Nmap from Scratch | Part-1 | SYN Scan v/s TCP Connect Scan
Welcome folks, so before we start with the different types of scans, let's get our basics clear.
So, a very simple definition of Nmap:
"Nmap is an open-source vulnerability scanner which is used to detect port states and the services running on those ports." But Nmap has much more than just scanning abilities: we can use Nmap to brute force and exploit target machines.
Nmap also comes with NSE, the Nmap Scripting Engine, with tons of different scripts to attack with; NSE scripts are written in Lua. Nmap scans 1000 ports by default.
Now let's do a very simple scan as a normal (non-root) user:
This scan might take a little while.
From the scan output we can see that port 80 is open and a service called HTTP is running on it (typically a browser). This is how Nmap presents the information: three simple columns, PORT (the port number and protocol, TCP/UDP), STATE (the state of the port) and finally SERVICE (the service the port is running).
Now let's understand the different STATE values that Nmap returns in different scenarios.
OPEN: Nmap reports this state when the port is accessible and a service is running on it; basically, the port is accepting TCP/UDP connections.
CLOSED: Nmap reports this state when the port is accessible but there is no service running on it.
FILTERED: Nmap reports this state when it couldn't identify whether the port is open or closed, typically because of firewalls, IDS, etc.
UNFILTERED: Nmap reports this state when the port is accessible but Nmap couldn't identify whether the port is closed or open.
OPEN/FILTERED: when Nmap cannot decide whether the port is open or filtered.
CLOSED/FILTERED: when Nmap cannot decide whether the port is closed or filtered.
Now, since we are done with the various states, let's understand what kind of scan Nmap does when a normal user runs it and when a sudo (root) user runs it.
When we run Nmap as a non-root user it performs a TCP CONNECT scan, but when we run Nmap as root it performs a SYN scan.
SYN Scan ( -sS )
When we run Nmap as root, it performs a SYN scan by default, also known as a raw stealth scan, as Nmap sends raw packets to the target machine. In this scan Nmap doesn't complete the connection; a typical representation would be something like:
As we can see, the attacker machine (in red) sends a TCP SYN packet to the target (in green), and as soon as the target replies, the attacker machine sends a RST flag, thereby aborting the connection.
This scan is faster and more stealthy compared to the TCP Connect scan.
TCP CONNECT Scan
When we run Nmap as a non-root user, it performs a complete TCP connection; as a result, the scan is slower and noisier than the SYN scan. A TCP Connect scan looks something like:
So the attacker machine sends the SYN packet, the target replies with SYN/ACK (basically a kind of acknowledgement), and the attacker machine sends another packet with the ACK flag. After this some data is received from the target, which can be a service banner. Once the data is received, the connection is closed using the RST flag.
Because it establishes complete connections, the TCP Connect scan is slow and leaves many traces for the target to identify the attacker, whereas the SYN scan is better than the TCP Connect scan, as it's faster and more stealthy.
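To make the two exchanges concrete from the defender's side, here is an added example (my code, not from the original post or the Nmap project) that classifies constructed per-port TCP flows: it infers the state Nmap would report from the target's first reply, and tells a half-open SYN probe from a full connect by whether the scanner ever completed the handshake. The flow format, a list of (sender, flags) pairs, is an assumption of the example.

```python
# Added example, not part of the original post. Each flow is a constructed
# list of (sender, flags) pairs: sender is "attacker" or "target", flags is a
# "/"-joined string such as "SYN/ACK", as a reader of a packet capture sees it.

def _flags(s):
    return set(s.split("/"))

def port_state(flow):
    """State Nmap would report, inferred from the target's first reply to the SYN."""
    replies = [_flags(f) for who, f in flow if who == "target"]
    if not replies:
        return "filtered"            # probe silently dropped (firewall, IDS, ...)
    first = replies[0]
    if {"SYN", "ACK"} <= first:
        return "open"                # SYN/ACK: something is listening
    if "RST" in first:
        return "closed"              # RST: host reachable, nothing listening
    return "unknown"

def scan_type(flow):
    """Half-open SYN probe vs full connect: did the attacker complete the handshake?"""
    sent = [_flags(f) for who, f in flow if who == "attacker"]
    if not sent or "SYN" not in sent[0]:
        return "not a probe"
    if any("ACK" in f and "SYN" not in f for f in sent[1:]):
        return "connect"             # third-step ACK sent: the service sees a real connection
    if any("RST" in f for f in sent[1:]):
        return "syn"                 # SYN/ACK answered with RST: torn down before handshake completes
    return "incomplete"              # closed/filtered ports look the same under both scans

def reaches_application(flow):
    """Only a completed handshake hands the connection to the listening service,
    so only connect-scan probes can appear in that service's own logs."""
    return scan_type(flow) == "connect" and port_state(flow) == "open"

# Constructed flows mirroring the two diagrams in the post.
SYN_SCAN_OPEN = [("attacker", "SYN"), ("target", "SYN/ACK"), ("attacker", "RST")]
CONNECT_OPEN = [("attacker", "SYN"), ("target", "SYN/ACK"), ("attacker", "ACK"),
                ("target", "PSH/ACK"), ("attacker", "RST")]   # PSH/ACK carries the banner
SYN_SCAN_CLOSED = [("attacker", "SYN"), ("target", "RST/ACK")]
SYN_SCAN_FILTERED = [("attacker", "SYN")]                      # no reply at all

if __name__ == "__main__":
    for name, flow in [("SYN_SCAN_OPEN", SYN_SCAN_OPEN), ("CONNECT_OPEN", CONNECT_OPEN),
                       ("SYN_SCAN_CLOSED", SYN_SCAN_CLOSED), ("SYN_SCAN_FILTERED", SYN_SCAN_FILTERED)]:
        print(f"{name:18} state={port_state(flow):9} scan={scan_type(flow):11} "
              f"in_app_log={reaches_application(flow)}")
```

The closed and filtered cases come out as "incomplete" on purpose: without a SYN/ACK there is no third packet, so a capture alone cannot tell which of the two scans probed a non-open port.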
That's it for now; you can read my other blogs about some very interesting vulnerabilities here.