN/ACK packets, and SCTP INIT/COOKIE-ECHO packets, so users can flexibly choose the method that fits the circumstances.

Host discovery fundamentals (taking the ICMP echo method as an example):

The Nmap user at the source host 192.168.0.5 sends an ICMP Echo Request to the target host 192.168.0.3. If the request is not blocked by a firewall, the target replies with an ICMP Echo Reply, which tells Nmap that the target host is online.

By default, Nmap sends four different types of packets to detect whether the target host is online.

  1. ICMP Echo Request
  2. A TCP SYN packet to port 443
  3. A TCP ACK packet to port 80
  4. An ICMP timestamp request

Four different packets are used to avoid a wrong verdict caused by a firewall or by packet loss: a reply to any one of them is enough to conclude that the target host is up.

Usage of Host Discovery

Typically, host discovery is not used on its own but as the first step of a scan. In some special cases, such as counting the active hosts on a large local area network, the host discovery feature may be used by itself.

Whether used as an auxiliary step or for its own purpose, the following options customize how host discovery probes.

-sL: List scan; only list the specified targets without probing them
-sn: Ping scan; only detect whether hosts are up, with no port scan
-Pn: Treat all specified hosts as online, skipping host discovery
-PS/PA/PU/PY: Discover hosts with TCP SYN/ACK, UDP, or SCTP INIT probes
-PE/PP/PM: Discover hosts with ICMP echo, timestamp, or netmask requests
-PO[protocol list]: Use IP protocol packets to detect whether the host is up
-n/-R: -n never performs DNS resolution; -R always performs DNS resolution
--dns-servers <serv1[,serv2],...>: Specify DNS servers
--system-dns: Use the system's DNS resolver
--traceroute: Trace the route to each host
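The "count the active hosts on a LAN" use case above is easiest to automate from Nmap's XML output (the real -oX option), which records for every host whether it is up and which discovery probe it answered. The script below is an added example, not code from the original post: it parses a constructed -sn XML sample (realistic layout, invented hosts) and cross-checks the count against Nmap's own runstats summary. The reason histogram is the defender's bonus: it shows which probe types actually get through the network between scanner and hosts.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX) from a ping scan (-sn).  Not a real
# capture, but it follows the real <nmaprun>/<host>/<status>/<address> layout.
SAMPLE_SN_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.0.0/29" start="1611742140">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="gateway.lan" type="PTR"/></hostnames>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.0.3" addrtype="ipv4"/>
    <hostnames/>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.4" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
  </host>
  <runstats><finished elapsed="2.10"/><hosts up="3" down="1" total="4"/></runstats>
</nmaprun>
"""


def parse_host_discovery(xml_text):
    """Return one dict per <host>: IPv4 address, up/down state, the probe that
    answered (Nmap's 'reason' attribute) and the reverse-DNS name if any."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        ipv4 = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        name_el = host.find("hostnames/hostname")
        hosts.append({
            "addr": ipv4,
            "state": status.get("state"),
            "reason": status.get("reason"),
            "hostname": name_el.get("name") if name_el is not None else None,
        })
    return hosts


def count_up(hosts):
    return sum(1 for h in hosts if h["state"] == "up")


def reasons_histogram(hosts):
    """Which discovery probe each live host answered."""
    hist = {}
    for h in hosts:
        if h["state"] == "up":
            hist[h["reason"]] = hist.get(h["reason"], 0) + 1
    return hist


def matches_runstats(xml_text, hosts):
    """Cross-check our count against the <runstats><hosts up=...> summary Nmap writes."""
    summary = ET.fromstring(xml_text).find("runstats/hosts")
    return int(summary.get("up")) == count_up(hosts)


if __name__ == "__main__":
    hosts = parse_host_discovery(SAMPLE_SN_XML)
    print(f"{count_up(hosts)} of {len(hosts)} hosts up; probes answered: {reasons_histogram(hosts)}")
    for h in hosts:
        print(f"  {h['addr']:<14} {h['state']:<5} {h['reason']:<13} {h['hostname'] or '-'}")
```

To use it on a real scan, feed the contents of an -oX file to parse_host_discovery instead of the embedded sample.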

Demo

Probe scanme.nmap.org:

nmap -sn -PE -PS80,135 -PU53 scanme.nmap.org

Capturing the traffic with Wireshark, we can see four kinds of packets sent to scanme.nmap.org's IP address 182.140.147.57: an ICMP echo request, TCP SYN packets to ports 80 and 135, and a UDP packet to port 53 (DNS). Replies to the ICMP echo request and to the port 80 probe were received, so scanme.nmap.org is determined to be online.

Port Scan

Port scanning is Nmap's most basic and core function: it determines the state of the target host's TCP/UDP ports.

By default, Nmap scans the 1000 TCP ports most likely to be open.

Nmap classifies a port into one of six states:

  1. open
  2. closed
  3. filtered
  4. unfiltered
  5. open|filtered
  6. closed|filtered

Port Scan Principle

Nmap's port scanning is very powerful and offers more than ten detection methods.

  1. TCP SYN scanning
    This is Nmap's default scan, often called half-open scanning. It sends a SYN to the target port: a SYN/ACK reply means the port is open, an RST reply means it is closed, and no reply means the port is filtered. Because only a SYN is sent to the port and no complete TCP connection is established, this method is relatively stealthy, efficient, and widely applicable.

  2. TCP connect scanning
    TCP connect scanning uses the operating system's connect() API to establish a connection with the target host; if the connection cannot be established, the port is closed. This scan is slow, and because a full TCP connection is completed it leaves traces on the target host and is not stealthy, so TCP connect should be used only when TCP SYN scanning does not work.

  3. TCP ACK scanning
    An ACK packet is sent to the target port. If an RST comes back, the port is not filtered by a firewall; if no RST is received, the port is blocked by a firewall. This method can only tell whether a port is firewalled, so it serves as an auxiliary to the TCP SYN method.

  4. TCP FIN/Xmas/NULL scanning
    These three are also called stealth scans because they are relatively hard to notice. An Xmas tree packet has the FIN, URG and PSH flags set; a NULL packet has no flags set at all.

  5. UDP scanning
    UDP scanning determines the state of UDP ports. An "ICMP port unreachable" reply means the port is closed; otherwise the port is open|filtered.

  6. Other methods
    Besides the common methods above, Nmap supports other detection methods: an IP protocol scan to detect which protocols the target host supports; SCTP INIT/COOKIE-ECHO scans for the state of SCTP ports; the idle scan, which probes the target through a third host to hide the scanner; and the FTP bounce scan, which goes through an FTP server acting as a proxy.
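The response rules above are really one decision table, and writing it down makes the six port states concrete. The block below is an added example, not code from the original post: it encodes (scan type, reply) -> state for the scan types described, then produces the same kind of summary Nmap prints (the most common state is collapsed into a "Not shown: N <state> ports" line). The SYN, connect, ACK and UDP rows come from the text; the FIN/Xmas/NULL rows and the "ICMP unreachable -> filtered" entries are Nmap's documented behaviour and go beyond what the post states. The probe outcomes are constructed, not captured traffic.

```python
from collections import Counter

# Decision table: (scan type, what came back from the target port) -> the state
# Nmap reports.  SYN/connect/ACK/UDP rows follow the text above; the FIN/Xmas/NULL
# rows and the "icmp-unreach" entries are Nmap's documented behaviour, added here.
RESPONSE_RULES = {
    "syn": {"syn-ack": "open", "rst": "closed",
            "icmp-unreach": "filtered", "none": "filtered"},
    "connect": {"connected": "open", "refused": "closed", "timeout": "filtered"},
    "ack": {"rst": "unfiltered", "icmp-unreach": "filtered", "none": "filtered"},
    "fin": {"rst": "closed", "icmp-unreach": "filtered", "none": "open|filtered"},
    "udp": {"udp-response": "open", "icmp-port-unreach": "closed",
            "icmp-unreach": "filtered", "none": "open|filtered"},
}
# Xmas and NULL probes are interpreted exactly like FIN probes.
RESPONSE_RULES["xmas"] = RESPONSE_RULES["null"] = RESPONSE_RULES["fin"]


def classify_port(scan_type, response):
    """Return the Nmap port state for one probe outcome, or raise on an unknown pair."""
    rules = RESPONSE_RULES.get(scan_type)
    if rules is None:
        raise ValueError(f"unknown scan type {scan_type!r}")
    if response not in rules:
        raise ValueError(f"unexpected response {response!r} for a {scan_type} scan")
    return rules[response]


def summarize(scan_type, probe_results):
    """probe_results maps port -> response.  Returns (dominant_state, hidden_count,
    shown): `shown` lists (port, state) for every port NOT in the dominant state,
    mirroring Nmap's "Not shown: N <state> ports" summary line."""
    states = {port: classify_port(scan_type, resp) for port, resp in probe_results.items()}
    dominant, hidden = Counter(states.values()).most_common(1)[0]
    shown = sorted((p, s) for p, s in states.items() if s != dominant)
    return dominant, hidden, shown


# Constructed probe outcomes (not real traffic) for a SYN scan and a UDP scan.
SYN_SAMPLE = {22: "syn-ack", 25: "rst", 80: "syn-ack", 135: "none",
              139: "none", 443: "syn-ack", 445: "none", 3389: "none"}
UDP_SAMPLE = {53: "udp-response", 67: "none", 123: "none", 161: "none",
              500: "icmp-port-unreach"}

if __name__ == "__main__":
    for scan_type, sample in (("syn", SYN_SAMPLE), ("udp", UDP_SAMPLE)):
        dominant, hidden, shown = summarize(scan_type, sample)
        proto = "udp" if scan_type == "udp" else "tcp"
        print(f"{scan_type} scan: Not shown: {hidden} {dominant} ports")
        for port, state in shown:
            print(f"  {port}/{proto}  {state}")
```

Note how the UDP sample ends up mostly open|filtered: silence is ambiguous for UDP, which is exactly why UDP scans are slow and why the text says only an ICMP port unreachable gives a definite "closed".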

Usage of port scanning

-sS/sT/sA/sW/sM: Scan with the TCP SYN/Connect()/ACK/Window/Maimon methods
-sU: UDP scan of the target host's UDP ports
-sN/sF/sX: TCP NULL, FIN, and Xmas scans
--scanflags <flags>: Customize the TCP flags of the probes
-sI: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans for ports running over SCTP
-sO: IP protocol scan to determine which protocols the target host supports
-b: FTP bounce scan
-p: Scan the specified ports
-F: Fast mode, scan only the top 100 ports
-r: Scan ports in sequential rather than random order
--top-ports <number>: Scan the ports most likely to be open
--port-ratio <ratio>: Scan only ports whose probability of being open is above <ratio>

Examples: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 (T stands for TCP, U for UDP, S for SCTP)
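The last example mixes all three protocol qualifiers, and the rules for how they combine are worth seeing in code. The parser below is an added example, not Nmap's own code: it expands a -p specification into (protocol, port) pairs. The T:/U:/S: meaning comes from the text; two further rules are Nmap's documented behaviour and are assumptions of the example rather than statements of the post: a qualifier stays in effect until the next one, and ports given before any qualifier apply to every protocol the scan covers (modelled by the scanned_protocols parameter, a name chosen here). Open-ended ranges such as "-" for all ports are handled too.

```python
PROTOCOL_PREFIXES = {"T": "tcp", "U": "udp", "S": "sctp"}


def parse_port_spec(spec, scanned_protocols=("tcp",)):
    """Expand an Nmap -p specification into a set of (protocol, port) pairs.

    Handles single ports, ranges ("21-25"), open-ended ranges ("-100", "1000-",
    or "-" alone for 1-65535) and the T:/U:/S: protocol qualifiers.  A qualifier
    stays in effect until the next one; entries before any qualifier are applied
    to every protocol in `scanned_protocols` (Nmap's rule for unqualified ports).
    """
    ports = set()
    current = None                      # None = no qualifier seen yet
    for entry in spec.replace(" ", "").split(","):
        if not entry:
            raise ValueError(f"empty port entry in {spec!r}")
        if len(entry) >= 2 and entry[1] == ":" and entry[0].upper() in PROTOCOL_PREFIXES:
            current = PROTOCOL_PREFIXES[entry[0].upper()]
            entry = entry[2:]
            if not entry:               # e.g. "T:,80": qualifier with nothing after it
                raise ValueError(f"protocol qualifier without ports in {spec!r}")
        if "-" in entry:
            lo_text, hi_text = entry.split("-", 1)
            lo = int(lo_text) if lo_text else 1
            hi = int(hi_text) if hi_text else 65535
        else:
            lo = hi = int(entry)        # int() raises ValueError on junk such as "abc"
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {entry!r}")
        protocols = (current,) if current else tuple(scanned_protocols)
        for proto in protocols:
            for port in range(lo, hi + 1):
                ports.add((proto, port))
    return ports


def by_protocol(ports):
    """Group a parsed port set as {protocol: sorted port list}, the shape you want
    when comparing a planned scan against an allow-list or a change ticket."""
    grouped = {}
    for proto, port in ports:
        grouped.setdefault(proto, []).append(port)
    return {proto: sorted(plist) for proto, plist in grouped.items()}


if __name__ == "__main__":
    spec = "U:53,111,137,T:21-25,80,139,8080,S:9"   # the example from the text
    print(by_protocol(parse_port_spec(spec)))
```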

Version Detection

  1. Check the ports that the port scan found open or open|filtered.
  2. If the port is a TCP port, establish a TCP connection. Usually the target host sends a "welcome banner"; Nmap compares it with the signatures in nmap-service-probes.
  3. If the welcome banner does not identify the application version, Nmap sends further detection probes and compares the responses again. If the version still cannot be determined, Nmap returns the raw response content so the user can judge for themselves.
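The three steps map directly onto a small matcher, which makes it clear why a banner that is changed or removed only pushes Nmap to its later probes rather than stopping detection. The block below is an added example, not code from the original post and not Nmap's real nmap-service-probes syntax: the probe table is a constructed, heavily simplified imitation of that file (a silent NULL probe that just reads the welcome banner, then a GET request), and the three "targets" are functions standing in for a TCP connection to an invented port. Nothing here touches the network.

```python
import re

# Constructed, heavily simplified stand-in for nmap-service-probes (not the real
# file).  Each probe holds the bytes Nmap would send (the NULL probe sends nothing
# and just reads the welcome banner) and the match lines to try on the reply:
# (service name, regex, product name, regex group holding the version or None).
PROBES = [
    {"name": "NULL", "send": b"", "matches": [
        ("ssh",  re.compile(rb"^SSH-\d[\d.]*-OpenSSH[_-]([\w.]+)"), "OpenSSH", 1),
        ("smtp", re.compile(rb"^220 [^\r\n]* ESMTP Postfix"), "Postfix smtpd", None),
        ("ftp",  re.compile(rb"^220 \(vsFTPd ([\d.]+)\)"), "vsftpd", 1),
    ]},
    {"name": "GetRequest", "send": b"GET / HTTP/1.0\r\n\r\n", "matches": [
        ("http", re.compile(rb"^HTTP/1\.[01] \d{3}[^\r\n]*\r\nServer: nginx/([\d.]+)"), "nginx", 1),
        ("http", re.compile(rb"^HTTP/1\.[01] \d{3}[^\r\n]*\r\nServer: Apache/([\d.]+)"), "Apache httpd", 1),
    ]},
]


def detect_version(respond):
    """Run the three steps from the text against one port.

    `respond(probe_bytes)` stands in for the TCP connection: it returns what the
    service answers with (b"" for silence).  Steps 1-2: read the welcome banner
    (NULL probe) and compare it with the match lines.  Step 3: if nothing matched,
    send the remaining probes; if still nothing matches, hand back the raw replies
    as a fingerprint for the user to judge.
    """
    raw_replies = {}
    for probe in PROBES:
        data = respond(probe["send"])
        if not data:
            continue
        raw_replies[probe["name"]] = data
        for service, pattern, product, version_group in probe["matches"]:
            m = pattern.search(data)
            if m:
                version = m.group(version_group).decode("ascii", "replace") if version_group else None
                return {"service": service, "product": product,
                        "version": version, "matched_by": probe["name"]}
    return {"service": "unknown", "fingerprint": raw_replies}


# Constructed target behaviours (what a port answers to each probe), not captures.
def ssh_target(sent):
    # SSH speaks first, so the banner arrives on the NULL probe.
    return b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n" if sent == b"" else b""


def nginx_target(sent):
    # HTTP servers say nothing until asked, so the NULL probe comes back empty.
    return b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n" if sent else b""


def unknown_target(sent):
    return b"\x01\x02hello?" if sent else b""


if __name__ == "__main__":
    for name, target in (("ssh", ssh_target), ("nginx", nginx_target), ("odd", unknown_target)):
        print(name, "->", detect_version(target))
```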

Usage of version detection

-sV: Version detection
--version-intensity <level>: Set the detection intensity (0-9)
--version-light: Light detection (intensity 2)
--version-all: Try every probe (intensity 9)
--version-trace: Print details during detection

Operating System Detection

Principle: fingerprinting (Nmap compares the target's TCP/IP responses against its fingerprint database)

Usage

-O: OS detection

Advanced Methods

Bypassing firewalls/IDS

Packet changes and timing changes

  1. Fragmentation
    Split the suspicious packets into fragments; some firewalls, to speed up processing, do not reassemble fragments before inspecting them.
  2. IP decoys
    When scanning, mix the real IP address with the IP addresses of other hosts (the decoy hosts must be online; otherwise the target host replies with a large number of packets to non-existent hosts, which amounts to a denial of service). The target's firewall or IDS then has to track and check a large number of packets from different IP addresses, which lowers the probability that the real scanner is tracked. Note that some advanced IDS can still identify the scanner's real IP address through statistical analysis.
  3. IP spoofing
    Make the target host believe the packets come from a different host.
  4. Specify the source port
    Some firewalls only let packets from specific source ports through. For example, a firewall may be configured to pass TCP packets whose source port is 21 to the FTP server while blocking packets with any other source port. In such cases the source port of the packets Nmap sends can be set to that specific port.
  5. Scan delay
    Some firewalls scrutinize packets that arrive too frequently, and some systems rate-limit their error messages (for example, Solaris usually replies with only one ICMP message per second to a UDP scan). Customizing the sending rate and the delay between packets therefore reduces the scrutiny the target applies and saves network bandwidth.
  6. Other techniques
    Nmap also provides other evasion techniques, such as sending packets from a particular network interface, specifying a minimum packet length, specifying the packet MTU, setting the TTL, spoofing the MAC address, and using a bad checksum.

Usage

-f; --mtu <val>: Fragment packets; specify the packet MTU
-D <decoy1,decoy2[,ME],...>: Hide the real IP address among decoys
-S <IP_Address>: Spoof the source IP address
-g/--source-port <portnum>: Specify the source port
--data-length <num>: Append random data so the packet length reaches <num>
--ttl <val>: Set the IP time-to-live value
--spoof-mac <mac address/prefix/vendor name>: Spoof the MAC address
--badsum: Send packets with a bad checksum (normally such packets are discarded; if a reply comes back, it came from a firewall or IDS/IPS rather than the host).
Posted @ 2021-01-27 18:29 by 咕咕鸟GGA