Nmap: Introduction, Nmap switches and TCP Connect Scans.

Introduction

Don't forget to read everything there, and if you have any questions about nmap, please drop them in the comments below, as with any other posts I make. Thank you.

Question 1: What networking constructs are used to direct traffic to the right application on a server?
Answer: Ports

Question 2: How many of these are available on any network-enabled computer?
Answer: 65535 

Question 3: How many of these are considered "well-known"?
Answer: 1024

--------------------------------------------------------------------------------------------------------

Nmap Switches

- Nmap can be accessed by typing nmap into the terminal command line.

- To check the help section:
    1. nmap -h
    2. man nmap

Question: What is the first switch listed in the help menu for a 'Syn Scan'?
Answer: -sS

Question: Which switch would you use for a "UDP scan"?
Answer: -sU

Question: If you wanted to detect which operating system the target is running, which switch would you use?
Answer: -O

Question: Nmap provides a switch to detect the version of the services running on the target. What is this switch?
Answer: -sV

Question: The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
Answer: -v

Question: Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
Answer: -vv 

Question: What switch would you use to save the nmap results in three major formats?
Answer: -oA

Question: What switch would you use to save the nmap results in a "normal" format?
Answer: -oN 

Question: A very useful output format: how would you save results in a "grepable" format?
Answer: -oG

Question: How would you activate "aggressive mode", which includes service detection, operating system detection, a traceroute and common script scanning?
Answer: -A 

Question: How would you set the timing template to level 5?
Answer: -T5

Question: How would you tell nmap to only scan port 80?
Answer: -p 80

Question: How would you tell nmap to scan ports 1000-1500?
Answer: -p 1000-1500

Question: How would you tell nmap to scan all ports?
Answer: -p- 

Question: How would you activate a script from the nmap scripting library?
Answer: --script

Question: How would you activate all of the scripts in the "vuln" category?
Answer: --script=vuln
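As an added example (not part of the original post or of Nmap itself), here is a small Python parser for the grepable -oG format asked about above, run over a constructed sample file; it turns each Host/Ports line into structured records so results can be filtered, for instance to list every host with a given port open.

```python
from typing import Dict, List

# Constructed sample of "nmap -oG" (grepable) output; not a real scan result.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sT -sV -oG scan.gnmap 192.0.2.0/29\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2//, "
    "80/open/tcp//http//nginx 1.24//, 443/filtered/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9//\tIgnored State: closed (999)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned in 5.12 seconds\n"
)


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {host: [{port, state, proto, service, version}, ...]} from grepable output.

    Each port entry has the form port/state/protocol/owner/service/rpcinfo/version/ and
    entries are separated by ", ". Comment lines (#) and Status-only lines are skipped.
    """
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        # Tab-separated "Key: value" fields, e.g. Host, Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        host = fields["Host"].split()[0]
        entries = []
        for item in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = item.split("/", 6)
            entries.append({"port": int(port), "state": state, "proto": proto,
                            "service": service, "version": version.rstrip("/")})
        hosts.setdefault(host, []).extend(entries)
    return hosts


def hosts_with_open(hosts: Dict[str, List[dict]], port: int) -> List[str]:
    """List hosts on which the given port was reported open (filtered/closed excluded)."""
    return sorted(h for h, entries in hosts.items()
                  if any(e["port"] == port and e["state"] == "open" for e in entries))


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host, entries in parsed.items():
        print(host, [(e["port"], e["state"], e["service"], e["version"]) for e in entries])
    print("hosts with 22/tcp open:", hosts_with_open(parsed, 22))
```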

Extras:
When port scanning with Nmap, there are three basic scan types. These are:
    1. TCP Connect Scans (-sT)
    2. SYN "Half-open" Scans (-sS)
    3. UDP Scans (-sU)
Beyond these, there are three less common TCP scan types that rely on unusual flag combinations:
    4. TCP Null Scans (-sN)
    5. TCP FIN Scans (-sF)
    6. TCP Xmas Scans (-sX)
-------------------------------------------------------------------------------------------------------------

TCP Connect Scans

What is a TCP Connect Scan?

A TCP Connect Scan, often referred to as a "Full Open Scan," is one of the simplest and most direct scanning methods employed by Nmap. It involves attempting to establish a full TCP connection to each target port on the specified host. To do this, Nmap sends a TCP SYN packet to the target port and waits for a response. If the port is open and accepting connections, the target responds with a TCP SYN-ACK packet, and Nmap (through the operating system's connect() call) completes the three-way handshake with an ACK, confirming that the connection can be established. Nmap then sends an RST (reset) packet to tear down the connection.

How TCP Connect Scan Works:

1. Nmap selects a range of ports to scan on the target system.

2. For each port in the range, Nmap sends a TCP SYN packet to the target system's IP address and the port number.

3. If the port is open, the target system responds with a TCP SYN-ACK packet.

4. Nmap acknowledges the response with an ACK, completing the three-way handshake, and then sends an RST packet to close the connection.

5. If the port is closed, the target system responds with a TCP RST (reset) packet, indicating that the port is closed.

6. Nmap records the results, indicating whether each scanned port is open, closed, or filtered (unreachable).
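As an added example (not part of the original post or of Nmap's own code), the following Python script performs the connect-scan probe described in the steps above against a constructed local target: it classifies a port as open, closed or filtered from the result of the kernel's connect() call and forces an RST on close, as nmap -sT does. The listener on 127.0.0.1 and the unused port are set up by the script itself, so it runs offline.

```python
import socket
import struct
from typing import Dict, Iterable


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Run one connect-scan probe: ask the kernel for a full TCP handshake, as nmap -sT does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            # The kernel sends SYN, receives SYN-ACK and answers ACK; connect() returns on success.
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed"      # the target answered the SYN with RST
        except OSError:
            return "filtered"    # timeout or unreachable: no answer, which nmap reports as filtered
        # Handshake completed, so the port is open. SO_LINGER (on=1, timeout=0) makes close()
        # tear the connection down with an RST instead of a FIN, mirroring nmap's teardown.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        return "open"


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan several ports sequentially (one full connection each) and return {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def open_listener() -> socket.socket:
    """Constructed target: a socket listening on an ephemeral loopback port (an open port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)       # the kernel completes handshakes even before accept() is called
    return srv


def unused_port() -> int:
    """Constructed target: a loopback port with no listener, which answers SYN with RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    srv = open_listener()
    targets = [srv.getsockname()[1], unused_port()]
    for port, state in connect_scan("127.0.0.1", targets).items():
        print(f"127.0.0.1:{port} -> {state}")
    srv.close()
```

Because the handshake completes, the listening service sees a real accepted connection, which is why connect scans show up in application logs.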

Advantages:     

  • TCP Connect Scans are relatively stealthy and can often bypass intrusion detection systems because they behave similarly to legitimate connection attempts.

  • They provide accurate information about the state (open or closed) of the scanned ports.

Disadvantages:        

  • They are slower than other scan types, such as SYN scans, because they involve establishing a full connection for each port.

  • They may leave more traces in log files on the target system, potentially raising suspicions.

  • They require root or administrator privileges on the scanning machine because raw socket access is needed to establish connections.

When to Use TCP Connect Scans:

    TCP Connect Scans are useful in scenarios where stealth and accuracy are more important than speed. They are often used when scanning a trusted network for security assessment or when you need to confirm the state of specific ports.

    In summary, a TCP Connect Scan in Nmap is a method for discovering open ports on a target system by attempting to establish a full TCP connection to each port. It provides accurate results but is slower and may be more visible in logs compared to other scanning techniques.
---------------------------------------------------------------------------------------------------------------
Question 1: Which RFC defines the appropriate behaviour for the TCP protocol?
Answer: RFC 9293

Question 2: If a port is closed, which flag should the server send back to indicate this?
Answer: RST
---------------------------------------------------------------------------------------------------------------
Thank you for reading. 

Roger - Ozz961.
