Metasploit Penetration Testing Cookbook

Port scanning - the Nmap way

Port scanning is an active information gathering technique in which we will now start dealing with our target directly. Port scanning is an interesting process of information gathering. It involves a deeper search of the target machine. Nmap is the most powerful and preferred scanner for security professionals. The usage of Nmap varies from novice to an advanced level. We will analyze the various scan techniques in detail.

Getting ready

Starting nmap from Metasploit is easy. Launch the msf console and type in nmap to display the list of scan options that Nmap provides.

msf > nmap

How to do it...

We will analyze four different types of Nmap scans which can be very helpful during penetration testing. Nmap provides many different modes for scanning the target machine. Here, we will focus on four scan types, namely the TCP connect scan, SYN stealth scan, UDP scan, and ACK scan. The different scan options of Nmap can also be combined in a single scan in order to perform a more advanced and sophisticated scan of the target. Let us move ahead and start the scanning process.

TCP connect [-sT] scan is the most basic and default scan type in Nmap. It follows the three-way handshake process to detect the open ports on the target machine. Let us perform this scan on our target.

msf > nmap -sT -p1-10000 192.168.56.102
[*] exec: nmap -sT -p1-10000 192.168.56.102

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:03 IST
Nmap scan report for 192.168.56.102
Host is up (0.0058s latency).
Not shown: 9997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems

As we can see, we have passed the -sT parameter, which denotes that we want to perform a TCP connect scan. The -p parameter gives the range of port numbers that we want to scan. The TCP connect scan is based on a full three-way handshake, hence its results are considered accurate.

SYN scan [-sS] is considered a stealth scanning technique, as it never forms a complete connection between the target and the scanner. Hence, it is also called half-open scanning. Let us analyze a SYN scan on the target.

msf > nmap -sS 192.168.56.102
[*] exec: nmap -sS 192.168.56.102

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:17 IST
Nmap scan report for 192.168.56.102
Host is up (0.0019s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems

The -sS parameter instructs Nmap to perform a SYN scan on the target machine. The outputs of the TCP connect and SYN scans are similar in most cases; the difference lies in the fact that SYN scans are harder for firewalls and Intrusion Detection Systems (IDS) to detect. However, modern firewalls are capable of catching SYN scans as well.

UDP scan [-sU] is the scanning technique used to identify open UDP ports on the target. 0-byte UDP packets are sent to the target machine; receipt of an ICMP port unreachable message shows that the port is closed, otherwise it is considered open. It can be used in the following manner:

msf > nmap -sU -p9001 192.168.56.102

The preceding command checks whether UDP port 9001 on 192.168.56.102 is open or not. Similarly, we can perform a UDP scan on a complete range of ports by modifying the -p operator.

ACK scan [-sA] is a special scan type which reveals which ports are filtered or unfiltered by a firewall. It operates by sending TCP ACK frames to a remote port. If there is no response, then the port is considered to be filtered. If the target returns an RST packet (connection reset), then the port is considered to be unfiltered.

msf > nmap -sA 192.168.56.102
[*] exec: nmap -sA 192.168.56.102

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 00:19 IST
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).
Not shown: 999 filtered ports
PORT     STATE      SERVICE
9001/tcp unfiltered tor-orport
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)

The preceding output shows the result of an ACK scan performed on the target. It shows that all the ports on the target are filtered, except port number 9001, which is unfiltered. This helps us find the weak points of our target, as attacking an unfiltered port has a better chance of successfully exploiting the target.

How it works...

Generally, penetration testers don't stress too much on the scanning process, but a good scan can provide lots of useful results. Since the information collected here forms the basis of the penetration test, a proper knowledge of scan types is highly recommended. Let us now take a deeper look into each of the scan techniques we just learnt.

The TCP connect scan is the most basic scanning technique, in which a full connection is established with the port under test. It uses the operating system's network functions to establish connections. The scanner sends a SYN packet to the target machine. If the port is open, the target replies with a SYN/ACK message. The scanner then sends an ACK packet back to the target, completing the connection. This is called the three-way handshake process. The connection is terminated as soon as it is opened. This technique has its benefits, but it is easily traceable by firewalls and IDS.

A SYN scan is another type of TCP scan, but it never forms a complete connection with the target. It doesn't use the operating system's network functions; instead, it generates raw IP packets and monitors the responses. If the port is open, then the target responds with a SYN/ACK message. The scanner then sends an RST (reset connection) message and ends the connection. Hence, it is also called half-open scanning. This is considered a stealth scanning technique as it can avoid raising a flag in some misconfigured firewalls and IDS.

UDP scanning is a connectionless scanning technique, hence no notification is sent back to the scanner about whether the packet has been received by the target or not. If the port is closed, then an ICMP port unreachable message is sent back to the scanner. If no message is received, then the port is reported as open. This method can return false results: a firewall can block the data packets so that no response message is generated, and the scanner will then report the port as open.

An ACK scan has the sole purpose of identifying filtered and unfiltered ports. It is a unique and handy scanning technique which can be helpful in finding weak points in the target system, as unfiltered ports can be easy targets. But a major disadvantage of an ACK scan is that, since it never connects with the target, it cannot identify open ports. The output of an ACK scan only lists whether each port is filtered or unfiltered. Combining an ACK scan with other scan types can make for a very stealthy scanning process.
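The handshake differences explained above for the connect and SYN scans (full SYN, SYN/ACK, ACK versus SYN, SYN/ACK, RST) are exactly what a firewall or IDS uses to catch a SYN scan, as the recipe notes. The following is an added example, not code from the book: it groups packets from a constructed sensor log into flows keyed by the server port and flags a source that repeatedly aborts the handshake with RST after receiving SYN/ACK. The log format, the IP addresses and the port threshold are assumptions.

```python
from collections import defaultdict

# Constructed sensor log (not from the book): "src dst server_port tcp_flags", one
# packet per line. 10.0.0.5 half-open scans 135/139/445 (open) and 80 (closed);
# 10.0.0.9 is an ordinary client completing one handshake.
SAMPLE_LOG = """\
10.0.0.5 192.168.56.102 135 S
192.168.56.102 10.0.0.5 135 SA
10.0.0.5 192.168.56.102 135 R
10.0.0.5 192.168.56.102 139 S
192.168.56.102 10.0.0.5 139 SA
10.0.0.5 192.168.56.102 139 R
10.0.0.5 192.168.56.102 445 S
192.168.56.102 10.0.0.5 445 SA
10.0.0.5 192.168.56.102 445 R
10.0.0.5 192.168.56.102 80 S
192.168.56.102 10.0.0.5 80 RA
10.0.0.9 192.168.56.102 445 S
192.168.56.102 10.0.0.9 445 SA
10.0.0.9 192.168.56.102 445 A
10.0.0.9 192.168.56.102 445 FA
""".splitlines()

def handshake_events(log):
    """Group packets into (client, server, port) flows; whoever sent the SYN is the client."""
    flows = defaultdict(set)
    for line in log:
        src, dst, port, flags = line.split()
        fwd, rev = (src, dst, int(port)), (dst, src, int(port))
        if flags == "S":
            flows[fwd].add("syn")
        elif flags == "SA":
            flows[rev].add("synack")      # server answering the client's SYN
        elif fwd in flows and flags.startswith("R"):
            flows[fwd].add("rst")         # client aborts after SYN/ACK: half-open
        elif fwd in flows and "A" in flags:
            flows[fwd].add("ack")         # third step of the handshake: full connect
    return flows

def detect_scanners(log, threshold=3):
    """Flag each source as 'syn-scan', 'connect-scan' or 'normal' once >= threshold ports show the pattern."""
    per_src = defaultdict(lambda: {"half-open": set(), "full-connect": set()})
    for (client, _server, port), ev in handshake_events(log).items():
        if "synack" in ev and "ack" in ev:
            per_src[client]["full-connect"].add(port)
        elif "synack" in ev and "rst" in ev:
            per_src[client]["half-open"].add(port)
    return {c: "syn-scan" if len(k["half-open"]) >= threshold
            else "connect-scan" if len(k["full-connect"]) >= threshold else "normal"
            for c, k in per_src.items()}
```

Only flows that received a SYN/ACK count, so probes of closed or filtered ports (such as port 80 above) never raise the score, which keeps the detector from firing on a host that merely mistypes a port.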

There's more...

Let us cover more about Nmap scans and see how we can combine different scan types into one.

Operating system and version detection

There are some advanced options provided by Nmap, apart from port scanning. These options can help us gain more information about our target. One of the most widely used options is operating system identification [-O]. This can help us identify the operating system running on the target machine. The output of an operating system detection scan is shown as follows:

msf > nmap -O 192.168.56.102
[*] exec: nmap -O 192.168.56.102

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 02:25 IST
Nmap scan report for 192.168.56.102
Host is up (0.0014s latency).
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003

As we can see, Nmap has successfully detected the operating system of the target machine. This can ease our task of finding the right exploits according to the operating system of the target.

The other widely used Nmap option is version detection [-sV] of the different open ports on the target. It can be mixed with any of the scan types that we saw previously to add information about which versions of the services are running on the open ports of the target.

msf > nmap -sT -sV 192.168.56.102
[*] exec: nmap -sV 192.168.56.102

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-19 02:27 IST
Nmap scan report for 192.168.56.102
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP
MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
Service Info: OS: Windows

As we can see, an extra VERSION column has been added to our scan output, which reports the different versions of the services running on the target machine.

Increasing anonymity

It is essential to perform scans in an anonymous manner. The firewall and IDS logs can reveal your IP address if you perform a scan without using security measures. Nmap provides one such feature, called decoy [-D].

The decoy option does not prevent your IP address from being recorded in the log files of firewalls and IDS, but it does make the scan look scary. It adds extra entries to the log files, thus creating the impression that several other attackers are scanning the machine simultaneously. So, if you add two decoy IP addresses, the log file will show that the request packets were sent from three different IP addresses: one will be yours and the other two will be the fake addresses added by you.

msf > nmap -sS 192.168.56.102 -D 192.134.24.34,192.144.56.21 

The preceding scan example shows the use of the decoy parameter. The IP addresses after the -D operator are the fake IP addresses, which will also appear in the network log files of the target machine along with the original IP address. This process can confuse the network administrators and create the suspicion in their minds that all three IP addresses are fake or spoofed. But adding too many decoy addresses can affect the scan results, hence one should use only a limited number of decoy addresses.