Compare Scan Results in Nmap


Introduction

In this lab, you will learn to compare scan results in Nmap. The lab involves performing both SYN and TCP scans against a target IP address, saving the outputs to separate files, and then comparing these files using the diff command. You'll also explore verbose scans and analyze the differences observed in the Xfce terminal.

The process begins by running a SYN scan using nmap -sS -oN syn.txt 192.168.1.1 and a TCP scan using nmap -sT -oN tcp.txt 192.168.1.1, saving the results to syn.txt and tcp.txt respectively. These files are then compared using diff syn.txt tcp.txt. Furthermore, verbose scans are conducted with nmap -v -sS 127.0.0.1 and nmap -v -sT 127.0.0.1, and the comparison notes are saved in the Xfce text editor for analysis in the Xfce terminal.

Run SYN scan and save with nmap -sS -oN syn.txt 192.168.1.1

In this step, you will perform a SYN scan using Nmap and save the output to a file. A SYN scan, also known as a half-open scan, is a type of TCP port scan that attempts to determine the state of TCP ports on a target system. It's called "half-open" because the scanning host doesn't complete the TCP connection handshake. Instead, it sends a SYN packet and analyzes the response. This technique is stealthier than a full TCP connect scan because it doesn't establish a full connection, potentially avoiding detection by some firewalls and intrusion detection systems.

Here's a breakdown of the command:

  • nmap: The Nmap command-line scanner.
  • -sS: Specifies the SYN scan technique.
  • -oN syn.txt: Specifies that the output should be saved in normal (human-readable) format to a file named syn.txt.
  • 192.168.1.1: The target IP address to scan. Replace this with the actual IP address of the target you want to scan. If you are running this lab in a virtual environment, you might use 127.0.0.1 (localhost) as the target.

Let's execute the command. First, ensure you are in the ~/project directory.

cd ~/project

Now, run the SYN scan:

sudo nmap -sS -oN syn.txt 192.168.1.1

Note: You might need sudo privileges to perform a SYN scan, as it requires sending raw packets. If you are using a different target IP address, replace 192.168.1.1 with the correct IP. If you are scanning localhost, you can use 127.0.0.1.

After the scan completes, you can view the contents of the syn.txt file using a text editor or the cat command:

cat syn.txt

The output will show the open ports and other information gathered during the scan. The exact output will depend on the target system and its configuration.

Example output (the specific output will vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

This output indicates that ports 22, 80, and 443 are open on the target system. The "filtered" ports mean that Nmap couldn't determine whether those ports were open or closed due to firewall rules or network conditions.

Run TCP scan and save with nmap -sT -oN tcp.txt 192.168.1.1

In this step, you will perform a TCP connect scan using Nmap and save the output to a file. A TCP connect scan, specified by the -sT option, is a basic form of TCP scanning where Nmap attempts to establish a full TCP connection with the target host on each port. This involves completing the three-way handshake (SYN, SYN-ACK, ACK). While reliable, this method is also easily detectable, as the target system logs the connection.

Here's a breakdown of the command:

  • nmap: The Nmap command-line scanner.
  • -sT: Specifies the TCP connect scan technique.
  • -oN tcp.txt: Specifies that the output should be saved in normal (human-readable) format to a file named tcp.txt.
  • 192.168.1.1: The target IP address to scan. Replace this with the actual IP address of the target you want to scan. If you are running this lab in a virtual environment, you might use 127.0.0.1 (localhost) as the target.

Let's execute the command. First, ensure you are in the ~/project directory.

cd ~/project

Now, run the TCP connect scan:

sudo nmap -sT -oN tcp.txt 192.168.1.1

Note: While sudo is not strictly required for a TCP connect scan, it's good practice to use it for consistency and to avoid potential permission issues. If you are using a different target IP address, replace 192.168.1.1 with the correct IP. If you are scanning localhost, you can use 127.0.0.1.

After the scan completes, you can view the contents of the tcp.txt file using a text editor or the cat command:

cat tcp.txt

The output will show the open ports and other information gathered during the scan. The exact output will depend on the target system and its configuration.

Example output (the specific output will vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

This output indicates that ports 22, 80, and 443 are open on the target system. The "closed" ports are those where the connection attempt was refused: the target answered the SYN with a RST (reset) packet, so nothing is listening there.

Compare files with diff syn.txt tcp.txt

In this step, you will compare the syn.txt and tcp.txt files that you created in the previous steps using the diff command. The diff command is a powerful tool for identifying differences between two files. It compares the files line by line and highlights any additions, deletions, or modifications.

Before running the diff command, it's important to understand why the outputs of the SYN scan (-sS) and TCP connect scan (-sT) might differ. The SYN scan is a "half-open" scan, meaning it doesn't complete the full TCP handshake. This can make it stealthier but also less reliable in some cases, as firewalls or network devices might block the initial SYN packet or the response. The TCP connect scan, on the other hand, completes the full TCP handshake, making it more reliable but also more easily detectable.

To compare the files, use the following command:

diff syn.txt tcp.txt

This command will compare the syn.txt and tcp.txt files and display any differences in the terminal.

Example output (the specific output will vary depending on the target system and network conditions):

1c1
< Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
---
> Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
4c4
< Not shown: 997 filtered ports
---
> Not shown: 997 closed ports

diff prints only the lines that differ; lines that are identical in both files (here the port table and the "Nmap done" line) do not appear at all. In this example, the first hunk differs only in the scan timestamp. The substantive difference is the "Not shown" line: the SYN scan (syn.txt) shows "997 filtered ports," while the TCP connect scan (tcp.txt) shows "997 closed ports." This indicates that the SYN scan was unable to determine the state of those ports due to filtering, while the TCP connect scan was able to determine that they were closed.

The diff output uses the following symbols:

  • <: A line as it appears in the first file (syn.txt).
  • >: A line as it appears in the second file (tcp.txt).
  • 4c4: A hunk header; "c" (change) means line 4 of the first file must be replaced by line 4 of the second to make the files identical. Ranges such as 2,4c2,4 cover several lines, and "a" (add) or "d" (delete) appear when one file has lines the other lacks.

By analyzing the diff output, you can gain insights into the differences between the two scan types and how they perceive the target system.

Run verbose scans with nmap -v -sS 127.0.0.1 and nmap -v -sT 127.0.0.1

In this step, you will run both SYN and TCP connect scans against localhost (127.0.0.1) with the verbose option enabled. The -v option in Nmap increases the verbosity level, providing more detailed information about the scan process. This can be helpful for understanding how Nmap works and for troubleshooting any issues.

First, let's run the verbose SYN scan:

sudo nmap -v -sS 127.0.0.1

This command will perform a SYN scan on localhost and display verbose output in the terminal. You'll see more information about the scan's progress, including the ports being scanned, the timing of the scan, and any errors or warnings that occur.

Example output (the specific output will vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
NSE: Loaded 0 scripts for scanning.
Initiating SYN Stealth Scan
Scanning 127.0.0.1 [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:15, 2.50s elapsed (1000 total ports)
Nmap scan report for 127.0.0.1
Host is up (0.000020s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

Next, run the verbose TCP connect scan:

sudo nmap -v -sT 127.0.0.1

This command will perform a TCP connect scan on localhost and display verbose output.

Example output (the specific output will vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:16 UTC
NSE: Loaded 0 scripts for scanning.
Initiating Connect Scan
Scanning 127.0.0.1 [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Completed Connect Scan at 10:16, 3.00s elapsed (1000 total ports)
Nmap scan report for 127.0.0.1
Host is up (0.000020s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.00 seconds

Observe the differences in the output. The verbose output provides more details about the scan process, such as the type of scan being performed ("SYN Stealth Scan" or "Connect Scan"), the number of ports being scanned, and the time it takes to complete the scan. You can also see the ports that were discovered to be open.

By comparing the verbose output of the SYN and TCP connect scans, you can gain a better understanding of how each scan type works and how they interact with the target system.
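The lab compares the raw files with diff, which also flags lines that always differ (the start timestamp, the elapsed time) and hides the per-port comparison behind them. The script below is an added example, not part of the lab and not an Nmap tool: it serves both the "Compare files" step and this verbose-scan step by pulling out the scan phase and its duration, the "Not shown" summary and the port table, and comparing only those. The two sample reports are constructed from the lab's verbose output, with one extra filtered port added to the connect-scan sample so that a real port-state difference shows up; all function names are my own.

```shell
#!/bin/sh
# Added example (not part of the lab): compare two Nmap reports on the parts
# that matter (scan phase and timing, "Not shown" summary, per-port state)
# rather than on volatile header lines. Works on -oN output and on verbose
# terminal output, which carries the same report plus progress lines.

# Constructed samples modelled on the lab's verbose output; the second one
# is given one extra filtered port so that a real difference shows up.
make_samples() {
  cat > syn_sample.txt <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
NSE: Loaded 0 scripts for scanning.
Initiating SYN Stealth Scan
Scanning 127.0.0.1 [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:15, 2.50s elapsed (1000 total ports)
Nmap scan report for 127.0.0.1
Host is up (0.000020s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds
EOF
  cat > tcp_sample.txt <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:16 UTC
NSE: Loaded 0 scripts for scanning.
Initiating Connect Scan
Scanning 127.0.0.1 [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Completed Connect Scan at 10:16, 3.00s elapsed (1000 total ports)
Nmap scan report for 127.0.0.1
Host is up (0.000020s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 3.00 seconds
EOF
}

# "port state service" rows of the port table (header and blanks skipped).
port_table() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1, $2, $3 }' "$1"
}

# Scan phase and duration from the verbose "Completed ... elapsed" line,
# e.g. "SYN Stealth Scan 2.50"; prints nothing for non-verbose output.
scan_phase() {
  sed -n 's/^Completed \(.*\) at [0-9:]*, \([0-9.]*\)s elapsed.*/\1 \2/p' "$1"
}

# Normalised view: "Not shown" summary plus port table, no timestamps.
normalised() {
  grep '^Not shown:' "$1"
  port_table "$1"
}

# diff the normalised views; exit status as diff: 0 = same, 1 = differ.
compare_scans() {
  a=$(mktemp) && b=$(mktemp) || return 2
  normalised "$1" > "$a"
  normalised "$2" > "$b"
  diff -u "$a" "$b"
  rc=$?
  rm -f "$a" "$b"
  return $rc
}

# Ports whose state differs: "port state_in_first state_in_second",
# with "-" where a port is absent from one report.
state_changes() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ {
         if (NR == FNR) first[$1] = $2; else second[$1] = $2
         seen[$1] = 1
       }
       END {
         for (p in seen) {
           s1 = (p in first) ? first[p] : "-"
           s2 = (p in second) ? second[p] : "-"
           if (s1 != s2) print p, s1, s2
         }
       }' "$1" "$2" | sort -n
}

make_samples
echo "syn: $(scan_phase syn_sample.txt) | tcp: $(scan_phase tcp_sample.txt)"
compare_scans syn_sample.txt tcp_sample.txt || echo "reports differ (diff exit $?)"
state_changes syn_sample.txt tcp_sample.txt
```

Run it against your own files with `compare_scans syn.txt tcp.txt` and `state_changes syn.txt tcp.txt` after sourcing the script; the second command answers the "did both scans find the same open ports?" question from the notes directly, one line per port whose state changed. When scans are saved as XML (-oX, or -oA for all formats), Nmap's own ndiff tool does this comparison, including hosts and services, without any parsing of the text format.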

Save comparison notes in Xfce text editor

In this step, you will use the Xfce text editor to save your observations and comparisons from the previous steps. This is a crucial step for documenting your findings and understanding the differences between the Nmap scan types.

First, open the Xfce text editor. You can do this by searching for "Text Editor" in the Xfce application menu or by running the following command in the terminal:

mousepad notes.txt

This command will open the Xfce text editor (Mousepad) on a new file named notes.txt in the current directory (~/project, if you are still there from the earlier steps). The file is created when you save it.

Now, in the text editor, write down your observations about the differences between the SYN scan and the TCP connect scan. Consider the following points:

  • Speed: Which scan type was faster?
  • Accuracy: Did both scan types identify the same open ports? If not, why might that be?
  • Stealth: Which scan type is considered more stealthy and why?
  • Firewall Evasion: How might firewalls treat each scan type differently?
  • Verbose Output: What additional information did you gain from the verbose scans?

Here's an example of what your notes might look like:

Nmap Scan Comparison Notes:

SYN Scan (-sS):
- Faster than TCP connect scan.
- May be less accurate due to filtered ports.
- Considered more stealthy as it doesn't complete the full TCP handshake.
- Firewalls may block SYN packets, leading to inaccurate results.

TCP Connect Scan (-sT):
- Slower than SYN scan.
- More reliable as it completes the full TCP handshake.
- Less stealthy as it's easily detectable.
- Less likely to be blocked by firewalls, providing more accurate results.

Verbose Output (-v):
- Provides more detailed information about the scan process.
- Helpful for understanding how Nmap works and troubleshooting issues.
- Shows the type of scan being performed and the number of ports scanned.

Observed Differences:
- SYN scan reported "filtered" ports, while TCP connect scan reported "closed" ports.
- This suggests that some ports were being filtered, preventing the SYN scan from determining their state.

After you have finished writing your notes, save the file by clicking on "File" -> "Save" in the text editor, or by pressing Ctrl+S.

This notes.txt file will be used in the next step to analyze the differences in the Xfce terminal.

Analyze differences in Xfce terminal

In this step, you will use the Xfce terminal to further analyze the differences between the SYN and TCP connect scans, building upon the notes you saved in the previous step. You'll use command-line tools to search for specific patterns and compare the scan results.

First, open the Xfce terminal.

Now, let's use the cat command to display the contents of the syn.txt and tcp.txt files, which contain the Nmap scan results from the first two steps:

cat syn.txt
cat tcp.txt

Examine the output of both commands. Pay attention to the differences in the scan results, such as the reported port states (open, closed, filtered) and the time it took to complete the scans.

Next, use the grep command to search for specific keywords in the scan results. For example, you can search for the word "open" in both files:

grep "open" syn.txt
grep "open" tcp.txt

Compare the output of these commands. Do both scans report the same open ports? If not, what are the differences?

You can also search for other keywords, such as "closed" or "filtered", to further analyze the scan results.

Now, let's use the diff command again to compare the syn.txt and tcp.txt files:

diff syn.txt tcp.txt

Review the output of the diff command. This will highlight the lines that are different between the two files. Pay attention to the lines that indicate differences in the reported port states.

Finally, use the cat command to display the contents of your notes.txt file, which contains your observations from the previous step:

cat notes.txt

Reflect on your observations and compare them to the scan results and the output of the diff command. Do your observations align with the scan results? Can you explain any discrepancies?

By using the Xfce terminal and command-line tools to analyze the Nmap scan results, you can gain a deeper understanding of the differences between the SYN and TCP connect scans and how they interact with the target system. This analysis will help you make informed decisions about which scan type to use in different situations.

Summary

In this lab, we began by performing a SYN scan on a target IP address (192.168.1.1 or localhost) using Nmap with the command nmap -sS -oN syn.txt 192.168.1.1. This involved understanding the purpose of a SYN scan as a stealthier "half-open" TCP port scan that avoids establishing a full connection. The output of the scan was saved to a file named syn.txt in normal format.

The key learning point was how to execute a SYN scan using Nmap, interpret the command's parameters (-sS for SYN scan, -oN for normal output to a file), and understand the potential need for sudo privileges due to the use of raw packets. We also learned how to view the scan results using cat syn.txt.