Nmap Footprinting tool for ethical hacking and Penetration Testing Defined in Detail-Part One

So, here we are with another interesting post, this time in the category of footprinting: auditing any machine with a public IP address that is reachable from your own. You want to audit it completely: open ports, the OS running on it, its version and security posture, a map of the server, and so on; Nmap supports a large variety of scanners for this. We have already posted a list of tools that can be used in hacking, but now it is time to introduce them and their use to newbies so that they can benefit. Our previous post is here:-

10 Best Security Testing Tools For Linux and Windows

Download Nmap (Linux, Mac and Windows):-

Nmap Defined in Detail:-

I’ll divide every type of scanning technique available in Nmap into categories and give a brief introduction to each, so let’s start:-

TCP Connect:-

This is quite an effective scan. It completes the full TCP three-way handshake with each port it probes and reports which ports on a machine (i.e. a server) are open and which are closed. Nmap scans every port number, determines which ports are present on the machine, and then checks whether each one is open or not; if a port is open you will see “Open” in front of its number, and if it is closed, “closed” is shown.

This kind of scan has one drawback: if a firewall is running on the target system, it will notify the admin that someone is trying to reach the ports to see whether they are open for public access. Some advanced firewalls also record the source IP address and which ports were scanned from it. So a new, stealthier form of scan was developed.

SYN (Synchronize) Stealth Scan For ports:-

Whenever a TCP connection is created, the two systems exchange three packets (the three-way handshake). Technically, the TCP header has a flags field that tells the receiver what kind of packet it is receiving. We’ll discuss the relevant flags below:-

SYN (Synchronize):-

SYN packets include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication.

ACK (Acknowledge):-

This flag is set on a packet that acknowledges receipt of an earlier packet from the other side.

FIN (Finished):-

This flag is sent when the sender has finished and the connection is being closed.

RST (Reset):-

This is sent when the connection has to be reset, that is, closed immediately.

Working Scheme:-

To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.

Stealth scanning makes use of this scheme: it sends a SYN packet, as explained above. If a SYN/ACK comes back, the probed port is open; an RST is then sent right away and the half-open connection is torn down before it completes. Because the handshake never finishes, the remote machine often cannot save a log of the attempt.

In the other case, if the SYN packet is dropped or an RST is sent back, this does not mean the port is open. It can be assumed that the port is closed to other IPs but open to certain administrator IPs, so further footprinting can be done to find out how they are opened.

This scan can still be logged, but with the help of other Nmap options, such as altering the timing, we can make it undetectable; these options will be explained later.
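As an added example that is not part of the original post, this is the kind of firewall-side check the previous sentence refers to: a half-open scan never completes the handshake, so the service writes nothing, but the packet filter still records every SYN. The log lines, the `detect_scans` function and its thresholds are constructed for this illustration.

```python
# Added example (not from the original post): flag a source that sends
# SYN-only TCP probes to many distinct ports within a short window, using
# constructed iptables-style LOG lines.
from collections import defaultdict
from datetime import datetime

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: one scanning source, one normal client, one UDP packet.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=UDP SPT=51001 DPT=53 LEN=40
"""


def syn_only_events(lines):
    """Yield (time, src, dport) for TCP packets carrying SYN but not ACK."""
    for line in lines:
        tokens = line.split()
        kv = dict(t.split("=", 1) for t in tokens if "=" in t)
        flags = {t for t in tokens if t in TCP_FLAGS}
        if kv.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
            continue
        # Syslog timestamps carry no year; only differences matter here.
        ts = datetime.strptime(" ".join(tokens[:3]), "%b %d %H:%M:%S")
        yield ts, kv["SRC"], int(kv["DPT"])


def detect_scans(lines, window_s=10, min_ports=5):
    """Return {src: peak distinct ports in one window} for sources at or above min_ports."""
    per_src = defaultdict(list)
    for ts, src, dpt in syn_only_events(lines):
        per_src[src].append((ts, dpt))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= min_ports:
            flagged[src] = peak
    return flagged
```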

FIN, Null and Xmas Tree Scans (Denoted in Nmap as -sF, -sN and -sX):-

These three scan types can be useful. The scheme is this:-

  • A closed port must respond with an RST when it receives such a packet.
  • An open port must drop the packet silently (it is listening for a SYN).

So you are not trying to create a connection at all, and you don’t send a SYN. These scan types work against any system whose TCP/IP implementation follows RFC 793. Microsoft Windows does not follow it, so we can use this to detect the OS running on the scanned machine: Windows ignores these scan types even on closed ports. For example:-

If you run a SYN scan alongside any one of the -sF, -sN or -sX scans and the SYN scan shows open ports but the other scan does not, you are surely footprinting a machine running Windows.

But OS fingerprinting is the more reliable and trustworthy way to find the OS running on a machine.
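An added example, not code from the original post, that models the behaviour described in the SYN and FIN/Null/Xmas sections: how a target stack answers each probe, how the scanner turns the answer into a port state, and the Windows inference from the "for example" paragraph. The `Host` class, its `rfc793` switch and the port numbers are assumptions made for the illustration.

```python
# Added example (not from the original post): a model of how a target's TCP
# stack answers SYN, FIN, Null and Xmas probes, and how a scanner turns the
# answers into a port state. Two simulated stacks: one following RFC 793 and
# a Windows-style one that ignores flag-only probes on open and closed ports.
from dataclasses import dataclass
from typing import Optional, Set

# Probe flag sets for the scan types discussed above (-sS, -sF, -sN, -sX).
PROBES = {"sS": {"SYN"}, "sF": {"FIN"}, "sN": set(), "sX": {"FIN", "PSH", "URG"}}


@dataclass
class Host:
    open_ports: Set[int]
    rfc793: bool = True  # False models the Windows behaviour described above

    def respond(self, port: int, flags: Set[str]) -> Optional[str]:
        """Return the reply's flags, or None when the probe is silently dropped."""
        is_open = port in self.open_ports
        if flags == {"SYN"}:
            # Handshake start: SYN/ACK from a listener, RST from a closed port.
            return "SYN/ACK" if is_open else "RST"
        if self.rfc793:
            # RFC 793: a closed port answers any segment with RST; an open port
            # drops a segment carrying none of SYN, ACK or RST.
            return None if is_open else "RST"
        return None  # Windows-style stack: no answer regardless of port state


def classify(reply: Optional[str], scan_type: str) -> str:
    """Port state a scanner reports for one reply under the given scan type."""
    if scan_type == "sS":
        return "open" if reply == "SYN/ACK" else "closed" if reply == "RST" else "filtered"
    # FIN/Null/Xmas: RST means closed; silence means open or filtered.
    return "closed" if reply == "RST" else "open|filtered"


def scan(host: Host, ports, scan_type: str) -> dict:
    return {p: classify(host.respond(p, PROBES[scan_type]), scan_type) for p in ports}


def looks_like_windows(host: Host, ports) -> bool:
    """The inference from the text: the SYN scan proves some ports closed, yet
    a FIN scan never gets the RST those closed ports would send under RFC 793."""
    syn, fin = scan(host, ports, "sS"), scan(host, ports, "sF")
    closed_by_syn = [p for p in ports if syn[p] == "closed"]
    return bool(closed_by_syn) and all(fin[p] != "closed" for p in closed_by_syn)
```

Note that the FIN/Null/Xmas result for a silent port is "open|filtered", not "open": a firewall dropping the probe produces the same silence as a listening socket, which is the ambiguity OS fingerprinting resolves better.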

Ping Scan (Denoted in Nmap as -sP):-

The purpose of this scan type is to tell you which computers are online and which are not, rather than which ports are open. Nmap has four pinging methods.

Scheme of Ping Scan:-

The first method sends an ICMP ECHO REQUEST (i.e. a ping). If a reply is received, the remote machine is up; if the request is lost, Nmap tries a TCP ping instead, since ICMP may be blocked at the remote system. This lets us tell whether the host is really offline or is just blocking ICMP. The TCP ping sends SYN and ACK packets to a port (port 80 by default); as described above, if a reply comes back, the remote system is online. If there is again no response, the port under footprinting is filtered. The ICMP ping can be disabled by setting -P0 (that is P zero).

UDP Scan (Denoted in Nmap as -sU):-

In this scan Nmap sends a 0-byte UDP packet to the target port. If an ICMP Port Unreachable message comes back, the port is closed; otherwise the port is taken to be open.

Microsoft Windows hosts do not limit the rate at which Port Unreachable errors are generated, so all 65,535 UDP ports of a Windows machine can be scanned in a very short time. UDP scanning is not usually useful for most types of attack, but it can give you information about services or Trojans that depend on UDP, for example SNMP, NFS, the Back Orifice Trojan backdoor and many other exploitable services.

To be continued. Wait for the next part and subscribe to HT!