“Every expert was once a beginner”
Nmap is undoubtedly the best scanning tool there is, but only if you know how to use it. I have already shown how to run a simple nmap scan against a device. Here I am going to cover the scans a beginner should learn first, the ones a pen-tester runs first when looking at a new network. In this article I will explain how each of these nmap scans behaves when it probes an open port, a closed port and a filtered port.
List of scans
- TCP SYN Scan(-sS)
- TCP Connect Scan(-sT)
- Ping Scan(-sP, called -sn in current nmap versions)
- UDP Scan(-sU)
These four types of scans will tell you a great deal about a target. Once you know them you will never again run nmap with just its default options.
TCP SYN Scan(-sS):
The syntax for a TCP SYN scan is
nmap -sS [target]
Example: nmap -sS 192.168.1.1
How does this work?
Open port: Suppose the SYN scan probes an open port, say port 80, which is open on most web servers. Nmap sends a SYN to the target. Because the port is open, the target answers with SYN/ACK. The scanning host then sends a RST to abort the handshake instead of completing it (the RST actually comes from the scanner's kernel, which never asked for this connection). This is repeated for every port in the scan list, by default the 1000 most common TCP ports. Because the handshake is never completed, no connection is ever handed to the application on the server, so the probe costs the server almost nothing.
Closed port: When nmap probes a closed port the exchange is shorter. Nmap sends the SYN and the target answers with a RST. That RST is the evidence: the host is reachable and nothing is listening on that port, so nmap reports it as closed.
Filtered port: When nmap probes a port that is blocked by a firewall or packet filter the exchange is the shortest of all. Nmap sends the SYN and gets nothing back. Nmap retransmits the probe a few times (the cap is --max-retries) and only then marks the port as filtered. There is a catch: a port that never answers looks exactly like a port whose replies were lost, so nmap cannot tell filtering from packet loss. In most situations packet loss is not the cause. Some filters do answer, with an ICMP destination-unreachable error (type 3, code 0, 1, 2, 3, 9, 10 or 13); nmap reports those ports as filtered too.
- Never completes a TCP session
- Does not show up in the application's logs, because no connection is ever handed to the service (a firewall or IDS watching the wire will still see the SYNs)
- Requires root or Administrator privileges, because nmap has to craft raw packets
- Generates a large number of RST frames
- A sudden burst of SYN and RST traffic from one address is easy to spot, so anyone monitoring the target network may notice and block your IP
A SYN scan only reports port state. If you also want the service version or the operating system of the target you need to add version detection (-sV) or OS detection (-O) to the scan.
TCP Connect Scan(-sT):
The TCP connect scan is the best alternative to a SYN scan because it needs no privileged access at all.
The syntax for a TCP connect scan is
nmap -sT [IP address]
Example: nmap -sT 192.168.1.1
Open port: When nmap probes an open port with a connect scan it opens a full connection, the complete TCP 3-way handshake, using the operating system's connect() call. If you do not know what the TCP 3-way handshake is you can read about it here.
Must Read: What is TCP 3 Way Handshake
Once the connection is established nmap immediately tears it down again with a RST (Reset), and this is repeated for every open port.
Closed port: If nmap tries to open a connection to a closed port it gets a RST in reply, because nothing is listening there; the connect() call fails with "connection refused" and nmap reports the port as closed.
Filtered port: Here the exchange is again a single frame. The SYN sent by the operating system gets no answer, connect() eventually times out, and nmap reports the port as filtered by a firewall or some other packet filter. The same caveat as for the SYN scan applies: silence can also mean packet loss.
- Needs no privileges, you can run it from any user account
- Very noisy. Because it completes the TCP session, the connection is handed to the listening service, which will usually log it together with your IP address.
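To make the difference between the two scans concrete, here is an added example (not code from the original article or from the Nmap project): a minimal connect-style scan in Python run against 127.0.0.1, plus the decision table a SYN scan applies to whatever comes back for a probe. The helper names, the constructed probe replies used as sample input, and the throwaway localhost listener are all assumptions made for the example; the ICMP codes are the ones the nmap man page lists for -sS.

```python
"""Added example: a connect-style scan against localhost and the SYN-scan
decision table. Not part of the original article or of Nmap itself."""
import socket

# ICMP type 3 codes that make Nmap report a SYN-scanned port as filtered
# (from the nmap man page for -sS): net/host/proto/port unreachable and the
# three "administratively prohibited" codes.
ICMP_UNREACH_FILTERED = {0, 1, 2, 3, 9, 10, 13}


def classify_syn_probe(replies, max_retries=10):
    """Decide a port's state from what each SYN probe got back.

    replies is the list of answers seen for one port, in order; each entry is
    "SYN/ACK", "RST", ("ICMP", code) or None (nothing came back).
    max_retries mirrors Nmap's --max-retries cap on retransmissions.
    """
    for reply in replies:
        if reply == "SYN/ACK":
            return "open"          # something is listening; scanner answers RST
        if reply == "RST":
            return "closed"        # host reachable, nothing listening
        if isinstance(reply, tuple) and reply[0] == "ICMP":
            if reply[1] in ICMP_UNREACH_FILTERED:
                return "filtered"  # a filter answered on the host's behalf
            return "unknown-icmp"
    # Silence: a filter dropped the probe, or the packets were lost.
    # Nmap cannot tell these apart, so it retransmits before giving up.
    if len(replies) >= 1 + max_retries:
        return "filtered"
    return "pending"               # would retransmit the probe


def connect_scan(host, port, timeout=1.0):
    """Classify one port the way -sT does: a full connect() handshake."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))    # the kernel does SYN, SYN/ACK, ACK for us
        return "open"
    except ConnectionRefusedError:
        return "closed"            # a RST came back
    except socket.timeout:
        return "filtered"          # nothing answered within the timeout
    finally:
        s.close()                  # tear the session down right away


def demo_localhost_scan():
    """Constructed demo: scan an open and a closed port on 127.0.0.1 and show
    that the listening service saw the connect-scan probe."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # port 0: the kernel picks a free one
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Pick a port that is currently closed: bind, note the number, release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        result = {
            "open_port": connect_scan("127.0.0.1", open_port),
            "closed_port": connect_scan("127.0.0.1", closed_port),
        }
        # The completed handshake is queued for accept() even though the
        # scanner already hung up: this is what ends up in a service's log.
        listener.settimeout(1.0)
        try:
            conn, peer = listener.accept()
            conn.close()
            result["service_saw_scanner"] = True
        except socket.timeout:
            result["service_saw_scanner"] = False
    finally:
        listener.close()
    return result


if __name__ == "__main__":
    print(classify_syn_probe(["SYN/ACK"]))      # open
    print(classify_syn_probe([None] * 11))      # filtered (or packet loss)
    print(demo_localhost_scan())
```

Run it as an ordinary user: the connect scan needs no privileges, which is exactly the point of -sT, and the accept() at the end shows why the service on the other side gets to log the scanner's address. The SYN-scan classifier is pure logic, because sending raw SYNs would need root; it is there to show how "no reply" only becomes "filtered" after the retransmission budget is spent.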
Read the second part here