Tuesday, October 1, 2013

Nmap with Flags and the Kind of Responses You Get

Everybody who has ever studied for the CEH (and read other books) will find information about doing stealth scans with certain flags and what kind of response to expect. Let's do some basic analysis with tcpdump. Yes, Wireshark is good, but we need to be familiar with other tools too:

Different scans and their responses:

  1. SYN (half open) - with this we only send a SYN packet to the machine without completing the handshake; it is like we only say "Hi". We expect RST from closed ports and SYN/ACK from open ports, as when we say "Hi" under our breath without looking at the other person, and they can say "Hi" back without looking at us.
  2. TCP Connect - this runs the full TCP handshake; it is like we say "Hi", and the other person answers "Hello" and looks at us. This is more reliable because we get confirmation that the port is open or closed. We expect SYN/ACK (open) and RST/ACK (closed).
  3. FIN - this is the flag that says we want to close the communication, but there was no communication. In that moment the CLOSED port will answer RST ("stop, what are you talking about?") and OPEN ports will ignore you because they KNOW we were not talking.
  4. XMAS - the famous Christmas scan (easy to remember the name). In this scan we send FIN, URG and PSH all at once. We get the same response as with FIN: the CLOSED port will answer RST ("stop, what are you talking about?") and OPEN ports will ignore you because they KNOW we were not talking.
  5. ACK scan - this one uses ICMP too: if the scan sees a Destination Unreachable message, that shows whether the port is open in the firewall. With this scan the open port will tell you "wait a minute" (RST) when we begin to talk. Closed ports will ignore you because they are closed.
  6. NULL scan - like XMAS but with no flags at all, like walking into an office without saying anything. Depending on the OS you will get an answer. Closed ports will reply RST/ACK.
Why use this type of scan?

This type of scan will help us find out if the port is open in the firewall, and it can also help us avoid detection by the IDS/IPS or any other monitoring software.


Now let's see some examples.

SYN Scan

SYN (half open) - with this we only send SYN packets to the machine without completing the handshake; it is like we only say "Hi". We expect SYN/ACK from an open port and RST/ACK from a closed one.

We will scan a device with port 22 open.

root@jojo-pc:~# nmap -sS -p22 192.168.123.1

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 18:37 CDT
Nmap scan report for 192.168.123.1
Host is up (0.0038s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 50:3D:E5:3C:68:03 (Cisco Systems)




Did you notice:

192.168.123.212 to 192.168.123.1 with flag S (SYN)
192.168.123.1 to 192.168.123.212 with flags S (SYN) and ACK -- PORT IS OPEN
192.168.123.212 to 192.168.123.1 with flag F (FIN) - close the connection

This was half open: the IP .1 wanted to do the full handshake, but we just closed the connection with FIN.

We will scan a device with port 25 closed.

root@jojo-pc:~# nmap -sS -p25 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:11 CDT
Nmap scan report for router.Belkin (192.168.1.1)
Host is up (0.0018s latency).
PORT   STATE  SERVICE
25/tcp closed smtp
MAC Address: 08:86:3B:D2:F9:00 (Belkin International)




Did you notice that I got the flag R (reset) from the router? Why? Because the port is closed in that firewall and there was no communication; it is like the router tells us: "Forget it, I am ignoring you."

TCP Connect

TCP Connect - this runs the full TCP handshake; it is like we say "Hi", and the other person answers "Hello" and looks at us. This is more reliable because we get confirmation that the port is open or closed. We expect SYN/ACK and RST/ACK; in other words, the full handshake.

Scan of port 3389, which is open

root@jojo-pc:~# nmap -sT -p3389 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:18 CDT
Nmap scan report for 192.168.1.100
Host is up (0.0026s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
MAC Address: 00:15:17:13:2B:4C (Intel Corporate)



The full TCP handshake

Now a closed port; in this case we use port 3390. I expect RST, since the port is closed.

root@jojo-pc:~# nmap -sT -p3390 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:21 CDT
Nmap scan report for 192.168.1.100
Host is up (0.0099s latency).
PORT     STATE  SERVICE
3390/tcp closed dsc
MAC Address: 00:15:17:13:2B:4C (Intel Corporate)


FIN scan

FIN - this is the flag that says we want to close the communication, but there was no communication. In that moment the CLOSED port will answer RST ("stop, what are you talking about?") and OPEN ports will ignore you because they KNOW we were not talking. THIS ONLY WORKS AGAINST LINUX.

I am scanning port 5800 (VNC). It is open, but since I am sending the FIN flag, I get nothing back.

root@jojo-pc:~# nmap -sF -p5800 192.168.1.24

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:27 CDT
Nmap scan report for 192.168.1.24
Host is up (0.0026s latency).
PORT     STATE         SERVICE
5800/tcp open|filtered vnc-http




If I send it to a closed port I get a RESET, meaning it is closed.

root@jojo-pc:~# nmap -sF -p5820 192.168.1.24

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:30 CDT
Nmap scan report for 192.168.1.24
Host is up (0.0033s latency).
PORT     STATE  SERVICE
5820/tcp closed unknown
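To tie the scan table at the top of the post to the tcpdump exchanges walked through above, here is an added example (my code, not from the original post) that reads tcpdump -n summary lines, pairs each probe with the first reply on the reversed 4-tuple, and infers the port state the way the post describes. It assumes tcpdump's default flag letters (F, S, R, P, ".", U; "none" for no flags) and uses constructed packet lines modelled on the post's own scans; the ACK row follows Nmap's documented semantics rather than the post's wording.

```python
import re

# Matches the per-packet summary that tcpdump -n prints: "IP src.port > dst.port: Flags [x]".
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Probe flags -> (scan name, state if the target answers RST, state if it stays silent). The first
# four rows follow the post's table; the ACK row follows Nmap's documented semantics (any unfiltered port answers ACK with RST).
SCAN_RULES = {
    "S":    ("SYN scan",  "closed",     "filtered"),
    "F":    ("FIN scan",  "closed",     "open|filtered"),
    "FPU":  ("XMAS scan", "closed",     "open|filtered"),
    "none": ("NULL scan", "closed",     "open|filtered"),
    ".":    ("ACK scan",  "unfiltered", "filtered"),
}

def classify(lines):
    """Pair each probe with the first reply on the reversed 4-tuple and infer the port state.
    Returns {(scanner, target, port): (scan name, state)}."""
    probes, replies = {}, {}
    for m in filter(None, map(LINE_RE.search, lines)):
        src, sport, dst, dport, flags = m.groups()
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags in SCAN_RULES and fwd not in probes and rev not in probes:
            probes[fwd] = flags                 # first packet on a new 4-tuple is the probe
        elif rev in probes:
            replies.setdefault(rev, flags)      # first reply counts; later teardown is ignored
    results = {}
    for (src, sport, dst, dport), flags in probes.items():
        name, on_rst, on_silence = SCAN_RULES[flags]
        reply = replies.get((src, sport, dst, dport))
        if reply is None:
            state = on_silence                  # silence: the port "ignored" the probe
        elif reply == "S.":
            state = "open"                      # SYN/ACK: the target wanted the full handshake
        else:
            state = on_rst if reply.startswith("R") else "unknown"   # RST: "forget it"
        results[(src, dst, int(dport))] = (name, state)
    return results

# Constructed tcpdump -n lines modelled on the exchanges the post walks through (not a real capture).
SAMPLE = """\
IP 192.168.123.212.40001 > 192.168.123.1.22: Flags [S], seq 1, win 1024, length 0
IP 192.168.123.1.22 > 192.168.123.212.40001: Flags [S.], seq 7, ack 2, win 29200, length 0
IP 192.168.123.212.40001 > 192.168.123.1.22: Flags [R], seq 2, win 0, length 0
IP 192.168.123.212.40002 > 192.168.1.1.25: Flags [S], seq 1, win 1024, length 0
IP 192.168.1.1.25 > 192.168.123.212.40002: Flags [R.], seq 0, ack 2, win 0, length 0
IP 192.168.123.212.40003 > 192.168.1.24.5800: Flags [F], seq 1, win 1024, length 0
IP 192.168.123.212.40004 > 192.168.1.24.5820: Flags [F], seq 1, win 1024, length 0
IP 192.168.1.24.5820 > 192.168.123.212.40004: Flags [R.], seq 0, ack 2, win 0, length 0
""".splitlines()
```

Running `classify(SAMPLE)` reproduces the four verdicts from the post: 22 open, 25 closed, 5800 open|filtered, 5820 closed. On a real box, feed it `tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-ack) != 0'` output and the same pairing logic flags scan probes on the defender's side.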



This could be a long blog post; just keep testing and testing until you see the flags. It is a good learning process, and you will learn what to expect from each scan.

Remember, if you have deep knowledge of your target you increase your chances of owning the box. Patience is the key.


