Practical Labs: Nmap Scans and Wireshark Pcaps
No matter where you are in your IT career, chances are you've heard of at least one of these two tools: Nmap (network mapper) and Wireshark. Whether you're working as a network technician, a web application administrator, a penetration tester, or something else, knowing how these two tools are used becomes very beneficial to helping secure your assets.
In this article, I'll talk about how I set up my testing environment, what each of the 13 scan types that I used does (there are a few more I didn't use), and what my Wireshark analysis looked like. As a note, I'm not going to go into too much detail about how to identify incoming scans; Chris Greer does a much better job at that, and is much more experienced than I am. I'll include a link to my full pcap files at the end for anybody who wants to do a deeper analysis themselves. For the purposes of keeping the article as neat as I can, you'll see some filters applied in the screenshots below as we continue.
So I have both my desktop and my laptop with VMware installed, and a Kali Linux instance on each of them. I made sure that both machines were hooked up to my network in bridged mode so that they would show up along with all of my other devices during my ping sweep. I used my desktop as the attacking machine and my laptop as the victim machine, where I had Wireshark running during the scans. Here is what my ping sweep of the network looked like:
The only two important IP addresses have been highlighted. I have my victim machine (the laptop at 192.168.12.148) and my attacking machine (desktop at 192.168.12.235). On my laptop, I used netcat to open three TCP ports (80, 143, 995) and two UDP ports (1645 and 593) in order to listen for incoming connections. I also used the fast scan flag (-F) so I didn't have to go through waiting for all the other ports that I knew were closed. Before we get into all the fun pictures and stuff, let's briefly list the different scan types that I used:
1. -sS (TCP SYN scan)
2. -sT (TCP connect scan)
3. -sA (TCP ACK scan)
4. -sW (TCP window scan)
5. -sM (TCP Maimon scan)
6. -sU (UDP scan)
7. -sN (TCP null scan)
8. -sF (TCP FIN scan)
9. -sX (TCP Xmas scan)
10. -sY (SCTP INIT scan)
11. -sZ (SCTP COOKIE-ECHO scan)
12. -sV (version detection)
13. -sC (script scan)
There are even more types of scans and different flags to add; however, I wanted to play with the scans that are used most frequently, as well as some of the SCTP scans that I've never touched before. Let's jump into the fun technical stuff, huh?
1) TCP SYN Scan (-sS)
Often called the "stealth scan" or "half-open scan", this sends a TCP SYN packet to the target and hopes for a TCP SYN/ACK back. If you receive that SYN/ACK, the port is open. If you receive a RST instead, the port is closed. Here's what my scan looked like:
You can see that Nmap picked up on my three open TCP ports, and in Wireshark, you can see the SYN and SYN/ACK for port 80, and the SYN and RST for closed port 113.
2) TCP Connect Scan (-sT)
In contrast to the half-open scan above, the TCP connect scan completes the three-way handshake while still providing the same information. According to the Nmap documentation, it is almost always better to use a SYN scan if you have elevated privileges.
Same information, however you can see the ACK message being sent for the open port 80, completing the connection.
3) TCP ACK Scan (-sA)
This is a scan that I have never used before. You can see in the screenshot, and read further on the Nmap website, that this scan will not return open or closed ports; it is instead used to find out which ports are being filtered by a firewall.
You can see that even though port 143 is open in the earlier scans, the ACK scan doesn't report it as open. There's also no difference in Wireshark that I found. Maybe when I revisit this with a firewall, I'll go deeper into this type of scan.
4) TCP Window Scan (-sW)
The window scan sends the same probe as the ACK scan; however, it can sometimes tell whether a port is open or closed from the window size of the RST response packet. In my demonstration, it did not. I looked at the window size for both a known open port and a known closed port, and both were the same.
5) TCP Maimon scan (-sM)
Similar to the NULL, FIN, and Xmas scans, the Maimon scan will send a "weird" combination of TCP flags to the target. The target will typically send a RST whether the port is open or closed, but the creator of this scan (Uriel Maimon) noticed that some systems will drop the packet instead of sending a RST, indicating an open port. My target machine was not one of these lucky systems though.
6) UDP Scan (-sU)
Where to begin with this one... this is probably the slowest of all the Nmap scans, because an open UDP port usually sends nothing back at all. Because of this, Nmap will do retransmissions in order to double and triple check whether the port is open. It is still worthwhile to do a UDP scan, as some UDP services still have vulnerabilities! After you hit the enter key, you can go get your car washed, do the dishes, cook dinner for the family, and then do the dishes again.
Even though I had UDP ports 1645 and 593 open, the destinations were still unreachable.
7/8/9) TCP NULL, FIN, and Xmas Scans (-sN, -sF, -sX)
I'm going to lump these three together as they all aim to do the same thing: sneak past firewalls. The only difference between these scans (and the Maimon scan) is which "weird" combination of TCP flags is set. A RST response means that the port is closed, and no response means that the port could be either open or filtered.
NULL Scan
Notice the NULL scan below: there's no RST packet from port 143, indicating open/filtered.
FIN Scan
Just like the NULL scan, there is no response from the victim machine for port 80.
Xmas Scan
Just like the other ones, both ports 143 and 995 did not respond, indicating open/filtered.
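From the defender's side, the flag combinations used by the SYN, ACK/window, Maimon, NULL, FIN and Xmas scans above are exactly what makes these probes recognisable in a capture. The following is an added example, not code from the article or from Nmap: a small Python classifier that maps a TCP flags byte to the scan type it implies and reports any source that touches many ports with such probes. The packet records are constructed for the demo (they only reuse the two lab addresses from above), and the five-port threshold is an arbitrary assumption.

```python
"""Classify Nmap-style TCP probes by flag combination and flag a port sweep."""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe flag sets used by the scans discussed in the article. A lone SYN is also
# how every normal connection starts, and a lone ACK is what both the ACK and the
# window scan send, so per packet these two are ambiguous; the sweep count decides.
PROBE_TYPES = {
    0: "null",
    FIN: "fin",
    FIN | PSH | URG: "xmas",
    FIN | ACK: "maimon",
    SYN: "syn",
    ACK: "ack-or-window",
}

def classify_probe(flags: int) -> str:
    """Return the scan type implied by a TCP flags byte, or 'normal' otherwise."""
    return PROBE_TYPES.get(flags & 0x3F, "normal")

def detect_sweeps(packets, min_ports=5):
    """Group probe-looking packets by source and report sources hitting >= min_ports.

    packets: iterable of dicts with keys src, dst, dport, flags (TCP flags byte).
    Returns {src: {"ports": n, "types": {probe_type: count}}}.
    """
    seen = defaultdict(lambda: {"ports": set(), "types": defaultdict(int)})
    for pkt in packets:
        ptype = classify_probe(pkt["flags"])
        if ptype == "normal":          # SYN/ACK, RST/ACK and data segments are replies
            continue
        entry = seen[pkt["src"]]
        entry["ports"].add((pkt["dst"], pkt["dport"]))
        entry["types"][ptype] += 1
    return {src: {"ports": len(e["ports"]), "types": dict(e["types"])}
            for src, e in seen.items() if len(e["ports"]) >= min_ports}

ATTACKER, VICTIM = "192.168.12.235", "192.168.12.148"   # the two lab hosts from above
SAMPLE = [  # constructed packets for the demo, not taken from the article's pcaps
    {"src": ATTACKER, "dst": VICTIM, "dport": p, "flags": FIN}
    for p in (22, 80, 113, 143, 443, 995)                  # a FIN scan of six ports
] + [
    {"src": VICTIM, "dst": ATTACKER, "dport": 40000, "flags": RST | ACK},  # closed-port reply
    {"src": "192.168.12.10", "dst": VICTIM, "dport": 80, "flags": SYN},    # ordinary client
]

def run_sample():
    return detect_sweeps(SAMPLE)

if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"{src}: {info['ports']} ports probed, probe types {info['types']}")
```

On the sample, only the scanning host is reported; the single SYN from the ordinary client stays under the threshold and the victim's RST/ACK reply is ignored as a response rather than a probe.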
10) SCTP INIT Scan (-sY)
Alright now we're getting to the protocols that I knew nothing about until I thought about trying it myself. SCTP is a protocol that mixes some of the benefits of TCP and UDP together. According to the Nmap website, this is comparable to a TCP SYN scan, where it's half-open and very quick.
Wireshark doesn't tell me much here because I'm not running any SCTP services, but feel free to check out my "SY Scan" pcap file if you want to dive through it yourself.
11) SCTP COOKIE-ECHO Scan (-sZ)
Just like the above, I have limited information on the SCTP protocol. Nmap labels this scan as more advanced than the SCTP INIT scan; it only reports a port as open|filtered rather than being able to differentiate the two. This scan may be able to get past a firewall that blocks INIT chunks but lets COOKIE-ECHO chunks through. Again, something to read into a little more.
Again, Wireshark doesn't show me anything cool here, so feel free to look at my "SZ Scan" pcap if you want to look into this more. At least the Nmap scan caught the potential for port 80 to be open. I probably should have checked what other ports I had open after getting these results, but I encourage you to try this for yourself.
12/13) Service Version Detection and Script Scan (-sV, -sC)
Alright listen, these last two scans are some of the best scans that you will want to use. Now my scans didn't show me much because I was only using netcat to open ports rather than running an actual service on them, so service version detection and the script scan weren't going to show much. However, in the real world, these two scans are bread and butter. Detecting which version of a service is running on an open port is going to allow you to search through CVEs and find out if there is a vulnerability that needs to be fixed. The script scan is, in a nutshell, easy mode for an attacker to get further information on vulnerabilities and launch easy attacks. I saved the best two for last: these scans should not be forgotten about, as they are very powerful and give you some much needed information about a machine.
Service version detection doesn't give me much, but it does tell me which ports are open. In the real world, you would get more information on a target.
Script scan doesn't give me anything without the versions. This scan checks to see if there are any scripts built into the Nmap program that can help enumerate or exploit a target.
As you can see, the -sV and -sC scans also use a half-open scan in order to find open ports. That way, once the ports are known to be open, Nmap runs the service versioning and/or the scripts against just those ports.
This concludes my Nmap and Wireshark lab. I spent a few hours gathering screenshots and doing some research on what these scans do, and this gave me a few more questions to start digging into. I think it's good to know about the different options that Nmap offers as well as getting some hands-on practice with some of the "oddball" scans you may need to try. As promised, I have included a link to my GitHub where you can find all 13 of the pcap files that I analyzed. I'll also include another link to the Nmap website, where you can find a manual and further explanation of what features Nmap offers. Thank you all for reading and please comment and share for the best reach!