Nmap Advanced Uses Pt.1

Intro

If you’re familiar with Nmap, you are probably aware of the myriad of options it has to offer. I have opted to use example scans for our purposes in hopes of being able to more easily demonstrate some of those options. 

We will take a look at some of the more advanced scans (focusing on Null, Xmas, and FIN scans), along with more examples, example commands, scripts and other options. I focused on these scans because they are rather interesting once you think about how they work and how they interact with other systems. Also, once in a while, you might be able to slip completely under the radar of a firewall or packet-filtering router, and we will explain how.

Scans
  • Null Scan
  • Xmas Scan
  • FIN Scan
Examples, command-line flags, scripts, options
  • dns-brute Script
  • http-errors Script
  • http-waf-detect Script
  • http-waf-fingerprint Script
  • --script
  • --reason
  • -A
  • Output Format
Commands

Null, Xmas and FIN Scans

These three scans rely on TCP RFC 793 to tell which ports are open and which are closed. They do so by leveraging the fact that if the destination port is closed, an RST packet is sent in response.

From the RFC:

 “CLOSED… an incoming segment not containing a RST causes a RST to be sent in response.” 

In such systems, any packet that does not contain a SYN, RST or ACK bit will cause an RST response if the port is in fact closed, and no response if it is open. So long as these bits are not included, any other viable combination of the remaining three (URG, PSH and FIN) should be completely fine.

The only thing Null, Xmas, and FIN scans do differently is how they set the TCP flags in the probe packets. In any case, if an RST packet finds its way back, the port is considered closed, while receiving no response marks it open|filtered. Filtered just means that an ICMP unreachable error was received.

Xmas scan (-sX) – Sets the URG, PSH and FIN flags

Null scan (-sN) – TCP flags field is 0 / sets no flag at all – all six flag bits are 0

FIN scan (-sF) – Only sets the TCP FIN bit

Null Scan

Because the Null scan doesn’t set any flags (all six flag bits are zero), an open port won’t send any response, since the receiving system has no defined way to handle a flag-less segment. This is essentially how the Null scan helps us determine whether a port is open. Also, since the probe carries no set flags, it can (sometimes) slip past a firewall or router that filters incoming packets based on certain flags.

Thus, Nmap ‘knows’ that getting no response to a Null probe means the port is either open or blocked by a firewall. The scan is invoked by adding -sN to your command.

Null scan finding 7 open ports (and respective services) on the target host

No response → open port (or filtered)

RST packet in response → closed port

Xmas Scan

The Xmas scan is so called because it sets the URG, FIN, and PSH flags at the same time. It is invoked by adding -sX to your command. As with the FIN and Null scans, receiving an RST packet indicates the port is closed. Otherwise, it is shown as open|filtered.

The name comes from the look of the header: with the FIN, PSH, and URG flags all set in the Xmas probe, the flag bits appear lit up like a Christmas tree.

Christmas tree header

Image showing port 5902 is open and running vnc-2

Xmas scan sets PSH, FIN, and URG flags at the same time

RST packet received – port closed

No response – open port (or filtered)

FIN Scan

Similarly to the previous two scans (Null and Xmas), the FIN scan sends a TCP packet with only the FIN flag set. You invoke it by adding -sF to your command. As before, no response is sent back if the TCP port is open, so Nmap can’t be sure whether the port is truly open or a firewall rule is blocking the traffic. But since the system should respond with an RST if the port is closed, we can deduce the open and/or filtered ports from that fact.

Please note that some firewalls might drop this traffic without sending RSTs at all.

Sets the FIN flag

No response – open port (or filtered)

RST packet received – port closed
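To make the RFC 793 rule behind all three scans concrete, here is an added Python example (not code from the original article) that models the reply a compliant stack gives to a Null, Xmas or FIN probe, turns that reply into Nmap’s closed / open|filtered verdict (including the case of a firewall silently dropping the probe), and, from the defender’s side, counts such probes per source over a few constructed connection records. All addresses, ports and records are constructed.

```python
from collections import Counter
from typing import Optional

# TCP header flag bits (the low six bits of the flags byte).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The exact flag combinations the three scans send in their probes.
PROBE_NAMES = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas"}

def classify_probe(flags: int) -> Optional[str]:
    """Return 'null', 'fin' or 'xmas' for a probe of those scan types, else None."""
    return PROBE_NAMES.get(flags & 0x3F)

def rfc793_response(flags: int, port_open: bool) -> Optional[str]:
    """Reply of an RFC 793 stack to a segment with none of SYN/RST/ACK set:
    CLOSED answers any non-RST segment with a RST; LISTEN (open) stays silent."""
    if flags & (SYN | RST | ACK):
        raise ValueError("handshake flags are outside this scan's model")
    return None if port_open else "RST"

def infer_port_state(response: Optional[str]) -> str:
    """The inference Nmap draws: RST means closed, silence means open|filtered."""
    return "closed" if response == "RST" else "open|filtered"

def simulate_scan(probe_flags: int, ports: dict) -> dict:
    """Send one probe type to every port of a constructed port table; ports maps
    port -> 'open', 'closed' or 'filtered' (closed, but a firewall drops the
    probe silently, so no RST comes back and the port looks open|filtered)."""
    result = {}
    for port, state in ports.items():
        response = None if state == "filtered" else rfc793_response(probe_flags, state == "open")
        result[port] = infer_port_state(response)
    return result

# Constructed connection records for the detection side: (source, dst port, flags).
RECORDS = [
    ("10.0.0.5", 22, 0), ("10.0.0.5", 80, 0), ("10.0.0.5", 443, 0),
    ("10.0.0.9", 22, FIN | PSH | URG), ("10.0.0.9", 25, FIN),
    ("10.0.0.7", 22, SYN), ("10.0.0.7", 22, ACK),   # normal handshake, not a probe
]

def count_probes(records) -> dict:
    """Count Null/Xmas/FIN probes per source; ordinary handshake traffic is ignored."""
    counts = Counter()
    for src, _port, flags in records:
        kind = classify_probe(flags)
        if kind:
            counts[(src, kind)] += 1
    return dict(counts)
```

Running simulate_scan with the Xmas flags against a table of one open, one closed and one firewalled port shows why the open and the firewalled port are indistinguishable to the scanner.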

Options in Nmap are usually added by specifying your option in the command (--option_name). Similarly, you can call built-in Nmap scripts with --script "name_of_your_script".

Here, we will quickly glance over a few more examples of options, scripts, and some additional commands.

--script

ssh2-enum-algos script

By scanning the host with the ssh2-enum-algos script from the NSE script library, we found out which algorithms this SSH2 server offers.

--reason

syn-ack in the reason column indicates that the port is listening

dns-brute Script

dns-brute attempts to enumerate DNS hostnames by brute-force guessing of common subdomains. A and AAAA records give IPv4 and IPv6 addresses, respectively.

Discovery of some of the scanme.nmap.org subdomains, using dns-brute NSE script

Some (of the many) interesting NSE scripts: 

http-errors Script – this script crawls a site looking for any error code(s) of 400 or above and lists them in order

Example command: sudo nmap --script http-errors 10.10.10.10

http-waf-detect Script – tries to determine whether a web server is protected by a Web Application Firewall, IDS, or IPS, by probing it with malicious payloads and looking for changes in the response code.

Example command: sudo nmap --script http-waf-detect 10.10.10.10

http-waf-fingerprint Script – this script tries to find out whether a Web Application Firewall (WAF) is present, and what its version is.

Example command: sudo nmap --script http-waf-fingerprint 10.10.10.10

Remember that by default, the NSE scripts live in /usr/share/nmap/scripts.

Other options
-A 

This option is equivalent to -sV -O -sC --traceroute.

-sV does service and version detection

-O does OS detection

-sC launches the default NSE scripts

--traceroute traces the route to each host

In the screenshot above we have an excerpt from an output file we have created combining the -A command with some other switches.

  1. -A (or -sV -O -sC --traceroute) described above
  2. -T4 timing template, set to aggressive.
  3. -p- specifying all ports
  4. -oN Normal output format, with the respective path to the file that’s being written to
  5. -vv verbose output level 2

Output Formats

-oG

Works with grep, awk, cut, and diff; contains less information than the XML format (-oX)

-oX

Can be parsed easily by free XML parsers, writes output in an XML format

-oN

Prints normal output of your scan to a file
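As an added example (not part of the original article), a small Python parser for the grepable -oG format described above; the sample output it reads is constructed, not a real scan, and follows the tab-separated Host lines and the port/state/protocol/owner/service/rpcinfo/version/ port entries of that format.

```python
# Constructed sample of Nmap grepable (-oG) output; fields on a Host line are
# tab-separated and every port entry has the layout
# port/state/protocol/owner/service/rpcinfo/version/ (seven fields).
SAMPLE_OG = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.10.10.0/30",
    "Host: 10.10.10.1 ()\tStatus: Up",
    "Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)",
    "Host: 10.10.10.2 ()\tPorts: 5902/open/tcp//vnc-2///\tIgnored State: closed (999)",
    "# Nmap done at Mon Jan  1 00:00:00 2024 -- 2 IP addresses (2 hosts up) scanned",
])

def parse_gnmap(text: str) -> dict:
    """Return {host: [{port, state, proto, service, version}, ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment header/trailer lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue                       # a "Status: Up" line carries no port data
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            hosts.setdefault(host, []).append({
                "port": int(port), "state": state, "proto": proto,
                "service": service, "version": version,
            })
    return hosts

def open_ports(hosts: dict) -> list:
    """Flatten to sorted (host, port, service) tuples for ports reported open."""
    return sorted((h, p["port"], p["service"])
                  for h, ports in hosts.items() for p in ports if p["state"] == "open")

def state_summary(hosts: dict) -> dict:
    """Count reported states across all hosts (closed ports sit in 'Ignored State')."""
    counts = {}
    for ports in hosts.values():
        for p in ports:
            counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts
```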

Port Scan Type / Command-line flags / Options      Example Command
TCP Null Scan                                      sudo nmap -sN <target_ip>
TCP FIN Scan                                       sudo nmap -sF <target_ip>
TCP Xmas Scan                                      sudo nmap -sX <target_ip>
--reason                                           sudo nmap --reason <target_ip>
-sC (Default scripts)                              sudo nmap -sC <target_ip>
--script <script_name>                             sudo nmap --script "script_name" <target_ip>
-sS (Stealth scan)                                 sudo nmap -sS <target_ip>
-sV (Version and service detection)                sudo nmap -sV <target_ip>
-A (equivalent → -sV -O -sC --traceroute)          sudo nmap -A <target_ip>
-oG, -oX, -oN (Output formats)                     sudo nmap -oG|-oX|-oN <output_file> <target_ip>
-p- (Scan all ports)                               sudo nmap -p- <target_ip>

Conclusion

We have covered a lot in this article, yet we haven’t scratched the surface of what Nmap can do. We barely mentioned NSE (the Nmap Scripting Engine), which ships ~600 scripts with a standard Nmap install – and there are plenty more to be found out there.

Finally, I would just like to emphasize a few more things (even though we might say they should go without saying) before concluding. 

  1. Never do unauthorized scans, you can get in a lot of trouble for nothing.
  2. Know your context. (Nmap is a Swiss army knife, but you still need to choose the appropriate extension for it to function)
  3. Know what you’re trying to achieve. (Nmap is also a scalpel, but you need to direct it skillfully)
  4. Use sudo. Seriously, even though you might get by without it, spare yourself the headache and adopt the habit of using sudo in your Nmap commands; it will function best that way (barring a special use case).
