Lecture03 Scanning Nmap

The document outlines the principles and practices of ethical hacking, specifically focusing on the scanning phase using the tool nmap. It covers scanning types, cautions for conducting scans, and networking basics necessary for using nmap effectively. Additionally, it provides detailed instructions on how to use nmap, including host discovery, port scanning, and service detection, while emphasizing the importance of authorization and responsible scanning practices.

INFO3002 Ethical Hacking Principles and Practice

Lecture 3: Scanning and its tool nmap


School of Computer, Data and Mathematical Sciences
Western Sydney University

Lecture outline
■ Scanning overview
■ Networking basics for using nmap
■ How to use nmap

Scanning – Phase two in pentesting
The five phases of a penetration test, in order:
1: Reconnaissance → 2: Scanning → 3: Exploitation → 4: Post Exploitation → 5: Writing Report
Scanning types 1 - 4
1. Is the computer alive?
2. Which ports are open?
3. Which services and OS is the computer running?
4. Which vulnerabilities may exist?
Scanning tools
■ Many scanning tools exist today.
▬ Some focus on one type of scanning, while others combine several types.
■ ping and fping
▬ Type 1 scanning
■ nmap
▬ Types 1 – 3 scanning, and certain type 4 scanning (through NSE scripts)
▬ Since nmap is the main tool for types 1 – 3 scanning, this lecture will focus on nmap
■ Nessus and Greenbone Vulnerability Management (GVM)
▬ Mainly Type 4 scanning
Cautions for conducting scanning
■ Only scan networks which you have authorization to scan; otherwise the scan is illegal.
▬ Keep the authorization in writing, and stay within the agreed IP ranges and time window. Scans are noisy: firewalls and intrusion detection systems on the target side will log them.
■ Heavily scanning a target will slow down its performance and may even cause it to crash.
▬ Always scan a mission-critical target with care (for example, narrow the port range and avoid aggressive timing options).
Nmap (Network Mapper)
■ Nmap provides many features for scanning computer
networks such as host discovery, port scanning, service
and OS detection.
■ To accomplish the above, nmap sends specially crafted
packets to targets and then analyzes the responses.
■ Nmap is available on Linux, Windows and Mac OS.

Networking basics for using nmap
■ Address Resolution Protocol (ARP) Basics
■ Internet Protocol (IP) Basics
■ Internet Control Message Protocol (ICMP) Basics
■ Transmission Control Protocol (TCP) Basics
ARP Basics
■ ARP is used to determine a host's MAC address given its IP address within a LAN.
■ The process is as follows (suppose host P knows host Q's IP address, but not its MAC address):
▬ P broadcasts an ARP request packet to the entire LAN, containing Q's IP address
▬ Q receives the ARP request, and replies to P with its MAC address
■ Thus, the above process can be used by nmap to decide whether the host with a given IP address is alive.
▬ A host that filters all ICMP and TCP probes still has to answer ARP in order to take part in the LAN at all, which is why nmap prefers ARP on the local network. ARP does not cross routers, so it only works for targets on the same LAN.

Refer to the Wireshark capture file: arp-icmp-in-ping.pcapng accompanying this lecture. It shows the ARP packets triggered by a ping command.
ARP Table
■ A host on a LAN stores the returned IP/MAC address mappings in an ARP table.
■ "ip n" or "ip neighbor" will display the ARP table.

[Figure: a LAN of four hosts with IP addresses 137.196.7.78, 137.196.7.23, 137.196.7.14 and 137.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 71-65-F7-2B-08-53, 58-23-D7-FA-20-B0 and 0C-C4-11-6F-E3-98.]
IP Basics
■ Remembering the main fields in the IP packet format is very important for doing scanning.

[Figure: IPv4 header, 32 bits wide, one row per 32-bit word]
ver (IP protocol version number) | head. len (header length, bytes) | type of service | length (total datagram length, bytes)
Identifier | flgs | fragment offset (used for fragmentation/reassembly)
Time To Live (number of remaining hops, decremented at each router) | upper layer protocol | checksum
Source IP address
Destination IP address
Upper layer protocol data
ICMP Basics
■ ICMP is used to diagnose network problems.
■ ICMP messages are carried by IP datagrams (IP protocol number 1), and have the following format.

[Figure: ICMP message, 32 bits wide]
Type (8 bits) | Code (8 bits) | Checksum (16 bits)
Message body (if an error reporting message, it also includes the IP header and the first 8 bytes of the IP datagram that triggered this message)
ICMP Basics (cont'd)
■ ICMP has many message types and subtypes, which are determined by the type and code fields.
■ Main ICMP message types and subtypes:

Type  Code  Description
8     0     echo request (ping)
0     0     echo reply (ping)
3     0     dest network unreachable
3     1     dest host unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
11    0     TTL expired
13    0     Timestamp Request
14    0     Timestamp Reply

Refer to the Wireshark capture file: arp-icmp-in-ping.pcapng accompanying this lecture for the ICMP packets used by ping.
ICMP Message Examples
■ Besides Echo Request, a scanner can use a Timestamp Request to 'ping' a remote host to see if it is alive.
▬ ICMP Type 13 Timestamp Request is used to query the system time of a remote target.
▬ ICMP Type 14 Timestamp Reply returns timestamps in milliseconds since midnight Greenwich Mean Time (UTC).
■ NB: Since Timestamp Request/Reply are rarely used legitimately, firewalls usually block ingress ICMP type 13 and egress ICMP type 14 messages. Firewall rules for Echo and Timestamp are often written separately, so a host that ignores one may still answer the other, which is why nmap tries both during host discovery.

Reference: https://capec.mitre.org/data/definitions/295.html
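To make the IP and ICMP field layouts above concrete, here is an added example (written for this edit, not part of the lecture slides) that builds the two ICMP probes nmap uses for host discovery (Echo Request, type 8, and Timestamp Request, type 13), wraps one in an IPv4 header with the fields from the IP Basics slide, and parses everything back while verifying the one's-complement checksums. The addresses, identifiers and payload are made up for the example; nothing is sent on the wire.

```python
# Added example (not from the lecture): build ICMP Echo / Timestamp Requests,
# wrap one in an IPv4 header, and parse the result back, verifying checksums.
# Addresses, identifiers and payload below are constructed, not captured.
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_TIMESTAMP_REQUEST = 8, 13


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, as used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Type (8 bits) | Code (8 bits) | Checksum (16 bits) | body; checksum covers all of it."""
    csum = internet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def icmp_echo_request(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    return build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq) + payload)


def icmp_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    # body: identifier, sequence, then originate / receive / transmit timestamps in
    # milliseconds since midnight UTC; receive and transmit are zero in a request
    return build_icmp(ICMP_TIMESTAMP_REQUEST, 0,
                      struct.pack("!HHIII", ident, seq, originate_ms, 0, 0))


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, payload: bytes,
               proto: int = IPPROTO_ICMP, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, followed by the payload."""
    ver_ihl = (4 << 4) | 5                  # version 4, header length 5 x 32-bit words
    ident, flags_frag = 0x1234, 0x4000      # DF flag set, fragment offset 0
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    # the header checksum is computed with the checksum field itself set to zero
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields named on the IP Basics slide and check the header checksum."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
            "id": ident, "dont_fragment": bool(flags_frag & 0x4000),
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            # a correct header sums to 0xFFFF, so its complement is 0
            "header_checksum_ok": internet_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}


def parse_icmp(msg: bytes) -> dict:
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    return {"type": icmp_type, "code": code,
            "checksum_ok": internet_checksum(msg) == 0, "body": msg[4:]}
```

The checksum check is the part worth remembering when reading captures: a probe with a bad ICMP or IP checksum is silently dropped by the target's stack, which looks exactly like a filtered host.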
TCP Basics
■ TCP implements connections at the transport layer.
■ TCP packets have the format below. In using nmap, please pay special attention to its six flags: SYN, ACK, FIN, RST, URG and PSH.

[Figure: TCP header, 32 bits wide, one row per 32-bit word]
source port # | dest port #
sequence number
acknowledgement number
head. len | not used | U A P R S F (the six flag bits) | receive window
checksum | Urg data pointer
Application-layer data

Notes on the fields:
▬ Sequence and acknowledgement numbers count bytes, not packets!
▬ ACK: the ack_num field is valid
▬ SYN: initiate a connection; RST: reset/discard a connection; FIN: terminate a connection
▬ PSH: push data to the application now (generally not used); URG: urgent data (generally not used)
TCP Basics (cont'd)
■ Three-way handshake for establishing TCP connections

client side                                        server side
Choose init seq num: x;
Send SYN packet;             --SYN=1, Seq=x-->
                                                   Choose init seq num: y;
                             <--SYN=1, Seq=y, ACK=1, Ack_num=x+1--   Send SYN + ACK packet;
Send ACK for Seq y;          --ACK=1, Ack_num=y+1-->
(this packet may also
start to carry data)
                                                   Connection established;

Refer to the Wireshark capture file: tcp-in-http.pcapng accompanying this lecture for example TCP connections.
nmap will abort TCP connections
■ What nmap does after detecting a port is open (SYN scan, -sS):
▬ It never sends the final ACK, so the connection is never fully established. This saves memory on both sides and is stealthier: the server application never receives an accepted connection to log (only its kernel sees the half-open attempt), which is why the SYN scan is also called the half-open or "stealth" scan. Firewalls and intrusion detection systems still see the SYN packets, however.

client side                                        server side
Choose init seq num: x;
Send SYN packet;             --SYN=1, Seq=x-->
                                                   Choose init seq num: y;
                             <--SYN=1, Seq=y, ACK=1, Ack_num=x+1--   Send SYN + ACK packet;
Send RST to let server       --RST=1-->
discard this connection;
                                                   Connection discarded;
How to use nmap
■ General tips for using nmap
■ Default behaviour
■ Host Discovery
■ Port scanning
■ Service Detection
■ OS Detection
■ Output options

The Nmap official manual is your best reference:
https://nmap.org/book/man.html
General tip 1 of using nmap
■ Observation: nmap has many options for customising its behaviour. You cannot remember all of them.
■ Tip: nmap has a default behaviour if no options are specified, so you should remember its default behaviour, which is easy.
▬ If you want to modify the default behaviour, apply an option.
General tip 2 of using nmap
■ Remember nmap does things in the following order, which helps you understand what's happening behind the scenes:

Host Discovery → Port Scanning → Service and OS Detection

▬ A host that fails host discovery is never port-scanned, so a target that drops pings appears "down" (with zero ports reported) unless you skip host discovery.
General tip 3 of using nmap
■ If you forget an option, the easiest way is to run 'nmap -h' or look at the "Options Summary" section of 'man nmap'.
■ nmap options are case-sensitive!
■ Important options:
▬ -P: means Ping, controlling host discovery
▬ -p: means port, specifying the port range
▬ -s: means scan, controlling port and service scanning behaviour
▬ -O: means OS, controlling OS detection
▬ -o: means output, specifying the output format
▬ -A: means Aggressive or All; on top of the port scan it enables OS detection, service (version) detection, the default NSE scripts and traceroute
Default behaviour
■ Executing nmap with no command line options will perform a default scan on the specified target.
kali@kali:~$ sudo nmap 192.168.109.132

Nmap scan report for 192.168.109.132
Host is up (0.00022s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet

'sudo' is a must for running nmap since Kali 2020 (which stopped running as root by default). nmap needs raw-socket privileges to send ARP, ICMP and hand-crafted TCP probes; without them it silently falls back to slower and less capable methods, so the scan results may not be thorough. In many old tutorials on the Internet, 'sudo' is not there. But in this subject, always remember to add 'sudo' before 'nmap'.
Default behaviour - Host discovery
■ By default, nmap first detects whether a host is alive.
■ If run with root privilege, nmap uses the following probes (a host that answers any of them is considered up):
▬ Send ARP request (if the target is within the same LAN; in that case the probes below are not needed)
o the most effective way
▬ Send ICMP Echo Request
▬ Send TCP SYN to port 443
▬ Send TCP ACK to port 80
▬ Send ICMP Timestamp Request

Default behaviour - Host discovery (cntd)
■ Run without root privilege, nmap cannot send ARP, ICMP or hand-crafted TCP packets at all, so it does less:
▬ It only sends TCP SYN packets to ports 80 and 443, through the operating system's connect() call (either a SYN/ACK or a RST reply shows the host is up)
▬ The ARP, ICMP Echo, TCP ACK and ICMP Timestamp probes are all omitted
■ Note: nmap will behave more effectively with root privilege
Default behaviour - Port Scanning
■ After host discovery, nmap scans the ports of a host.
■ Run with root privilege, nmap scans a port by sending a TCP SYN packet and then aborting the connection with a RST packet (the SYN scan, -sS).
▬ Quick, preferred
■ Run without root privilege, nmap scans a port by trying to fully establish a TCP connection through the connect() call (the connect scan, -sT).
▬ Slow, not preferred; the completed connection is also visible in the target service's own logs
Default behavior – Port Scanning (cntd)
■ By default, nmap only scans TCP ports, and only scans the 1000 most commonly used TCP ports (ranked by how often they were found open, as recorded in the nmap-services file).
▬ No other TCP ports are scanned.
▬ No UDP ports are scanned.
■ If you are curious to know what those 1000 ports are, you can use the following command (no target is given, so it only lists the ports and scans nothing):
▬ sudo nmap -sT --top-ports 1000 -v -oG -
Default behaviour – Six Port States
■ Open: an application is actively accepting connections (or UDP datagrams) on the port.
■ Closed: the port is reachable (the host answers the probe, e.g. with a RST) but no service is listening on it. Closed ports are commonly found on systems where no firewall is in place to filter incoming traffic.
■ Filtered: typically protected by a firewall of some sort that prevents Nmap from determining whether the port is open or closed (the probe gets no reply at all, or an ICMP unreachable error).
■ Unfiltered: Nmap can reach the port but is unable to determine whether it is open or closed (only the ACK scan classifies ports this way).
■ open|filtered: Nmap believes the port is open or filtered but cannot determine which (typical of UDP, FIN and Xmas scans, where an open port gives no reply).
■ closed|filtered: Nmap believes the port is closed or filtered but cannot determine which (only produced by the IP ID idle scan).
Default behaviour – Service detection and OS detection
■ A default nmap scan will NOT conduct service detection or OS detection.
■ The service displayed for each port is just the most common service offered by that port number according to the nmap-services database, but it may not be the real one (anything can be bound to any port).
Host Discovery – A Range of IPs
■ A range of IP addresses can be specified as targets by using '-' (here .3 to .64 inclusive):
▬ sudo nmap 192.168.12.3-64
■ Scan all hosts on a subnet
▬ sudo nmap 192.168.12.*
▬ sudo nmap 192.168.12.0/24
Host Discovery – Options
■ To change the default behaviour, nmap allows you to specify host discovery options (also called "Ping Options") starting with "-P".
■ Skip host discovery completely and treat every target as up (-Pn; the older spelling -PN still works). Use this when a target drops pings; note that every address in the range is then port-scanned, which is slow for large ranges.
▬ sudo nmap -Pn 192.168.12.100
■ Only do ICMP Echo Request (-PE)
▬ sudo nmap -PE 192.168.12.100
■ Only do ICMP Timestamp Request (-PP)
▬ sudo nmap -PP 192.168.12.100
■ For targets on the same LAN, nmap still uses ARP for host discovery whichever of these options you give (unless --disable-arp-ping is added).
Host Discovery – Options (cont'd)
■ Only do TCP SYN (-PS): port 80 will be probed by default; change it with -PS<port number>.
▬ sudo nmap -PS 192.168.12.100 # using port 80
▬ sudo nmap -PS443 192.168.12.100 # using port 443
■ Only do TCP ACK (-PA): port 80 will be probed by default; change it with -PA<port number>.
▬ sudo nmap -PA 192.168.12.100 # using port 80
▬ sudo nmap -PA443 192.168.12.100 # using port 443
■ Only do UDP (-PU): port 40125 will be probed by default; change it with -PU<port number>.
▬ sudo nmap -PU 192.168.12.100 # using port 40125
▬ sudo nmap -PU56667 192.168.12.100 # using port 56667
▬ The UDP ping relies on the target answering a closed port with an ICMP port unreachable, which is why an unusual port number is the default.
Port Scanning – Options
■ To change the default behaviour, nmap allows you to specify scanning options starting with "-s".
■ Scan ports by SYN packets (-sS)
▬ sudo nmap -sS 192.168.12.100
■ Scan ports by full TCP connections (-sT)
▬ sudo nmap -sT 192.168.12.100
■ Scan ports by ACK packets (-sA)
▬ sudo nmap -sA 192.168.12.100
▬ An ACK scan does not tell open from closed; it reports ports as unfiltered (a RST came back) or filtered (nothing came back), which maps a firewall's rule set.

Port Scanning – Options (cont'd)
■ Scan ports by FIN packets (-sF)
▬ sudo nmap -sF 192.168.12.100
■ Scan ports by turning on FIN, PSH and URG (-sX, the so-called Xmas Scan)
▬ lights up a probe packet like a Xmas tree; per RFC 793 a closed port answers a FIN or Xmas probe with a RST while an open port stays silent, so the results are closed or open|filtered
▬ FIN and Xmas scans only work against RFC 793-compliant stacks. Windows, for example, replies with a RST on every port, so all ports appear closed.
▬ sudo nmap -sX 192.168.12.100
■ Scan the basic 1000 UDP ports (-sU)
▬ sudo nmap -sU 192.168.12.100
■ Do not scan any port, only do host discovery (-sn)
▬ sudo nmap -sn 192.168.12.100
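The port states of slide 29 and the scan types above are two views of one decision: what reply (if any) the probe got. The following added example (written for this edit, not part of the lecture or of nmap's code) simulates a target's TCP stack for the SYN, connect, ACK, FIN and Xmas probes, classifies each reply into the nmap port state, and shows what the scanner sends next: a RST for the SYN scan (slide 18) versus an ACK for the connect scan. The target behaviour and firewall are constructed for the example; the non-RFC-793 case reproduces the Windows caveat noted above.

```python
# Added example (not from the lecture): map a probe response to the port state
# nmap reports, for -sS/-sT, -sA, -sF and -sX, and show nmap's follow-up packet.
# The target and firewall below are simulated, not captured traffic.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# flags carried by the probe packet of each scan type
PROBE_FLAGS = {
    "syn": TCP_SYN,                       # -sS
    "connect": TCP_SYN,                   # -sT (the SYN is sent by the OS via connect())
    "ack": TCP_ACK,                       # -sA
    "fin": TCP_FIN,                       # -sF
    "xmas": TCP_FIN | TCP_PSH | TCP_URG,  # -sX
}
# ICMP destination-unreachable (type 3) codes that nmap treats as "filtered"
FILTERING_ICMP = {(3, 1), (3, 2), (3, 3), (3, 9), (3, 10), (3, 13)}


def flag_names(flags: int) -> str:
    """Render a TCP flags byte as e.g. 'ACK|SYN' using the six flags from the TCP slide."""
    names = [("URG", TCP_URG), ("ACK", TCP_ACK), ("PSH", TCP_PSH),
             ("RST", TCP_RST), ("SYN", TCP_SYN), ("FIN", TCP_FIN)]
    return "|".join(n for n, bit in names if flags & bit) or "none"


def target_response(scan, port_state, firewalled=False, rfc793=True):
    """Constructed reply of a simulated target.
    Returns None (no reply), ('tcp', flags) or ('icmp', type, code)."""
    if firewalled:
        return None                                   # a stateful firewall drops the probe
    probe = PROBE_FLAGS[scan]
    if probe == TCP_SYN:                              # SYN and connect scans
        if port_state == "open":
            return ("tcp", TCP_SYN | TCP_ACK)         # second step of the handshake
        return ("tcp", TCP_RST | TCP_ACK)             # nothing listening
    if probe == TCP_ACK:                              # an unexpected ACK gets a RST from any stack
        return ("tcp", TCP_RST)
    # FIN / Xmas probes: RFC 793 says an open port ignores them and a closed port
    # answers RST. Windows-style stacks (rfc793=False) answer RST whatever the state.
    if port_state == "closed" or not rfc793:
        return ("tcp", TCP_RST)
    return None


def classify(scan, response):
    """Map a response to one of nmap's port states."""
    if response is None:
        return "open|filtered" if scan in ("fin", "xmas") else "filtered"
    if response[0] == "icmp":
        return "filtered" if (response[1], response[2]) in FILTERING_ICMP else "unknown"
    flags = response[1]
    if flags & TCP_RST:
        return "unfiltered" if scan == "ack" else "closed"
    if scan in ("syn", "connect") and flags & TCP_SYN and flags & TCP_ACK:
        return "open"
    return "unknown"


def scanner_follow_up(scan, response):
    """What the scanner sends after a SYN|ACK: RST for -sS (abort the half-open
    connection), ACK for -sT (complete the handshake), nothing otherwise."""
    if response is None or response[0] != "tcp" or not (response[1] & TCP_SYN):
        return None
    return {"syn": TCP_RST, "connect": TCP_ACK}.get(scan)


def scan_port(scan, port_state, **target_kwargs):
    """One probe/response round: returns (reported_state, follow_up_flags_or_None)."""
    resp = target_response(scan, port_state, **target_kwargs)
    return classify(scan, resp), scanner_follow_up(scan, resp)
```

Read the Xmas case against slide 29: a silent open port and a dropped probe look identical to the scanner, so nmap can only say open|filtered, while a non-RFC-793 target returns closed for every port and the scan is useless there.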
Port Scanning – Specify Ports
■ Other than the default 1000 ports, nmap allows you to specify ports with the "-p" option.
■ Scan port 80 only
▬ sudo nmap -p 80 192.168.12.100
■ Scan ports 20-28, 80 and 100
▬ sudo nmap -p 20-28,80,100 192.168.12.100
■ Scan all 65535 ports
▬ sudo nmap -p- 192.168.12.100

Port Scanning – Specify Ports (cont'd)
■ The "--top-ports" option is used to scan any number of top ranked ports.
■ Scan the top 100 ports
▬ sudo nmap --top-ports 100 192.168.12.100
■ Command to show the top 100 TCP ports:
▬ sudo nmap -sT --top-ports 100 -v -oG -
■ Command to show the top 100 UDP ports:
▬ sudo nmap -sU --top-ports 100 -v -oG -
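The "-p" syntax above is small but easy to get wrong in tooling that wraps nmap (for instance when building the "-p U:53" argument used later for UDP service detection). Here is an added example (written for this edit, not from the lecture or from nmap) that expands a port specification with ranges, open-ended ranges ("-p-") and T:/U: protocol prefixes into (protocol, port) pairs, validates the numbers, and compresses a pair list back into the same syntax. Port 0 is accepted only when written explicitly, as nmap does.

```python
# Added example (not from the lecture): expand and re-compress nmap "-p" port
# specifications such as "20-28,80,100", "-" or "U:53,111,T:21-25,80".
MAX_PORT = 65535


def parse_port_spec(spec: str, default_proto: str = "T") -> list:
    """Expand an nmap -p argument into sorted (proto, port) pairs.
    A T: or U: prefix applies to every entry after it until the next prefix."""
    ports = set()
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in ("T", "U"):
            proto, item = item[0].upper(), item[2:]
        if "-" in item:                        # a range; either end may be omitted
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1      # "-p-" means 1-65535
            hi = int(hi_s) if hi_s else MAX_PORT
        elif item:
            lo = hi = int(item)                # raises ValueError on non-numeric input
        else:
            raise ValueError("empty port entry in %r" % spec)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("port out of range: %r" % item)
        ports.update((proto, p) for p in range(lo, hi + 1))
    return sorted(ports)


def format_port_spec(pairs: list) -> str:
    """Compress (proto, port) pairs back into nmap syntax, e.g. 'T:21-25,80,U:53,111'."""
    out = []
    for proto in ("T", "U"):
        nums = sorted({p for pr, p in pairs if pr == proto})
        if not nums:
            continue
        runs, start, prev = [], nums[0], nums[0]
        for n in nums[1:] + [None]:            # sentinel flushes the last run
            if n is not None and n == prev + 1:
                prev = n
                continue
            runs.append(str(start) if start == prev else "%d-%d" % (start, prev))
            if n is not None:
                start = prev = n
        out.append(proto + ":" + ",".join(runs))
    return ",".join(out)


def count_by_proto(pairs: list) -> dict:
    """How many TCP and UDP ports a spec covers; useful for estimating scan time."""
    counts = {"T": 0, "U": 0}
    for proto, _ in pairs:
        counts[proto] += 1
    return counts
```

Note that a "U:" entry only does something if the scan also includes -sU; nmap otherwise warns that the UDP ports were ignored.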
Service Detection
■ Nmap maintains a database file called nmap-service-probes, which contains:
▬ probes for detecting various services.
▬ fingerprints (match lines) to match responses to a certain service.
■ It is located at /usr/share/nmap/nmap-service-probes
■ Based on this database, nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. vsftpd, Apache httpd, Solaris telnetd), the version number, etc. of a service.
Service Detection – Options
■ If you want nmap to do serVice detection, simply add the option "-sV".
■ Detecting services on TCP ports at the host 192.168.12.100
▬ sudo nmap -sV 192.168.12.100
■ Detecting services on UDP ports at the host 192.168.12.100 (service detection on UDP ports takes a very long time, because open UDP ports usually give no reply, so every open|filtered port has to be probed)
▬ sudo nmap -sUV 192.168.12.100
▬ sudo nmap -sUV -p U:53 192.168.12.100 # only on UDP port 53
Service Detection – Output
kali@kali:~$ sudo nmap -sV 192.168.109.1
Nmap scan report for 192.168.109.1
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC

MAC Address: 00:50:56:C0:00:08 (VMware)

Service Info: Host: UWS-Laptop262; OS: Windows;
CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 61.23 seconds
Service Detection – Output Notes
In addition to service info, "-sV" also outputs the following:
■ Hostname: "Host: UWS-Laptop262"
■ Deduced OS: "OS: Windows"
■ Common Platform Enumeration (CPE) representation: "cpe:/o:microsoft:windows"
▬ About CPE: https://nmap.org/book/output-formats-cpe.html
■ Report any incorrect results at https://nmap.org/submit/.
■ The "MAC Address" line (with the VMware vendor lookup) appears only because the target is on the same LAN, where host discovery used ARP.
Service Detection – Wireshark capture example
■ The first two ARP packets are to detect whether the host is alive
■ Packets 3-5 (SYN, SYN/ACK, RST) are to detect whether the port is open
■ The remaining packets are mostly for service detection; for this stage nmap completes full TCP connections to the port and sends the probes from nmap-service-probes

Refer to the Wireshark capture file: stages-in-nmap.pcapng accompanying this lecture. In this capture, the attacker IP is 192.168.153.132, the target IP is 192.168.153.130, and the traffic is generated by the command:
'sudo nmap -p 80 -sV 192.168.153.130'
OS Detection
■ Nmap maintains a database file nmap-os-db, which contains the fingerprints used to match a target's responses to a certain OS (the OS detection probes themselves are built into nmap, not read from this file).
■ It is located at /usr/share/nmap/nmap-os-db
■ Based on this database, nmap tries to determine the OS of a target from how its TCP/IP stack answers a series of crafted packets.

OS Detection – Options
■ To enable OS detection, simply use the argument "-O".
■ Detecting the OS of host 192.168.12.100
▬ sudo nmap -O 192.168.12.100
▬ OS detection is most reliable when the target has at least one open and one closed TCP port; otherwise nmap warns that the result may be inaccurate.

OS Detection – Output
kali@kali:~$ sudo nmap -O 192.168.109.1
Nmap scan report for 192.168.109.1
Host is up (0.00022s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
49152/tcp open msrpc
49153/tcp open msrpc
49154/tcp open msrpc

MAC Address: 00:50:56:C0:00:08 (VMware)

Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1
cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8
cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8,
or Windows 8.1 Update 1

OS detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds

OS Detection – Output Notes
"-O" differs from "-sV" in:
■ No service version info
■ More detailed OS info
■ Much quicker to complete (3.04 seconds versus 61.23 seconds in the two outputs above)
Output formats
■ A scanning tool is only as useful as the output it generates.
■ Besides outputting to the screen, nmap can generate other output formats.
▬ These are for the convenience of being imported and used by other programs such as network analysis tools, exploitation tools, etc.

Five Output formats by nmap
■ Interactive output (the default): output to the screen.
■ Normal output: write the output to a text file. The content is the same as the interactive output except that it contains less runtime information.
■ XML output: write the output to an XML file.
▬ Very useful for being imported into other programs.
■ Greppable output: write the output to a text file in a one-line-per-host format that is easy to process with the 'grep' tool.
■ Kiddie output: this output format is for fun. You can ignore it.

Output formats – Options
■ Interactive output (the default): no argument is needed; it always accompanies the other output formats.
■ Normal output
▬ sudo nmap -oN target_win7.nmap 192.168.23.1
■ XML output
▬ sudo nmap -oX target_win7.xml 192.168.23.1
■ Greppable output
▬ sudo nmap -oG target_win7.gnmap 192.168.23.1
■ All the above three outputs:
▬ sudo nmap -oA target_win7 192.168.23.1
▬ Will generate three files: target_win7.nmap, target_win7.xml and target_win7.gnmap
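The reason XML output is the format to feed into other programs is that it keeps information the screen output flattens, such as why a port got its state and whether a service name came from an actual probe match or only from the port-number table (slide 30). The following added example (written for this edit, not part of the lecture or of nmap) parses an "-oX" document with Python's standard library. The XML is constructed to mirror the "-sV" output slide rather than taken from a real scan; the attribute names follow nmap's XML output.

```python
# Added example (not from the lecture): parse nmap -oX output for use by other
# tools. SAMPLE_XML is constructed to mirror the -sV output slide, not a real capture.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.109.1" start="0">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.168.109.1" addrtype="ipv4"/>
<address addr="00:50:56:C0:00:08" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>
<service name="msrpc" product="Microsoft Windows RPC" ostype="Windows" method="probed" conf="10"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/>
<service name="netbios-ssn" product="Microsoft Windows netbios-ssn" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
</ports>
</host>
<runstats><finished elapsed="61.23"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per host: ip, mac, state and a list of port dicts."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        ports = []
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),          # e.g. syn-ack, reset, no-response
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                # method="table": the name is only the nmap-services guess for that port number
                # method="probed": -sV matched a real response against nmap-service-probes
                "probed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
                      "state": h.find("status").get("state"), "ports": ports})
    return hosts


def open_probed_services(hosts: list) -> list:
    """Only ports that are open and whose service was confirmed by a probe,
    which is what a follow-up tool should trust rather than table guesses."""
    return [(h["ip"], p["port"], p["service"], p["product"])
            for h in hosts for p in h["ports"]
            if p["state"] == "open" and p["probed"]]
```

In a real run, produce the document with "-oX file.xml" (or "-oX -" to print it) and read the file into parse_nmap_xml; the greppable format carries the same port list but drops the method and confidence attributes used here.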
Nmap Scripting Engine (NSE)
■ NSE allows users to write (and share) simple scripts, written in Lua, to automate a wide variety of networking tasks.
■ Tasks typically include:
▬ Customized network/host discovery
▬ More sophisticated version detection
▬ Vulnerability detection
■ This unit will not require you to write scripts for NSE, but you will be required to use some existing NSE scripts later.
▬ Located at /usr/share/nmap/scripts
▬ A script is selected by name with the "--script" option.

Example: Running an NSE script
[Screenshot: an nmap command line made up of the script name, the port number and the target IP address, with output showing the vulnerability confirmed.]
Example Short Answer Question:
■ Give the nmap command to scan the top 2048 UDP ports on the host 192.168.3.4.
Lecture Summary
■ Scanning is the second stage of Ethical Hacking, responsible for detecting hosts, ports, services, and vulnerabilities.
■ To understand how scanning works, it is essential to master the following four networking protocols: ARP, IP, ICMP, and TCP.
■ Nmap is mainly for host, port and service scanning.
■ You should master the default behaviour of nmap first, and then understand what additional behaviour is specified by a command line option.
References
■ The web links mentioned in the slides of this lecture

Big reminders:
• Quiz 3 is due next week!
• Lab 3 is difficult. You should start working on it before entering the lab class!