Port Scanning with Nmap
I know what you did last summer
Nmap is one of the many network tools that make you feel powerful as a network admin or a penetration tester. Nmap is generally known as a port-scanning tool; but it can do much more than that. The core usage of Nmap is to scan for open ports on a target destination. Why is it powerful? — Well, that’s because most network applications run on some specific TCP/UDP port numbers; and port scanning allows us to get insights into what services that are running on a server, or in a network.
Over the years, Nmap has developed new skill sets like OS fingerprinting and host scanning. Nmap is legal; we just need to learn the right tricks to use it for the right cause.
In one line, Nmap can tell us about who (as in device types) is in our network and what this device is doing (as in service type). This picture sums up what Nmap can do.
Challenge of the day
Suppose that you configured a server that to host multiple services. It could be a web server, a DHCP server, a DNS server or a game server. If you are like me, you will probably forget what you did 10 mins ago. Now you are asking yourself what server is this?
There are actually several ways to find out:
(A) active fingerprinting
If you want to know the girl’s name, you asked! That is what an alpha male would do. This is similar to active fingerprinting. Here, the ‘scanner’ sends active probes to the target device (server in our case) to ‘crawl’ for useful information. This requires the receiver to respond to some queries sent by the scanner. It does not always works; if the receiver choose not to respond, or if the probes are blocked by firewall before reaching the target host. This method is more intrusive but there are less guess work to do.
(B) passive fingerprinting
If you are the shy guy, you’ve probably wait for other to ask the girl’s name while you are listening. This is similar to passive scanning method. Here, the scanner do not send any probes; instead it LISTENS on some specific interfaces (a switch mirror port, or a dedicated monitoring port). The scanner then have to guess and analyse the data (network packets) to uncover useful information. Passive monitoring is less intrusive, and has higher success rate since the listening action is not blocked by the firewall. In some cases, the target host are not aware that they are being monitored. Wireshark is a popular network sniffer for passive monitoring.
(C) Dashboard Monitoring
Or, you can simply go to the ‘server manager’ console that are built-in into most modern Server based Operating System. All running services should be visible in the dashboard (that is assuming you have access to the server).
How does Port Scanning Works?
We need a scanner and one or more target. The scanner systematically sends multiple TCP 3 way handshakes to the target. The scanner starts the handshake (SYN=1) from port#0 up to port#65535, incrementally. When the receiver gets the handshake request; it checks if the particular port is opened. For example, in the first probe:
(1) The scanner send a TCP SYN to the target to start a connection on port#0. (2a) If this port is opened on the target, it will reply TCP SYN+ACK back to the scanner. From here, the scanner knows that this port#0 is opened on the target host. (2b) If the port is not opened, the target host sends RST back to the scanner. From here, the scanner knows that this port#0 is closed.(3) Regardless of what target host replies, the scanner always sends RST back to the target to cancel the handshake (since it has never intended to start a real connection in the first place). (4) The scanner repeats steps 1->3 for port#2, port#3...until the last available port number is scanned.
Here’s the visualization of the process; where the scanner is trying to check if port#22 and port#113 is open.
Port Scanning with Nmap
There are two ways to use Nmap; (a) the command line version or the (b) GUI version called Zenmap. We will demonstrate Zenmap here. You can download Zenmap from this link.
Our goal is to find out what are the services that are hosted in the Eagle server as shown in the topology below.
Nmap is installed in the ‘network scanner’ node with IP 192.168.238.1. The Eagle server is assigned the IP 192.168.238.200. Both of the scanner and the server is in the same LAN.
To scan open ports with Zenmap, we simply type the target IP address in the ‘target’ field on the UI. Here, the target is the Eagle server’s IP address, which is 192.168.238.200. On the ‘profile’ option, we use ‘intense scan’ to scan for some common TCP ports. Intense scan is good choice because it is fairly quick and only scan for popular ports like port 80 for HTTP, port 21 for FTP, port 23 for Telnet etc so we can get a hit quickly.
If you want to experiment with other scan profile; this table describes each of the available options:
After 10–20 seconds, we will get the scan results as shown. The results are grouped into several categories. Let’s examine the output from the first tab in ‘Nmap Output’.
Nmap only shows the opened ports. The first line indicates that 21/tcp is opened. The ‘service’ field shows the service name of port 21/tcp; which is FTP. We can continue to analyse in this way to find out what services are running in the Eagle server. If you need more information about any of the services, refers to the IANA port number table here.
From the scan reports; we can imply that Eagle server can be a:
FTP server, SSH server, TELNET server, SMTP server, DNS server, WEB server, IRC server and many more.
This means that the ‘normal user’ in the network can use the FTP service on the Eagle server by typing ftp://192.168.238.200 on a browser like Chrome. 23/tcp or 443/tcp
The user can also open a Telnet or SSH connection to Eagle server by typing 192.168.238.200 using putty.exe. 80/tcp
If the user want to see the website hosted in Eagle server, he can type http://192.168.238.200 on a web browser. 6667/tcp
The user can even chat to some other hosts using the IRC service hosted in Eagle server using the IRC client.25/tcp
Another service that is supported is email service. The user can sends an email to Eagle server (SMTP server). If the receiver is also in the Eagle server domain, then he can receive this email.
So, we can conclude that this server is jack of all trades. Talks about putting all the eggs in one basket.
What Exactly Happened?
In this example, we use Zenmap running on a scanner to scan eagle server. The scanner sends TCP probes for all the popular TCP ports to check if these ports are opened. If we found that port 21/tcp is opened; we can guess that this server is probably a TELNET server.