Here's to learning basics of networking and an awesome tool called NMAP!

Hi there! How are you doing? More so, how is your internet doing? What about your LAN? Are you exchanging traffic with domains you'd not want to? Are there any open ports on your network that can be attacked? Most importantly (and somewhat unrelated to the post), have you changed your router's default credentials? If you are not sure about the majority of the questions asked above, congrats, you have landed on the correct post! Please follow along.

Networks is a very broad concept to understand and explore. There are just way too many exciting things in this single concept! So, let's begin with the basics: the initial things that'll get you started with learning more about networks and getting the hang of the awesome tool: NMAP.

Sneak peek into (somewhat applicable) history:

OSI Layer: Even if you have bunked the Computer Networks lectures in your school/college, if you are remotely associated with engineering, there are high chances you'd have heard of this term. Let me throw a diagram out here:

[Diagram: Presenting OSI Seven Layers. Source: https://community.fs.com/blog/tcpip-vs-osi-whats-the-difference-between-the-two-models.html]

These layers are responsible for handling everything that happens behind the scenes when you make a new network connection (say, open a new tab on your browser and go to https://www.aditi.fyi/home), and in here are a bunch of protocols. In the attempt to keep this post from surpassing its limits to be called a post, let's discuss briefly one of these layers, L4 => Transport layer.

One of the most prominent protocols in this layer is TCP [Transmission Control Protocol]. If you want to learn the philosophy behind TCP && need a book to read on weekends, check out this masterpiece dated September 1981! And that's what is fascinating about networks: the protocols we are using today are exactly the same as were defined decades ago, with very few alterations, if at all.

TCP is a connection-oriented protocol, which means a connection is established and maintained until the application programs at each end have finished exchanging messages. It determines how to break application data into packets that networks can deliver, sends packets to and accepts packets from the network layer, manages flow control and handles re-transmission of dropped or garbled packets, and acknowledges all packets that arrive.

The connection is established using the well-known THREE-WAY HANDSHAKE:

[Diagram: the three-way handshake (SYN, SYN/ACK, ACK)]

This is how a TCP connection is established and data starts to get across. But wait, what is SYN, ACK? These are "flags", just bits that are set to 1 while crafting the corresponding TCP packet. A TCP packet is made up of a header and data, where the header has a fixed set of fields [Source: Wikipedia]:

A TCP segment consists of a segment header and a data section. The segment header contains 10 mandatory fields, and an optional extension field (Options, pink background in the table).

- Source port (16 bits): Identifies the sending port.
- Destination port (16 bits): Identifies the receiving port.
- Sequence number (32 bits): The accumulated sequence number of the first data byte of this segment for the current session.
- Acknowledgment number (32 bits): If the ACK flag is set then the value of this field is the next sequence number that the sender of the ACK is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.
- Data offset (4 bits): Specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words, thus giving the minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.
- Reserved (3 bits): For future use and should be set to zero.
- Flags (9 bits): Contains 9 1-bit flags (control bits) as follows:
  - NS (1 bit): ECN-nonce - concealment protection.
  - CWR (1 bit): Congestion window reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded in congestion control mechanism.
  - ECE (1 bit): ECN-Echo has a dual role, depending on the value of the SYN flag. It indicates:
  - URG (1 bit): Indicates that the Urgent pointer field is significant.
  - ACK (1 bit): Indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  - PSH (1 bit): Push function. Asks to push the buffered data to the receiving application.
  - RST (1 bit): Reset the connection.
  - SYN (1 bit): Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid when it is set, and others when it is clear.
  - FIN (1 bit): Last packet from sender.
- Window size (16 bits): The size of the receive window, which specifies the number of window size units that the sender of this segment is currently willing to receive.
- Checksum (16 bits): The 16-bit checksum field is used for error-checking of the TCP header, the payload, and an IP pseudo-header.
- Urgent pointer (16 bits): If the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte.

So, SYN and ACK are the segments that have the respective flags turned on, i.e. set to 1.

Now, let's jump to NMAP and see how the information we learned above comes in handy while exploring this tool. Want to see some live captures and scans? Check out this video:

Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Source: https://nmap.org/book/man.html

You can set up nmap by downloading it from here: https://nmap.org/download.html

Once you have set up NMAP, we can use it to find available hosts, open ports, OS versions etc. All you need is an IP address, and it's best to try it out on your own IP (unless you have the required permissions to do so on any other IP). So, how to begin? Very simple: just refer to the manual above and try out the different types of scans! There are a plethora of flags that one can use while typing nmap. I'm documenting some popular commands here; let's understand how these work:

> sudo nmap <IP Address>
Does a basic scan of the router. If you get a MAC address back on using sudo, you can have some idea of what type of device it'll be. Note that only the popular ports will be scanned; you can specify specific ports using -p, e.g. -p 443,80. To scan all ports use -p-

> sudo nmap -v <IPAddress>/24 (class C subnet :: 192.168.1.0/24)
-v is verbose (shows what's happening). Scans all IPs in the subnet.

> sudo nmap 192.168.1.0/24 -oN /home/scanresults.txt
Captures the scan results and outputs them in the specified file.
-oN => basic text output
-oX => XML file output
-oG => output in grepable format
-oA => outputs in all three formats

> sudo nmap -F 192.168.1.0/24 -oN /home/scanresults.txt
Does a fast scan on all IPs in 192.168.1.0/24. -F speeds up the scan by restricting the port scanning to the most popular ports.

> sudo nmap --script vuln <target IP>
Use some scripts in the vuln category to scan for possible vulnerabilities on the target IP.

> sudo nmap -sS -D <decoy IP> <target IP>
To do a Stealth Scan and use Decoys. Decoys craft the traffic to appear from multiple IPs, thus causing confusion in narrowing down the exact attacker's IP.

Wait, you just saw -sS in the above command. What is that? That stands for Stealth scan. When port scanning with Nmap, there are three basic scan types. These are:
- SYN "Half-open" Scans (-sS) (aka Stealth scan)
- TCP Connect Scans (-sT)
- UDP Scans (-sU)

Additionally, there are several less common port scan types, such as:
- TCP Null Scans (-sN)
- TCP FIN Scans (-sF)
- TCP Xmas Scans (-sX)

Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on Unix systems. Here are the details on some of them, right from the nmap book:

-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. It also allows clear, reliable differentiation between the open, closed, and filtered states. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered.

-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks.
Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API.

-sF (FIN Scan), -sX (XMas Scan), -sN (Null Scan):
These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. Nmap exploits this with three scan types:
- Null scan (-sN): Does not set any bits (TCP flag header is 0)
- FIN scan (-sF): Sets just the TCP FIN bit.
- Xmas scan (-sX): Sets the FIN, PSH, and URG flags

Most firewalls work by preventing incoming TCP connections (while allowing outbound connections). This is accomplished by blocking any TCP packets with the SYN bit set and the ACK bit cleared. The above scans clear the SYN bit and are hence able to bypass the firewall rules. However, note that not all systems follow RFC 793 properly and end up sending RST to probes regardless of whether the port is open or not. Examples include Microsoft Windows, many Cisco devices, and IBM OS/400.

And there are SO MANY other scans that we have not covered here. So you see, the FLAGS are crucial in indicating which stage the communication is in. Crafting packets skillfully by setting the right flags can thus help us in triggering the required response from the host, be it to just check the general availability or gather more details about the system.

So, I'll leave you to it now, the post has almost reached its full length. Check out NMAP, explore the networking basics!
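To tie the header fields and flags from earlier in the post to the scan types just described, here is an added Python example (my own code, not from the post or from the Nmap project). It decodes a raw 20-byte TCP header into its mandatory fields, names the three-way-handshake step a segment's flags match, recognises the Null/FIN/Xmas probe signatures the way a defender watching traffic would, and maps a reply to the port-state verdict described above, including the caveat about hosts that send RST to every probe. The sample header bytes are constructed, and all function names are my own.

```python
import struct

# TCP control bits in the order they sit in the header's 16-bit word that also
# holds the data offset and reserved bits (RFC 793 layout):
# bit 0 = FIN, 1 = SYN, 2 = RST, 3 = PSH, 4 = ACK, 5 = URG, 6 = ECE, 7 = CWR, 8 = NS.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK",
              URG: "URG", ECE: "ECE", CWR: "CWR", NS: "NS"}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the 10 mandatory fields of a TCP header (the first 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12        # header length in 32-bit words, 5..15
    flags = off_flags & 0x1FF            # the 9 control bits
    if not 5 <= data_offset <= 15:
        raise ValueError(f"invalid data offset {data_offset}")
    header_len = data_offset * 4         # 20..60 bytes
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset, "header_len": header_len,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "window": window, "checksum": checksum, "urgent_pointer": urgent,
        "options": segment[20:header_len],   # up to 40 bytes
        "payload": segment[header_len:],
    }


def handshake_stage(flags: int):
    """Which step of the three-way handshake a segment's flags match, else None."""
    if flags & (RST | FIN):
        return None
    syn_ack = flags & (SYN | ACK)
    if syn_ack == SYN:
        return "SYN"
    if syn_ack == SYN | ACK:
        return "SYN/ACK"
    if syn_ack == ACK:
        return "ACK"
    return None


def classify_probe(flags: int):
    """Defender's view: does this flag combination look like a Null/FIN/Xmas probe?

    A segment with none of SYN, RST or ACK set never occurs in a normal
    connection, so these three patterns are worth alerting on.
    """
    if flags & (SYN | RST | ACK):
        return None
    patterns = {0: "Null scan (-sN)", FIN: "FIN scan (-sF)",
                FIN | PSH | URG: "Xmas scan (-sX)"}
    return patterns.get(flags)


def port_state(scan: str, response, target_follows_rfc: bool = True) -> str:
    """Port-state inference for one probe, as the post describes it.

    response is "SYN/ACK", "RST" or None (nothing came back after retransmissions).
    """
    if scan == "syn":
        return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[response]
    if scan in ("fin", "null", "xmas"):
        if response == "RST":
            # Windows, many Cisco devices and OS/400 RST every such probe, so a
            # RST from them says nothing about the port.
            return "closed" if target_follows_rfc else "unknown (host RSTs all probes)"
        # Silence means open per the RFC loophole, but a firewall that drops the
        # probe looks identical, which is why Nmap reports open|filtered.
        return "open|filtered"
    raise ValueError(f"unsupported scan type {scan!r}")


# Constructed sample: a SYN from port 51514 to port 443, seq 1000, window 65535,
# data offset 5 (no options); checksum left as 0 for brevity.
SAMPLE_SYN = struct.pack("!HHIIHHHH", 51514, 443, 1000, 0, (5 << 12) | SYN, 65535, 0, 0)

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_SYN)
    print(hdr["src_port"], "->", hdr["dst_port"], hdr["flag_names"],
          "stage:", handshake_stage(hdr["flags"]))
    for bits in (0, FIN, FIN | PSH | URG, FIN | ACK):
        print(f"{bits:09b}", classify_probe(bits))
    print(port_state("syn", "SYN/ACK"), port_state("fin", None),
          port_state("xmas", "RST", target_follows_rfc=False))
```

The flag constants are built from the bit positions of the 9-bit flags field, so `flags & SYN` is literally the "bit set to 1" the post talks about; `classify_probe` refuses to label anything carrying SYN, RST or ACK, because that is ordinary traffic (a FIN with ACK is a normal close), and only the three impossible-in-practice combinations are flagged.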
I'll be writing and covering more details around the same in coming blog posts or live learning sessions! To stay updated, subscribe to aditi.fyi, the YouTube Channel, and join our free open Discord Community!

Keep Hacking! xoxo

Previously published at https://www.aditi.fyi/post/basics-of-network-nmap
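The post opens by asking whether there are open ports on your network that can be attacked, and the command list shows -oN/-oX/-oG/-oA for saving results. As an added example (my own code, not from the post or the Nmap project), here is a small Python script that reads Nmap's grepable (-oG) output into a per-host inventory and reports open ports that are not on an allowlist you maintain, which turns a one-off scan into a repeatable check. The scan lines are a constructed sample in the -oG line layout (Host: ip (name), then Ports: port/state/protocol/owner/service/rpcinfo/version/ entries); the allowlist and function names are assumptions.

```python
import re

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
PORTS_RE = re.compile(r"Ports: (.*?)(?:\t|$)")


def parse_grepable(text: str) -> dict:
    """Turn Nmap -oG output into {ip: [{"port", "state", "proto", "service"}, ...]}."""
    inventory = {}
    for line in text.splitlines():
        if line.startswith("#"):             # "# Nmap ... initiated/done" banner lines
            continue
        host = HOST_RE.match(line)
        if not host:
            continue
        ip = host.group(1)
        entries = inventory.setdefault(ip, [])
        ports = PORTS_RE.search(line)
        if not ports:                         # e.g. a "Status: Up" line
            continue
        for item in ports.group(1).split(","):
            # each item is port/state/protocol/owner/service/rpcinfo/version/
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            entries.append({"port": int(port), "state": state,
                            "proto": proto, "service": service})
    return inventory


def open_ports(inventory: dict) -> dict:
    """{ip: sorted list of ports whose state is exactly 'open'}."""
    return {ip: sorted(e["port"] for e in entries if e["state"] == "open")
            for ip, entries in inventory.items()}


def unexpected_open(inventory: dict, allowlist: dict) -> dict:
    """Open ports missing from the per-host allowlist; unlisted hosts allow nothing."""
    findings = {}
    for ip, ports in open_ports(inventory).items():
        extra = [p for p in ports if p not in allowlist.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings


# Constructed sample in the -oG line layout (not real scan output).
SAMPLE_OG = """# Nmap scan initiated (constructed sample) as: nmap -F -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/open/tcp//https///\tIgnored State: closed (97)
Host: 192.168.1.10 (nas.lan)\tStatus: Up
Host: 192.168.1.10 (nas.lan)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 23/filtered/tcp//telnet///\tIgnored State: closed (97)
# Nmap done (constructed sample) -- 256 IP addresses (2 hosts up) scanned
"""

# Assumed allowlist: what each host is supposed to expose.
ALLOWLIST = {"192.168.1.1": {22, 80, 443}, "192.168.1.10": {445}}

if __name__ == "__main__":
    inv = parse_grepable(SAMPLE_OG)
    for ip, ports in open_ports(inv).items():
        print(ip, "open:", ports)
    print("unexpected:", unexpected_open(inv, ALLOWLIST))
```

Run it against a real file with `parse_grepable(open("scanresults.txt").read())` after scanning your own subnet with -oG; only ports in the exact `open` state are compared, so `filtered` entries (like port 23 in the sample) are kept in the inventory but never counted as exposure.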