In this article, you will learn how to capture network packet using Wireshark when an attacker is scanning target using NMAP port scanning method. Here you will notice that how Wireshark captured different network traffic packet for open and close ports.

Note: We perform the Below Practical with the same IP address (192.168.1.102), which you will notice is common for our Windows and Linux Machine; you may differentiate them by their MAC addresses in this case.

Let’s start!!!

TCP Scan

Tcp scan will scan for TCP port like port 22, 21, 23, 445 etc and ensure for listening port (open) through 3-way handshake connection between the source and destination port. If the port is open, then the source makes a request with a SYN packet, the destination responds by sending a SYN, ACK packet, and then the source sends ACK packets; at last, the source again sends RST, ACK packets.

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sT -p 445 192.168.1.102

From the given image you can observe the result that port 445 is open.

Look over the sequence of packet transfer between source and destination captured through Wireshark.

You will notice that it has captured the same sequence of the flag as described above:

• Source sent SYN packet to the destination
• Destination sent SYN, ACK to source
• Source sent ACK packet to the destination
• Source again sent RST, ACK to destination

Let’s figure out network traffic for the close port. The image shows that if the scanning port is closed. The source and destination cannot establish a 3-way handshake connection.

The source sends a SYN packet. If the port is closed, the receiver responds with an RST-ACK packet.

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sT -p 3389 192.168.1.102

From the given image you can observe the result that port 3389 is closed.

Look over the sequence of packet transfer between source and destination captured through Wireshark.

You will notice that it has captured the same sequence of the flag as described above:

• Source sent SYN packet to the destination
• Destination sent RST, ACK packet to the source

Stealth Scan

SYN scan is the default and most popular scan option for good reasons. You can perform it quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively typical and stealthy since it never completes TCP connections.

If the system receives an SYN packet (without the ACK flag) in response. We also consider the port open.

People often refer to this technique as half-open scanning because you don’t open a full TCP connection. You send an SYN packet as if you are going to open a real connection and then wait for a response. An SYN, ACK indicates the port is listening (open)

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sS -p 22 192.168.1.102

From the given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent SYN packets to the destination
• Destination sent SYN, ACK packets to the source
• Source sent RST packets to the destination

Now figure out traffic for close port using stealth scan. If the source sends a SYN packet on the specific port, the port is closed. The destination replies by sending an RST packet.

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sS -p 3389 192.168.1.102

From the given image you can observe the result that port 3389 is closed.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent SYN packets to the destination
• Destination sent RST, ACK packets to the destination

Fin Scan

A device uses a FIN packet to terminate the TCP connection between the source and destination port typically after the data transfer is complete. In place of an SYN packet, Nmap starts a FIN scan by sending a FIN packet. If the port is open, the destination port will not respond when the source port sends a FIN packet.

Fin-Scan are only workable in Linux machines and does not work on the latest version of windows

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sF -p 22 192.168.1.102

From the given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent FIN packets to the destination
• Destination sent no reply to the source

Similarly, if you perform a Fin scan against any close, then the source port will send a FIN packet to a specific port, and the destination will reply by sending RST and ACK packets.

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sF -p 3389 192.168.1.102

From the given image you can observe the result that port 3389 is closed.

Examine the sequence of packet transfer between source and destination that Wireshark captured.

• Source sent SYN packets to the destination
• Destination sent RST packets to the destination

Null Scan

An attacker sends a Null Scan by transmitting a series of TCP packets with a sequence number of ‘zeros’ (0000000). Because none of the flags are set, the destination cannot determine how to reply to the request. The destination discards the packet and sends no reply, which indicates that the port is open.

Null Scan is only workable in Linux machines and does not work on latest version of windows

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sN -p 22 192.168.1.102

From the given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent Null packets to the destination
• Destination sent no reply to the source

If the port is closed, the Destination will send an RST, ACK packet in response when it receives null packets from the source on a specific port.

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sN -p 3389 192.168.1.102

From the given image you can observe the result that port 3389 is closed.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent Null (none) packets to the destination
• Destination sent RST, ACK to source

UDP Scan

UDP scan works by sending a UDP packet to every destination port; it is a connectionless protocol. For some common ports such as 53 and 161, they send a protocol-specific payload to increase the response rate, and a service responds with a UDP packet, proving that it is open. If they do not receive a response after retransmissions, they classify the port as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication.

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sU -p 161 192.168.1.119

From the given image you can observe the result that port 161 is open.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent UDP packets to the destination
• Destination sent UDP packet with some data to the source

Similarly, if source sent UDP packet on a close port to the destination then destination sent a reply with ICMP packet port unreachable with an appropriate error.

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sU -p 53 192.168.1.119

The given image shows that port 53 is closed.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent UDP packets to the destination
• Destination sent ICMP packet port unreachable to the source

Xmas Scan

These scans manipulate the PSH, URG, and FIN flags of the TCP header, setting the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. When source sent FIN, PUSH, and URG packet to a specific port and if the port is open then destination will discard the packets and will not send any reply to the source.

Xmas Scan is only workable in Linux machines and does not work on the latest version of windows

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sX -p 22 192.168.1.102

From the given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent FIN, PUSH and URG packets to the destination
• Destination sent no reply to the source

The source sends FIN, PUSH, and URG packets to a specific port. If the port is closed, the destination responds by sending RST and ACK packets.

Type following NMAP command for TCP scan as well as start Wireshark on another hand to capture the sent Packet.

nmap -sX -p 3389 192.168.1.102

The image shows that port 3389 is closed.

Look over the sequence of packet transfer between source and destination captured through Wireshark

• Source sent FIN, PUSH and URG packets to the destination
• Destination RST, ACK packet to the source

To learn more on Nmap. Follow this Link.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here