TryHackMe Walkthrough: Nmap Advanced Port Scans

TryHackMe | Nmap Advanced Port Scans

This room covered the following scans: Null, FIN, Xmas, Maimon, ACK, Window, and custom (--scanflags) scans. Then we covered a few additional features: IP spoofing, MAC spoofing, decoy scans, fragmented packets, and idle (zombie) scans.

A Null scan sets no TCP flags at all: every flag bit in the probe is 0. It is selected with -sN. Per RFC 793, a segment with no flags set that reaches an open port is silently dropped, so nothing comes back. When Nmap receives no reply it cannot tell whether the port is open or a firewall discarded the probe, so it reports the port as open|filtered. If the port is closed, the target answers with an RST (an RST/ACK, since our probe carried no ACK) and Nmap reports closed. If an ICMP unreachable error comes back instead, the port is reported as filtered. So each port ends up as one of open|filtered, closed, or (less often) filtered.

The FIN scan sends a probe with only the FIN flag set; select it with -sF. It relies on the same RFC 793 behaviour as the Null scan (open ports drop the probe, closed ports answer with an RST), so its results are read the same way: open|filtered or closed.

The Xmas scan gets its name from Christmas tree lights: it sets the FIN, PSH, and URG flags simultaneously, so the probe is "lit up" like a tree. It is selected with -sX. Again, like the previous two scans, a returned RST means the port is closed; otherwise it is reported as open|filtered. The results are interpreted exactly as for the Null and FIN scans.

These three scans can be effective against a target behind a stateless firewall. A stateless firewall judges each packet on its own and typically recognises a connection attempt by the SYN flag, so a probe whose flag combination does not look like a SYN can slip past it and reach the host behind. A stateful firewall tracks connections and drops any packet that does not belong to an established one, which makes these scans useless against it. One more caveat: the technique depends on the target obeying RFC 793. Microsoft Windows, many Cisco devices, and some other systems answer any such probe with an RST regardless of port state, so against them every port shows up as closed and the scan tells you nothing.

The TCP Maimon scan gets its name from Uriel Maimon, who first described the technique in 1996. The probe has the FIN and ACK bits set, and per RFC 793 the target should answer with an RST whether the port is open or closed, so normally every port appears closed. Certain BSD-derived systems, however, drop the packet when the port is open, and that silence exposes the open ports. Because that behaviour is rare, the scan does not work against most targets on modern networks. To select it, use the -sM option.

The last three scans we covered were the TCP ACK, Window, and custom scans. The TCP ACK scan, selected with -sA, sends (as the name suggests) a TCP packet with only the ACK flag set. An RFC-compliant host answers an unsolicited ACK with an RST whether the port is open or closed, so with nothing in the way every port comes back as unfiltered and, in a simple setup, we learn nothing about which ports are open.

However, with a firewall between us and the target the scan becomes useful: ports that still return an RST are reported unfiltered, and ports that stay silent (or come back with an ICMP unreachable) are reported filtered, which maps out which ports the firewall lets through and hints at how its rule set is written. A similar scan, the TCP Window scan (-sW), sends the same ACK probe but examines the TCP window field of the RST that comes back. On some systems an RST from an open port carries a positive window while an RST from a closed port carries a window of zero, which lets Nmap tell the two apart; most modern systems return a zero window either way, so the ports of interest will appear closed, as they did in the room. Like the ACK scan, it is most useful when there is a firewall in the path. Finally, --scanflags lets you build a custom probe from any combination of flags (for example --scanflags URGACKPSHRSTSYNFIN). When you design such a scan you need to know how open and closed ports react to that combination so that you can interpret the results properly.
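The decision rules above (Null/FIN/Xmas/Maimon, ACK and Window, and the stateless-versus-stateful firewall behaviour from earlier in the page) are easy to get muddled, so here is a small model of them. This is an added example, not code from the TryHackMe room or from Nmap itself: it simulates, in pure Python, what an RFC 793 host answers to each probe, what a stateless or stateful firewall lets through, and which state Nmap would report. A SYN scan is included only as the baseline a firewall is usually written to catch; the `Host` knobs (`rfc793`, `bsd_quirk`, `rst_window_open`) are assumptions used to model the caveats the text describes, and no packets are sent.

```python
"""Added example (not from the TryHackMe room): a model of how Nmap
interprets replies to its flag-based probes, with and without a firewall."""
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type puts in its probe (SYN scan included as the baseline).
PROBES = {
    "syn": SYN,
    "null": 0,
    "fin": FIN,
    "xmas": FIN | PSH | URG,
    "maimon": FIN | ACK,
    "ack": ACK,
    "window": ACK,
}


@dataclass
class Reply:
    flags: Optional[int]          # None means nothing came back
    window: int = 0               # TCP window field of an RST (window scan)
    icmp_unreachable: bool = False


@dataclass
class Host:
    open_ports: set
    rfc793: bool = True           # False models Windows/Cisco: RST to everything
    bsd_quirk: bool = False       # some BSDs drop FIN/ACK on open ports (Maimon)
    rst_window_open: int = 0      # window in RSTs from open ports (window scan)


def host_reply(host: Host, port: int, probe: int) -> Reply:
    """Assumed end-host behaviour for a probe that actually reached it."""
    is_open = port in host.open_ports
    if probe & SYN and not probe & ACK:           # a real connection attempt
        return Reply(SYN | ACK) if is_open else Reply(RST | ACK)
    if not host.rfc793:                           # non-compliant stack
        return Reply(RST)
    if probe & ACK:                               # unsolicited ACK or FIN/ACK
        if host.bsd_quirk and is_open and probe & FIN:
            return Reply(None)
        return Reply(RST, window=host.rst_window_open if is_open else 0)
    # No SYN and no ACK (Null/FIN/Xmas): open ports drop it, closed ports RST.
    return Reply(None) if is_open else Reply(RST | ACK)


def firewall_passes(kind: str, probe: int) -> bool:
    """'none': everything through.  'stateless': drops only what looks like a
    new connection (SYN without ACK).  'stateful': no tracked connection
    exists, so every probe is dropped."""
    if kind == "none":
        return True
    if kind == "stateless":
        return not (probe & SYN and not probe & ACK)
    if kind == "stateful":
        return False
    raise ValueError(kind)


def classify(scan: str, reply: Reply) -> str:
    """Nmap's port-state rules for each scan type (per the nmap man page)."""
    got_rst = reply.flags is not None and bool(reply.flags & RST)
    if scan == "syn":
        if reply.flags is not None and reply.flags & SYN and reply.flags & ACK:
            return "open"
        return "closed" if got_rst else "filtered"
    if scan in ("null", "fin", "xmas", "maimon"):
        if reply.icmp_unreachable:
            return "filtered"
        return "closed" if got_rst else "open|filtered"
    if scan == "ack":
        return "unfiltered" if got_rst else "filtered"
    if scan == "window":
        if not got_rst:
            return "filtered"
        return "open" if reply.window > 0 else "closed"
    raise ValueError(scan)


def scan_port(scan: str, host: Host, port: int, fw: str = "none") -> str:
    """Run one probe of the given scan type at one port through a firewall."""
    probe = PROBES[scan]
    reply = host_reply(host, port, probe) if firewall_passes(fw, probe) else Reply(None)
    return classify(scan, reply)


if __name__ == "__main__":
    target = Host(open_ports={22, 80})      # constructed sample target
    for fw in ("none", "stateless", "stateful"):
        for scan in PROBES:
            s = {p: scan_port(scan, target, p, fw) for p in (22, 23)}
            print(f"{fw:9} {scan:7} 22/{s[22]:14} 23/{s[23]}")
```

Running it prints one line per firewall type and scan for an open port (22) and a closed one (23). Behind the stateless firewall the SYN scan reports filtered while the Null scan still separates open|filtered from closed; behind the stateful firewall every scan collapses to open|filtered or filtered; and with `rfc793=False` the Null scan reports closed for everything.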

The next task had us learn how to spoof our IP address and use decoys. To spoof the source address we use the -S option. It is important to note that the target sends its responses to the spoofed address, not to us, so this is only useful when we are able to monitor the network traffic on that segment and analyse the replies ourselves. In practice Nmap also needs -e to be told which interface to send from and -Pn to skip host discovery, since it cannot see those replies either.

If you are on the same subnet as the target, you can also spoof your MAC address with --spoof-mac (it accepts a full address, a vendor prefix, a vendor name, or 0 for a random address). Since spoofing the IP address only helps when we can sniff the replies, it is of limited use. But what if we could hide our real probes among probes that appear to come from several other machines, so that our own replies still come back to us? Nmap has an option for that: -D. It generates decoy traffic from the addresses you list alongside your real one and lets us blend into that traffic, making it harder for a defender to tell which address is the actual scanner.

In the room's example two decoy addresses were supplied along with our own, so the target saw three apparent scanners. You can list specific IP addresses, put ME where your real address should appear in the sequence (for example -D 10.10.0.1,10.10.0.2,ME), or use RND or RND:n to have Nmap generate random decoy addresses (for example -D RND:5).

Task 6 covers fragmented packets and how they can help us. The -f option is what fragments our probes: -f splits the IP payload into fragments of 8 bytes or less, while -ff (or -f -f) uses 16 bytes or less. You can set your own size with --mtu (do not combine it with -f), but it must be a multiple of 8, because the IP header's fragment offset field counts in 8-byte units. Only the IP payload, that is the TCP header and any data, is fragmented; each fragment carries its own IP header. The receiver reassembles the pieces using the IP ID (the same for every fragment of one datagram), the fragment offset, and the More Fragments flag. The idea is that a packet filter or IDS that inspects only the first fragment never sees a complete TCP header. Caveat: most modern hosts, firewalls and IDSes reassemble fragments before inspecting them, so this is far less effective than it once was.
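To make the 8-byte rule and the IP ID / fragment offset mechanics concrete, here is an added example (not code from the TryHackMe room or from Nmap) that cuts a constructed 24-byte TCP SYN header into fragments the way -f, -ff and --mtu would, and reassembles them the way a receiver does. Nothing is sent on the wire; the TCP header bytes are constructed with `struct` and are an assumption about what a SYN probe looks like.

```python
"""Added example (not from the TryHackMe room): IP fragmentation of a TCP
probe as done by nmap -f / -ff / --mtu, plus receiver-side reassembly."""
import struct
from dataclasses import dataclass

IP_HEADER_LEN = 20  # every fragment gets its own (option-less) IPv4 header


@dataclass
class Fragment:
    ip_id: int      # IP Identification: identical for all pieces of one datagram
    offset: int     # Fragment Offset field, counted in 8-byte units
    more: bool      # MF (More Fragments) flag
    payload: bytes  # this fragment's share of the IP payload


def build_tcp_syn(sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample payload: a 20-byte TCP header with SYN set plus a
    4-byte MSS option, 24 bytes in all, roughly what a SYN probe looks like."""
    data_offset_and_flags = (6 << 12) | 0x02     # 6 words of header, SYN set
    header = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0,
                         data_offset_and_flags, 1024, 0, 0)
    mss_option = bytes([0x02, 0x04, 0x05, 0xB4])  # MSS 1460
    return header + mss_option


def fragment(payload: bytes, ip_id: int, frag_size: int) -> list:
    """Split the IP payload (TCP header + data) into pieces of at most
    frag_size bytes: -f gives 8, -ff gives 16, --mtu N gives N.  The size must
    be a multiple of 8 because the offset field cannot express anything finer."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(payload), frag_size):
        chunk = payload[start:start + frag_size]
        last = start + len(chunk) >= len(payload)
        frags.append(Fragment(ip_id, start // 8, not last, chunk))
    return frags


def wire_bytes(frags: list) -> int:
    """Total bytes on the wire: each fragment repeats the 20-byte IP header."""
    return sum(IP_HEADER_LEN + len(f.payload) for f in frags)


def reassemble(frags: list) -> dict:
    """Receiver side: group by IP ID, sort by offset, and concatenate.  Only
    datagrams with no gap and a final (MF=0) fragment are returned; anything
    else is still waiting for missing pieces."""
    by_id: dict = {}
    for f in frags:
        by_id.setdefault(f.ip_id, []).append(f)
    complete = {}
    for ip_id, parts in by_id.items():
        buf = b""
        for f in sorted(parts, key=lambda p: p.offset):
            if f.offset * 8 != len(buf):
                break                       # gap: a fragment is missing
            buf += f.payload
            if not f.more:
                complete[ip_id] = buf       # last piece seen, datagram done
    return complete


if __name__ == "__main__":
    syn = build_tcp_syn()
    for size, flag in ((8, "-f"), (16, "-ff"), (24, "--mtu 24")):
        pieces = fragment(syn, 0x1234, size)
        print(f"{flag:9} -> {len(pieces)} fragment(s), offsets "
              f"{[p.offset for p in pieces]}, MF {[p.more for p in pieces]}, "
              f"{wire_bytes(pieces)} bytes on the wire")
    assert reassemble(fragment(syn, 0x1234, 8)) == {0x1234: syn}
```

With -f the 24-byte header becomes three fragments at offsets 0, 1 and 2 (in 8-byte units) with MF set on all but the last, and the datagram grows from 44 to 84 bytes on the wire; only the first fragment contains the port numbers, and the flags byte does not arrive until the second. Dropping any piece leaves `reassemble` with nothing to hand up, which is exactly why a filter that only looks at first fragments is blind here and why a reassembling IDS is not.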

The next scan covered is the idle (zombie) scan, selected with -sI ZOMBIE_IP. As the name suggests, it requires an idle host on the network: one that sends no traffic of its own and assigns IP IDs from a single global counter that goes up by one with every packet it sends. The procedure is: (1) send a SYN/ACK to the idle host and record the IP ID in the RST it returns; (2) send a SYN to the target port with the source address spoofed to be the idle host's; (3) if the port is closed, the target sends an RST to the idle host, which ignores it and does not increment its IP ID, whereas if the port is open, the target sends a SYN/ACK to the idle host, which answers it with an RST and so increments its IP ID by one; (4) send another SYN/ACK to the idle host, which increments its IP ID once more, and compare the two RSTs. A difference of 1 means the idle host sent nothing in between, so the port was closed (or filtered, since a SYN dropped by a firewall looks the same, which is why Nmap reports closed|filtered). A difference of 2 means the target did reply to the idle host, so the port is open.

For this to work, the only hosts exchanging traffic with the idle device during the scan must be our machine and the target. Any other packet the idle host sends, to anyone, also consumes an IP ID and skews the count, giving inaccurate results and making the scan useless. The idle host must also use a single global, incrementing IP ID counter; hosts that use per-connection or randomised IP IDs (most modern Linux kernels, for instance) cannot serve as zombies, and Nmap checks for this before scanning.
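The IP ID arithmetic in the two paragraphs above, and the failure mode of a zombie that is not really idle, can be seen in a few lines of simulation. This is an added example, not code from the TryHackMe room or from Nmap: the zombie, the target and our own machine are plain Python objects, the starting IP ID and port numbers are constructed, and `noise` (extra packets the zombie sends to someone else mid-scan) and the `incremental=False` zombie are assumptions used to show what breaks the scan.

```python
"""Added example (not from the TryHackMe room): a simulation of the IP ID
arithmetic behind nmap's idle scan (-sI).  No packets are sent."""
import random


class Zombie:
    """An idle host.  A usable zombie stamps every packet it sends with the
    next value of one global, incrementing IP ID counter."""

    def __init__(self, start: int = 1000, incremental: bool = True,
                 rng: random.Random = None):
        self.ipid = start
        self.incremental = incremental
        self.rng = rng or random.Random()

    def _send(self) -> int:
        """Emit a packet and return the IP ID it carried."""
        if self.incremental:
            self.ipid = (self.ipid + 1) & 0xFFFF
        else:                        # modern kernels: randomised / per-flow IDs
            self.ipid = self.rng.getrandbits(16)
        return self.ipid

    def on_syn_ack(self) -> int:
        # An unsolicited SYN/ACK is answered with an RST: one packet, one IP ID.
        return self._send()

    def on_rst(self) -> None:
        # An unsolicited RST is silently ignored: no packet, counter untouched.
        return None


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open = set(open_ports)
        self.filtered = set(filtered_ports)

    def on_spoofed_syn(self, port: int, zombie: Zombie) -> None:
        """React to a SYN whose source address was forged to be the zombie's;
        whatever the target answers goes to the zombie, not to us."""
        if port in self.filtered:
            return                   # firewall drops the SYN: zombie sees nothing
        if port in self.open:
            zombie.on_syn_ack()      # SYN/ACK -> zombie replies with RST (+1)
        else:
            zombie.on_rst()          # RST -> zombie stays silent (+0)


def probe_zombie(zombie: Zombie) -> int:
    """Our own SYN/ACK to the zombie provokes an RST; read its IP ID."""
    return zombie.on_syn_ack()


def idle_scan(zombie: Zombie, target: Target, port: int, noise: int = 0) -> str:
    """One port of an idle scan.  `noise` is the number of unrelated packets
    the zombie happens to send during the probe (it should be zero)."""
    first = probe_zombie(zombie)
    target.on_spoofed_syn(port, zombie)
    for _ in range(noise):
        zombie._send()
    second = probe_zombie(zombie)
    delta = (second - first) & 0xFFFF
    if delta == 1:
        return "closed|filtered"     # nmap cannot tell closed from filtered here
    if delta == 2:
        return "open"
    return f"unreliable (IP ID moved by {delta})"


if __name__ == "__main__":
    tgt = Target(open_ports={22, 80}, filtered_ports={445})  # constructed target
    for port in (22, 23, 445):
        print(port, idle_scan(Zombie(), tgt, port))
    print("busy zombie:", idle_scan(Zombie(), tgt, 22, noise=3))
    print("random-ID zombie:", idle_scan(Zombie(incremental=False), tgt, 22))
```

Port 22 comes back open (delta 2), 23 and the firewalled 445 both come back closed|filtered (delta 1), and the moment the zombie sends three packets of its own the delta becomes 5 and the result is meaningless; a zombie with randomised IP IDs gives garbage every time, which is why Nmap tests the zombie's IP ID sequence before using it.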

Finally, we discussed the --reason and -v options. --reason makes Nmap print why it concluded that a port is open, closed or filtered (for example syn-ack, reset, or no-response). The -v option gives verbose output and -vv very verbose output. If that isn't enough, -d enables debugging output and -dd even more detail.
