Nmap Scans: Part 1


Xen


Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Mon Feb 09, 2009 5:08 am

Nmap Scans: Part 1

In this tutorial I'll teach you some basic Nmap scans.

Before learning about the scan methods you should have a basic understanding of TCP and UDP. So I'll also cover these topics very briefly.

UDP

UDP stands for User Datagram Protocol.
UDP is a connectionless protocol, i.e. packets are sent from one party to another without any prior connection establishment between the two. This method of transmission doesn't guarantee that the data will reach its destination. The packets may be delayed, arrive out of sequence or be lost.
Thus we can say that UDP isn't a reliable protocol.

TCP
TCP stands for Transmission Control Protocol.
TCP is a connection-oriented protocol, i.e. data exchange occurs between the sender and the receiver only after a connection is established between the two.
The connection is established using a three-way handshake.

To understand the three way handshake you have to know about the flags field in a TCP header.

The flags field or control field is a 6-bit field and is used to relay control information between TCP peers.
The various types of flags are:
A: SYN or synchronize flag is used to synchronize the sequence numbers.

B: FIN or finish is used to tell the remote machine to terminate the connection.

C: ACK or acknowledgment indicates that the acknowledgment field is significant.

D: PSH or push flag is a notification from the sender to the receiver to pass all the data the receiver has to the receiving application.

E: URG or urgent flag signifies that the packet contains urgent data.

F: RST or reset flag is used to reset the connection.

With the knowledge of flags under our belt we can proceed to learn the three-way handshake.

Suppose computer A wants to establish a connection with computer B.
1: Firstly, computer A sends a packet with the SYN flag set to computer B.
2: Computer B, after receiving the SYN packet, sends a packet with the SYN-ACK flags set to computer A.
3: When computer A receives the SYN-ACK packet it sends a packet with the ACK flag set to computer B.
4: Finally, when computer B receives the ACK packet the connection is established.

Computer A --------------------->SYN------------------->Computer B

Computer A<-------------------SYN-ACK<-------------------Computer B

Computer A---------------------->ACK------------------->Computer B



Let's now discuss the Nmap scan methods.

The first scan we'll be talking about is the SYN scan, sometimes called the half-open scan.

A: SYN Scan

SYN scan or half-open scan is almost like the three-way handshake except for one step.
1: Firstly, Nmap sends a SYN packet to the destination port.
2: The destination port -if open- replies with a SYN-ACK packet.
3: Now Nmap doesn't want to establish a connection, and instead of sending an ACK response it sends a packet with the RST flag set; this is where it deviates from the normal three-way handshake.

The steps explained above were for open ports. In the case of closed ports:
1: Firstly, Nmap sends a SYN packet to the destination port.
2: The remote port -since it's closed- sends an RST response.

Nmap ------------------>SYN------------------->Remote port

Nmap<----------------SYN-ACK<----------------Remote port

Nmap------------------->RST------------------->Remote port

                            OPEN PORT



Nmap ------------------>SYN---------------->Remote port

Nmap<-------------------RST<----------------Remote port

                           CLOSED PORT


Sometimes it happens that Nmap sends a SYN packet to the remote port and gets no response. It means that a firewall is blocking the packet. Nmap declares these ports as filtered.

Nmap ------------------>SYN---------------->Remote port

Nmap---------------NO RESPONSE-------------Remote port

                        FILTERED PORTS



SYN scan is the default scan if you are running as a privileged user.

The syntax to run this scan in the CLI is:
nmap -sS remote IP

Here -sS is the SYN scan command and the remote IP is the IP address that you want to scan.

So the command looks like this: [screenshot not preserved]

You must be asking that if SYN scan is the default scan for privileged users then why is it necessary to specify the SYN scan command? Well, it isn't. The scan will work perfectly by just using the command:
nmap remote IP

But it's good practice to specify this command in case you aren't running privileged, in which case the TCP connect() scan is the default scan.

That's it for this part. I'll be taking more scans in the other parts of this tutorial.
Last edited by Xen on Fri Feb 13, 2009 8:33 am, edited 1 time in total.
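The flag bits, the SYN / SYN-ACK / RST exchange and the open / closed / filtered rules described in this post, worked through in code. This is an added example and is not part of the original post or of Nmap itself; the packet records, addresses, port numbers and function names are constructed for illustration. It decodes the 6-bit control field, reconstructs from a packet log what a scanner would have learned about each probed port, and flags a source that sends SYNs to several ports without ever completing a handshake, which is the half-open pattern a defender would look for in their own traffic.

```python
"""TCP control-field decoding, SYN-scan port-state rules and a half-open
scan detector run over a constructed packet log (added example)."""
from collections import defaultdict

# Bit layout of the 6-bit TCP control field (RFC 793 order, LSB first).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(value):
    """Return the set of flag names set in a 6-bit control-field value."""
    return {name for name, bit in TCP_FLAGS.items() if value & bit}


def encode_flags(names):
    """Inverse of decode_flags: build the control-field value from names."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value


def classify_reply(reply_flags):
    """Port state as the post describes it: SYN-ACK -> open, RST -> closed,
    no reply at all (None) -> filtered."""
    if reply_flags is None:
        return "filtered"
    if {"SYN", "ACK"} <= set(reply_flags):
        return "open"
    if "RST" in reply_flags:
        return "closed"
    return "unknown"


# Constructed packet log: (src_ip, dst_ip, src_port, dst_port, flags).
# 10.0.0.5 half-open scans 10.0.0.9; 10.0.0.7 is an ordinary client.
PACKET_LOG = [
    ("10.0.0.5", "10.0.0.9", 40001, 22, {"SYN"}),
    ("10.0.0.9", "10.0.0.5", 22, 40001, {"SYN", "ACK"}),   # port 22 open
    ("10.0.0.5", "10.0.0.9", 40001, 22, {"RST"}),          # scanner tears down
    ("10.0.0.5", "10.0.0.9", 40002, 80, {"SYN"}),
    ("10.0.0.9", "10.0.0.5", 80, 40002, {"SYN", "ACK"}),   # port 80 open
    ("10.0.0.5", "10.0.0.9", 40002, 80, {"RST"}),
    ("10.0.0.5", "10.0.0.9", 40003, 443, {"SYN"}),
    ("10.0.0.9", "10.0.0.5", 443, 40003, {"RST", "ACK"}),  # port 443 closed
    ("10.0.0.5", "10.0.0.9", 40004, 8080, {"SYN"}),        # no reply: filtered
    ("10.0.0.7", "10.0.0.9", 51000, 80, {"SYN"}),
    ("10.0.0.9", "10.0.0.7", 80, 51000, {"SYN", "ACK"}),
    ("10.0.0.7", "10.0.0.9", 51000, 80, {"ACK"}),          # handshake completed
]


def scan_results(log, scanner, target):
    """Reconstruct, per probed port, the state the scanner would report."""
    replies = {}  # dst port -> flags of the first reply, or None
    for src, dst, sport, dport, flags in log:
        if src == scanner and dst == target and flags == {"SYN"}:
            replies.setdefault(dport, None)
        elif (src == target and dst == scanner
              and sport in replies and replies[sport] is None):
            replies[sport] = flags
    return {port: classify_reply(f) for port, f in replies.items()}


def find_half_open_scanners(log, min_ports=3):
    """Return (src, dst) pairs where src sent SYNs to at least min_ports
    distinct ports and never sent the final ACK of a handshake."""
    syn_ports = defaultdict(set)   # (src, dst) -> ports probed with SYN
    completed = defaultdict(set)   # (src, dst) -> ports where ACK followed
    for src, dst, sport, dport, flags in log:
        key = (src, dst)
        if flags == {"SYN"}:
            syn_ports[key].add(dport)
        elif "ACK" in flags and not flags & {"SYN", "RST"}:
            if dport in syn_ports.get(key, ()):
                completed[key].add(dport)
    return sorted(key for key, ports in syn_ports.items()
                  if len(ports) >= min_ports and not completed.get(key))


if __name__ == "__main__":
    print("flags 0x12 =", sorted(decode_flags(0x12)))
    print("scanner view:", scan_results(PACKET_LOG, "10.0.0.5", "10.0.0.9"))
    print("half-open scanners:", find_half_open_scanners(PACKET_LOG))
```

The detector keys on the one thing the post says distinguishes a SYN scan from a real connection: the third packet of the handshake never arrives from the scanning host. On a real network a closed port answers with RST plus ACK set, which is why the log above uses both bits, while the post's diagram simply writes RST; classify_reply accepts either.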

pibe86

Newbie

Posts: 7

Joined: Sun Feb 08, 2009 10:10 pm

Location: Medellín Colombia

Post Mon Feb 09, 2009 10:30 am

Re: Nmap Scans: Part 1

Nice, I am going to install BackTrack; after that I will try this tutorial.


thanks

Just a question, where do you work, man?

Xen


Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue Feb 10, 2009 7:52 am

Re: Nmap Scans: Part 1

pibe86 wrote: Nice, I am going to install BackTrack; after that I will try this tutorial.

There's a Windows version of Nmap too.

pibe86 wrote: Just a question, where do you work, man?



I'm a second year computer science engineering student.
Last edited by Xen on Tue Feb 10, 2009 8:46 am, edited 1 time in total.

jason


Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Tue Feb 10, 2009 1:24 pm

Re: Nmap Scans: Part 1

You can find the various versions of Nmap, as well as the source code, here:

http://nmap.org/download.html

pibe86

Newbie

Posts: 7

Joined: Sun Feb 08, 2009 10:10 pm

Location: Medellín Colombia

Post Sat Feb 14, 2009 1:46 am

Re: Nmap Scans: Part 1

I don't like using Windows, I'd rather use GNU/Linux as my OS.

I have installed BT4 and it works better than I thought.

Now let's try the Nmap tutorials.
