Nmap

Nmap, or network mapper, is an open source tool used for gathering information about a network and the systems on it. Systems on a network are assigned an IP address, much like an apartment building has a street address in a city. Applications and services that run on these systems might need to communicate with other applications or services on the same or on different networks. They do this by programmatically designating a certain part of the network packet address to a particular service. This designation is known as a port. In our apartment building example, ports are the mailboxes for all the people who live in the building. Apache, the most popular web server globally, will be monitoring or “listening” for packets addressed to port 80 and/or 443 on the machine that is hosting the application. Packets with port 80 or 443 in the destination port field are intended for Apache; packets with any other destination port could be for another service. The packet has 16 bits for the source port and 16 bits for the destination port. That means there are 2^16-1 = 65 535 possible ports (0 is not a port, hence the minus 1).

For networks, Nmap is a good detective tool to find which ports are open or listening. The default setting of nmap is to run a scan of the first 1000 ports on the target hostname or address. If all you do is type in nmap followed by a target, it will send an empty TCP datagram with the SYN (synchronization) flag set to each of those 1000 ports. A datagram, by the way, is the formal name of a packet. If you want to scan all 65 535 ports you have to use the flag -p-, but this will take a while.

The TCP header has 9 bits for flags. One is SYN, which is set at the beginning of all legitimate communications. There is a flag for ACK, the acknowledgement of data and of SYN requests. There is also a flag for reset, or RST, which is used when communications need to be tried again. The flag FIN signals the last packet sent from the sender. There are 5 more flags, but these are the ones we need to know for today’s discussion.

Ultimately, one of the main reasons to use Nmap is to determine which ports are open and which ones are closed. Open ports are potential attack surfaces. Nmap categorizes a port into one of several states: open, closed, filtered, unfiltered, open|filtered and closed|filtered. Let’s talk about them one by one.

An open port is accepting connections to the service. A closed port does not have a service using it. However, the system is still required to respond to requests to it, as stated in the following guideline from RFC 793: “If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYN (requests) addressed to a non-existent connection are rejected by this means.” It is worth noting that the port may be opened later by a service.

A filtered port generally has a firewall or some kind of rules-based algorithm acting as a gateway to the service. Maybe the IP source part of the header had a blacklisted IP. If the packet is blocked in such a way, then the host behind it doesn’t get a chance to respond, not even with a RST packet. There is evidence of this when Nmap sends a SYN packet and there is no RST response. Another reason for a lack of response is that there was a network blip and the packet was “dropped” or lost in the electronic void, or perhaps some other device malfunction. If this occurs, sometimes the device will respond with an error message. The error comes back in the form of an Internet Control Message Protocol (ICMP) packet. ICMP is the main vehicle that network devices use to communicate error or success messages back and forth. The first 32 bits of the packet are the header, which is further broken up into an 8-bit type followed by an 8-bit code. Typically, the router or firewall that is filtering the port will send a packet with the type set to 3, Destination Unreachable, and the code set to 13, communication administratively prohibited. However, what the firewall sends back depends on its settings. It could very well send no response.

An unfiltered port means that the port is accessible but Nmap is not sure whether it is open or closed. A normal SYN scan will not result in this ambiguity; it arises from an ACK scan, a special scan used to try to slip past firewalls. To help us understand the difference between a SYN and an ACK scan, it’s a good idea to understand something called the three-way handshake. Before data can be sent across a network, the systems have to shake “hands” and confirm they want to do business with one another. So, your system running nmap sends a TCP datagram with the SYN flag set and the requested port in the header. If the port is open and listening, the target sends its own TCP datagram with the SYN and ACK (synchronization and acknowledgement) flags set. This is to say: hey, I got your request and it’s fine to do business together. There is also some other information, including how to find the data when it is eventually sent. Finally, if all looks good, the system that sent the first SYN request now sends only an ACK, which is to say: I got your message that you got my message.

Nmap reports an unfiltered port because the ACK scan sent only a packet with the ACK flag set and never sent a SYN. It’s like starting a conversation with “I got the message that you got the message” when the other system didn’t even send a message! If a firewall or similar middle network device sees just an ACK, it may not have any access control rules to deal with it. The IT person may have configured it to assume that all ACK packets are part of an existing connection and therefore to do nothing with them. This is a non-stateful approach to tracking these packets, because the middle device doesn’t record the history of what is happening. The reason Nmap is unsure whether the port is open or closed is that RFC 793 states the host must send a RST response, whether the port is closed or open, if the ACK packet has a sequence number that is invalid for any currently ongoing communication. Sequence numbers are used by the systems to track the order of packets. So closed or open, the response could be the same.

Nmap will classify a port as open|filtered if it is unsure whether the port is open or filtered. This is mainly due to a lack of response to sent packets. A bad connection may drop packets (lose them) or a firewall might just stop them from going through. Either way, from Nmap’s point of view it is the same: a connection is attempted without any feedback at all.

The last state Nmap can assign a port is closed|filtered. This is when Nmap is unsure whether the port is closed or filtered. Only the IP ID idle scan will produce this result. The idle scan is a novel way of scanning the status of a port by using another device, called a “zombie”. This host must be idle. Printers make good “zombies”, but you can search the local network to find suitable candidates; the script to do this is nmap --script ipidseq. You could use Nmap’s -iR flag to randomly find a suitable zombie prospect, but this could find hosts that are rather far away, which could mean latency issues with your scan. It also utilizes other systems that may not be very obliging to your network scanning needs.

Once you have found a suitable zombie, nmap sends a SYN/ACK packet to it. The zombie replies with a RST packet, because the two machines don’t have an existing three-way handshake happening, and the protocol therefore requires the zombie to send a RST. The Internet Protocol (IP) packet has an ID number, and it is included in the return packet. We will call this ZOMBIEID1. Nmap then sends a SYN packet to the target computer, but all of its identification information is forged to look like it is coming from the zombie host. If the port is open on the target, the target will send a SYN/ACK packet back to the zombie. This will probably cause the zombie’s IP ID to increase by 1. Nmap now sends another SYN/ACK to the zombie. Again, the zombie returns a RST packet, but its IP ID has increased by 2. Nmap now knows the port is open on the target machine without the target even knowing about the attacker. If the port is closed on the target, the target sends a RST response to the zombie, and the zombie doesn’t increase its ID number. So when Nmap probes the zombie a second time with an unsolicited SYN/ACK packet, the zombie returns a RST response whose ID has increased by only 1. If the port is filtered, the target machine will not respond to the zombie at all, and so it too will not increase the zombie’s IP ID. Consequently, the Nmap idle scan cannot tell the difference between a filtered and a closed port.
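As an added illustration (not part of the original post and not Nmap’s code), here is a small Python simulation of the response rules described above: how a SYN scan, an ACK scan and the IP ID idle scan each turn a host’s replies into Nmap’s port states. The hosts, the zombie and the ICMP reply tuple are constructed for the example; no packets are sent.

```python
from dataclasses import dataclass

# ("icmp", type, code) for the type 3 / code 13 reply a rejecting firewall may send
ADMIN_PROHIBITED = ("icmp", 3, 13)

@dataclass
class Host:
    """Constructed host; ports map to 'open', 'closed' or 'filtered'."""
    ports: dict
    icmp_reject: bool = False  # firewall answers with ICMP instead of dropping
    ip_id: int = 1000          # IP ID counter, +1 for every packet the host sends

    def respond(self, flags, port):
        """Reply to a TCP probe with the given flags, or None if nothing comes back."""
        state = self.ports.get(port, "closed")
        if state == "filtered":
            return ADMIN_PROHIBITED if self.icmp_reject else None
        self.ip_id += 1  # the host sends exactly one reply
        if flags == "SYN":
            return ("tcp", "SYN/ACK") if state == "open" else ("tcp", "RST")
        # ACK or SYN/ACK with no matching connection: RST whether open or closed (RFC 793)
        return ("tcp", "RST")

def syn_scan_state(resp):
    """SYN scan: SYN/ACK = open, RST = closed, nothing or ICMP unreachable = filtered."""
    if resp is None or resp[0] == "icmp":
        return "filtered"
    return "open" if resp[1] == "SYN/ACK" else "closed"

def ack_scan_state(resp):
    """ACK scan: a RST only proves the port is reachable, so it is 'unfiltered'."""
    return "unfiltered" if resp == ("tcp", "RST") else "filtered"

def idle_scan_state(zombie, target, port):
    """IP ID idle scan: compare the zombie's IP ID before and after the forged SYN."""
    zombie.respond("SYN/ACK", 0)        # probe 1: unsolicited SYN/ACK, zombie RSTs
    zombie_id1 = zombie.ip_id           # ZOMBIEID1 from the post
    answer = target.respond("SYN", port)  # SYN with the zombie's address as source
    if answer == ("tcp", "SYN/ACK"):    # open: target's SYN/ACK reaches the zombie,
        zombie.respond("SYN/ACK", 0)    # which RSTs it and bumps its IP ID
    # closed: target RSTs the zombie, which ignores it; filtered: nothing at all
    zombie.respond("SYN/ACK", 0)        # probe 2
    return "open" if zombie.ip_id - zombie_id1 == 2 else "closed|filtered"

if __name__ == "__main__":
    target, zombie = Host({80: "open", 22: "closed", 443: "filtered"}), Host({})
    for port in (80, 22, 443):
        print(port, syn_scan_state(target.respond("SYN", port)),
              idle_scan_state(zombie, target, port))
```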
