Port Scanning

Port scanning, version detection and firewall evasion techniques in Nmap, which can be combined with Nmap's other scan options.

Fast Scanning

nmap -F [target] | nmap -F 10.10.1.1

By default, Nmap scans the 1,000 most commonly used ports. The -F option reduces that number to 100. This can dramatically speed up scanning while still covering the majority of commonly used ports.

Scan Specific Ports

nmap -p [port] [target] | nmap -p 80 10.10.1.44
nmap -p [port1,port2,etc|range of ports] [target] | nmap -p 20,50,70-100 10.10.1.1

Scan Ports by Name

nmap -p [port name(s)] [target] | nmap -p smtp,http 10.10.1.1

Executing nmap -p "http*" 10.10.1.1 would scan all ports whose service name starts with http.

Scan Ports by Protocol

nmap -p U:[UDP ports],T:[TCP ports] [target] | nmap -sU -sT -p U:53,T:25 10.10.1.1

Using the syntax -p U:53,T:25 instructs Nmap to perform a UDP scan on port 53 and a TCP scan on port 25.

Scan All Ports

nmap -p "*" [target]

Scan Top Ports

nmap --top-ports [number] [target] | nmap --top-ports 10 10.10.1.1

Using the --top-ports option, you can specify any number of top-ranked ports to scan.

Sequential-Port Scan

nmap -r [target] | nmap -r 10.10.1.1

Nmap’s default scanning algorithm randomizes the port scan order. This is useful for evading firewalls and intrusion prevention systems. The -r parameter overrides this functionality and instructs Nmap to sequentially search for open ports in numerical order.

Operating System and Service Detection

The process of identifying a target’s operating system and software versions is known as TCP/IP fingerprinting.

Operating System Detection

nmap -O [target] | nmap -O 10.10.1.1

Operating system detection is performed by analyzing responses from the target for a set of predictable characteristics which can be used to identify the type of OS on the remote system.

OS detection is most reliable when the target has at least one open and one closed TCP port. When scanning multiple targets, the --osscan-limit option can be combined with -O to instruct Nmap not to OS scan hosts that do not meet this criterion.

Submitting TCP/IP Fingerprints

nmap -O 10.10.1.11

If Nmap is unable to determine the operating system on a target, it will provide a fingerprint which can be submitted to Nmap’s OS database at www.nmap.org/submit/. By submitting the fingerprint generated and correctly identifying the target system’s operating system, you can help improve the accuracy of Nmap’s OS detection feature in future releases.

Attempt to Guess an Unknown Operating System

If Nmap is unable to accurately identify the OS, you can force it to guess by using the --osscan-guess option.

nmap -O --osscan-guess [target] | nmap -O --osscan-guess 10.10.1.1

The --fuzzy option is a synonym that can be used as an easy-to-remember shortcut for the --osscan-guess feature.

Service Version Detection

nmap -sV [target] | nmap -sV 10.10.1.1

The -sV option will attempt to identify the vendor and software version for any open ports it detects.

Nmap version detection purposely skips some problematic ports (specifically 9100-9107). This can be overridden by combining the --allports parameter with -sV, which instructs Nmap not to exclude any ports from version detection.

Troubleshooting Version Scans

nmap -sV --version-trace [target] | nmap -sV --version-trace 10.10.1.1

The --version-trace option can be helpful for debugging problems or to gain additional information about the target system.

RPC Scan

nmap -sR [target] | nmap -sR 10.10.1.1

RPC is most commonly associated with Unix and Linux systems, specifically with the NFS (Network File System) service.

Firewall Evasion Techniques

Fragment Packets

nmap -f [target] | nmap -f 10.10.1.1

The -f option instructs Nmap to fragment each probe into many very small 8-byte packets. This option isn’t particularly useful in everyday situations; however, it may be helpful when attempting to evade some older or improperly configured firewalls. Some host operating systems may require the use of --send-eth combined with -f for fragmented packets to be properly transmitted.

Specify a Specific MTU

The MTU must be a multiple of 8 (for example 8, 16, 24, 32, etc.). The --mtu option is similar to the -f option except it allows you to specify your own MTU to be used during scanning. This creates fragmented packets that can potentially confuse some firewalls.

nmap --mtu [number] [target] | nmap --mtu 16 10.10.1.1
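From the defender's side, probes fragmented with -f or --mtu are recognisable because the first fragment is too short to hold a complete TCP header, the condition RFC 1858 tells filters to drop. The following is an added example, not part of the original page; the packets are constructed samples and the function names are illustrative.

```python
import struct

TCP = 6
MIN_TCP_HEADER = 20  # a first fragment shorter than this splits the TCP header

def ipv4_header(total_len, flags_off, proto=TCP):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_off,
                       64, proto, 0, bytes([10, 10, 1, 50]), bytes([10, 10, 1, 1]))

def classify_fragment(packet: bytes) -> str:
    """Classify an IPv4 packet using the RFC 1858 tiny-fragment checks."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # header length in bytes
    total_len, _ident, flags_off = struct.unpack("!HHH", packet[2:8])
    proto = packet[9]
    more_fragments = bool(flags_off & 0x2000)    # MF flag
    offset = flags_off & 0x1FFF                  # counted in 8-byte units
    payload_len = total_len - ihl
    if not more_fragments and offset == 0:
        return "not-fragment"
    if proto == TCP and offset == 0 and payload_len < MIN_TCP_HEADER:
        return "tiny-first-fragment"             # TCP header is incomplete
    if proto == TCP and offset == 1:
        return "offset-1-fragment"               # lands inside the TCP header
    return "fragment"

def sample_packets():
    """Constructed samples: a 24-byte TCP header sent whole, in 8-byte
    fragments (as with -f), in 16-byte fragments (as with --mtu 16), and
    the first fragment of an ordinary large datagram."""
    tcp = bytes(24)  # placeholder bytes standing in for a TCP header
    return {
        "whole": ipv4_header(44, 0x0000) + tcp,
        "f_first": ipv4_header(28, 0x2000) + tcp[:8],
        "f_second": ipv4_header(28, 0x2001) + tcp[8:16],
        "f_last": ipv4_header(28, 0x0002) + tcp[16:24],
        "mtu16_first": ipv4_header(36, 0x2000) + tcp[:16],
        "large_first": ipv4_header(1500, 0x2000) + bytes(1480),
    }
```

A filter that reassembles fragments before inspection, or drops the two flagged classes outright, removes the ambiguity these options rely on.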

Use a Decoy

When performing a decoy scan Nmap will spoof additional packets from the specified number of decoy addresses. This effectively makes it appear that the target is being scanned by multiple systems simultaneously. Using decoys allows the actual source of the scan to “blend into the crowd” which makes it harder to trace where the scan is coming from.

nmap -D [decoy1,decoy2,etc|RND:number] [target] | nmap -D RND:10 10.10.1.48

nmap -D RND:10 instructs Nmap to generate 10 random decoys. You can also specify decoy addresses manually using the following syntax: nmap -D decoy1,decoy2,decoy3, etc. Using too many decoys can cause network congestion and reduce the effectiveness of a scan. Additionally, some internet service providers may filter spoofed traffic which will reduce the effectiveness of using decoys to cloak your scanning activity.

Idle Zombie Scan

The -sI option is used to perform an idle zombie scan. The idle zombie scan is a unique scanning technique that allows you to exploit an idle system and use it to scan a target system for you. The scan works by exploiting the predictable IP ID sequence generation employed by some systems. In order for an idle scan to be successful, the zombie system must truly be idle at the time of scanning.

nmap -sI [zombie host] [target] | nmap -sI 10.10.1.31 10.10.1.202

With this scan, no probe packets are sent from your system to the target, although an initial ping packet will be sent to the target unless you combine -PN (spelled -Pn in current Nmap releases) with -sI.

Manually Specify a Source Port Number

nmap --source-port [port] [target] | nmap --source-port 53 divyendra.com

The --source-port option is used to manually specify the source port number of a probe. Every TCP segment contains a source port number in addition to a destination. By default, Nmap will randomly pick an available outgoing source port to probe a target. The --source-port option will force Nmap to use the specified port as the source for all packets. This technique can be used to exploit weaknesses in firewalls that are improperly configured to blindly accept incoming traffic based on a specific port number. Port 20 (FTP), port 53 (DNS), and port 67 (DHCP) are common ports susceptible to this type of scan.

Append Random Data

nmap --data-length [number] [target] | nmap --data-length 25 10.10.1.1

Nmap transmits packets which are generally a specific size. Some firewall vendors know to look for this type of predictable packet size. The --data-length option adds the specified amount of additional data to probes in an effort to circumvent these types of checks.

Randomize Target Scan Order

The --randomize-hosts option is used to randomize the scanning order of the specified targets.

nmap --randomize-hosts [targets] | nmap --randomize-hosts 10.10.1.100-254

The --randomize-hosts option helps prevent scans of multiple targets from being detected by firewalls and intrusion detection systems. This is done by scanning them in a random order instead of sequentially.
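Randomized port order (the default described under Sequential-Port Scan) and randomized host order only defeat detectors that look for ascending sequences. The following added example, not part of the original page, counts distinct destination/port pairs per source in a sliding window, so ordering is irrelevant. The log format, addresses, window and threshold are assumptions made for this sketch.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import random

def parse(line):
    """Split one constructed log line into (time, src, dst, dport)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["SRC"], kv["DST"], int(kv["DPT"])

def detect_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Map each source that touched >= threshold distinct (dst, port)
    pairs inside one sliding window to the peak count it reached."""
    recent = defaultdict(deque)   # src -> events still inside the window
    flagged = {}
    for ts, src, dst, dport in sorted(map(parse, lines)):
        events = recent[src]
        events.append((ts, dst, dport))
        while ts - events[0][0] > window:
            events.popleft()
        distinct = len({(d, p) for _, d, p in events})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

def sample_log(seed, shuffle=True):
    """Constructed log: 10.10.1.50 probes 3 hosts x 10 ports, one probe
    per second, in shuffled or sequential order; 10.10.1.77 is an
    ordinary client talking to three services."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    targets = [(f"10.10.1.{h}", p) for h in (100, 101, 102)
               for p in range(20, 30)]
    if shuffle:
        random.Random(seed).shuffle(targets)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} "
             f"SRC=10.10.1.50 DST={d} DPT={p}"
             for i, (d, p) in enumerate(targets)]
    lines += [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} "
              f"SRC=10.10.1.77 DST=10.10.1.1 DPT={p}"
              for i, p in enumerate([80, 443, 443, 80, 53, 443])]
    return lines
```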

Spoof MAC Address

The --spoof-mac option is used to spoof the MAC (Media Access Control) address of an Ethernet device.

nmap --spoof-mac [vendor|MAC|0] [target] | nmap -sT -PN --spoof-mac 0 192.168.1.1

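The value 0 instructs Nmap to forge a randomly generated MAC address (a vendor name, such as 3com, can be given instead to generate an address with that vendor's prefix). This makes your scanning activity harder to trace by preventing your MAC address from being logged on the target system.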

Send Bad Checksums

The --badsum option is used to send packets with incorrect checksums to the specified host.

nmap --badsum [target] | nmap --badsum 10.10.1.1

TCP/IP uses checksums to ensure data integrity. Only a poorly configured system would respond to a packet with a bad checksum, so crafting such packets will only rarely produce a response. Nevertheless, it is a good tool to use when auditing network security or attempting to evade firewalls.