Understanding Guide for Nmap Timing Scan (Firewall Bypass)

In this article we scan the target machine with a normal Nmap scan and with each timing template, and confirm the time between packets by analysing the Nmap traffic in Wireshark.

The timing template in Nmap is selected with -T<0-5>, where -T0 is the slowest and -T5 the fastest. By default all Nmap scans run with the -T3 template. Timing templates are used to tune the speed and reliability of a scan so that it produces the desired results.

Let’s start!!

Nmap Insane (-T5) Scan

This template sends packets insanely fast and waits only 0.3 seconds for a response. The delay between two sent packets is at most 5 milliseconds. This makes the scan superfast, but accuracy is sometimes sacrificed. Nmap gives up on a host if it cannot complete the scan within 15 minutes. -T5 should be used only on fast networks and high-end systems, since sending packets this fast can disrupt the network or the target system and can even cause system failure.

To use a timing template, add the option -T<0-5> after nmap when scanning a target network.

Here the packets sent to the target IP are separated by at most 5 milliseconds (0.005 seconds).

Packet 1 has Arrival Time of 04:41:04.557153433

Packet 2 has Arrival Time of 04:41:04.557225304

The difference between the arrival times of Packet 1 and Packet 2 is about 0.07 milliseconds.

Nmap Aggressive (-T4) Scan

This template sends packets very fast and waits only 1.25 seconds for a response. The delay between two sent packets is at most 10 milliseconds. Nmap's official documentation recommends -T4 for "reasonably modern and reliable networks".

Here the packets sent to the target IP are separated by at most 5 milliseconds (0.005 seconds).

Packet 1 has Arrival Time of 05:58:34.636899267

Packet 2 has Arrival Time of 05:58:34.637122896

The difference between the arrival times of Packet 1 and Packet 2 is about 0.2 milliseconds.

Nmap Normal (-T3) Scan

This is the default Nmap timing template, used when no -T argument is specified.

Packet 1 has Arrival Time of 06:01:12.574866212

Packet 2 has Arrival Time of 06:01:12.575059033

The difference between the arrival times of Packet 1 and Packet 2 is about 0.1 milliseconds.

Nmap Polite (-T2) Scan

This template sends packets faster than -T0 and -T1 but still slower than a normal scan. The delay between two sent packets is 0.4 seconds.

Packet 1 has Arrival Time of 06:07:38.139876513

Packet 2 has Arrival Time of 06:01:38.540686453

Nmap Sneaky (-T1) Scan

This template sends packets faster than -T0 but still far slower than a normal scan. The delay between two sent packets is 15 seconds.

Packet 1 has Arrival Time of 06:17:02.354879724

Packet 2 has Arrival Time of 06:17:17.371063606

The difference between the arrival times of Packet 1 and Packet 2 is about 15 seconds.

Nmap Paranoid (-T0) Scan

This template sends packets very slowly, scanning only one port at a time. The delay between two sent packets is 5 minutes.

Packet 1 has Arrival Time of 06:32:25.043303267

Packet 2 has Arrival Time of 06:37:25.080804929

The difference between the arrival times of Packet 1 and Packet 2 is about 5 minutes.
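As an added example (not code from the original article), the following Python helper reproduces the Wireshark arithmetic above: it parses the nanosecond arrival-time strings, computes the gap between consecutive packets in milliseconds, and matches the gap against the inter-packet delays this article states for each template. The gap-to-template mapping and its 10% tolerance are assumptions for illustration, not an Nmap rule; the -T2 pair is left out because its two printed timestamps fall in different minutes.

```python
from decimal import Decimal

# Inter-packet delay stated in this article for each template, in seconds.
# Used only as a rough classification aid (assumption, not an Nmap rule).
TEMPLATE_DELAY = {
    "-T5": Decimal("0.005"),  # insane: up to 5 ms between packets
    "-T4": Decimal("0.010"),  # aggressive: up to 10 ms
    "-T2": Decimal("0.4"),    # polite: 0.4 s
    "-T1": Decimal("15"),     # sneaky: 15 s
    "-T0": Decimal("300"),    # paranoid: 5 min
}


def parse_arrival(ts):
    """Convert a Wireshark 'HH:MM:SS.nnnnnnnnn' arrival time to seconds
    since midnight.  Decimal keeps the nanosecond digits exact; datetime's
    %f only handles microseconds."""
    hh, mm, ss = ts.split(":")
    return Decimal(hh) * 3600 + Decimal(mm) * 60 + Decimal(ss)


def gaps_ms(arrivals):
    """Gap between each consecutive pair of arrival times, in milliseconds."""
    secs = [parse_arrival(t) for t in arrivals]
    return [float((b - a) * 1000) for a, b in zip(secs, secs[1:])]


def guess_template(gap_ms):
    """Pick the slowest template whose stated delay the gap reaches (with a
    10% tolerance).  Gaps below 10 ms cannot separate -T5/-T4/-T3: the
    captures in this article show roughly 0.1-0.2 ms for all three."""
    gap_s = Decimal(str(gap_ms)) / 1000
    for name in ("-T0", "-T1", "-T2"):
        if gap_s >= Decimal("0.9") * TEMPLATE_DELAY[name]:
            return name
    return "-T5/-T4/-T3"


# Arrival times copied from the captures shown in this article.
CAPTURES = {
    "-T5": ["04:41:04.557153433", "04:41:04.557225304"],
    "-T4": ["05:58:34.636899267", "05:58:34.637122896"],
    "-T3": ["06:01:12.574866212", "06:01:12.575059033"],
    "-T1": ["06:17:02.354879724", "06:17:17.371063606"],
    "-T0": ["06:32:25.043303267", "06:37:25.080804929"],
}

if __name__ == "__main__":
    for name, times in CAPTURES.items():
        gap = gaps_ms(times)[0]
        print(f"{name}: gap {gap:.3f} ms -> looks like {guess_template(gap)}")
```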

Evading Time-Based Firewall rules using timing templates

Block Insane T5 scan

Even though we can speed up the scan with the -T5 and -T4 templates, the target system may be using firewall rules to protect itself. Here are some example firewall rules and the methods used to bypass them.

This rule blocks TCP packets from an IP address once its packet count goes above 1 within 1 second. In other words, only the first packet from an IP address is answered in any 1-second window.

If you scan more than one port on a target with the above rule, the result will not be as expected. With -T5 or -T4 the delay between packets is far less than 1 second, so scanning five ports at once shows one port as open/closed and the others as filtered. However, -T5 also sets --max-retries to 2, meaning Nmap retries each unanswered port 2 more times, so 3 of the 5 ports end up with an accurate open/closed status and the remaining 2 are reported as filtered.

In the image below, 3 ports are shown as open and 2 as filtered.

The packet exchange between the scanner and the target, captured in Wireshark, clearly shows that TCP SYN packets were sent multiple times to ports 22 and 23 without any reply to those requests.

Bypass Insane T5 Firewall filter

1st method

Use the --max-retries argument to increase the retry count so that each retry obtains the accurate status of one more port. Run the command below to raise the maximum retries for a -T5 scan; here I used 4, adjust it as needed.

Now, in the image below, all 5 ports are shown as open.

Here the packet capture shows that on each retry a different port sends a reply confirming its status, as shown in the image below.

2nd Method

The second method is to use a timing template with a larger gap between packets; here any template below -T5, i.e. -T4 down to -T0, bypasses the rule above.

Here the capture shows that each port sent a reply, but the first reply arrived instantly while the other ports replied one by one after some time.

Block Aggressive T4, Normal T3 & Polite T2 Scan

The rules below block TCP packets from an IP address once its packet count goes above 1 within 3 seconds. In other words, only the first packet from an IP address is answered in any 3-second window.

Here we use -T4 to scan 5 ports. The delay between packets is far less than 1 second, so scanning five ports at once would show one as open/closed and the others as filtered. -T4 sets --max-retries to 6, so Nmap retries each unanswered port 6 more times, but because the rule's time window exceeds the total time taken by all the retries, every port ends up reported as filtered.

The result of a -T4, -T3 or -T2 scan is either all ports filtered or at most one port showing an open/closed state. In the image below all 5 ports are shown as filtered.

Here we can see that none of the packets got a reply.

Bypass Aggressive T4, Normal T3 & Polite T2 Firewall filter

To bypass this kind of rule we have to use a timing template slower than -T4.

Here we can see that all the packets got a reply, because the interval between packets with -T1 is almost 15 seconds.

Block Sneaky (-T1) Scan

This rule blocks TCP packets from an IP address once its packet count goes above 1 within 200 seconds. In other words, only the first packet from an IP address is answered in any 200-second window.

Now repeat the -T1 scan as shown below; this time you will find that the firewall blocks our Nmap probes, so the open/closed state of the ports cannot be identified.

The result of a -T1 scan is either all ports filtered or at most one port showing an open/closed state. In the image below all 4 ports are shown as filtered.

Here we can see that only one packet got a reply; the rest were dropped by the firewall.

Bypass Sneaky (-T1) Scan

To bypass this kind of rule we need a timing template with more than 200 seconds between packets, so use the paranoid template (-T0), whose inter-packet delay is about 5 minutes as discussed above.

In the image below the scan took 1813.61 seconds, close to 30 minutes, to scan 5 ports, and found all 5 open.

Here we can see that every packet got a response even though the firewall rules were in place.

To evade any IPS or firewall this way, remember that scanning with a slower timing template takes much longer than usual. So specify a small number of ports, so that the slow scan does not waste time on ports you do not intend to scan.
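As an added example (not from the original article), here is a Python model of the scenario in this section: a firewall that answers only the first packet per source within a time window, a scanner that re-probes unanswered ports on each retry round, and, on the defender's side, a distinct-port counter that still flags the slow -T1/-T0 scans the rate limit lets through. The rule's refresh-on-every-packet semantics, the retry timing and the port list are assumptions made for the model.

```python
from collections import defaultdict


class FirstPacketPerWindow:
    """Model of the firewall rule used in this article: a source is answered
    only if its previous packet arrived more than `window` seconds earlier.
    Like iptables' recent module with --update, every packet, answered or
    dropped, refreshes the source's last-seen time (assumption about the
    rule's exact semantics; the article only states its effect)."""

    def __init__(self, window):
        self.window = window
        self.last_seen = {}

    def answers(self, src, t):
        prev = self.last_seen.get(src)
        self.last_seen[src] = t
        return prev is None or t - prev > self.window


def simulate_scan(ports, gap, retries, round_gap, window, src="scanner"):
    """Simplified SYN scan behind the rule above: probe every port `gap`
    seconds apart, then re-probe only the unanswered ports on each of
    `retries` further rounds, `round_gap` seconds after the previous round
    (constructed timing; Nmap's real retry backoff is more complex).
    Returns (ports with an accurate open/closed status, probe log)."""
    fw = FirstPacketPerWindow(window)
    known, log, t = set(), [], 0.0
    for _ in range(retries + 1):
        for port in [p for p in ports if p not in known]:
            log.append((t, src, port))
            if fw.answers(src, t):
                known.add(port)
            t += gap
        t += round_gap
    return known, log


def slow_scan_alert(log, window, min_ports):
    """Defender side: flag a source that touches at least `min_ports`
    distinct ports within any `window` seconds, however slowly it probes."""
    by_src = defaultdict(list)
    for t, src, port in sorted(log):
        by_src[src].append((t, port))
    alerts = set()
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - t0 <= window}
            if len(seen) >= min_ports:
                alerts.add(src)
                break
    return alerts


PORTS = [21, 22, 23, 80, 443]   # constructed target port list

if __name__ == "__main__":
    # -T5 burst against the 1-second rule with 2 retries: 3 ports resolved
    known, _ = simulate_scan(PORTS, gap=0.005, retries=2, round_gap=2.0, window=1.0)
    print("T5, max-retries 2:", sorted(known))
    # raising --max-retries to 4 gives every port one answered round
    known, _ = simulate_scan(PORTS, gap=0.005, retries=4, round_gap=2.0, window=1.0)
    print("T5, max-retries 4:", sorted(known))
    # -T1 spacing (15 s) against the 3-second rule: every probe answered...
    known, log = simulate_scan(PORTS, gap=15.0, retries=0, round_gap=0.0, window=3.0)
    print("T1:", sorted(known))
    # ...but a distinct-port counter over an hour still sees the scan
    print("alert:", slow_scan_alert(log, window=3600, min_ports=5))
```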

Author: Deepanshu is a Certified Ethical Hacker and a budding Security researcher.

Understanding Guide for Nmap Ping Scan (Firewall Bypass)

In this article we scan the target machine with the different Nmap ping scans, and confirm the response packets of each scan by analysing the Nmap traffic in Wireshark.

A ping scan in Nmap checks whether the target host is alive. As we know, ping by default sends an ICMP echo request and receives an ICMP echo reply if the system is alive. Nmap's ping scan, by default, instead sends an ARP request and uses the response to decide whether the host is up.

Nmap scans change their behaviour according to the network they are scanning:

  • Scanning a local network: Nmap sends an ARP request with every scan
  • Scanning an external network: Nmap sends the following request packets:
  1. ICMP echo request
  2. ICMP timestamp request
  3. TCP SYN to port 443
  4. TCP ACK to port 80

In this article we use the --disable-arp-ping option to change Nmap's behaviour so that it treats the local network as a public network.

Let’s Start!!

Ping Sweep

To identify live hosts without ARP request packets, Nmap uses the -sP option, known as a Ping Sweep scan. The equivalent -sn flag means "no port scan", also known as a ping scan.

In the image below, 1 host is up. Since we disabled ARP requests for the local network scan with --disable-arp-ping, Nmap treats the target as an external network and behaves as discussed above.

Demonstrating working of Ping Sweep using Wireshark

In the image below you can observe the following request and reply packets between the two IPs:

  1. ICMP echo request
  2. TCP SYN to port 443
  3. TCP ACK to port 80
  4. ICMP timestamp request
  5. ICMP echo reply
  6. TCP RST, ACK to port 443
  7. TCP RST to port 80
  8. ICMP Timestamp Reply

Block Ping Sweep Scan

Now let's add firewall rules in iptables to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which blocks the Ping Sweep scan.

Now repeat the ping sweep scan to identify the live host. In the image below, this time it reports 0 hosts up, meaning the firewall blocked the packets sent by this scan.

Capturing the Ping Sweep request packets in Wireshark again, the image below shows that this time no reply packets were received.

Bypass Ping Sweep Filter using TCP SYN Ping

Now we try to bypass the firewall rules with a ping scan using TCP SYN packets, via the -PS option. -PS sends a TCP SYN packet to port 80 by default; the port can be changed by appending it, e.g. -PS443.

In the image below, it found 1 host up.

The capture below looks like an Nmap stealth scan: it follows the TCP half-open mechanism, where a SYN packet is sent to port 80, a SYN/ACK is received from port 80, and then an RST packet resets the connection.

The difference between the -sP probe to port 80 and the -PS probe to port 80 is as follows:

  • The Ping Sweep scan (-sP) sends a TCP ACK packet to port 80; the hex value of the ACK flag is 10. The host replies with an RST packet, whose hex value is 4.
  • The TCP SYN Ping scan sends a TCP SYN packet to port 80, whose hex value is 2, and receives a SYN/ACK reply whose value is the sum of the two flag values, i.e. 2 + 10 = 12. It therefore bypasses the firewall rule above, which only matches TCP ACK packets on port 80.

Block TCP SYN Ping Scan

Sometimes a network admin applies a filter like the one below in iptables to drop all TCP SYN packets, preventing new TCP connections to any TCP port in the network.

As a result, it blocks Nmap's TCP SYN Ping probes, so they cannot identify whether the host is live.

Now repeat the TCP SYN Ping to identify the live host. In the image below, this time it reports 0 hosts up, meaning the firewall blocked the packets sent by this scan.

Bypass TCP SYN Ping using TCP ACK Ping

To bypass this, we use a ping scan with TCP ACK packets, via the -PA option. -PA sends a TCP ACK packet to port 80 by default; the port can be changed by appending it, e.g. -PA443.

In the image below, it found 1 host up.

In the packets captured by Wireshark below, an ACK packet is sent to port 80 and an RST packet is received from port 80 in reply.

Block TCP ACK Ping Scan

Sometimes a network admin applies a filter like the one below in iptables to drop all TCP ACK packets, which belong to established TCP connections, on every TCP port in the network.

As a result, it blocks Nmap's TCP ACK Ping probes, so they cannot identify whether the host is live.

Now repeat the TCP ACK Ping to identify the live host. In the image below, this time it reports 0 hosts up, meaning the firewall blocked the packets sent by this scan.

Bypass TCP ACK Ping using ICMP Echo

In some scenarios the network admin filters on TCP flags to block unwanted TCP communication; here let's assume the admin has blocked TCP communication by filtering on both the SYN and the ACK flag.

To bypass this rule, we use a ping scan with ICMP packets, via the -PE option. -PE sends an ICMP echo request packet [ICMP type 8] and expects an ICMP echo reply packet [ICMP type 0].

In the image below, it found 1 host up.

Block ICMP Echo Ping Scan

Usually most network admins apply an ICMP filter on their network so that other systems or networks cannot ping it.

As a result, it blocks Nmap's ICMP echo Ping probes, so they cannot identify whether the host is live.

Now repeat the ICMP Ping to identify the live host. In the image below, this time it reports 0 hosts up, meaning the firewall blocked the packets sent by this scan.

Capturing the Nmap ICMP echo Ping in Wireshark shows only the ICMP request packet on the network, with no reply packet from the host, as shown in the image below.

Bypass ICMP Echo Ping using ICMP Timestamp Ping

To bypass this rule, we use a ping scan with a different ICMP type, via the -PP option. -PP sends an ICMP timestamp request packet [ICMP type 13] and expects an ICMP timestamp reply packet [ICMP type 14].

In the image below, it found 1 host up.

Capturing the Nmap ICMP timestamp Ping in Wireshark shows the ICMP timestamp request sent on the network and the timestamp reply received from the host, as shown in the image below.

Block ICMP Ping Scan

It is also possible that the network admin has blocked all ICMP message types by dropping every ICMP packet with the following iptables filter.

As a result, it blocks Nmap's ICMP Ping probes, so they cannot identify whether the host is live.

Now repeat the ICMP Ping, with either -PP or -PE, to identify the live host. In the image below, this time it reports 0 hosts up, meaning the firewall blocked the packets sent by this scan.

Bypass ICMP Ping Scan using UDP Ping

We have seen multiple ways to check whether a system is live, so you can now determine whether a system is up on either a local or a public network.

We observed that ICMP ping scans fail, and that when a TCP packet filter is also enabled on the host network it becomes difficult to identify live hosts. To bypass such rules we use a ping scan with UDP packets, via the -PU option.

-PU sends a UDP packet; when no port is specified the default is 40125. A reply such as an ICMP "destination unreachable" message means the host is live.

In the image below, it found 1 host up.

Capturing the Nmap UDP Ping in Wireshark shows the UDP packet sent to port 40125 and the ICMP destination unreachable reply from the host, as shown in the image below.

Block UDP and Ping Sweep

Now let's add firewall rules in iptables to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which blocks the Ping Sweep scan, and also drop UDP packets. The admin might even have blocked all TCP packets.

As a result, Nmap's TCP Ping, ICMP Ping and UDP Ping are all blocked, so it cannot identify whether the host is live.

Now repeat the UDP Ping to identify the live host. In the image below, this time it reports 0 hosts up, meaning the firewall blocked the packets sent by this scan.

Bypass UDP and Ping Sweep using Protocol Scan

Using a Protocol Ping scan we can identify live hosts when ICMP, TCP and UDP are all blocked; for that we use the -PO option. -PO sends IP packets with the specified protocol number in the IP header. If no protocols are specified, the default is to send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2) and IP-in-IP (protocol 4).

In the image below, it found 1 host up.

In the Wireshark image below we can observe the following sequence for the Protocol Ping scan:

  • Send ICMP Echo to host network
  • Send IGMP query to host network
  • Send IPv4 (IP-in-IP) to host network
  • Received ICMP Destination unreachable as the reply from Host

Block IP Protocol Ping Scan

Now let's add firewall rules in iptables to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80 (which blocks the Ping Sweep scan), and also drop UDP packets and the IP protocols used above, to protect the network from any kind of ping scan. The admin might even have blocked all TCP packets.

As a result, Nmap's TCP Ping, ICMP Ping, UDP Ping and Protocol Ping are all blocked, so it cannot identify whether the host is live.

Now repeat the Protocol Ping to identify the live host. In the image below, this time it reports 0 hosts up, meaning the firewall blocked the packets sent by this scan.

Bypass IP protocol Ping using No Ping Scan

When all of the above ping scans fail to identify whether the host is up, we choose the last and best option, "No Ping", using -PN/-P0/-Pn, which skips host discovery and simply performs a TCP port scan of the top 1000 ports.

If you want to skip the port scan as well as the ping, combine the ping sweep with no ping as shown below to identify whether the host is up or down.

In the image below, it found 1 host up.
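As an added example (not the article's own code), this Python snippet models the host-discovery probe sets and iptables filters walked through above, so a defender can check which Nmap discovery options a given set of drop rules still answers. The probe sets follow the article's descriptions; the rule matchers and the filter combinations are constructed simplifications, and -Pn is not modelled because it skips discovery entirely.

```python
# Host-discovery probes used in this article (with --disable-arp-ping, so
# Nmap uses its external-network probe set).  A probe is (proto, detail, port):
# detail is a TCP flag name, an ICMP type, or an IP protocol number.
PROBE_SETS = {
    "-sn": [("icmp", 8, None), ("icmp", 13, None),
            ("tcp", "SYN", 443), ("tcp", "ACK", 80)],
    "-PS": [("tcp", "SYN", 80)],
    "-PA": [("tcp", "ACK", 80)],
    "-PE": [("icmp", 8, None)],
    "-PP": [("icmp", 13, None)],
    "-PU": [("udp", None, 40125)],
    # -PO: ICMP (protocol 1), IGMP (2) and IP-in-IP (4)
    "-PO": [("icmp", 8, None), ("ip", 2, None), ("ip", 4, None)],
}


def drop(proto, detail=None, port=None):
    """iptables-style DROP rule as a matcher; None means 'any' (constructed)."""
    def matches(probe):
        p, d, pt = probe
        return p == proto and detail in (None, d) and port in (None, pt)
    return matches


def passes(probe, rules):
    """A probe reaches the host only if no DROP rule matches it."""
    return not any(rule(probe) for rule in rules)


def host_found(option, rules):
    """Nmap reports the host up if at least one probe of the option gets through."""
    return any(passes(probe, rules) for probe in PROBE_SETS[option])


def discovery_report(rules):
    """Which discovery options would still find a host behind these rules."""
    return {opt: host_found(opt, rules) for opt in PROBE_SETS}


# Filter sets from this article (constructed matchers, not real iptables lines).
PING_SWEEP_FILTER = [drop("icmp"), drop("tcp", "SYN", 443), drop("tcp", "ACK", 80)]
TCP_FLAG_FILTER = [drop("tcp", "SYN"), drop("tcp", "ACK")]
ALL_BUT_PROTO = PING_SWEEP_FILTER + [drop("tcp"), drop("udp")]
EVERYTHING = ALL_BUT_PROTO + [drop("ip")]

if __name__ == "__main__":
    for name, rules in [("ping sweep filter", PING_SWEEP_FILTER),
                        ("SYN+ACK filter", TCP_FLAG_FILTER),
                        ("all but IP protocols", ALL_BUT_PROTO),
                        ("everything", EVERYTHING)]:
        found = [o for o, up in discovery_report(rules).items() if up]
        print(f"{name}: host still found by {found or 'nothing (only -Pn)'}")
```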

Author: Deepanshu is a Certified Ethical Hacker and a budding Security researcher.

Comprehensive Guide on Nmap Port Status

Hello friends, you have probably used Nmap many times to perform network scanning and enumerate the active port services of a target machine, but in some scenarios you do not get a simple answer as to whether a port is open or closed.

Let’s Begin

Requirement

  • Attacker’s IP:  192.168.1.109 [Kali Linux]
  • Target’s IP: 192.168.1.119 [Ubuntu]

The states of ports are not their intrinsic properties; they describe how Nmap sees them. Nmap divides ports into six states:

  1. Open: This state means that an application on the target machine is listening for connections/packets on that port.
  2. Closed: This state means the port has no application listening on it, though it could open up at any time.
  3. Filtered: This state means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.
  4. Unfiltered: Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed.
  5. Open/Filtered: This indicates that the port is either filtered or open, but Nmap could not establish which.
  6. Closed/Filtered: This indicates that the port is either filtered or closed, but Nmap could not establish which.

Open Port

In this case a service or application on the port is actively accepting TCP or UDP connections. We send TCP packets to port 80 of the target machine and find that the port is open.

Looking at Wireshark, we find that the three-way handshake proceeds as follows:

  • Nmap sends a SYN packet to port 80
  • Nmap receives a SYN, ACK packet in response from port 80, which means port 80 is open
  • Nmap sends an RST packet

Closed Port

In this case the port is accessible but no application is listening on it. A closed port replies with an RST, ACK packet when it receives a TCP SYN packet.

Now we use a SYN scan to send TCP SYN packets to port 80 of the target machine and find that the port is closed. That is because as soon as it receives the TCP SYN packet it sends back a TCP RST, ACK packet.

Checking Wireshark for more detail: as expected, as soon as the target machine received the TCP SYN packet it replied with a TCP RST, which Nmap interpreted as the port being closed.

  • Nmap sends a SYN packet to port 80
  • Nmap receives an RST, ACK packet in response from port 80, which means port 80 is closed

Filtered Port

In this case Nmap is unable to determine whether a port is open because packet filtering prevents the probes from reaching it. When a probe is dropped, Nmap retries several times in case the probe was lost to network congestion rather than filtering. This slows down the scan dramatically.

Let's use iptables to drop TCP packets on the target machine.

Now when we scan the target machine, our packets are dropped as soon as the target receives them.

In the image below, port 80 is now shown in the state "filtered".

Looking at Wireshark, we find that when Nmap sends the TCP SYN packet we get no reply from the target machine. This means that a packet filter or firewall is dropping our packets.

Unfiltered Port

The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

We use iptables on the target machine to drop any TCP packet arriving at port 80.

Now we use an Nmap ACK scan against the target machine to check whether a firewall is present.

As seen in the image below, the port without a firewall rule shows as unfiltered, since Nmap cannot determine whether it is open or closed.

In Wireshark we see that for port 22 we get an RST packet, whereas for port 80 the packet is dropped by the target machine.

Open|Filtered Port

In this case nmap is unable to determine if a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

Let's use an Nmap Xmas scan against the target machine.

As we can see, the Nmap scan reports the port as open|filtered.

Checking Wireshark to analyse the packets sent by Nmap, we see that no reply is received even though the port is open.

Closed|Filtered Port

This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

We use iptables on the target machine to drop incoming TCP packets.

We then run an IP ID idle scan against the target machine using 192.168.1.107 as our zombie.

As we can see, the idle scan via the zombie reports state closed|filtered for port 80.

An idle scan consists of three steps that are repeated for each port:

  1. Probe the zombie’s IP ID and record it.
  2. Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target's reaction may or may not cause the zombie's IP ID to be incremented.
  3. Probe the zombie’s IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.

We check Wireshark and can follow the entire process.
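Added example, not part of the original articles: a small Python classifier that decodes the hex TCP flag values quoted in the ping-scan article (ACK 10, SYN 2, RST 4, SYN/ACK 12) and maps each probe/reply pair to the Nmap port state described in this article. The sample observations are constructed to mirror the captures discussed; the idle-scan state is not modelled.

```python
# TCP flag bits as shown in Wireshark's hex "Flags" field.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_to_names(value):
    """0x12 -> {'SYN', 'ACK'}: a combined flag value is the sum of its bits,
    as worked out for the SYN/ACK reply in the ping-scan article."""
    return {name for name, bit in FLAG_BITS.items() if value & bit}


def names_to_value(names):
    """{'FIN', 'PSH', 'URG'} -> 0x29, the Xmas probe."""
    return sum(FLAG_BITS[n] for n in names)


def port_state(scan, reply):
    """Nmap port state for one probe, per the rules in this article.
    scan: 'syn', 'ack' or 'xmas'; reply: hex flag value of the TCP reply,
    or None if nothing came back (dropped by a filter, or a silent port)."""
    if reply is None:
        # SYN/ACK scans: no answer means a filter dropped the probe.
        # Xmas (like FIN/NULL): an open port is silent too, so it is ambiguous.
        return "open|filtered" if scan == "xmas" else "filtered"
    names = flags_to_names(reply)
    if scan == "syn" and names == {"SYN", "ACK"}:
        return "open"
    if scan in ("syn", "xmas") and "RST" in names:
        return "closed"
    if scan == "ack" and "RST" in names:
        return "unfiltered"   # responsive, but open vs closed unknown
    raise ValueError(f"unexpected reply {reply:#x} to a {scan} probe")


def classify_capture(exchanges):
    """Reduce a list of (scan, port, reply) observations to (scan, port, state)."""
    return [(scan, port, port_state(scan, reply)) for scan, port, reply in exchanges]


# Constructed observations mirroring the captures discussed in this article.
SAMPLE = [
    ("syn", 80, 0x12),    # SYN -> SYN/ACK: open
    ("syn", 80, 0x14),    # SYN -> RST/ACK: closed
    ("syn", 80, None),    # SYN dropped by iptables: filtered
    ("ack", 22, 0x04),    # ACK -> RST: unfiltered
    ("ack", 80, None),    # ACK dropped: filtered
    ("xmas", 80, None),   # Xmas, no reply: open|filtered
]

if __name__ == "__main__":
    for scan, port, state in classify_capture(SAMPLE):
        print(f"{scan:4s} scan, port {port}: {state}")
```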

Source: https://nmap.org/book/man.html

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.