[End]Network Vulnerability and Scanning: Other NMAP Scans (NULL,FIN,XMAS,ACK,IDLE)
There are some other scanning techniques in Nmap which are not used as much as the one mentioned in previous lessons. However in some cases, you may need to find some other ways to be able to discover the sensitive hosts in a network.
📜 In the figure above, there are three types of scans which is the null scan, fin scan and xmas scan. The common feature of these three scanning methods is that they send packets to the target systems in which SYN, ACK and RST flags are not set.
▶️ Null scan (-sN) does not set any bits. For instance, TCP flag header is 0.
▶️ Fin scan (-sF) sets just the TCP FIN bit.
▶️ Xmas scan (-sX) sets the FIN, PSH/Push , and URG flags lighting up the packet like a Christmas tree.
📁There are two rules defined in RFC standards about such packets:
- The first rule is if the destination port state is CLOSED, and incoming segment not containing a RST causes a RST to be sent in response.
- The second rule is packets sent to OPEN ports without the SYN, RST or ACK bits set are dropped.
These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. Responses are treated as shown in Figure above.
If the RST packet is received, the port is considered closed. While no response means that it is open or filtered. In addition, if an ICMP unreachable error is received, the port is marked as filtered. Thus, with the result from these types of scans, you can find out if a port is closed or not.
ACK Scan (-sA):
⭐️This scan is different than others discussed so far. It never determines open and open|filtered ports. It is used to map out firewall rule sets. This is done to determine whether the port are stateful or not and which ports are filtered.
⭐️The ACK scan probe packet has only ACK flag set.When scanning unfiltered systems, both open and closed port will return a RST packet. Nmap then labels them as unfiltered.
⭐️This mean that the ports are reachable by the ACK packet. However, whether they are open or closed is undetermined.
⭐️Ports that don’t respond or send certain ICMP error messages back are labeled as filtered.
In the figure above, the result illustrated that the state of port is unfiltered instead of normal scan that result in open, closed or filtered.
Idle Scan (-sL):
⚡️ Idle scan as an advance scan method/technique that allows for a truly blind TCP port scan of the target. Truly blind TCP port scan means that no packets are sent to the target from your real IP address.
⚡️ Instead, a unique side channel attack exploits the predictable IP fragmentation ID sequence generation on the zombie host. This is done to gather information about the open ports on the target.
⚡️ IDS systems will display the scan as coming from the zombie machine that you specified.
The idle scan is based on three facts:
- As you already know, one way to determine whether TCP port is open or closed. The target machine will responded with a SYN/ACK packet if the port is open and RST if the port is closed.
- A machine that receives unexpected SYN/ACK packet will responded with RST and an unexpected RST will be ignored.
- Every IP packet on the internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send. Probing for the IP ID can tell an attacker how many packets have been sent since the last probe.
Open Port:
Let’s see what happen in an idle scan if the target port is open.
Steps:
- First step is to probe the IP ID of the zombie system. The attacker/scanner will sends a SYN/ACK to the zombie. Then, since the zombie does not expect the packet, it sends back a RST with IP ID.
- The second steps is to forge a SYN packet from the zombie to the target system. The target then sends a SYN/ACK in response to the SYN and appears to be coming from the zombie. Since the zombie does not expect the packet, it sends back a RST. This increments its IP ID in the process.
- Third step is to probe the zombie’s IP ID again. The attacker/scanner a SYN/ACK to zombie again. Then, the RST packet of the zombie has an IP ID which is increased by two since the first step.
Concluded that port is open.
Closed Port:
Now let’s see what happen in an idle scan if the target port is closed.
- The first step is to probe the IP ID of the zombie system. Attacker/Scanner sends a SYN/ACK to the zombie. Since the zombie does not expect the packet, it sends back a RST with an IP ID.
- Second step is to forge a SYN packet from the zombie to the target system. The target sends a RST as the port is closed in response to the SYN and that appears to be coming from the zombie. The zombie ignores the unexpected RST. Thus, its IP ID does not change.
- Third step is to probe the zombie’s IP ID again. The attacker/scanner sends a SYN/ACK to the zombie again. The RST packet of the zombie has an IP ID which is increased by 1 since the first step.
Concluded that port is closed/not open.
Filtered Port:
Let’s see what happen in an idle scan if the target port is filtered.
- The first step is to probe the IP ID of the zombie system. The attacker/scanner sends a SYN/ACK to the zombie. Since zombie does not expect the packet, it sends back a RST with an IP ID.
- Second step is to forge a SYN packet from the zombie and send to the target system. The target filtering its port, ignores the SYN that appears to come from the zombie. The zombie is unaware that anything happened so its IP ID remains the same.
- The third step is to probe zombie’s IP ID again.The attacker/scanner sends a SYN/ACK to the zombie again. The RST packet of the zombie’s IP ID which has increased by 1 since the first step.
Concluded that port is closed/not open. Form the attacker’s point of view, the filtered port is indistinguishable from a closed port. WHY ❓ in both cases the IP ID is increased only by one.
Let’s perform an idle scan:
In order to be able to perform an idle scan, we first need to have a zombie computer on the network which has incremental IP ID sequencing. Fortunately, we have an Nmap script to help us find the computer that is appropriate to become a zombie.
First let find the scripts that start with ipid with the command in figure above.
Use the script with the IP address block of our network. To keep it very simple, we will scan the top 2 ports. In the figure above, 10.0.2.4 (target machine: Metasploitable) and 10.0.2.15 is our Kali Linux machine. Both of this machine IP ID sequence is all zero. This two machine cannot be used as a zombie. In addition, the 10.0.2.1 is the default gateway and it has incremental sequencing. It can be used as a zombie system.
Ps: if the ipidseq.nse is not working and have errors. Try to get the script from the official site: https://nmap.org/nsedoc/scripts/ipidseq.html
We will try to use the Kali Linux machine as zombie to scan our target machine Metasploitable. I know that this is unnecessary and have no meaning when we use the attacker machine as a zombie.
🌟However, I just want to show that the Idle scan (-sI) will not work when the IP ID sequence is all zeros. In addition, this scan will also never work when a randomized IP ID sequence is used.
Now, it is time to use system which has an incremental IP ID sequence class. Once again to keep it simple, I just scan the top 3 ports. The scans is completed successfully.
Let’s compare the SYN scan with the Idle Scan with same conditions. Port 23 and 80 are open in both scans. According to SYN scan, port 443 is closed. We also know that the idle scan is no able to distinguish between closed port and filtered port. Thus, Idle scan flagged the port 443 as closed or filtered.
Now, let’s run the last nmap query with reason option. As you can notice that port 23 and 80 are flagged as open because the IP ID has changed in the process. Whereas the IP ID sequence of the port 443 has not changed, then the port is flagged closed or filtered.
Related information:
