[Lesson 3] Network Vulnerability and Scanning: Port Scan - SYN Scan in Nmap

Koay Yong Cett
6 min read · May 19, 2020


In this lesson, we will be discussing port scanning in Nmap. A port scan in Nmap lets you discover which TCP or UDP ports are open on your target host. Network ports are the entry points to a machine that is connected to the Internet. A service that listens on a port is able to receive data from a client application, process the data and send a response back.

A malicious client can sometimes exploit vulnerabilities in the server code, and thereby gain access to sensitive data or execute malicious code on the machine remotely. Therefore, testing all ports is necessary in order to achieve a thorough security verification.

Nmap Port Scan:

Port scanning is usually done in the initial phase of a penetration test in order to discover all network entry points into the target system. Port scans are definitely a major part of what will be discussed in this lesson.

Types of Nmap port scan options that will be discussed:

  • SYN scan
  • TCP scan
  • UDP Scan
  • Some other types of port scans

Nmap SYN Scan:

SYN scan is the default and most popular scan option, for good reasons. It can be performed quickly: it can scan thousands of ports on a vast network without being blocked by restrictive firewalls. It is also relatively stealthy, since it never completes the TCP connection. It also allows clear and reliable differentiation between the open, closed and filtered states. This technique is often referred to as half-open scanning, because we never open a full TCP connection.

SYN Scan (-sS):

  • You send a SYN packet, as if you were going to open a real connection, and then wait for the response.
  • A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener (closed).
  • If no response is received after several retransmissions, or an ICMP unreachable error is received, the port is marked as filtered.
  • If you receive a SYN/ACK from the target system, you send a RST instead of the ACK packet. Thus, the three-way handshake is never completed.

Let’s perform a Nmap SYN scan in our virtual network:

Navigate to the terminal of Kali Linux and have a look at its IP address to understand the IP block. Here, my IP block is 10.0.2.0, as my netmask is 255.255.255.0. Basically, it means that the last part of the IP address ranges from 0 to 255. I will not go further into the network basics in this lesson.

Here, start the SYN scan in the terminal:

  • nmap is the command that starts the application itself.
  • -sS is the command line option for a SYN scan. Since it is the default scan type for privileged users (root), and I am already the privileged user in Kali Linux, this option is not actually necessary for a SYN scan in Kali Linux.
  • Then, the target IP block we are going to scan is 10.0.2.0/24. This is what we talked about before: the IP address block from 10.0.2.0 to 10.0.2.255.
  • Next, let's make the process fast by scanning only the top 50 ports. In the command line, enter “--top-ports” followed by the integer 50. The full command is therefore: nmap -sS --top-ports 50 10.0.2.0/24

Now, let’s look at the scan results:

Find Gateway (Kali Linux)
  • We have 10.0.2.2, which is the gateway and DNS server for my virtual network as seen from Kali Linux.
Find Gateway (Metasploitable)
  • We have 10.0.2.1, which is the gateway and DNS server for my virtual network as seen from the Metasploitable machine.
IP address of the Metasploitable machine
  • Then, we have 10.0.2.4, which is the Metasploitable machine.
IP address of the Kali Linux machine
  • We also have 10.0.2.15, which is our Kali Linux machine.
  • Lastly, we have the state of each scanned port as well.

Let's open Wireshark and have a look at what happens when a SYN scan is performed in the terminal:

Navigate to Wireshark in Kali Linux and select eth0 to start listening on that interface.

In order to ignore the packets that we are not interested in, add a display filter in the green bar. I only want to see TCP traffic involving my destination computer (Metasploitable), which is 10.0.2.4. Then click the blue arrow next to the filter bar to apply the filter.

Next, we will see what happens in Wireshark when we scan the machine with Nmap:

SYN Scan (Open Port):

I would like to analyze the SYN scan packets for an open port first. 10.0.2.4 is my destination machine, and port 135 was reported open in the previous top 50 ports scan.

Stop Wireshark by clicking on the square button to avoid capturing unwanted packets. Here, we have three packets:

  • The first packet goes from an arbitrary/random source port of Kali Linux to port 135 of the destination machine, which is the Metasploitable machine. It is a SYN packet that starts the three-way TCP handshake.
  • The second packet is a SYN/ACK sent back by the destination machine.
  • The third packet is a RST sent by Kali. Since this is a SYN scan, the three-way handshake is never completed; it is torn down by the RST packet.

Restart the Wireshark packet capture to clear the old captured packets by clicking on the upper left button. Then, select the “Continue without Saving” option.

SYN Scan (Filtered Port):

This time, we scan a filtered port, such as port 136.

Here, the first packet is again a SYN packet that starts the three-way handshake. The initial SYN is sent first, as usual, but Nmap sees no reply. Nmap then sends the SYN packet again to initiate the three-way handshake. Lastly, both SYN packets are answered with a RST/ACK packet.

[Note that for a closed port, the SYN packet and the RST/ACK reply are usually each seen only once in Wireshark.]
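As an added example (not code from this lesson or from Nmap itself), the following Python script applies the response rules described above to a constructed packet capture, modelled on what the Wireshark filter shows: it classifies each probed port the way Nmap would (SYN/ACK is open, RST is closed, ICMP unreachable or silence after a retransmission is filtered), and separately flags the SYN, SYN/ACK, RST triple that a defender watching the wire can use to recognize a half-open scan. The addresses 10.0.2.15 and 10.0.2.4 are the lab machines from the lesson; the capture records and flag strings are constructed.

```python
from collections import defaultdict

# Constructed lab addresses taken from the lesson: Kali scanner and Metasploitable target.
SCANNER, TARGET = "10.0.2.15", "10.0.2.4"
# Constructed capture records, modelled on what the Wireshark filter shows.
# Each record is (src, dst, target_port, proto, flags); target_port is always the
# port on the scanned machine, whichever direction the packet travels.
CAPTURE = [
    (SCANNER, TARGET, 135, "tcp", "S"),          # probe to port 135
    (TARGET, SCANNER, 135, "tcp", "SA"),         # SYN/ACK: a listener
    (SCANNER, TARGET, 135, "tcp", "R"),          # scanner tears it down: half open
    (SCANNER, TARGET, 139, "tcp", "S"),          # probe to port 139
    (TARGET, SCANNER, 139, "tcp", "RA"),         # RST/ACK: a non-listener
    (SCANNER, TARGET, 136, "tcp", "S"),          # probe to port 136, no reply
    (SCANNER, TARGET, 136, "tcp", "S"),          # retransmission, still no reply
    (SCANNER, TARGET, 137, "tcp", "S"),          # probe to port 137
    (TARGET, SCANNER, 137, "icmp", "unreach"),   # ICMP unreachable error
]

def classify_ports(capture, scanner, target):
    """Map each probed port to the state Nmap would report for a SYN scan."""
    probes, replies = defaultdict(int), defaultdict(list)
    for src, dst, port, proto, flags in capture:
        if (src, dst, proto, flags) == (scanner, target, "tcp", "S"):
            probes[port] += 1
        elif (src, dst) == (target, scanner):
            replies[port].append((proto, flags))
    states = {}
    for port, sent in probes.items():
        seen = replies[port]
        if ("tcp", "SA") in seen:
            states[port] = "open"            # SYN/ACK means a listener
        elif any(p == "tcp" and "R" in f for p, f in seen):
            states[port] = "closed"          # RST means no listener
        elif ("icmp", "unreach") in seen or sent > 1:
            states[port] = "filtered"        # ICMP error, or silence after retransmission
        else:
            states[port] = "unanswered"      # single probe so far: Nmap would still retry
    return states

def half_open_handshakes(capture, scanner, target):
    """Ports showing the SYN, SYN/ACK, RST triple: the scan signature seen in Wireshark."""
    per_port = defaultdict(list)
    for src, dst, port, proto, flags in capture:
        if proto == "tcp":
            per_port[port].append((src, flags))
    signature = [(scanner, "S"), (target, "SA"), (scanner, "R")]
    return sorted(p for p, seq in per_port.items()
                  if any(seq[i:i + 3] == signature for i in range(len(seq) - 2)))
```

Running classify_ports on the constructed capture labels 135 open, 139 closed and 136/137 filtered, while half_open_handshakes returns only port 135, the one where the handshake was started and then reset by the scanner.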

How Nmap interprets responses to a SYN probe:

The following figure and table summarize the port states and should help you understand them more easily.

[Figures: open port; closed port; filtered port; summary of all port states; table of possible port states]

Understand more about the Nmap port states on the following page: https://nmap.org/book/man-port-scanning-basics.html

Understand more about the Nmap SYN scan on the following page: https://nmap.org/book/synscan.html

Find the default gateway on a UNIX/Linux machine: https://www.unixmen.com/how-to-find-default-gateway-in-linux/

Thanks for reading… 😃
