Understanding Guide for Nmap Ping Scan (Firewall Bypass)

In this article we scan the target machine with the different Nmap ping (host discovery) scans and confirm the request and reply packets of each scan by analysing the Nmap traffic in Wireshark.

A ping scan in Nmap checks whether the target host is alive. An ordinary ping sends an ICMP echo request and gets an ICMP echo reply back if the system is alive. Nmap's ping scan, however, sends an ARP request by default whenever the target is on the local Ethernet segment, and takes the ARP reply as proof that the host is up.

Nmap changes its host discovery behaviour according to the network it is scanning:

  • When scanning the local network, Nmap sends an ARP request with every scan.
  • When the target is on an external network (or ARP is disabled), a privileged Nmap sends the following request packets:
  1. ICMP echo request
  2. ICMP timestamp request
  3. TCP SYN to port 443
  4. TCP ACK to port 80

In this article we use the --disable-arp-ping option to change that behaviour, so that Nmap treats the local network like a public one and we can observe the non-ARP probes.

Let’s Start!!

Ping Sweep

To identify live hosts without ARP request packets Nmap uses the -sn option, which means "no port scan" and is known as a ping scan or ping sweep; -sP is the older name for the same option.

From the image below you can observe that it found 1 host up. Since we disabled the ARP request for local network scans with --disable-arp-ping, Nmap treats the target as an external host and behaves as discussed above.

Demonstrating working of Ping Sweep using Wireshark

From the image below you can observe the following request and reply packets between the two IP addresses:

  1. ICMP echo request
  2. TCP SYN to port 443
  3. TCP ACK to port 80
  4. ICMP timestamp request
  5. ICMP echo reply
  6. TCP RST, ACK to port 443
  7. TCP RST to port 80
  8. ICMP Timestamp Reply

Block Ping Sweep Scan

Now let's add some iptables rules to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which blocks every probe the ping sweep sends.

Now repeat the ping sweep to identify the state of the host. From the image below you can observe that this time it reports 0 hosts up, which means the firewall dropped the packets sent by this scan.

Capturing the request packets of the ping sweep with Wireshark again, you will notice in the image below that this time no reply packet was received.

Bypass Ping Sweep Filter using TCP SYN Ping

Now we try to bypass the firewall rules with a ping scan that uses TCP SYN packets: the -PS option. -PS sends a TCP SYN packet to port 80 by default; the port can be changed by appending it to the option, e.g. -PS443.

From the image below you can observe that it found 1 host up.

From the image below you can observe that the capture looks like an Nmap SYN (stealth) scan: it follows the TCP half-open mechanism, where a SYN is sent to port 80, a SYN/ACK comes back from port 80 and Nmap then sends a RST to tear the connection down.

The difference between the -sn probe to port 80 and the -PS probe to port 80 is the following:

  • The ping sweep [-sn] sends a TCP ACK packet to port 80, whose flags field has the hex value 0x10; the host replies with a RST packet, whose flags value is 0x04.
  • The TCP SYN ping sends a TCP SYN packet to port 80, flags value 0x02, and receives a SYN/ACK whose flags value is the sum of the two bits, 0x02 + 0x10 = 0x12. Because the firewall rule above only drops ACK packets to port 80, the SYN probe passes it.

Block TCP SYN Ping Scan

Sometimes a network admin applies a filter like the one shown below, using iptables to drop every TCP SYN packet so that no new TCP connection can be initiated to any TCP port in their network.

As a result it blocks the Nmap TCP SYN ping probes, so Nmap can no longer determine whether the host is up.

Now repeat the TCP SYN ping to identify the state of the host. From the image below you can observe that this time it reports 0 hosts up, which means the firewall dropped the packets sent by this scan.

Bypass TCP SYN Ping using TCP ACK Ping

To bypass this we use a ping scan with TCP ACK packets: the -PA option. -PA sends a TCP ACK packet to port 80 by default; the port can be changed by appending it, e.g. -PA443.

From the image below you can observe that it found 1 host up.

In the packets captured by Wireshark below you will find that an ACK packet is sent to port 80 and a RST packet comes back from port 80. A host answers a stray ACK with a RST whether the port is open or closed, which is why the ACK ping reports the host up regardless of the port state.

Block TCP ACK Ping Scan

Sometimes a network admin applies a filter like the one shown below, using iptables to drop every TCP ACK packet, so that no established TCP connection can carry data to any TCP port in their network. Note that such a rule also breaks legitimate connections, since every segment after the handshake carries the ACK flag, so outside a lab it is rarely seen in this form.

As a result it blocks the Nmap TCP ACK ping probes, so Nmap can no longer determine whether the host is up.

Now repeat the TCP ACK ping to identify the state of the host. From the image below you can observe that this time it reports 0 hosts up, which means the firewall dropped the packets sent by this scan.

Bypass TCP ACK Ping using ICMP Echo

In some scenarios the network admin filters on TCP flags to resist unwanted TCP communication; here let's consider that the admin has blocked TCP communication by filtering on both the SYN and the ACK flag.

To bypass this rule we use a ping scan with ICMP packets: the -PE option. -PE sends an ICMP echo request packet [ICMP type 8] and expects an ICMP echo reply packet [ICMP type 0].

From the image below you can observe that it found 1 host up.

Block ICMP Echo Ping Scan

Most network admins filter ICMP echo requests so that other systems or networks cannot ping their network.

As a result it blocks the Nmap ICMP echo ping probes, so Nmap can no longer determine whether the host is up.

Now repeat the ICMP echo ping to identify the state of the host. From the image below you can observe that this time it reports 0 hosts up, which means the firewall dropped the packets sent by this scan.

Capturing the Nmap ICMP echo ping with Wireshark shows only the ICMP echo request on the network and no reply packet from the host, as shown in the image below.

Bypass ICMP Echo Ping using ICMP Timestamp Ping

To bypass this rule we use a ping scan with a different ICMP message: the -PP option. -PP sends an ICMP timestamp request packet [ICMP type 13] and expects an ICMP timestamp reply packet [ICMP type 14]. This only works when the filter matches echo requests specifically rather than all ICMP traffic.

From the image below you can observe that it found 1 host up.

Capturing the Nmap ICMP timestamp ping with Wireshark shows the ICMP timestamp request sent to the network and the timestamp reply received from the host, as shown in the image below.

Block ICMP Ping Scan

It is also possible that the network admin has blocked every type of ICMP message by dropping all ICMP packets with the iptables filter shown below.

As a result it blocks the Nmap ICMP ping probes, so Nmap can no longer determine whether the host is up.

Now repeat the ICMP ping with either -PP or -PE to identify the state of the host. From the image below you can observe that this time it reports 0 hosts up, which means the firewall dropped the packets sent by this scan.

Bypass ICMP Ping Scan using UDP Ping

We have now seen several ways to check whether a system is live, on the local network as well as on a public one.

We have also seen that when the ICMP pings fail, and TCP packet filters are enabled on the host network as well, it becomes difficult to identify the live host. To bypass such rules we use a ping scan with UDP packets: the -PU option.

-PU sends a UDP packet; when no port is specified the default is 40125, chosen because it is almost certainly closed. A closed UDP port on a live host answers with an ICMP port unreachable message (type 3, code 3), which tells Nmap the host is live. An open UDP port would usually ignore the empty packet and give nothing away, so the probe relies on hitting a closed port.

From the image below you can observe that it found 1 host up.

Capturing the Nmap UDP ping with Wireshark shows the UDP packet sent to port 40125 and the ICMP destination (port) unreachable reply from the host, as shown in the image below.

Block UDP and Ping Sweep

Now let's add iptables rules to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which blocks the ping sweep, and additionally drop UDP packets. The network admin might also have blocked TCP entirely.

As a result it resists Nmap's TCP ping, ICMP ping and UDP ping, so Nmap can no longer determine whether the host is up.

Now repeat the UDP ping to identify the state of the host. From the image below you can observe that this time it reports 0 hosts up, which means the firewall dropped the packets sent by this scan.

Bypass UDP and Ping Sweep using Protocol Scan

With the IP protocol ping we can identify a live host even when ICMP, TCP and UDP have been blocked: the -PO option. -PO sends IP packets with the specified protocol number in the IP header. If no protocols are given, the default is to send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2) and IP-in-IP (protocol 4). The host is considered up if it answers with the same protocol or with an ICMP protocol unreachable error (type 3, code 2), which a host sends for a protocol it does not support.

From the image below you can observe that it found 1 host up.

From the Wireshark image below we can observe the following sequence for the protocol ping:

  • An ICMP echo (protocol 1) is sent to the host
  • An IGMP query (protocol 2) is sent to the host
  • An IPv4 (IP-in-IP, protocol 4) packet is sent to the host
  • An ICMP destination unreachable is received from the host in reply

Block IP Protocol Ping Scan

Now let's add iptables rules to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80 (blocking the ping sweep), UDP packets, and the IP protocols used by the protocol ping, to protect the network from every kind of ping scan. The network admin might also have blocked TCP entirely.

As a result it resists Nmap's TCP ping, ICMP ping, UDP ping and protocol ping, so Nmap can no longer determine whether the host is up.

Now repeat the protocol ping to identify the state of the host. From the image below you can observe that this time it reports 0 hosts up, which means the firewall dropped the packets sent by this scan.

Bypass IP protocol Ping using No Ping Scan

When all the ping scans above fail to tell whether the host is up or down, we choose the last and best option, "No Ping": -Pn (older releases spelled it -PN or -P0). Nmap then skips host discovery, assumes every target is up and goes straight to a port scan of the top 1000 TCP ports; any port that answers proves the host is alive, at the cost of also scanning hosts that may not exist.

If you want to skip the port scan as well, combine the ping sweep with no ping (-sn -Pn) as shown below: Nmap then sends no probes at all and simply lists each target as up, so the result says nothing about whether the host really answers.

From the image below you can observe that it found 1 host up.
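To make the pattern behind this whole sequence explicit, here is an added Python example (not code from the original article) that models each nmap ping option as the set of probes nmap(1) documents for it, and each "Block ..." stage above as a list of iptables-style DROP rules matched on IP protocol, TCP flag, port and ICMP type. It assumes the privileged probe sets with --disable-arp-ping, that the lab host answers every probe that reaches it, and that the replies themselves are not filtered; the stage names and the -Pn fallback are taken from the walkthrough above.

```python
"""Host-discovery probes versus drop rules: a model of the bypass sequence above.

Added example, not code from the original article. It encodes the probe sets
that nmap(1) documents for each ping option (privileged scan, --disable-arp-ping,
so no ARP is used) and a minimal model of iptables DROP rules. A host counts as
"up" as soon as one probe is not dropped, assuming the lab host answers every
probe that reaches it and that replies are not filtered, which is what the
Wireshark captures in the article rely on.
"""
from dataclasses import dataclass
from typing import List, Optional

ICMP, IGMP, IPIP, TCP, UDP = 1, 2, 4, 6, 17   # IP protocol numbers


@dataclass(frozen=True)
class Probe:
    ip_proto: int
    tcp_flags: Optional[str] = None    # "SYN" or "ACK" for TCP probes
    port: Optional[int] = None         # destination port for TCP/UDP probes
    icmp_type: Optional[int] = None    # 8 = echo request, 13 = timestamp request


# Probes sent per option: -sn is the privileged default set, the others use their default ports.
PROBE_SETS = {
    "-sn": [Probe(ICMP, icmp_type=8), Probe(TCP, "SYN", 443),
            Probe(TCP, "ACK", 80), Probe(ICMP, icmp_type=13)],
    "-PS": [Probe(TCP, "SYN", 80)],
    "-PA": [Probe(TCP, "ACK", 80)],
    "-PE": [Probe(ICMP, icmp_type=8)],
    "-PP": [Probe(ICMP, icmp_type=13)],
    "-PU": [Probe(UDP, port=40125)],
    "-PO": [Probe(ICMP, icmp_type=8), Probe(IGMP), Probe(IPIP)],
}
BYPASS_ORDER = ["-sn", "-PS", "-PA", "-PE", "-PP", "-PU", "-PO"]


@dataclass(frozen=True)
class DropRule:
    """One `iptables -A INPUT ... -j DROP` rule; a None field matches anything."""
    ip_proto: Optional[int] = None
    tcp_flags: Optional[str] = None
    port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, probe: Probe) -> bool:
        return all(want is None or want == got for want, got in (
            (self.ip_proto, probe.ip_proto), (self.tcp_flags, probe.tcp_flags),
            (self.port, probe.port), (self.icmp_type, probe.icmp_type)))


# Rule sets for each "Block ..." stage of the walkthrough; each stage stands on its own.
STAGES = {
    "ping sweep blocked": [DropRule(ICMP), DropRule(TCP, "SYN", 443), DropRule(TCP, "ACK", 80)],
    "all TCP SYN dropped": [DropRule(TCP, "SYN")],
    "all TCP ACK dropped": [DropRule(TCP, "ACK")],
    "ICMP echo dropped": [DropRule(ICMP, icmp_type=8)],
    "all ICMP dropped": [DropRule(ICMP)],
    "ICMP, TCP and UDP dropped": [DropRule(ICMP), DropRule(TCP), DropRule(UDP)],
    "all protocols dropped": [DropRule(ICMP), DropRule(TCP), DropRule(UDP),
                              DropRule(IGMP), DropRule(IPIP)],
}


def surviving_probes(option: str, rules: List[DropRule]) -> List[Probe]:
    """Probes of `option` that no rule drops, i.e. the ones that will draw a reply."""
    return [p for p in PROBE_SETS[option] if not any(r.matches(p) for r in rules)]


def host_is_up(option: str, rules: List[DropRule]) -> bool:
    return bool(surviving_probes(option, rules))


def first_working_option(rules: List[DropRule]) -> str:
    """Walk the article's bypass order; fall back to -Pn (skip discovery, port-scan anyway)."""
    for option in BYPASS_ORDER:
        if host_is_up(option, rules):
            return option
    return "-Pn"


if __name__ == "__main__":
    for stage, rules in STAGES.items():
        print(f"{stage:28s} -> first option reporting host up: {first_working_option(rules)}")
```

Running the file prints, for each stage, the first option in the article's bypass order that still reports the host up. The same matching logic explains why -PS passes a rule written only for ACK packets to port 80, why -PP survives a filter that matches echo requests but not one that drops all ICMP, and why the protocol ping keeps working until IGMP and IP-in-IP are dropped as well.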

Author:  Deepanshu is a Certified Ethical Hacker and a budding Security researcher. Contact here.

Comprehensive Guide on Nmap Port Status

Hello friends, you have probably used Nmap many times to enumerate the active port services of a target machine, but in some scenarios you do not get a simple answer saying whether a port is open or closed.

Let’s Begin

Requirement

  • Attacker’s IP:  192.168.1.109 [Kali Linux]
  • Target’s IP: 192.168.1.119 [Ubuntu]

The states of ports are not intrinsic properties; they describe how Nmap sees them. Nmap divides ports into six states:

  1. Open: an application on the target machine is listening for connections/packets on that port.
  2. Closed: the port is reachable and responds to Nmap's probes, but no application is listening on it; it could open up at any time.
  3. Filtered: a firewall, filter or other network obstacle is blocking the port, so Nmap cannot tell whether it is open or closed.
  4. Unfiltered: the port responds to Nmap's probes, but Nmap cannot determine whether it is open or closed.
  5. Open|Filtered: the port is either open or filtered, but Nmap cannot establish which.
  6. Closed|Filtered: the port is either closed or filtered, but Nmap cannot establish which.

Open Port

In this case a service or application on the port is actively accepting TCP connections or UDP packets. We send a TCP SYN packet to port 80 of the target machine and find that the port is open.

Looking at Wireshark we find the half-open handshake shown below:

  • Nmap sends a SYN packet to port 80
  • Nmap receives a SYN/ACK packet from port 80, which shows that port 80 is open
  • Nmap sends a RST packet instead of the final ACK, so the connection is never completed

Closed Port

In this case the port is reachable but no application is listening on it. A closed port answers a TCP SYN packet with a RST/ACK packet.

Now we use a SYN scan to send a TCP SYN packet to port 80 of the target machine and find that the port is closed, because as soon as the target receives the SYN it sends back a TCP RST/ACK.

Wireshark confirms it: as expected, as soon as the target machine received the TCP SYN it replied with a TCP RST/ACK, and Nmap interpreted that as a closed port.

  • Nmap sends a SYN packet to port 80
  • Nmap receives a RST/ACK packet from port 80, which shows that port 80 is closed

Filtered Port

In this case Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. When a probe draws no answer Nmap retries several times, in case the probe was dropped by network congestion rather than by a filter. This slows the scan down dramatically.

Let's use iptables on the target machine to drop incoming TCP packets.

Now when we scan the target machine, the packets are dropped as soon as the target receives them.

From the image below you can observe that it now shows the state "filtered" for port 80.

Looking at Wireshark we find that when Nmap sends the TCP SYN packet there is no reply from the target machine at all, which means a packet filter or firewall is dropping our packets.

Unfiltered Port

The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types, such as the Window scan, SYN scan or FIN scan, may help resolve whether the port is open.

We use iptables on the target machine to drop any TCP packet arriving at port 80.

Now we use an Nmap ACK scan against the target machine to check whether there is a firewall in front of the ports.

As we can see in the image below, the port without a firewall rule (22) shows as unfiltered, since Nmap cannot tell whether it is open or closed, while port 80 shows as filtered.

In Wireshark we can see that for port 22 we get a RST packet back, whereas for port 80 the packet is dropped by the target machine and nothing comes back.

Open|Filtered Port

In this case Nmap is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited, so Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL and Xmas scans classify ports this way.

Let's use an Nmap Xmas scan (FIN, PSH and URG set) against the target machine.

As we can see, the scan shows the port as open|filtered.

Checking the packets sent by Nmap in Wireshark, we can see that we get no reply even though the port is open: an open port silently ignores a packet with FIN, PSH and URG set, exactly as a dropping filter would.

Closed|Filtered Port

This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

We use iptables on the target machine to drop incoming TCP packets.

We run an IP ID idle scan against the target machine using 192.168.1.107 as our zombie.

As we can see, the idle scan through the zombie shows the state closed|filtered for port 80.

An idle scan consists of three steps that are repeated for each port:

  1. Probe the zombie's IP ID and record it.
  2. Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target's reaction may or may not cause the zombie's IP ID to be incremented.
  3. Probe the zombie's IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1: an increase of 2 means the target sent the zombie a SYN/ACK, which the zombie answered with a RST (open); an increase of 1 means the zombie received either a RST or nothing at all, and since it cannot tell those two apart Nmap reports closed|filtered.

In Wireshark we can follow the entire process.
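The decision rules behind all six states, as an added Python example that is not part of the original article: the mapping from each scan type's possible replies to the state Nmap reports, taken from the Nmap reference guide the article cites, plus the IP ID arithmetic of the idle scan described in the three steps above. The responses are modelled as small tuples constructed for the example; the ICMP type 3 codes are those listed in the reference guide.

```python
"""Nmap's response-to-port-state rules, one decision per branch.

Added example, not code from the original article. The mapping follows the port
scanning chapter of the Nmap reference guide (nmap.org/book/man.html) cited
above. A response is modelled as ("syn-ack",), ("rst",), ("udp",) or
("icmp", type, code); None means no reply after Nmap's retries.
"""

# ICMP type 3 codes that Nmap reports as "filtered" for TCP probes ...
TCP_UNREACH_FILTERED = {0, 1, 2, 3, 9, 10, 13}
# ... and for UDP probes, where code 3 (port unreachable) instead proves the port closed.
UDP_UNREACH_FILTERED = {1, 2, 9, 10, 13}


def _icmp_unreachable(response, codes):
    return (response is not None and response[0] == "icmp"
            and response[1] == 3 and response[2] in codes)


def port_state(scan, response):
    """State Nmap prints for `scan` (syn, connect, ack, fin, null, xmas, maimon, udp)."""
    kind = response[0] if response else None
    if scan in ("syn", "connect"):
        if kind == "syn-ack":
            return "open"
        if kind == "rst":
            return "closed"
        return "filtered"          # silence after retries, or an ICMP unreachable error
    if scan == "ack":
        if kind == "rst":
            return "unfiltered"    # reachable, but open and closed ports both answer RST
        return "filtered"
    if scan in ("fin", "null", "xmas", "maimon"):
        if kind == "rst":
            return "closed"
        if _icmp_unreachable(response, TCP_UNREACH_FILTERED):
            return "filtered"
        return "open|filtered"     # an open port and a dropping filter both stay silent
    if scan == "udp":
        if kind == "udp":
            return "open"
        if _icmp_unreachable(response, {3}):
            return "closed"
        if _icmp_unreachable(response, UDP_UNREACH_FILTERED):
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unsupported scan type: {scan!r}")


def idle_scan_state(ipid_before, ipid_after):
    """Port state from the zombie's IP ID in step 1 and step 3 of the idle scan."""
    delta = (ipid_after - ipid_before) & 0xFFFF   # the IP ID counter wraps at 16 bits
    if delta == 2:
        return "open"              # target sent SYN/ACK; zombie's RST (+1) plus our probe reply (+1)
    if delta == 1:
        return "closed|filtered"   # zombie got a RST or nothing; only our second probe bumped it
    return "unknown"               # zombie is busy or its IP ID is not incremental


# The cases shown in this article, constructed from the captures described above.
ARTICLE_CASES = [
    ("Open Port", "syn", ("syn-ack",)), ("Closed Port", "syn", ("rst",)),
    ("Filtered Port", "syn", None), ("Unfiltered Port (22)", "ack", ("rst",)),
    ("Unfiltered Port (80)", "ack", None), ("Open|Filtered Port", "xmas", None),
]

if __name__ == "__main__":
    for section, scan, reply in ARTICLE_CASES:
        print(f"{section:22s} {scan:5s} {reply!s:14s} -> {port_state(scan, reply)}")
    print(f"{'Closed|Filtered Port':22s} idle  IP ID +1       -> {idle_scan_state(4217, 4218)}")
```

The function also covers the UDP branch the text mentions but does not demonstrate: only a port unreachable (type 3, code 3) proves a UDP port closed, while the other unreachable codes mean a filter is in the way.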

Source: https://nmap.org/book/man.html

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Nmap Scans using Hex Value of Flags

In this article we scan the target machine by sending TCP flags specified through their hexadecimal value (Nmap's --scanflags option) and confirm the actual flag names by analysing the Nmap traffic in Wireshark.

Let's have a look at the hex value of each TCP flag in the table below; these are the values we will pass to Nmap for port enumeration.

  Flag   Hex value
  FIN    0x01
  SYN    0x02
  RST    0x04
  PSH    0x08
  ACK    0x10
  URG    0x20

Note that --scanflags only sets the flags in the probe: Nmap still interprets the replies according to its base scan type, which is the SYN scan unless another one (-sA, -sF, ...) is given with it. That is why, in the results below, silence from the open port 21 is reported as filtered and a RST as closed.

NULL Scan

In this scan we send a TCP packet with no flags set (the NULL scan), using the hexadecimal value 0x00, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered: an open port ignores a packet carrying none of SYN, ACK or RST, and under the SYN-scan interpretation that silence counts as filtered.

When the network admin captures the incoming traffic they will see a TCP packet with no flags; using Wireshark for packet analysis we find it shows a TCP packet with flags value 0x00 coming from 192.168.1.104 to port 21, as shown in the image below.

FIN Scan

The TCP FIN flag is used to finish the communication with the target. In this scan we send a TCP packet with the FIN flag, using its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic they will see a TCP FIN packet; using Wireshark for packet analysis we find it shows a TCP FIN packet with flags value 0x01 coming from 192.168.1.104 to port 21, as shown in the image below.

SYN Scan

The TCP SYN flag initiates communication to establish a connection with the target. In this scan we send a TCP packet with the SYN flag, using its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that we have successfully found port 21 open, since the SYN drew a SYN/ACK from the target.

When the network admin captures the incoming traffic they will see a TCP SYN packet; using Wireshark for packet analysis we find it shows a TCP SYN packet with flags value 0x02 coming from 192.168.1.104 to port 21, as shown in the image below.

Reset Scan

The RST flag is used to reset the connection between the sender and the target machine. In this scan we send a TCP packet with the RST flag, using its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered. A bare RST is never answered, whatever the port state, so this probe cannot distinguish open, closed and filtered ports.

When the network admin captures the incoming traffic they will see a TCP RST packet; using Wireshark for packet analysis we find it shows a TCP RST packet with flags value 0x04 coming from 192.168.1.104 to port 21, as shown in the image below.

PUSH Scan

In this scan we send a TCP packet with the PSH flag, using its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic they will see a TCP PSH packet; using Wireshark for packet analysis we find it shows a TCP PSH packet with flags value 0x08 coming from 192.168.1.104 to port 21, as shown in the image below.

The PSH flag asks the receiving TCP stack to hand the data in the segment to the application immediately rather than buffering it.

ACK Scan

The ACK flag acknowledges data received from the other side: the acknowledgement number tells the sender which byte is expected next, and data that is never acknowledged is retransmitted. Here we send a TCP packet with the ACK flag, using its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as closed, because the target answered the unexpected ACK with a RST and the SYN-scan interpretation treats a RST as closed.

When the network admin captures the incoming traffic they will see a TCP ACK packet; using Wireshark for packet analysis we find it shows a TCP ACK packet with flags value 0x10 coming from 192.168.1.104 to port 21, as shown in the image below.

Open and closed ports will both return an RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered. (From Nmap.org, describing the ACK scan, -sA; with --scanflags alone Nmap keeps the SYN-scan interpretation, which is why it reports closed rather than unfiltered here.)

Urgent Scan

The URG flag marks a segment as carrying urgent data, and the urgent pointer field tells the receiver where that data ends so it can be handled ahead of the normal stream. In this scan we send a TCP packet with the URG flag, using its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic they will see a TCP URG packet; using Wireshark for packet analysis we find it shows a TCP URG packet with flags value 0x20 coming from 192.168.1.104 to port 21, as shown in the image below.

XMAS Scan

In this scan we send a combination of flags by adding their hexadecimal values. As we know, the Xmas scan uses the combination of three TCP flags [FIN, PSH, URG] to enumerate the state of the port.

Adding the values of the three flags gives the hex value to send, as described in the table below: 0x01 (FIN) + 0x08 (PSH) + 0x20 (URG) = 0x29.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic they will see a TCP packet with the flags [FIN, PSH, URG]; using Wireshark for packet analysis we find it shows a TCP packet with FIN, PSH and URG set, flags value 0x29, coming from 192.168.1.104 to port 21, as shown in the image below.

Manual Combination of Flags [FIN, SYN, PSH]

Let's have a quick review of decimal-to-hexadecimal conversion with the help of the following table:

Now repeat the same methodology with a different combination of flags to enumerate the state of any port. For example, to scan a port with the three flags [FIN, SYN, PSH] we add their values: 0x01 + 0x02 + 0x08 = 0x0B.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic they will see a TCP packet with the flags [FIN, SYN, PSH]; using Wireshark for packet analysis we find it shows a TCP packet with FIN, SYN and PSH set, flags value 0x0B, coming from 192.168.1.104 to port 21, as shown in the image below.

Manual Combination of Flags [FIN, RST, PSH]

Now repeat the same methodology with another combination. For example, to scan a port with the three flags [FIN, RST, PSH] we add their values: 0x01 + 0x04 + 0x08 = 0x0D.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic they will see a TCP packet with the flags [FIN, RST, PSH]; using Wireshark for packet analysis we find it shows a TCP packet with FIN, RST and PSH set, flags value 0x0D, coming from 192.168.1.104 to port 21, as shown in the image below.

Manual Combination of Flags [FIN, SYN, RST, PSH]

Now repeat the same methodology with four flags. For example, to scan a port with [FIN, SYN, RST, PSH] we add their values: 0x01 + 0x02 + 0x04 + 0x08 = 0x0F.

Now execute the command shown below for enumerating the state of any port; here we want to identify the state of port 21.

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic they will see a TCP packet with the flags [FIN, SYN, RST, PSH]; using Wireshark for packet analysis we find it shows a TCP packet with FIN, SYN, RST and PSH set, flags value 0x0F, coming from 192.168.1.104 to port 21, as shown in the image below.
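The flag arithmetic used throughout this article, as an added Python example (not code from the original article): a flag table matching the bit layout Wireshark displays, encoding of a flag list to the value you pass to --scanflags, decoding of a captured value or of the 16-bit offset/flags word back to flag names, and a check of which Nmap scan type a combination corresponds to. It goes slightly beyond the article by including the ECE, CWR and NS bits, so that any 9-bit flags value Wireshark shows can be decoded; the 0x6002 word used in the demo is constructed, not taken from the captures.

```python
"""TCP flag bits <-> hexadecimal, as used with nmap --scanflags.

Added example, not code from the original article. The bit layout is the 9-bit
flags field of the TCP header (RFC 793 flags plus ECE/CWR from RFC 3168 and NS
from RFC 3540), which is also the value Wireshark prints as "Flags: 0x0xx".
"""

# Bit value of each flag, lowest bit first; the order also fixes how decoded flags are listed.
TCP_FLAG_BITS = {
    "FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
    "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100,
}

# Flag combinations sent by Nmap's named scan types, for comparison.
NAMED_SCANS = {
    "NULL": (), "FIN": ("FIN",), "XMAS": ("FIN", "PSH", "URG"),
    "SYN": ("SYN",), "ACK": ("ACK",), "MAIMON": ("FIN", "ACK"),
}


def flags_to_value(names):
    """Sum the bit values of the given flags, e.g. FIN+PSH+URG -> 0x29."""
    value = 0
    for name in names:
        if name.upper() not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag: {name!r}")
        value |= TCP_FLAG_BITS[name.upper()]
    return value


def value_to_flags(value):
    """Reverse mapping: 0x12 -> ['SYN', 'ACK'], the SYN/ACK seen in the captures."""
    if value < 0 or value & ~0x1FF:
        raise ValueError(f"{value:#x} is not a 9-bit TCP flags value")
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


def scanflags_argument(names):
    """The literal to pass to nmap --scanflags (Nmap also accepts names such as FINPSHURG)."""
    return f"0x{flags_to_value(names):02X}"


def decode_offset_flags_word(word):
    """Split the 16-bit word at TCP header offset 12 into (header length in bytes, flags).

    The top 4 bits are the data offset in 32-bit words, the low 9 bits are the
    flags and the 3 bits in between are reserved.
    """
    if not 0 <= word <= 0xFFFF:
        raise ValueError("expected a 16-bit value")
    return (word >> 12) * 4, value_to_flags(word & 0x1FF)


def identify_scan(names):
    """Name the Nmap scan type whose flag set equals `names`, or None for a manual combination."""
    wanted = {n.upper() for n in names}
    for scan, flags in NAMED_SCANS.items():
        if set(flags) == wanted:
            return scan
    return None


if __name__ == "__main__":
    for combo in (["FIN", "PSH", "URG"], ["FIN", "SYN", "PSH"],
                  ["FIN", "RST", "PSH"], ["FIN", "SYN", "RST", "PSH"]):
        label = identify_scan(combo) or "manual combination"
        print(f"{'+'.join(combo):16s} -> --scanflags {scanflags_argument(combo)}  ({label})")
    # Constructed word 0x6002: data offset 6 (24-byte header), only SYN set.
    print(decode_offset_flags_word(0x6002))
```

The `decode_offset_flags_word` helper is the one to reach for when reading raw bytes: Wireshark highlights the two bytes after the acknowledgement number, and the flags are the low nine bits of that word, not the whole word.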

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network penetration testing (cybersecurity). Contact Here

Forensic Investigation of Nmap Scan using Wireshark

Today we discuss how to read the hexadecimal bytes of an IP packet, which helps a network admin identify the various types of Nmap scan. Before moving ahead please read our two previous articles, "Network packet forensic" and "NMAP scanning with Wireshark"; they will help you understand this article better.

Requirement

Attacking Tool: Nmap

Analysis Tool: Wireshark

We are going to decode the hexadecimal bytes shown by Wireshark with the help of the table below. As we know, Wireshark presents a captured packet mainly as four layers, described in the table according to the OSI and TCP/IP layer models.

Nmap ARP Scanning

Let ’s start!!

Hopefully the reader is aware of the basic Nmap scanning techniques; if not, read about them here. Now open the terminal and execute the command shown below, known as a "HOST SCAN", to identify the live hosts in the network.

Nmap uses the -sP/-sn flag for host scans and, on the local network, broadcasts an ARP request to learn which host holds a particular IP address. From the image below you can observe the "1 host up" message.

Working of ARP Scan for Live Host

  1. Send an ARP request for the MAC address of the target IP
  2. Receive the MAC address in the ARP reply packet

Step to Identify Nmap ARP Scan

  • Collect Ethernet Header details

Here we used Wireshark to capture the packets coming from the victim's network, and to see only the relevant packets we applied the filter "ip.addr == VICTIM IP || arp", as shown in the image below. You will find two ARP packets: the first is a broadcast asking for the MAC address of the IP, and the second is a unicast reply containing the answer.

Now let's read the hex value of the Ethernet header to identify the source and destination MAC addresses, along with the EtherType bytes that tell us which protocol is encapsulated.

From the Ethernet header we can conclude that it is an ARP broadcast asking for the destination MAC address. There is no uncertainty about the source MAC, which belongs to the sender, but the destination MAC is ff:ff:ff:ff:ff:ff, the broadcast address, which means no specific destination machine is named. Further on we find the EtherType 0x0806, highlighted in yellow, which is used for ARP.

Collect ARP Header (Request/Reply)

To identify an ARP scan you need to investigate a few parameters that help a network admin draw the correct conclusion about it.

Try to collect the following details as given below:

  • Opcode (Request/Reply)
  • Source Mac
  • Source IP
  • Destination MAC
  • Destination IP

Now, with the help of the following table, you can read the hex values highlighted in the images above and below for the ARP request and reply packets respectively.

Nmap ICMP Scanning

Now execute the command shown below, also a "HOST SCAN", to identify the live hosts in the network by sending a ping request with ICMP packets.

This command sends an ICMP echo request instead of an ARP request to identify the live hosts.

Working of the Nmap ICMP ping when a host is live:

  1. Send an ICMP echo request packet.
  2. Receive an ICMP echo reply.
  3. Send a TCP SYN packet to a TCP port (one that is rarely blocked by a network admin).
  4. Receive a TCP RST/ACK from the target.

As a result, Nmap gives the "HOST UP" message as shown in the image below.

Step to Identify NMAP ICMP Scan

  • Collect IP Header Details for Protocol version

For reading the Ethernet header, see our previous article "Network packet forensic".

NOTE: the EtherType for IPv4 is 0x0800.

Since ICMP is a layer 3 protocol in the OSI model, we need to focus on the following details in the packet's IP header for ICMP forensics.

Try to collect the following details:

  1. IP header length, 20 bytes (the 4-bit IHL field holds 5, i.e. 5 × 4 = 20 bytes)
  2. Protocol (0x01 for ICMP)
  3. Source IP
  4. Destination IP

From the image below you can observe the hexadecimal values of the IP header fields, and with the table you can decode them into their actual values.

The IP header length is given in 32-bit words; here the IHL field is 5, which is also the minimum IP header length, and multiplying by 4 gives 5 × 4 = 20 bytes.

Identify ICMP Message type  (Request /Reply)

As discussed above, in the Nmap ICMP scan the first packet should be the ICMP echo request and the second the ICMP echo reply.

Now, with the help of the following table, you can read the hex values highlighted in the images above and below for the ICMP request and reply packets respectively.

Identify TCP Flags

As discussed above, after the ICMP reply the 3rd packet should be a TCP-SYN packet and the 4th a TCP-RST/ACK. As we saw in our previous article, the hex values of the TCP flags are all different from each other, so for the TCP-SYN flag the hex value should be 0x02.

From the table below you can see the order of the TCP flags and how their bits are set when a packet is sent to the destination port.

For example, if you find a TCP SYN packet, the SYN flag bit is set to 1, so the binary value is 000000010 and its hexadecimal value is 0x02.

  NS  CWR  ECE  URG  ACK  PSH  RST  SYN  FIN
   0    0    0    0    0    0    0    1    0

Sometimes you will find a combination of two or more flags in a TCP header; in that case use the following table to read the hex value of the packet and identify which flag bits are set to 1.

For example, a TCP SYN/ACK packet indicates that the SYN and ACK flags are both set to 1, so the binary value is 000010010 and its hexadecimal value is 0x12.

  NS  CWR  ECE  URG  ACK  PSH  RST  SYN  FIN
   0    0    0    0    1    0    0    1    0

Therefore I designed the table below to show the hex values when two or more flags are set to 1.
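Here is an added Python example (not the article's table or its code) that encodes and decodes the nine flag bits in the column order used above, so any hex value from the Wireshark bytes pane can be checked against the flag names, and that prints a combination table for the flag sets produced by the Nmap scans covered below. The bit positions follow RFC 793 and RFC 3168 (NS in the low bit of TCP header byte 12, the other eight flags in byte 13); the choice of rows in the table is mine.

```python
"""Encode and decode the nine TCP flag bits in the column order of the
article's table (NS CWR ECE URG ACK PSH RST SYN FIN) and generate a
combination table for the flag sets Nmap scans produce.

Added example, not the article's table or code.  Bit positions follow
RFC 793 / RFC 3168; the rows in SCAN_FLAG_SETS are my own selection."""

FLAG_NAMES = ["NS", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]
# Most-significant first: NS=0x100, CWR=0x80, ..., SYN=0x02, FIN=0x01.
FLAG_BITS = {name: 1 << (8 - i) for i, name in enumerate(FLAG_NAMES)}


def decode_flags(value: int) -> list:
    """0x12 -> ['ACK', 'SYN'];  0x00 -> [] (the NULL scan probe)."""
    if not 0 <= value <= 0x1FF:
        raise ValueError("TCP flags occupy 9 bits (0x000..0x1FF)")
    return [name for name in FLAG_NAMES if value & FLAG_BITS[name]]


def encode_flags(*names: str) -> int:
    """encode_flags('FIN', 'PSH', 'URG') -> 0x29 (the XMAS probe)."""
    value = 0
    for name in names:
        value |= FLAG_BITS[name.upper()]    # KeyError for a misspelled flag
    return value


def flags_binary(value: int) -> str:
    """Nine-character bit string in the table's column order: 0x12 -> '000010010'."""
    decode_flags(value)                      # range check only
    return format(value, "09b")


def flags_from_header(byte12: int, byte13: int) -> int:
    """Combine the two flag bytes as Wireshark shows them in the hex pane.
    Data offset 5 with SYN: (0x50, 0x02) -> 0x02; with NS set: (0x51, 0x02) -> 0x102."""
    return ((byte12 & 0x01) << 8) | (byte13 & 0xFF)


# Flag sets that appear in the scans the article walks through.
SCAN_FLAG_SETS = {
    "SYN probe (stealth / TCP scan)": ("SYN",),
    "SYN/ACK reply from open port": ("SYN", "ACK"),
    "ACK (TCP connect scan only)": ("ACK",),
    "RST (stealth scan tear-down)": ("RST",),
    "RST/ACK (closed port or connect tear-down)": ("RST", "ACK"),
    "FIN probe": ("FIN",),
    "NULL probe": (),
    "XMAS probe": ("FIN", "PSH", "URG"),
}


def combination_table() -> list:
    """Rows of (description, hex, binary, flag names) for SCAN_FLAG_SETS."""
    rows = []
    for desc, names in SCAN_FLAG_SETS.items():
        value = encode_flags(*names)
        rows.append((desc, f"0x{value:02x}", flags_binary(value), "/".join(names) or "none"))
    return rows


if __name__ == "__main__":
    print(f"{'packet':45} {'hex':6} {'binary (NS..FIN)':17} flags")
    for desc, hx, binary, names in combination_table():
        print(f"{desc:45} {hx:6} {binary:17} {names}")
```

Reading a capture by hand, take the two bytes Wireshark labels "Flags" (for a header with no options they follow 0x50, the data offset byte), pass them to flags_from_header, and decode_flags gives the names; 0x14 comes out as ACK and RST, the RST/ACK packet discussed in the stealth scan section.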


The image above contains the hex value of the TCP-SYN packet and the image below contains the hex value of the TCP-RST/ACK packet, from which we can calculate the source port and the destination port of each packet respectively, as shown below.

Conclusion! As stated above regarding the working of the Nmap ICMP scan, we obtained the hex value of every packet in the same sequence. Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen the Nmap ICMP scan for network enumeration.

Default Nmap Scan (Stealth Scan)

Here we go with the default scan method to enumerate the "open" state of a specific port.

Working of Default Scan for open port:

  1. Send TCP-SYN packet
  2. Receive TCP-SYN/ACK
  3. Send TCP-RST packet

It is also known as a half-open TCP scan because it does not send an ACK packet after receiving the SYN/ACK packet.

Steps to Identify Nmap Default Scan (Stealth Scan)

  • Collect IP Header Details for Protocol Version

For reading the data of the Ethernet header, see our previous article "Network packet forensic".

NOTE: The Ether type for IPv4 is 0x0800.

Try to collect the following details:

  1. IP header length: 20 bytes (IHL field value 5 * 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

From the image below you can see the hexadecimal values of the IP header fields; using the given table you can decode each value to its original meaning.

  • Analysis of TCP Header Details

Since from the image above we obtained the source and destination IP and the protocol used for communication (TCP), we now need to identify the source and destination port and the TCP flag used to establish the connection between the two systems.

In the image the source port is highlighted in light brown and the destination port in yellow; use the table below to read the hex values in the image.

So we come to know that a TCP-SYN packet is used to send the connection request to port 80.

Reading the next packet, we find the hex value 0x12, which indicates that a TCP-SYN/ACK has been sent from port 80.

Use the table above to read the hex value in the image. The hex value 0x12 for the TCP flags means SYN + ACK, as explained above: 0x12 is obtained by adding 0x02 (SYN) and 0x10 (ACK).

In the image below, we see that a TCP-RST packet is used to reset the connection to port 80.

Conclusion! As stated above regarding the working of the Nmap default scan (Nmap stealth scan), we obtained the hex value of every packet in the same sequence. Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen the Nmap default scan for network enumeration.

Nmap TCP Scan

Here we go with the TCP scan to enumerate the state of a specific port.

Working of TCP Scan for open port:

  1. Send TCP-SYN packet
  2. Receive TCP-SYN/ACK
  3. Send TCP-ACK packet
  4. Send TCP-RST/ACK packet

Steps to Identify Nmap TCP Scan

  • Collect IP Header Details for Protocol Version

For reading the data of the Ethernet header, see our previous article "Network packet forensic".

NOTE: The Ether type for IPv4 is 0x0800.

Try to collect the following details:

  1. IP header length: 20 bytes (IHL field value 5 * 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap stealth scan; using the given table you can decode these values to their original meaning.

  • Analysis of TCP Header Details

The Nmap TCP scan follows the TCP three-way handshake to enumerate an open port. Identifying the source and destination port along with the flag hex value (TCP-SYN) is the same as above.

So we come to know that a TCP-SYN packet is used to send the connection request to port 80.

Reading the next packet, we find the hex value 0x12, which indicates that a TCP-SYN/ACK has been sent from port 80.

The only difference between the stealth scan and the TCP scan is that here a packet with the ACK flag is sent by the source machine that initiated the TCP communication. Reading the next packet, we find the hex value 0x10, which indicates that a TCP-ACK has been sent to port 80.

Conclusion! As stated above regarding the working of the Nmap TCP scan, we obtained the hex value of every packet in the same sequence. Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen the Nmap TCP scan for network enumeration.

NOTE: For the TCP-RST/ACK packet sent by the attacker machine, the hex value will be 0x14.

Nmap FIN Scan

Here we go with the TCP-FIN scan to enumerate the "open" state of a particular port on a Linux-based system, so execute the command given below.

Working of FIN Scan for open port: send 2 TCP-FIN packets to the specific port.

FIN is one of the TCP flags, and Nmap uses the FIN flag to initiate TCP communication instead of following the three-way handshake.

Steps to Identify Nmap FIN Scan

  • Collect IP Header Details for Protocol Version

For reading the data of the Ethernet header, see our previous article "Network packet forensic".

NOTE: The Ether type for IPv4 is 0x0800.

Try to collect the following details:

  1. IP header length: 20 bytes (IHL field value 5 * 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap scans above; using the table below you can decode these values to their original meaning.

  • Analysis of TCP Header Details

Identifying the source and destination port along with the flag hex value (TCP-FIN) is the same as above.

So through the image below and with the help of the table, we come to know that a TCP-FIN packet is used to send the connection request to port 22.

Conclusion: As stated above regarding the working of the Nmap FIN scan, we obtained the hex value of every packet in the same sequence.

Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen the Nmap FIN scan for network enumeration.

NOTE: If you find a 1st FIN packet (0x01) and a 2nd RST packet (0x04), it indicates a "closed port" on the targeted network.

Nmap NULL Scan

Here we go with the TCP NULL scan to enumerate the "open" state of a specific port on a Linux-based system.

Working of NULL Scan for open port: send 2 TCP packets with no flags set (TCP-NONE) to the specific port.

Here Nmap uses no flag at all (NULL) to initiate TCP communication, with the bit of every flag set to "0", instead of following the three-way handshake.

Steps to Identify Nmap NULL Scan

  • Collect IP Header Details for Protocol Version

For reading the data of the Ethernet header, see our previous article "Network packet forensic".

NOTE: The Ether type for IPv4 is 0x0800.

Try to collect the following details:

  1. IP header length: 20 bytes (IHL field value 5 * 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap scans above; using the given table you can decode these values to their original meaning.

  • Analysis of TCP Header Details

Identifying the source and destination port along with the flag hex value (TCP-NONE) is the same as above.

So through the image below and with the help of the table, we come to know that a TCP-NONE packet is used to send the connection request to port 22.

Conclusion: As stated above regarding the working of the Nmap NULL scan, we obtained the hex value of every packet in the same sequence.

Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen the Nmap NULL scan for network enumeration.

NOTE: If you find a 1st NONE packet (0x00) and a 2nd RST packet (0x04), it indicates a "closed port" on the target network.

Nmap XMAS Scan

Here we go with the XMAS scan to enumerate the "open" state of a specific port on a Linux-based system.

Working of XMAS Scan for open port: send 2 TCP packets with the FIN, PSH and URG flags set to the specific port.

Here Nmap uses 3 TCP flags (FIN, PSH and URG) to initiate TCP communication, with the bit of each of these flags set to "1", instead of following the three-way handshake.

Steps to Identify Nmap XMAS Scan

  • Collect IP Header Details for Protocol Version

For reading the data of the Ethernet header, see our previous article "Network packet forensic".

NOTE: The Ether type for IPv4 is 0x0800.

Try to collect the following details:

  1. IP header length: 20 bytes (IHL field value 5 * 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap scans above; using the given table you can decode these values to their original meaning.

  • Analysis of TCP Header Details

Identifying the source and destination port along with the flag hex value (TCP-XMAS) is the same as above.

So through the image below and with the help of the table, we come to know that a TCP packet with the flags {FIN, PSH, URG} is used to send the connection request to port 22.

Conclusion! As stated above regarding the working of the Nmap XMAS scan, we obtained the hex value of every packet in the same sequence.

Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen the Nmap XMAS scan for network enumeration.

NOTE:

  • If you find a 1st {FIN, PSH, URG} packet (0x29) and a 2nd RST packet (0x04), it indicates a "closed port" on the targeted network.
  • The Nmap FIN, NULL and XMAS scans are only applicable to Linux-based systems.

Nmap UDP Scan

Here we go with the UDP scan to enumerate the state of a specific port on a Linux-based system.

Working of UDP Scan for open port: send 2 UDP packets to the specific port.

It is quite different from the TCP communication process because no flag is used to establish a connection or initiate a connection request with the target's network.

Steps to Identify Nmap UDP Scan

  • Collect IP Header Details for Protocol Version

For reading the data of the Ethernet header, see our previous article "Network packet forensic".

NOTE: The Ether type for IPv4 is 0x0800.

Try to collect the following details:

  1. IP header length: 20 bytes (IHL field value 5 * 4 = 20 bytes)
  2. Protocol (0x11 for UDP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap scans above, as the "IP header" and "Ethernet header" information is the same whether the communication is TCP or UDP; using the given table you can decode these values to their original meaning.

Basically, 0x11 is the hex value used for the UDP protocol, which is quite useful for distinguishing the Nmap UDP scan from the remaining scanning methods.

  • Analysis of UDP Header Details

Identify the source and destination port as done above in TCP scanning.

Conclusion! Obtaining the hex values of the packets in this sequence indicates to the penetration tester that someone has chosen the Nmap UDP scan for network enumeration.

NOTE: If you find a 1st UDP packet and then a 2nd packet that is an ICMP "Port unreachable" message, it indicates a "closed port" on the target network.
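The per-scan packet sequences described in the sections above (stealth/SYN, TCP, FIN, NULL, XMAS and UDP) can be matched automatically once the hex values have been decoded. The Python below is an added example, not the article's code: it takes already-decoded packets (protocol, direction, TCP flag byte, ICMP type and code) for one scanner/target pair and returns the scan type and the port state it implies. Two assumptions are labelled in the code: any packet with the RST bit set counts as a reset, so the article's 0x04 and an RST/ACK 0x14 both match; and a repeated probe that gets no answer is reported as open|filtered, which is the label Nmap itself uses for what the FIN, NULL, XMAS and UDP sections call the open case. The sample sequences are constructed.

```python
"""Match one scanner/target exchange against the packet sequences the
article lays out for each Nmap scan (stealth/SYN, TCP, FIN, NULL, XMAS, UDP)
and report which scan produced it and the port state it implies.

Added example, not the article's own code.  Inputs are already-decoded
packets.  Assumptions: any packet with RST set counts as a reset (0x04 or
0x14); a repeated probe with no answer is open|filtered, Nmap's own label
for the article's "open" case.  The sample sequences are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG            # 0x29, as in the article's XMAS section
PROBES = {SYN: "SYN", FIN: "FIN", 0x00: "NULL", XMAS: "XMAS"}


@dataclass
class Pkt:
    proto: str                    # "TCP", "UDP" or "ICMP"
    from_scanner: bool            # True if sent by the host that sent packet 1
    flags: int = 0                # TCP flag byte (CWR..FIN) for TCP packets
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _is_rst(p: Pkt) -> bool:
    return p.proto == "TCP" and bool(p.flags & RST)


def _is_port_unreachable(p: Pkt) -> bool:
    return p.proto == "ICMP" and p.icmp_type == 3 and p.icmp_code == 3


def classify(seq: List[Pkt]) -> Tuple[str, str]:
    """Return (scan name, implied port state) for one exchange."""
    if not seq or not seq[0].from_scanner:
        return ("unknown", "unknown")
    first = seq[0]
    replies = [p for p in seq[1:] if not p.from_scanner]
    scanner_after = [p for p in seq[1:] if p.from_scanner]

    if first.proto == "UDP":
        if any(_is_port_unreachable(p) for p in replies):
            return ("UDP scan", "closed")
        if not replies and all(p.proto == "UDP" for p in scanner_after):
            # Probe repeated, nothing answered: Nmap reports open|filtered.
            return ("UDP scan", "open|filtered")
        return ("UDP scan", "unknown")

    probe = first.flags & 0xFF
    if first.proto != "TCP" or probe not in PROBES:
        return ("unknown", "unknown")

    if probe == SYN:
        if not replies:
            return ("SYN-based scan", "filtered")
        reply = replies[0]
        if _is_rst(reply):
            return ("SYN-based scan", "closed")
        if (reply.flags & (SYN | ACK)) != (SYN | ACK):
            return ("SYN-based scan", "unknown")
        # Open port.  The stealth scan answers SYN/ACK with a bare RST; the
        # TCP (connect) scan completes the handshake with an ACK first.
        nxt = scanner_after[0] if scanner_after else None
        if nxt is not None and (nxt.flags & ACK) and not (nxt.flags & RST):
            return ("TCP connect scan", "open")
        return ("Stealth (SYN) scan", "open")

    name = f"{PROBES[probe]} scan"
    if any(_is_rst(p) for p in replies):
        return (name, "closed")
    resent = [p for p in scanner_after if p.proto == "TCP" and (p.flags & 0xFF) == probe]
    if not replies and resent:
        # Two identical probes and silence: the article's "open" case.  Nmap
        # itself says open|filtered because a dropped probe looks the same.
        return (name, "open|filtered")
    return (name, "unknown")


S, T = True, False   # from scanner / from target (constructed samples)
SAMPLES = {
    "stealth_open": [Pkt("TCP", S, SYN), Pkt("TCP", T, SYN | ACK), Pkt("TCP", S, RST)],
    "tcp_open": [Pkt("TCP", S, SYN), Pkt("TCP", T, SYN | ACK), Pkt("TCP", S, ACK), Pkt("TCP", S, RST | ACK)],
    "syn_closed": [Pkt("TCP", S, SYN), Pkt("TCP", T, RST | ACK)],
    "fin_open": [Pkt("TCP", S, FIN), Pkt("TCP", S, FIN)],
    "fin_closed": [Pkt("TCP", S, FIN), Pkt("TCP", T, RST)],
    "null_open": [Pkt("TCP", S, 0x00), Pkt("TCP", S, 0x00)],
    "xmas_closed": [Pkt("TCP", S, XMAS), Pkt("TCP", T, RST | ACK)],
    "udp_open": [Pkt("UDP", S), Pkt("UDP", S)],
    "udp_closed": [Pkt("UDP", S), Pkt("ICMP", T, icmp_type=3, icmp_code=3)],
}

if __name__ == "__main__":
    for label, seq in SAMPLES.items():
        scan, state = classify(seq)
        print(f"{label:13} -> {scan:20} port {state}")
```

A closed port answers a SYN with a reset whether the scanner ran the stealth or the TCP scan, so the two are only told apart on an open port, by whether the scanner's next packet is an ACK (connect) or a bare RST (half-open); that is the distinction the conclusion of the TCP scan section relies on.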

Author: Yashika Dhir is a passionate researcher and technical writer at Hacking Articles. She is a hacking enthusiast.