Understanding the NMAP methodology — Part 2

Jay Vadhaiya
Published in InfoSec Write-ups
4 min read, Sep 24, 2022

Understanding the NMAP methodology from beginner to advance

Description:

In today's article we are going to look at some more advanced network mapping techniques with Nmap. If you haven't read Part 1, I suggest you go through it before reading this one.

Before you start, you can join our Discord server to engage with like-minded people, share what you know to help others, and get your questions answered.

We have already covered the basics of network mapping in Part 1, so now it is worth knowing some more advanced and essential techniques for scanning and mapping a network. Note that every scan below crafts raw TCP segments, so Nmap needs root (or equivalent raw-socket) privileges to run them.

1. TCP Null Scan

As the name suggests, a TCP Null scan sends a probe with no flags set at all. RFC 793 says that a segment carrying neither SYN, RST nor ACK should be answered with a RST if the port is closed and silently dropped if the port is open. So no reply means the port is either open or filtered (Nmap cannot tell the two apart and reports open|filtered), a RST means the port is closed, and an ICMP unreachable error means a filter is in the way.

nmap -sN <ip>    # -sN: TCP Null scan (no flags set)

1) Null TCP packet -->
   (no response: port is open|filtered)
2) Null TCP packet -->
   RST <--
   (port closed)
3) Null TCP packet -->
   ICMP unreachable <--
   (port filtered)

A RST (the ACK bit is normally set on it as well, which is why a packet capture shows RST/ACK) therefore indicates a closed port, not a filtered one. One caveat: some stacks, notably Windows and many Cisco devices, send a RST to every Null, FIN or XMAS probe regardless of port state, so against them every port looks closed.

2. TCP FIN Scan

A TCP FIN scan is the same kind of scan as the Null scan; the only difference is that the probe carries the FIN (Finish) flag. How does it work?

nmap -sF <ip>    # -sF: TCP FIN scan

If I tell you "I am fine, thank you" and you never asked "How are you?", that is weird. The same thing happens here: FIN signals the end of a conversation, and we never started one. A closed port reacts to the out-of-place FIN with a RST, while an open port simply ignores it, so once again silence means open|filtered and a RST means closed.

3. TCP XMAS Scan

A TCP XMAS scan works the same way as the previous two. Instead of a single flag it sets FIN (Finish), PSH (Push) and URG (Urgent) together, so the packet is "lit up like a Christmas tree". As with the FIN scan, a closed port answers with a RST and an open port stays silent (open|filtered).

nmap -sX <ip>    # -sX: TCP XMAS scan (FIN, PSH and URG set)

All three of these scans are useful when the target sits behind a stateless firewall.

A stateless firewall has no connection table, so it commonly recognises a new connection attempt only by the SYN flag being set (with ACK clear) and drops such packets. A probe whose flag combination does not look like a SYN slips past that rule and reaches the system behind it. The price is the ambiguity described above: the best these scans can say about an open port is open|filtered, so follow them up with a SYN scan (-sS) or version detection once you know which ports answer.
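To make the flag bits concrete, here is an added Python example (mine, not code from the article or from Nmap). It builds the raw 20-byte TCP header that each of the scans above sends, with a correct checksum over the IPv4 pseudo-header, reads the flags back out, and runs the probes past a toy stateless filter that drops only "SYN set, ACK clear", the rule just described. The addresses are documentation addresses, nothing is put on the wire, and the parse_scanflags helper is my own name for a parser of the URG/ACK/PSH/RST/SYN/FIN naming syntax that --scanflags accepts.

```python
import socket
import struct

# TCP flag bits from RFC 793 (the low six bits of header byte 13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations used by the scan types discussed in this article,
# plus a plain SYN probe for contrast.
SCAN_FLAGS = {
    "-sN": 0,                # Null scan: no flags at all
    "-sF": FIN,              # FIN scan
    "-sX": FIN | PSH | URG,  # XMAS scan (0x29)
    "-sA": ACK,              # ACK scan
    "-sS": SYN,              # ordinary SYN scan
}

FLAG_NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH, "ACK": ACK, "URG": URG}


def parse_scanflags(spec: str) -> int:
    """Turn an nmap-style --scanflags word (e.g. 'RSTACK', 'URGACKPSHRSTSYNFIN')
    or a numeric value ('9', '0x29') into a flag bitmask."""
    spec = spec.strip().upper()
    if spec.startswith("0X"):
        return int(spec, 16) & 0x3F
    if spec.isdigit():
        return int(spec) & 0x3F
    flags = 0
    for i in range(0, len(spec), 3):       # flag names are exactly three letters
        name = spec[i:i + 3]
        if name not in FLAG_NAMES:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        flags |= FLAG_NAMES[name]
    return flags


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip: str, dst_ip: str, sport: int, dport: int,
                    flags: int, seq: int = 0, window: int = 1024) -> bytes:
    """Build a 20-byte TCP header (no options, no payload) carrying the given
    flag bits, with the checksum computed the way a kernel or raw-socket
    scanner would. Nothing is sent."""
    data_offset = 5 << 4                    # 5 x 32-bit words, reserved bits zero
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset, flags & 0x3F, window, 0, 0)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_flags(header: bytes) -> int:
    """Read the flag bits back out of a TCP header."""
    return header[13] & 0x3F


def checksum_ok(src_ip: str, dst_ip: str, header: bytes) -> bool:
    """With a correct checksum the ones'-complement sum of pseudo-header plus
    header is all ones, so the folded, complemented result is zero."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


def stateless_filter_passes(header: bytes) -> bool:
    """Toy stateless packet filter: it recognises a new inbound connection
    purely by 'SYN set, ACK clear' and drops it; everything else is let
    through because it has no connection table to check the segment against.
    That is why Null, FIN, XMAS and ACK probes reach the host behind it."""
    flags = tcp_flags(header)
    return not ((flags & SYN) and not (flags & ACK))


if __name__ == "__main__":
    src, dst = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses
    for scan, flags in SCAN_FLAGS.items():
        probe = build_tcp_probe(src, dst, 40000, 80, flags)
        print(f"{scan}: flags=0x{tcp_flags(probe):02x} "
              f"checksum_ok={checksum_ok(src, dst, probe)} "
              f"passes_stateless_filter={stateless_filter_passes(probe)}")
```

Running it shows the SYN probe being the only one the filter drops, which is the whole point of the three stealth scans. It also shows why they are not free: the probes get through, but the host's silence on an open port is indistinguishable from a filter dropping them.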


4. TCP ACK Scan

A TCP ACK scan sets only the ACK flag. A port that receives an unsolicited ACK replies with a RST whether it is open or closed, so this scan cannot tell you which ports are open; what it tells you is which ports a packet can reach at all. Nmap reports a port that answers with a RST as unfiltered and a port that gives no response (or returns an ICMP unreachable error) as filtered. That makes it the right tool for mapping firewall rules: a stateful firewall drops the stray ACK because it belongs to no known connection, while a stateless filter that only matches on SYN lets it through.

nmap -sA <ip>    # -sA: TCP ACK scan

How does it work?
1) ACK packet -->
   RST <--
   (port unfiltered)
2) ACK packet -->
   (no response or ICMP unreachable: port filtered)

5. TCP Window Scan

A TCP Window scan is a variant of the ACK scan: it sends the same ACK probe, but instead of merely noting that a RST came back it examines the TCP window field of that RST. On some systems an open port puts a positive window size in its RST while a closed port sets it to zero, so Nmap can report open or closed where the ACK scan could only say unfiltered. This depends entirely on the implementation; on stacks that do not make the distinction every port comes back with the same verdict, so a result of "all closed" (or, less often, "all open") tells you about the stack, not about the ports.

nmap -sW <ip>    # -sW: TCP Window scan (ACK probe, window field of the RST inspected)

6. TCP Custom Scan

With a custom scan you choose the flag bits yourself, which is very helpful when you want to test how a target or a firewall reacts to combinations none of the built-in scans use. The flags are given as the names URG, ACK, PSH, RST, SYN and FIN joined in any order (for example RSTACK or URGACKPSHRSTSYNFIN), or as a numeric value. Since Nmap has no built-in rule for reading replies to an arbitrary combination, you can add a base scan type (such as -sA or -sF) to tell it how to interpret the responses; without one it falls back to SYN-scan interpretation. So before you set a combination, know how a target is expected to respond to it, or the results will not mean what you think.

nmap --scanflags RSTACK <ip>    # --scanflags: send probes with RST and ACK set
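The rules that turn a reply into a port state differ per scan type, and the same RST means "closed" after a FIN probe but "unfiltered" after an ACK probe. The following added Python example (my own, not the article's or Nmap's code) encodes those rules as the Nmap reference guide documents them for the Null/FIN/XMAS, ACK, Window, SYN and --scanflags (with base type) scans, runs them over constructed sample replies, and flags the all-ports-reset pattern a non-RFC-compliant stack produces. The Response class, the sample data and the helper names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

STEALTH_SCANS = ("-sN", "-sF", "-sX")   # Null, FIN and XMAS share one rule set

# ICMP type 3 (destination unreachable) codes that the Nmap reference guide
# lists as meaning "filtered": 1 host, 2 protocol, 3 port, 9 and 10 network/host
# administratively prohibited, 13 communication administratively prohibited.
FILTERING_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Response:
    """What came back for one probe: a TCP reply (flags and window field),
    an ICMP type-3 error (its code), or nothing at all (the caller passes None)."""
    tcp_flags: Optional[int] = None
    window: int = 0
    icmp_code: Optional[int] = None


def classify(scan: str, resp: Optional[Response], base: str = "-sS") -> str:
    """Return the port state Nmap reports for one probe/response pair.

    scan is -sN/-sF/-sX, -sA, -sW, -sS or "--scanflags"; for --scanflags the
    reply is read with the rules of `base`, defaulting to SYN-scan rules just
    as Nmap does when no base scan type is given."""
    if scan == "--scanflags":
        scan = base
    if resp is None:
        # Silence: the stealth scans cannot tell an open port from a dropped
        # probe; every other type treats it as filtered.
        return "open|filtered" if scan in STEALTH_SCANS else "filtered"
    if resp.icmp_code is not None:
        return "filtered" if resp.icmp_code in FILTERING_ICMP_CODES else "unknown"
    flags = resp.tcp_flags or 0
    if flags & RST:
        if scan in STEALTH_SCANS or scan == "-sS":
            return "closed"
        if scan == "-sA":
            return "unfiltered"        # something answered, open or closed
        if scan == "-sW":
            # Window scan: same ACK probe, but the RST's window field decides.
            return "open" if resp.window > 0 else "closed"
    if scan == "-sS" and (flags & (SYN | ACK)) == (SYN | ACK):
        return "open"
    return "unknown"                   # reply outside the documented rules


def scan_report(scan: str, results: List[Tuple[int, Optional[Response]]],
                base: str = "-sS") -> Dict[int, str]:
    """Classify every (port, response) pair of one scan."""
    return {port: classify(scan, resp, base) for port, resp in results}


def all_ports_reset(scan: str, report: Dict[int, str]) -> bool:
    """Every port 'closed' under a Null/FIN/XMAS scan is the signature of a
    stack (Windows, many Cisco devices) that sends RST to these probes no
    matter the port state; treat such a result as inconclusive, not as
    proof that nothing is listening."""
    return scan in STEALTH_SCANS and bool(report) and \
        all(state == "closed" for state in report.values())


# Constructed replies for a FIN scan of three ports (not a real capture).
SAMPLE_FIN_SCAN: List[Tuple[int, Optional[Response]]] = [
    (22, None),                             # no reply
    (23, Response(tcp_flags=RST | ACK)),    # reset
    (80, Response(icmp_code=13)),           # admin prohibited by a filter
]

# Constructed replies for an ACK scan of the same ports.
SAMPLE_ACK_SCAN: List[Tuple[int, Optional[Response]]] = [
    (22, Response(tcp_flags=RST, window=0)),
    (23, Response(tcp_flags=RST, window=0)),
    (80, None),
]


if __name__ == "__main__":
    print("-sF:", scan_report("-sF", SAMPLE_FIN_SCAN))
    print("-sA:", scan_report("-sA", SAMPLE_ACK_SCAN))
    # Same reply, different verdict depending on which scan sent the probe:
    print("RST after FIN probe:", classify("-sF", Response(tcp_flags=RST)))
    print("RST after ACK probe:", classify("-sA", Response(tcp_flags=RST)))
    print("RST with window after ACK probe (-sW):",
          classify("-sW", Response(tcp_flags=RST, window=8192)))
```

The base parameter is where --scanflags bites: the identical RST/ACK reply is "closed" under the default SYN-scan rules and "unfiltered" when you pass -sA as the base type, so the interpretation you ask Nmap for is part of the experiment, not an afterthought.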

That's it for today's article. If you found it interesting and informative, share it with your friends. Thank you for reading this far, and let me know in the responses which query or topic you would like an article on. One more part on network mapping is still to come; follow me and subscribe to get new articles straight to your email.

Part 3: https://medium.com/@sudo0x18/understanding-the-nmap-methodology-part-3-bb377b7767e0

You can follow on social media here: LinkedIn, Instagram, Twitter

From Infosec Writeups: so much happens in Infosec every day that it's hard to keep up. Join our weekly newsletter to get the latest Infosec trends as 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, and 1 job alert, for free!
