Port scanning in Linux - nmap

Today is not the time for the theoretical side of security. I would like to present several issues that I find interesting and that should be close to the heart of any network or server administrator. An admin should be aware of the risks and techniques of potential attacks (from both inside and outside the local network) and of at least the basic techniques for protecting against them (regardless of the hardware and operating system).

In general, scanning and fingerprinting can reveal which application handles a particular service, including the version of the software, the port number and often many subtle details of its behaviour. Individual services, network mechanisms and entire operating systems each have unique characteristics, so old, leaky or misconfigured applications and systems can potentially be detected. Users should employ a variety of techniques and tools. One of the most popular port scanners is Nmap. This tool supports an extensive set of scanning techniques (SYN, FIN, ACK, NULL, Xmas) and (my favourite option) can "guess" which operating system is running on the remote host. Nmap is now available in all system repositories.

Scanning

The "TCP connect" scan is the most basic technique. It carries out a full TCP connection to the port. No computer in your network can ignore the TCP SYN of the three-way handshake (SYN, SYN/ACK, ACK), so this method is quite effective. If the port is open and receives a TCP packet with the SYN flag from Nmap, it replies with SYN/ACK; if the port is closed, the answer is RST/ACK. Note that this method is easy to detect: these are real connection attempts to actual services, so they leave a mark in the remote system's logs. To perform a TCP connect scan with Nmap, use the -sT option.

TCP SYN scanning sends a packet with the SYN flag but never establishes a full connection: if the remote host responds with SYN/ACK (the port is open), the scanner never sends the final ACK. In typical firewall logs you will not find even a trace of these connections. To use this technique, pass the -sS option.

The TCP FIN scan sends a packet with the FIN flag to the remote port (as normally happens during the connection close handshake). The host replies with RST if the port is closed. It is a stealthy scan, run with the -sF option.

The next technique, the TCP ACK scan, is also a relatively safe and stealthy method. It sends a packet with the ACK flag straight away (without the preceding SYN and SYN/ACK). The ACK is therefore bogus: it refers to a connection that was never established. A closed port answers with RST, while an open port… does not answer at all! Nmap uses the -sA option for this method.

TCP NULL (the -sN option) is a technique in which packets are sent to the host with no flags set at all (no SYN, SYN/ACK or FIN). An open port does not respond to such "provocations" (so the scanner knows it is open), while a closed port "growls" back with an ordinary RST.
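The scan types above differ only in which TCP flags the probe carries, which is exactly what a host-side firewall log records. The following script is an added example (not code from the original article or from the Nmap project) that shows the defender's side of the SYN, FIN, ACK and NULL scans: it parses log lines in the style of the netfilter LOG target, classifies each probe by its flag combination, and reports sources that either send flag sets with no legitimate use (NULL, FIN-only, Xmas) or spray SYN probes across many ports. The log lines, addresses and the `port_threshold` of 5 are constructed for the example; the field names (`SRC=`, `DPT=`, bare `SYN`/`FIN`/`ACK` tokens) follow the real LOG target format, which assumes a LOG rule is in place on the host.

```python
import re
from collections import defaultdict

# Flag tokens that the netfilter LOG target prints as bare words.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample log lines (fields abbreviated; documentation addresses only).
# 192.0.2.10  : SYN-only probes to five different ports (SYN scan pattern)
# 192.0.2.77  : one NULL probe, one FIN-only probe, one Xmas (FIN/PSH/URG) probe
# 203.0.113.4 : an ordinary connection to port 443 (SYN, then ACK) - benign
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 SYN URGP=0
Jan 10 12:00:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 SYN URGP=0
Jan 10 12:00:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 SYN URGP=0
Jan 10 12:00:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=3306 WINDOW=1024 SYN URGP=0
Jan 10 12:00:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=8080 WINDOW=1024 SYN URGP=0
Jan 10 12:00:05 host kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 URGP=0
Jan 10 12:00:05 host kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=25 WINDOW=1024 FIN URGP=0
Jan 10 12:00:06 host kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=110 WINDOW=1024 FIN PSH URG URGP=0
Jan 10 12:00:09 host kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=443 WINDOW=64240 SYN URGP=0
Jan 10 12:00:09 host kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=443 WINDOW=502 ACK URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Flag combinations that normal TCP stacks never emit on their own.
ANOMALOUS = {"NULL", "FIN", "XMAS"}


def parse_line(line):
    """Return (src, dport, flags) for a TCP LOG line, or None for anything else."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    # Flags are printed as stand-alone words, so intersect the tokens with the known set.
    flags = frozenset(set(line.split()) & TCP_FLAGS)
    return fields["SRC"], int(fields["DPT"]), flags


def classify_probe(flags):
    """Map a flag set to the scan type that produces it (heuristic, exact-match)."""
    if not flags:
        return "NULL"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"ACK"}:
        return "ACK"          # ACK-only is also normal mid-connection traffic
    return "OTHER"


def analyse(log_text, port_threshold=5):
    """Return {source: [reasons]} for sources whose probes look like a port scan.

    A source is reported when it sends a NULL, FIN-only or Xmas probe, or when
    its SYN-only probes touch at least `port_threshold` distinct destination ports.
    ACK-only packets are deliberately not counted on their own, because every
    established connection produces them.
    """
    syn_ports = defaultdict(set)   # src -> set of ports hit by bare SYN
    anomalous = defaultdict(set)   # src -> set of anomalous probe kinds seen
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport, flags = parsed
        kind = classify_probe(flags)
        if kind == "SYN":
            syn_ports[src].add(dport)
        elif kind in ANOMALOUS:
            anomalous[src].add(kind)

    findings = {}
    for src in sorted(set(syn_ports) | set(anomalous)):
        reasons = []
        if len(syn_ports[src]) >= port_threshold:
            reasons.append(f"SYN probes to {len(syn_ports[src])} ports")
        for kind in sorted(anomalous[src]):
            reasons.append(f"{kind} probe (no legitimate use)")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in analyse(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

The benign client 203.0.113.4 is not reported even though it sent a bare SYN and a bare ACK, because the SYN touched a single port and ACK-only packets are ignored in isolation. The practical caveat this illustrates is the one the article hints at: the "stealthy" scans leave no trace only when nothing logs them. A host that logs new connections and packets the connection tracker considers INVALID (for example with `-m conntrack --ctstate INVALID -j LOG` in iptables) records the NULL, FIN and Xmas probes, which then stand out precisely because no real TCP stack produces those flag sets.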

Nmap also allows remote detection of the operating system. This is done with the -O option. Nmap determines the OS details and other information (e.g. uptime) on the basis of the TCP/IP header, such as the TCP "Timestamp" option.
