Linux 101 : Overview of some of the Nmap scanning techniques
To override this behavior, we could specify our own number of "top" ports to be scanned using the "--top-ports number" parameter.
In the below example, we use the default number "1000":
We can also specify the ports we want to scan using the "-p" parameter.
We could also tell nmap what type of ports to scan (TCP, UDP).
The below parameters tell nmap to scan the port TCP:25 and the UDP ports from 120 to 130:
A SYN/ACK response from the target to a SYN packet tells us that the port is open.
A closed port means that no program is listening on incoming connections on that port.
An RST packet response from the target host to a SYN packet means that the port is closed.
Below are some types of nmap scans.
TCP CONNECT SCAN:
The TCP connect is the default scanning mode.
This scan does a full TCP three-way handshake with the target and establishes a connection.
A TCP connect is slower and consumes more resources than other types of scans.
- -Pn : assumes all hosts are up, without doing host discovery.
- -sT : refers to the TCP connect scan.
- -p : port number to scan.
- -n : tells nmap to skip DNS resolution.
Nmap sends a SYN packet to the target on TCP port 22, and the target answers with a SYN/ACK packet.
Nmap then sends an ACK packet in response to the SYN/ACK packet, and the connection is established.
After the connection is established, nmap sends an RST to end the connection.
TCP SYN SCAN:
SYN scans are faster than TCP connect scans, because they only establish a "half" connection to the target port.
SYN scans go only through the first "half" of the three-way handshake: they send an RST packet before the connection is established.
- -n : skips DNS resolution.
- -Pn : assumes all hosts are up, without doing host discovery.
- -sS : SYN scan.
- -p : port number to scan.
Nmap sends a SYN packet to the target host on port 22, the target host answers with a SYN/ACK (which means the port is open), then nmap sends an RST packet to stop the exchange.
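The handshake differences just described are exactly what a network sensor can use to tell a full connect scan from a half-open SYN scan. The Python below is an added example and not code from the original post: it replays constructed packet records (the addresses, ports and timestamps are made up for illustration) through a small flow tracker, labels each flow by the handshake stage it reached, and flags any source that touched three or more distinct ports, a threshold that is itself an assumption.

```python
from collections import defaultdict

# Constructed packet records for this example (not captured from a real host):
# (timestamp, src, dst, sport, dport, flags), flags in tcpdump letters
# (S=SYN, A=ACK, R=RST; "SA" is a SYN/ACK).
PACKETS = [
    # Flow 1: full TCP connect to port 22: SYN, SYN/ACK, ACK, then RST.
    (1.00, "10.0.0.5", "10.0.0.9", 40001, 22, "S"),
    (1.01, "10.0.0.9", "10.0.0.5", 22, 40001, "SA"),
    (1.02, "10.0.0.5", "10.0.0.9", 40001, 22, "A"),
    (1.03, "10.0.0.5", "10.0.0.9", 40001, 22, "R"),
    # Flow 2: half-open SYN probe of port 80: SYN, SYN/ACK, RST, no ACK.
    (2.00, "10.0.0.7", "10.0.0.9", 40002, 80, "S"),
    (2.01, "10.0.0.9", "10.0.0.7", 80, 40002, "SA"),
    (2.02, "10.0.0.7", "10.0.0.9", 40002, 80, "R"),
    # Flow 3: same source, closed port 81: the SYN is answered with RST.
    (2.10, "10.0.0.7", "10.0.0.9", 40003, 81, "S"),
    (2.11, "10.0.0.9", "10.0.0.7", 81, 40003, "R"),
    # Flow 4: same source, port 443 never answers (filtered or host down).
    (2.20, "10.0.0.7", "10.0.0.9", 40004, 443, "S"),
]


def build_flows(packets):
    """Group packets into flows keyed by the client's 4-tuple.

    A flow starts with a bare SYN; later packets are matched in either
    direction and recorded as (side, flags) with side "c" (client) or
    "s" (server), in timestamp order.
    """
    flows = {}
    for _ts, src, dst, sport, dport, flags in sorted(packets):
        fwd = (src, dst, sport, dport)
        rev = (dst, src, dport, sport)
        if fwd in flows:
            flows[fwd].append(("c", flags))
        elif rev in flows:
            flows[rev].append(("s", flags))
        elif "S" in flags and "A" not in flags:
            flows[fwd] = [("c", flags)]
        # Packets that belong to no SYN-initiated flow are ignored here.
    return flows


def classify_flow(events):
    """Label one flow with the handshake stages described in the post."""
    synack = ("s", "SA") in events
    if synack and ("c", "A") in events:
        return "connect"      # three-way handshake completed: -sT style, port open
    if synack and ("c", "R") in events:
        return "half-open"    # SYN/ACK answered with RST, no ACK: -sS style, port open
    if ("s", "R") in events:
        return "closed"       # SYN answered with RST: nothing listening
    if synack:
        return "incomplete"   # SYN/ACK seen but the client never replied
    return "no-response"      # SYN never answered: filtered, or host is down


def summarize_sources(packets, threshold=3):
    """Label every flow and flag sources that touched >= threshold distinct ports.

    Returns (labels, flagged): labels maps (src, dport) to a flow label;
    flagged maps each suspicious source to its sorted ports and the set of
    handshake patterns it used, which tells a defender whether the scanner
    completed connections (visible in service logs) or stayed half-open.
    """
    labels = {}
    ports = defaultdict(set)
    patterns = defaultdict(set)
    for (src, _dst, _sport, dport), events in build_flows(packets).items():
        label = classify_flow(events)
        labels[(src, dport)] = label
        ports[src].add(dport)
        patterns[src].add(label)
    flagged = {
        src: {"ports": sorted(p), "patterns": sorted(patterns[src])}
        for src, p in ports.items()
        if len(p) >= threshold
    }
    return labels, flagged


if __name__ == "__main__":
    flow_labels, suspicious = summarize_sources(PACKETS)
    for key, label in flow_labels.items():
        print(f"{key[0]} -> port {key[1]}: {label}")
    print("flagged:", suspicious)
```

The "patterns" field matters for triage: a half-open probe never reaches the listening program, so only a sensor that sees both directions of the traffic (a firewall, IDS or packet capture) will record it, whereas a connect scan completes the handshake and therefore also shows up in the service's own connection logs.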
TCP ACK scan:
The ACK scan is used to show filtered ports rather than open ports.
It tells us if a firewall is "stateful" (if it monitors whole connections instead of analyzing individual packets).
It uses the "-sA" parameter.
TCP FIN scan:
The TCP FIN scan is designed to see if ports are closed. Usually hosts respond to unexpected packets with an RST packet.
It uses the "-sF" parameter.
XMAS scan:
The XMAS scan sets the FIN, PSH, and URG flags on the TCP packet.
Below is a short description of each of these flags:
- PSH: this flag tells the destination that the data must be delivered immediately to the target program (the one listening on the destination port).
- URG: This flag specifies that the packets are urgent and must be prioritized.
- FIN: FIN packets like RST packets terminate a connection, but FIN packets wait for an acknowledgment to end the connection.
Below are the different responses to an XMAS scan:
- No response : means that the port may be either open or blocked by a firewall.
- RST packet : means that the port is closed.
- ICMP error : means that the port is blocked by a firewall.
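From the defender's side, the ACK, FIN and XMAS probes above share one trait: they arrive on a connection that was never opened with a SYN. The following Python is an added example, not code from the original post. It walks constructed packet records through that check, names each orphan probe by its flag set, and maps the target's reply to a port state using the response table above; the ACK-scan rows (an RST reply means the port is reachable, which nmap reports as "unfiltered") follow nmap's documented behaviour and are an addition to the post's table. The addresses, ports and the "ICMP" placeholder record are constructed for illustration.

```python
from collections import Counter

XMAS = frozenset("FPU")   # FIN + PSH + URG, the flag set the XMAS scan uses

# Constructed packet records for this example (not from the original post):
# (src, dst, sport, dport, flags). Flags use tcpdump letters (S, A, F, P, U, R);
# "ICMP" is a constructed placeholder standing in for an ICMP error returned
# for a probe, keyed on the reversed 4-tuple so it can be matched here.
PACKETS = [
    # A normal connection to port 22: SYN first, then data and FIN within the flow.
    ("10.0.0.5", "10.0.0.9", 40001, 22, "S"),
    ("10.0.0.9", "10.0.0.5", 22, 40001, "SA"),
    ("10.0.0.5", "10.0.0.9", 40001, 22, "A"),
    ("10.0.0.5", "10.0.0.9", 40001, 22, "PA"),
    ("10.0.0.5", "10.0.0.9", 40001, 22, "FA"),
    # XMAS probes (FIN+PSH+URG) to three ports, none preceded by a SYN.
    ("10.0.0.7", "10.0.0.9", 40002, 80, "FPU"),
    ("10.0.0.9", "10.0.0.7", 80, 40002, "R"),      # RST back: port 80 is closed
    ("10.0.0.7", "10.0.0.9", 40003, 81, "FPU"),    # no reply at all
    ("10.0.0.7", "10.0.0.9", 40004, 25, "FPU"),
    ("10.0.0.9", "10.0.0.7", 25, 40004, "ICMP"),   # ICMP error: filtered
    # A bare FIN probe and a bare ACK probe to port 443 from another host.
    ("10.0.0.8", "10.0.0.9", 40005, 443, "F"),
    ("10.0.0.8", "10.0.0.9", 40006, 443, "A"),
]


def probe_kind(flags):
    """Name the probe by its flag combination."""
    f = frozenset(flags)
    if f == XMAS:
        return "xmas"
    if f == frozenset("F"):
        return "fin"
    if f == frozenset("A"):
        return "ack"
    return "other"


def infer_state(kind, reply):
    """Apply the response table from the post (plus the ACK-scan case).

    reply is None (silence), "R" (an RST came back) or "ICMP" (an ICMP error).
    """
    if kind in ("xmas", "fin"):
        table = {None: "open|filtered", "R": "closed", "ICMP": "filtered"}
    elif kind == "ack":
        table = {None: "filtered", "R": "unfiltered", "ICMP": "filtered"}
    else:
        return "unknown"
    return table.get(reply, "unknown")


def find_orphan_probes(packets):
    """Return [(src, dport, kind, inferred_state)] for every orphan probe.

    An orphan is a packet with no SYN flag whose 4-tuple was never opened by
    a SYN in either direction. Real stacks only send FIN, PSH, URG or ACK
    inside a connection, so orphans are the footprint of the stateless scans
    described above, and the target's answer (if any) is matched back to them.
    """
    opened = set()
    probes = {}    # client 4-tuple -> probe kind
    replies = {}   # client 4-tuple -> "R", "ICMP" or the raw flags seen
    for src, dst, sport, dport, flags in packets:
        key = (src, dst, sport, dport)
        rev = (dst, src, dport, sport)
        if "S" in flags:
            opened.update((key, rev))
            continue
        if key in opened:
            continue                      # in-connection traffic: not a probe
        if rev in probes:                 # the target answering an earlier probe
            replies[rev] = "ICMP" if flags == "ICMP" else ("R" if "R" in flags else flags)
            continue
        if "R" in flags or flags == "ICMP":
            continue                      # stray reset/error with no probe to attach to
        probes[key] = probe_kind(flags)
    return [(k[0], k[3], kind, infer_state(kind, replies.get(k)))
            for k, kind in probes.items()]


def per_source_counts(results):
    """Count probe kinds per source so a noisy scanner stands out."""
    counts = {}
    for src, _port, kind, _state in results:
        counts.setdefault(src, Counter())[kind] += 1
    return counts


if __name__ == "__main__":
    found = find_orphan_probes(PACKETS)
    for src, port, kind, state in found:
        print(f"{src} -> port {port}: {kind} probe, inferred {state}")
    print(per_source_counts(found))
```

A stateful firewall does this bookkeeping for you: packets that do not belong to an established connection are dropped, which is why the post notes that an ACK scan reveals whether the firewall is stateful, and why silence on an XMAS or FIN probe can only be reported as "open or filtered".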