HakTip 97 – NMap 101: Advanced Scanning Techniques
Shannon Morse shows off several advanced scanning techniques you can use while working within NMap.
We already know there are numerous ways to scan a target in NMap, from the discovery options we learned last week to the default scanning we’ve used since the beginning. There are other options I wanted to cover for user selectable scan types, instead of a basic TCP scan like NMap usually does. These advanced options are good to know if you’re scanning an uncommon target or you need to use a specific service. Similar to last week, sudo is required for a lot of these options.
The first option we have is -sS. This performs a TCP SYN scan. This option will send a SYN packet (short for synchronize) to the target and wait for a response. Some servers won’t be able to detect a SYN probe, but don’t count on it. This command looks like: nmap -sS 10.73.31.145. If required, use sudo to gain root privileges.
Next is the -sT option, to perform a TCP connect scan. This is the default for non-root users (so you’re probably already running this kind of scan). It will attempt to connect to the target without any stealthy modes. To do this one, type: nmap -sT 10.73.31.145. You’ll notice when running this that our first option, -sS for SYN packets, is sometimes much faster.
Another option is -sU, for scanning with UDP (User Datagram Protocol). Type: sudo nmap -sU 10.73.31.145 for this one.
Then there is the TCP NULL scan, with the -sN option. TCP NULL is used to trick a target into thinking nothing is probing it over TCP, so that it still generates a response. Before we take a break, the last option I wanted to share is the -sF option, for a TCP FIN scan. This is used to solicit a TCP ACK (for acknowledge) packet from a target. It can also be used on a target protected by a firewall.
Let’s take a quick break, but we’ll be right back.
We’re back with some more advanced scanning options, and we have just a few more to share. First off is the -sX option, which looks like this: sudo nmap -sX 10.73.31.145. It’ll “light up the packet like a Christmas tree”, hence the name. Nmap sends packets with the URG (urgent), FIN (closes a connection), and PSH (push) flags set. Next we have a fun one called --scanflags. This will let you run a custom scan with your own choice of flags. You can use SYN, ACK, PSH, URG, RST (for reset), and FIN. It would look like this: nmap --scanflags ACKPSH 10.73.31.145.
TCP ACK scans are simply used by adding -sA to your command (and this is useful to find out if the target is protected by a firewall). If you see a line in your output that says [number] filtered ports, chances are those ports are protected by a firewall.
Unsure which scan to use? Start with an IP Protocol scan, to show you what protocols are available on the target. Type nmap -sO 10.73.31.145 and your target will show the protocol, state, and service it’s running. Remember that handy table we linked to last week that shows all the popular protocols and their most common associated numbers.
There is a way to send raw ethernet packets too, if you’re interested. These are sent with nmap --send-eth 10.73.31.145, though this is normally implied. Lastly, you can also send raw IP packets with nmap --send-ip 10.73.31.145, which is also chosen automatically, so it’s rare you’d actually have to write it out.
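Two things from this episode are easy to get wrong in practice: which of these scan types need sudo (everything that crafts its own packets, i.e. all of them except -sT), and how to read the "filtered ports" line that hints at a firewall. The script below is an added example, not from the show; it builds the right command line for each scan type covered above and parses a constructed sample of Nmap's normal output (the target IP and port list are made up).

```shell
#!/bin/sh
# Added example (not from the episode). Maps the scan types discussed to
# their privilege requirement and summarizes Nmap normal output.

# The scan types covered in this episode. Only -sT uses the OS connect()
# call; every other one sends raw packets and therefore needs root/sudo.
known_scan() {
    case "${1%% *}" in
        -sT|-sS|-sU|-sN|-sF|-sX|-sA|-sO|--scanflags) return 0 ;;
        *) return 1 ;;
    esac
}
needs_root() { [ "${1%% *}" != "-sT" ]; }

# Print the nmap command line, prefixing sudo only when the scan needs it.
# $1 is the scan option (e.g. "-sA" or "--scanflags ACKPSH"), $2 the target.
build_cmd() {
    known_scan "$1" || { echo "unknown scan type: $1" >&2; return 1; }
    if needs_root "$1"; then printf 'sudo nmap %s %s\n' "$1" "$2"
    else printf 'nmap %s %s\n' "$1" "$2"; fi
}

# Read Nmap normal output on stdin; print the filtered-port count from the
# "Not shown:" line and the list of open ports. A large filtered count is the
# firewall hint mentioned for -sA scans.
summarize() {
    awk '
        /^Not shown:/ && /filtered/ { filtered = $3 }
        $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            open = open (open == "" ? "" : ",") $1
        }
        END { printf "filtered=%d open=%s\n", filtered + 0, open }
    '
}

# Constructed sample output (not a real capture) in Nmap's normal format.
SAMPLE_OUTPUT=$(cat <<'EOF'
Nmap scan report for 10.73.31.145
Host is up (0.0010s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
8080/tcp open   http-proxy
EOF
)

build_cmd -sA 10.73.31.145                      # sudo nmap -sA 10.73.31.145
build_cmd -sT 10.73.31.145                      # nmap -sT 10.73.31.145
printf '%s\n' "$SAMPLE_OUTPUT" | summarize      # filtered=996 open=22/tcp,80/tcp,8080/tcp
```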
What would you like to see next about NMAP? Send me a comment below or email us at [email protected] If you like NMap, perhaps you’ll enjoy our new show, Metasploit Minute with Mubix, airing every Monday at hak5.wpengine.com. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.