Open Source Tools: Part Two (More nmap options)

nmap optionsIn the previous article, we began our look at open source tools, beginning with nmap. In this article, we continue our look at some nmap options.

nmap Options: Stealth Scanning

For any scanning you perform, it is not a good idea to use a connect scan (-sT), which fully establishes a connection to a port. Excessive port connections can cause a DoS to older machines, and will definitely raise alarms on any IDS system. Therefore, you should use a stealthy port testing method with nmap, such as a SYN scan. To launch a SYN scan from nmap, you use the -sS flag, which produces a listing of the open ports on the target, and possibly open/filtered ports if the target is behind a firewall. The ports returned as open are listed with what service that port corresponds to, based on IANA port registrations, as well as any commonly used ports.


In addition to lowering your profile with half-open scans, an nmap option you may also consider is the FTP or “bounce” scan and idle scan options that can mask your IP from the target. The FTP scan (which was discussed in a previous article) takes advantage of a feature of some FTP servers, which allow anonymous users to proxy connections to other systems. If you find during your enumeration that an anonymous FTP server exists or one to which you have login credentials, try using the -b option with user:pass@server:ftpport. If the server does not require authentication, you can skip the username and password, and unless FTP is running on a nonstandard port, you can leave out the FTP port option as well. The idle scan, using -sI zombiehost:port, has a similar result, but a different method of scanning. If you can identify a target with low traffic and predictable IPID values, you can send spoofed packets to your target, with the source set to the idle target. The result is that an IDS sees the idle scan target as the system performing the scanning, keeping your system hidden. If the idle target is a trusted IP address and can bypass host-based access control lists (ACLs), then you’ll get even better results. Do not expect to be able to use a bounce or idle scan on every penetration test, but keep looking around for potential targets. Older systems, which do not offer useful services, may be the best targets for some of these scan options.

nmap Options: Fingerprinting

You should be able to create a general idea of the remote target’s operating system from the services running and the ports open. For example, ports 135, 137, 139 or 445 often indicate a Windows-based target. [135 is used by the End Point Manager (EPMAP) to remotely manage services (and is also used by DCOM); 137 and 139 are used by NetBIOS; 445 is used by Active Directory.] However, if you want to get more specific, you can use nmap’s -O flag, which invokes nmap’s fingerprinting mode. Care needs to be taken here as well, as some older operating systems such as AIX prior to 4.1 and older SunOS versions have been known to die when presented with a malformed packet. Keep this in mind before using -O across a Class B subnet. Note also that the fingerprint option without any scan types will invoke a SYN scan, the equivalent of -sS.


In the next article, we will look at some more nmap options.

External Links:

nmap.org – the nmap site

© 2013 David Zientara. All rights reserved. Privacy Policy