First of all, these tutorials are meant for protecting your own websites and servers. After studying them you can check whether your own systems and websites are safe. If you do not have legal permission to test a target, do not try this against it.
In the previous tutorial we discussed basic nmap scans and how to save nmap output. Today we are going to look at some more advanced nmap options. Before starting, let's cover some background on network scanning.
There are three basic categories of network scanning:
- Connect scanning
- Stealth scanning (SYN scanning/half-open scanning)
- Zombie scanning (also called idle scanning)
Of these, connect scanning and stealth scanning are easy to understand. Zombie scanning is harder to understand.
We should know all of the scan types.
Why is it called connect scanning? Because in UNIX socket programming the connect() system call is what opens a TCP connection to a remote host.
If we use it, the target server or device can record the details of who is doing the scan. If you work in a country's cyber defence team this is not suitable for you: the other side's defence team can learn your details and realise that you are monitoring them.
Connect scanning works through the TCP connect() method, which means the full TCP 3-way handshake. That is why the target can identify the person who did the scan. Let me explain.
Treat the PC that runs nmap as the client and the target as the server. The client starts the exchange.
- First, the client asks the server to start a TCP connection: it sends a TCP packet with the SYN (Synchronize Sequence Number) flag set to the specific port on the server.
- Second, if the server accepts the request, it replies with a TCP packet with both the SYN and ACK (Acknowledgement) flags set.
- Third, after receiving the SYN/ACK packet, the client sends an ACK packet back to the server.
In this way the connection is established only once the server receives that ACK packet.
If nmap's SYN packet gets a SYN/ACK in reply, the port is open. If the reply is a packet with the RST flag set, the port is closed. If there is no reply at all (or an ICMP unreachable error comes back), nmap reports the port as filtered, which usually means a firewall is dropping the packets.
But once the 3-way handshake completes, the TCP connection is fully established, so the application listening on that port accepts it and the connection can be recorded in the server's application logs or firewall logs.
Stealth scanning makes it harder for the target to record who scanned it. In stealth scanning the client does not send the ACK packet in step 3. Instead, after the SYN/ACK arrives, it sends a TCP packet with the RST flag set, so the 3-way handshake is never completed and no TCP connection is created on the server. That is why it is called half-open scanning. Keep in mind that it is only "stealth" against application-level logging: the SYN and RST packets still cross the network, and a firewall or IDS that logs at packet level will still see the scan.
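To see the difference concretely, here is an added example of my own (it is not code from the tutorial or from nmap). It implements the connect() scan described above and runs it against a local test server that records every peer whose 3-way handshake completes, which is exactly the trace a connect scan leaves in server logs. The half-open side cannot be shown this way, because sending a SYN without the kernel finishing the handshake needs raw sockets and root. The target address and ports are local and constructed for the demo.

```python
import errno
import socket
import threading
import time

# Added example (not from the tutorial or nmap): a tiny connect() scanner,
# the same technique as nmap -sT, against a local server that logs peers.
SCAN_TARGET = "127.0.0.1"   # constructed: we only ever scan ourselves here


def start_logging_server():
    """Listen on 127.0.0.1 on an ephemeral port and record each peer that
    completes a connect(). Returns (socket, port, seen_peers, stop_event)."""
    seen = []
    stop = threading.Event()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((SCAN_TARGET, 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()   # returns only after the 3rd packet (ACK)
            except socket.timeout:
                continue
            except OSError:
                break                       # listening socket was closed
            seen.append(peer)               # this is the "server log" entry
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port, seen, stop


def connect_scan(host, port, timeout=1.0):
    """Classify one TCP port the way nmap -sT does, using connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))
    except OSError:
        rc = -1                    # unexpected error: treat like no answer
    finally:
        s.close()
    if rc == 0:
        return "open"              # SYN -> SYN/ACK -> ACK: handshake completed
    if rc == errno.ECONNREFUSED:
        return "closed"            # SYN was answered with RST
    return "filtered"              # timeout or unreachable: nothing came back


def pick_closed_port():
    """Bind an ephemeral port and release it so we know a port that is closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((SCAN_TARGET, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Connect-scan one open and one closed local port; report what the
    scanner saw and which peer addresses the server logged."""
    srv, open_port, seen, stop = start_logging_server()
    closed_port = pick_closed_port()
    results = {
        "open_port": connect_scan(SCAN_TARGET, open_port),
        "closed_port": connect_scan(SCAN_TARGET, closed_port),
    }
    # accept() runs in another thread; give it a moment to record the peer.
    for _ in range(100):
        if seen:
            break
        time.sleep(0.01)
    stop.set()
    srv.close()
    results["server_logged_scanner"] = [peer[0] for peer in seen]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan of the open port shows up in the server's log with the scanner's address, while the closed port is refused at the kernel (RST) and never reaches accept(). A real server would additionally see the connection in its access or error log, which is what the text above warns about.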
I'm not going to cover zombie scanning today, but keep it in mind.
OK, now let's see how to do connect scanning and stealth scanning.
How to do connect scanning?
For this we use the -sT option. If you run nmap without root privileges, connect scanning is the default scan type anyway.
Remember this well: -sT only scans TCP ports. At the end of this tutorial I will show you how to scan TCP and UDP ports together.
nmap -sT 127.0.0.1
If we run nmap this way, it only scans the 1000 most common ports by default. To scan all ports you need to change the command.
nmap -sT 127.0.0.1 -p <port 1>-<port 2> or nmap -sT 127.0.0.1 -p-
Let's say we want to scan all 65535 ports. We can use either of these:
nmap -sT 127.0.0.1 -p 1-65535 or nmap -sT 127.0.0.1 -p-
nmap -sT 127.0.0.1 -p <port>
This scans one specific port:
nmap -sT 127.0.0.1 -p 22
nmap -sT 127.0.0.1 -p <port 1>,<port 2>
Let's say we need to scan two particular ports. We can use a single command with a comma-separated list:
nmap -sT 127.0.0.1 -p 22,80
nmap -sT 127.0.0.1 -p <port 1>-<port 2>
If you want a specific range of ports, use this:
nmap -sT 127.0.0.1 -p 22-5000
IMPORTANT: If you run nmap without root privileges, it uses connect scanning (-sT) even when you don't specify a scan type. Stealth scanning is selected with the -sS option, and it requires root privileges because nmap has to send raw packets. When you run nmap as root without specifying a scan type, it defaults to -sS. So whenever you want a stealth scan, run nmap with sudo.
Now we have a good understanding of connect scanning. Let's see how to do stealth scanning.
As root, the SYN scan is already the default, so this is a stealth scan of ports 1 to 80:
sudo nmap 127.0.0.1 -p 1-80
Or specify it explicitly with -sS:
sudo nmap -sS 127.0.0.1 -p 1-80
Finally, to scan TCP and UDP ports in a single run, combine the scan types and prefix each port with T: (TCP) or U: (UDP). UDP scanning with -sU also needs root:
sudo nmap -sT -sU 127.0.0.1 -p U:68,T:22
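As an added example of my own (not part of the tutorial and not nmap's code), here is a small parser for the -p port syntax used on this page. It expands a spec into the set of (protocol, port) pairs it covers, so you can check what a given -p form would scan before running it. It handles single ports, comma lists, ranges, the bare "-" for all ports, open-ended ranges such as "1024-" and "-1023", and the T:/U: prefixes, which apply to every following item until the next prefix. It deliberately leaves out the parts of nmap's syntax the page does not use (the S: SCTP prefix, protocol scans, service names).

```python
# Added example (not from the tutorial or nmap): parser for the subset of
# nmap's -p port-specification syntax used on this page.

PROTO_PREFIX = {"T": "tcp", "U": "udp"}   # prefixes handled here
MAX_PORT = 65535


def parse_ports(spec, default_proto="tcp"):
    """Expand an nmap-style -p spec into a set of (protocol, port) tuples.

    default_proto is an assumption of this parser: it is used for items
    with no T:/U: prefix, whereas real nmap adds unprefixed ports to every
    protocol the chosen scan types request.
    """
    result = set()
    proto = default_proto
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty port item in %r" % spec)
        # A protocol prefix such as "U:68" sticks for the following items.
        if len(item) >= 2 and item[1] == ":":
            key = item[0].upper()
            if key not in PROTO_PREFIX:
                raise ValueError("unknown protocol prefix %r" % item[:2])
            proto = PROTO_PREFIX[key]
            item = item[2:]
            if not item:
                raise ValueError("protocol prefix without ports in %r" % spec)
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1          # "-80" means 1-80
            hi = int(hi_s) if hi_s else MAX_PORT   # "1024-" means 1024-65535; "-" alone is everything
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError("bad port range %r" % item)
        result.update((proto, p) for p in range(lo, hi + 1))
    return result


def summarize(spec, default_proto="tcp"):
    """Count how many ports of each protocol a spec would scan."""
    counts = {}
    for proto, _ in parse_ports(spec, default_proto):
        counts[proto] = counts.get(proto, 0) + 1
    return counts


if __name__ == "__main__":
    for example in ("22", "22,80", "22-5000", "1-65535", "-", "U:68,T:22"):
        print("-p %-12s -> %s" % (example, summarize(example)))
```

Running it shows that "-p-" and "-p 1-65535" expand to the same 65535 TCP ports, that "-p 22-5000" is 4979 ports, and that "U:68,T:22" is one UDP port plus one TCP port, matching the last nmap command above. Note the one simplification compared with nmap: an unprefixed port here gets the single default protocol, while nmap adds it to every protocol requested by the scan types (so -sT -sU -p 22 scans 22/tcp and 22/udp).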