In part three of the Nmap: Scan all the things post, I am going to go over Nmap and its potential uses. I will cover try to provide an extensive analysis of Nmap's port scanning capabilities. I will briefly touch on what ports are and the purpose of port scanning. I will also cover port scanning techniques and port scan timing as it relates to Nmap. And finally I will also discuss Nmap's port options and port scan types. If you're interested in cybersecurity, please regularly check back on Cyb3r-S3c and check out my YouTube channel, Cyb3r_0verWatch, for more informative content. You can watch the video here (https://youtu.be/91qb5-TtEZM Part four of Nmap: Scan All the Things, is planned and will be released in a few weeks hopefully.
What are Ports?
Ports are used to differentiate between different communication channels, similar to how IP addresses identify hosts on a network. Ports help to identify specific applications running on a host. For example, when you browse to a website via an HTTP URL, it will use TCP port 80 by default. If you specify the secure HTTPS protocol instead, the browser will attempt to connect to port 443 by default.
In general the most popular services are usually registered to well-known port numbers. This makes it often possible to guess which services are running on the open ports. Nmap includes an nmap-services file that contains information about registered ports and protocols. It also contains common ports for trojan backdoors and other applications that do not register with the Internet Assigned Numbers Authority (IANA). After a scan Nmap will print these service names for with the port number for reference.
The ephemeral port range is a pool of ports that are dynamically assigned by the system as needed. When an application specifies port zero (meaning "any port"), the system selects a port from this range. The specific range varies depending on the operating system and can usually be configured, but it should include a sufficient number of ports (at least a few thousand) to prevent running out of available ports when multiple concurrent connections are open. Nmap's Connect scan uses hundreds of ports simultaneously as it scans each specified port on each target machine. On Linux, you can view or modify the range by accessing the file /proc/sys/net/ipv4/ip_local_port_range.
The IANA has an authoritative port list can be found at http://www.iana.org/assignments/port-numbers and divides the port space into three classes:
Well-known ports: These are reserved ports within the range of 1 to 1,023, as discussed above. They have been registered with the IANA for a specific service. Examples of well-known ports are 22, 25, and 80 for SSH, SMTP, and HTTP, respectively.
Registered ports: These ports fall within the range of 1,024 to 49,151 and have been registered with the IANA in the same way as well-known ports. Most of these ports are not as commonly used as the well-known ports. The key difference is that unprivileged users can bind to these ports and run services on their registered port. In contrast, users cannot do so on most platforms for well-known ports, since they are reserved.
Dynamic and/or private ports: The IANA reserves port numbers from 49,152 through 65,535 for dynamic uses, such as those discussed in the ephemeral ports section. Proprietary services that are only used within a company may also use these ports.
A Purpose for Port Scanning
Port scanning has several practical benefits, the most important of which is security. Reducing the number and complexity of services offered is a central tenet of network security because most remote network compromises result from exploiting a server application listening on a TCP or UDP port. Often, the exploited application isn't even used by the targeted organization but was enabled by default when the machine was set up. Had that service been disabled or protected by a firewall, the attack would have been thwarted.
Attackers frequently scan targets, taking inventory of all open ports to compare them with their list of favorite exploits for vulnerable software. It takes only one match to compromise a machine, creating a foothold that is often used to infest the whole network. Attackers who are less discriminate about who they target often scan for just the default port of an exploitable application. While these attackers are often derided as "script kiddies," they can be quite a nuisance and often drive organizations to patch systems quickly, reducing the likelihood of more serious, targeted attacks succeeding.
An important defense against such attackers is for systems administrators to scan their own networks regularly using tools like Nmap. Administrators should take the list of open ports, shut down any unused services, ensure that critical services are fully patched and are on the vendor's security notification list, and add firewall rules where possible to limit access to legitimate users. Hardening instructions for most popular applications are available on the web, which can further reduce the attacker's opportunity. While Nmap creates the list of available services, it cannot do most of the above tasks for administrators. Some administrators use netstat, but that doesn't scale well and requires access to every machine, which can be challenging for mobile machines. Also, it's not possible to run netstat on wireless access points, VoIP phones, or printers. Moreover, a compromised machine may have a trojaned netstat, providing false information. Most modern rootkits installed by attackers include this functionality. Relying solely on Nmap is also a mistake. A combination of careful design, configuration auditing, and regular scanning is advisable.
While security is the most common reason for port scanning, administrators may find that it suits other purposes as well, such as creating an inventory of machines and the services they offer, which can be useful for asset tracking, network design, policy compliance checks, software license tracking, availability testing, and network debugging.
Port Scanning Techniques
Port scanning is a technique used to remotely test the status of multiple ports on a target machine. The primary objective is to identify open ports, which indicate that an application is actively listening and accepting connections on that port. Different methods are available for conducting port scans.
While many port scanners simply categorize ports as open or closed, Nmap is much more sophisticated. It divides ports into six distinct states that describe how Nmap perceives them. For instance, an Nmap scan from the same network as the target may show port 135/tcp as open, whereas a scan at the same time from across the Internet using the same options might show the same port as filtered.
The six port states recognized by Nmap are:
: An application is actively accepting TCP connections or UDP packets on this port. This state is of particular interest for security-minded individuals since each open port represents a potential avenue for attack. Attackers and penetration testers aim to exploit open ports, while administrators strive to close or protect them with firewalls without hindering legitimate users. Open ports are also useful for non-security scans because they reveal available services on the network. However, it's essential to note that an open port does not necessarily mean the application is vulnerable, as it may be protected with TCP wrappers (tcpd), or the application itself may be configured to only accept connections from approved client IP addresses. Even so, open ports still leave more attack surface than closed ports.
: A closed port is accessible, meaning that it receives and responds to Nmap probe packets, but there is no application listening on it. Closed ports are useful for showing that a host is online and using an IP address (host discovery or ping scanning) and can aid in OS detection. Since closed ports are reachable, they may be worth scanning later in case some open up. Administrators may choose to block closed ports with a firewall so that they appear in the filtered state, which we will discuss next.
: Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. Packet filtering may occur from a dedicated firewall device, router rules, or host-based firewall software. Filtered ports provide minimal information, frustrating attackers. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but more often, filters simply drop probes without responding, causing Nmap to retry several times in case the probe was dropped due to network congestion rather than filtering. This type of filtering significantly slows down scans.
: The unfiltered state means that a port is accessible, but Nmap cannot determine whether it is open or closed. This state only arises when using the ACK scan, which is used to map firewall rulesets. Scanning unfiltered ports with other scan types, such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.
Open|filtered: Nmap places ports in this state when it cannot determine whether a port is open or filtered. This occurs when open ports give no response. The lack of response could mean that a packet filter dropped the probe or any response it elicited. Therefore, Nmap cannot be sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
Closed|filtered: This state arises when Nmap cannot determine whether a port is closed or filtered. This state is unique to the IP ID Idle scan discussed in the "TCP Idle Scan (-sI)" section.
Port Scan Timing
Port scanning is an essential part of an Nmap scan that can be time-consuming, particularly when combined with other types of scans like OS detection, version detection, and NSE scripts. While Nmap is designed to be quick and efficient by default, manual optimization can improve scan times significantly. Nmap offers dozens of options to tailor scan intensity and speed to meet specific needs, making it a powerful tool for optimizing port scans.
To optimize port scan times, it's crucial to understand the most important options available in Nmap. These options allow users to fine-tune scan parameters and achieve optimal results. Some options take time in seconds by default, but users can append ms (milliseconds), s (seconds), m (minutes), or h (hours) to the value for greater flexibility. By leveraging Nmap's powerful options for port scanning, users can obtain faster and more accurate results, leading to better resource allocation and improved network security.
Timing Template (-T0 through -T5) - Nmap's timing templates provide a convenient way to adjust the overall speed of an Nmap scan by affecting many variables. These templates range from very slow (-T0) to extremely aggressive (-T5), allowing users to tailor their scans to their needs. Timing templates can be combined with more granular options that are described below, and the most detailed option takes precedence.
Minimum Timeout (--min-rtt-timeout) - Specifies the minimum amount of time that Nmap will wait for a response before moving on to the next port scan probe. On slow or congested networks, increasing this value can help ensure that all necessary responses are received, but it may also increase the overall scan time.
Maximum Timeout (--max-rtt-timeout) - Specifies the maximum amount of time that Nmap will wait for a response before moving on to the next port scan probe. Increasing this value can help to avoid false negatives, but may also increase the scan time.
Initial Timeout (--initial-rtt-timeout) - Sets the initial amount of time that Nmap will wait for a response before adjusting the timeout based on subsequent probe responses. This option can be useful for scans of complex networks with varying response times.
Minimum Probe Rate (--min-rate) - Sets the lower limit of the number of packets sent per second, ensuring that the scan is not slowed down by a low packet rate.
Maximum Probe Rate (--max-rate) - Sets the maximum number of packets sent per second. This option can be useful for preventing network congestion or to avoid being flagged as an attacker by intrusion detection systems.
Minimum Parallelism (--min-parallelism) - Sets the minimum number of port scan probes that can be active simultaneously during a scan. This option can help ensure that the scan is not slowed down by too few active probes.
Maximum Parallelism (--max-parallelism) - Sets the maximum number of port scan probes that can be active simultaneously during a scan. This option can be useful for preventing network congestion or overloading target systems with too many simultaneous probes.
Minimum Scan Delay (--scan-delay) - Specifies the minimum amount of time Nmap waits between sending probes to any individual host. By increasing the scan delay, Nmap can avoid network congestion, reduce the chance of being detected as a threat, and optimize the scan speed.
Maximum Scan Delay (--max-scan-delay) - Sets the maximum amount of time Nmap will wait between sending probes to an individual host. By capping the maximum delay, users can prevent Nmap from being detected as a threat and avoid unnecessarily long scan times.
Port Options
Nmap's port registration file, called nmap-services, is a valuable resource that contains empirical data on the frequency of open TCP and UDP ports. This data has been collected by scanning millions of internet addresses and combining the results with internal scan data from large enterprises. By default, Nmap scans the 1,000 most popular ports of each protocol, but users can specify the -F option to scan only the 100 most common ports or use the --top-ports option to specify any desired number of ports to scan.
For users who require a more customized port scan, the -p option allows for an arbitrary list of port numbers to be specified on the command-line. Although the syntax of the -p option can be complex, it can be best understood through examples. By leveraging the power of nmap-services, users can more efficiently scan for open ports and improve their network security.
> (e.g. -p 445)
> (e.g. -p telnet)
multiple port #'s> (e.g. -p 21,22,23)
port range> (e.g. -p 1000-1400)
port type mix> (e.g. -p 445,1500-2000)
(all 65,535 ports)
TCP/UDP port mix> (e.g. -pT:21,22,445,U:20,53)
port number and wildcard> (e.g. -p http* - This will include http, https, http-proxy, etc...)
Port Scan Types
Nmap provides several scan types, each with its own purpose and level of value depending on the specific use case. Each scan type has its advantages and limitations, and the value depends on the specific goals and context of your network scanning activity. It's important to consider the target environment, network infrastructure, and any security measures in place when selecting the appropriate Nmap scan type.
TCP Syn Scan "Stealth Scan" (-sS): The most widely used scanning technique for identifying open ports is undoubtedly the TCP SYN scan. This approach offers the benefit of speed, as it quickly scans the most popular protocol (TCP) ports. Moreover, compared to the connect scan, TCP SYN scan is less detectable and can be used against any operational TCP stack. This makes it an attractive option for both attackers and defenders alike, as it allows for efficient and effective scanning of network assets while minimizing the risk of detection. In a SYN scan, the scanner sends a SYN packet to the target port and waits for a response. If the target system responds with a SYN-ACK packet, it means that the port is open and accepting connections. However, the scanner does not complete the connection by sending an ACK packet, so the connection is not established. This is why SYN scans are also referred to as "half-open" scans.
SYN scans can be useful for identifying open ports on a target system, as they can be completed quickly and with minimal network traffic. Additionally, SYN scans are less likely to be detected by intrusion detection systems or firewalls than full Connect scans, as they involve only sending a SYN packet to the target system rather than establishing a full connection.
TCP Connect Scan (-sT) The Connect scan technique employs the "connect" system call to scan network hosts, rather than relying on raw packets like other scanning methods. This approach is commonly used by unprivileged users, as it provides a simple and efficient way to identify open ports. The scanner sends a SYN packet to the target port and waits for a response. If the port is open and accepting connections, the target system will respond with a SYN-ACK packet, indicating that it is ready to establish a connection. The scanner then sends an ACK packet to complete the connection process, and the connection is immediately closed. Connect scan is often used against IPv6 targets where the SYN scan technique may not be effective. Despite its benefits, Connect scan can be easily detected by intrusion detection systems, making it a less stealthy option compared to other scanning techniques. Additionally, Connect scans may be easily detected by intrusion detection systems or firewalls, as they involve attempting to establish a full connection with the target system. Therefore, it's important to use this technique judiciously and in conjunction with other scanning methods to ensure comprehensive results.
UDP Scan (-sU) Unlike TCP, UDP is a connectionless protocol, which means that it does not involve establishing a full connection between the scanner and the target system. In a UDP scan, the scanner sends a UDP packet to the target port and waits for a response. If the target system responds with an ICMP packet the scanner can assume that the port is closed. However, if the target system does not respond then the port may be open. Additional testing will be required to determine whether the port is truly open. UDP scans can be useful for identifying open UDP ports on a target system, which are often used for services like DNS, DHCP, and other network protocols. However, UDP scans can be less reliable than TCP scans, as the lack of a connection-oriented protocol means that responses may not always be consistent or predictable. Additionally, UDP scans may be more easily detected by intrusion detection systems or firewalls, as they involve sending packets to the target system without establishing a full connection. Therefore, it's important to use this technique judiciously and in conjunction with other scanning methods to ensure comprehensive results.
TCP FIN Scan (-sF) It's a specialized scanning technique that can be useful for identifying open ports while avoiding detection by firewalls. However, this technique relies on target behavior that may not be exhibited by all systems, particularly some Windows variants. As a result, its effectiveness can be limited in certain environments. In a FIN scan, the scanner sends a TCP FIN packet to the target port and waits for a response. If the target system responds with an RST packet, it means that the port is closed and no service is running on that port. However, if the target system does not respond at all, it means that the port is open or filtered by a firewall. FIN scans are not always reliable, as some systems may respond with an RST packet regardless of whether the port is open or closed.
TCP XMAS Scan (-sX) It's a port scanning technique that involves sending a TCP packet with the URG, PUSH, and FIN flags all set to "on" (or "1"). The resulting packet is sometimes referred to as an "XMAS packet" due to the festive connotation of the name. It can be useful for identifying open ports while attempting to evade detection by firewalls. In a TCP XMAS scan, the scanner sends an XMAS packet to a target port and waits for a response. If the port is open, the target system may respond with a RST packet, indicating that the port is closed. Alternatively, if the port is closed or the firewall is blocking traffic to that port, the target system may not respond at all, which can help the scanner identify potential areas of vulnerability.
TCP Null Scan (-sN) It's a port scanning technique that involves sending a TCP packet with all flags set to "off" (or "0"), including URG, ACK, PSH, RST, SYN, and FIN. This creates a "null" packet, which is sometimes referred to as an "invisible" packet because it contains no flag information that could be used to indicate its purpose. TCP Null scans can be useful for identifying open ports while attempting to evade detection by firewalls or intrusion detection systems. In a TCP Null scan, the scanner sends a null packet to a target port and waits for a response. If the port is open, the target system may not respond at all, which can indicate a potential area of vulnerability. Alternatively, if the port is closed or the firewall is blocking traffic to that port, the target system may respond with a RST packet, indicating that the port is closed. It's also worth noting that some network security systems may be configured to block null packets, which could limit the effectiveness of this technique.
TCP ACK Scan (-sA) It's a commonly used port scanning technique that can be useful for mapping out firewall rulesets. This technique involves sending an ACK packet to a target port and observing the response. In particular, it can help identify whether firewall rules are stateful or not, which can be useful for understanding network security configurations. However, it's important to note that the ACK scan cannot distinguish between open and closed ports. This is because an ACK packet is typically used to acknowledge the receipt of data, rather than to initiate a connection. Therefore, while the ACK scan can be useful for gathering information about firewall configurations, it may not be the best option for identifying open ports or potential vulnerabilities. It's important to use this technique in conjunction with other scanning methods to ensure comprehensive results.
TCP Window scan (-sW) It's a port scanning technique that is similar to the ACK scan, with one key difference: it is able to detect open versus closed ports against certain machines. This technique involves sending a TCP packet with the ACK flag set to "on" (or "1") and the window size set to zero. In a Window scan, the scanner sends the modified TCP packet to a target port and observes the response. If the port is open, the target system may respond with a TCP packet that has the ACK and Window flags both set to "on," indicating that the port is open and ready to receive data. Alternatively, if the port is closed or the firewall is blocking traffic to that port, the target system may respond with a RST packet, indicating that the port is closed.
Idle Scan (-sI) It's a stealthy scanning technique that involves using a so-called "zombie host" as a proxy to send packets to the target system. This type of scan is considered one of the most stealthy scanning methods available, as it leaves behind little to no trace and can often evade detection from firewalls and other network security measures. One of the advantages of the Idle Scan is that it can exploit trusted IP address relationships, making it possible to scan a target system without arousing suspicion or triggering alarms. However, this type of scanning technique can be slow and complex, as it requires the use of a specific type of idle host with a predictable IP ID sequence.
IP Protocol Scan (-sO) It's a unique scanning technique used to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by a target machine. Unlike traditional port scans, which cycle through TCP or UDP port numbers, the Protocol Scan uses IP protocol numbers to identify which protocols are supported by the target. Despite not technically being a port scan, the Protocol Scan still uses the same underlying scan engine and reports its results in the familiar port table format. It also utilizes the "-p" option to select scanned protocol numbers, making it similar enough to a port scan that it is often included in discussions of port scanning methods. One of the advantages of the Protocol Scan is that it can provide valuable insights into the target system's network stack, helping to identify potential vulnerabilities and security risks.
Thank you for reading part three of Nmap: Scan All the Things! I covered the port scanning capabilities of Nmap and I hope you found this beneficial and instructive. Nmap is a very powerful tool and with the right foundational base of knowledge will assist you immensely. The final post in my Nmap series is in the works and will hopefully be published in a few weeks. I will cover version detection, OS detection, Nmap Scriptin Engine, Firewall/IDS evasion, and Nmap output functions. I may also record a demonstration of Nmap.
If you are interested in cybersecurity and cybersecurity news and trends, be sure to visit Cyb3r-S3c frequently and check out my YouTube channel, Cyb3r-0verwatch. All of the information presented in my post is based on my own research and my 22 years of IT/Cybersecurity experience, so please use it in a way that is most helpful to you. If you have any questions, please feel free to reach out to me using the Cyb3r-S3c Contact Form. Thank you again for visiting Cyb3r-S3c, keep learning - the only way to improve is to keep acquiring knowledge!
/Signing Off
Pragmat1c_0n3
