Standard TCP communications are controlled by flags
in the TCP packet header.
The flags are as follows:

TCP/IP Three Way ...
TCP FIN (-sF)                                                          Send FIN

                                         ...
TCP ACK (-PT)                                             Send ACK. Firewall test to verify packet filter or
             ...
-sT (TcpConnect)sending ack
-sS (SYN scan)
-sF (Fin Scan)
-sX (Xmas Scan)
-sN (Null Scan)
-sP (Ping Scan)
-sU (UDP scans)
...
NMAP Timing Options:
-T Paranoid – serial scan & 300 sec wait
-T Sneaky - serialize scans & 15 sec wait
-T Polite - serial...
• Once we get what ports are running on target hosts we can begin
  Hacking/Exploit/ perform Vulnerability check:

•   We ...
Upcoming SlideShare
Loading in...5
×

Open Results in New Window

663

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
663
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Open Results in New Window

  1. 1. Standard TCP communications are controlled by flags in the TCP packet header. The flags are as follows: TCP/IP Three Way Handshake 192.168.1.2:2342 ------------syn----------->192.168.1.3:80 192.168.1.2:2342 <---------syn/ack----------192.168.1.3:80 192.168.1.2:2342-------------ack----------->192.168.1.3:80 Connection Established Also known as: (TCP Connect / Full Open Scan) • Synchronize - also called "SYN” – Used to initiate a connection between hosts. • Acknowledgement - also called "ACK” – Used in establishing a connection between hosts • Push - "PSH” – Instructs receiving system to send all buffered data immediately • Urgent - "URG” – States that the data contained in the packet should be processed immediately • Finish - also called "FIN" – Tells remote system that there will be no more transmissions • Reset - also called "RST” – Also used to reset a connection Scan type and NMAP Option Description TCP Connect (-sT) Full three-way handshake (SYN,SYN/ ACK,ACK). () port scan (default for unprivileged users) Is it UP / What port are opened? Better for a Venerability check then A Pen test (detected by IDS). TCP SYN (i.e, half-open) (-sS) It is often referred to as half open scan because it doesn’t open a full TCP connection TCP SYN stealth port scan (default d First a SYN packet is sent to a port of the if privileged (root)) machine, suggesting a request for connection, and 192.168.1.2:2342 ------------syn----------->192.168.1.3:80 the response is awaited 192.168.1.2:2342 <---------syn/ack----------192.168.1.3:80 t If the port sends back a SYN/ACK packet, then it 192.168.1.2:2342-------------RST----------->192.168.1.3:80 is inferred that a service at the particular port is listening. Client sends a single SYN packet to the server on the If an RST is received, then the port is not appropriate port. active/listening. As soon as the SYN/ACK packet is received an RST packet is sent, instead of an ACK, a If the port is open then the server responds with a to tear down the SYN/ACK packet. Connection C The key advantage of this scan is that fewer sites S If the server responds with an RST log this packet, then the remote port is in state "closed” p The client sends RST packet to close the initiation before a connection can ever be established. b This scan also known as “half-open” scan.
  2. 2. TCP FIN (-sF) Send FIN If Return A RST response=port close. (Unix Only). Stealth FIN- It is referred to as "halfopen" scanning, as a full TCP connection is not opened FIN scan directed at open port: 192.5.5.92:4031 -----------FIN------------------->192.5.5.110:23 192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23 FIN scan directed at closed port: 192.5.5.92:4031 -------------FIN------------------192.5.5.110:23 192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23 1 Note: FIN scan only works OS system's TCP/IP implementation is developed according to RFC 793 i FIN Scan will not work against any current version of Microsoft Windows. o FIN scans directed at any Microsoft system will show all ports on the host as being closed. TCP Xmas Tree (-SX) Send FIN, URG,Push, The attacker checks for TCP Note: every time you get RST response back it means that the =port closed services By sending "Xmas-tree" packets Xmas scan directed at open port: If you get a No Response back that means that the 192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23 port is open. 192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23 Xmas scan directed at closed port: 192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23 192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23 1 Note: XMAS scan only works OS system's TCP/IP implementation is developed according to RFC 793 i Xmas Scan will not work against any current version of MicrosoftWindows. v Xmas scans directed at any Microsoft system will show all ports on the host as being closed. TCP Null (-sN) It’s an advanced scan that may be able to pass through firewalls unmolested No flags. RST response=port closed. NULL scan directed at open port: 192.5.5.92:4031 -----------NO FLAGS SET---------->192.5.5.110:23 192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23 NULL scan directed at closed port: 192.5.5.92:4031 -------------NO FLAGS SET---------192.5.5.110:23 192.5.5.92:4031<-------------RST/ACK--------------192.5.5.110:23 1 Note: NULL scan only works OS system's TCP/IP implementation is developed according to RFC 793 i NULL Scan will not work against any current version of MicrosoftWindows. M NULL scans directed at any Microsoft system will show all ports on the host as being closed.
  3. 3. TCP ACK (-PT) Send ACK. Firewall test to verify packet filter or stateful firewall. used to map out firewall rulesets. Windows scan: It is similar to the ACK This scan is very much similar to the ACK scan, scan and can also detect open ports except that it can sometimes detect open ports as well as filtered/unfiltered ports due to an anomaly in the TCP window size reporting by some operating systems. SYN/FIN scanning using IP fragments It is not a new scanning method but a modification of earlier methods. I The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend to do. Links:http://members.dodo.net.au/~ps2man/Nmap/nmap.html The following nmap command help will be in the exam: Nmap –PT –sT –V-V <IP Address> Nmap –sN –P0 –v –v <Ip Address> (Stealthy way not to be noticed)=long time scan nmap –sT –P0 -0 –v –v <ip> (-0 =detect OS) nmap –P (This type of scan simply generates and prints a list of IPs/Names without actually pinging or port scanning them. A DNS name resolution will also be carried out).
  4. 4. -sT (TcpConnect)sending ack -sS (SYN scan) -sF (Fin Scan) -sX (Xmas Scan) -sN (Null Scan) -sP (Ping Scan) -sU (UDP scans) -sO (Protocol Scan) -sI (Idle Scan) -sA (Ack Scan) -sW (Window Scan) -sR (RPC scan) -sL (List/Dns Scan) -P0 (don’t ping) ( -PT (TCP ping) -PS (SYN ping) -PI (ICMP ping) -PB (= PT + PI) -PP (ICMP timestamp) -PM (ICMP netmask) -oN(ormal) -oX(ml) -oG(repable) -oA(ll) -v Verbose. Its use is recommended. Use twice for greater effect.
  5. 5. NMAP Timing Options: -T Paranoid – serial scan & 300 sec wait -T Sneaky - serialize scans & 15 sec wait -T Polite - serialize scans & 0.4 sec wait -T Normal – parallel scan -T Aggressive- parallel scan & 300 sec timeout & 1.25 sec/probe -T Insane - parallel scan & 75 sec timeout & 0.3 sec/probe --host_timeout --max_rtt_timeout (default - 9000) --min_rtt_timeout --initial_rtt_timeout (default – 6000) --max_parallelism --scan_delay (between probes) NMAP Options: --resume (scan) --append_output -iL <targets_filename> -p <port ranges> -F (Fast scan mode) -D <decoy1 [,decoy2][,ME],> -S <SRC_IP_Address> -e <interface> -g <portnumber> --data_length <number> --randomize_hosts -O (OS fingerprinting) -I (dent-scan) -f (fragmentation) -v (verbose) -h (help) -n (no reverse lookup) -R (do reverse lookup) -r (dont randomize port scan) -b <ftp relay host> (FTP bounce) # nmap Nmap 3.30 Usage: nmap [Scan Type(s)] [Options] <host or net list> Some Common Scan Types ('*' options require root privileges) * -sS TCP SYN stealth port scan (default if privileged (root)) -sT TCP connect() port scan (default for unprivileged users) * -sU UDP port scan -sP ping scan (Find any reachable machines) * -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only) -sR/-I RPC/Identd scan (use with other scan types) Some Common Options (none are required, most can be combined): * -O Use TCP/IP fingerprinting to guess remote operating system -p <range> ports to scan. Example range: '1-1024,1080,6666,31337' -F Only scans ports listed in nmap-services -v Verbose. Its use is recommended. Use twice for greater effect. -P0 Don't ping hosts (needed to scan www.microsoft.com and others) * -Ddecoy_host1,decoy2[,...] Hide scan using many decoys -6 scans via IPv6 rather than IPv4 -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve] -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile> -iL <inputfile> Get targets from file; Use '-' for stdin * -S <your_IP>/-e <devicename> Specify source address or network interface --interactive Go into interactive mode (then press h for help) Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*' SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
  6. 6. • Once we get what ports are running on target hosts we can begin Hacking/Exploit/ perform Vulnerability check: • We have discovered all the common open/Closed ports, what about the ports that were changed? Port 80 changed to 2275 nmapnmap.exe -P0 -sT -sV --version-light -O -v -v (domain) =will scan uncommon ports

×