Penetration Testing — Scanning with Nmap

Can Özkan
6 min read, Feb 10, 2024


Scanning is a foundational step in assessing the security posture of a system, network, or application: it reveals the live hosts, open ports, running services, and the entry points an attacker would probe first, and it is equally important to the defender who wants to know what their own network exposes. Among the well-developed and maintained tools available, Nmap (Network Mapper) is the standard utility for mapping a network's hosts, services, and potential weak spots. In this blog post, we delve into network scanning with Nmap, exploring its main scan types, what each one actually puts on the wire, how to read the results, and where each technique falls short.

Objectives of Scanning Phase

The scanning phase in penetration testing serves several crucial objectives, each contributing to the overall assessment of an organization’s security posture. Here are the key objectives of the scanning phase in the penetration testing methodology:

  1. Determining whether a system is alive, i.e., discovering live hosts.
  2. Port scanning the live hosts with Nmap to identify open ports and the services behind them.
  3. Using the Nmap Scripting Engine (NSE) to investigate the target further.
  4. Scanning the system for vulnerabilities with Nessus. This deserves its own blog post and is out of scope here, as the purpose of this post is to explore Nmap.

Lab Topology

For the sake of this blog post, I utilized two machines, one of which acts as an attacker while the other is the victim. Kali Linux is the attacker machine, whereas Metasploitable 2 is the victim machine.

IP addresses can be seen above.

Ping Sweep

A ping sweep is a network scanning technique used to discover live hosts within a specified range of IP addresses. The term “ping” refers to the Internet Control Message Protocol (ICMP) echo request and echo reply messages, commonly used to check the reachability of a host on an Internet Protocol (IP) network. A ping sweep involves sending a series of ICMP echo requests to various IP addresses to determine which hosts are online and responsive.

The primary goal of a ping sweep is to identify active hosts within a given network or IP address range. This information is crucial for network administrators, security professionals, and penetration testers to understand the scope of a network and identify potential targets for further assessment.

In a typical ping operation, a device sends an ICMP echo request to another device, and if the target device is online and reachable, it responds with an ICMP echo reply. This exchange helps determine the availability of hosts on the network.

While ping sweeps are a straightforward and commonly used method for network discovery, many hosts and firewalls are configured to drop ICMP echo requests. Nmap's default host discovery therefore does not rely on ICMP echo alone: when run as root it also sends a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request, and you can add probes aimed at ports the target is likely to answer with -PS<ports> (TCP SYN), -PA<ports> (TCP ACK), or -PU<ports> (UDP). If a target is known to be up but answers none of these, -Pn skips host discovery and scans it anyway.

Command: nmap -sn <ip_range/subnet_range>

Below are figures showing how Nmap identifies live hosts in the lab network, together with the corresponding Wireshark live capture. The capture shows Nmap using ARP (Address Resolution Protocol) rather than ICMP: when the targets are on the same Ethernet segment as the scanner, Nmap sends an ARP request for each address, because any host with an IP stack must answer ARP even if it is configured to ignore pings, and an ARP reply arrives far faster than an ICMP timeout. ARP does not cross routers, so for targets on other subnets Nmap falls back to the ICMP and TCP probes described above.
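The live-host list from the sweep is the input to the port-scanning phase, so it is worth extracting it programmatically rather than reading it off the screen. The Python below is an added example, not code from the original post or from the Nmap project: it parses the grepable output that nmap -sn -oG - <range> prints, keeps only hosts reported Up, and cross-checks the count against the "(N hosts up)" figure in Nmap's own summary line. SAMPLE_GREPABLE is a constructed sample in the real grepable format; its addresses and hostnames are made up and are not the author's lab addresses.

```python
import re

# Constructed sample of `nmap -sn -oG - 192.168.1.0/24` output (grepable format).
# Addresses and hostnames are made up for this example, not taken from the
# author's lab capture.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Sat Feb 10 12:00:00 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.10 (kali)\tStatus: Up
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.99 ()\tStatus: Down
# Nmap done at Sat Feb 10 12:00:03 2024 -- 256 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

# "Host: <ip> (<hostname>)<tab>Status: <Up|Down>"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")
# "(N hosts up)" in the closing "# Nmap done" summary line
SUMMARY_LINE = re.compile(r"\((\d+) hosts? up\)")


def live_hosts(grepable):
    """Return [(ip, hostname), ...] for every host line whose Status is Up."""
    found = []
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            found.append((m.group(1), m.group(2)))
    return found


def reported_up_count(grepable):
    """Pull the '(N hosts up)' figure from Nmap's summary line, or None if absent."""
    m = SUMMARY_LINE.search(grepable)
    return int(m.group(1)) if m else None


def sweep_targets(grepable):
    """Live IPs as the target list for the port-scan phase. Refuses to return a
    list that disagrees with Nmap's own count, which usually means the output
    was truncated or the format changed."""
    hosts = live_hosts(grepable)
    expected = reported_up_count(grepable)
    if expected is not None and expected != len(hosts):
        raise ValueError(f"parsed {len(hosts)} live hosts, Nmap reported {expected}")
    return [ip for ip, _ in hosts]


if __name__ == "__main__":
    # In the lab this input would come from:
    #   nmap -sn -oG - 192.168.1.0/24 > sweep.gnmap
    targets = sweep_targets(SAMPLE_GREPABLE)
    print("next phase:", "nmap -sS -Pn " + " ".join(targets))
```

Feeding the resulting list to the port scan with -Pn is deliberate: host discovery has already been done once, so repeating it per target only costs time and adds noise on the wire.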

Port Scanning

Port scanning is a technique to discover open ports and services on a target system or network. It is a crucial phase, providing valuable information about the available services, potential vulnerabilities, and the overall attack surface of a system.

Port scanning primarily aims to identify the open ports on a target system. Ports are communication endpoints that applications use to send and receive data. Understanding which ports are open helps assess the services running on a system and potentially uncover vulnerabilities.

Types of Ports

Ports are categorized into three main ranges:

  1. Well-known ports (0–1023): reserved for standard services (e.g., HTTP on port 80, HTTPS on port 443).
  2. Registered ports (1024–49151): assigned to specific applications or services.
  3. Dynamic or private ports (49152–65535): used for ephemeral connections.

TCP Connect Scan

In a TCP Connect scan, Nmap asks the operating system to open a normal connection to each target port through the connect() system call, completing the full three-way handshake (SYN, SYN-ACK, ACK) with every open port and then closing it. Because it uses ordinary sockets it needs no special privileges, which is why it is the default scan type for unprivileged users; the downside is that every open port sees a completed connection, which the service behind it can log. In the command below, -p- scans all 65,535 TCP ports instead of Nmap's default top 1,000, and -Pn skips host discovery and treats the target as up.

Command: nmap -sT -p- -Pn <ip_range/subnet_range>

SYN Scan

SYN scanning, also called stealth or half-open scanning, is Nmap's default scan when it runs with raw-packet privileges (root). Nmap crafts the SYN itself and reads the reply: a SYN-ACK means the port is open, a RST means it is closed, and no answer after retries (or an ICMP unreachable error) means it is filtered. When a SYN-ACK arrives, a RST is sent back instead of the final ACK, so the handshake is never completed. The "stealth" label refers only to the fact that the application never receives a connection and so typically logs nothing; the half-open SYN traffic is still plainly visible to a firewall, an IDS, or anyone watching the wire. It is also faster than a connect scan, since no connection has to be set up and torn down per port.

Command: nmap -sS -Pn <ip_range/subnet_range>

UDP Scan

UDP scanning identifies open User Datagram Protocol (UDP) ports on a target system. Unlike TCP, UDP has no handshake, so there is no SYN-ACK to confirm that a port is open: Nmap sends a datagram (empty for most ports, a protocol-specific payload for common services such as DNS, SNMP, and NTP) and interprets what comes back. A UDP reply means open; an ICMP port-unreachable error (type 3, code 3) means closed; other ICMP unreachable errors mean filtered; and no reply at all is reported as open|filtered, because an open service that ignores the probe looks exactly like a firewall dropping it.

Two things make UDP scans slow and imprecise. Most open UDP services stay silent when sent unexpected input, and Linux rate-limits ICMP port-unreachable messages to roughly one per second, so scanning all ports on a single host can take hours. Practical mitigations are to limit the port list (for example --top-ports 100), to add version detection with -sV, which sends real protocol requests to open|filtered ports and can often turn them into a definite open, and to tune timing with -T4 or --max-retries once you know the network tolerates it.

Command: nmap -sU <ip_range/subnet_range>

XMAS Scan

The name comes from the flag bits: the FIN, PSH, and URG flags are all set at once, so the TCP header is "lit up like a Christmas tree". This combination never occurs in a legitimate connection, and the scan exploits how RFC 793 says a host must treat such a segment: a closed port answers with a RST, while an open port silently discards it. Nmap therefore reports a RST as closed and silence as open|filtered (it cannot tell an open port from a firewall dropping the probe); an ICMP unreachable error is reported as filtered.

Two caveats apply. The scan only works against stacks that follow the RFC, which is true of most Unix-like systems; Windows, Cisco devices, and a number of other platforms answer RST to every such probe regardless of port state, so all ports appear closed. And the "stealth" reputation is largely historical: the packets slip past some old stateless filters that only match SYNs, but any modern stateful firewall or IDS flags them immediately, precisely because they are malformed.

Command: nmap -sX -Pn <ip_range/subnet_range>

NULL Scan

This scanning method is named "NULL" because it sends TCP segments with no flags set at all (flag byte 0x00). It relies on the same RFC 793 behaviour as the Xmas scan: a closed port answers RST, an open port drops the segment without a reply, so Nmap reports closed or open|filtered respectively, and filtered on an ICMP unreachable error. The same caveats apply: non-RFC-compliant stacks such as Windows reply RST to everything, so every port looks closed, and a flagless segment is an obvious anomaly to any IDS.

Command: nmap -sN -Pn <ip_range/subnet_range>

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) lets users write and run scripts that extend Nmap well beyond port scanning: service and version detection, vulnerability checks, brute-force logins, advanced host discovery, and general information gathering. Scripts are written in the Lua programming language and ship with Nmap in its scripts directory. Each script declares the conditions under which it runs (for example, a port rule that matches an open port of a given service) and an action that runs against matching targets; the engine runs them in parallel against every host and port that qualifies.

Scripts are selected with --script, which accepts script names, categories, or a boolean expression over them, such as --script "default and safe" or --script vuln; -sC is shorthand for --script=default. --script-args passes arguments to scripts, and --script-help <name> prints a script's documentation. The currently defined categories are auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. Before running anything from the dos, exploit, intrusive, or brute categories against a target, make sure your rules of engagement allow it: those scripts can crash or lock out services.
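NSE output is easiest to act on when Nmap writes XML (-oX) rather than the human-readable form: every port carries its <script> elements and host-level scripts sit under <hostscript>. The Python below is an added example, not code from the original post or from the Nmap project. It parses the XML that a command such as nmap -sV -sC -oX scan.xml <target> produces and flattens the script findings into one record per script hit, alongside the list of open ports. SAMPLE_XML is a constructed sample trimmed to the elements the parser reads; the host, ports, services, and script output in it are made up, not results from the author's lab.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV --script=default -oX - 192.168.1.20` output,
# trimmed to the elements this example reads. Host, ports, services and script
# output are made up for the example.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV --script=default -oX - 192.168.1.20" version="7.94">
<host>
  <status state="up" reason="arp-response"/>
  <address addr="192.168.1.20" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="21">
      <state state="open" reason="syn-ack"/>
      <service name="ftp" method="probed"/>
      <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
    </port>
    <port protocol="tcp" portid="22">
      <state state="open" reason="syn-ack"/>
      <service name="ssh" method="probed"/>
      <script id="ssh-hostkey" output="2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)"/>
    </port>
    <port protocol="tcp" portid="23">
      <state state="closed" reason="reset"/>
    </port>
    <port protocol="tcp" portid="445">
      <state state="open" reason="syn-ack"/>
      <service name="microsoft-ds" method="probed"/>
    </port>
  </ports>
  <hostscript>
    <script id="smb-os-discovery" output="OS: Unix (Samba 3.x)"/>
  </hostscript>
</host>
</nmaprun>
"""


def _host_ip(host):
    addr = host.find("address[@addrtype='ipv4']")
    return addr.get("addr") if addr is not None else None


def open_ports(xml_text):
    """(ip, proto, port, service) for every port whose state is open."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = _host_ip(host)
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            rows.append((ip, port.get("protocol"), int(port.get("portid")),
                         svc.get("name") if svc is not None else None))
    return rows


def script_results(xml_text):
    """Flatten NSE output into dicts with keys host, proto, port, service,
    script, output. Host-level scripts (<hostscript>) carry port=None."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = _host_ip(host)
        for port in host.iter("port"):
            svc = port.find("service")
            for script in port.findall("script"):
                rows.append({"host": ip, "proto": port.get("protocol"),
                             "port": int(port.get("portid")),
                             "service": svc.get("name") if svc is not None else None,
                             "script": script.get("id"),
                             "output": script.get("output", "").strip()})
        for script in host.findall("hostscript/script"):
            rows.append({"host": ip, "proto": None, "port": None, "service": None,
                         "script": script.get("id"),
                         "output": script.get("output", "").strip()})
    return rows


def findings_for(xml_text, script_id):
    """Only the hits of one script, e.g. every host/port where ftp-anon fired."""
    return [r for r in script_results(xml_text) if r["script"] == script_id]


if __name__ == "__main__":
    for r in script_results(SAMPLE_XML):
        where = f"{r['host']}:{r['port']}" if r["port"] else r["host"]
        print(f"{where:<22} {r['script']:<18} {r['output']}")
```

Reading the XML rather than scraping the normal output also keeps multi-line script output intact (it is stored in the output attribute) and lets the same parser handle a whole subnet's worth of hosts from one file.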

Thanks for reading.

Can Özkan

Security Researcher, Penetration Tester, and Reverse Engineer