Scanning using Nmap - Part 1

A thief wanted to rob a bank; he started watching the bank since a week
now, and he started to take notes about when the employees come, when
they leave, when there is big cash in the bank, when this cash is gone, and
he decided to rob the bank on the X day.
What do you think is missing here?

The thief has gathered his information from the outside, but he missed the
inside part. He didn’t report where the entrances and exits are, where the
guards are located, where the monitoring cameras are, and how to disable
or evade them; he didn’t see where cash is, what kind of vault they have,
how he will escape, what Plan B is…

Wow, this guy missed so many things, and this is what hackers try to avoid.
And this is what we call “Scanning and Enumeration”.
In “Scanning and Enumeration” we are trying to gather more information –
but this time by a partial delving into our target and grabbing the
information that will help us prepare our attack.

From the previous phase, we were able to gather general information about
our target, this time we will scan our system to find out:
1- Live systems
2- Open ports
3- Services running
4- Operating systems used
5- Vulnerabilities

Any “Penetration Testing” scanning starts with defining the live systems and
drawing a network topology for your target, our mission here is to find host,
routers, firewalls…
Both requirements can be achieved using some methods like “Tracerouting”
– which we already discussed in a previous article; another method is “Ping
Sweeping” – which is technique used by attackers where you send ICMP
Echo Request to multiple hosts, trying to find who of these hosts are alive.
Some of the tools that can accomplish “Ping Sweeping” are Nmap, Hping3,
netenum, Fping…

Let’s see what we can get from Nmap:

As we have seen, the command used was
nmap –sP 207.x.x.0/24
Or
nmap –sP 207.x.x.1-255
Both commands are the same, but in the first we used CIDR or Classless
Inter-Domain Routing, while in the second we added manually the range we
want to scan.

Let’s see the result in the Protocol Analyzer “Wireshark”

At the end of the Nmap command, you will see the result of the Ping
Sweeping

The good thing about “Ping Sweeping” is:

* You will be able to detect all the live hosts (if ICMP Echo requests are
allowed)
* You can run the ICMP scanning in parallel, which means you can scan so
many hosts at the same time. And this will be very helpful if you are
scanning an entire network

The bad thing about “Ping Sweeping” is:

* This technique is detectable; either by IDS or awaken administrators :),
because of the huge amount of ICMP Echo Requests against so many
machines at a small time range.
Would you like to know how to avoid that?
Search for “Nmap Timing Options” and enjoy reading :)

* If ICMP Echo Requests are blocked at the perimeter zone, then you are
stuck, because Ping Sweeping using ICMP won’t work then.
Note – In this case, we will use a TCP Ping Sweep to scan our target’s
network. What happens is that we send an ACK to the targets, and the live
ones should respond with a RST.
For example with Nmap, the command will be:
nmap –sP –PT 207.x.x.0/24
Or
nmap –sP –PT80 207.x.x.0/24 (where 80 here is a port number that is
allowable through the firewall, and it doesn’t mean that this port should be
opened on the scanned machines)

Now after we were able to see the live hosts on the target network, let’s see
which of these systems have open doors for our entry, and what services
might be running on these systems.

I will tell you the types of scans, and with each scan I will describe how it is
accomplished and what’s going on behind the scenes.

But before that, I would like to talk remind you about TCP connections.
We said before that all TCP connections are established using a 3 way
handshake SYN, SYN / ACK and finally ACK. And we said that TCP is a
Transport Protocol that is responsible for transferring data from one system
to another, and it divides the data into pieces and label them with sequence
numbers for proper order upon delivery.

“My Computer” sends a packet with Initial Sequence Number or ISN (Let’s
call it A) and the SYN flag is set to 1.
“My Target” will respond with a packet that has both the SYN and ACK flags
set to 1. The Acknowledgment will add 1 to the sequence it got from “My
Computer”, and will create another ISN special for responses (Let’s call it B).
“My Computer” will establish now the 3-Way handshake by sending an ACK,
using the ISN of “My Target and adding 1 to it.
From now on, whenever “My Computer” sends any packet to “My Target”, it
will be based on the ISN(A)+1. While whenever “My Target” send any packet
to “My Computer”, it will be based on the ISN(B)+1.

Now to the scan types :)

TCP Connect Scan (Plain Vanilla):

“TCP Connect Scan” or “Plain Vanilla” attempts to complete the whole 3-Way
handshake with each target host.
The attacker sends a SYN to the target, if the target’s port is open and it
responded with a SYN/ACK, then the attacker will send the last ACK and tear
down the connection using the RST.

As we said previously, that this scan can be detected easily, because it will
generate a huge amount of scan targeting all of the ports on our Target,
trying to detect what the opened ports are.

Let’s see what we can get from Nmap:

The command used is
nmap –sT 192.168.2.31

From “Wireshark”, we can see that the attacker is sending a SYN to different
random ports on our target (The yellow lines), and the target is responding
with RST if the port is closed (The red lines), while it responds with a
SYN/ACK if the port is opened (The green line)

TCP SYN Scan (Half Open):

TCP SYN scan is a little bit stealthier than the previous scan, because it uses
a different technique.

The attacker sends a SYN to the targets, if the target’s port is open and it
responded with a SYN/ACK, then the attacker will immediately tear down the
connection using the RST.

The good thing about TCP SYN scan is:

* It doesn’t establish a connection (as it sends an immediate RST before the
connection is established), therefore these scans are not logged
Note – Though the target itself doesn’t log these types of scans, the
perimeter devices has the ability to report such scans, so be aware of that
* Speed, because it sends fewer packets than the previous scan.
Let’s see what we can get from Nmap:
The command used is
nmap –sS 192.168.2.31
From “Wireshark”, we can see that the attacker is sending a SYN to different
random ports on our target (The yellow lines), and the target is responding
with RST if the port is closed (The red lines), while it responds with a
SYN/ACK if the port is opened (The green line).
Notice the Red line directly after the Green line; you will notice that the
attacker sends an immediate RST after the SYN/ACK of the target.

TCP FIN, XMAS, NULL Scans (Stealth):

I decided to gather these 3 scans together because they are really working
in the same manner; they break the rule of TCP connection establishment.
We have seen that the normal TCP connection establishment starts with a
SYN, and then goes further, whether you complete the connection
establishment (TCP Connect Scan) or terminate it (TCP SYN Scan).
But these 3 scans (FIN, XMAS, NULL), are acting totally in a different
manner; they send an unexpected packet at the start of the connection.
The FIN Scan starts with a FIN packet, the XMAS Scan starts with a packet
that has the Flags URG, ACK and PSH set to 1, while the NULL Scan starts
with a packet that has all the Flags set to 0.
But why are they doing that? The reason is to confuse the targets, because
each target expects a SYN packet for connection establishment. When the
target receives a FIN packet (which indicates a normal TCP Connection
termination), it will take it because it will think that it’s coming from a
previous established connection. While the other 2 (XMAS and NULL) are
violating the rules of flag settings, because the target is expecting a 1 flag
packet which indicates 1 thing. So when the target receives a packet with all
flags set, or all flags removed, then this is confusing.

Note – One important thing you have to know here, these scans are not
going to work if your target is a WINDOS based.
Remember in the last article, our homework was to read the RFC793. In this
RFC it is indicated that when a port is closed, then a RST is sent back. And
no response is sent when the port is open.
Unfortunately, Microsoft doesn’t follow this RFC :) and whenever they
receive any of these scans, the response is always RST. That’s why these
scans will not work against Windows based systems.

Let’s start with the TCP FIN Scan:

The command used is
nmap –sF 192.168.2.31
Notice that the result indicates Open|Filtered, do you know why?
The reason is that some Firewalls (such as Stateful Firewalls) can drop this
kind of packets without sending a response back (so the port might be open,
or it might be filtered by the firewall)

From “Wireshark”, we can see that the attacker is sending a FIN to different
random ports on our target (The White lines), and the target is responding
with RST if the port is closed (The red lines), while it sends no response if
the port is open or filtered (by Firewall).
Note – if you would like to see that the open|filtered ports didn’t respond,
just add a filter to your Wireshark such as tcp.port==22 (as in our case
here). This will show only the SSH packets, and you will see no responses
from the port (which indicates either open or filtered)

Now, let’s examine the XMAS Scan

The command used is
nmap –sX 192.168.2.31
Notice that result indicates open|filtered, I’m sure you know why :)

From “Wireshark”, we can see that the attacker is sending a packet with all
Flags set (FIN, PSH, URG) to different random ports on our target (The
White lines), and the target is responding with RST if the port is closed (The
red lines), while it sends no response if the port is open or filtered (by
Firewall).
Note – if you would like to see that the open|filtered ports didn’t respond,
just add a filter to your Wireshark such as tcp.port==22 (as in our case
here). This will show only the SSH packets, and you will see no responses
from the port (which indicates either open or filtered)

Now let’s examine the NULL Scan

The command used is
nmap –sN 192.168.2.31

From “Wireshark”, we can see that the attacker is sending a packet with no
Flags set (can you see the 2 empty brackets []) to different random ports on
our target (The White lines), and the target is responding with RST if the
port is closed (The red lines), while it sends no response if the port is open
or filtered (by Firewall).
Note – if you would like to see that the open|filtered ports didn’t respond,
just add a filter to your Wireshark such as tcp.port==22 (as in our case
here). This will show only the SSH packets, and you will see no responses
from the port (which indicates either open or filtered)

Now I'm tired and need a break :)

Don't worry, our talking about Nmap is not finished. But you have to wait till
Part 2 :)