Scanning ports and finding network vulnerabilities using nmap

Reconnaissance is one of the basic and most important stages of penetration testing. It helps us gain information that may be crucial for us. Reading articles from bugbounty, for example, we may come across mentions of port scanning - nmap is most commonly used for this. Few people know, however, that this is just the tip of the iceberg of possibilities that the tool offers us. In this article we will take a slightly closer look at them.

Types of port statuses

Before we get started, a little basic theory that we will use when working with nmap. When we scan, we will get information about ports. Some of them will be open (open), others will be unfiltered, and others will have both states. What does this mean for us?

• open - the application listens for TCP connections or UDP packets on the indicated port,
• closed - the port is available, receives and responds to nmap packets, but there is no application serving the connection,
• filtered - nmap is unable to determine whether the port is open. The reason is network filtering with firewall systems by the network administrator,
• unfiltered - the port is open, but nmap is unable to determine whether it is closed or open. This state of the port can only be determined by ACK scanning. When scanning unfiltered ports, we should use Windows, SYN or FIN scanning,
• open / filtered - port state determined when the tool is unable to determine whether it is open or closed. This happens when the port does not give an answer,
• closed / filtered - the state determined for ports for which nmap does not know whether the port is closed or filtered.

The most important types of scans

Scanning the operating system

To start with something simple - operating system scanning. Nmap sends UDP and TCP packets and, based on the return response, analyzes and matches them to those held records in its database. Based on this, an estimation is made as to which system is likely to be used by the host.

┌──(figaro㉿kali)-[~/Desktop]
└─$ sudo nmap -O 142.250.203.131                                                                  1 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-10 12:36 EST
Nmap scan report for waw07s06-in-f3.1e100.net (142.250.203.131)
Host is up (0.0034s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|switch|phone
Running (JUST GUESSING): Linux 1.0.X (87%), Cisco embedded (87%), Nokia Symbian OS (86%)
OS CPE: cpe:/o:linux:linux_kernel:1.0.9 cpe:/h:cisco:catalyst_1900 cpe:/o:nokia:symbian_os
Aggressive OS guesses: Linux 1.0.9 (87%), Cisco Catalyst 1900 switch (87%), Nokia 3600i mobile phone (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.67 seconds

TCP SYN scan (-sS).

This is the default and most commonly used port scan. SYN scanning is characterized by the fact that the connection is never fully opened, making it quite discrete. Incomplete opening is that after a SYN packet is sent and a response is received, no further ACK segment is sent. You can read more about how TCP works here.

The status of the port is determined by the response it receives. If a SYN-ACK segment is received, the port is open. If the response is an RST packet - the port is closed. If there is no response or an ICMP error message, the port gets a filtered status.

┌──(figaro㉿kali)-[~/]
└─$ sudo nmap -sS google.com
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-12 10:58 EST
Nmap scan report for google.com (142.250.203.142)
Host is up (0.0064s latency).
Other addresses for google.com (not scanned): 2a00:1450:401b:80e::200e
rDNS record for 142.250.203.142: waw07s06-in-f14.1e100.net
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.88 seconds

The scan above shows that the open ports are port number 80 and 443.

TCP connect() (-sT) scan.

If the user does not have permission to send raw packets or scan IPv6 networks, a TCP connect query is sent by default. It converts low-level references into high-level ones - the same ones used by min. web browsers. For network scanning, this method should be avoided because nmap has less control over it than with the SYN method. In addition, compared to it, with TCP connect() there is a full connection, which implies longer time and leaves a larger trail of connection attempts.

UDP scan (-sU).

Because scanning ports using UDP is heavier and takes more time, security researchers often ignore it. This is a mistake. UDP scanning (by adding the -sU parameter) involves nmap sending empty UDP packets to the target ports. If a response in the form of a UDP packet is received, the port is classified as open. If an ICMP message (error) is received, the port gets a closed or filtered status. No response means open/filtered status.

TCP Null, FIN and Xmas (-sN, -sF, -sX) scans.

All three scans differ only in the flags set in the packet. If there is no response, it means the port is open. In the case of closed ports, we get an RST/ACK packet in response. These scans work only on systems with a TCP/IP implementation that complies with RFC 793. In addition, each of the scans does not work on any version of Windows. What flags differ between the Xmas, FIN and Null scans?

• Xmas - transmits a packet with FIN, URG and PSH flags set,
• FIN - transmits a packet with FIN flags set,
• Null - transmits a packet with no flags set

TCP ACK scan (-sA).

The TCP ACK scan is different from the previous ones. This is because its purpose is not to determine the statuses of ports, but to check whether they are filtered by a stateful firewall. The way it looks is that, as with a standard scan, an ACK packet is sent. If any of the ports return an RST packet, it means to nmap that the ports are not filtered.

┌──(figaro㉿kali)-[~/Desktop/3rdtools/sherlock/sherlock]
└─$ sudo nmap -sA google.com
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-12 11:01 EST
Nmap scan report for google.com (142.250.203.142)
Host is up (0.0025s latency).
Other addresses for google.com (not scanned): 2a00:1450:401b:80e::200e
rDNS record for 142.250.203.142: waw07s06-in-f14.1e100.net
All 1000 scanned ports on google.com (142.250.203.142) are unfiltered

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

As you can see, the ports are not filtered.

TCP Window scan (-sW).

This scan involves the same thing as the TCP ACK scan. The only difference is that on received packets, RST checks their TCP Window Size field to determine if the port is open or not. This is due to the fact that some operating systems return an add value in the TCP Window Size field when a packet is sent back from an open port. For closed ports, the value is negative.

Maimon TCP Scan (-sM).

This is a scan from the Null, FIN and Xmas family. It differs only in that it uses FIN/ACK flags. For this combination of flags, the RST return packet should be generated regardless of whether the port is open or closed. It happens that some BSD-based systems (a variation of the Unix operating system) skip responses if the port is open.

Nmap also provides the ability to define custom flags, scan IP protocols, Idle and more. However, these are slightly more complicated scans that are not used on a daily basis. We refer you to the tool's documentation here.

Finding vulnerabilities with nse scripts

Few people know that nmap is not just for reconnaissance work. Among other things, it allows finding vulnerabilities based on scripts prepared by the community and the tool's developers. Examples include nmap-vulners, vulscan or already prepared scripts that are installed along with nmap.

Before starting the scan, the mentioned scripts should be dropped (if you don't want to use the ones installed by default) into the scripts directory, which is located at the nmap installation location. For the kali system, the target path will be /usr/share/nmap/scripts. There are 604 scripts available in the base, and you can read more about them here. For example, to use the vulners.nse script, we will type:

nmap scanme.nmap.org --script=vulners.nse -sV

The example uses one script. To run a larger number of them, we would specify several names in succession separated only by a comma. Also, if we wanted to check scripts starting with a given phrase (e.g. "ftp"), we would use the command:

nmap scanme.nmap.org --script "ftp-*" -sV  

Similarly, if we wanted to run all available scripts, we would put .nse in quotation marks. However, I don't recommend doing this - some of the scripts require that additional arguments or external API keys be provided for them to work properly.

Sources

https://github.com/vulnersCom/nmap-vulners
https://github.com/scipag/vulscan
https://securitytrails.com/blog/nmap-vulnerability-scan
https://www.halolinux.us/firewalls-attack-detection/tcp-ack-scans.html
https://nmap.org/man
https://linuxhint.com/nmap_xmas_scan/