SECURITY PENETRATION TESTING: Are Your Computers Secure Enough Now?

16 Jun 2009

Nmap Basic Port Scanning

When run with root or administrator privileges, Nmap performs a TCP SYN scan (-sS) against the specified target by default. SYN scanning is quick and provides reliable results for open, closed, and filtered ports. SYN scanning was once considered a stealthy scan method; however, most host- and network-based intrusion detection systems can now detect SYN scans. A port is considered open if it responds to the SYN packet with a SYN/ACK packet, and closed if the system responds with a RST packet. A filtered port indicates that an ICMP unreachable error or no response was received. Although Nmap performs a SYN scan by default, you can also request it explicitly with the following command-line option:

# nmap -sS 192.168.2.3

Starting Nmap 4.50 (http://insecure.org) at 2007-12-28 09:46 Eastern Standard Time
Interesting ports on 192.168.2.3:
Not shown: 1707 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
3389/tcp open  ms-term-serv
8081/tcp open  blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 26.248 seconds

What we are interested in here is the ports table, which includes the port number and protocol, the state, and the service. Unless you are using version detection, the service that is displayed is just a guess, since it is pulled from the nmap-services file, a list of well-known services and the ports they run on.

If a user doesn't have root or administrator privileges, Nmap performs a TCP connect scan (-sT) by default. This is because Nmap must use the underlying OS to establish a connection with the target instead of using its built-in ability to create and send raw packets. This scan method tends to be less efficient, since Nmap has less control than it does when creating raw packets. TCP connect scans are more likely to be logged, since they complete a full TCP connection. System administrators should monitor logs for a large number of connection attempts to multiple ports, since this activity may indicate a port scan. TCP connect scans can also cause unwanted effects, such as DoS conditions on systems that do not efficiently close TCP connections. In our example, running a TCP connect scan against the same target detects additional open ports:

# nmap -sT 192.168.2.3

Starting Nmap 4.50 (http://insecure.org) at 2007-12-28 09:52 Eastern Standard Time
Interesting ports on 192.168.2.3:
Not shown: 1704 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
3389/tcp open  ms-term-serv
8081/tcp open  blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 365.014 seconds

This may be because the target host is running a host-based firewall that interfered with the results of the SYN scan.
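The monitoring advice above (watch for many connection attempts to multiple ports from one source) can be turned into a small sliding-window detector. The following is an added example written for this page, not code from the original post or from the Nmap project. The key=value log format, the `detect_port_scans` function, the source address 192.168.2.50 and the 60-second/10-port thresholds are all constructed assumptions; a real deployment would adapt the regex to its firewall or connection-tracking logs and tune the thresholds against normal traffic.

```python
"""Flag sources that touch many distinct ports on one host in a short window.

Added example, not from the original post or from Nmap. The log format is a
constructed key=value firewall-style line; lines are expected in time order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line shape: "<iso-timestamp> <action> src=<ip> dst=<ip> dport=<n> proto=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): (first_ts, last_ts, distinct_ports)} for every
    source/destination pair where one source hit at least `min_ports`
    distinct destination ports inside `window`. A per-pair sliding window
    drops old events so a slow, legitimate trickle never accumulates."""
    recent = defaultdict(deque)     # (src, dst) -> deque of (ts, dport), time ordered
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # ignore malformed or unrelated lines
        key = (rec["src"], rec["dst"])
        q = recent[key]
        q.append((rec["ts"], rec["dport"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()             # expire events older than the window
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            alerts[key] = (q[0][0], rec["ts"], len(ports))   # keep latest picture
    return alerts


def constructed_sample_log():
    """Constructed sample: one source walking a dozen ports on 192.168.2.3 in
    22 seconds, interleaved with an ordinary client reusing two services."""
    base = datetime(2007, 12, 28, 9, 52, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8081]):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} CONN src=192.168.2.50 dst=192.168.2.3 dport={port} proto=tcp")
    for i in range(12):
        ts = base + timedelta(seconds=3 * i)
        port = 3389 if i % 2 else 139
        lines.append(f"{ts.isoformat()} CONN src=192.168.2.77 dst=192.168.2.3 dport={port} proto=tcp")
    return sorted(lines)            # fixed-width ISO timestamps sort chronologically


if __name__ == "__main__":
    for (src, dst), (first, last, n) in detect_port_scans(constructed_sample_log()).items():
        print(f"{src} -> {dst}: {n} distinct ports between {first.time()} and {last.time()}")
```

The detector keys on distinct destination ports rather than raw connection counts, which is what separates a port sweep from a busy but legitimate client; the same logic applies to host-firewall or service logs as long as the regex is adapted to their line format.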

Many notable exploits (the SQL Slammer worm, for example) have occurred because of security weaknesses in UDP services. UDP is used by many popular services, including DNS, Simple Network Management Protocol (SNMP), Trivial File Transfer Protocol (TFTP), NFS, DHCP, Kerberos, and Syslog. The Nmap UDP scan (-sU) sends an empty UDP header to the target port. The target responds with an ICMP port unreachable error if the port is closed. Other ICMP errors indicate that the port is blocked by a packet filter. UDP services on open ports will respond with a UDP packet; however, some UDP services will not send a response. Because of this lack of response, Nmap performs several retries, which makes UDP scanning very slow. If Nmap cannot determine whether the port is open or blocked by a packet filter, it reports the port status as open|filtered. In this case, try performing a version scan (-sV) to gather additional information and determine whether the port is actually open. The following is an example of a UDP scan and associated output:

# nmap -sU 192.168.2.3

Starting Nmap 4.50 (http://insecure.org) at 2007-12-28 10:04 Eastern Standard Time
All 1488 scanned ports on 192.168.2.3 are open|filtered (1334) or closed (154)
Nmap done: 1 IP address (1 host up) scanned in 20.670 seconds

In this case, the UDP port scan may be filtered by the host-based firewall, or there may not be any open UDP ports. Let's scan another target and view the results:

# nmap -sU 192.168.100.4

Starting Nmap 4.50 (http://insecure.org) at 2007-12-28 10:15 Eastern Standard Time
Interesting ports on 192.168.100.4:
Not shown: 1483 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
259/udp  open|filtered firewall1-rdp
427/udp  open|filtered svrloc
631/udp  open|filtered unknown
5353/udp open|filtered zeroconf
MAC Address: 00:30:65:0D:28:32 (Apple Computer)
Nmap done: 1 IP address (1 host up) scanned in 56.742 seconds

This is more like what we are looking for. There are five UDP services that may be open on this target. You need to perform additional testing, with version detection (-sV) and other manual tests, to determine the actual open services and their versions.

Nmap provides the ability to analyze IP protocols with the IP protocol scan (-sO). This isn't technically a port scan; however, it uses the same underlying port scan engine and reports its results in the port table. The IP protocol scan allows you to see which IP protocols are supported by the target system. Unsupported protocols answer with an ICMP protocol unreachable error. Other ICMP responses cause the protocol to be reported as filtered, and no response is reported as open|filtered. The following is an example of an IP protocol scan and associated output:

# nmap -sO 192.168.2.3

Starting Nmap 4.50 (http://insecure.org) at 2007-12-28 12:24 EST
Interesting protocols on 192.168.2.3:
Not shown: 250 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open|filtered tcp
17       open          udp
47       open|filtered gre
50       open|filtered esp
MAC Address: 00:11:25:D6:DA:C7 (IBM)
Nmap done: 1 IP address (1 host up) scanned in 1.649 seconds
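All three result shapes shown on this page (the PORT/STATE/SERVICE table from the SYN, connect and UDP scans, the one-line summary Nmap prints when every UDP port lands in the same few states, and the PROTOCOL/STATE/SERVICE table from -sO) can be handled by one small parser. Having the results as records makes it easy to diff a connect scan against a SYN scan, as was done by hand above, or to list the open|filtered entries that still need a version scan. The following is an added example for this page, not code from the original post or from Nmap; `parse_nmap_output`, `diff_open`, `needs_followup` and the embedded sample outputs are constructed here (the samples mirror the scans shown above, with columns padded the way Nmap prints them).

```python
"""Parse Nmap 'normal' (human-readable) output into structured records.

Added example, not from the original post and not Nmap's own code. Handles a
PORT/STATE/SERVICE table, a PROTOCOL/STATE/SERVICE table, and the one-line
"All N scanned ports ..." summary.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    number: int    # port number, or IP protocol number for -sO rows
    proto: str     # "tcp", "udp", or "ip" for protocol-scan rows
    state: str     # open, closed, filtered, open|filtered, ...
    service: str   # guessed from nmap-services unless -sV was used


@dataclass
class ScanResult:
    target: str = ""
    entries: list = field(default_factory=list)
    not_shown: dict = field(default_factory=dict)  # e.g. {"closed": 1707}
    summary: dict = field(default_factory=dict)    # counts from the summary line


PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
PROTO_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")
TARGET_RE = re.compile(r"^Interesting (?:ports|protocols) on (\S+):")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) (?:ports|protocols)")
ALL_RE = re.compile(r"^All (\d+) scanned ports on (\S+) are (.+)$")
COUNT_RE = re.compile(r"([\w|]+) \((\d+)\)")


def parse_nmap_output(text: str) -> ScanResult:
    result = ScanResult()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TARGET_RE.match(line):
            result.target = m.group(1)
        elif m := NOT_SHOWN_RE.match(line):
            result.not_shown[m.group(2)] = int(m.group(1))
        elif m := ALL_RE.match(line):
            result.target = m.group(2)
            result.summary["scanned"] = int(m.group(1))
            for state, count in COUNT_RE.findall(m.group(3)):
                result.summary[state] = int(count)
        elif line.startswith(("PORT", "PROTOCOL")):
            in_table = True                      # column header opens the table
        elif in_table and (m := PORT_RE.match(line)):
            result.entries.append(Entry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif in_table and (m := PROTO_RE.match(line)):
            result.entries.append(Entry(int(m.group(1)), "ip", m.group(2), m.group(3)))
        else:
            in_table = False                     # "MAC Address:" / "Nmap done:" close it
    return result


def open_ports(result):
    """(number, proto) pairs Nmap reported as definitely open."""
    return [(e.number, e.proto) for e in result.entries if e.state == "open"]


def needs_followup(result):
    """Entries Nmap could not settle; candidates for -sV or manual checks."""
    return [(e.number, e.proto) for e in result.entries if e.state == "open|filtered"]


def diff_open(baseline, other):
    """Open ports seen in `other` but not in `baseline` (e.g. -sT vs -sS)."""
    return sorted(set(open_ports(other)) - set(open_ports(baseline)))


# Constructed sample outputs, modelled on the scans shown in the post.
SYN_SCAN = """\
Starting Nmap 4.50 (http://insecure.org) at 2007-12-28 09:46 EST
Interesting ports on 192.168.2.3:
Not shown: 1707 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
3389/tcp open  ms-term-serv
8081/tcp open  blackice-icecap
Nmap done: 1 IP address (1 host up) scanned in 26.248 seconds
"""
CONNECT_SCAN = SYN_SCAN.replace("Not shown: 1707", "Not shown: 1704").replace(
    "PORT     STATE SERVICE\n",
    "PORT     STATE SERVICE\n21/tcp   open  ftp\n25/tcp   open  smtp\n110/tcp  open  pop3\n")
UDP_SUMMARY = """\
All 1488 scanned ports on 192.168.2.3 are open|filtered (1334) or closed (154)
Nmap done: 1 IP address (1 host up) scanned in 20.670 seconds
"""
PROTO_SCAN = """\
Interesting protocols on 192.168.2.3:
Not shown: 250 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open|filtered tcp
17       open          udp
47       open|filtered gre
50       open|filtered esp
MAC Address: 00:11:25:D6:DA:C7 (IBM)
Nmap done: 1 IP address (1 host up) scanned in 1.649 seconds
"""
```

Feeding the SYN and connect samples to `diff_open` returns the three ports (21, 25 and 110) that only the connect scan exposed, and `needs_followup` on the protocol-scan sample lists the four open|filtered protocols that a version scan or manual probe still has to settle. For anything beyond quick triage, Nmap's XML output (-oX) is the stable machine-readable format; this parser exists only to show how the tables on this page map onto records.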

