Post Wed Feb 11, 2009 12:08 am

Nmap Scans:Part 2

If you are reading this tutorial then you must have obviously read my previous tutorial on Nmap scans. If not then read it here.

B: TCP Connect() Scan
Remember the three-way handshake? I hope you do.
TCP Connect() Scan is just the normal three-way handshake.

1: Firstly Nmap sends a SYN packet to the destination port.
2: The destination port, if open, replies with a SYN-ACK packet.
3: Now Nmap replies with a normal ACK packet and establishes the connection.
4: But soon after establishing the connection Nmap sends a RST packet and breaks the connection.

The steps explained above were for open ports. In case of closed ports:
1: Firstly Nmap sends a SYN packet to the destination port.
2: The remote port, since it is closed, sends a RST response.

       Nmap ------------------>SYN------------------->Remote port

       Nmap<----------------SYN-ACK<----------------Remote port

       Nmap------------------->ACK------------------->Remote port

       Nmap------------------->RST------------------->Remote port

                                  OPEN PORT

      Nmap ------------------>SYN---------------->Remote port

       Nmap<-------------------RST<----------------Remote port

                                 CLOSED PORT

Sometimes it happens that Nmap sends a SYN packet to the remote port and gets no response. It means that a firewall is blocking the packet. Nmap declares these ports as filtered.

       Nmap ------------------>SYN---------------->Remote port

       Nmap---------------NO RESPONSE-------------Remote port

                               FILTERED PORTS

TCP connect() scan is the default scan if you are running as a privileged user.

The syntax for TCP connect() scan in CLI is:
nmap -sT remote I.P

Here -sT is the command for TCP connect() scan and remote I.P is the I.P address of the target machine you want to scan.

C: IDLE Scan

Idle scan depends on a zombie and the IPID no.

A zombie is an idle station that acts as an intermediary between the Nmap station and the target I.P address. The zombie should remain idle for the duration of the scan to keep its IPID no. consistent.
The other thing to note about the zombie is that it could be any device: an idle server, a workstation or a printer.

Fyodor very briefly explained the IPID no. and I just use his definition:
Every IP packet on the Internet has a fragment identification number (IP ID).  Since many operating systems simply increment this number for each packet they send, probing for the IPID can tell an attacker how many packets have been sent since the last probe.

IDLE Scan steps
Now back again to our three-way handshake.
Suppose computer A, instead of sending a SYN packet to computer B, sends a SYN-ACK. When computer B receives this unsolicited SYN-ACK it responds with a RST packet. This concept is very cleverly used in IDLE Scan.

1: Firstly the Nmap station sends a SYN-ACK packet to the zombie. This unsolicited SYN-ACK is answered with a RST packet. Nmap then notes the IPID no. of this RST packet.

2: Nmap then spoofs the I.P add. of the zombie and sends a SYN packet to the target device:
  a: If the port is open, the target sends a SYN-ACK response to the zombie. The zombie, on receiving the unsolicited SYN-ACK, responds with a RST.

  b: If the port is closed, the target device responds with a RST packet to the zombie. The zombie discards the unsolicited RST.

3: Nmap then again sends a SYN-ACK to the zombie and receives a RST:
    a: In case of open ports the IPID of the zombie has incremented by two, because the zombie sent two packets: one RST to the target device in response to the SYN-ACK from it, and another RST to the Nmap station.

    b: In case of closed ports the IPID of the zombie has incremented only by one, because the zombie sent only one RST packet, to the Nmap station.

Nmap station-------------------->SYN-ACK---------------------------->Zombie
Nmap station<------------------RST (IPID=25)<------------------------ Zombie

Nmap station-------------------->SYN--------------------------->Target device
(Spoofed Zombie's
I.P add.)

Zombie<---------------------------SYN-ACK<---------------------Target device
Zombie------------------------->RST (IPID=26)----------------->Target device

                                            OPEN PORT

Zombie<-----------------------------RST<--------------------------Target device

                                                   CLOSED PORT
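As an added illustration (my own model, not part of the original post and not Nmap code), here is a small Python simulation of the IPID inference in steps 1 to 3: a simulated zombie stamps each packet it sends with an IP ID, the target's reply to the spoofed SYN either provokes a RST from the zombie or is dropped, and the probe reads the port state from how far the IP ID moved. The zombie's "incremental" flag is a constructed knob that also shows the defensive side: a host that randomizes its IP ID gives no usable delta, which is why such hosts cannot serve as zombies.

```python
import random

OPEN, CLOSED = "open", "closed"

class Zombie:
    """Idle host that stamps every packet it sends with an IP ID.
    incremental=True models the classic 'add one per packet' counter;
    False models an OS that randomizes the IP ID (constructed knob)."""
    def __init__(self, incremental=True, start=24):
        self.incremental = incremental
        self.ipid = start

    def _send(self):
        self.ipid = (self.ipid + 1) % 65536 if self.incremental else random.randrange(65536)
        return self.ipid

    def receive(self, pkt):
        # Unsolicited SYN-ACK is answered with a RST (one packet sent);
        # an unsolicited RST is silently dropped (nothing sent).
        return self._send() if pkt == "SYN-ACK" else None

def target_reply(port_state):
    """The target's answer to a SYN that carries the zombie's address."""
    return "SYN-ACK" if port_state == OPEN else "RST"

def idle_probe(zombie, port_state):
    """One probe round (steps 1-3): read the zombie's IPID, let the
    target's reply reach the zombie, read the IPID again."""
    before = zombie.receive("SYN-ACK")           # step 1: RST carries IPID
    zombie.receive(target_reply(port_state))     # step 2: reply hits zombie
    after = zombie.receive("SYN-ACK")            # step 3: RST carries IPID
    delta = (after - before) % 65536
    if delta == 2:
        return OPEN      # zombie sent two RSTs: one to target, one to us
    if delta == 1:
        return CLOSED    # only our RST; a filtered port looks the same
    return "unknown"     # IPID is not a simple counter: zombie is unusable

def inference_accuracy(incremental, trials=200, seed=1):
    """Fraction of random true states the probe recovers correctly."""
    random.seed(seed)
    zombie = Zombie(incremental=incremental)
    hits = 0
    for _ in range(trials):
        truth = random.choice([OPEN, CLOSED])
        hits += idle_probe(zombie, truth) == truth
    return hits / trials
```

With an incrementing zombie every probe is decoded correctly; with a randomizing one the delta is almost never 1 or 2 and the result is "unknown".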

IDLE Scan is a very stealthy scan. It is very difficult to trace the attacker in this scan.

Syntax of IDLE Scan for CLI is:
nmap -P0 -sI I.P add. of zombie I.P add. of target device

The -P0 option tells Nmap not to ping the target device, otherwise the target device could trace the attacker from the ping packets.
-sI  is the idle scan command.
Last edited by Xen on Wed Feb 11, 2009 4:38 am, edited 1 time in total.