Nmap is a popular open source
network exploration tool. It is a ton of features that are very useful to
anyone trying to scan, even enumerate and look for vulnerabilities on a host or
network.
Starting with the very basics;
when scanning you are usually looking for the ports that are open on the live
hosts and the services that are running on them.
There are 6 states a port can be
but we will look only at the 2 main states: Open and Closed.
Open port: This means that an
application is listening for connections on the is port. This is good, as it
tells you that you can interact with it.
Closed port: This means that there
is no application listening on this port. And you cannot talk to a closed port.
Let’s start looking at open ports
on our victim machines.
From previous articles you learnt
about a ICMP ping sweep scan with Nmap. Here we look at a TCP SYN ping scan.
TCP SYN Ping Scan
Input the command: nmap -PS <<target
IP address>>
This command with the “-PS” flag
tells nmap to send a SYN packet to the target and listen for a response. This
command comes in handy for when your target system is configured to block ICMP
ping sweeps.
Stealth Scan
Input the command: nmap -sS <<target
IP address>>
This command with the “-sS” flag
tells nmap to initiate a three-way handshake with the target but do not
complete the hand shake.
This was useful in the past when
firewalls dint used to log incomplete handshakes with the computer’s port.
However with the latest firewalls, even an incomplete handshake is logged and
thus not so stealth anymore.
Full Nmap Scan
Input the command: nmap -sV -O<<target
IP address>>
With this command nmap scans the
first 1000 ports on the target, with the “-sV” flag to find out the version of
the services running on the open ports and with the “-O” flag to find out the
operating system running on the target.
Look through the results and see if
you can locate the OS details and the version numbers of any services
discovered.
Now you must be wondering why put all different flags while you can just run a full scan and get the same results? The answer is noise.
Running a full scan over the network makes too much noise and the network admins can get alerted and can even blacklist your attacker machine. So we resort to running specific scans to find out specific bits of information while make less noise.
-Jayesh Kerai (@secjay)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.