NMAP TCP Scanning

Jarret W. Buse

When using NMAP, there are a few basic scans that are used to find specific information. Four of them are used most often, and each can be handy depending on what you need to discover about a system or a network.

Let's start by listing the basic scans. The four basic scans are:

  1. PING Scan (-sP, called -sn in current NMAP releases; -sP is still accepted)
  2. UDP Scan (-sU)
  3. TCP SYN Scan (-sS)
  4. TCP Connect Scan (-sT)

This article covers the last two scans: TCP SYN and TCP Connect Scans.

The TCP SYN scan is the default scan for NMAP when it is run with Root privileges. It performs only the start of the 3-way handshake. For an open Port, the TCP SYN scan performs the following:

  1. Source sends a SYN (sync) + Port number to Target
  2. Target responds with a SYN (sync)/ACK (acknowledgment) to the Source when the Port is open
  3. Source sends a RST (reset) to the Target instead of the final ACK, so the 3-way handshake is never completed

NOTE: Keep in mind that the TCP SYN scan requires Root privileges to run, because NMAP crafts and sends the SYN packets itself over a raw socket instead of asking the Operating System for a connection. The RST in step 3 is in fact sent by the Source's Operating System, which receives a SYN/ACK for a connection it never opened and resets it.

Because the 3-way handshake is never completed, this is called a half-open scan. The service listening on the Target Port never sees a connection, so application logs on the Target normally show nothing. The scan is not invisible, however: it generates a burst of SYN packets to many Ports in a short time, plus the resulting SYN/ACK and RST packets, and an Intrusion Detection System or a logging Firewall that watches for that pattern can detect it easily.
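To see what that detection looks like in practice, here is an added example (not from the original article) that runs a simple half-open scan detector over tcpdump-style lines. The capture is constructed for this example: 10.0.0.5 SYN-probes six Ports on 10.0.0.1 and answers every SYN/ACK with a RST, while 10.0.0.7 makes one normal connection to Port 80. The thresholds (five distinct Ports within five seconds, 80% of them half-open) are assumptions for the example, not values taken from NMAP or any particular IDS.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n style capture for this example (not a real trace).
# 10.0.0.5 half-open scans six ports on 10.0.0.1 from one source port,
# sending SYN and answering any SYN/ACK with RST; 10.0.0.7 makes one normal
# connection to port 80 and completes the handshake with an ACK.
SAMPLE_TCPDUMP = """\
12:00:01.000010 IP 10.0.0.5.43210 > 10.0.0.1.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000120 IP 10.0.0.1.22 > 10.0.0.5.43210: Flags [S.], seq 100, ack 2, win 64240, length 0
12:00:01.000130 IP 10.0.0.5.43210 > 10.0.0.1.22: Flags [R], seq 2, win 0, length 0
12:00:01.000210 IP 10.0.0.5.43210 > 10.0.0.1.23: Flags [S], seq 1, win 1024, length 0
12:00:01.000300 IP 10.0.0.1.23 > 10.0.0.5.43210: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000410 IP 10.0.0.5.43210 > 10.0.0.1.25: Flags [S], seq 1, win 1024, length 0
12:00:01.000500 IP 10.0.0.1.25 > 10.0.0.5.43210: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000610 IP 10.0.0.5.43210 > 10.0.0.1.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000700 IP 10.0.0.1.80 > 10.0.0.5.43210: Flags [S.], seq 200, ack 2, win 64240, length 0
12:00:01.000710 IP 10.0.0.5.43210 > 10.0.0.1.80: Flags [R], seq 2, win 0, length 0
12:00:01.000810 IP 10.0.0.5.43210 > 10.0.0.1.139: Flags [S], seq 1, win 1024, length 0
12:00:01.000900 IP 10.0.0.1.139 > 10.0.0.5.43210: Flags [S.], seq 300, ack 2, win 64240, length 0
12:00:01.000910 IP 10.0.0.5.43210 > 10.0.0.1.139: Flags [R], seq 2, win 0, length 0
12:00:01.001010 IP 10.0.0.5.43210 > 10.0.0.1.445: Flags [S], seq 1, win 1024, length 0
12:00:01.001100 IP 10.0.0.1.445 > 10.0.0.5.43210: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.500000 IP 10.0.0.7.51000 > 10.0.0.1.80: Flags [S], seq 5, win 65535, length 0
12:00:02.500100 IP 10.0.0.1.80 > 10.0.0.7.51000: Flags [S.], seq 400, ack 6, win 64240, length 0
12:00:02.500200 IP 10.0.0.7.51000 > 10.0.0.1.80: Flags [.], ack 401, win 65535, length 0
12:00:02.500300 IP 10.0.0.7.51000 > 10.0.0.1.80: Flags [P.], seq 6:80, ack 401, win 65535, length 74
"""

LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or None for lines that are not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, flags = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags}


def detect_syn_scans(text, window=5.0, min_ports=5, half_open_ratio=0.8):
    """Return {source_ip: [ports]} for sources that SYN-probed at least
    `min_ports` distinct dst:port pairs within `window` seconds and left at
    least `half_open_ratio` of them half-open (never sent a handshake ACK)."""
    pkts = [p for p in (parse_line(l) for l in text.splitlines()) if p]

    # Group packets by the sender's 4-tuple; only the scanner's side matters.
    flows = defaultdict(list)
    for p in pkts:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)

    probes = defaultdict(list)  # src -> [(time, dst, dport, half_open)]
    for (src, _sport, dst, dport), fl in flows.items():
        syns = [p for p in fl if p["flags"] == "S"]
        if not syns:
            continue
        # A half-open probe: the source only ever sent SYN and RST on the flow.
        half_open = all(p["flags"] in ("S", "R") for p in fl)
        probes[src].append((syns[0]["t"], dst, dport, half_open))

    alerts = {}
    for src, plist in probes.items():
        plist.sort()
        lo, flagged = 0, set()
        for hi in range(len(plist)):       # sliding time window over the probes
            while plist[hi][0] - plist[lo][0] > window:
                lo += 1
            span = plist[lo:hi + 1]
            if len({(d, p) for _, d, p, _ in span}) < min_ports:
                continue
            if sum(1 for x in span if x[3]) / len(span) >= half_open_ratio:
                flagged.update(x[2] for x in span)
        if flagged:
            alerts[src] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_syn_scans(SAMPLE_TCPDUMP).items():
        print(f"possible SYN scan from {src}: ports {ports}")
```

The signature the detector keys on is the one the text describes: many SYNs from one source to many Ports, with no handshake ever completed. A scanner that slows down (NMAP's -T0 or -T1 timing templates) can spread probes beyond any fixed window, so real IDS rules combine a threshold like this with longer-term per-source counters.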

Since a RST (reset) is sent to the Target rather than the final ACK, no connection is made. The resources used on the Target system are minimal, because the Target only has to answer a single packet per Port and never sets up a connection.

If the Port is closed on the Target system, then the following occurs:

  1. Source sends a SYN (sync) + Port number to Target
  2. Target responds with a RST (reset) to the Source system

Another possibility is that the Port is filtered by a Firewall between the Source and Target. When the Firewall silently drops the probe, the exchange is:

  1. Source sends a SYN (sync) + Port number to Target
  2. Source receives no response from the Target

NMAP retransmits the SYN a few times before giving up and reporting the Port as filtered. A Firewall that rejects rather than drops the probe answers with an ICMP Destination Unreachable error (type 3, code 1, 2, 3, 9, 10 or 13), which NMAP also reports as filtered.

When dealing with a Target on the other side of a Firewall that drops packets, the scan takes noticeably longer than when the Target is not Firewalled, because NMAP must wait out a timeout and retransmit for every filtered Port.

NOTE: Be aware that the Target has already been found to be online during Host Discovery. No response to the SYN means that a Firewall dropped the probe, or the Target's reply, somewhere along the path; it does not mean the Target is down.
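The three outcomes above (open, closed and filtered) as an added example that is not part of the original article: a small Python simulation with the scanner on one side and a Target behind a Firewall on the other, so each exchange can be inspected. SimulatedTarget, the Port numbers and the retry count are constructed for the example. It goes slightly beyond the text in also modelling a Firewall that rejects with an ICMP error, which NMAP likewise reports as filtered; no real packets are sent.

```python
from dataclasses import dataclass

# ICMP Destination Unreachable (type 3) codes that NMAP reports as "filtered".
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Tcp:
    sport: int
    dport: int
    flags: str  # "S", "SA", "R" or "RA"


@dataclass
class Icmp:
    type: int
    code: int


class SimulatedTarget:
    """Constructed stand-in for a host with a stateless firewall in front of it.
    open_ports answer SYN/ACK, dropped_ports are silently discarded by the
    firewall, rejected_ports get an ICMP admin-prohibited error, everything
    else is closed and answers RST/ACK. `log` is every packet that arrived."""

    def __init__(self, open_ports, dropped_ports=(), rejected_ports=()):
        self.open_ports = set(open_ports)
        self.dropped = set(dropped_ports)
        self.rejected = set(rejected_ports)
        self.log = []

    def receive(self, pkt):
        self.log.append(pkt)
        if not (isinstance(pkt, Tcp) and pkt.flags == "S"):
            return None  # a RST from the scanner gets no reply
        if pkt.dport in self.dropped:
            return None  # firewall DROP: the probe vanishes
        if pkt.dport in self.rejected:
            return Icmp(3, 13)  # firewall REJECT: administratively prohibited
        if pkt.dport in self.open_ports:
            return Tcp(pkt.dport, pkt.sport, "SA")
        return Tcp(pkt.dport, pkt.sport, "RA")


def syn_scan_port(target, port, sport=43210, max_retries=2):
    """Probe one port the way a SYN scan does and return its state."""
    for _attempt in range(max_retries + 1):
        reply = target.receive(Tcp(sport, port, "S"))
        if isinstance(reply, Tcp) and reply.flags == "SA":
            # Half-open: answer the SYN/ACK with RST, never with the final ACK.
            # (On a real scanner the kernel sends this RST, not NMAP.)
            target.receive(Tcp(sport, port, "R"))
            return "open"
        if isinstance(reply, Tcp) and "R" in reply.flags:
            return "closed"
        if isinstance(reply, Icmp) and reply.type == 3 and reply.code in FILTERED_ICMP_CODES:
            return "filtered"
        # No reply: retransmit; NMAP tries a few times before giving up.
    return "filtered"


def syn_scan(target, ports):
    return {p: syn_scan_port(target, p) for p in ports}


if __name__ == "__main__":
    t = SimulatedTarget(open_ports={22, 139}, dropped_ports={3389}, rejected_ports={135})
    for port, state in syn_scan(t, [22, 23, 135, 139, 3389]).items():
        print(f"{port}/tcp {state}")
```

The Target's `log` is worth reading after a run: the dropped Port was probed three times, which is where the extra scan time against a dropping Firewall comes from, while the open Port shows exactly the SYN-then-RST pair that a half-open scan leaves behind.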

As shown in Figure 1, the output of a TCP SYN scan shows available Ports, NetBIOS name, IP Address and MAC Address of the Targets (except the local system).


FIGURE 1

Figure 1 also shows the command to run the TCP SYN scan: “sudo nmap -sS <IP Address>”.

Looking at Figure 2, you can see that NMAP first performs an Address Resolution Protocol (ARP) scan to discover which Targets on the local subnet are online. Line 11 shows that one Target, the Dell system at 10.0.0.1, responded to the ARP request. In Figure 3, on Line 538, the Source system sent a SYN to the NetBIOS-SSN Port (139). Line 539 shows the Target (10.0.0.1) answering with SYN/ACK, which tells NMAP the Port is open. Lines 550 and 551 show the same exchange occurring a second time, which confirms the finding.


FIGURE 2


FIGURE 3

If you do not have Root privileges, then the next best scan is the TCP Connect() scan. NMAP falls back to it automatically when it is run without the privileges needed to send raw packets.

The TCP Connect() scan makes an actual connection to the Target system. When a Port is open, the full 3-way handshake is performed:

  1. Source sends a SYN (sync) + Port number to the Target
  2. Target responds with a SYN (sync)/ACK (acknowledgment) to the Source when the Port is open
  3. Source sends an ACK (acknowledgement) to the Target, completing the handshake; NMAP then closes the connection and the Source sends a RST (reset) to tear it down

A full connection, not a half-open one, is made between the Source and Target systems. NMAP asks the Operating System for the connection through the ordinary connect() system call, the same call any network program uses, so it is the Operating System and not NMAP that performs the 3-way handshake, which is why Root privileges are not needed. The trade-off is that the connection reaches the service listening on the Target, which may log it as a connection that was opened and immediately closed, and the extra packets make the scan slower and noisier than a SYN scan.

If the Port is closed then the process is:

  1. Source sends a SYN (sync) + Port number to the Target
  2. Target responds with a RST (reset) to the Source when the Port is closed

The TCP Connect() scan is performed by the command “nmap -sT <IP Address>”.
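Because the Operating System does the work, the connect() scan can be reproduced with nothing but Python's standard socket library. The following is an added example, not the article's or NMAP's own code: it starts a throwaway listener on 127.0.0.1 to play the open Port, picks a free ephemeral Port to play the closed Port, and classifies both the way -sT does. The listener records every accepted connection to show that, unlike a SYN scan, the service on the Target sees the scan. The one-second timeout and the Port choices are assumptions for the example.

```python
import errno
import socket
import threading
import time


def classify_connect(host, port, timeout=1.0):
    """Classify one port the way a connect() scan does: the OS runs the full
    3-way handshake. open = handshake completed, closed = refused (RST),
    filtered = no answer or unreachable before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()  # tears the connection down; the service already saw it


def connect_scan(host, ports, timeout=1.0):
    return {p: classify_connect(host, p, timeout) for p in ports}


def start_listener():
    """Throwaway service on 127.0.0.1 standing in for a real daemon.
    Returns (port, seen, stop): `seen` collects every accepted peer, which is
    exactly what a real service would write to its log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    seen, stop = [], threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            seen.append(peer)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen, stop


def find_closed_port():
    """Grab an ephemeral port and release it so nothing is listening there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one open and one closed local port; returns (results, open_port,
    closed_port, connections_seen_by_service)."""
    open_port, seen, stop = start_listener()
    closed_port = find_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        deadline = time.time() + 2.0
        while not seen and time.time() < deadline:  # accept() runs on another thread
            time.sleep(0.01)
    finally:
        stop.set()
    return results, open_port, closed_port, len(seen)


if __name__ == "__main__":
    results, op, cp, n = demo()
    print(f"{op}/tcp {results[op]}, {cp}/tcp {results[cp]}, service logged {n} connection(s)")
```

The filtered branch cannot be exercised on the loopback interface, where nothing drops packets; against a Firewalled host it is the timeout (or an unreachable error) that produces it, and the same long wait per Port that the SYN scan suffers.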

Looking at Figure 4, you can see the output of the TCP Connect() Scan performed on the same subnet as the TCP SYN Scan performed above.


FIGURE 4

The Target System is found, but no open Ports are detected. When that happens, the “-Pn” option can be added to the command. The “-Pn” option skips the Host Discovery phase and treats every address as online, so the Port scan runs against each Target whether or not it answered a discovery probe. This matters for an unprivileged scan: without Root privileges NMAP cannot send ARP or ICMP probes, so its Host Discovery falls back to connect() attempts on Ports 80 and 443, and a host that does not answer on those Ports can be skipped. The option is especially helpful when only a few systems are being scanned, since every address is then Port scanned in full. The new results are shown in Figure 5.


FIGURE 5

Now, with the “-Pn” option added, you can see that the open Ports have been detected just as in the TCP SYN scan. The same results were found without needing Root privileges.

Try these scans out on a local subnet that you own or are authorized to test. Scanning an Internet system is at your own risk, since many website Admins frown on having their systems scanned and some treat a Port scan as hostile activity.
 
