Sunday, January 1, 2012

Nmap Main Scan types -sA, -sL, -P0


ACK scanning (-sA)

ACK scanning is an advanced Nmap method, usually used to map out firewall rulesets. It helps determine whether a firewall is stateful or not. ACK scanning sends an ACK packet to the specified ports. If an RST comes back, the port is classified as ‘unfiltered’. If nothing comes back, the port is classified as ‘filtered’. An ACK scan never reports a port as ‘open’; it only distinguishes filtered from unfiltered.
Below is the example from our laboratory.

#nmap -sA -v 10.50.1.254
Starting Nmap V. 2.54BETA30
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) appears to be up ... good.
Initiating ACK Scan against vpn1-gw.lab.tct.hut.fi (10.50.1.254)
The ACK Scan took 1 second to scan 1549 ports.
All 1549 scanned ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254) are: UNfiltered

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
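Seen from the firewall side, the probes described above are bare ACK segments arriving for connections that never started with a SYN. As an added example (not part of the original post), this Python snippet scans constructed, simplified iptables-style log lines and reports sources that send such orphan ACKs to several ports; the log format and hosts are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real captures). The first two lines are a
# normal handshake; the rest are bare ACKs from a host that never sent a SYN.
SAMPLE_LOG = """\
SRC=10.50.1.7 DST=10.50.1.254 PROTO=TCP SPT=40001 DPT=22 FLAGS=SYN
SRC=10.50.1.7 DST=10.50.1.254 PROTO=TCP SPT=40001 DPT=22 FLAGS=ACK
SRC=10.50.1.9 DST=10.50.1.254 PROTO=TCP SPT=53111 DPT=23 FLAGS=ACK
SRC=10.50.1.9 DST=10.50.1.254 PROTO=TCP SPT=53111 DPT=80 FLAGS=ACK
SRC=10.50.1.9 DST=10.50.1.254 PROTO=TCP SPT=53111 DPT=139 FLAGS=ACK
SRC=10.50.1.9 DST=10.50.1.254 PROTO=TCP SPT=53111 DPT=515 FLAGS=ACK
SRC=10.50.1.9 DST=10.50.1.254 PROTO=TCP SPT=53111 DPT=1723 FLAGS=ACK
"""

# Assumed field layout of the constructed log format above.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+) FLAGS=(\S+)")


def find_ack_scanners(log_text, min_ports=3):
    """Return {src: sorted destination ports} for sources that sent ACK-only
    segments to at least min_ports ports without a preceding SYN on the same
    4-tuple. A stateful firewall tracks exactly this and drops the orphan ACKs,
    which is why an ACK scan reports its ports as 'filtered' there."""
    syn_seen = set()                 # 4-tuples that opened with a SYN
    orphan_acks = defaultdict(set)   # src -> ports probed with bare ACKs
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, spt, dpt, flags = m.groups()
        flagset = set(flags.split(","))
        key = (src, spt, dst, dpt)
        if "SYN" in flagset:
            syn_seen.add(key)
        elif flagset == {"ACK"} and key not in syn_seen:
            orphan_acks[src].add(int(dpt))
    return {src: sorted(ports) for src, ports in orphan_acks.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_ack_scanners(SAMPLE_LOG).items():
        print(f"possible ACK scan from {src}: ports {ports}")
```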

List scanning (-sL)

List scanning generates and prints a list of IPs/names without actually pinging or port scanning them. The output is shown below.

#nmap -sL -v 10.50.1.254
Starting Nmap V. 2.54BETA30
Host vpn1-gw.lab.tct.hut.fi (10.50.1.254) not scanned

Nmap run completed -- 1 IP address (0 hosts up) scanned in 0 seconds

P0 option (-P0)

An option that is useful with scans is "-P0", also called ‘Don’t ping host’. It does not try to ping hosts at all before scanning them. This option allows the scanning of networks that don’t allow ICMP echo requests (for example, Microsoft.com) through their firewalls. Since Nmap will ping a target with both a TCP "ping" and an ICMP echo before attempting a port scan, sites blocking ICMP and TCP probes will not be scanned by default.

#nmap -P0 -v 10.50.1.254

Starting Nmap V. 2.54BETA30
Interesting ports on vpn1-gw.lab.tct.hut.fi (10.50.1.254):
(The 1543 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
24/tcp     open        priv-mail
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
1723/tcp   open        pptp

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
