Saturday, 24 September 2016

Type of NMAP Scans and using them

Nmap scan type - Description

TCP connect -

The attacker makes a full TCP connection to the target system. The most reliable scan type but also the most detectable. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.

XMAS tree scan-

The attacker checks for TCP services by sending XMAS-tree packets, which are named as such because all the “lights” are on, meaning the FIN, URG, and PSH flags are set (the meaning of the flags will be discussed later in this chapter). Closed ports reply with a RST flag.

SYN stealth scan-

This is also known as half-open scanning. The hacker sends a SYN packet and receives a SYN-ACK back from the server. It’s stealthy because a full TCP connection isn’t opened. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.

Null scan-

This is an advanced scan that may be able to pass through firewalls undetected or modified. Null scan has all flags off or not set. It only works on Unix systems. Closed ports will return a RST flag.

Windows scan-

This type of scan is similar to the ACK scan and can also detect open ports.

ACK scan-

This type of scan is used to map out firewall rules. ACK scan only works on Unix. The port is considered filtered by firewall rules if an ICMP destination unreachable message is received as a result of the ACK scan.
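As an added example (not code from the original post), the Python below turns the flag descriptions above into detection logic: it classifies unsolicited inbound TCP probes by their flag bits into the scan types the post names, reports the reply the post says each port state gives, and flags sources that sweep many ports with one probe type. The packet records are constructed. Two points are assumptions not stated in the post: that an open port silently drops a XMAS, Null or FIN probe (which is why nmap reports such ports as open|filtered), and that an unfiltered port answers an ACK probe with RST whether it is open or closed.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Name the scan type an unsolicited probe with these flag bits belongs to.

    "syn" covers both the SYN stealth scan and the first packet of a full
    TCP connect scan; on the wire they differ only in whether the handshake
    is completed afterwards.
    """
    if flags == 0:
        return "null"               # no flags set at all
    if flags == FIN | PSH | URG:
        return "xmas"               # all the "lights" on
    if flags == FIN:
        return "fin"
    if flags == SYN:
        return "syn"
    if flags == ACK:
        return "ack"                # used to map firewall rules
    return "other"                  # not a probe pattern described in the post


def expected_reply(scan: str, port_open: bool) -> str:
    """Reply the post says a target sends, by scan type and port state."""
    if scan in ("syn", "connect"):
        return "SYN/ACK" if port_open else "RST/ACK"
    if scan in ("xmas", "null", "fin"):
        # Post: closed ports answer with RST. An open port dropping the probe
        # without any reply is an assumption (nmap's own interpretation).
        return "none" if port_open else "RST"
    if scan == "ack":
        # Post: an ICMP unreachable means a filtering rule is in the way.
        # An unfiltered port answering RST either way is an assumption.
        return "RST"
    raise ValueError(f"unknown scan type: {scan}")


# Constructed sample of unsolicited inbound segments: (source, dst port, flags).
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 22, SYN), ("10.0.0.5", 80, SYN), ("10.0.0.5", 443, SYN),
    ("10.0.0.5", 8080, SYN), ("10.0.0.5", 3306, SYN),
    ("10.0.0.9", 22, FIN | PSH | URG), ("10.0.0.9", 25, FIN | PSH | URG),
    ("10.0.0.9", 80, FIN | PSH | URG), ("10.0.0.9", 110, FIN | PSH | URG),
    ("10.0.0.9", 443, FIN | PSH | URG), ("10.0.0.9", 445, FIN | PSH | URG),
    ("10.0.0.12", 443, SYN),                  # one ordinary connection attempt
    ("10.0.0.20", 80, 0), ("10.0.0.20", 22, 0),  # two Null probes: below threshold
]


def detect_scanners(segments, threshold: int = 5) -> dict:
    """Return {source: scan_type} for sources that hit at least `threshold`
    distinct ports with the same probe type; one-off connections are ignored."""
    ports_by_src = defaultdict(lambda: defaultdict(set))
    for src, port, flags in segments:
        ports_by_src[src][classify_probe(flags)].add(port)
    hits = {}
    for src, by_type in ports_by_src.items():
        for scan, ports in by_type.items():
            if scan != "other" and len(ports) >= threshold:
                hits[src] = scan
    return hits


if __name__ == "__main__":
    for src, scan in detect_scanners(SAMPLE_SEGMENTS).items():
        print(f"{src}: {scan} scan; open ports would answer "
              f"{expected_reply(scan, True)}, closed ports {expected_reply(scan, False)}")
```

The threshold of five distinct ports is a starting point for a simple heuristic; a real sensor would also weight how quickly the probes arrive, since the timing templates in the switch table below are exactly what an attacker tunes to stay under such a count.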

The nmap command has numerous switches to perform different types of scans. The common command switches are listed below.
Common nmap command switches-

nmap command switch   Scan performed

-sT                   TCP connect scan
-sS                   SYN scan
-sF                   FIN scan
-sX                   XMAS tree scan
-sN                   Null scan
-sP                   Ping scan
-sU                   UDP scan
-sO                   Protocol scan
-sA                   ACK scan
-sW                   Windows scan
-sR                   RPC scan
-sL                   List/DNS scan
-sI                   Idle scan
-P0                   Don’t ping
-PT                   TCP ping
-PS                   SYN ping
-PI                   ICMP ping
-PB                   TCP and ICMP ping
-PP                   ICMP timestamp
-PM                   ICMP netmask
-oN                   Normal output
-oX                   XML output
-oG                   Greppable output
-oA                   All output
-T Paranoid           Serial scan; 300 sec between scans
-T Sneaky             Serial scan; 15 sec between scans
-T Polite             Serial scan; .4 sec between scans
-T Normal             Parallel scan
-T Aggressive         Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane             Parallel scan, 75 sec timeout, and .3 sec/probe

To perform an nmap scan, at the Windows command prompt type nmap followed by the target IP address and any command switches for the specific type of scan.
For example, to scan a host by its IP address using a TCP connect scan, enter this command:

nmap -sT
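The greppable output selected with -oG in the table above is the form that lends itself to automated comparison. As an added example, not code from the original post or from the nmap project, the Python below parses greppable Host: lines and reports which ports newly opened or closed between a baseline scan and a later one, which is how a defender would turn scheduled scans of their own hosts into a change alert. Both scan outputs are constructed samples using RFC 5737 documentation addresses; the field layout (tab-separated "Key: value" fields, with each port written as port/state/protocol/owner/service/rpc/version/) is nmap's documented greppable format.

```python
# Constructed baseline scan in -oG format (not real nmap output).
SCAN_BASELINE = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 192.0.2.10 (web.example.test)\tStatus: Up",
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/\tIgnored State: closed (997)",
    "# Nmap done (constructed sample)",
])

# Constructed later scan of the same host; one extra port is now open.
SCAN_TODAY = "\n".join([
    "Host: 192.0.2.10 (web.example.test)\tStatus: Up",
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, "
    "3306/open/tcp//mysql///\tIgnored State: closed (996)",
])


def parse_grepable(text: str) -> dict:
    """Parse -oG text into {address: {"status": str, "ports": [port dicts]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                            # skip "# Nmap ..." comment lines
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        addr = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" suffix
        entry = hosts.setdefault(addr, {"status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "Ports" in fields:
            for item in fields["Ports"].split(", "):
                parts = item.split("/")         # port/state/proto/owner/service/rpc/version/
                entry["ports"].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def open_ports(host: dict) -> set:
    """Set of (protocol, port) pairs reported open for one host entry."""
    return {(p["proto"], p["port"]) for p in host["ports"] if p["state"] == "open"}


def diff_scans(baseline_text: str, current_text: str) -> dict:
    """Per address, which (protocol, port) pairs opened or closed since baseline."""
    base, cur = parse_grepable(baseline_text), parse_grepable(current_text)
    empty = {"status": None, "ports": []}
    report = {}
    for addr in sorted(set(base) | set(cur)):
        before = open_ports(base.get(addr, empty))
        after = open_ports(cur.get(addr, empty))
        report[addr] = {
            "opened": sorted(after - before),
            "closed": sorted(before - after),
        }
    return report


if __name__ == "__main__":
    for addr, change in diff_scans(SCAN_BASELINE, SCAN_TODAY).items():
        print(f"{addr}: opened {change['opened']} closed {change['closed']}")
```

Keeping the baseline file under version control and running the comparison after each scheduled scan makes an unexpected listener, such as the database port in the sample, visible the day it appears rather than when someone else finds it.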
