Introduction
In this lab, you will learn how to execute TCP Null scanning in Nmap. The lab covers various aspects of Null scanning, including running a basic Null scan on a specific IP address, scanning a defined port range, adding verbosity to the scan, saving the scan results, comparing Null scans with SYN scans, and reviewing the results in the Xfce terminal.
Null scans, where all TCP flags are set to zero, can help determine port states, but they may not always be reliable because some firewalls or systems drop packets with no flags set. Through a series of Nmap commands, you'll gain hands-on experience with different Null scan operations.
Run Null scan with nmap -sN 192.168.1.1
In this step, we will perform a Null scan using Nmap. A Null scan is a type of TCP scan where all TCP flags are set to zero. This means that no flags (SYN, ACK, RST, FIN, URG, PSH) are set in the TCP header. The response to a Null scan can help determine the state of a port.
Here's a brief overview of how Null scans work:
- Null Scan: Sends a TCP packet with no flags set.
- Open or Filtered Port: If the port is open or filtered, there is no response.
- Closed Port: If the port is closed, the target host should respond with an RST (reset) packet.
It's important to note that Null scans are not always reliable, as some firewalls or systems may drop packets with no flags set.
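To make the inference rules above concrete, here is a small model (added for this lab, not Nmap's own code) of how a target answers a Null probe and, for contrast, the SYN probe used later in the lab, and which port state Nmap reports for each answer. The "rst_to_everything" host is an assumed model of stacks that reset every flagless probe regardless of port state, which is the reason Null scans are unreliable against them.

```python
"""Model of what a host sends back to a Null probe versus a SYN probe, and the
port state Nmap infers from each answer. Constructed teaching example for this
lab, not Nmap's own code; 'rst_to_everything' is an assumed model of stacks
that reset every flagless probe regardless of whether the port is open."""
from typing import Optional

NULL_PROBE = frozenset()          # -sN: no TCP flags at all
SYN_PROBE = frozenset({"SYN"})    # -sS: SYN only

def target_response(flags: frozenset, port_open: bool,
                    firewall: Optional[str] = None,
                    rst_to_everything: bool = False) -> Optional[str]:
    """Return 'RST', 'SYN/ACK', 'ICMP_UNREACHABLE' or None (no reply)."""
    if firewall == "drop":            # probe silently discarded
        return None
    if firewall == "reject":          # probe refused with an ICMP error
        return "ICMP_UNREACHABLE"
    if rst_to_everything and "SYN" not in flags:
        return "RST"                  # every port looks closed to a Null scan
    if not port_open:
        return "RST"                  # RFC 793: a closed port resets whatever arrives
    if "SYN" in flags:
        return "SYN/ACK"              # an open port accepts the connection request
    return None                       # an open port ignores a packet with no SYN

def nmap_state(scan: str, response: Optional[str]) -> str:
    """Port state Nmap reports for a -sN or -sS probe given the reply."""
    if response == "ICMP_UNREACHABLE":
        return "filtered"
    if scan == "-sN":
        return "closed" if response == "RST" else "open|filtered"
    if scan == "-sS":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    raise ValueError(f"unsupported scan type {scan}")

def scan_port(scan: str, port_open: bool, **host) -> str:
    """Run one probe of the given scan type against a modelled host."""
    probe = NULL_PROBE if scan == "-sN" else SYN_PROBE
    return nmap_state(scan, target_response(probe, port_open, **host))

if __name__ == "__main__":
    for host in ({}, {"rst_to_everything": True}, {"firewall": "drop"}):
        for port_open in (True, False):
            print(host or "RFC 793 host", "open" if port_open else "closed",
                  "-sN ->", scan_port("-sN", port_open, **host),
                  "-sS ->", scan_port("-sS", port_open, **host))
```

Running it shows the two cases the lab warns about: a host that resets every flagless probe makes all ports look closed to -sN while -sS still finds the open ones, and a dropping firewall leaves -sN with nothing better than open|filtered.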
Let's run a Null scan against the IP address 192.168.1.1. Open your Xfce terminal and execute the following command:
sudo nmap -sN 192.168.1.1
This command tells Nmap to perform a Null scan (-sN) against the target IP address 192.168.1.1. You will need sudo privileges to run Nmap.
The output will show the status of the ports on the target machine. Since Null scans often don't provide definitive answers, you might see ports listed as open|filtered or closed.
Example output (the actual output will vary depending on the target):
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).
All 1000 scanned ports on 192.168.1.1 are filtered
Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds
In this example, all 1000 scanned ports are reported as filtered. This means that Nmap was unable to determine whether the ports are open or closed due to firewall rules or other network configurations.
Scan port range with nmap -sN -p 1-100 127.0.0.1
In this step, we will extend our use of the Null scan by specifying a port range to scan. This allows us to focus our scan on specific ports of interest, rather than scanning all 1000 default ports. We will scan ports 1 to 100 on the localhost (127.0.0.1).
The -p option in Nmap allows you to specify the port range. The syntax is -p <start_port>-<end_port>. In our case, we'll use -p 1-100 to scan ports 1 through 100.
Open your Xfce terminal and execute the following command:
sudo nmap -sN -p 1-100 127.0.0.1
This command tells Nmap to perform a Null scan (-sN) on ports 1 through 100 (-p 1-100) of the localhost (127.0.0.1). Remember that you need sudo privileges to run Nmap.
The output will show the status of ports 1-100 on the target machine. As with the previous Null scan, the results may not be definitive, and you might see ports listed as open|filtered or closed.
Example output (the actual output will vary):
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 99 filtered ports
PORT STATE SERVICE
7/tcp closed echo
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
In this example, port 7 (echo) is reported as closed, and the other 99 ports are filtered. This indicates that the target host responded with an RST packet for port 7, while the other ports either didn't respond or their responses were blocked by a firewall.
Add verbosity with nmap -v -sN 192.168.1.1
In this step, we will add verbosity to our Null scan. Verbosity in Nmap provides more detailed information about the scan process, which can be helpful for understanding what Nmap is doing and for troubleshooting any issues.
The -v option in Nmap increases the verbosity level. You can use -v multiple times (e.g., -vv) to increase the verbosity even further. For this step, we'll use a single -v.
Open your Xfce terminal and execute the following command:
sudo nmap -v -sN 192.168.1.1
This command tells Nmap to perform a Null scan (-sN) against the target IP address 192.168.1.1, with increased verbosity (-v). You will need sudo privileges to run Nmap.
The output will be more detailed than the previous Null scan. You'll see information about the scan progress, the ports being scanned, and any errors or warnings that occur.
Example output (the actual output will vary depending on the target):
Starting Nmap 7.80 ( https://nmap.org )
NSE: Loaded 0 scripts for scanning.
Initiating Null scan for 192.168.1.1
Scanning 192.168.1.1 [1000 ports]
Completed Null scan for 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).
All 1000 scanned ports on 192.168.1.1 are filtered
Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds
Notice the additional lines in the output, such as "NSE: Loaded 0 scripts for scanning.", "Initiating Null scan for 192.168.1.1", "Scanning 192.168.1.1 [1000 ports]", and "Completed Null scan for 192.168.1.1". These lines provide more insight into the scan process.
Save Null scan results with nmap -sN -oN null.txt 127.0.0.1
In this step, we will save the results of our Null scan to a file. This is useful for later analysis or for documenting your findings. Nmap provides several options for saving scan results in different formats. We will use the -oN option, which saves the results in a normal, human-readable format.
The -oN option takes a filename as an argument. In our case, we'll save the results to a file named null.txt in the ~/project directory.
Open your Xfce terminal and execute the following command:
sudo nmap -sN -oN null.txt 127.0.0.1
This command tells Nmap to perform a Null scan (-sN) against the localhost (127.0.0.1) and save the results in normal format (-oN) to the file null.txt. You will need sudo privileges to run Nmap.
After the scan completes, you can view the contents of the null.txt file using the cat command or a text editor like nano.
cat null.txt
Example output (the actual output will vary):
# Nmap 7.80 scan initiated Mon Oct 26 14:35:00 2020
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
All 1000 scanned ports on localhost (127.0.0.1) are filtered
# Nmap done at Mon Oct 26 14:35:03 2020 -- 1 IP address (1 host up) scanned in 3.21 seconds
You can also open the file with nano:
nano null.txt
This will open the null.txt file in the nano text editor, allowing you to view and edit the contents.
Compare Null scan with SYN scan in Xfce terminal
In this step, we will compare the results of a Null scan with a SYN scan. This will help you understand the differences between these two scan types and how they can be used to gather different information about a target.
A SYN scan (also known as a half-open scan) is a stealthier scan that doesn't complete the TCP handshake. It sends a SYN packet to the target, and if the target responds with a SYN/ACK, the port is open. Nmap then sends an RST packet instead of completing the connection.
A Null scan, on the other hand, sends a TCP packet with no flags set. The response from the target can indicate whether the port is open, closed, or filtered, depending on the target's operating system and firewall configuration.
First, let's perform a SYN scan against the localhost (127.0.0.1) and save the results to a file named syn.txt.
Open your Xfce terminal and execute the following command:
sudo nmap -sS -oN syn.txt 127.0.0.1
This command tells Nmap to perform a SYN scan (-sS) against the localhost (127.0.0.1) and save the results in normal format (-oN) to the file syn.txt. You will need sudo privileges to run Nmap.
Now, let's compare the contents of null.txt (which we created in the previous step) with the contents of syn.txt. You can use the diff command to compare the two files:
diff null.txt syn.txt
The diff command will show you the differences between the two files. You can also use a text editor like nano to open both files and compare them side-by-side.
nano null.txt syn.txt
Examine the output of both scans. You might notice that the SYN scan is more likely to identify open ports than the Null scan, especially if the target system is configured to drop packets with no flags set. Null scans are often used to try to bypass firewalls or intrusion detection systems, but they are not always reliable.
The key difference is that a SYN scan attempts to start a connection and reads the port state directly from the SYN/ACK or RST it gets back, while a Null scan sends a packet with no flags set and can only infer port status from whether the target responds at all.
Review results in Xfce terminal
In this step, we will review the results of the Null and SYN scans we performed in the previous steps. This involves examining the output files (null.txt and syn.txt) and interpreting the information they contain.
Open your Xfce terminal and use the cat command or nano editor to view the contents of both files.
cat null.txt
cat syn.txt
Or, using nano:
nano null.txt
nano syn.txt
When reviewing the results, consider the following:
- Host Status: Check if the target host is reported as "up" or "down." If the host is down, Nmap may not be able to gather much information.
- Port Status: Look for the status of each port. Common port statuses include "open," "closed," and "filtered."
  - Open: Indicates that the port is listening for connections.
  - Closed: Indicates that the port is not listening for connections.
  - Filtered: Indicates that a firewall or other network device is blocking access to the port, making it difficult to determine its status.
- Differences between Null and SYN scans: Compare the results of the two scans. Did one scan identify more open ports than the other? Were there any ports that were reported as "filtered" by one scan but "closed" by the other?
For example, the null.txt might show all ports as filtered:
# Nmap 7.80 scan initiated Mon Oct 26 14:35:00 2020
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
All 1000 scanned ports on localhost (127.0.0.1) are filtered
# Nmap done at Mon Oct 26 14:35:03 2020 -- 1 IP address (1 host up) scanned in 3.21 seconds
While syn.txt might show some ports as open:
# Nmap 7.80 scan initiated Mon Oct 26 14:36:00 2020
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
PORT STATE SERVICE
22/tcp open ssh
25/tcp closed smtp
80/tcp open http
111/tcp open rpcbind
...
# Nmap done at Mon Oct 26 14:36:03 2020 -- 1 IP address (1 host up) scanned in 3.21 seconds
By comparing the results of different scan types, you can gain a more comprehensive understanding of the target system's security posture. Remember that the accuracy of the results can be affected by various factors, such as firewalls, intrusion detection systems, and the target's operating system configuration.
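The diff command from the comparison step shows raw line differences; the script below (an added example for this lab, not Nmap code) instead parses the -oN normal output of both scans and reports, port by port, where the Null and SYN results disagree, which is the question the review checklist above asks. NULL_TXT and SYN_TXT are constructed after the lab's sample outputs and are not real scan results; in practice you would read them from null.txt and syn.txt.

```python
"""Compare per-port states from two Nmap normal-output (-oN) files, the way
the lab compares null.txt with syn.txt. Added example for this lab, not Nmap
code; NULL_TXT and SYN_TXT are constructed after the lab's sample outputs."""
import re

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\S+) ports")
ALL_PORTS = re.compile(r"^All \d+ scanned ports on .* are (\S+)")

def parse_normal_output(text: str):
    """Return (explicitly listed port states, default state of unlisted ports)."""
    states, default = {}, None
    for line in text.splitlines():
        if m := PORT_LINE.match(line):
            states[int(m.group(1))] = m.group(3)
        elif (m := NOT_SHOWN.match(line)) or (m := ALL_PORTS.match(line)):
            default = m.group(1)     # Nmap folds the most common state into one line
    return states, default

def compare_scans(null_text: str, syn_text: str):
    """Ports where the scans disagree, as [(port, null_state, syn_state)]."""
    null_states, null_default = parse_normal_output(null_text)
    syn_states, syn_default = parse_normal_output(syn_text)
    diffs = []
    for port in sorted(set(null_states) | set(syn_states)):
        n = null_states.get(port, null_default)   # unlisted ports take the default
        s = syn_states.get(port, syn_default)
        if n != s:
            diffs.append((port, n, s))
    return diffs

# Constructed sample files modelled on the lab's example outputs.
NULL_TXT = """# Nmap 7.80 scan initiated Mon Oct 26 14:35:00 2020
Nmap scan report for localhost (127.0.0.1)
All 1000 scanned ports on localhost (127.0.0.1) are filtered
"""
SYN_TXT = """# Nmap 7.80 scan initiated Mon Oct 26 14:36:00 2020
Nmap scan report for localhost (127.0.0.1)
Not shown: 996 closed ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
80/tcp  open   http
111/tcp open   rpcbind
"""

if __name__ == "__main__":
    for port, n, s in compare_scans(NULL_TXT, SYN_TXT):
        print(f"{port}/tcp  null={n:<14} syn={s}")
```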
Summary
In this lab, participants learned to execute TCP Null scanning using Nmap. They started by running a Null scan against the IP address 192.168.1.1 with the command sudo nmap -sN 192.168.1.1, understanding that a Null scan sets all TCP flags to zero and that the response can help determine port states. They also learned to scan a specific port range (1-100) on 127.0.0.1, add verbosity to the scan, save the results to a file, compare Null scans with SYN scans, and review the results in the Xfce terminal. It was noted that Null scans are not always reliable because some firewalls or systems drop packets with no flags set.