Nmap Network Scanning
For your preparation for network scanning, answer the following questions:
What network packets does nmap send to the target by default when run with the -sT option, e.g. nmap -sT 10.0.0.1, before beginning the port scan? Quantify the packets sent and identify the protocols of each packet. Be precise as possible and base your answer on the readings and the nmap manual.
Why is a SYN scan (nmap -sS) faster and more stealthy than a traditional connect scan (nmap -sT)? Support your answer by quantifying the packets send with each command for a single port. Identify the TCP flags used in each packet.
Nmap Network Scanning
Nmap derived from the phrase “Network Mapper” is an open source networking tool used for network study and network security auditing. Its design allows it to swiftly scan large network infrastructures but performs better with single hosts. Nmap sends raw IP packets to determine available hosts on the network, services offered by the hosts, versions of operating systems running, type of firewalls/filters in use among dozens of other attributes. While using the –sT scan option, nmap sends TCP connect packets to the target requesting the primary operating system to launch a connection between target device and the port. The connection occurs when the OS issues the connect system call. The nmap –sT option sends a series of six TCP probes to identified ports of the target remote device. The following list offers the various options and values for all the six packets as noted by Lyon Gordon Fyodor.
- Packet 1 involves window field 1 and can be stated as window scale (10), NOP, MSS (1460), timestamp (TSval: 0xFFFFFFFF; TSecr: 0), SACK permitted.
- Packet 2 which involves windows field 63 can be stated as: MSS (1400), window scale (0), SACK permitted, timestamp (TSval: 0xFFFFFFFF; TSecr: 0), EOL.
- Packet 3 involves window field 4 and can be stated as: Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), NOP, NOP, window scale (5), NOP, MSS (640).
- Packet 4 involves window field 4 and can be stated as: SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL.
- Packet 5 Involves window field16 and can be stated as: MSS (536), SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL.
- Packet 6 involves window field 512 and can be stated as: MSS (265), SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0).
SYN scan (nmap –sS) is faster than the default connect scan (nmap –sT) because rather