Nmap Network Scanning, Chapter 5. Port Scanning Techniques and Algorithms

Custom Scan Types with --scanflags
Truly advanced Nmap users need not limit themselves to the canned scan types. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules!
The --scanflags argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier. Just mash together any combination of URG, ACK, PSH, RST, SYN, and FIN. For example, --scanflags URGACKPSHRSTSYNFIN sets everything, though it's not very useful for scanning. The order these are specified in is irrelevant.
In addition to specifying the desired flags, you can specify a TCP scan type (such as -sA or -sF). That base type tells Nmap how to interpret responses. For example, a SYN scan considers no-response indicative of a filtered port, while a FIN scan treats the same as open|filtered. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags you specify instead. If you don't specify a base type, SYN scan is used.
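To make the two halves of the option concrete, here is an added example (not Nmap's own code) that turns a --scanflags argument into the TCP flag bitmask a probe would carry and maps a probe response to a port state the way the base scan type does. It covers only the six symbolic names the text lists, and it assumes that a SYN/ACK reply is reported as open under either base type.

```python
# Added example (not Nmap's own code): parse a --scanflags argument into the
# TCP flag bitmask Nmap would put in the probe, and map a probe response to a
# port state according to the base scan type, as the section describes.

# TCP header flag bits; --scanflags takes either this numeric value or any
# concatenation of the symbolic names (the six the text lists).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_scanflags(arg):
    """Return the flag bitmask for a --scanflags value such as '9' or 'SYNFIN'.
    Symbolic names may appear in any order; an unknown token is an error."""
    if arg.isdigit():
        value = int(arg)
        if not 0 <= value <= 0xFF:
            raise ValueError(f"flag value out of range: {arg}")
        return value
    rest = arg.upper()
    mask = 0
    while rest:
        for name, bit in TCP_FLAGS.items():
            if rest.startswith(name):
                mask |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown flag token in {arg!r}: {rest!r}")
    return mask


def flag_names(mask):
    """Symbolic names set in a bitmask, in header-bit order (FIN first)."""
    return [name for name, bit in TCP_FLAGS.items() if mask & bit]


def interpret_response(base, response):
    """Port state for a probe response under base scan type 'SYN' (-sS) or
    'FIN' (-sF/-sN/-sX, which interpret replies identically). response is
    'SYNACK', 'RST', 'ICMP_UNREACH' or None (no reply at all)."""
    if response == "RST":
        return "closed"
    if response == "ICMP_UNREACH":
        return "filtered"
    if response == "SYNACK":
        return "open"  # assumption of this example: any SYN/ACK counts as open
    if response is None:
        # This is the distinction the section draws between the base types.
        return "filtered" if base == "SYN" else "open|filtered"
    raise ValueError(f"unexpected response {response!r}")
```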
Custom SYN/FIN Scan
One interesting custom scan type is SYN/FIN. Sometimes a firewall administrator or device manufacturer will attempt to block incoming connections with a rule such as "drop any incoming packets with only the SYN flag set". They limit it to only the SYN flag because they don't want to block the SYN/ACK packets which are returned as the second step of an outgoing connection.
The problem with this approach is that most end systems will accept initial SYN packets which contain other (non-ACK) flags as well. For example, the Nmap OS fingerprinting system sends a SYN/FIN/URG/PSH packet to an open port. More than half of the fingerprints in the database respond with a SYN/ACK. Thus they allow port scanning with this packet and generally allow making a full TCP connection too. Some systems have even been known to respond with SYN/ACK to a SYN/RST packet! The TCP RFC is ambiguous as to which flags are acceptable in an initial SYN packet, though SYN/RST certainly seems bogus.
Example 5.13 shows Ereet conducting a successful SYN/FIN scan of Google. He is apparently getting bored with scanme.nmap.org.
Example 5.13. A SYN/FIN scan of Google
krad# nmap -sS --scanflags SYNFIN -T4 www.google.com

Starting Nmap ( https://nmap.org )
Warning: Hostname www.google.com resolves to 4 IPs. Using 74.125.19.99.
Nmap scan report for cf-in-f99.google.com (74.125.19.99)
Not shown: 996 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
179/tcp closed bgp
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 7.58 seconds
Similar scan types, such as SYN/URG or SYN/PSH/URG/FIN will generally work as well. If you aren't getting through, don't forget the already mentioned SYN/RST option.
PSH Scan
The section called "TCP FIN, NULL, and Xmas Scans (-sF, -sN, -sX)" noted that RFC-compliant systems allow one to scan ports using any combination of the FIN, PSH, and URG flags. While there are eight possible permutations, Nmap only offers three canned modes (NULL, FIN, and Xmas). Show some personal flair by trying a PSH/URG or FIN/PSH scan instead. Results rarely differ from the three canned modes, but there is a small chance of evading scan detection systems.
To perform such a scan, just specify your desired flags with --scanflags and specify FIN scan (-sF) as the base type (choosing NULL or Xmas would make no difference). Example 5.14 demonstrates a PSH scan against a Linux machine on a local network.
Example 5.14. A custom PSH scan
krad# nmap -sF --scanflags PSH para

Starting Nmap ( https://nmap.org )
Nmap scan report for para (192.168.10.191)
(The 995 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
53/tcp   open|filtered domain
111/tcp  open|filtered rpcbind
515/tcp  open|filtered printer
6000/tcp open|filtered X11
MAC Address: 00:60:1D:38:32:90 (Lucent Technologies)

Nmap done: 1 IP address (1 host up) scanned in 5.95 seconds
Because these scans all work the same way, I could keep just one of the -sF, -sN, and -sX options, letting users emulate the others with --scanflags. There are no plans to do this because the shortcut options are easier to remember and use. You can still try the emulated approach to show off your Nmap skills. Execute nmap -sF --scanflags FINPSHURG target rather than the more mundane nmap -sX target.
Warning

In my experience, needlessly complex Nmap command-lines don't impress girls. They usually respond with a condescending sneer, presumably recognizing that the command is redundant.