Nmap scans - Coggle Diagram
Nmap scans
TCP connect scan -sT
Completes the full three-way handshake through the operating system's connect() call, so it needs no root privileges but is the noisiest option: the target application sees and can log the connection.
(1: SYN/ACK response means the port is open; Nmap then finishes the handshake and closes the connection)
(2: RST response means the port is closed, or the firewall is configured to answer with a RST, e.g. "iptables -I INPUT -p tcp --dport <port> -j REJECT --reject-with tcp-reset")
(3: no response means the port is protected by a firewall with a DROP rule, or the packet was lost; Nmap reports it as filtered)
UDP scan -sU
UDP is connectionless, so there is no handshake to rely on: a UDP reply means open, an ICMP port unreachable error means closed, and no response is reported as open|filtered (Nmap retransmits before giving up).
Because most probes get no answer and many hosts rate-limit ICMP unreachable messages, this scan can be very slow (around 20 min for 1000 ports); the practical approach is to restrict it to the most common ports with the --top-ports option.
Null, FIN, Xmas scans (-sN, -sF, -sX)
TCP Xmas scan -sX
Sends a malformed TCP segment with the PSH (push), URG (urgent) and FIN (finish) flags set and neither SYN nor ACK; the Null scan sets no flags at all and the FIN scan only FIN.
Per RFC 793 a closed port must answer such a segment with a RST while an open port must silently drop it, so a RST means closed, no response means open|filtered, and an ICMP unreachable error means filtered.
Limitations: these are TCP-only techniques (they say nothing about UDP ports) and they cannot tell an open port from one whose probe a firewall dropped.
They also fail against stacks that ignore the RFC: Windows, Cisco devices and some others reply with a RST to any such malformed segment regardless of port state, so Nmap reports every port as closed.
The goal is firewall evasion: some stateless packet filters only block packets with the SYN flag set, and these probes carry no SYN.
On modern systems an IDS (and any stateful firewall) recognises these scan methods and can block or flag them.
ICMP scan / host discovery (-sn)
With the -sn switch Nmap skips the port scan and only performs host discovery: it probes every possible IP in the given range and marks an IP as alive when it receives a response.
It relies primarily on ICMP echo request packets (the reply also lets Nmap measure the round-trip time, which it uses to tune its timing), and on ARP (address resolution protocol) requests when the targets are on the local network and Nmap runs with sudo, since ARP cannot be filtered by a host firewall.
Alongside the ICMP echo, -sn as root also sends a TCP SYN to port 443 (https) and a TCP ACK to port 80 (http); as an unprivileged user Nmap cannot craft raw packets and instead sends a TCP SYN through connect() to ports 80 and 443.
Firewall evasion
Use the -Pn switch (skip host discovery and treat every host as up) when ICMP is being blocked, as it is by default on Windows hosts; otherwise Nmap assumes the host is down and never scans it.
-f (fragment) splits each probe into small IP fragments (8 data bytes per fragment, 16 with -ff) so that packet filters and IDS that inspect only the first fragment, or do not reassemble at all, never see the complete TCP header.
--data-length <num> appends that many random bytes of payload to each probe, to evade firewalls and IDS rules that drop or flag the empty (zero-byte payload) packets Nmap sends by default.
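The probe construction and response interpretation described above (the Xmas flag combination and how its replies map to port states, the default -sn host-discovery probes, -f fragmentation and --data-length padding), as an added example in Python that is not part of the original mind map or of Nmap's own code. It builds the packets in memory with correct checksums and never sends them, so it runs offline; the addresses, source ports, ICMP identifier and IP fragment id are constructed values, and the ICMP timestamp and ARP probes Nmap also uses are left out.

```python
import os
import socket
import struct

# Constructed RFC 1918 addresses; packets are only built in memory, never sent.
SRC_IP = "192.168.1.10"
DST_IP = "192.168.1.20"

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_MF = 0x2000  # "more fragments" bit of the IPv4 flags/fragment-offset field


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IPv4, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo(length: int) -> bytes:
    return (socket.inet_aton(SRC_IP) + socket.inet_aton(DST_IP)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, length))


def tcp_segment(src_port: int, dst_port: int, flags: int, payload: bytes = b"") -> bytes:
    """20-byte TCP header (no options) plus payload, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, (5 << 12) | flags, 1024, 0, 0)
    csum = checksum(_tcp_pseudo(len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def tcp_checksum_ok(segment: bytes) -> bool:
    return checksum(_tcp_pseudo(len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def xmas_probe(dst_port: int, data_length: int = 0, src_port: int = 40000) -> bytes:
    """-sX probe: FIN+PSH+URG and neither SYN nor ACK. data_length mimics --data-length,
    which appends random bytes so the probe is no longer an empty-payload packet."""
    return tcp_segment(src_port, dst_port, FIN | PSH | URG, os.urandom(data_length))


def classify_inverse_scan(response) -> str:
    """Port state Nmap reports for a Null/FIN/Xmas probe. response is None (nothing came
    back), ("tcp", flags) or ("icmp", (type, code))."""
    if response is None:
        return "open|filtered"  # an RFC 793 open port drops it, but so would a firewall
    kind, value = response
    if kind == "tcp" and value & RST:
        return "closed"  # also what Windows/Cisco stacks answer for every port
    if kind == "icmp" and value in {(3, 1), (3, 2), (3, 3), (3, 9), (3, 10), (3, 13)}:
        return "filtered"
    return "unexpected"


def icmp_echo(ident: int = 0x1234, seq: int = 1, payload: bytes = b"") -> bytes:
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload


def host_discovery_probes(privileged: bool):
    """Default -sn probes (ARP and ICMP timestamp omitted): as root an ICMP echo, a SYN to 443
    and an ACK to 80; as an unprivileged user only connect()-style SYNs to 80 and 443."""
    if privileged:
        return [("icmp-echo", icmp_echo()),
                ("tcp-syn/443", tcp_segment(40001, 443, SYN)),
                ("tcp-ack/80", tcp_segment(40002, 80, ACK))]
    return [("tcp-syn/80", tcp_segment(40003, 80, SYN)),
            ("tcp-syn/443", tcp_segment(40004, 443, SYN))]


def ipv4_header(total_len: int, ident: int, flags_frag: int, proto: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                      socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def frag_flags_offset(frag: bytes) -> int:
    """Raw 16-bit flags/fragment-offset field of an IPv4 fragment built above."""
    return struct.unpack("!H", frag[6:8])[0]


def fragment(transport: bytes, chunk: int = 8, ident: int = 0x4E4D):
    """Emulate -f: carve the TCP segment into IPv4 fragments of `chunk` data bytes
    (8 for -f, 16 for -ff). Offsets are in 8-byte units; all but the last fragment set MF."""
    if chunk % 8:
        raise ValueError("fragment data length must be a multiple of 8")
    pieces = [transport[i:i + chunk] for i in range(0, len(transport), chunk)]
    frags = []
    for n, piece in enumerate(pieces):
        more = IP_MF if n < len(pieces) - 1 else 0
        frags.append(ipv4_header(20 + len(piece), ident, more | (n * chunk // 8),
                                 socket.IPPROTO_TCP) + piece)
    return frags


if __name__ == "__main__":
    probe = xmas_probe(80, data_length=24)
    print("xmas flags=0x%02x, %d bytes with --data-length 24" % (tcp_flags(probe), len(probe)))
    for n, frag in enumerate(fragment(xmas_probe(80))):
        print("fragment %d: %d bytes, flags/offset=0x%04x" % (n, len(frag), frag_flags_offset(frag)))
```

A 20-byte Xmas header fragmented with -f yields three fragments of 8, 8 and 4 data bytes; only the third, at offset 2, carries the flags word (header bytes 12-13), which is exactly why a filter that inspects the first fragment alone cannot see that the probe is an illegal FIN/PSH/URG segment.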