Nmap Kungfu Part 1 - Basic Scanning
Nmap is by far the most popular port scanner available. You can download it from http://www.insecure.org/, and it compiles and installs with little effort on most Windows and Unix operating systems, including Mac OS X (via configure, make, make install). Windows binaries (along with the required WinPcap) are also available from http://www.insecure.org/.
One reason nmap is so useful is that it offers many different scanning techniques from which you can choose. You can scan for hosts that are up, for TCP ports, for UDP ports, and even for other IP protocols.
Before we get deep into nmap itself, let's take a look at the basics of scanning: how a scan is actually performed.
When a TCP connection is made to a port, the client sends a TCP
packet with the SYN flag set to initiate the connection. If a server is
listening on that port, it sends a packet with both the SYN and ACK flags set,
acknowledging the client’s request to connect while asking to make a return
connection. The client will then send a packet with the ACK flag set to
acknowledge the server’s SYN. This is referred to as the TCP
three-way handshake. When one side is done talking to the other, it will
send a FIN packet. The other side will acknowledge that FIN and send a FIN of
its own, waiting for the other side to acknowledge before the connection is
truly closed. A RST packet can be sent by either side at any time to abort the
connection. A sample TCP conversation between a client and server is shown
here:
Three-way handshake process
- Client sends SYN to Server: “I want to connect.”
- Server sends SYN/ACK to Client: “Okay; I need to connect to you.”
- Client sends ACK to Server: “Okay.”
- Client and Server send information back and forth, acknowledging each other’s transmissions with ACKs. If either side sends a RST, the connection aborts immediately.
Formal shutdown process
- Client has finished the conversation; Client sends FIN to Server: “Goodbye.”
- Server sends ACK to Client (acknowledging Client’s FIN). Server then sends a separate FIN to Client: “Okay. Goodbye.”
- Client sends ACK to Server (acknowledging Server’s FIN): “Okay.”
Keep this information in mind while reading through the next few
sections. It will help you to get a better grasp on how nmap and other port
scanners get their information.
Scanning for Hosts
If you care only about determining which hosts on a network
are up, you can use the Ping scanning method (-sP). It
works similarly to fping in that it sends Internet Control Message
Protocol (ICMP) echo requests to the specified range of IP addresses and awaits
a response. However, many hosts these days block ICMP requests. In this case,
nmap will attempt to make a TCP connection to port 80 (by default) on the host.
If it receives anything (either a SYN/ACK or a RST), the host is up. If it
receives nothing at all, the host is assumed to be down or not currently on the
network. If you want only a list of hostnames for the IP range you’ve specified,
try a list scan (-sL).
Flag | Description
---|---
SYN | Used to indicate the beginning of a TCP connection
ACK | Used to acknowledge receipt of a previous packet or transmission
FIN | Used to close a TCP connection
RST | Used to abort a TCP connection abruptly
The basic method of TCP port scanning is to do a TCP connect() (-sT) to a port to see whether anything responds. This is the same thing any TCP client would do to make a connection (complete the three-way handshake), except that nmap disconnects by sending a RST packet as soon as the handshake is complete. If you want to, you can use a version scan (-sV) to grab the banner of every open port. You can also use -O for operating system detection. Following are some examples of these types of scans:
Default scan [-sT]
Version detection [banner grabbing] using -sV
Operating system detection [using -O]
In case you forget all these switches, don't panic. Just running "nmap" without any switch prints the complete list of switches to your screen.
The following table indicates how the -sT, -sV, and -O scans operate:
Nmap Sends to Host Port | Nmap Receives from Host Port | Nmap Responds | Nmap Assumes
---|---|---|---
SYN | SYN/ACK | ACK followed by RST | Port is open; host is up.
SYN | RST | – | Port is closed; host is up.
SYN | – | – | Port is blocked by firewall or host is down.
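The table above and the host-discovery section before it can both be reproduced with ordinary sockets. The following is an added example, not code from the original article or from the Nmap project: a small connect()-style classifier that maps the three handshake outcomes to "open", "closed" and "filtered", reads the first bytes a service sends (the starting point of a version scan), and applies the TCP fallback of the ping scan (any answer, SYN/ACK or RST, means the host is up). The function names, the local banner service and its banner string are all constructed for this example; the service listens only on 127.0.0.1 so the block runs offline against itself.

```python
import socket
import struct
import threading

# Constructed banner for the throwaway local service used below (not a real server).
BANNER = b"220 example-ftp ready\r\n"


def classify_port(host, port, timeout=1.0):
    """Classify a TCP port the way a connect() scan (nmap -sT) reads the handshake:
    handshake completes (SYN -> SYN/ACK -> ACK)            -> "open"
    SYN answered with RST (connect() fails ECONNREFUSED)    -> "closed"
    no answer within the timeout, or route/host unreachable -> "filtered"
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        # SO_LINGER with l_onoff=1, l_linger=0 makes close() send RST instead
        # of FIN, which is the abrupt teardown the article describes for -sT.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout, ENETUNREACH, EHOSTUNREACH, ...
        return "filtered"
    finally:
        s.close()


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Return whatever the service volunteers first (what -sV starts from)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""  # silent service: a version scan would have to send probes


def host_is_up(host, probe_port=80, timeout=1.0):
    """TCP fallback of the ping scan: SYN/ACK or RST both prove the host is up."""
    return classify_port(host, probe_port, timeout) != "filtered"


def start_banner_service(banner=BANNER):
    """Start a local listener that sends `banner` to every client.
    Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            try:
                conn.sendall(banner)
            except OSError:
                pass  # client already sent RST; that is what a -sT probe does
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def pick_closed_port():
    """Bind an ephemeral port and release it: nothing listens there, so a
    connect() is answered with RST and classify_port() reports "closed"."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_port, stop = start_banner_service()
    closed_port = pick_closed_port()
    print("open   ->", classify_port("127.0.0.1", open_port), grab_banner("127.0.0.1", open_port))
    print("closed ->", classify_port("127.0.0.1", closed_port))
    print("host up?", host_is_up("127.0.0.1", closed_port))
    stop()
```

Note the difference between the two non-open results: a closed port still answers, so the host-discovery logic counts it as up, whereas a filtered port gives nothing back and is indistinguishable from a host that is down. This is also why, on a service like the banner one above, even this bare connect() leaves an accepted connection in the server's log.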
This is great, but since you’re just making basic TCP connections,
your connection most likely gets logged by the service that answers. Sometimes
you want to be a bit quieter.
To go deeper into quieter scans, wait for Nmap Kung Fu - Part 2.
Enjoy Hacking, Enjoy Hackplanet.
Video for this part is available at : http://videos.hackplanet.in/2011/11/nmap-kungfu-part-1-basic-scanning.html
1 Responses to “Nmap Kungfu Part 1 - Basic Scanning”
January 15, 2012 at 2:10 AM
Hello sir, I have to check the accurate full version of FTP of any site or IP, so how do I do this for finding out the FTP version of any site or IP in BackTrack 5?
Please reply to me at kulashri.amit@gmail.com.
Thanks in advance.