Nmap
Intro
Nmap is an industry-standard tool for mapping networks, identifying live hosts and discovering services. Because it is one of the most widely used network scanners, a security analyst should be able to recognise the traffic patterns it creates. This section covers how to identify the most common Nmap scan types:
TCP connect scans
SYN scans
UDP scans
Knowing how each Nmap scan type works is essential for spotting scan activity on the network, but the details only become visible in a capture once the right display filters are applied. Below are the base filters used to probe Nmap scan behaviour on the network.
TCP flags in a nutshell (Notes / Wireshark filters)

Global search:
    All TCP segments                                          tcp
    All UDP datagrams                                         udp
SYN:
    Only the SYN flag is set (exact match)                    tcp.flags == 2
    SYN is set; the rest of the bits are not important        tcp.flags.syn == 1
ACK:
    Only the ACK flag is set (exact match)                    tcp.flags == 16
    ACK is set; the rest of the bits are not important        tcp.flags.ack == 1
SYN, ACK:
    Only SYN and ACK are set (exact match)                    tcp.flags == 18
    SYN and ACK are set; the rest of the bits are not important   (tcp.flags.syn == 1) and (tcp.flags.ack == 1)
RST:
    Only the RST flag is set (exact match)                    tcp.flags == 4
    RST is set; the rest of the bits are not important        tcp.flags.reset == 1
RST, ACK:
    Only RST and ACK are set (exact match)                    tcp.flags == 20
    RST and ACK are set; the rest of the bits are not important   (tcp.flags.reset == 1) and (tcp.flags.ack == 1)
FIN:
    Only the FIN flag is set (exact match)                    tcp.flags == 1
    FIN is set; the rest of the bits are not important        tcp.flags.fin == 1

The numeric values are the flag bits of the TCP header (FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32). An exact match on tcp.flags also compares the ECN and reserved bits, so a SYN that carries ECE and CWR matches tcp.flags.syn == 1 but not tcp.flags == 2; for detection filters the per-flag form is the safer choice.
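The difference between the two filter forms is easiest to see on raw header bytes. The following Python is an added example, not code from the original page or from Nmap or Wireshark: it builds a few constructed TCP headers, reads the flags field the way Wireshark's tcp.flags presents it, and evaluates the exact-match filter (tcp.flags == 2) against the bit-test filter (tcp.flags.syn == 1). The port and window numbers are arbitrary sample values.

```python
import struct

# TCP flag bit values; these are the numbers the tcp.flags filters compare against.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def build_tcp_header(sport, dport, flags, window):
    """Constructed 20-byte TCP header with no options (checksum left zero)."""
    data_offset_words = 5
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       (data_offset_words << 12) | flags, window, 0, 0)


def tcp_flags(tcp_header):
    """Flags field of a raw TCP header as Wireshark's tcp.flags shows it:
    the low 12 bits of the 16-bit word at offset 12 (reserved + ECN + flag bits)."""
    word = struct.unpack("!H", tcp_header[12:14])[0]
    return word & 0x0FFF


def window_size(tcp_header):
    """Raw 16-bit window field (tcp.window_size_value; no scaling applied)."""
    return struct.unpack("!H", tcp_header[14:16])[0]


def flag_names(flags):
    return ",".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def exact(flags, wanted):
    """tcp.flags == wanted: exactly these bits set and nothing else."""
    return flags == wanted


def bit_set(flags, wanted):
    """tcp.flags.<name> == 1 for every bit in wanted; other bits are ignored."""
    return flags & wanted == wanted


# Constructed samples, not taken from a capture.
SAMPLES = {
    "plain SYN": build_tcp_header(40001, 22, SYN, 1024),
    "SYN with ECN bits": build_tcp_header(40002, 22, SYN | ECE | CWR, 64240),
    "SYN,ACK": build_tcp_header(22, 40001, SYN | ACK, 65535),
    "RST,ACK": build_tcp_header(22, 40002, RST | ACK, 0),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        f = tcp_flags(hdr)
        print(f"{label:18} flags=0x{f:03x} ({flag_names(f)}) window={window_size(hdr)} "
              f"tcp.flags==2: {exact(f, SYN)}  tcp.flags.syn==1: {bit_set(f, SYN)}")
```

The second sample is the case that trips up exact matching: a SYN that also negotiates ECN has tcp.flags = 0x0c2, so tcp.flags == 2 misses it while tcp.flags.syn == 1 still catches it.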
TCP Connect Scans
TCP Connect Scan in a nutshell:
Relies on the three-way handshake (needs to finish the handshake process).
Usually conducted with the nmap -sT command.
Used by non-privileged users (the only option for a non-root user, because it goes through the operating system's connect() call rather than raw sockets).
Usually has a window size larger than 1024 bytes, because the SYN is built by the operating system's TCP stack, which expects to exchange data once the connection is up.
Arrows point from the scanner to the target (-->) and from the target back to the scanner (<--).

Open TCP port (full handshake):
    SYN -->
    <-- SYN, ACK
    ACK -->
Open TCP port (handshake completed, then the scanner tears the connection down):
    SYN -->
    <-- SYN, ACK
    ACK -->
    RST, ACK -->
Closed TCP port:
    SYN -->
    <-- RST, ACK
The images below show the three-way handshake for open and closed TCP ports. Images and pcap samples are split so that each case can be investigated on its own.
Open TCP port (Connect):
Closed TCP port (Connect):
The above images show the patterns in isolated traffic. In a large capture file the same patterns are much harder to spot, so start with a generic filter that surfaces the anomaly and then narrow down to the interesting hosts and ports. The filter below shows the TCP Connect scan pattern in a capture file: initial SYNs (SYN set, ACK clear) whose window size is larger than 1024 bytes.
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
SYN Scans
TCP SYN Scan in a nutshell:
Doesn't rely on the three-way handshake (no need to finish the handshake process).
Usually conducted with the nmap -sS command.
Used by privileged users (raw sockets are required to craft the SYN without opening a connection).
Usually has a window size of 1024 bytes or less, because Nmap crafts the SYN itself and never intends to receive data.
The window-size threshold is a heuristic rather than proof: it reflects Nmap's default raw probe and common operating-system defaults, and a scanner can change it, so treat it as a triage filter and confirm with the handshake pattern.
Open TCP port:
    SYN -->
    <-- SYN, ACK
    RST -->
Closed TCP port:
    SYN -->
    <-- RST, ACK
Open TCP port (SYN):
Closed TCP port (SYN):
The given filter shows the TCP SYN scan patterns in a capture file.
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024
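The two filters above only select single packets; deciding that a host is scanning still means grouping those SYNs per source. The following Python is an added example, not code from the original page or from Nmap: it applies the Connect and SYN filter logic (SYN set, ACK clear, window above or at most 1024 bytes, the page's heuristic threshold) to a constructed list of packet summaries and reports sources that probed many distinct ports. The IP addresses, port lists and the 64240-byte window of the non-Nmap SYNs are assumed sample values, and the five-port threshold is an arbitrary tuning knob.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10             # TCP flag bits
NMAP_RAW_WINDOW_MAX = 1024        # threshold used by the page's filters (heuristic)

# Constructed packet summaries, not a real capture:
# (src, dst, dst_port, tcp.flags, tcp.window_size)
PACKETS = [
    # 10.0.0.5 runs a SYN scan: raw SYNs with a 1024-byte window, then a RST
    *[("10.0.0.5", "10.0.0.1", p, SYN, 1024)
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)],
    ("10.0.0.1", "10.0.0.5", 22, SYN | ACK, 64240),   # open port answers
    ("10.0.0.5", "10.0.0.1", 22, 0x04, 0),            # scanner tears it down
    # 10.0.0.6 runs a connect scan through an OS stack (window 64240)
    *[("10.0.0.6", "10.0.0.1", p, SYN, 64240)
      for p in (22, 80, 443, 8080, 8443, 9090)],
    # 10.0.0.7 is an ordinary client opening one HTTPS connection
    ("10.0.0.7", "10.0.0.1", 443, SYN, 64240),
    ("10.0.0.1", "10.0.0.7", 443, SYN | ACK, 64240),
    ("10.0.0.7", "10.0.0.1", 443, ACK, 64240),
]


def classify_syn(flags, window):
    """Apply the page's two display filters to one packet.
    tcp.flags.syn==1 and tcp.flags.ack==0 keeps initial SYNs only; the window
    size then separates OS-generated (connect) from raw Nmap (syn) probes."""
    if not (flags & SYN) or (flags & ACK):
        return None
    return "syn" if window <= NMAP_RAW_WINDOW_MAX else "connect"


def suspected_scanners(packets, min_ports=5):
    """Group initial SYNs per source and report sources that hit many distinct
    (target, port) pairs; a single client connection never reaches the threshold."""
    seen = defaultdict(lambda: defaultdict(set))   # src -> kind -> {(dst, port)}
    for src, dst, dport, flags, window in packets:
        kind = classify_syn(flags, window)
        if kind:
            seen[src][kind].add((dst, dport))
    report = {}
    for src, kinds in seen.items():
        for kind, targets in kinds.items():
            if len(targets) >= min_ports:
                report[src] = {"scan": kind, "ports": sorted(p for _, p in targets)}
    return report


if __name__ == "__main__":
    for src, info in suspected_scanners(PACKETS).items():
        print(f"{src}: {info['scan']} scan of {len(info['ports'])} ports {info['ports']}")
```

The SYN,ACK replies and the scanner's RST are in the sample on purpose: both fail the SYN-set/ACK-clear test, so only the probes themselves are counted, which is exactly what the Wireshark filters isolate.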
UDP Scans
UDP Scan in a nutshell:
Doesn't require a handshake process.
Open ports usually give no response (Nmap reports them as open|filtered unless the service answers the probe).
Closed ports answer with an ICMP error message (Destination unreachable, Port unreachable).
Usually conducted with the nmap -sU command.
Open UDP port:
    UDP packet -->
    (no response)
Closed UDP port:
    UDP packet -->
    <-- ICMP Type 3, Code 3 message (Destination unreachable, Port unreachable)
Closed (port no 69) and open (port no 68) UDP ports:
The above image shows that the closed port returns an ICMP error packet. At first glance the error carries no information about which probe triggered it, so how does an analyst decide which request the message belongs to? The ICMP error quotes the original request (the IP header and the first bytes of the datagram that caused the error) as its payload, which identifies the source and reason of the packet. Expand the ICMP section in the packet details pane and you will see the encapsulated original request, as shown in the image below.
The given filter shows the UDP scan patterns in a capture file.
icmp.type==3 and icmp.code==3
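The attribution step described above (reading the quoted original datagram out of the ICMP error) can be done programmatically when there are too many errors to expand by hand. The following Python is an added example, not code from the original page or from Nmap or Wireshark: it constructs an ICMP Type 3, Code 3 frame that quotes a UDP probe to port 69, applies the icmp.type==3 and icmp.code==3 selection, and parses the quoted IP and UDP headers to recover the scanner address and the probed port. The addresses, source port and the ICMP echo reply used as a distractor are assumed sample values; checksums are left at zero because nothing here is put on the wire.

```python
import socket
import struct

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3   # icmp.type==3 and icmp.code==3
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options (checksum left zero)."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def port_unreachable(scanner, target, sport, dport):
    """ICMP port-unreachable sent by target back to scanner, quoting the probe:
    8 bytes of ICMP header, then the original IP header and first 8 payload bytes."""
    probe = ipv4_header(scanner, target, IPPROTO_UDP, 8) + udp_header(sport, dport, 0)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + probe
    return ipv4_header(target, scanner, IPPROTO_ICMP, len(icmp)) + icmp


def parse_ipv4(frame):
    """Return (src, dst, protocol, payload) honouring the IHL field."""
    ihl = (frame[0] & 0x0F) * 4
    return (socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20]),
            frame[9], frame[ihl:])


def attribute_port_unreachable(frame):
    """Which UDP probe does this ICMP error answer? None if it is not a
    type 3 / code 3 message quoting a UDP datagram."""
    src, dst, proto, payload = parse_ipv4(frame)
    if proto != IPPROTO_ICMP or len(payload) < 8:
        return None
    if (payload[0], payload[1]) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        return None
    quoted = payload[8:]                      # the encapsulated original request
    if len(quoted) < 28:
        return None
    q_src, q_dst, q_proto, q_payload = parse_ipv4(quoted)
    if q_proto != IPPROTO_UDP or len(q_payload) < 8:
        return None
    q_sport, q_dport = struct.unpack("!HH", q_payload[:4])
    return {"reporter": src, "scanner": q_src, "target": q_dst,
            "probe_sport": q_sport, "probe_dport": q_dport}


def attribute_all(frames):
    return [r for r in map(attribute_port_unreachable, frames) if r]


# Constructed sample frames, not from a capture: one port-unreachable for a
# probe to UDP/69, and an ICMP echo reply that must be ignored.
SAMPLE_FRAMES = [
    port_unreachable("10.0.0.5", "10.0.0.1", 40321, 69),
    ipv4_header("10.0.0.1", "10.0.0.5", IPPROTO_ICMP, 8)
    + struct.pack("!BBHHH", 0, 0, 0, 1, 1),
]

if __name__ == "__main__":
    for r in attribute_all(SAMPLE_FRAMES):
        print(f"{r['reporter']} reports UDP/{r['probe_dport']} closed "
              f"for probe from {r['scanner']}:{r['probe_sport']} to {r['target']}")
```

Note that the scanner's address comes from the quoted inner header, not from the outer destination: the two coincide for a plain UDP scan, but checking the quoted header is what lets the analyst tie each error to a specific probe and port.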