Conduct TCP ACK Scanning in Nmap

Introduction

In this lab, you will learn to conduct TCP ACK scanning using Nmap. The lab covers various aspects of ACK scanning, including running a basic ACK scan, scanning a specific port range, adding verbosity to the scan, saving scan results, analyzing filtered ports, and comparing ACK scans with SYN scans in the Xfce terminal. You'll understand how ACK scans work by sending TCP ACK packets to a target host and analyzing responses to determine if ports are filtered or unfiltered.

Run ACK scan with nmap -sA 192.168.1.1

In this step, you will learn how to perform an ACK scan using Nmap. An ACK scan is a type of TCP scan that sends TCP ACK packets to a target host. Unlike other scan types, an ACK scan doesn't establish a full TCP connection. Instead, it analyzes the responses (or lack thereof) to determine if a port is filtered or unfiltered.

Understanding ACK Scan Basics

ACK Packet: A TCP ACK (Acknowledgment) packet is typically used to acknowledge the receipt of data in an established TCP connection.
Firewall Behavior: Firewalls often have rules to block unsolicited incoming TCP connections. ACK scans exploit this behavior to map firewall rule sets.
Filtered vs. Unfiltered:
- Unfiltered: If the target port is unfiltered, the Nmap will receive an RST (Reset) packet in response to the ACK probe. This indicates that no firewall is blocking the connection.
- Filtered: If the target port is filtered, Nmap will receive no response, or an ICMP error message. This suggests that a firewall is blocking the connection.

Performing an ACK Scan

Open the Xfce terminal: If it's not already open, launch the Xfce terminal from the desktop environment.
Execute the ACK scan command: In the terminal, type the following command and press Enter:
```
nmap -sA 192.168.1.1
```
- nmap: The Nmap command-line scanner.
- -sA: Specifies the ACK scan type.
- 192.168.1.1: The target IP address. Replace this with the actual IP address you want to scan. If you are running this in a virtual environment, you might want to scan your gateway or another machine on your network. If you don't have another machine, you can scan your localhost IP address 127.0.0.1.
```
nmap -sA 127.0.0.1
```

Analyze the Results: Nmap will display the results of the scan. Look for ports that are marked as "Unfiltered" or "Filtered".

Example output (may vary depending on the target):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 127.0.0.1
Host is up (0.00020s latency).
Other addresses for localhost (alias(es)): localhost

PORT      STATE      SERVICE
22/tcp    unfiltered ssh
80/tcp    unfiltered http
111/tcp   unfiltered rpcbind
631/tcp   unfiltered ipp
...

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

In this example, ports 22, 80, 111, and 631 are unfiltered, meaning that an ACK packet sent to these ports would likely receive an RST response.

Important Considerations:

ACK scans are not always reliable for determining the exact state of a port. Firewalls and network devices can sometimes produce misleading results.
ACK scans are primarily used to map firewall rules and identify potential entry points into a network.

Scan port range with nmap -sA -p 1-100 127.0.0.1

In this step, you will extend your knowledge of ACK scans by scanning a specific port range. This is useful for narrowing down your investigation to the most commonly used ports or ports of interest.

Understanding Port Ranges

A port range specifies a set of ports to scan, instead of scanning all 65535 ports. This can significantly reduce the scan time and focus your analysis. Common port ranges include:

1-1024: Well-known ports, often used by system services.
1-100: A smaller range for quick checks.
80,443,8080: Specific ports of interest (HTTP, HTTPS, alternative HTTP).

Scanning a Port Range with Nmap

Open the Xfce terminal: If it's not already open, launch the Xfce terminal from the desktop environment.
Execute the ACK scan command with a port range: In the terminal, type the following command and press Enter:
```
nmap -sA -p 1-100 127.0.0.1
```
- nmap: The Nmap command-line scanner.
- -sA: Specifies the ACK scan type.
- -p 1-100: Specifies the port range to scan (ports 1 through 100).
- 127.0.0.1: The target IP address (localhost in this case).

Analyze the Results: Nmap will display the results of the scan, focusing only on ports within the specified range (1-100).

Example output (may vary depending on the target):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (alias(es)): localhost

PORT    STATE      SERVICE
21/tcp  unfiltered ftp
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
53/tcp  unfiltered domain
80/tcp  unfiltered http

Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds

This output shows the state of ports 21, 22, 25, 53, and 80 on the localhost. All of them are unfiltered.

Benefits of Scanning Port Ranges:

Efficiency: Reduces scan time by focusing on specific ports.
Targeted Analysis: Allows you to investigate specific services or applications running on the target.
Reduced Noise: Filters out irrelevant information, making it easier to identify potential vulnerabilities.

Add verbosity with nmap -v -sA 192.168.1.1

In this step, you will learn how to increase the verbosity of Nmap scans. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding the results more deeply.

Understanding Verbosity Levels

Nmap offers different levels of verbosity, controlled by the -v option. Using -v once increases the verbosity level, and using it multiple times (e.g., -vv) increases it further. Higher verbosity levels provide more detailed output.

Adding Verbosity to an ACK Scan

Open the Xfce terminal: If it's not already open, launch the Xfce terminal from the desktop environment.
Execute the ACK scan command with verbosity: In the terminal, type the following command and press Enter:
```
nmap -v -sA 192.168.1.1
```
- nmap: The Nmap command-line scanner.
- -v: Enables verbose output.
- -sA: Specifies the ACK scan type.
- 192.168.1.1: The target IP address. Replace this with the actual IP address you want to scan. If you are running this in a virtual environment, you might want to scan your gateway or another machine on your network. If you don't have another machine, you can scan your localhost IP address 127.0.0.1.
```
nmap -v -sA 127.0.0.1
```

Analyze the Results: Nmap will display the results of the scan with more detailed information. You will see more output about the scan process, such as the probes being sent and the responses being received.

Example output (may vary depending on the target):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Initiating Ping Scan at 10:10
Scanning 127.0.0.1 [4 ports]
Completed Ping Scan at 10:10, 0.00s elapsed (1 total hosts)
Initiating ACK Scan at 10:10
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 111/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Completed ACK Scan at 10:10, 0.15s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00016s latency).
Other addresses for localhost (alias(es)): localhost

PORT      STATE      SERVICE
22/tcp    unfiltered ssh
80/tcp    unfiltered http
111/tcp   unfiltered rpcbind
631/tcp   unfiltered ipp
...

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

The verbose output shows the different stages of the scan, including the ping scan and the ACK scan, as well as the ports discovered.

Benefits of Verbosity:

Troubleshooting: Helps identify issues during the scan process, such as network connectivity problems or firewall interference.
Deeper Understanding: Provides more insight into how Nmap works and how it determines the state of ports.
Detailed Reporting: Offers more comprehensive information for reporting and analysis.

Save ACK scan results with nmap -sA -oN ack.txt 127.0.0.1

In this step, you will learn how to save the results of an Nmap ACK scan to a file. This is useful for later analysis, reporting, or comparison with other scans.

Understanding Nmap Output Options

Nmap provides several options for saving scan results in different formats. The -oN option saves the results in a "normal" human-readable format. Other options include -oX for XML format and -oS for script kiddie format (less readable).

Saving ACK Scan Results to a File

Open the Xfce terminal: If it's not already open, launch the Xfce terminal from the desktop environment.
Execute the ACK scan command with output to file: In the terminal, type the following command and press Enter:
```
nmap -sA -oN ack.txt 127.0.0.1
```
- nmap: The Nmap command-line scanner.
- -sA: Specifies the ACK scan type.
- -oN ack.txt: Specifies that the output should be saved in normal format to a file named ack.txt. The file will be saved in your current directory (~/project).
- 127.0.0.1: The target IP address (localhost in this case).
Verify the file creation: After the scan completes, verify that the file ack.txt has been created in your ~/project directory. You can use the ls command to list the files in the directory:
```
ls ~/project
```
You should see ack.txt in the list of files.

View the contents of the file: You can view the contents of the ack.txt file using the cat command or a text editor like nano:

cat ~/project/ack.txt

nano ~/project/ack.txt

The file will contain the Nmap scan results in a human-readable format.

Example content of ack.txt (may vary depending on the target):

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00016s latency).
Other addresses for localhost (alias(es)): localhost

PORT      STATE      SERVICE
22/tcp    unfiltered ssh
80/tcp    unfiltered http
111/tcp   unfiltered rpcbind
631/tcp   unfiltered ipp
...

## Nmap done at Fri Oct 27 10:15:01 2023 -- 1 IP address (1 host up) scanned in 0.85 seconds

Benefits of Saving Scan Results:

Documentation: Provides a record of the scan results for future reference.
Analysis: Allows you to analyze the results in more detail using text processing tools or scripts.
Reporting: Makes it easier to create reports based on the scan results.
Comparison: Enables you to compare the results of different scans over time to track changes in the network.

Analyze filtered ports in Xfce terminal

In this step, you will learn how to analyze the filtered ports identified during an Nmap ACK scan. Understanding why ports are filtered is crucial for assessing network security and identifying potential vulnerabilities.

Understanding Filtered Ports

In Nmap, a "filtered" port means that Nmap cannot determine whether the port is open or closed because packet filtering prevents Nmap's probes from reaching the port. This is often due to a firewall rule that blocks the specific type of traffic Nmap is using for the scan. With ACK scan, filtered ports usually indicate the presence of a firewall or other network device that is blocking the ACK packets.

Analyzing Filtered Ports from the ACK Scan

Open the Xfce terminal: If it's not already open, launch the Xfce terminal from the desktop environment.
Review the ack.txt file: In the previous step, you saved the ACK scan results to the ack.txt file. Use the cat command or nano to view the contents of the file:
```
cat ~/project/ack.txt
```
or
```
nano ~/project/ack.txt
```
Identify Filtered Ports: Look for lines in the output that indicate a port is in the "filtered" state. For example:
```
PORT      STATE      SERVICE
21/tcp    filtered  ftp
23/tcp    filtered  telnet
```
This indicates that ports 21 (FTP) and 23 (Telnet) are filtered.
Investigate the Cause of Filtering: The fact that ports are filtered suggests that a firewall or other network device is blocking the ACK packets sent to those ports. To further investigate, you can consider the following:
- Firewall Rules: Check the firewall configuration on the target machine or network to see if there are rules blocking ACK packets to specific ports. Since you are scanning 127.0.0.1, you can check the local firewall rules. However, in the LabEx environment, you likely won't have access to modify firewall rules.
- Network Topology: Consider the network topology between your scanning machine and the target. Are there any intermediate devices (e.g., routers, firewalls) that might be filtering traffic?
- Other Scan Types: Use other Nmap scan types (e.g., SYN scan, TCP connect scan) to see if they provide more information about the state of the ports. You will do this in the next step.
Example Analysis:

If you see that common ports like 21 (FTP), 23 (Telnet), and 80 (HTTP) are filtered, it's likely that a firewall is configured to block unsolicited incoming connections to these ports. This is a common security practice to prevent unauthorized access to services running on the target machine.

Important Considerations:

ACK scans are often used to map firewall rule sets. By sending ACK packets to different ports, you can determine which ports are being filtered and which are not.
The results of an ACK scan can be affected by the network configuration and the presence of firewalls.
Filtered ports do not necessarily mean that the service is not running. It simply means that Nmap cannot determine its state due to filtering.

Compare ACK scan with SYN scan in Xfce terminal

In this step, you will compare the results of an Nmap ACK scan with a SYN scan. This comparison will help you understand the differences between these scan types and how they can be used to gather different information about a target.

Understanding ACK and SYN Scans

ACK Scan (-sA): Sends TCP ACK packets to the target. It's primarily used to map firewall rulesets. If a port is unfiltered, it usually means that the firewall allows ACK packets to pass through. If a port is filtered, it means the firewall is likely blocking ACK packets. ACK scan does not determine if a port is open or closed.
SYN Scan (-sS): Sends TCP SYN packets to the target. It's a stealthier scan than a full TCP connect scan because it doesn't complete the TCP handshake. If a SYN/ACK packet is received, the port is considered open. If a RST packet is received, the port is considered closed.

Performing a SYN Scan

Open the Xfce terminal: If it's not already open, launch the Xfce terminal from the desktop environment.
Execute the SYN scan command: In the terminal, type the following command and press Enter:
```
nmap -sS 127.0.0.1
```
- nmap: The Nmap command-line scanner.
- -sS: Specifies the SYN scan type.
- 127.0.0.1: The target IP address (localhost in this case).
Execute the SYN scan command with output to file: In the terminal, type the following command and press Enter:
```
nmap -sS -oN syn.txt 127.0.0.1
```
- nmap: The Nmap command-line scanner.
- -sS: Specifies the SYN scan type.
- -oN syn.txt: Specifies that the output should be saved in normal format to a file named syn.txt. The file will be saved in your current directory (~/project).
- 127.0.0.1: The target IP address (localhost in this case).

Comparing the Results

View the SYN scan results: After the SYN scan completes, view the results in the terminal. You should see a list of open, closed, and filtered ports.
View the contents of the file: You can view the contents of the syn.txt file using the cat command or a text editor like nano:
```
cat ~/project/syn.txt
```
or
```
nano ~/project/syn.txt
```
The file will contain the Nmap scan results in a human-readable format.
Compare with ACK scan results: Compare the SYN scan results with the ACK scan results you obtained in the previous steps (either from the terminal output or the ack.txt file).
Analyze the Differences:
- Open Ports: The SYN scan will show you which ports are actually open on the target. The ACK scan will not directly reveal open ports.
- Filtered Ports: If a port is filtered in the ACK scan but open in the SYN scan, it suggests that the firewall is blocking ACK packets but allowing SYN packets to that port. This is a common scenario.
- Closed Ports: The SYN scan will show you which ports are closed. The ACK scan will not directly reveal closed ports.

Example Comparison:

Let's say the ACK scan shows that port 80 (HTTP) is filtered, while the SYN scan shows that port 80 is open. This indicates that the firewall is likely blocking ACK packets to port 80, but allowing SYN packets. This is a typical configuration for a web server, where incoming SYN packets are allowed to establish connections, but unsolicited ACK packets are blocked.

Key Takeaways:

ACK and SYN scans provide different types of information about a target.
ACK scans are useful for mapping firewall rulesets.
SYN scans are useful for identifying open ports.
By comparing the results of these scans, you can gain a better understanding of the target's security posture.

Summary

In this lab, you will learn to conduct TCP ACK scanning using Nmap. You'll start by performing a basic ACK scan with the command nmap -sA <target_ip>, understanding how ACK packets work and how to determine if a port is filtered or unfiltered based on the responses. You'll also learn to scan a specific port range, add verbosity to the scan, and save the results to a file. Additionally, you'll analyze filtered ports and compare ACK scans with SYN scans in the Xfce terminal.