NMAP Scanning Options - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

NMAP Scanning Options

Description:

NMAP Scanning Options NMAP Nmap is the most popular scanning tool used on the Internet. Cretead by Fyodar (http://www.insecure.org) , it was featured in the Matrix ... – PowerPoint PPT presentation

Number of Views:282
Avg rating:3.0/5.0
Slides: 22
Provided by: Haja1
Category:
Tags: nmap | options | scanning | this | xmas

less

Transcript and Presenter's Notes

Title: NMAP Scanning Options


1
NMAP Scanning Options
2
NMAP
  • Nmap is the most popular scanning tool used on
    the Internet.
  • Cretead by Fyodar (http//www.insecure.org) , it
    was featured in the Matrix Reloaded movie.

3
SYN Scanning
  • Syn scanning, a technique that is widely across
    the Internet today.
  • The syn scan, also called the "half open" scan,
    is the ability to determine
    a ports state without making a full connection to
    the host.
  • Many systems do not log the attempt, and discard
    it as a communications error.
  • You must first learn 3-way handshake to
    understand the Syn scan.

4
TCP Communication Flags
  • Standard TCP communications are controlled by
    flags in the TCP packet header.
  • The flags are as follows
  • Synchronize - also called "SYN
  • Used to initiate a connection between hosts.
  • Acknowledgement - also called "ACK
  • Used in establishing a connection between hosts
  • Push - "PSH
  • Instructs receiving system to send all buffered
    data immediately
  • Urgent - "URG
  • States that the data contained in the packet
    should be processed immediately
  • Finish - also called "FIN"
  • Tells remote system that there will be no more
    transmissions
  • Reset - also called "RST
  • Also used to reset a connection.

5
Three Way Handshake
  • Computer A Computer B
  • 192.168.1.22342 ------------syn-----------gt192.16
    8.1.380
  • 192.168.1.22342 lt---------syn/ack----------192.16
    8.1.380
  • 192.168.1.22342-------------ack-----------gt192.16
    8.1.380
  • Connection Established
  • The Computer A ( 192.168.1.2 ) initiates a
    connection to the server ( 192.168.1.3 ) via a
    packet with only the SYN flag set.
  • The server replies with a packet with both the
    SYN and the ACK flag set.
  • For the final step, the client responds back the
    server with a single ACK packet.
  • If these three steps are completed without
    complication, then a TCP connection has been
    established between the client and server.

6
Stealth Scan
  • Computer A Computer B
  • 192.168.1.22342 ------------syn-----------gt192.16
    8.1.380
  • 192.168.1.22342 lt---------syn/ack----------192.16
    8.1.380
  • 192.168.1.22342-------------RST-----------gt192.16
    8.1.380
  • Client sends a single SYN packet to the server on
    the appropriate port.
  • If the port is open then the server responds with
    a SYN/ACK packet.
  • If the server responds with an RST packet, then
    the remote port is in state "closed
  • The client sends RST packet to close the
    initiation before a connection can ever be
    established.
  • This scan also known as half-open scan.

7
Xmas Scan
  • Computer A Computer B
  • Xmas scan directed at open port
  • 192.5.5.924031 -----------FIN/URG/PSH-----------gt
    192.5.5.11023
  • 192.5.5.924031 lt----------NO RESPONSE------------
    192.5.5.11023
  • Xmas scan directed at closed port
  • 192.5.5.924031 -----------FIN/URG/PSH-----------gt
    192.5.5.11023
  • 192.5.5.924031lt-------------RST/ACK--------------
    192.5.5.11023
  • Note XMAS scan only works OS system's TCP/IP
    implementation is developed according to RFC 793
  • Xmas Scan will not work against any current
    version of Microsoft Windows.
  • Xmas scans directed at any Microsoft system will
    show all ports on the host as being closed.

8
FIN Scan
  • Computer A Computer B
  • FIN scan directed at open port
  • 192.5.5.924031 -----------FIN-------------------gt
    192.5.5.11023
  • 192.5.5.924031 lt----------NO RESPONSE------------
    192.5.5.11023
  • FIN scan directed at closed port
  • 192.5.5.924031 -------------FIN------------------
    192.5.5.11023
  • 192.5.5.924031lt-------------RST/ACK--------------
    192.5.5.11023
  • Note FIN scan only works OS system's TCP/IP
    implementation is developed according to RFC 793
  • FIN Scan will not work against any current
    version of Microsoft Windows.
  • FIN scans directed at any Microsoft system will
    show all ports on the host as being closed.

9
NULL Scan
  • Computer A Computer B
  • NULL scan directed at open port
  • 192.5.5.924031 -----------NO FLAGS
    SET----------gt192.5.5.11023
  • 192.5.5.924031 lt----------NO RESPONSE------------
    192.5.5.11023
  • NULL scan directed at closed port
  • 192.5.5.924031 -------------NO FLAGS
    SET---------192.5.5.11023
  • 192.5.5.924031lt-------------RST/ACK--------------
    192.5.5.11023
  • Note NULL scan only works OS system's TCP/IP
    implementation is developed according to RFC 793
  • NULL Scan will not work against any current
    version of Microsoft Windows.
  • NULL scans directed at any Microsoft system will
    show all ports on the host as being closed.

10
IDLE Scan
  • Almost four years ago, security researcher
    Antirez posted an innovative new TCP port
    scanning technique.
  • Idlescan, as it has become known, allows for
    completely blind port scanning.
  • Attackers can actually scan a target without
    sending a single packet to the target from their
    own IP address.

11
IDLE Scan Basics
  • Most network servers listen on TCP ports, such as
    web servers on port 80 and mail servers on port
    25.
  • A port is considered "open" if an application is
    listening on the port, otherwise it is closed.
  • One way to determine whether a port is open is to
    send a "SYN" (session establishment) packet to
    the port.
  • The target machine will send back a "SYNACK"
    (session request acknowledgment) packet if the
    port is open, and a "RST" (Reset) packet if the
    port is closed.
  • A machine which receives an unsolicited SYNACK
    packet will respond with a RST. An unsolicited
    RST will be ignored.
  • Every IP packet on the Internet has a "fragment
    identification" number.
  • Many operating systems simply increment this
    number for every packet they send.
  • So probing for this number can tell an attacker
    how many packets have been sent since the last
    probe.

12
IDLE Scan Step 1
  • Choose a "zombie" and proble for its current IPID
    number

13
IDLE Scan Step 2
  • Send forged packet "from" Zombie to target.

14
IDLE Scan Step 3
  • Probe Zombie IPID again

15
Fragmentation scanning
  • Instead of just sending the probe packet, you
    break it into a couple of small IP fragments.
  • You are splitting up the TCP header over several
    packets to make it harder for packet filters and
    so forth to detect what you are doing.
  • The -f switch instructs the specified SYN or FIN
    scan to use tiny fragmented packets.

16
ICMP echo scanning
  • This isn't really port scanning, since ICMP
    doesn't have a port abstraction.
  • But it is sometimes useful to determine what
    hosts in a network are up by pinging them all.
  • nmap -P cert.org/24 152.148.0.0/16

17
Scan Options
  • -sT (TcpConnect)
  • -sS (SYN scan)
  • -sF (Fin Scan)
  • -sX (Xmas Scan)
  • -sN (Null Scan)
  • -sP (Ping Scan)
  • -sU (UDP scans)
  • -sO (Protocol Scan)
  • -sI (Idle Scan)
  • -sA (Ack Scan)
  • -sW (Window Scan)
  • -sR (RPC scan)
  • -sL (List/Dns Scan)

18
Ping Detection
  • -P0 (dont ping)
  • -PT (TCP ping)
  • -PS (SYN ping)
  • -PI (ICMP ping)
  • -PB ( PT PI)
  • -PP (ICMP timestamp)
  • -PM (ICMP netmask)

19
Output Format
  • -oN(ormal)
  • -oX(ml)
  • -oG(repable)
  • -oA(ll)

20
Timing
  • -T Paranoid serial scan 300 sec wait
  • -T Sneaky - serialize scans 15 sec wait
  • -T Polite - serialize scans 0.4 sec wait
  • -T Normal parallel scan
  • -T Aggressive- parallel scan 300 sec timeout
    1.25 sec/probe
  • -T Insane - parallel scan 75 sec timeout 0.3
    sec/probe
  • --host_timeout --max_rtt_timeout (default -
    9000)
  • --min_rtt_timeout --initial_rtt_timeout (default
    6000)
  • --max_parallelism --scan_delay (between probes)

21
  • --resume (scan) --append_output
  • -iL lttargets_filenamegt -p ltport rangesgt
  • -F (Fast scan mode) -D ltdecoy1 ,decoy2,ME,gt
  • -S ltSRC_IP_Addressgt -e ltinterfacegt
  • -g ltportnumbergt --data_length ltnumbergt
  • --randomize_hosts -O (OS fingerprinting) -I
    (dent-scan)
  • -f (fragmentation) -v (verbose) -h (help)
  • -n (no reverse lookup) -R (do reverse lookup)
  • -r (dont randomize port scan) -b ltftp relay hostgt
    (FTP bounce)
Write a Comment
User Comments (0)
About PowerShow.com