Intro
If you’re familiar with Nmap, you are probably aware of the myriad of options it has to offer. I have opted to use example scans here in the hope of demonstrating some of those options more easily.
We will take a look at some of the more advanced scans (focusing on Null, Xmas, and FIN scans), along with more examples, example commands, scripts and other options. I focused on these scans because they are rather interesting once you think about how they work and interact with other systems. Also, once in a while they let you slip completely under the radar of a firewall or packet-filtering router, and we will explain how.
Scans
- Null Scan
- Xmas Scan
- FIN Scan
Examples, command-line flags, scripts, options
- DNS brute Script
- http-errors Script
- http-waf-detect Script
- http-waf-fingerprint Script
- --script
- --reason
- -A
- Output Format
Commands
Null, Xmas and FIN Scans
These three scans rely on the TCP specification (RFC 793) to tell which ports are open and which are closed. They leverage the fact that if the destination port is closed, an RST packet is sent in response.
From the RFC:
“CLOSED… an incoming segment not containing a RST causes a RST to be sent in response.”
On a conforming system, any packet that does not have the SYN, RST or ACK bit set will trigger an RST response if the port is in fact closed, and no response at all if it is open. So long as these three bits are not set, any combination of the remaining three (URG, PSH and FIN) is fine.
The only thing Null, Xmas, and FIN scans do differently is how they set the TCP flags in the probe packets. In every case, if an RST packet comes back the port is considered closed, while receiving no response marks it as open | filtered. A port is reported as plain filtered when an ICMP unreachable error is received instead.
Xmas scan (-sX) – sets the URG, PSH and FIN flags
Null scan (-sN) – sets no flags at all; all six flag bits are 0
FIN scan (-sF) – sets only the TCP FIN bit
Null Scan
Because a Null scan sets no flags (all six flag bits are zero), an open port will not respond at all: the receiving system has no defined handling for a flag-less segment, so it simply drops it. That silence is what lets a Null scan tell us the port may be open. And since the probe carries no set flags, it can sometimes slip past a firewall or router that filters incoming packets based on particular flags.
Thus Nmap ‘knows’ that not getting a response means the port is either blocked by a firewall or open. The scan is invoked by adding -sN to your command.
Null scan finding 7 open ports (and their respective services) on the target host
No response → open port (or filtered)
RST packet in response → closed port
Xmas Scan
The Xmas scan sets the URG, FIN, and PSH flags at the same time. It is invoked by adding -sX to your command. As with the FIN and Null scans, receiving an RST packet indicates that the port is closed; otherwise it is shown as open | filtered.
It is called an Xmas scan because a header lit up with the FIN, PSH, and URG flags looks akin to a Christmas tree.
Christmas tree header
Image showing port 5902 open and running vnc-2
Xmas scan sets the PSH, FIN, and URG flags at the same time
RST packet received – port closed
No response – open port (or filtered)
FIN Scan
Like the previous two scans (Null and Xmas), the FIN scan sends a TCP packet with only the FIN flag set; add -sF to your command to use it. As before, no response is sent back if the TCP port is open, so Nmap cannot be sure whether the port is truly open or a firewall rule is blocking the traffic. But since the system should respond with an RST if the port is closed, we can deduce the open and/or filtered ports from that fact.
Please note that some firewalls might drop this traffic without sending RSTs at all.
Sets the FIN flag
No response – open port (or filtered)
RST packet received – port closed
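As an added example (not from the original article), the following Python models the RFC 793 closed-port rule the three scans depend on, names a probe from its TCP flag byte, maps the reply to Nmap's port state, and counts such probes per source as a simple defender-side check. The header bytes and flow records are constructed for the example.

```python
# Added example (not from the original article): model the RFC 793 rule
# the Null, Xmas and FIN scans rely on, and how Nmap reads the replies.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBES = {"null": 0, "xmas": FIN | PSH | URG, "fin": FIN}

def tcp_flags_from_header(tcp_header):
    """Return the six flag bits from raw TCP header bytes (byte 13)."""
    return tcp_header[13] & 0x3F

def classify_probe(flags):
    """Name the scan a flag byte matches (null/xmas/fin), else None."""
    for name, bits in PROBES.items():
        if flags == bits:
            return name
    return None

def rfc793_response(port_open, flags):
    """Reply of a conforming stack. Closed port: any segment without RST
    gets an RST back. Open port: a segment with none of SYN/RST/ACK set
    is silently dropped, which is exactly what the three scans exploit."""
    if not port_open:
        return None if flags & RST else "RST"
    if flags & (SYN | RST | ACK):
        return "other"  # normal connection handling, not a scan reply
    return None

def infer_state(response):
    """Nmap's reading of the reply to a Null/Xmas/FIN probe."""
    if response == "RST":
        return "closed"
    if response == "ICMP_UNREACH":
        return "filtered"
    return "open|filtered"  # no reply at all

def count_scan_probes(records):
    """Defender-side check: count Null/Xmas/FIN probes per source over
    constructed (src_ip, dst_port, flags) flow records; many per source
    within a short window is the signature of one of these scans."""
    counts = {}
    for src, _port, flags in records:
        if classify_probe(flags) is not None:
            counts[src] = counts.get(src, 0) + 1
    return counts

# Constructed 20-byte TCP header (src 54321, dst 80) with FIN|PSH|URG set.
SAMPLE_XMAS_HEADER = bytes([0xD4, 0x31, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0,
                            0x50, FIN | PSH | URG, 0x04, 0x00, 0, 0, 0, 0])
```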
Examples, commands, scripts, and options
Options in Nmap are usually added by specifying them on the command line (--option_name). Similarly, you can call built-in Nmap scripts with --script "name_of_your_script".
Here, we will quickly glance over a few more examples of options, scripts, and some additional commands.
--script
SSH2-ENUM-ALGOS script
By scanning the host with the ssh2-enum-algos script from the NSE script library, we found out which algorithms this SSH2 server offers.
--reason
syn-ack in the reason column indicates that the port is listening
DNS Brute Script
dns-brute attempts to enumerate DNS hostnames by brute-force guessing of common subdomains. A and AAAA records hold IPv4 and IPv6 addresses, respectively.
Discovery of some of the scanme.nmap.org subdomains, using dns-brute NSE script
Some (of the many) interesting NSE scripts:
http-errors Script – crawls a site looking for any error codes of 400 or above and lists them in order
Example command: sudo nmap --script http-errors 10.10.10.10
http-waf-detect Script – tries to determine whether a web server is protected by a Web Application Firewall, IDS, or IPS by probing it with malicious payloads and looking for changes in the response code.
Example command: sudo nmap --script http-waf-detect 10.10.10.10
http-waf-fingerprint Script – tries to find out whether a Web Application Firewall (WAF) is present, and which version it is.
Example command: sudo nmap --script http-waf-fingerprint 10.10.10.10
Remember that by default the NSE scripts are located in /usr/share/nmap/scripts.
Other options
-A
This option is equivalent to -sV -O -sC --traceroute.
-sV does service and version detection
-O does OS detection
-sC launches the default NSE scripts
--traceroute traces the route to the host
In the screenshot above we have an excerpt from an output file we created by combining the -A option with some other switches:
- -A (or -sV -O -sC --traceroute), described above
- -T4 timing template, set to aggressive
- -p- scan all ports
- -oN normal output format, followed by the path of the file being written to
- -vv verbosity level 2
Output Formats
-oG
Works with grep, awk, cut, and diff; contains less information than the XML format (-oX)
-oX
Can be parsed easily by free XML parsers, writes output in an XML format
-oN
Prints normal output of your scan to a file
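As an added example (not from the original article), here is a small Python parser for the grepable (-oG) format described above, which turns the tab-separated "Name: value" fields and the port/state/proto/owner/service/rpc/version entries into a structure you can filter without grep and cut. The scan output embedded below is constructed for the example, not a real scan.

```python
# Added example (not from the original article): parse Nmap grepable
# (-oG) output into a structure you can filter, instead of grep/cut.
# The scan output below is constructed for this example, not a real scan.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sN -oG - 10.10.10.10\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 22/open|filtered/tcp//ssh///, "
    "80/open|filtered/tcp//http///, 443/closed/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "# Nmap done; 1 IP address (1 host up) scanned\n"
)
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

def parse_grepable(text):
    """Return {ip: {"status", "ports", "ignored"}} from -oG text. Fields on
    a Host line are tab-separated 'Name: value' pairs; each Ports entry is
    port/state/proto/owner/service/rpc/version with a trailing slash."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines start with '#'
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split(" ", 1)[0]
        entry = hosts.setdefault(ip, {"status": None, "ports": [], "ignored": None})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "Ignored State" in fields:
            entry["ignored"] = fields["Ignored State"]
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            # maxsplit=6 keeps the whole version string (7th field) intact
            parts = item.split("/", 6)
            parts[6] = parts[6].rstrip("/")
            rec = dict(zip(PORT_FIELDS, parts))
            rec["port"] = int(rec["port"])
            entry["ports"].append(rec)
    return hosts

def ports_in_state(hosts, state):
    """List (ip, port) pairs whose state matches, e.g. 'closed'."""
    return [(ip, p["port"]) for ip, h in hosts.items()
            for p in h["ports"] if p["state"] == state]
```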
Port Scan Type / Command-line flags / Options | Example Command
TCP Null Scan | sudo nmap -sN <target_ip>
TCP FIN Scan | sudo nmap -sF <target_ip>
TCP Xmas Scan | sudo nmap -sX <target_ip>
--reason | sudo nmap --reason <target_ip>
-sC (Default scripts) | sudo nmap -sC <target_ip>
--script <script_name> | sudo nmap --script "script_name" <target_ip>
-sS (Stealth scan) | sudo nmap -sS <target_ip>
-sV (Version and service detection) | sudo nmap -sV <target_ip>
-A (equivalent to -sV -O -sC --traceroute) | sudo nmap -A <target_ip>
-oG, -oX, -oN (Output formats) | sudo nmap -oG <output_file> <target_ip> (likewise -oX and -oN)
-p- (Scan all ports) | sudo nmap -p- <target_ip>
Conclusion
We have covered a lot in this article, yet we have barely scratched the surface of what Nmap can do. We only touched on the NSE (Nmap Scripting Engine), which gives us ~600 scripts just by installing Nmap – and there are plenty more to be found out there.
Finally, I would just like to emphasize a few more things (even though we might say they should go without saying) before concluding.
- Never do unauthorized scans, you can get in a lot of trouble for nothing.
- Know your context. (Nmap is a Swiss army knife, but you still need to choose the appropriate extension for it to function)
- Know what you’re trying to achieve. (Nmap is also a scalpel, but you need to direct it skillfully)
- Use sudo. Seriously, even though you might get by without using it, spare yourself the headache and adopt the habit of using sudo in your Nmap commands, it will function best that way. (Barring a special use case)