2.4 Nmap
Nmap is a free and open-source tool for network scanning and security auditing. Most of its functionality centres on scanning TCP ports: it finds the status of each port and the service behind it, and can even identify the operating system, the type of packet filters or firewalls in use, and the service version.
It scans large-scale networks efficiently and works equally well against a single host. Nmap can be installed on Windows, macOS, and Linux, and it is one of the built-in tools in Kali Linux.
Table 2.1 Common services and ports
Services Port
(nmap), the network packet generation tool and ping utility (nping), the utility to compare the results of Nmap scans (ndiff), and the socket concatenation and redirection tool (ncat). It allows users to apply the following techniques.
Table 2.2 Port Scanning Techniques
Type Detail Option Speed
SYN Stealth Scan The default scan, also called the half-open scan
be noticed by the target.
Nmap provides the options below.
Table 2.3 Other Scanning Techniques
Type Option Detail
ACK Scan -sA Detects whether the host is protected by a firewall. The host does not respond if a firewall exists; otherwise it returns RST to reject the handshake.
TCP Maimon Scan -sM Similar to the ACK scan, but with a FIN flag added, to determine the port state.
TCP FIN Scan -sF Only the FIN bit is set. The host must follow RFC 793.
NULL Scan -sN Like the FIN scan, but the TCP flag header is 0.
Xmas Tree Scan -sX Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
IP Protocol Scan -sO Detects which IP protocols the host supports.
Ping Sweep (Ping Scan) -sP Sends an ICMP packet and a TCP packet to port 80.
FTP Bounce Attack -b Scans the host through an FTP proxy server.
Idle Scan -sI <zombie host> An advanced scanning technique used to hide the attacker; the host will not receive any packet from it.
2.4.2 Scan Performance
Some of the scanning techniques described above need to establish a complete connection, so the scanning process is affected by the network speed.
Therefore, Nmap lets users adjust scan performance by setting the packet transmission delay. These parameters must be tuned to the situation in which the scan is used for it to be effective. For example, choose -T3 to avoid IDS detection while keeping the delay short.
Table 2.4 Timing of TCP scan delay
Performance Option Scan delay (ms)
Paranoid -T0 300,000
involves script pre-scanning, target enumeration, host discovery, reverse-DNS resolution, port scanning, version detection, OS detection, traceroute, script scanning, and finally, output of the result. This thesis uses a customized NSE script, executed in the script pre-scan stage, for penetration testing. In the port scanning stage, we analyze the host's response to determine each port's state (open, closed, or filtered). This stage can be further tuned through its configuration and the corresponding algorithm. If any open port is found, Nmap can determine the server software and its version on the remote system. It achieves this by sending various probes to the open ports and matching each response against its database of more than 6,500 known service signatures. Version detection is enabled using the -sV
Fig. 2.3 Nmap scan phases
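The port states (open, closed, filtered) and the service/version fields produced by the port scanning and version detection phases end up in Nmap's output files. The following is an added example, not Nmap's own code or part of this thesis, that reads Nmap's XML output format (the -oX option) with the Python standard library. The XML document embedded in it is a constructed sample in that format, not a real scan result; the address and product strings in it are made up.

```python
"""Parse Nmap XML output (-oX) into per-host port states and detected services.
Added example, not Nmap code; SAMPLE_XML is a constructed sample, not a capture."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout: one host scanned with -sS -sV.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed" reason="reset"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {address: [port records]} for every <host> in the document."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            entries.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                # reason tells which response produced the state:
                # syn-ack -> open, reset -> closed, no-response -> filtered
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else "",
                "service": svc.get("name") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                # method="probed": -sV matched a real response against the signature
                # database; method="table": only the default name for that port number.
                "probed": svc is not None and svc.get("method") == "probed",
            })
        results[addr] = entries
    return results


def open_services(results):
    """Ports confirmed open, with the version string only when -sV actually probed it."""
    out = []
    for addr, entries in results.items():
        for e in entries:
            if e["state"] == "open":
                ver = f'{e["product"]} {e["version"]}'.strip() if e["probed"] else "(not probed)"
                out.append((addr, e["port"], e["service"], ver))
    return out


def state_summary(results):
    """Count ports per state across all hosts."""
    counts = {}
    for entries in results.values():
        for e in entries:
            counts[e["state"]] = counts.get(e["state"], 0) + 1
    return counts


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    for row in open_services(scan):
        print(row)
    print(state_summary(scan))
```

The `reason` attribute is worth keeping when building an inventory from scan output: it records which response (SYN/ACK, RST, or none) led Nmap to the open, closed or filtered verdict, and the `method` attribute separates a version string that was actually matched by a probe from a service name that is merely the table default for the port number.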
2.4.4 TCP/IP Scanning
The TCP/IP protocol is widely used on the Internet, and the scanning techniques are based on it as well. To probe a target, we can send ICMP packets, as the ping command does. ICMP can be blocked by a firewall, however, and in that case we use TCP to perform target discovery.
Two devices must respond to each other to set up a stable connection. This mechanism is known as the three-way handshake. In contrast, the UDP protocol transmits data more quickly because it has no handshake. For instance, suppose two computers, A and B, want to build a connection between them. Computer A sends a SYN packet to B. Then B replies with SYN+ACK to A. Finally, A sends an ACK to B, which completes the handshake.
The header of a TCP packet must include the following information: the source and destination ports, the sequence number, the acknowledgement number, the window, and the flags.
Fig. 2.4 IPv4 TCP header format
The sequence number is a 32-bit unsigned integer. It acts as a counter on the sender's side, because the data can be sliced and carried in many packets. When the receiver receives a packet, it replies with an ACK to the sender and records the sequence number plus the data length in the acknowledgement number field. This value represents the start position of the next data chunk. The maximum acceptable data length is recorded in the window field. For example, if the receiver replies with a packet whose window value is 1000,
then the data in the next packet the sender sends cannot be larger than 1000. The flags field has 6 bits, UAPRSF, which stand for urgent, acknowledgement, push, reset, synchronize, and finish respectively.
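To tie the header layout above to the scan types listed in Table 2.3, here is an added example (not Nmap code and not part of this thesis) that packs and parses the fixed 20-byte TCP header with Python's struct module, decodes the six UAPRSF flag bits, and labels the flag combinations that the FIN, NULL, Xmas, ACK and Maimon probes use, as well as the three handshake segments. The packets are constructed byte strings, not captures; the port numbers and sequence numbers in the usage section are made up. A flag-set classifier like this is the kind of rule a packet filter or IDS applies to recognise such probes, which is why the page notes that these scans are only meaningful against stacks that follow RFC 793.

```python
"""Pack/parse the 20-byte TCP header and label scan-probe flag patterns.
Added example, not Nmap code; all packets here are constructed, not captured."""
import struct

# Flag bit values in the low 6 bits of the data-offset/flags word: U A P R S F.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
# src, dst, seq, ack, offset+flags, window, checksum, urgent pointer = 20 bytes.
HEADER_FMT = "!HHIIHHHH"


def build_tcp_header(src, dst, seq=0, ack=0, flags=(), window=65535):
    """Build a 20-byte header with the named flags set (checksum left as 0)."""
    flag_bits = 0
    for name in flags:
        flag_bits |= FLAG_BITS[name]
    off_flags = (5 << 12) | flag_bits          # data offset 5 words = 20 bytes
    return struct.pack(HEADER_FMT, src, dst, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Return the fields the text lists: ports, seq, ack, window and flags."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, window, _checksum, urgent = struct.unpack(HEADER_FMT, raw[:20])
    return {
        "src_port": src, "dst_port": dst,
        "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "window": window,
        "flags": {name for name, bit in FLAG_BITS.items() if off_flags & bit},
        "urgent_ptr": urgent,
    }


def classify_probe(flags):
    """Label a flag set by the Table 2.3 probe or handshake step it matches.
    A host following RFC 793 answers FIN/NULL/Xmas probes with RST on a
    closed port and stays silent on an open one; that asymmetry is what those
    scans infer port state from, and it is also what a detector looks for."""
    f = set(flags)
    if not f:
        return "NULL scan probe"
    if f == {"FIN"}:
        return "FIN scan probe"
    if f == {"FIN", "PSH", "URG"}:
        return "Xmas scan probe"
    if f == {"SYN"}:
        return "SYN (handshake step 1 / SYN scan probe)"
    if f == {"SYN", "ACK"}:
        return "SYN+ACK (handshake step 2)"
    if f == {"ACK"}:
        return "ACK (handshake step 3 / ACK scan probe)"
    if f == {"FIN", "ACK"}:
        # Also a normal connection teardown segment, so a detector must check
        # whether an established connection exists before calling this a probe.
        return "FIN+ACK (Maimon scan probe or normal close)"
    return "other"


def handshake_packets(a_port, b_port, a_isn, b_isn):
    """The three segments of the handshake in the text, A -> B -> A.
    Each ACK number is the peer's sequence number plus one: the SYN consumes one."""
    return [
        build_tcp_header(a_port, b_port, seq=a_isn, flags=("SYN",)),
        build_tcp_header(b_port, a_port, seq=b_isn, ack=a_isn + 1, flags=("SYN", "ACK")),
        build_tcp_header(a_port, b_port, seq=a_isn + 1, ack=b_isn + 1, flags=("ACK",)),
    ]


if __name__ == "__main__":
    # Constructed values: ephemeral port 40000 talking to port 80, made-up ISNs.
    for pkt in handshake_packets(40000, 80, a_isn=100, b_isn=500):
        h = parse_tcp_header(pkt)
        print(h["src_port"], "->", h["dst_port"], sorted(h["flags"]), classify_probe(h["flags"]))
    xmas = build_tcp_header(40000, 80, seq=1000, flags=("FIN", "PSH", "URG"), window=1000)
    print(classify_probe(parse_tcp_header(xmas)["flags"]))
```

The same flag decoding works on the TCP layer of any captured packet once the IP header has been stripped; only the 20-byte fixed part is parsed here, and `data_offset` tells a caller where the payload starts when options are present.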
2.4.5 Nmap Script Engine
For an unknown target, we first need to find as many of its vulnerabilities as possible. Nmap ships with about 600 NSE scripts, written in the Lua programming language. A standard NSE script has three parts: the Head, the Rule, and the Action. The libraries provided by Nmap are imported in the Head, together with the description and the copyright statement, which is the same as Nmap's own, the GNU General Public License, version 2. The bundled NSE scripts cover detection, analysis, and even cracking and attacks on various common protocols, grouped into 14 categories. When running Nmap against a target, multiple scripts can be selected at once by passing category parameters.