Presentation on theme: "NMAP Scanning Options. EC-Council NMAP Nmap is the most popular scanning tool used on the Internet. Cretead by Fyodar (http://www.insecure.org), it."— Presentation transcript:
NMAP Scanning Options
EC-Council NMAP Nmap is the most popular scanning tool used on the Internet. Cretead by Fyodar (http://www.insecure.org), it was featured in the Matrix Reloaded movie.
EC-Council SYN Scanning Syn scanning, a technique that is widely across the Internet today. The syn scan, also called the "half open" scan, is the ability to determine a ports state without making a full connection to the host. Many systems do not log the attempt, and discard it as a communications error. You must first learn 3-way handshake to understand the Syn scan.
EC-Council TCP Communication Flags Standard TCP communications are controlled by flags in the TCP packet header. The flags are as follows: Synchronize - also called "SYN” –Used to initiate a connection between hosts. Acknowledgement - also called "ACK” –Used in establishing a connection between hosts Push - "PSH” –Instructs receiving system to send all buffered data immediately Urgent - "URG” –States that the data contained in the packet should be processed immediately Finish - also called "FIN" –Tells remote system that there will be no more transmissions Reset - also called "RST” –Also used to reset a connection.
EC-Council Three Way Handshake Computer AComputer B : syn > : :2342 < syn/ack : : ack > :80 Connection Established The Computer A ( ) initiates a connection to the server ( ) via a packet with only the SYN flag set. The server replies with a packet with both the SYN and the ACK flag set. For the final step, the client responds back the server with a single ACK packet. If these three steps are completed without complication, then a TCP connection has been established between the client and server.
EC-Council Stealth Scan Computer AComputer B : syn > : :2342 < syn/ack : : RST > :80 Client sends a single SYN packet to the server on the appropriate port. If the port is open then the server responds with a SYN/ACK packet. If the server responds with an RST packet, then the remote port is in state "closed” The client sends RST packet to close the initiation before a connection can ever be established. This scan also known as “half-open” scan.
EC-Council Xmas Scan Computer AComputer B Xmas scan directed at open port: : FIN/URG/PSH > : :4031 < NO RESPONSE :23 Xmas scan directed at closed port: : FIN/URG/PSH > : :4031< RST/ACK :23 Note: XMAS scan only works OS system's TCP/IP implementation is developed according to RFC 793 Xmas Scan will not work against any current version of Microsoft Windows. Xmas scans directed at any Microsoft system will show all ports on the host as being closed.
EC-Council FIN Scan Computer AComputer B FIN scan directed at open port: : FIN > : :4031 < NO RESPONSE :23 FIN scan directed at closed port: : FIN : :4031< RST/ACK :23 Note: FIN scan only works OS system's TCP/IP implementation is developed according to RFC 793 FIN Scan will not work against any current version of Microsoft Windows. FIN scans directed at any Microsoft system will show all ports on the host as being closed.
EC-Council NULL Scan Computer AComputer B NULL scan directed at open port: : NO FLAGS SET > : :4031 < NO RESPONSE :23 NULL scan directed at closed port: : NO FLAGS SET : :4031< RST/ACK :23 Note: NULL scan only works OS system's TCP/IP implementation is developed according to RFC 793 NULL Scan will not work against any current version of Microsoft Windows. NULL scans directed at any Microsoft system will show all ports on the host as being closed.
EC-Council IDLE Scan Almost four years ago, security researcher Antirez posted an innovative new TCP port scanning technique. Idlescan, as it has become known, allows for completely blind port scanning. Attackers can actually scan a target without sending a single packet to the target from their own IP address.
EC-Council IDLE Scan: Basics Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port, otherwise it is closed. One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed. A machine which receives an unsolicited SYN|ACK packet will respond with a RST. An unsolicited RST will be ignored. Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.
EC-Council IDLE Scan: Step 1 Choose a "zombie" and proble for its current IPID number
EC-Council Fragmentation scanning Instead of just sending the probe packet, you break it into a couple of small IP fragments. You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.
EC-Council ICMP echo scanning This isn't really port scanning, since ICMP doesn't have a port abstraction. But it is sometimes useful to determine what hosts in a network are up by pinging them all. nmap -P cert.org/ /16