nmap ( "network map") port scanner

The exercise to perform

Work with a partner. You will play your two computers off against each other. One will be mostly passive, the target machine. From the other you will run nmap against that target. While operating, it is instructive to be able to see the network traffic you cause. For that, run Wireshark (or tcpdump) in a window on the side. Fire that up now, size and relocate to a convenient part of the screen, on both machines.

Before doing anything, make sure there are no obstructing firewall rules in place. On both machines:

iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -nL

Internal versus external detection

You will run nmap from the first machine, targeting the second one, to see port status on the second. First, let the second machine analyze itself. On the second machine please execute:

netstat -pant

Observe which ports are open. Check that by moving over to the first machine executing:

nmap -sT <target-IP>

netstat and nmap are both looking at the second machine. With netstat, the second machine is looking at itself; while with nmap, the first machine is looking at the second from outside. Since we're talking about two views of the very same thing we'd expect both programs to report the same ports, albeit in different format. As you look at them, what's the comparison between the local netstat and remote nmap views?

Change the set of open ports on the second machine, by closing one that's open and opening a new one. You do that by stopping or starting the programs that are using those ports. For those programs that have init scripts you could do the like of "service httpd stop" or "service vsftp start" (if your machine uses systemd instead of the SysVinit startup mechanism, it'll be "systemctl stop httpd.service" or "systemctl start vftpd.service"). Or for any, if you know the name of the binary program, run or kill it directly "stunnel /etc/stunnel/stunnel.conf" or "killall sshd". Be careful what you kill. Be sure it's not something you're making use of (e.g., don't kill sshd on a machine you're accessing via sshd!). Now repeat the two measurements, netstat from inside and nmap from outside, and confirm that the change is detected and reflected by each. (The one you kill should disappear, the one you start should show up.)

Packet activity of nmap

Now let's look in detail at the operational behavior of nmap. Wireshark will reveal it. I assume you are familiar with the standard "3-way handshake" by which TCP establishes a fresh conversation with another machine. Client sends a packet with "syn" flag set, server sends back a packet with "syn" and "ack" flags set if the port is open, or with "rst" flag if not. To complete the connection, client confirms by sending a packet with "ack" set. Above we used "nmap -sT" which is nmap's TCP connect scan. Read its description in the nmap man page. Now choose one of the ports that is open on the second, target computer. From the first computer run nmap's connect scan against just that port. For example, if that's port 80:

nmap -sT -p 80 <target-IP>

That causes a volley of 4 packets. Identify them in Wireshark and relate them to the 3-way handshake.

nmap also has a version called TCP SYN scan, slightly different. Read its description in the nmap man page. Now run it against an open port, for example maybe port 80, if it's open:

nmap -sS -p 80 <target-IP>

This time there are 3 packets. For an open port, how would you describe the difference between the -sT and -sS scan versions in terms of normal TCP operation to start conversations?

Repeat the two above probes from the first machine, but do it against a port known to be closed on the second. For example, supposing 10101 is closed on the second machine:

nmap -sT -p 10101 <target-IP>
nmap -sS -p 10101 <target-IP>

How many packets result from these? For a closed port, is there an operational difference between them?

You can see that nmap's various scan types involve some minor but deliberate differences in behavior. These are designed to elicit different, known, responsive behavior from the target. Possibly to identify the target operating system. Or to minimize the likelihood of scan detection by the target, should it be running intrusion detection software. Look at the man page again, there are several scan variants you could try. -sN, -sF, -sX, -sA, -sW, -sM. Play with a couple of these a little. Take a look at the packets they generate and the results nmap reports when you run them.

Effect of firewall

Choose one of the open ports, 80 as example. Without closing it, erect a firewall rule that prevents it from being reached. On the second machine:

iptables -A INPUT -p tcp --dport 80 -j DROP

Run a SYN scan against the second machine from the first:

nmap -sS <target-IP>

Look at the difference in result reported for that port. Now get rid of the rule:

iptables -D INPUT -p tcp --dport 80 -j DROP

Operating system "fingerprinting"

Determine the address of one machine running Windows, and another running linux. Perform operating system detection against each:

nmap -O <target-IP>

Did nmap get it right?

Decoy scan

Run this one:

nmap -sS -p 80 -D, <target-IP>

Read about decoy scans in the man page. Judging from what you captured in Wireshark, the target will experience contact from how many machines? What machines are they??