Nmap Basic Port Scans | TryHackMe (THM)

Aircon
12 min readMay 25, 2022

--

Lab Access: https://tryhackme.com/room/nmap02

After learning about host discovery in the previous room, we now concentrate on port scanning: determining which ports are open and listening, and which ports are closed.

  • Host discovery asks whether the owner is at home, that is, whether the target is online or offline.
  • Port scanning asks whether a particular door on that house is open or closed.

This room’s focal points are as follows:

  1. TCP connect port scan
  2. TCP SYN port scan
  3. UDP port scan

[Question 1.1] Launch the AttackBox by using the Start AttackBox button. You will launch different types of scans against the target VM to gain a solid knowledge of Nmap basic scan types.

Answer: No answer is needed.

In the same way that an IP address identifies a host on a network, a TCP or UDP port identifies a network service running on that host.

  • The network service is provided by a server program that follows a particular network protocol. Timekeeping, answering DNS queries, and serving web pages are some examples.
  • A port is commonly associated with a service by its port number.
  • By default, an HTTP server binds to TCP port 80, and if it supports SSL/TLS it also listens on TCP port 443. TCP ports 80 and 443 are the default HTTP and HTTPS ports, but the web server administrator may choose different port numbers if necessary.
  • Furthermore, no more than one service can listen on a given TCP or UDP port at the same time (on the same IP address).

At the risk of oversimplifying, we can divide ports into two categories:

1) An open port means that some service is listening on that port.
2) A closed port means that no service is listening on that port.

However, in practice, we must consider the impact of firewalls.

For example, a port may be open, yet the probe packets may be blocked by a firewall. As a result, Nmap distinguishes the following six port states:

  1. Open — a service is listening on the specified port.
  2. Closed — no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
  3. Filtered — Nmap cannot determine if the port is open or closed because the port is NOT accessible. This state is usually due to a firewall preventing Nmap from reaching that port: either Nmap's packets are blocked from reaching the port, or the responses are blocked from reaching Nmap's host.
  4. Unfiltered — Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan (-sA), which only tests whether a firewall lets packets through.
  5. Open|Filtered — Nmap cannot determine whether the port is open or filtered. This is common in UDP scans, where an open port may simply never answer an empty probe.
  6. Closed|Filtered — Nmap cannot decide whether a port is closed or filtered. Nmap only reports this state from the idle scan (-sI).

[Question 2.1] Which service uses UDP port 53 by default?

Answer: DNS

[Question 2.2] Which service uses TCP port 22 by default?

Answer: ssh

[Question 2.3] How many port states does Nmap consider?

Answer: 6

[Question 2.4] Which port state is the most interesting to discover as a pentester?

Answer: Open

Nmap supports a variety of TCP port scans. To understand the distinction between these port scans, we must examine the TCP header.

  • The TCP header occupies the first bytes of a TCP segment: at least 20 bytes (five 32-bit rows) when no options are present, and 24 bytes with one row of options, which is how the RFC 793 figure draws it.
  • The TCP header as defined in RFC 793 is shown in the figure below.

Each row in the figure is 32 bits (4 bytes) wide, and six rows give 24 bytes. The source and destination port numbers take 16 bits (2 bytes) each in the first row; the sequence number and acknowledgement number occupy the second and third rows.

We should pay special attention to the flags that Nmap can set or unset.

The TCP flags are highlighted in red in the figure. Each flag is a single bit: writing 1 into that bit sets the flag, and 0 leaves it unset.

The TCP header flags are, from left to right:

  1. URG — Urgent flag: indicates that the urgent pointer field is significant. The urgent pointer marks incoming data as urgent, and a TCP segment with the URG flag set is processed immediately without waiting on previously sent TCP segments.
  2. ACK — Acknowledgement flag: indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
  3. PSH — Push flag: asks TCP to pass the data to the application promptly.
  4. RST — Reset flag: used to reset the connection. Another device, such as a firewall, might send it to tear down a TCP connection. This flag is also sent back when a segment arrives for a port on which no service is listening.
  5. SYN — Synchronize flag: used to initiate the TCP 3-way handshake and synchronize sequence numbers with the other host. The initial sequence number should be chosen randomly during connection establishment.
  6. FIN — Finish flag: the sender has no more data to send.
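As an added example (not part of the original room or this post), here is Python that packs and parses the fixed 20-byte TCP header from RFC 793, including the checksum over the IPv4 pseudo-header that any hand-crafted probe, such as the raw SYN an -sS scan sends, must carry. The addresses and ports in the demo are constructed values; nothing is put on the wire.

```python
import socket
import struct

# Flag bits as laid out in byte 13 of the header (RFC 793, plus ECE/CWR from RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

TCP_HEADER_FMT = "!HHIIBBHHH"                     # sport, dport, seq, ack, offset, flags, win, csum, urg
TCP_HEADER_LEN = struct.calcsize(TCP_HEADER_FMT)  # 20 bytes without options


def flags_to_byte(flags):
    """Combine flag names such as ("SYN", "ACK") into the single flags byte."""
    value = 0
    for name in flags:
        value |= TCP_FLAGS[name]
    return value


def byte_to_flags(value):
    """Inverse of flags_to_byte: the set of flag names whose bit is 1."""
    return {name for name, bit in TCP_FLAGS.items() if value & bit}


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that TCP includes in its checksum (RFC 793 section 3.1)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=64240):
    """Build a 20-byte TCP header (no options, no payload) with a valid checksum."""
    data_offset = (TCP_HEADER_LEN // 4) << 4             # upper nibble = header length in 32-bit words
    hdr = struct.pack(TCP_HEADER_FMT, sport, dport, seq, ack, data_offset,
                      flags_to_byte(flags), window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]  # checksum lives at bytes 16-17


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a dict, as a sniffer would."""
    (sport, dport, seq, ack, off_res, flags,
     window, csum, urg) = struct.unpack(TCP_HEADER_FMT, raw[:TCP_HEADER_LEN])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off_res >> 4) * 4, "flags": byte_to_flags(flags),
            "window": window, "checksum": csum, "urgent_ptr": urg}


def verify_checksum(src_ip, dst_ip, raw):
    """Recomputing over pseudo-header + segment, checksum field included, must give 0."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(raw)) + raw) == 0


if __name__ == "__main__":
    # Constructed SYN probe from a scanner at 10.10.10.5 to port 143 on 10.10.48.181.
    probe = build_tcp_header("10.10.10.5", "10.10.48.181", 40000, 143, ("SYN",), seq=0x1234)
    print(probe.hex())
    print(parse_tcp_header(probe))
    print("checksum ok:", verify_checksum("10.10.10.5", "10.10.48.181", probe))
```

Byte 13 is the one to watch in a capture: 0x02 is a bare SYN, 0x12 a SYN/ACK, and 0x14 the RST/ACK that a closed port (or Nmap tearing a connection down) sends.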

[Question 3.1] What 3 letters represent the Reset flag?

Answer: RST

[Question 3.2] Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?

Answer: SYN

TCP Connect Scan — It works simply by performing the TCP 3-way handshake.

Fundamentally, (1) the client sends a TCP packet with the SYN flag set, (2) the server responds with SYN/ACK if the port is open, and finally (3) the client sends an ACK to complete the 3-way handshake.

We only want to know whether the TCP port is open, not to actually use the connection.

As a result, Nmap tears the connection down as soon as the port's status is confirmed, by sending an RST/ACK. You can use -sT to run a TCP connect scan. Because the handshake completes, the listening application does accept the connection, so a connect scan is the scan type most likely to show up in application logs.

It is vital to note that if you are NOT a privileged user (root or a sudoer), a TCP connect scan is the ONLY way to identify open TCP ports, because the other TCP scan types need raw sockets.

In the Wireshark packet capture window below, we see Nmap sending TCP packets with the SYN flag set to several ports, including 256, 443, and 143.

Nmap will attempt to connect to the 1000 most popular ports by default. 
  • To signal that it is not open, a closed TCP port responds to a SYN packet with RST/ACK. As we attempt to begin a TCP 3-way handshake with the closed ports, this pattern will be repeated.

Because port 143 is open, it responded with a SYN/ACK, and Nmap completed the three-way handshake with an ACK. (image below)

The diagram below illustrates all of the packets sent and received between our Nmap host and the target system's port 143. The first three packets complete the TCP 3-way handshake; the fourth packet then tears it down with an RST/ACK.

The following command example gave a thorough list of open ports to demonstrate the -sT (TCP connect scan).

  1. It is worth noting that we can use -F to enable fast mode and reduce the number of examined ports from the 1000 most common to the 100 most common.
  2. It is also worth noting that the -r option scans the ports in sequential order rather than random order. This is useful for checking whether ports open consistently, such as when a target is booting up.
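An added example, not from the original room: a minimal TCP connect scanner in Python that classifies ports exactly as described above. connect() performs the 3-way handshake, a refused connection means the SYN was answered with RST/ACK, silence means something dropped the probe, and a thread pool stands in for Nmap's probe parallelism. The demo target is 127.0.0.1 with ports picked at run time (a listener we open ourselves and a port nothing listens on); no external host is contacted.

```python
import socket
import struct
from concurrent.futures import ThreadPoolExecutor


def connect_scan_port(host, port, timeout=1.0):
    """Classify one TCP port the way nmap -sT does, via the OS connect() call."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN,
        # mirroring the RST/ACK teardown seen in the Wireshark capture.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        try:
            s.connect((host, port))          # SYN -> SYN/ACK -> ACK: the full 3-way handshake
            return "open"
        except ConnectionRefusedError:       # SYN was answered with RST/ACK
            return "closed"
        except OSError:                      # timeout / unreachable: probe or reply was dropped
            return "filtered"
        # leaving the 'with' block closes the socket and tears the connection down


def connect_scan(host, ports, parallelism=16, timeout=1.0):
    """Scan a list of ports concurrently (compare --min-parallelism); returns {port: state}."""
    with ThreadPoolExecutor(max_workers=parallelism) as pool:
        states = list(pool.map(lambda p: connect_scan_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def _free_port():
    """Ask the kernel for an unused loopback TCP port: our constructed 'closed' target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_localhost():
    """Scan one listening port and one closed port on 127.0.0.1 (constructed targets)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)                       # the kernel completes handshakes even if we never accept()
    open_port = listener.getsockname()[1]
    closed_port = _free_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    for port, state in sorted(demo_localhost()["results"].items()):
        print("%5d/tcp %s" % (port, state))
```

The "filtered" branch cannot be exercised on loopback, since nothing drops packets there; against a real firewall it is the branch that fires when the timeout expires with no SYN/ACK and no RST.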

[Question 4.1] Launch the VM. Open the AttackBox and execute nmap -sT MACHINE_IP via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?

Answer: 110

[Question 4.2] What is Nmap’s guess about the newly installed service?

Answer: pop3

TCP SYN Scan — To start with, this scan needs a privileged user (root or a sudoer) because Nmap crafts the probes as raw packets. It is essential to understand that it DOES NOT COMPLETE THE TCP 3-WAY HANDSHAKE; instead, it tears the connection down as soon as it receives a response from the server.

  • Because no TCP connection is ever established, the listening application never sees the probe, so the chances of the scan appearing in application logs are minimized. A firewall or IDS watching the wire still sees the SYN packets.

The following Wireshark screenshot illustrates a TCP SYN scan. In the event of closed TCP ports, the behavior is similar to that of the TCP connect scan.

Compare the two screenshots to better understand the difference between the two scans.

  1. The upper half of the following picture shows TCP connect scan (-sT) traffic. Nmap has to complete the TCP 3-way handshake on every open TCP port before tearing it down.
  2. The lower half shows that a SYN scan (-sS) does not complete the TCP 3-way handshake; instead, an RST is sent as soon as the SYN/ACK is received.

TCP SYN scan is the default scan mode when running Nmap as a privileged user (root or via sudo), and it is a very dependable option:

  1. It discovered the same open ports found earlier with the TCP connect scan.
  2. No TCP connection was ever established with the target.

[Question 5.1] Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS 10.10.48.181. What is the new open port?

Answer: 6667

[Question 5.2] What is Nmap’s guess of the service name?

Answer: irc

To begin, UDP is a connectionless protocol: there is no handshake to establish a connection.

It should be highlighted that this does not guarantee that a service listening on a UDP port will respond to our probe. However, if a UDP packet is delivered to a closed port, the target returns an ICMP port unreachable error (type 3, code 3).

You can use the -sU option to specify a UDP scan; additionally, you can combine it with a TCP scan in the same run.

The diagram below shows that if we transmit a UDP packet to an open UDP port, we will often receive no response at all: many services only reply to a well-formed request in their own protocol and ignore an empty probe.

However, as illustrated in the diagram below, a closed UDP port makes us receive an ICMP packet with type 3 (destination unreachable) and code 3 (port unreachable). In other words, Nmap reports UDP ports that receive no response as open|filtered; it only marks a UDP port open when the service answers with a UDP datagram.

We can notice in the Wireshark sample below that every closed port generates an ICMP destination unreachable (port unreachable) message. Note that the Linux kernel rate-limits these ICMP errors to roughly one per second, which is why a UDP scan of a Linux host is far slower than a TCP scan and why -F or --top-ports is usually paired with -sU.

A UDP scan against this Linux server proved useful, and we discovered that port 111 is open. Nmap, on the other hand, cannot tell whether UDP port 68 is open or filtered.
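An added example, not part of the original room: a Python UDP port classifier that reproduces the three outcomes described above (a UDP reply means open, ICMP port unreachable means closed, silence means open|filtered). It relies on a connected UDP socket so that the kernel hands the ICMP type 3 code 3 error back to us as ECONNREFUSED. The three targets are constructed on 127.0.0.1 at run time: a port nothing is bound to, a bound socket that never answers, and a tiny echo service running in a thread.

```python
import socket
import threading


def udp_scan_port(host, port, payload=b"", timeout=1.0):
    """Classify one UDP port the way nmap -sU does.

    A *connected* UDP socket is used so that an incoming ICMP port unreachable
    (type 3, code 3) is reported as ECONNREFUSED; an unconnected socket would
    silently discard it. Like nmap, the default probe is an empty datagram
    (nmap substitutes protocol-specific payloads for some well-known ports).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # no packet is sent yet; this just fixes the peer
        try:
            s.send(payload)
            s.recv(1024)
            return "open"                # the service answered with a UDP datagram
        except ConnectionRefusedError:
            return "closed"              # ICMP type 3 code 3 came back for our probe
        except socket.timeout:
            return "open|filtered"       # silence: a quiet listener, or a firewall dropped the probe


def _udp_socket():
    """Bind a UDP socket to an ephemeral loopback port; returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def _echo_once(srv):
    """Constructed 'talkative' UDP service: reply to the first probe it receives."""
    try:
        srv.settimeout(5)
        _, peer = srv.recvfrom(1024)
        srv.sendto(b"hello from udp service", peer)
    except OSError:
        pass                             # socket closed or nothing arrived; demo is over


def demo_localhost():
    """Three constructed targets on 127.0.0.1: listening-and-replying, listening-but-silent, closed."""
    silent, silent_port = _udp_socket()  # bound, never answers: expect open|filtered
    echo, echo_port = _udp_socket()      # bound, answers: expect open
    threading.Thread(target=_echo_once, args=(echo,), daemon=True).start()
    probe, closed_port = _udp_socket()   # allocate last, then release, so it cannot collide
    probe.close()                        # nothing bound here any more: expect closed
    try:
        results = {p: udp_scan_port("127.0.0.1", p)
                   for p in (closed_port, silent_port, echo_port)}
    finally:
        silent.close()
        echo.close()
    return {"closed_port": closed_port, "silent_port": silent_port,
            "echo_port": echo_port, "results": results}


if __name__ == "__main__":
    for port, state in sorted(demo_localhost()["results"].items()):
        print("%5d/udp %s" % (port, state))
```

The silent listener is the case that makes UDP scanning ambiguous in practice: from the scanner's side it is indistinguishable from a firewall dropping the probe, which is exactly why Nmap falls back to open|filtered rather than guessing.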

[Question 6.1] Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v MACHINE_IP. A new service has been installed since the last scan. What is the UDP port that is now open?

The -F flag was added to speed up the scan (100 most common ports instead of 1000); -v gives progress updates as the scan runs.

Answer: 53

[Question 6.2] What is the service name according to Nmap?

Answer: domain

Instead of the default 1000 ports, you can choose which ports to scan. Specifying the ports is simple. Here are several examples:

  • Port list: -p22,80,443 will scan ports 22, 80 and 443.
  • Port range: -p1-1023 will scan all ports between 1 and 1023 inclusive, while -p20-25 will scan ports between 20 and 25 inclusive.
  • All ports: -p- will scan all 65535 ports (1 through 65535).
  • Fast mode: -F scans the top 100 most popular ports.
  • Top N: --top-ports 10 will examine the top ten most commonly used ports.
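An added example, not from the original room: a small Python parser for the -p port specifications listed above. It goes slightly beyond the room's examples by also handling the T: and U: protocol prefixes nmap accepts when TCP and UDP scans are combined (a prefix stays in effect for the entries that follow it), and open-ended ranges such as -100 or 1000-, which nmap completes with 1 and 65535. A format_ports() helper renders a port set back into the same compact notation. Service names (for example -p http) are deliberately not supported here.

```python
import re

MAX_PORT = 65535


def parse_port_spec(spec, default_proto="T"):
    """Parse an nmap-style -p argument into {"T": set_of_ports, "U": set_of_ports}.

    Accepted forms: 22,80,443   1-1023   -   -100   1000-   U:53,111,T:21-25,80
    """
    ports = {"T": set(), "U": set()}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        m = re.fullmatch(r"(?:([TU]):)?(.*)", item, re.I)
        if m.group(1):
            proto = m.group(1).upper()           # prefix applies to this and later entries
        body = m.group(2)
        if body == "-":                          # bare '-' means every port 1-65535
            lo, hi = 1, MAX_PORT
        elif "-" in body:                        # range; either end may be omitted
            a, b = body.split("-", 1)
            lo = int(a) if a else 1
            hi = int(b) if b else MAX_PORT
        else:                                    # single port
            lo = hi = int(body)
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError("bad port range %r" % item)
        ports[proto].update(range(lo, hi + 1))
    return ports


def _span(run):
    return str(run[0]) if len(run) == 1 else "%d-%d" % (run[0], run[-1])


def format_ports(ports):
    """Render a set of ports in nmap's compact comma/range form, e.g. '1-3,22,80,443'."""
    out, run = [], []
    for p in sorted(ports):
        if run and p != run[-1] + 1:             # gap: flush the current run
            out.append(_span(run))
            run = []
        run.append(p)
    if run:
        out.append(_span(run))
    return ",".join(out)


if __name__ == "__main__":
    for spec in ("22,80,443", "5000-5500", "-", "U:53,111,T:21-25,80"):
        parsed = parse_port_spec(spec)
        print("%-22s TCP=%-12s UDP=%s" % (spec, format_ports(parsed["T"]), format_ports(parsed["U"])))
```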

You can control the scan timing using -T<0-5>.

-T0 is the slowest (paranoid), while -T5 is the fastest. According to the Nmap manual page, there are six templates:

  • paranoid (0)
  • sneaky (1)
  • polite (2)
  • normal (3)
  • aggressive (4)
  • insane (5)

A few notes on the timing templates:

  • You could use -T0 or -T1 to avoid IDS alerts.
  • For example, -T0 scans one port at a time and waits 5 minutes between probes, so you can estimate how long it would take to scan one target.
  • If no timing is specified, Nmap uses the default, -T3.
  • It should be noted that -T5 is the most aggressive in terms of speed; however, due to the greater possibility of packet loss, it can compromise the accuracy of the scan results.
  • It should be noted that -T4 is frequently used during CTFs and when learning to scan on practice targets.
  • -T1 is frequently used in real-world engagements where stealth matters more than speed.

Alternatively, you can control the packet rate using --min-rate <number> and --max-rate <number>.

  • For example, --max-rate 10 or --max-rate=10 ensures that your scanner sends no more than ten packets per second.

Moreover, you can control probing parallelization using --min-parallelism <numprobes> and --max-parallelism <numprobes>.

Nmap probes the targets to discover which hosts are live and which ports are open; probing parallelization specifies the number of such probes that can be run in parallel. For instance, --min-parallelism=512 pushes Nmap to maintain at least 512 probes in parallel; these 512 probes are related to host discovery and open ports.

[Question 7.1] What is the option to scan all the TCP ports between 5000 and 5500?

Answer: -p5000-5500

[Question 7.2] How can you ensure that Nmap will run at least 64 probes in parallel?

Answer: --min-parallelism 64

[Question 7.3] What option would you add to make Nmap very slow and paranoid?

Answer: -T0

[Question 8.1] Ensure you have taken note of all the scan options covered in this room. It is time to learn more advanced port scanning techniques by joining the Nmap Advanced Port Scans room.

Answer: No answer is needed.

CONCLUSION

In my opinion, the major objective underlying all of these scans is to have a basic understanding of how TCP works, such as understanding the 3-way handshake, which is crucial because it allows us to understand how the system works and why it runs in this manner.

Nonetheless, this room is full of information, since it provides a fresh viewpoint on how each port scan works and how it appears in Wireshark, which gives a better illustration of what happens behind the scenes.

Cheers! ◡̈
