To identify accessible servers in a network range, nmap can perform a ping sweep using the ICMP protocol. In this process, an ICMP echo request is sent to each IP address in the network, and nmap then waits for the host's echo reply. It goes without saying that all servers that have ping disabled will go undetected. A network range can be scanned for accessible hosts with the following command, for example:

nmap -sn ${network range}

The IP addresses found can then be scanned for accessible services using a port scan. With TCP, a connection is established in three steps, the three-way handshake: the client first sends a SYN packet to the open port of the server as the initial connection request, and the server confirms the request with a SYN/ACK packet. In the third and final step, the client only has to answer with an ACK packet to complete the connection. Using the -sT option, we tell nmap to run through this full three-way handshake for a given port.

Of course, not all ports on a target system will be open, so nmap normally reports one of three states for each port: open, closed or filtered. Each of these states can be explained using the TCP three-way handshake:

  • Port is open: In the second step of the three-way handshake, the server sends a SYN/ACK packet and thus accepts the connection.
  • Port is closed: In the second step of the three-way handshake, the server sends an RST packet because no service is listening on the port.
  • Port is filtered: In the second step of the three-way handshake, the server sends no packet at all because, for example, an upstream firewall drops the connection attempt.

Unlike TCP, UDP is connectionless, which makes a port scan of UDP ports difficult. A sent UDP datagram only receives a response when a service is listening on the port, the datagram has reached its destination and was understood by the receiving service, and that service actually replies to it. Results of UDP scans are therefore generally less reliable. If no answer arrives from the server, we may still be able to use any ICMP messages the server sends: in the case of a closed UDP port, for example, the server answers with an ICMP port unreachable message. A UDP port scan is started with nmap by means of the -sU option.

Generally speaking, nmap offers numerous scanning techniques, which are controlled via its options. Detailed information about nmap's range of functions is provided on its man page (→man nmap). For example, the command nmap -p22 -sTV 10.13.53.32 attempts to establish a full TCP connection to port 22 of the target system 10.13.53.32. If this succeeds and a service answers, nmap's version detection feature then tries to identify the software version of the listening service.

The following nmap command, for example, scans the specified host for all UDP ports as fast as possible. Besides the official explanation of the parameters used, the most useful other parameters are also listed below:

nmap -Pn -sU -p- --open --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 api.dubius-payment.com
-Pn: Treat all hosts as online -- skip host discovery
-T<0-5>: Set timing template (higher is faster), e.g. -T5
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-p-: Scan all ports (1 - 65535), or e.g. -p 80,443 for selected ports
--script=${Lua scripts}: Enable script scanning
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-6: Enable IPv6 scanning

In principle, ping can be deactivated on the target systems, which is why a port scan should be carried out against every IP address regardless of the ping sweep result. The nmap option '-Pn' should therefore always be set. In addition, it is advisable to carry out individual port scans per IP address, since waiting for the output of a port scan against a whole network range is not time-efficient. One approach is to write all IP addresses of a network range to a file using the following command:

nmap -sL -n ${network} | grep "Nmap scan" | cut -d" " -f5 > targets.txt

The port scans could then be iterated against the target systems as follows:

for ip in $(cat targets.txt); do ${nmap command} >> $ip-[slow|fast]-[default|full]-[tcp|udp].txt; done

In the example above, the target systems are read from a list. Accordingly, several port scans can be carried out in parallel from different IT systems if each nmap command takes its IP addresses from a different file. For example, the following command splits the list into chunks of 10 addresses:

split -l 10 -d targets.txt segment
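The complete workflow from the last three commands (extract the targets from a list scan, split them into segments, iterate a scan command per target), as an added example that is not part of the original article. It runs on a constructed sample of nmap -sL -n output (TEST-NET-1 addresses, not real hosts) and only prints the per-host nmap commands instead of executing them, so it works offline; the result-file naming follows the article's $ip-[slow|fast]-[default|full]-[tcp|udp].txt scheme.

```shell
#!/bin/sh
# Added example, not from the article: build targets.txt from "nmap -sL -n"
# output, split it into segments and emit one scan command per target.
set -eu

# Constructed sample of "nmap -sL -n 192.0.2.0/29" output (example range).
SAMPLE_SL_OUTPUT='Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-15 10:00 CET
Nmap scan report for 192.0.2.0
Nmap scan report for 192.0.2.1
Nmap scan report for 192.0.2.2
Nmap scan report for 192.0.2.3
Nmap scan report for 192.0.2.4
Nmap scan report for 192.0.2.5
Nmap scan report for 192.0.2.6
Nmap scan report for 192.0.2.7
Nmap done: 8 IP addresses (0 hosts up) scanned in 0.01 seconds'

# extract_targets: reads nmap -sL output on stdin, prints one IP per line.
# Field 5 is the address only because -n suppressed reverse DNS; with a
# resolved name the line reads "... for host (ip)" and field 5 is the name.
extract_targets() {
    grep "Nmap scan report for" | cut -d" " -f5
}

# split_targets FILE PREFIX SIZE: numbered segment files of SIZE lines each
# (the article's "split -l 10 -d targets.txt segment").
split_targets() {
    split -l "$3" -d "$1" "$2"
}

# scan_commands FILE: one nmap command per target, appending to a per-host
# result file. Printed rather than executed so the example stays offline.
scan_commands() {
    while IFS= read -r ip; do
        printf 'nmap -Pn -sT -p- --open "%s" >> "%s-slow-full-tcp.txt"\n' "$ip" "$ip"
    done < "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
printf '%s\n' "$SAMPLE_SL_OUTPUT" | extract_targets > "$workdir/targets.txt"
split_targets "$workdir/targets.txt" "$workdir/segment" 3   # 8 IPs -> 3 files
for seg in "$workdir"/segment*; do
    echo "# $seg: $(wc -l < "$seg" | tr -d ' ') targets, run from its own system:"
    scan_commands "$seg"
done
```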

Last modified: Dec. 15, 2022

Penetration Testing Course

About Pentest Training

Discover the world of penetration testing. Learn how to infiltrate networks and successfully penetrate systems and applications. Acquire the necessary hacking skills and use them when conducting professional penetration tests. Become a real penetration tester. Here you will find the free documents for the Pentest Training of binsec academy GmbH. The binsec academy GmbH offers the corresponding security training lab environments and certifications. However, the knowledge and wiki articles on hacking and penetration testing are universal.

About binsec academy GmbH

binsec academy GmbH is the European provider of online security training with virtual laboratory environments. The core component of all security training is the focus on practice, practice and more practice. In the wiki here you will find the public and freely available course materials. You can put the theory into practice at binsec-academy.com.