Nmap: SYN Scans, UDP Scans.

Nmap SYN Scans

A SYN scan, also known as a half-open scan, is a popular network scanning technique. SYN scans are designed to determine which ports on a target system are open, closed, or filtered without completing a full TCP connection.

Here's how a SYN scan works in Nmap:

1. TCP Three-Way Handshake: In a normal TCP connection, a three-way handshake occurs. The client sends a SYN (synchronize) packet to the server, the server responds with a SYN-ACK (synchronize-acknowledgment) packet, and the client completes the handshake with an ACK (acknowledgment) packet.

2. SYN Packet: In a SYN scan, Nmap sends a TCP SYN packet to the target system for each port it wants to scan. This is just the first step of the three-way handshake. If the port is open, the target system should respond with a SYN-ACK packet. 

3. Nmap analyzes the responses it receives:

  • If the target system responds with a SYN-ACK, Nmap considers the port open.
  • If the target system responds with a RST (reset) packet, Nmap considers the port closed.
  • If there's no response or an ICMP unreachable message is received, Nmap may consider the port filtered, as it couldn't determine the state.

4. Stealthy: SYN scans are often used because they are relatively stealthy. Since they don't complete the full three-way handshake and instead send only a SYN packet, they are less likely to trigger intrusion detection systems (IDS) or firewall rules that are set to react to complete connections.

5. Incomplete Connection: One of the advantages of SYN scans is that they don't complete the connection, which can be beneficial in situations where you want to minimize your footprint or avoid leaving logs on the target system.

To perform a SYN scan with Nmap, you can use the following command:

nmap -sS target_ip

Replace target_ip with the IP address or hostname of the system you want to scan. You can also specify a range of ports to scan, like so:

nmap -sS -p 1-100 target_ip


Keep in mind that SYN scans are considered stealthy, but less so than they once were: many modern firewalls and other security solutions can still detect them.
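The detection side of the stealth point above, as an added example that is not part of the original post or of Nmap: a half-open scanner shows up in traffic as one source sending bare SYNs to many distinct ports on a target while almost never sending the ACK that completes a handshake. The packet records, thresholds and addresses are constructed for illustration.

```python
"""Flag half-open (SYN) scan behaviour in TCP packet records.

Added example, not Nmap's own code.  A SYN scan sends only the first
handshake packet, so a scanning host appears as a source that SYNs many
distinct ports while completing (almost) no handshakes.  Records are
constructed for illustration.
"""
from collections import defaultdict

# Constructed records: (src_ip, dst_ip, dst_port, tcp_flags)
# Flags use tcpdump letters: S = SYN, A = ACK, R = RST.
PACKETS = [
    # Legitimate client: SYN, then the ACK that completes the handshake.
    ("10.0.0.5", "10.0.0.20", 443, "S"),
    ("10.0.0.5", "10.0.0.20", 443, "A"),
    # SYN scanner sweeping ports 20-59: bare SYNs, RSTs to any SYN-ACK
    # it receives, never a completing ACK.
] + [("10.0.0.9", "10.0.0.20", p, "S") for p in range(20, 60)] + [
    ("10.0.0.9", "10.0.0.20", 22, "R"),
    ("10.0.0.9", "10.0.0.20", 53, "R"),
]


def half_open_sources(packets, min_ports=15, max_completion=0.1):
    """Return {(src, dst): (syn_ports, completed_ports)} for source/target
    pairs where the source sent bare SYNs to at least `min_ports` distinct
    ports and completed the handshake on at most `max_completion` of them.
    Thresholds are constructed defaults; tune them to the network."""
    syn_ports = defaultdict(set)   # ports that received a bare SYN
    ack_ports = defaultdict(set)   # ports to which the source sent a pure ACK
    for src, dst, dport, flags in packets:
        if flags == "S":
            syn_ports[(src, dst)].add(dport)
        elif flags == "A":
            # Third step of the handshake; RSTs and SYN-ACKs do not count.
            ack_ports[(src, dst)].add(dport)

    suspects = {}
    for pair, ports in syn_ports.items():
        completed = ports & ack_ports.get(pair, set())
        if len(ports) >= min_ports and len(completed) <= max_completion * len(ports):
            suspects[pair] = (len(ports), len(completed))
    return suspects


if __name__ == "__main__":
    for (src, dst), (synned, done) in half_open_sources(PACKETS).items():
        print(f"{src} -> {dst}: {synned} ports probed, {done} handshakes completed")
```

A slow scan spread over a long window or across many sources stays under these per-pair thresholds, which is why real sensors also correlate over time.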

Question 1: There are two other names for a SYN scan, what are they?
Answer: Half-Open, Stealth

Question 2: Can Nmap use a SYN scan without Sudo permissions?
Answer: No.

Nmap UDP Scans

UDP (User Datagram Protocol) scans in Nmap are a valuable feature for network security professionals and system administrators to discover open UDP ports on a target system.

Scanning UDP ports can be challenging because many UDP services do not respond when a port is closed, making it more difficult to determine their state.

1. UDP Packet Transmission:

  • When you initiate a UDP scan using Nmap, the tool sends UDP packets to the target system's UDP ports.

  • Each packet contains a UDP header with the source and destination port numbers, along with some payload data.

  • Nmap sends these packets without establishing a connection or waiting for a response, which is characteristic of UDP.

2. Response Analysis:

  • If the target system responds with an ICMP "Port Unreachable" message, Nmap interprets the port as closed.

  • If the target system responds with any other UDP packet (indicating that the port is open), Nmap interprets the port as open or filtered, depending on the specific response.

  • If Nmap receives no response to its UDP probe, it may consider the port to be either open or filtered. This is because it cannot definitively determine if the lack of response is due to the port being open or blocked by a firewall.

3. Time-Consuming:

  • UDP scanning can be more time-consuming than TCP scanning because Nmap has to wait for potential responses from each probed port.

  • Some UDP services may take longer to respond or may not respond at all, further extending the scan time.

4. Common UDP Services:

  • DNS (Domain Name System) | Port: 53 | Purpose: DNS is used for translating human-friendly domain names into IP addresses.

  • DHCP (Dynamic Host Configuration Protocol) | Port: 67 (Server) and 68 (Client) | Purpose: DHCP is used to dynamically assign IP addresses and network configuration information to devices on a network.

  • TFTP (Trivial File Transfer Protocol) | Port: 69 | Purpose: TFTP is a simple file transfer protocol used for transferring files, often used in network device configuration.

  • SNMP (Simple Network Management Protocol) | Port: 161 (SNMP) and 162 (SNMP Trap) | Purpose: SNMP is used for monitoring and managing network devices and their functions.

  • Syslog | Port: Typically 514 | Purpose: Syslog is a standard for message logging on Unix-based systems and network devices.

  • NTP (Network Time Protocol) | Port: 123 | Purpose: NTP is used for time synchronization between devices on a network.

  • NetBIOS Name Service | Port: 137 | Purpose: NetBIOS Name Service is used for name resolution in Windows networks.

  • NetBIOS Datagram Service | Port: 138 | Purpose: NetBIOS Datagram Service is used for datagram-based communication in Windows networks.

  • NetBIOS Session Service | Port: 139 | Purpose: NetBIOS Session Service is used for establishing and maintaining sessions in Windows networks.

  • RADIUS (Remote Authentication Dial-In User Service) | Port: 1812 (Authentication) and 1813 (Accounting) | Purpose: RADIUS is used for centralized authentication, authorization, and accounting for network access.

  • SMB (Server Message Block) | Port: 137-139 (NetBIOS over TCP/IP) and 445 (Direct SMB) | Purpose: SMB is used for file and printer sharing in Windows networks.

  • SNTP (Simple Network Time Protocol) | Port: Typically 123 | Purpose: SNTP is a simplified version of NTP used for time synchronization.

  • RIP (Routing Information Protocol) | Port: 520 | Purpose: RIP is a routing protocol used for exchanging routing information in IP networks.

  • RIPng (RIP Next Generation) | Port: 521 | Purpose: RIPng is an extension of RIP designed for IPv6 networks.

  • BFD (Bidirectional Forwarding Detection) | Port: Typically 3784 | Purpose: BFD is used for rapid detection of network path failures.

It's important to note that these services and their port assignments can vary based on network configurations and applications.

To perform a UDP scan with Nmap, you can use the -sU option followed by the target IP address or hostname. 

You can also specify a range of UDP ports to scan using the -p option, similar to TCP scans. For example:

nmap -sU target_ip
nmap -sU -p 53,67-69 target_ip

It's crucial to note that UDP scanning can be less reliable than TCP scanning due to the lack of guaranteed responses from closed ports and the possibility of packet loss or filtering.

Some network security devices, such as firewalls and other security solutions, may also block or limit UDP traffic, affecting the accuracy of scan results.
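The response-analysis rules above as working code, added here as an example that is not Nmap's own implementation. It covers the three cases the post describes (ICMP port unreachable, a UDP reply, silence) and adds Nmap's documented convention that other ICMP destination-unreachable codes are reported as filtered; the Response class and all sample responses are constructed.

```python
"""Classify UDP ports from probe responses the way Nmap reports them.

Added example, not Nmap's own code.  Rules: ICMP port unreachable -> closed,
any UDP reply -> open, other ICMP unreachable codes -> filtered, and no
reply at all -> open|filtered.  Responses below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACHABLE = 3   # ICMP type
ICMP_PORT_UNREACHABLE = 3   # type 3, code 3: the closed-port convention
# Other type-3 codes (network/host/admin prohibited, etc.) that Nmap reports
# as filtered: something dropped the probe, but not a closed port.
FILTERED_CODES = {1, 2, 9, 10, 13}


@dataclass
class Response:
    proto: str                        # "udp" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    payload: bytes = b""


def classify_udp_port(responses):
    """Return Nmap's state label for one port given one entry per probe sent.
    None stands for a probe that got no reply (Nmap retries before deciding)."""
    for r in responses:
        if r is None:
            continue
        if r.proto == "udp":
            return "open"             # any UDP answer proves a listener
        if r.proto == "icmp" and r.icmp_type == ICMP_DEST_UNREACHABLE:
            if r.icmp_code == ICMP_PORT_UNREACHABLE:
                return "closed"
            if r.icmp_code in FILTERED_CODES:
                return "filtered"
    return "open|filtered"            # silence is ambiguous, so both are kept


def scan_summary(port_responses):
    """Map each probed port to its Nmap state label."""
    return {port: classify_udp_port(r) for port, r in port_responses.items()}


# Constructed results for the `nmap -sU -p 53,67-69 target_ip` scan above.
CONSTRUCTED_RESPONSES = {
    53: [Response("udp", payload=b"\x12\x34\x81\x80")],      # DNS-like reply
    67: [None, None],                                         # silent after retry
    68: [Response("icmp", icmp_type=3, icmp_code=3)],         # port unreachable
    69: [None, Response("icmp", icmp_type=3, icmp_code=13)],  # admin prohibited
}
```

The ambiguous open|filtered result is also why UDP scans are slow: Nmap has to wait out a timeout and retransmit before it can apply the last rule, and many hosts rate-limit the ICMP errors that would settle the question faster.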
-----------------------------------------------------------------------------------------------------------------------------
Question 1: If a UDP port doesn't respond to an Nmap scan, what will it be marked as?
Answer: open|filtered

Question 2: When a UDP port is closed, by convention the target should send back a "port unreachable" message. Which protocol would it use to do so?
Answer: ICMP
-----------------------------------------------------------------------------------------------------------------------------
Thank you so much for reading; don't forget to take notes.

Roger - Ozz961.
