
Thread: Multipart PortScanning Tutorial Part 5

  1. #1 Archangel-Amael (Super Moderator)

    Multipart PortScanning Tutorial Part 5

    In this edition we will be looking at the results of NULL Scans.
    We are using Nmap.

    The other parts are located here:
    Part 1
    Part 2
    Part 3
    Part 4

    Disclaimer: This information is for educational purposes only and not to commit a crime!
    If you do something that causes you to hose your box, don't come kicking and screaming on the forums!
    All IP addresses, MAC addresses, etc. have been munged!


    OK, first off, a NULL Scan is a scan in which no TCP flags are set. This is normally something that doesn't happen, or shouldn't happen, in the "real world". If the scanned ports are closed, then we should get a RST (Reset) packet back from our target.

    The basic scan uses the -sN flag.

    So it will look like the following on a Windows box with a firewall in place.

    Code:
     bt ~# nmap -sN -vv 192.168.1.4
    As always we are using the -vv (very verbose) flag.
    And the following is our typical output:

    Code:
    Starting Nmap 4.20 ( http://insecure.org ) at 2008
    Initiating ARP Ping Scan at 11:35
    Scanning 192.168.1.4 [1 port]
    Completed ARP Ping Scan at 11:35, 0.01s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 11:35
    Completed Parallel DNS resolution of 1 host. at 11:35, 0.05s elapsed
    Initiating NULL Scan at 11:35
    Scanning 192.168.1.4 [1697 ports]
    Completed NULL Scan at 11:36, 36.33s elapsed (1697 total ports)
    Host 192.168.1.4 appears to be up ... good.
    All 1697 scanned ports on 192.168.1.4 are open|filtered
    MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
    
    Nmap finished: 1 IP address (1 host up) scanned in 37.093 seconds
                   Raw packets sent: 3395 (135.802KB) | Rcvd: 1 (42B)
    And now the same scan without the firewall in place.

    Code:
     bt ~# nmap -sN -vv 192.168.1.4

    This time I will show only the info that is relevant.


    Code:
    Starting Nmap 4.20 ( http://insecure.org ) at 2008
    All 1697 scanned ports on 192.168.1.4 are closed
    MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
    Notice the difference? The only thing is that now the ports are showing up as closed! This is a huge bit of information.
    We also learned in both that the host is "up" as well as the network interface's MAC address.
    But most importantly we probably didn't set off any alarms on the target network.
    Because I did this on my network I know that it didn't.

    Now let's look at one more scan, only this time we will do it against a *nix box.

    Code:
     bt ~# nmap -sN -vv 192.168.1.101
    Again the output shows only what is relevant.
    Code:
    Starting Nmap 4.20 ( http://insecure.org ) at 2008
    
    Host 192.168.1.101 appears to be up ... good.
    All 1697 scanned ports on 192.168.1.101 are open|filtered
    MAC Address: 11:00:22:AA:BB:CC (Cisco-Linksys, LLC)
    
    Nmap finished: 1 IP address (1 host up) scanned in 36.094 seconds
                   Raw packets sent: 3395 (135.802KB) | Rcvd: 1 (42B)
    This time we see that the *nix box showed the ports as being in an open or filtered state.

    The advantage of doing a NULL Scan is that no TCP sessions are created for this scan, so it is normally quiet from the perspective of the remote device's applications. Therefore, none of these scans should appear in any of the application logs. This is a huge advantage when scanning a firewall or router that is facing the internet on a target network. These scans are also some of the most minimal port-level scans that nmap can do. For a closed port, only two packets are transferred. This is all that is needed to find an open port!

    The disadvantage of doing this type of scan is that some implementations of the TCP stack will render this scan useless. For instance, with Microsoft this scan will show all ports as closed regardless of their actual state. But even this can work to your advantage, since any device showing open ports must not be a Windows-based device!
    There is another caveat to the above: software-based firewalls can override this rule, as shown in the first scan.

    So now that we know what a NULL Scan can do for us or against us, we should be able to better protect our networks.
    Ideally, and in my opinion, we want our box to respond as being open|filtered as shown above. This makes it harder for an intruder to guess what the target is.

    So if this has helped or hindered you let me know.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.
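The post above reads Nmap's -sN results by hand; the following is an added example (not code from the original thread or from Nmap) showing the same logic from the defender's side: it decodes raw TCP headers, flags segments with no TCP flags set as NULL probes, counts such probes per source the way a port-sweep IDS rule would, and classifies replies exactly as Nmap's output does (RST means closed, silence means open|filtered). All packet bytes and the threshold are constructed for the demo.

```python
# Added example (not part of the original forum post): parse raw TCP headers,
# flag NULL probes (no TCP flags set), and classify the replies the way
# Nmap's -sN output does. Packet bytes below are constructed for the demo.
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp(raw: bytes) -> dict:
    """Decode the 20-byte fixed TCP header (RFC 793 layout)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return {"src_port": src, "dst_port": dst, "flags": off_flags & 0x3F}

def build_tcp(src: int, dst: int, flags: int) -> bytes:
    """Constructed header for the demo: data offset 5, window 1024, no options."""
    return struct.pack("!HHIIHHHH", src, dst, 0, 0, (5 << 12) | flags, 1024, 0, 0)

def is_null_probe(seg: dict) -> bool:
    # A segment with no flags at all never occurs in a legitimate TCP session.
    return seg["flags"] == 0

def null_scan_sources(packets, threshold: int = 5) -> dict:
    """Detection: count distinct ports hit by NULL probes per source IP and
    return those at or above the threshold (mimics an IDS port-sweep rule)."""
    hits = defaultdict(set)
    for src_ip, raw in packets:
        seg = parse_tcp(raw)
        if is_null_probe(seg):
            hits[src_ip].add(seg["dst_port"])
    return {ip: len(ports) for ip, ports in hits.items() if len(ports) >= threshold}

def classify_port(port: int, replies) -> str:
    """Nmap -sN interpretation: a RST from the probed port means closed;
    silence means open|filtered (the scan cannot tell the two apart)."""
    for raw in replies:
        seg = parse_tcp(raw)
        if seg["src_port"] == port and seg["flags"] & RST:
            return "closed"
    return "open|filtered"

# Constructed traffic: one source sweeping six ports with NULL probes,
# plus one ordinary SYN from another host that must not be flagged.
TRAFFIC = [("10.0.0.9", build_tcp(40000 + i, p, 0))
           for i, p in enumerate((22, 25, 80, 135, 139, 445))]
TRAFFIC.append(("10.0.0.5", build_tcp(51000, 80, SYN)))

if __name__ == "__main__":
    print(null_scan_sources(TRAFFIC))            # {'10.0.0.9': 6}
    print(classify_port(80, [build_tcp(80, 40002, RST | ACK)]))  # closed
    print(classify_port(22, []))                  # open|filtered
```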

  2. #2 kysuke (Junior Member)

    Thanks for these tutorials! I have been reading them since last night lol. Please keep them coming! I'm adding these to my binder for me to study.

  3. #3 MaXe Legend (Member)

    Nice tutorial about explaining the Null Scan

    I would like to point out nmap has yet again been updated.
    Now it's version 4.53 and I wonder how soon the next version
    will be released. Sorry to the moderators if I already said this.

  4. #4 Archangel-Amael (Super Moderator)

    Quote Originally Posted by kysuke View Post
    Thanks for these tutorials! I have been reading them since last night lol. Please keep them coming! I'm adding these to my binder for me to study.
    You are quite welcome! I am glad that after 90 some odd views someone found it interesting enough to comment on.


    Quote Originally Posted by MaXe Legend View Post
    Nice tutorial about explaining the Null Scan

    I would like to point out nmap has yet again been updated.
    Now it's version 4.53 and I wonder how soon the next version
    will be released. Sorry to the moderators if I already said this.

    Yes, I know it has, but the methodology used is still the same.
    Thanks for the comment nonetheless!

  5. #5 anathema (Junior Member)

    Well I'd like also to say thanks for all of the Port Scanning Tuts especially number 4.

    I didn't want to write 5 replies so I'll just put all my thanks in this one.

  6. #6 wallsballs (Junior Member)

    Thanks again

  7. #7 doggy (Junior Member)

    Just finished a long night on Google, searching for nmap scanning.
    Came back home to remote and find your tutorials.

    Thank you.
    Your tutorials answered some questions I was looking for.

    Look forward to part 6?

  8. #8 Archangel-Amael (Super Moderator)

    Quote Originally Posted by anathema View Post
    Well I'd like also to say thanks for all of the Port Scanning Tuts especially number 4.
    I didn't want to write 5 replies so I'll just put all my thanks in this one.
    Quote Originally Posted by wallsballs View Post
    Thanks again

    Quote Originally Posted by doggy View Post
    Just finished a long night on Google, searching for nmap scanning. Came back home to remote and find your tutorials.
    Thank you. Your tutorials answered some questions I was looking for.
    Look forward to part 6?

    Thanks anathema, wallsballs, and doggy for reading and commenting

    Sorry for the long delay in responding.


    As for a part 6, well, I am not sure if there is anything left to cover, but if you throw some suggestions my way I will try and get another one up here.


    /shameless plug Search under my user name and you will find other tutorials as well. /end shameless plug

  9. #9 __CG__

    what IDS set up were you running to determine that "we probably did not set off any alarms"

  10. #10 Archangel-Amael (Super Moderator)

    Quote Originally Posted by __CG__ View Post
    what IDS set up were you running to determine that "we probably did not set off any alarms"
    What I used is irrelevant in this case. The reason is that I did a "null scan"
    and the timing was set to paranoid. Now I did not show that in the tutorial because I wanted to keep it simple. Maybe at a later date I can do another one or whatever. It is not the IDS or lack thereof that was important, but rather that doing a null scan sends out very little noise on the wire. This is important if you feel that your target may have the capabilities to detect said noise.

    So your next question is how do I evade or avoid setting off alarms?

    Well during your information gathering phases one needs to try and determine if the target would have the money/resources/manpower to setup and monitor some sort of IDS in the first place. If the answer is no then no need to worry.

    Hope that clears some things up. If not feel free to ask away.
