Host & Port Scanning
After we know that the host is alive we want to scan the host for the following information:
Open ports and their services
Service versions
Information that the services provide
Operating system
Port States
The scanned ports returned by the nmap scan can be in a total of 6 different states:
open
This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.
closed
A port is shown as closed when the packet we received back carries the TCP RST flag. This scanning method can also be used to determine whether our target is alive or not.
filtered
Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.
unfiltered
This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.
open|filtered
Nmap sets this state when it gets no response at all for a specific port. This indicates that a firewall or packet filter may protect the port.
closed|filtered
This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.
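The six states above are easiest to work with once a scan has been written to a machine-readable format. The following is an added example (not nmap's own code) that parses nmap's greppable output (-oG) and sorts the listed ports by state; the scan record it reads is constructed for illustration and deliberately shows every state in one host line, which a single real scan would not do (unfiltered needs an ACK scan, closed|filtered an idle scan).

```python
"""Parse nmap greppable output (-oG) and sort the ports by state.

Added example, not nmap's own code. SAMPLE_GREPPABLE is a constructed
scan record that deliberately shows all six states in one host line.
"""
import re
from collections import Counter

PORT_STATES = {"open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered"}
# States in which nmap could not settle the question; revisit these ports.
AMBIGUOUS = {"filtered", "unfiltered", "open|filtered", "closed|filtered"}

SAMPLE_GREPPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -oG - 10.0.0.5   (constructed sample)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "25/filtered/tcp//smtp///, 80/open/tcp//http//nginx 1.18.0/, "
    "443/closed/tcp//https///, 8080/unfiltered/tcp//http-proxy///, "
    "53/open|filtered/udp//domain///, 123/closed|filtered/udp//ntp///"
    "\tIgnored State: closed (1993)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 10.00 seconds\n"
)


def _host_fields(line):
    """Split a 'Host:' line into its tab-separated 'Name: value' fields."""
    fields = {}
    for chunk in line.split("\t"):
        name, sep, value = chunk.partition(": ")
        if sep:
            fields[name] = value
    return fields


def parse_greppable(text):
    """Return one dict per listed port, in file order."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = _host_fields(line)
        if "Ports" not in fields:
            continue  # e.g. the 'Status: Up' line from host discovery
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            # port/state/proto/owner/service/rpc/version/ ; split at most six
            # times so a '/' inside the version text stays intact.
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            if state not in PORT_STATES:
                raise ValueError(f"unknown port state {state!r} in {entry!r}")
            records.append({"host": host, "port": int(port), "proto": proto,
                            "state": state, "service": service,
                            "version": version.rstrip("/")})
    return records


def ignored_states(text):
    """Return {host: (state, count)} for the ports nmap summarised instead of listing."""
    out = {}
    for line in text.splitlines():
        if line.startswith("Host:"):
            fields = _host_fields(line)
            m = re.fullmatch(r"(\S+) \((\d+)\)", fields.get("Ignored State", ""))
            if m:
                out[fields["Host"].split(" ", 1)[0]] = (m.group(1), int(m.group(2)))
    return out


def summarize(records):
    """Count listed ports per state."""
    return Counter(r["state"] for r in records)


def ports_to_revisit(records):
    """(proto, port, state) for every port whose state nmap could not settle."""
    return [(r["proto"], r["port"], r["state"])
            for r in records if r["state"] in AMBIGUOUS]


if __name__ == "__main__":
    recs = parse_greppable(SAMPLE_GREPPABLE)
    for r in recs:
        print(f"{r['port']}/{r['proto']:<4} {r['state']:<16} {r['service']} {r['version']}")
    print(dict(summarize(recs)), ignored_states(SAMPLE_GREPPABLE))
    print("revisit:", ports_to_revisit(recs))
```

The ports_to_revisit list is the practical output: every port in one of the undecided states is a candidate for a closer look with a different scan type, while the Ignored State count reminds us that the closed ports were summarised rather than listed.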
TCP Ports
By default, if it is run as root, nmap scans the top 1000 TCP ports with a SYN scan (-sS), since raw socket permissions are required to craft the TCP packets it sends. Otherwise it falls back to a TCP connect scan (-sT).
We can specify a port range with the -p option, or the most common ports with --top-ports=10. The fast option -F scans the top 100 ports.
The TCP connect scan (-sT), also known as a full TCP scan, is more accurate because it completes the whole three-way handshake. It is also the least stealthy method, as most IDS/IPS systems can detect it, but it remains important when accuracy is the priority. This scan is also useful when the host has a firewall that prevents incoming packets. It is slower, though, because it waits for the response to every connection attempt.
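To see why the connect scan is both accurate and noisy, here is an added example (not nmap's own code) that performs the -sT mechanism through the ordinary socket API against throw-away ports on 127.0.0.1. Every probe is a complete three-way handshake followed by an application-level close, which is what the host's service logs and an IDS get to see; the listener is started only so the example runs offline.

```python
"""A connect scan (what -sT does) against throw-away local ports.

Added example, not nmap's own code. The listener is started here only so
the example runs offline on 127.0.0.1.
"""
import socket
import threading


def start_tcp_listener():
    """Listen on an ephemeral 127.0.0.1 port; accept and drop connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:
                return  # listener closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_tcp_port():
    """Reserve and release an ephemeral port so nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=1.0):
    """Classify each port as nmap's -sT would: open, closed or filtered."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))       # SYN, SYN/ACK, ACK: handshake completed
            states[port] = "open"
        except ConnectionRefusedError:    # SYN was answered with RST
            states[port] = "closed"
        except OSError:                   # timeout (packet dropped) or ICMP unreachable
            states[port] = "filtered"
        finally:
            s.close()                     # the normal tear-down a SYN scan never does
    return states


if __name__ == "__main__":
    srv, open_port = start_tcp_listener()
    closed_port = unused_tcp_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

A SYN scan stops after the SYN/ACK and answers with its own RST instead of completing the handshake; that requires crafting raw packets, which is why nmap only chooses -sS when it has root. Note that both a silently dropped SYN (timeout) and an ICMP unreachable reply end up in the same filtered bucket, as they do in nmap's output.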
Filtered Ports
When a port shows as filtered there can be several reasons, including a firewall on the host dropping the packets. By default nmap's --max-retries is set to 10.
We can deactivate the ICMP echo requests (-Pn), DNS resolution (-n), and the ARP ping scan (--disable-arp-ping) to see the port scan results on their own.
When the firewall drops the packets we simply get no reply. It is different when the firewall rejects the packets:
As a response we receive an ICMP reply with type 3 and error code 3, which indicates that the desired port is unreachable. Nevertheless, if we know that the host is alive, we can strongly assume that the firewall on this port is rejecting the packets, and we will have to take a closer look at this port later.
UDP Ports
Unlike TCP, UDP is a stateless protocol, so there is no three-way handshake and the host does not have to reply at all. For that reason the timeout is much longer, which makes UDP scans (-sU) slower.
Another disadvantage is that Nmap sends empty datagrams to the scanned UDP ports and often gets no response back, so we cannot tell whether the datagram arrived at all. Even if the UDP port is open, we only get a response if the application is configured to answer such a datagram.
If we get an ICMP response with error code 3 (port unreachable), we know that the port is indeed closed.
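The three outcomes of a UDP probe (a reply, silence, or ICMP port unreachable) can be reproduced locally. This is an added example (not nmap's own code): two tiny UDP services are started on 127.0.0.1 so it runs offline, one that answers an empty datagram and one that stays silent like most real services do, and a third port is left unbound. The prober uses a connected UDP socket so the kernel hands it the ICMP error as ConnectionRefusedError.

```python
"""UDP probes (what -sU does) against throw-away local ports.

Added example, not nmap's own code. The two services below exist only so
the example runs offline on 127.0.0.1.
"""
import socket
import threading


def start_udp_service(reply):
    """Bind an ephemeral 127.0.0.1 port; answer each datagram with `reply`, or stay silent if None."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                _data, peer = srv.recvfrom(65535)
            except OSError:
                return  # service socket closed
            if reply is not None:
                srv.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_udp_port():
    """Reserve and release an ephemeral UDP port so nothing is bound to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_probe(host, port, timeout=1.0):
    """Send one empty datagram and classify the port as nmap's -sU would."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # no handshake: this only records the peer address
        s.send(b"")               # empty payload, like nmap's default UDP probe
        s.recv(65535)             # any datagram back proves the port is open
        return "open"
    except ConnectionRefusedError:
        return "closed"           # ICMP type 3 code 3 came back for our datagram
    except socket.timeout:
        return "open|filtered"    # silence: quiet service, or the probe was dropped
    finally:
        s.close()


if __name__ == "__main__":
    talkative, p_open = start_udp_service(b"pong")
    quiet, p_quiet = start_udp_service(None)
    p_closed = unused_udp_port()
    for p in (p_open, p_quiet, p_closed):
        print(p, udp_probe("127.0.0.1", p, timeout=0.5))
    talkative.close()
    quiet.close()
```

The silent service is the normal case: the probe waits out the full timeout and is reported as open|filtered, which is where most of a UDP scan's time goes, while the unbound port is settled immediately by the ICMP port-unreachable reply.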
Version Scan
Another useful option is the version scan -sV, with which nmap gathers additional information from the open ports such as the service name, its version and further details about the service.