In this tutorial I'll teach you some basic Nmap scans.
Before learning about the scan methods you should have a basic understanding of TCP and UDP. So I'll also cover these topics very briefly.
UDPUDP stands for
User Datagram Protocol.UDP is a
connectionless protocol i.e packets are sent from one party to another without any prior connection establishment between the two. This method of transmission doesn't guarantee that the data will reach it's destination. The packets may be delayed, arrive out of sequence or lost.
Thus we can say that UDP isn't a reliable protocol.
TCPTCP stands for
Transmission Control Protocol.TCP is a
connection oriented protocol i.e data exchange occurs between the sender and the receiver only after a connection is established between the two.
Connection is established using
three way handshake.To understand the three way handshake you have to know about the
flags field in a TCP header.
Flags field or control field is a 6 bit field and is used to relay control information between TCP peers.
The various types of flags are:
A:
SYN or synchronize flag is used to synchronize the sequence numbers.
B:
FIN or finish is used to tell the remote machine to terminate the connection.
C:
ACK or acknowledgment is the acknowledgment field significant.
D:
PSH or push flag is a notification from the sender to the receiver to pass all the data the receiver has to the receiving application.
E:
URG or urgent flag signifies that the packet contains urgent data.
F:
RST or reset flag is used to reset the connection.
With the knowledge of flags under our belt we can proceed to learn
Three -way handshake.Suppose
computer A wants to establish a connection with
computer B.
1:Firstly, computer A sends a packet with SYN flag set to computer B
2:Computer B after receiving the SYN packet sends packet with SYN-ACK flag set to computer A.
3:When computer A receives the SYN-ACK packet it sends a packet with ACK flag set to computer B.
4:Finally, when computer B receives the ACK packet the connection is established.
Computer A --------------------->SYN------------------->Computer B
Computer A<-------------------SYN-ACK<-------------------Computer B
Computer B---------------------->ACK------------------->Computer BLet's now discuss the Nmap scan methods.
The first scan we'll be talking about is the
SYN Scan or sometimes called the
half-open scan
A: SYN ScanSYN scan or half-open scan is almost like the three-way handshake except for one step.
1: Firstly Nmap sends a SYN packet to the destination port.
2: The destination post -if open- replies with a SYN-ACK packet.
3: Now Nmap doesn't wants to establish a connection and instead of sending an ACK response sends a packet with RST flag, and this is where it deviates from the normal three-way handshake.
The steps explained above were for open ports. In case of closed ports:
1:Firstly Nmap sends a SYN packet to the destination port.
2:The remote port -since it's closed- sends a RST response.
Nmap ------------------>SYN------------------->Remote port
Nmap<----------------SYN-ACK<----------------Remote port
Nmap------------------->RST------------------->Remote port
OPEN PORT
Nmap ------------------>SYN---------------->Remote port
Nmap<-------------------RST<----------------Remote port
CLOSED PORTSometimes it happens that Nmap sends a SYN packet to the remote port and gets no response. It means that a firewall is blocking the packet. Nmap declares these posts as
filteredNmap ------------------>SYN---------------->Remote port
Nmap---------------NO RESPONSE-------------Remote port
FILTERED PORTSSYN scan is the default scan if you are running as a privileged user
The syntax to run this scan in CLI is:
nmap -sS Remote I.PHere -sS is the SYN scan command and the remote I.P is the I.P address that you want to scan.
So the command looks like this:
You must be asking that if SYN scan is the default scan then for privileged users then why is it necessary to specify the SYN scan command? Well, it isn't. The scan will work perfectly by just using the command:
nmap remote I.PBut it's a good practice to specify this command in case you are'nt running privileged in which case TCP connect() scan is the default scan.
That's it for this part. I'll be taking more scans in the other parts of this tutorial.
Programming : Newbie here
Editor-In-Chief : Free Webcast: Don't Pick the Lock, Steal the Key - PW Auditing with Metasploit
Links to cool sites. : Ninja-Sec Challenge You !
Tools : Nmap 6 Released
Links to cool sites. : CODENAME: Samurai Skills Review at Darknet
