UNIT 3 ENUMERATION AND PORT SCANNING

Host Discovery - Scanning for Open Ports and Services - Types of Port Scanning - TCP Three-way handshake - TCP Flags - Port Status Types - TCP SYN Scan - TCP Connect Scan - NULL, FIN and XMAS - TCP ACK Scan - Responses - UDP Port Scan - Scanning a vulnerable host - Performing an IDLE scan with NMAP - Service Version Detection - OS Fingerprinting.

Enumeration in Ethical Hacking


Enumeration is the extraction of a system's valid usernames, machine names, share names, directory names, and other information. It is a key component of ethical hacking and penetration testing, because it can provide attackers with a wealth of information that can be used to exploit vulnerabilities. It can also be defined as collecting detailed information about the target systems, such as operating system and network infrastructure details. Enumeration can be used in both an offensive and a defensive manner.
Enumeration is one of the most important steps in ethical hacking because it gives hackers the information they need to launch an attack. For example, hackers who want to crack passwords need to know the usernames of valid users on that system. Enumerating the target system can extract this information (CrashTestSecurity.com, 2022).
Enumeration can be used to gather any of the following information:
- Operating system details
- Network infrastructure details
- Usernames of valid users
- Machine names
- Share names
- Directory names
- Printer names
- Web server details

Techniques for Enumeration


When it comes to network security, enumeration is key. By enumerating a system, you gain a better understanding of that system and how it works. This knowledge can then be used to exploit vulnerabilities and gain access to sensitive data.
Several techniques can be used for enumeration, and the method you choose will depend on the type of system you are targeting. The most common methods include email IDs and usernames, default passwords, and DNS zone transfer.
- Using email IDs and usernames is an effective way to gather information about a system. This information can be used to brute-force passwords or gain access to sensitive data.
- Default passwords are another common method of enumeration. By trying default passwords, you can gain access to systems that have not been properly configured.
- DNS zone transfer is a technique that can be used to expose topological information. This information can be used to identify potential targets for attack.
Understanding the techniques available for enumeration helps you better protect your systems from attack.
Process of Enumeration
Enumeration is the process of identifying all hosts on a network. This can be done in several ways, but active and passive scanning are the most common methods. Active scanning involves sending out requests and analyzing the responses to determine which hosts are active on the network. Passive scanning involves listening to traffic and then analyzing it to identify hosts.
Both methods have advantages and disadvantages. Active scanning is more likely to identify all hosts on a network, but it is also more likely to cause disruptions because it generates a lot of traffic. Passive scanning is less likely to identify all hosts, but it is also less likely to cause disruptions because it does not generate any traffic.
The Types of Enumeration
There are many different types of enumeration. The most appropriate type will depend on the situation and the information required:
- NetBIOS Enumeration: NetBIOS is a protocol that allows devices on a network to share resources and communicate with each other. NetBIOS enumeration is the process of querying a device to identify what NetBIOS resources are available. This can be done using tools like nbtstat and net view.
- SNMP Enumeration: SNMP is a protocol that allows devices to be managed and monitored remotely. SNMP enumeration is the process of querying a device to identify what SNMP resources are available. This can be done using tools like SNMP-check and snmpwalk.
- LDAP Enumeration: LDAP is a protocol that allows devices on a network to share information about users and resources. LDAP enumeration is the process of querying a device to identify what LDAP resources are available. This can be done using tools like ldapsearch and ldapenum.
- NTP Enumeration: NTP is a protocol that allows devices on a network to synchronize their clocks with each other. NTP enumeration is the process of querying a device to identify what NTP resources are available. This can be done using tools like Nmap and PRTG Network Monitor (CrashTestSecurity.com, 2022).

Services and Ports to Enumerate


When conducting a penetration test, or simply enumerating the services on a target machine, it is useful to know which ports are associated with which services. This can be accomplished using a port scanner such as Nmap to scan for open ports on the target machine. Once you have a list of open ports, you can use a port lookup tool to determine which service normally runs on each port. This information can be extremely helpful when trying to identify potential attack vectors.
The following are some of the most commonly used services and their associated ports (Kulkarni, 2018):
- FTP – 21
- SSH – 22
- HTTP – 80
- HTTPS – 443
- SMTP – 25
- POP3 – 110
- IMAP – 143
- SNMP – 161
As you can see, a variety of services can be found on these well-known ports. Knowing which service runs on which port is helpful when enumerating a target machine.
Host Discovery
Host discovery is the process of enumerating live hosts. The quality and completeness of this process has a direct impact on the success of further attacks against the target network.
Introduction
The standard approach to host discovery is based on the ICMP Echo message, which is often ignored or blocked by cautious administrators. A variety of active techniques were developed to solicit a response from networked machines, thus revealing their existence. In cases where stealth is necessary, this article will show you how to query third-party services to produce a list of live hosts without sending a single packet directly to the scanned systems.
Network Discovery
ICMP Ping
A classical way to discover hosts on a network is to send an ICMP Echo request (Type 8), which should prompt target hosts to respond with ICMP Echo reply messages. The communication looks something like this:
0.0.000000 192.168.1.100 -> 192.168.1.1 ICMP Echo (ping) request
0.0.002329 192.168.1.1 -> 192.168.1.100 ICMP Echo (ping) reply
It is common to use ICMP messages of other types, such as Timestamp request (Type 13) and Address Mask request (Type 18), to produce responses from hosts that filter the standard ICMP Echo request:
0.000000 192.168.1.100 -> 192.168.1.1 ICMP Timestamp request
0.000539 192.168.1.1 -> 192.168.1.100 ICMP Timestamp reply
Unfortunately, this method is not very reliable, since many hosts and firewalls simply drop all ICMP packets.

TCP SYN Ping


One way to learn about live hosts is to send the first part of the three-way handshake (a SYN packet) to a range of hosts and record any replies. Since a host's existence can be learned from either an open or a closed TCP port, the reliability of the scan can be increased by targeting a frequently open port, 80, and a frequently closed port, 0.
The example below illustrates a SYN Ping targeting 192.168.1.1 on port 53.
0.000000 192.168.1.100 -> 192.168.1.1 TCP 1243 > domain [SYN] Seq=0 Len=0
0.000461 192.168.1.1 -> 192.168.1.100 TCP domain > 1243 [RST, ACK] Seq=3538621942 Ack=1 Win=0 Len=0
Even when all ports are closed, it is still possible to discover a live host.
TCP ACK Ping
ACK Ping works almost like the above SYN Ping, with the exception that
it relies on an ACK packet instead. This method works by soliciting a RST
response from a live host for either open or closed ports by sending it
an ACK packet.
0.000000 192.168.1.100 -> 192.168.1.1 TCP 2903 > domain [ACK] Seq=0 Ack=0 Win=512 Len=0
0.000414 192.168.1.1 -> 192.168.1.100 TCP domain > 2903 [RST] Seq=0 Len=0
This method is effective for evading non-stateful firewalls.
TCP FIN, NULL, Xmas Ping
FIN, NULL and Xmas Pings work by generating a RST response from a closed port. Such pings must be sent to a known closed port, such as port 0, to produce a reply:
0.000000 192.168.1.100 -> 192.168.1.1 TCP 1624 > 0 [FIN] Seq=0 Len=0
0.000498 192.168.1.1 -> 192.168.1.100 TCP 0 > 1624 [RST, ACK] Seq=3959530871 Ack=1 Win=0 Len=0
UDP Ping
UDP Ping works by producing an ICMP port unreachable error when
attempting to communicate with a closed UDP port. Once again we will
be using port 0:
0.000000 192.168.1.100 -> 192.168.1.1 UDP Source port: 1285 Destination port: 0
0.000733 192.168.1.1 -> 192.168.1.100 ICMP Destination unreachable (Port unreachable)
This method is highly effective for evading firewalls that do not filter
UDP packets.
ARP Ping
ARP Ping is a preferred host discovery method on a local Ethernet LAN,
because it is faster and more reliable than approaches relying on
protocols higher up in the networking stack. It works by sending ARP
Probes to a range of IP addresses to discover live hosts.
221.788823 00:01:02:03:04:05 -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.100
221.789179 00:06:07:08:09:10 -> 00:01:02:03:04:05 ARP 192.168.1.1 is at 00:06:07:08:09:10
IP Protocol Ping
This method attempts to solicit a host reply by sending raw IP packets with varying protocol numbers in the IP header:
0.680436 192.168.1.102 -> 192.168.1.1 ICMP Echo (ping) request
0.681045 192.168.1.102 -> 192.168.1.1 IGMP V1 Membership Query
0.681305 192.168.1.102 -> 192.168.1.1 IP [Malformed Packet]
0.684463 192.168.1.1 -> 192.168.1.102 ICMP Echo (ping) reply

Scanning for Open Ports and Services


1. Once we have identified the live hosts on a network, we attempt to find the open ports and the services associated with them. Port scanning is the process of discovering open TCP and UDP ports on the target host or network.
2. Open ports reveal the services that are running on the network. We perform port scanning in order to look for potential entry points into the systems. One of the most challenging tasks in port scanning is evading firewalls and intrusion detection and prevention mechanisms.
3. Our goal is to make our scan less noisy. In this chapter, we will also discuss some stealth scanning techniques to make your scans less noisy. Many tools exist for scanning open ports, such as netcat, hping2, and Unicornscan, but nmap is our ultimate choice.
4. However, we will look at some GUI and command-line tools too. Our main focus will be on nmap, as it is one of the most comprehensive port scanning tools.
Types of Port Status:
- Open: The open status means that the given port is open and a service is actively listening on it.
- Filtered: The filtered status means that the port might be hidden behind a firewall and its status remains unknown.
- Closed: The closed state means that the given port is closed on the host machine.
Different Port Scanning Techniques in Nmap:
The following are the most extensively used scanning techniques in Nmap:
1. TCP Connect Scan (-sT): The TCP Connect scan uses the full three-way handshake to discover whether a given port is open, filtered, or closed according to the response it receives. Nmap sends a TCP SYN packet to each specified port and determines the status of the port from the response. RFC 793 says:
"If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means."
- What this means is that if Nmap sends a TCP packet with its SYN flag set to a closed port, it receives a TCP packet with the RST flag set from the target. This tells Nmap that the specified port is "closed".
- Otherwise, if the port is actually "open", Nmap receives a response with the SYN/ACK flags set in reply to its SYN packet.
- The third possibility is that the port is filtered: most firewalls are configured to simply drop incoming packets, so Nmap receives no response at all. This means that the given port is behind a firewall (i.e. "filtered").
2. TCP SYN Scan (-sS): SYN scans are often called "half-open" or "stealth" scans. A SYN scan works the same way as a TCP Connect scan for closed and filtered ports, i.e. it receives a RST packet for a closed port and no response for a filtered port. The only difference is in the way open ports are handled. After receiving the SYN/ACK from the target, the SYN scan replies with a packet that has the RST flag set (rather than the ACK that would complete a real three-way handshake). This stops the server from retransmitting its SYN/ACK for a connection that will never complete, and so reduces the scan time.
This scan type is referred to as a stealth scan because of the following advantages:
- It is faster, because it does not have to complete the full three-way handshake.
- Some applications log only connections that are fully established, so applications listening on open ports do not log these connections, which makes the SYN scan "stealthy".
3. UDP Scan (-sU): Unlike TCP, UDP does not perform a handshake to establish a connection before sending data packets to the target port; it simply sends the packets in the hope that they are received. That is why UDP communication is often called "stateless". This type of communication is more efficient when speed matters more than reliability, as in video streaming. Because the target port sends no acknowledgement of whether it received the packet, UDP scans are more difficult and much slower.
- When there is no response from the target port after a UDP packet is sent, it often means that the port is either "open" or behind a firewall, i.e. "filtered", in which case the server simply drops the packet without responding.
- A UDP scan can reliably identify closed ports, because a closed UDP port responds with an ICMP port unreachable message.
The scan techniques below are far less likely to be used in practice, but the principle behind them is worth learning. They are said to be even stealthier than the "SYN stealth" scan.
For the scan types below, when a packet is sent to an "open" port there is no response from the target, which is very similar to the UDP scan. When these scan types get no response, they mark the port as open|filtered. As per RFC 793, a closed port must respond to such packets with a RST, while an open port must not respond at all.
- TCP NULL Scan (-sN): The NULL scan, as the name implies, sends a TCP packet with no flags set. If the port is closed, the host responds with a RST.
- TCP FIN Scan (-sF): The FIN scan, rather than sending a completely empty packet, sends a packet with only its FIN flag set. If the port is closed, the host responds with a RST.
- TCP XMAS Scan (-sX): The XMAS scan sends a packet with the URG, PSH and FIN flags set. The scan got its name from the appearance of a Christmas tree that the packet gives when viewed in a Wireshark capture. If the port is closed, the host responds with a RST.

This can also be seen from the way a TCP connection is established.

Before getting into the details, let us look at some basics. TCP stands for Transmission Control Protocol, which indicates that it does something to control the transmission of data in a reliable way. Communication between devices over the internet happens according to the TCP/IP suite model (a stripped-down version of the OSI reference model). The Application layer is the top of the TCP/IP stack; from there, network applications such as a web browser on the client side establish a connection with the server. From the application layer, the information is passed to the transport layer, which is where our topic comes into the picture. The two important protocols of this layer are TCP and UDP (User Datagram Protocol), of which TCP is the more prevalent, since it provides reliability for the connection established. However, you can find an application of UDP in querying a DNS server to resolve a website's domain name to its numeric address.

TCP provides reliable communication with something called Positive Acknowledgement with Re-transmission (PAR). The Protocol Data Unit (PDU) of the transport layer is called a segment. A device using PAR resends the data unit until it receives an acknowledgement. If the data unit received at the receiver's end is damaged (the receiver checks the data with the checksum functionality of the transport layer, which is used for error detection), the receiver discards the segment, so the sender has to resend any data unit for which a positive acknowledgement is not received. From the above mechanism you can see that three segments are exchanged between sender (client) and receiver (server) for a reliable TCP connection to be established. Let us delve into how this mechanism works:

- Step 1 (SYN): In the first step, the client wants to establish a connection with a server, so it sends a segment with the SYN (Synchronize Sequence Number) flag set, which informs the server that the client intends to start communication and with what sequence number it will start its segments.
- Step 2 (SYN + ACK): The server responds to the client request with the SYN and ACK bits set. The acknowledgement (ACK) signifies the response to the segment it received, and the SYN signifies with what sequence number the server will start its segments.
- Step 3 (ACK): In the final step, the client acknowledges the response of the server and both sides establish a reliable connection over which they will start the actual data transfer.

In a TCP connection, flags are used to indicate a particular state of the connection, to provide additional information (for example for troubleshooting), or to control a particular connection. The most commonly used flags are "SYN", "ACK" and "FIN". Each flag corresponds to 1 bit of information.
Types of Flags:
- Synchronization (SYN) – Used in the first step of the connection establishment phase, or 3-way handshake, between the two hosts. Only the first packet from the sender as well as the receiver should have this flag set. It is used for synchronizing sequence numbers, i.e. to tell the other end which sequence number it should accept.
- Acknowledgement (ACK) – Used to acknowledge packets that have been successfully received by the host. The flag is set if the acknowledgement number field contains a valid acknowledgement number. In the handshake diagram, the receiver sends ACK = 1 as well as SYN = 1 in the second step of connection establishment to tell the sender that it received its initial packet.
- Finish (FIN) – Used to request connection termination, i.e. when there is no more data from the sender, it requests connection termination. This is the last packet sent by the sender. It frees the reserved resources and gracefully terminates the connection.
- Reset (RST) – Used to terminate the connection if the RST sender feels something is wrong with the TCP connection or that the conversation should not exist. It can be sent from the receiver side when a packet is sent to a host that was not expecting it.
- Urgent (URG) – Used to indicate that the data contained in the packet should be prioritized and handled urgently by the receiver. This flag is used in combination with the Urgent Pointer field to identify the location of the urgent data in the packet.
- Push (PSH) – Used to request immediate data delivery to the receiving host, without waiting for additional data to be buffered on the sender's side. This flag is commonly used in applications such as real-time audio or video streaming.
The following are header fields rather than single-bit flags, but they are listed here because they work together with the flags above:
- Window (WND) – Used to communicate the size of the receive window to the sender. The window size is the amount of data that the receiving host is capable of accepting at any given time. The sender should limit the amount of data it sends based on the size of the window advertised by the receiver.
- Checksum (CHK) – Used to verify the integrity of the TCP segment during transmission. The checksum is computed over the entire segment, including the header and data fields, and is recalculated at each hop along the network path.
- Sequence Number (SEQ) – A number assigned to each segment by the sender to identify the order in which the data should be reassembled by the receiver. The sequence number is used in conjunction with the acknowledgement number to ensure reliable data transfer and to detect duplicate packets.
- Acknowledgement Number (ACK) – Used to acknowledge the receipt of a TCP segment and to communicate the next expected sequence number to the sender. The acknowledgement number field contains the sequence number of the next expected segment, rather than the number of the last received segment.

Finish (FIN) v/s Reset (RST) –

- Push (PSH) – By default the transport layer waits for some time for the application layer to supply enough data to fill a maximum-size segment, so that the number of packets transmitted on the network is minimized. This is not desirable for some applications, such as interactive applications (chat). Similarly, the transport layer at the receiving end buffers packets and passes them to the application layer only when certain criteria are met.
This problem is solved using PSH. The transport layer sets PSH = 1 and immediately sends the segment to the network layer as soon as it receives the signal from the application layer. The receiving transport layer, on seeing PSH = 1, immediately forwards the data to the application layer. In general, it tells the receiver to process these packets as they are received instead of buffering them.
- Urgent (URG) – Data inside a segment with the URG flag set is forwarded to the application layer immediately, even if there is more data waiting to be given to the application layer. It is used to notify the receiver to process the urgent data before processing all other data. The receiver is notified when all known urgent data has been received.
Push (PSH) v/s Urgent (URG) –

PORT STATUS TYPES


In the context of ethical hacking or penetration testing, understanding
the status of ports on a target system is crucial. Ports are logical
endpoints used for communication between computers on a network.
Here's how port status is relevant to ethical hacking:

1. **Open Ports:** Open ports are those that are actively listening for
incoming network connections. They are the primary target for ethical
hackers as they provide potential entry points into a system. Services
and applications often run on open ports, and vulnerabilities in these
services can be exploited.
2. **Closed Ports:** Closed ports are not actively listening for incoming
connections. This usually means that there is no service or application
running on these ports. While they may not be direct entry points,
ethical hackers might still scan them to gather information about the
target system.
3. **Filtered Ports:** Filtered ports are those where a firewall or some
other network filtering device is actively blocking access. Ethical hackers
need to identify filtered ports as these can sometimes indicate that the
organization has taken security measures to protect specific services.
4. **Stealth Ports:** Stealth ports are ports that are configured not to
respond to network scans. This can be done intentionally to make it
more challenging for hackers to discover open ports. Ethical hackers
often try to identify stealth ports and understand why they are hidden.
To determine the status of ports on a target system during ethical
hacking, various network scanning techniques are used, including:
- **Port Scanning:** Tools like Nmap are commonly used to scan a
target's ports and determine their status (open, closed, or filtered).
- **Banner Grabbing:** This technique involves connecting to open
ports to retrieve banners or service information. It can help in
identifying the exact services running on open ports, which can be
useful for further exploitation.
- **TCP/UDP Scanning:** Ethical hackers may perform both TCP and
UDP port scans since different services often use different transport
protocols.
- **Version Detection:** Some scanning tools can even attempt to
identify the specific versions of services running on open ports, which
can be critical for finding known vulnerabilities associated with those
versions.
It's important to note that ethical hacking should always be conducted
with proper authorization and within the boundaries defined by the
organization being tested. Unauthorized port scanning or any form of
network intrusion is illegal and unethical. Ethical hackers should have
clear rules of engagement and permissions before conducting any
testing.
TCP SYN SCAN
The TCP SYN scan is the most popular and the default scan in Nmap, because it runs quickly compared to other scan types and is also less likely to be blocked by firewalls. Another reason is that the TCP SYN scan gives a clear distinction between the open, closed and filtered states. The main concept behind this scan is the TCP three-way handshake. A TCP SYN scan requires raw-packet privileges, which means root access.

Open state:
What happens here is that Nmap tries to establish a connection with scanme.nmap.org by sending a TCP SYN packet. In this situation the server sends back a SYN/ACK packet to establish the connection. This is the response Nmap uses to determine that the port is open. Nmap then resets the connection.
Closed state:

A TCP SYN packet is sent to the server as before, and what happens here is that the server directly rejects the connection with a RST packet because the port is closed.
Filtered port:

In the filtered state, the server does not send a reply back, not even a RST packet to terminate the connection. The most likely reason is that a firewall on the server side blocks the reply packets. So Nmap reports this type of port as filtered.
Another point is that the default SYN scan is not enough to slip through a network with firewalls and intrusion prevention systems. That requires more advanced techniques.
TCP Connect Scan
In the Nmap TCP Connect scan, Nmap asks its underlying operating system to establish a connection with the target server by issuing the "connect" system call. The problem with this scan is that it takes more time to complete and has to generate more packets to obtain the information. On the other hand, targets are more likely to allow the connection, because it establishes a connection with the target in the same way as network-enabled applications like web browsers.

Open state:

The first two steps are exactly the same as in the TCP SYN scan, but instead of sending a reset (RST) packet, the TCP Connect scan sends an ACK packet and establishes the connection. After the connection is established, it resets the connection.
The other steps of the Connect scan are the same as for the SYN scan described in the section above.
So the difference between these two scan types is that the TCP Connect scan establishes a full connection with the target, while the SYN scan completes only half of the connection.
There are some other scanning techniques in Nmap that are not used as much as the ones mentioned in the previous lessons. However, in some cases you may need to find other ways to discover the sensitive hosts in a network.

In the figure above, there are three types of scans: the NULL scan, the FIN scan and the Xmas scan. The common feature of these three scanning methods is that they send packets to the target systems in which the SYN, ACK and RST flags are not set.
- Null scan (-sN) does not set any bits; the TCP flags field of the header is 0.
- FIN scan (-sF) sets just the TCP FIN bit.
- Xmas scan (-sX) sets the FIN, PSH (Push) and URG flags, lighting up the packet like a Christmas tree.

There are two rules defined in the RFC standard about such packets:
1. The first rule is that if the destination port state is CLOSED, an incoming segment not containing a RST causes a RST to be sent in response.
2. The second rule is that packets sent to OPEN ports without the SYN, RST or ACK bits set are dropped.
How Nmap interprets responses to a NULL, FIN, or Xmas scan probe
These three scan types behave exactly the same except for the TCP flags set in the probe packets. Responses are treated as shown in the figure above.
If a RST packet is received, the port is considered closed, while no response means that it is open or filtered. In addition, if an ICMP unreachable error is received, the port is marked as filtered. Thus, with the result from these types of scans, you can find out whether a port is closed or not.
TCP ACK Scan (-sA):

This scan is different from the others discussed so far. It never determines open or open|filtered ports. It is used to map out firewall rule sets: to determine whether the firewall is stateful or not and which ports are filtered.
How Nmap interprets responses to an ACK scan probe

The ACK scan probe packet has only the ACK flag set. When scanning unfiltered systems, both open and closed ports return a RST packet. Nmap then labels them as unfiltered.

This means that the ports are reachable by the ACK packet; however, whether they are open or closed is undetermined.

Ports that do not respond, or that send certain ICMP error messages back, are labelled as filtered.

In the figure above, the result shows the state of the port as unfiltered, instead of the open, closed or filtered results of a normal scan.
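To make the response rules from the scan-type descriptions above (Connect/SYN, NULL/FIN/Xmas, UDP and ACK) and the two RFC 793 rules concrete, here is an added simulation that is not from the original notes or from Nmap: a target that answers probes per RFC 793 and a scanner that turns each reply into the Nmap state label. The flag constants, the `Reply` type and all function names are assumptions of this example; only the flag bit positions in the TCP header are real.

```python
"""Constructed simulation of the Nmap TCP/UDP scan types discussed above.

Two sides are modelled: a target whose closed/open/filtered ports follow the
RFC 793 rules quoted in the text, and a scanner that turns each reply into the
Nmap state label.  Nothing touches the network; a 20-byte TCP header is built
and parsed with struct so the flag bits are handled as they appear on the wire.
"""
import struct
from dataclasses import dataclass

# TCP flag bits: the low six bits of header byte 13 (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Flag combination each scan type puts in its probe (-sS/-sT, -sA, -sN, -sF, -sX)
PROBE_FLAGS = {"syn": SYN, "ack": ACK, "null": 0, "fin": FIN, "xmas": FIN | PSH | URG}


def build_tcp_header(src_port: int, dst_port: int, flags: int, seq: int = 0) -> bytes:
    """Minimal 20-byte TCP header: data offset 5 words, window 1024, checksum 0."""
    offset_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_flags, 1024, 0, 0)


def parse_tcp_flags(header: bytes) -> int:
    """Flag bits of a TCP header: the low six bits of byte 13."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F


def flag_names(flags: int) -> str:
    """Wireshark-style rendering, e.g. 'RST, ACK'; no flags renders as 'NULL'."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return ", ".join(names) if names else "NULL"


def classify_probe(flags: int) -> str:
    """Name the scan type a probe's flags betray (what an IDS signature keys on)."""
    for name, bits in PROBE_FLAGS.items():
        if flags == bits:
            return name
    return "other"


@dataclass(frozen=True)
class Reply:
    kind: str          # "tcp", "icmp_unreach" or "none"
    flags: int = 0     # TCP flags when kind == "tcp"


NO_REPLY = Reply("none")


def target_reply(port_state: str, probe_flags: int, proto: str = "tcp") -> Reply:
    """What the target sends back, per RFC 793 and the UDP behaviour above.

    A closed port answers any segment except a RST with a reset: RST/ACK if the
    probe carried no ACK, a bare RST otherwise (matching the host-discovery
    traces).  An open port answers SYN with SYN/ACK, answers a stray ACK with
    RST, and silently drops NULL/FIN/Xmas probes.  A filtered port (firewall)
    drops everything.  A closed UDP port yields ICMP port unreachable; an open
    one stays quiet.
    """
    if port_state == "filtered":
        return NO_REPLY
    if proto == "udp":
        return Reply("icmp_unreach") if port_state == "closed" else NO_REPLY
    if port_state == "closed":
        if probe_flags & RST:
            return NO_REPLY
        return Reply("tcp", RST if probe_flags & ACK else RST | ACK)
    # open port
    if probe_flags & RST:
        return NO_REPLY
    if probe_flags & ACK:
        return Reply("tcp", RST)
    if probe_flags & SYN:
        return Reply("tcp", SYN | ACK)
    return NO_REPLY


def nmap_state(scan: str, reply: Reply) -> str:
    """Scanner side: the label Nmap assigns for a given scan type and reply."""
    if scan == "udp":
        return "closed" if reply.kind == "icmp_unreach" else "open|filtered"
    if reply.kind == "icmp_unreach":
        return "filtered"
    got_rst = reply.kind == "tcp" and bool(reply.flags & RST)
    if scan == "syn":
        if reply.kind == "none":
            return "filtered"
        return "closed" if got_rst else "open"
    if scan == "ack":
        return "unfiltered" if got_rst else "filtered"
    if scan in ("null", "fin", "xmas"):
        return "closed" if got_rst else "open|filtered"
    raise ValueError(f"unknown scan type {scan}")


def scan_port(scan: str, port_state: str, dst_port: int = 80) -> str:
    """Run one probe/reply exchange against a simulated port and return the Nmap state."""
    if scan == "udp":
        return nmap_state(scan, target_reply(port_state, 0, proto="udp"))
    probe = build_tcp_header(40000, dst_port, PROBE_FLAGS[scan])
    flags = parse_tcp_flags(probe)      # the target only ever sees wire bytes
    return nmap_state(scan, target_reply(port_state, flags))
```

Note that `classify_probe` is the defender's view: a NULL or Xmas flag combination never occurs in legitimate traffic, so it is a cheap IDS signature, whereas a lone SYN is indistinguishable from a normal connection attempt.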
Idle Scan (-sI):
- The idle scan is an advanced scan technique that allows a truly blind TCP port scan of the target. A truly blind TCP port scan means that no packets are sent to the target from your real IP address.

- Instead, a unique side-channel attack exploits the predictable IP fragmentation ID sequence generation on the zombie host. This is used to gather information about the open ports on the target.

- IDS systems will display the scan as coming from the zombie machine that you specified.
The idle scan is based on three facts:
- As you already know, one way to determine whether a TCP port is open or closed is to send it a SYN packet: the target machine responds with a SYN/ACK packet if the port is open and a RST if the port is closed.
- A machine that receives an unexpected SYN/ACK packet responds with a RST, while an unexpected RST is ignored.
- Every IP packet on the internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing for the IP ID can tell an attacker how many packets have been sent since the last probe.
Open Port:
Let's see what happens in an idle scan if the target port is open.

Steps:
1. The first step is to probe the IP ID of the zombie system. The attacker/scanner sends a SYN/ACK to the zombie. Since the zombie does not expect the packet, it sends back a RST with an IP ID.
2. The second step is to forge a SYN packet from the zombie to the target system. The target then sends a SYN/ACK in response to the SYN, which appears to be coming from the zombie. Since the zombie does not expect the packet, it sends back a RST. This increments its IP ID in the process.
3. The third step is to probe the zombie's IP ID again. The attacker/scanner sends a SYN/ACK to the zombie again. The RST packet from the zombie now has an IP ID that has increased by two since the first step.
Conclusion: the port is open.
Closed Port:
Now let’s see what happens in an idle scan if the target port is closed.
1. The first step is to probe the IP ID of the zombie system. The
attacker/scanner sends a SYN/ACK to the zombie. Since the zombie does
not expect the packet, it sends back a RST carrying its current IP ID.
2. The second step is to forge a SYN packet from the zombie to the
target system. Because the port is closed, the target answers the SYN
with a RST, and since the SYN appeared to come from the zombie, the RST
is delivered to the zombie. The zombie ignores the unexpected RST, so
its IP ID does not change.
3. The third step is to probe the zombie’s IP ID again. The
attacker/scanner sends a SYN/ACK to the zombie again. The RST packet
from the zombie has an IP ID that has increased by only one since the
first step.
Conclusion: the port is closed (not open).
Filtered Port:
Let’s see what happens in an idle scan if the target port is filtered.
1. The first step is to probe the IP ID of the zombie system. The
attacker/scanner sends a SYN/ACK to the zombie. Since the zombie does
not expect the packet, it sends back a RST carrying its current IP ID.
2. The second step is to forge a SYN packet from the zombie and send
it to the target system. The target is filtering the port, so it
ignores the SYN that appears to come from the zombie. The zombie is
unaware that anything happened, so its IP ID remains the same.
3. The third step is to probe the zombie’s IP ID again. The
attacker/scanner sends a SYN/ACK to the zombie again. The RST packet
from the zombie has an IP ID that has increased by only one since the
first step.
Conclusion: the port is reported as closed (not open). From the
attacker’s point of view, a filtered port is indistinguishable from a
closed port. WHY ❓ In both cases the IP ID has increased by only one.
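The three-step IP ID inference described above, simulated offline as an added example (this is not code from the original notes, and it sends no packets): Zombie, Target, probe_ip_id and idle_scan are assumed names, and the starting IP ID and the port states are constructed. Running it shows why a closed port and a filtered port both come back with an IP ID delta of one.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Zombie:
    """Host with a globally incremental IP ID (the kind the idle scan needs)."""
    ip_id: int = 1000  # constructed starting value

    def send(self) -> int:
        """Emit one packet: return the IP ID it carries, then increment."""
        used, self.ip_id = self.ip_id, self.ip_id + 1
        return used

    def receive(self, segment: Optional[str]) -> Optional[str]:
        """Fact 2: an unexpected SYN/ACK is answered with RST; anything else is ignored."""
        if segment == "SYN/ACK":
            self.send()  # the RST it sends back consumes one IP ID
            return "RST"
        return None


@dataclass
class Target:
    """Target whose ports are 'open', 'closed' or 'filtered' (constructed)."""
    ports: Dict[int, str]

    def receive_syn(self, port: int) -> Optional[str]:
        """Fact 1: SYN gets SYN/ACK if open, RST if closed, nothing if filtered."""
        state = self.ports.get(port, "closed")
        return {"open": "SYN/ACK", "closed": "RST", "filtered": None}[state]


def probe_ip_id(zombie: Zombie) -> int:
    """Steps 1 and 3: send the zombie a SYN/ACK; its RST reveals the current IP ID."""
    ip_id_of_rst = zombie.ip_id  # the RST sent next carries this value
    assert zombie.receive("SYN/ACK") == "RST"
    return ip_id_of_rst


def idle_scan(zombie: Zombie, target: Target, port: int) -> str:
    """Classify one target port from the zombie's IP ID delta (Fact 3)."""
    first = probe_ip_id(zombie)
    # Step 2: a SYN spoofed from the zombie; the target answers the zombie,
    # which only sends (and so consumes an IP ID) in reply to a SYN/ACK.
    zombie.receive(target.receive_syn(port))
    delta = probe_ip_id(zombie) - first
    # +2: the zombie sent a RST in between, so the port is open.
    # +1: only our own probe consumed an ID; closed and filtered look alike.
    return "open" if delta == 2 else "closed|filtered"
```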
Let’s perform an idle scan:
In order to perform an idle scan, we first need a zombie computer on
the network that has incremental IP ID sequencing. Fortunately, Nmap
ships a script that helps us find a computer suitable to become a
zombie.
First, find the scripts whose names start with ipid, using the command
shown in the figure above.

Responses
■ If there is no response, this means that the firewall is stateful and it’s
filtering your packets.
■ If you receive a reset packet, it means that the packet reached the
destination.

The capture from Wireshark also gives a better insight into the TCP
ACK scan.

UDP PORT SCAN

UDP scanning is the process of scanning for the UDP services that are
deployed on the target system and currently running. UDP is a
connectionless protocol, so it is harder to probe than TCP.

Working of UDP scan:

In a UDP scan we usually use a client for some UDP service, such as
dig, or a tool like Nmap, to send UDP datagrams to the target’s UDP
network services (DNS, SNMP, DHCP and so on) and wait for a response.
Alternatively, we can send UDP datagrams to all ports and wait for the
results.
Some popular services that we look for in UDP scan are:
 DNS
 SNMP
 DHCP

UDP SCAN Using NMAP:

UDP scan works by sending a UDP packet to every targeted port. For
most ports, this packet will be empty (no payload), but for a few of the
more common ports, a protocol-specific payload will be sent. Based on
the response, the port is assigned to one of four states. The result table
looks like this in a Nmap UDP scan:

State            Response
open             Any UDP response
open|filtered    No response registered
closed           ICMP port unreachable error (type 3, code 3)
filtered         Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13)

Nmap’s UDP scan usage command:

sudo nmap -p <port numbers> -sU <target domain>

Example:
Conclusion:

For UDP scanning, the scanner sends a generic UDP packet and waits for
a response. If there is no response, the port is assumed to be open and
a UDP packet specific to the service expected on that port is sent to
detect the service. If an ICMP error packet is returned, the port is
considered closed.
SERVICE VERSION DETECTION

Version detection provides information on all identified open ports by
interrogating them with probes that elicit specific responses from
specific services.

Syntax
Version Detection is used with the -sV command, and it allows the user
to collect information about the port. This can include the version
number, the service type, the operating system, the hostname, etc.

nmap -sV <localhost>


The command starts an assessment on <localhost>.

The command can be customized with the following options:

 --allports
 --version-intensity
 --version-light
 --version-all
 --version-trace

Example
The following example demonstrates the use of Version Detection
using scanme.nmap.org (a safe test host):

nmap -sV scanme.nmap.org

This outputs:

$ nmap -sV scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-11 03:37 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.074s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.82 seconds
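As an added example (not from the original notes or from the Nmap project), a small parser that turns a normal-output -sV report like the one above into a structured record and lists the open ports where version detection returned nothing, such as the tcpwrapped port; parse_sv_output and unidentified_services are assumed names, and the embedded text is a constructed sample copied from the output shown above.

```python
import re
from typing import Dict, List

# Constructed sample in Nmap's normal-output format, mirroring the scan
# shown above; it is embedded here so the parser runs offline.
SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-11 03:37 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.074s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.7 ((Ubuntu))
9929/tcp  open  nping-echo Nping echo
31337/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# port/proto, state, service, then an optional free-text version column
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")


def parse_sv_output(text: str) -> Dict[str, object]:
    """Turn one host's -sV report into a record with host, address and a list
    of per-port entries. 'version' is None when Nmap printed no version column
    (for example tcpwrapped), so unidentified services stay visible."""
    report: Dict[str, object] = {"host": None, "address": None, "ports": []}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            report["host"] = m.group(1)
            report["address"] = m.group(2) or m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"].append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": version or None,
            })
    return report


def unidentified_services(report: Dict[str, object]) -> List[int]:
    """Open ports where version detection returned nothing: the ones worth a
    manual look (or a rerun with --version-all) before entering an inventory."""
    return [p["port"] for p in report["ports"]
            if p["state"] == "open" and p["version"] is None]
```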

OS DETECTION

Nmap stands for Network Mapper; it is an open-source tool used for
network exploration and security auditing. By comparison, a tool named
Nessus is used by industry professionals. These tools are mainly used
by cybersecurity experts and hackers.
Its main purposes are:
 Provide the list of live hosts.
 Find the open ports.
 Real-time information about a network.
 OS and port scanning.
Hackers and cybersecurity experts need to know the operating system of
the machine. It becomes much easier to access a system once its
specific open ports or security holes are known. Nmap has a database
that helps in detecting operating systems (OS), but it is not
automatically updated. The database used to detect an OS is located at
‘/usr/share/nmap/nmap-os-db’.
Operating system (OS) detection is a long and involved process, so
before we get our hands dirty we should know about the five separate
probes performed to determine the OS. Each probe may consist of one or
more packets. The target system’s response to each packet sent by a
probe helps to determine the OS type.
The five different probes are:
 Sequence Generation.
 ICMP Echo.
 TCP Explicit Congestion Notification.
 TCP.
 UDP.
1. Sequence Generation: The sequence generation probe consists of six
TCP SYN packets sent 100 ms apart. The results from all of these
packets help in operating system (OS) detection.
2. ICMP Echo: Two ICMP echo request packets with different settings are
sent to the target system. The results help Nmap verify the OS type.
3. TCP Explicit Congestion Notification: Congestion is a slowdown that
occurs when many packets are generated and passed through a single
router. The packets sent in this probe are used to elicit responses
from the target system. This helps to detect the OS because each OS
handles such a packet differently and returns a characteristic value.
4. TCP: Six packets are sent during this probe, some to open ports and
some to closed ports, each with specific packet settings; from the
corresponding responses we can determine the type of operating system
(OS). The TCP packets are sent with the following flags:
 no flags.
 SYN, FIN, URG, and PSH.
 ACK.
 SYN.
 ACK.
 FIN, PSH, and URG.
5. UDP: The UDP probe consists of a single packet sent to a closed
port. If the port on the target system is closed and an ICMP Port
Unreachable message is returned, this indicates that there is no
firewall in the way.
OS detection using NMAP
Now we need to run the actual commands to perform OS detection using
Nmap. First we get the IP address of the host system, then we scan to
find all active devices on the network.
Step 1: Getting the IP of the system
ifconfig

Step 2: List of active devices in the network
nmap -sn 192.168.232.128/24

Let’s do a SYN scan with OS detection on one of the active IPs.
Let’s select IP: 192.168.232.2
nmap -sS 192.168.232.2 -O
Running: VMware Player.
OS details: VMware Player virtual NAT device.

Let’s now perform an aggressive scan to guess the OS:
 -sV stands for service version.
 -A stands for aggressive.
It will only display the likely operating system (OS) of the host
computer, with a probability and percentage.
nmap -sV 192.168.232.2 -A
