PhiloCyber | Cybersecurity Together

Introduction

Welcome to the fourth episode of our comprehensive Nmap course! Building on the port scanning fundamentals we covered in Episode 3, this module will dive deeper into advanced scan types and protocol selection strategies. You'll learn how to choose and combine sophisticated scanning techniques to overcome various network challenges and defensive measures.

Advanced scanning is about selecting the right tool for the right job. Just as a locksmith uses different picks for different locks, a skilled network analyst must know which scan type will yield the most accurate results in each unique environment.

In this episode, we'll explore specialized scan types that go beyond the basics, learn how to combine multiple techniques for comprehensive results, and develop strategies for scanning in challenging environments like those protected by firewalls, IDS/IPS systems, and other security measures.

Building on Port Scanning Fundamentals

Before diving into advanced techniques, let's briefly recap what we learned in Episode 3 and understand how the advanced scan types we'll cover in this episode build upon those foundations.

Quick Recap from Episode 3

In the previous episode, we covered:

TCP/IP protocol fundamentals and how they relate to port scanning
The six port states in Nmap (open, closed, filtered, etc.)
Basic TCP scanning techniques (SYN, Connect, NULL/FIN/Xmas)
Basic UDP scanning and its challenges

Now we'll build on this knowledge to explore more sophisticated scanning approaches.

Moving Beyond Basic Scans

Advanced scanning techniques are necessary when:

Basic scans are being blocked by firewalls or IDS/IPS systems
You need to gather more detailed information about services
Standard scanning methods produce ambiguous results
You're working with non-standard network configurations
Stealth is a priority to avoid detection

The techniques we'll cover in this episode are designed to address these challenges.

Advanced TCP Scan Types

Beyond the basic SYN, Connect, and NULL/FIN/Xmas scans we covered in Episode 3, Nmap offers several specialized TCP scanning techniques for specific scenarios:

TCP ACK Scan (`-sA`)

The ACK scan is primarily used to map firewall rulesets and determine whether they are stateful or stateless:

sudo nmap -sA 192.168.1.1

How it works:

Nmap sends an ACK packet (not part of an established connection)
If unfiltered, the target responds with RST (regardless of whether port is open or closed)
If filtered, no response is received or an ICMP error is returned

Show Packet Trace Example

sudo nmap 10.129.2.28 -p 80 -sA --packet-traceSENT (...) TCP ... > ...:80 A ... RCVD (...) TCP ...:80 > ... RA ...

Advantages:

Excellent for firewall rule mapping
Can bypass simple packet filters
Often less logged than other scan types

Limitations:

Cannot determine if ports are open or closed
Only identifies filtered vs. unfiltered states
Ineffective against stateful firewalls

TCP Window Scan (`-sW`)

The Window scan is a variation of the ACK scan that examines the TCP window field of the RST packets returned:

sudo nmap -sW 192.168.1.1

How it works:

Like the ACK scan, it sends ACK packets to target ports
Analyzes the TCP window size in the RST responses
Some systems use a positive window size for open ports and zero window size for closed ports
This behavior is implementation-specific and not reliable on all systems

Real-World Application

Window scans are particularly useful when:

ACK scans show unfiltered ports but you need to determine if they're open
You're scanning systems known to implement window size differentiation
You need to verify results from other scan types

TCP Maimon Scan (`-sM`)

Named after its discoverer, Uriel Maimon, this scan uses an unusual FIN/ACK probe:

sudo nmap -sM 192.168.1.1

How it works:

Sends a FIN+ACK packet to the target port
According to RFC 793, RST should be generated regardless of port state
Some BSD-derived systems drop the packet for open ports
Like NULL/FIN/Xmas scans, absence of RST suggests open|filtered state

This scan type is rarely used today as most modern systems respond with RST regardless of port state, but it's included for historical completeness and specialized scenarios.

Advanced UDP Scanning Techniques

UDP scanning is inherently more challenging than TCP scanning due to its connectionless nature. Let's explore advanced techniques to improve UDP scan accuracy and efficiency:

UDP Scan with Service Probes

Combining UDP scanning with service detection significantly improves accuracy:

sudo nmap -sU -sV 192.168.1.1

How it works:

Nmap sends UDP packets with protocol-specific payloads
For example, a DNS query to port 53 or SNMP query to port 161
Valid responses confirm the port is open and identify the service
This approach is much more reliable than empty UDP packets

Common UDP Services and Their Ports

53: DNS
67/68: DHCP
69: TFTP
123: NTP

161: SNMP
500: IKE (VPN)
514: Syslog
1900: UPnP

UDP Scan Performance Optimization

UDP scans can be extremely slow. Here are techniques to improve performance:

# Scan only the most common UDP ports sudo nmap -sU --top-ports 100 192.168.1.1 # Increase timing template and disable DNS resolution sudo nmap -sU -T4 -n --top-ports 20 192.168.1.1 # Scan specific UDP services sudo nmap -sU -p 53,123,161 192.168.1.1

Key optimization strategies:

Limit the number of ports scanned (--top-ports, -p)
Increase the timing template (-T4 or -T5)
Disable DNS resolution (-n)
Increase the number of probes sent in parallel (--min-rate)
Focus on ports likely to be open in your target environment

Remember that aggressive timing settings may lead to missed ports due to rate limiting or packet loss.

Specialized Scan Types

Nmap includes several specialized scan types designed for specific scenarios and advanced reconnaissance:

IP Protocol Scan (`-sO`)

This scan determines which IP protocols (TCP, UDP, ICMP, etc.) are supported by the target:

sudo nmap -sO 192.168.1.1

How it works:

Sends IP packets with different protocol numbers in the IP header
If protocol is unsupported, target may respond with ICMP protocol unreachable
No response or other ICMP errors suggest the protocol might be supported

Show Example Output

Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Not shown: 249 closed protocols
PROTOCOL STATE         SERVICE
1       open           icmp
2       open|filtered  igmp
6       open           tcp
17      open           udp
47      open|filtered  gre
50      open|filtered  esp
51      open|filtered  ah
103     open|filtered  pim
108     open|filtered  ipcomp
132     open|filtered  sctp

This scan is useful for discovering non-standard protocols and potential covert channels.

FTP Bounce Scan (`-b`)

This technique uses an FTP server as a proxy to scan other hosts:

sudo nmap -b username:password@ftp.philocyber.com 192.168.1.1

How it works:

Exploits the FTP protocol's PORT command to scan third-party systems
Nmap connects to an FTP server and requests it to send files to ports on the target
Based on the FTP server's response, Nmap determines if ports are open

Historical Note

This scan type is mostly of historical interest as most modern FTP servers have disabled this functionality due to its security implications. However, it's still included in Nmap and occasionally useful when encountering legacy systems.

Idle (Zombie) Scan (`-sI`)

The idle scan is one of Nmap's most sophisticated techniques, allowing completely blind scanning:

sudo nmap -sI zombie_host:port target_host

How it works:

Uses a third-party "zombie" host to indirectly scan the target
Exploits predictable IP ID sequence numbers in the zombie host
Nmap probes the zombie to get its current IP ID
Sends spoofed SYN packets to target, appearing to come from the zombie
If port is open, target sends SYN-ACK to zombie, zombie sends RST, incrementing its IP ID
Nmap probes zombie again to see if IP ID increased

Advanced Stealth Technique

The idle scan is the only completely blind scan in Nmap - your IP address never appears in the target's logs. However, it requires finding a suitable zombie host with predictable IP ID sequences and low traffic. Modern systems with randomized IP IDs have made this technique less reliable.

Combining Scan Types

One of Nmap's most powerful features is the ability to combine multiple scan techniques in a single command. This allows you to overcome limitations of individual scan types and build a more complete picture of the target.

Comprehensive Scan Combinations

Here are some powerful scan combinations for different scenarios:

Comprehensive Host Discovery and Port Scan:

sudo nmap -sS -sU -T4 -A -v 192.168.1.0/24

Combines SYN and UDP scanning with OS detection, version detection, script scanning, and traceroute.

Firewall Evasion Scan:

sudo nmap -sS -sV -T2 -f --data-length 200 --randomize-hosts 192.168.1.1

Uses fragmented packets, random data length, slower timing, and host randomization to evade detection.

Quick Network Sweep with Service Detection:

sudo nmap -sV -F -T4 --version-intensity 2 192.168.1.0/24

Fast scan of common ports with lightweight version detection for quick network mapping.

Strategy for Combining Scans

Start with a quick scan to identify active hosts and open ports
Follow up with more targeted scans on interesting hosts
Use specialized scans to investigate anomalies or ambiguous results
Balance thoroughness with time constraints and stealth requirements

Real-World Applications

The advanced scanning techniques covered in this episode have numerous practical applications:

Advanced Security Assessments

Security professionals use specialized scan types to bypass sophisticated defenses and identify vulnerabilities that basic scans might miss. ACK scans help map firewall rules, while idle scans provide stealth.

Firewall Rule Validation

Network administrators use ACK and Window scans to verify firewall configurations, ensuring that filtering rules are working as expected and identifying potential misconfigurations.

Red Team Operations

Red teams combine multiple scan types to create comprehensive target profiles while evading detection. Techniques like idle scanning and protocol-specific probes help maintain stealth during engagements.

Compliance Verification

Organizations use comprehensive scanning strategies to verify compliance with security standards like PCI DSS, which require regular scanning for unauthorized services and potential vulnerabilities.

Key Takeaways

Advanced TCP scans like ACK (-sA) and Window (-sW) are valuable for mapping firewall rules and identifying stateful inspection.
Specialized scans like IP Protocol (-sO) and Idle Scan (-sI) provide unique insights into network configurations and enable stealthy reconnaissance.
UDP scanning can be optimized through targeted port selection, service-specific probes, and appropriate timing settings.
Combining multiple scan types provides more comprehensive and accurate results than relying on a single technique.
Port selection strategies should balance thoroughness with efficiency based on the specific assessment goals.
Timing and performance settings must be carefully calibrated to the target environment to avoid missed ports or detection.
Different scanning scenarios (internal networks, internet-facing systems, high-security environments) require different approaches and technique combinations.

Next Steps

In the next episode, we will explore service and version detection:

How Nmap identifies specific service versions running on open ports.
Using the -sV option and understanding version intensity levels.
Interpreting service fingerprinting results and confidence levels.
Techniques for identifying services running on non-standard ports.
Balancing version detection thoroughness with scan speed and stealth.

Additional Resources

Nmap Book: Advanced Port Scanning Techniques

Nmap Book: Idle Scan

Nmap Book: Performance and Optimization

Nmap Book: Firewall/IDS Evasion

Video Demonstration

Watch the video demonstration to see these advanced scanning techniques in action.

Knowledge Check Quiz

Knowledge Check

1. What is the primary purpose of a TCP ACK scan (-sA) in Nmap?

2. Which of the following scan types allows you to scan a target without revealing your IP address in the target's logs?

3. When optimizing UDP scanning performance, which approach would be LEAST effective?

4. What is the IP Protocol scan (-sO) used for?

5. Which of the following scan combinations would be most appropriate for a comprehensive yet stealthy scan of a high-security environment?

Introduction

Building on Port Scanning Fundamentals

Before diving into advanced techniques, let's briefly recap what we learned in Episode 3 and understand how the advanced scan types we'll cover in this episode build upon those foundations.

Quick Recap from Episode 3

In the previous episode, we covered:

TCP/IP protocol fundamentals and how they relate to port scanning
The six port states in Nmap (open, closed, filtered, etc.)
Basic TCP scanning techniques (SYN, Connect, NULL/FIN/Xmas)
Basic UDP scanning and its challenges

Now we'll build on this knowledge to explore more sophisticated scanning approaches.

Moving Beyond Basic Scans

Advanced scanning techniques are necessary when:

Basic scans are being blocked by firewalls or IDS/IPS systems
You need to gather more detailed information about services
Standard scanning methods produce ambiguous results
You're working with non-standard network configurations
Stealth is a priority to avoid detection

The techniques we'll cover in this episode are designed to address these challenges.

Advanced TCP Scan Types

Beyond the basic SYN, Connect, and NULL/FIN/Xmas scans we covered in Episode 3, Nmap offers several specialized TCP scanning techniques for specific scenarios:

TCP ACK Scan (`-sA`)

The ACK scan is primarily used to map firewall rulesets and determine whether they are stateful or stateless:

sudo nmap -sA 192.168.1.1

How it works:

Nmap sends an ACK packet (not part of an established connection)
If unfiltered, the target responds with RST (regardless of whether port is open or closed)
If filtered, no response is received or an ICMP error is returned

Show Packet Trace Example

sudo nmap 10.129.2.28 -p 80 -sA --packet-traceSENT (...) TCP ... > ...:80 A ... RCVD (...) TCP ...:80 > ... RA ...

Advantages:

Excellent for firewall rule mapping
Can bypass simple packet filters
Often less logged than other scan types

Limitations:

Cannot determine if ports are open or closed
Only identifies filtered vs. unfiltered states
Ineffective against stateful firewalls

TCP Window Scan (`-sW`)

The Window scan is a variation of the ACK scan that examines the TCP window field of the RST packets returned:

sudo nmap -sW 192.168.1.1

How it works:

Like the ACK scan, it sends ACK packets to target ports
Analyzes the TCP window size in the RST responses
Some systems use a positive window size for open ports and zero window size for closed ports
This behavior is implementation-specific and not reliable on all systems

Real-World Application

Window scans are particularly useful when:

ACK scans show unfiltered ports but you need to determine if they're open
You're scanning systems known to implement window size differentiation
You need to verify results from other scan types

TCP Maimon Scan (`-sM`)

Named after its discoverer, Uriel Maimon, this scan uses an unusual FIN/ACK probe:

sudo nmap -sM 192.168.1.1

How it works:

Sends a FIN+ACK packet to the target port
According to RFC 793, RST should be generated regardless of port state
Some BSD-derived systems drop the packet for open ports
Like NULL/FIN/Xmas scans, absence of RST suggests open|filtered state

This scan type is rarely used today as most modern systems respond with RST regardless of port state, but it's included for historical completeness and specialized scenarios.

Advanced UDP Scanning Techniques

UDP scanning is inherently more challenging than TCP scanning due to its connectionless nature. Let's explore advanced techniques to improve UDP scan accuracy and efficiency:

UDP Scan with Service Probes

Combining UDP scanning with service detection significantly improves accuracy:

sudo nmap -sU -sV 192.168.1.1

How it works:

Nmap sends UDP packets with protocol-specific payloads
For example, a DNS query to port 53 or SNMP query to port 161
Valid responses confirm the port is open and identify the service
This approach is much more reliable than empty UDP packets

Common UDP Services and Their Ports

53: DNS
67/68: DHCP
69: TFTP
123: NTP

161: SNMP
500: IKE (VPN)
514: Syslog
1900: UPnP

UDP Scan Performance Optimization

UDP scans can be extremely slow. Here are techniques to improve performance:

# Scan only the most common UDP ports sudo nmap -sU --top-ports 100 192.168.1.1 # Increase timing template and disable DNS resolution sudo nmap -sU -T4 -n --top-ports 20 192.168.1.1 # Scan specific UDP services sudo nmap -sU -p 53,123,161 192.168.1.1

Key optimization strategies:

Limit the number of ports scanned (--top-ports, -p)
Increase the timing template (-T4 or -T5)
Disable DNS resolution (-n)
Increase the number of probes sent in parallel (--min-rate)
Focus on ports likely to be open in your target environment

Remember that aggressive timing settings may lead to missed ports due to rate limiting or packet loss.

Specialized Scan Types

Nmap includes several specialized scan types designed for specific scenarios and advanced reconnaissance:

IP Protocol Scan (`-sO`)

This scan determines which IP protocols (TCP, UDP, ICMP, etc.) are supported by the target:

sudo nmap -sO 192.168.1.1

How it works:

Sends IP packets with different protocol numbers in the IP header
If protocol is unsupported, target may respond with ICMP protocol unreachable
No response or other ICMP errors suggest the protocol might be supported

Show Example Output

Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Not shown: 249 closed protocols
PROTOCOL STATE         SERVICE
1       open           icmp
2       open|filtered  igmp
6       open           tcp
17      open           udp
47      open|filtered  gre
50      open|filtered  esp
51      open|filtered  ah
103     open|filtered  pim
108     open|filtered  ipcomp
132     open|filtered  sctp

This scan is useful for discovering non-standard protocols and potential covert channels.

FTP Bounce Scan (`-b`)

This technique uses an FTP server as a proxy to scan other hosts:

sudo nmap -b username:password@ftp.philocyber.com 192.168.1.1

How it works:

Exploits the FTP protocol's PORT command to scan third-party systems
Nmap connects to an FTP server and requests it to send files to ports on the target
Based on the FTP server's response, Nmap determines if ports are open

Historical Note

Idle (Zombie) Scan (`-sI`)

The idle scan is one of Nmap's most sophisticated techniques, allowing completely blind scanning:

sudo nmap -sI zombie_host:port target_host

How it works:

Uses a third-party "zombie" host to indirectly scan the target
Exploits predictable IP ID sequence numbers in the zombie host
Nmap probes the zombie to get its current IP ID
Sends spoofed SYN packets to target, appearing to come from the zombie
If port is open, target sends SYN-ACK to zombie, zombie sends RST, incrementing its IP ID
Nmap probes zombie again to see if IP ID increased

Advanced Stealth Technique

Combining Scan Types

Comprehensive Scan Combinations

Here are some powerful scan combinations for different scenarios:

Comprehensive Host Discovery and Port Scan:

sudo nmap -sS -sU -T4 -A -v 192.168.1.0/24

Combines SYN and UDP scanning with OS detection, version detection, script scanning, and traceroute.

Firewall Evasion Scan:

sudo nmap -sS -sV -T2 -f --data-length 200 --randomize-hosts 192.168.1.1

Uses fragmented packets, random data length, slower timing, and host randomization to evade detection.

Quick Network Sweep with Service Detection:

sudo nmap -sV -F -T4 --version-intensity 2 192.168.1.0/24

Fast scan of common ports with lightweight version detection for quick network mapping.

Strategy for Combining Scans

Start with a quick scan to identify active hosts and open ports
Follow up with more targeted scans on interesting hosts
Use specialized scans to investigate anomalies or ambiguous results
Balance thoroughness with time constraints and stealth requirements

Real-World Applications

The advanced scanning techniques covered in this episode have numerous practical applications:

Advanced Security Assessments

Firewall Rule Validation

Network administrators use ACK and Window scans to verify firewall configurations, ensuring that filtering rules are working as expected and identifying potential misconfigurations.

Red Team Operations

Compliance Verification

Organizations use comprehensive scanning strategies to verify compliance with security standards like PCI DSS, which require regular scanning for unauthorized services and potential vulnerabilities.

Key Takeaways

Advanced TCP scans like ACK (-sA) and Window (-sW) are valuable for mapping firewall rules and identifying stateful inspection.
Specialized scans like IP Protocol (-sO) and Idle Scan (-sI) provide unique insights into network configurations and enable stealthy reconnaissance.
UDP scanning can be optimized through targeted port selection, service-specific probes, and appropriate timing settings.
Combining multiple scan types provides more comprehensive and accurate results than relying on a single technique.
Port selection strategies should balance thoroughness with efficiency based on the specific assessment goals.
Timing and performance settings must be carefully calibrated to the target environment to avoid missed ports or detection.
Different scanning scenarios (internal networks, internet-facing systems, high-security environments) require different approaches and technique combinations.

Next Steps

In the next episode, we will explore service and version detection:

How Nmap identifies specific service versions running on open ports.
Using the -sV option and understanding version intensity levels.
Interpreting service fingerprinting results and confidence levels.
Techniques for identifying services running on non-standard ports.
Balancing version detection thoroughness with scan speed and stealth.

Additional Resources

Nmap Book: Advanced Port Scanning Techniques

Nmap Book: Idle Scan

Nmap Book: Performance and Optimization

Nmap Book: Firewall/IDS Evasion

Video Demonstration

Watch the video demonstration to see these advanced scanning techniques in action.

Knowledge Check Quiz

Knowledge Check

1. What is the primary purpose of a TCP ACK scan (-sA) in Nmap?

2. Which of the following scan types allows you to scan a target without revealing your IP address in the target's logs?

3. When optimizing UDP scanning performance, which approach would be LEAST effective?

4. What is the IP Protocol scan (-sO) used for?

5. Which of the following scan combinations would be most appropriate for a comprehensive yet stealthy scan of a high-security environment?

Episode 4: Advanced Scan Types and Protocol Selection

Introduction

Building on Port Scanning Fundamentals

Quick Recap from Episode 3

Moving Beyond Basic Scans

Advanced TCP Scan Types

TCP ACK Scan (-sA)

TCP Window Scan (-sW)

Real-World Application

TCP Maimon Scan (-sM)

Advanced UDP Scanning Techniques

UDP Scan with Service Probes

Common UDP Services and Their Ports

UDP Scan Performance Optimization

Specialized Scan Types

IP Protocol Scan (-sO)

FTP Bounce Scan (-b)

Historical Note

Idle (Zombie) Scan (-sI)

Advanced Stealth Technique

Combining Scan Types

Comprehensive Scan Combinations

Strategy for Combining Scans

Real-World Applications

Advanced Security Assessments

Firewall Rule Validation

Red Team Operations

Compliance Verification

Key Takeaways

Next Steps

Additional Resources

Nmap Book: Advanced Port Scanning Techniques

Nmap Book: Idle Scan

Nmap Book: Performance and Optimization

Nmap Book: Firewall/IDS Evasion

Video Demonstration

Knowledge Check Quiz

Knowledge Check

Loading courses...

Episode 4: Advanced Scan Types and Protocol Selection

Introduction

Building on Port Scanning Fundamentals

Quick Recap from Episode 3

Moving Beyond Basic Scans

Advanced TCP Scan Types

TCP ACK Scan (-sA)

TCP Window Scan (-sW)

Real-World Application

TCP Maimon Scan (-sM)

Advanced UDP Scanning Techniques

UDP Scan with Service Probes

Common UDP Services and Their Ports

UDP Scan Performance Optimization

Specialized Scan Types

IP Protocol Scan (-sO)

FTP Bounce Scan (-b)

Historical Note

Idle (Zombie) Scan (-sI)

Advanced Stealth Technique

Combining Scan Types

Comprehensive Scan Combinations

Strategy for Combining Scans

Real-World Applications

Advanced Security Assessments

Firewall Rule Validation

Red Team Operations

Compliance Verification

Key Takeaways

Next Steps

Additional Resources

Nmap Book: Advanced Port Scanning Techniques

Nmap Book: Idle Scan

Nmap Book: Performance and Optimization

Nmap Book: Firewall/IDS Evasion

Video Demonstration

Knowledge Check Quiz

Knowledge Check

TCP ACK Scan (`-sA`)

TCP Window Scan (`-sW`)

TCP Maimon Scan (`-sM`)

IP Protocol Scan (`-sO`)

FTP Bounce Scan (`-b`)

Idle (Zombie) Scan (`-sI`)

TCP ACK Scan (`-sA`)

TCP Window Scan (`-sW`)

TCP Maimon Scan (`-sM`)

IP Protocol Scan (`-sO`)

FTP Bounce Scan (`-b`)

Idle (Zombie) Scan (`-sI`)