LabEx
Log InJoin Free

Perform Stealth Network Scanning with Nmap

NmapBeginner
Practice Now

Introduction

In this lab, you will learn how to perform stealth network scanning using Nmap, a powerful open - source tool for network discovery and security auditing. Stealth scanning is crucial in cybersecurity, enabling security professionals to identify network vulnerabilities while reducing the risk of detection.

You will explore different Nmap scanning techniques, starting from basic stealth scans and moving on to more advanced covert methods. These skills are essential for security professionals conducting network audits without triggering existing security systems or alerting potential threats on the network. By the end of the lab, you'll gain practical experience with Nmap's stealth scanning and know how to apply these techniques in real - world security assessments.

Setting Up Your Testing Environment

In this step, we're going to get your environment ready for the stealth network audit. We'll set up a simple web server that will act as the target for our scanning. Having a controlled target like this is crucial because it allows you to practice stealth scanning techniques without affecting real - world systems.

First, we need to open a terminal. The terminal is like a command - line interface where you can type commands to interact with your computer. Once you've opened the terminal, you'll navigate to your workspace. Your workspace is a specific directory where you'll keep all your project - related files. To do this, use the following command:

cd /home/labex/project

The cd command stands for "change directory". It tells the system to move you from your current location to the specified directory, which in this case is /home/labex/project.

Now that you're in your workspace, we'll create a new directory called stealth. Directories are like folders on your computer, and creating a dedicated directory helps you organize your work. Use the following command to create the directory:

mkdir -p /home/labex/project/stealth

The mkdir command is used to make a new directory. The -p option ensures that if any intermediate directories in the path don't exist, they will be created as well.

After creating the directory, you need to navigate into it. This way, any files you create will be stored inside the stealth directory. Use the cd command again:

cd /home/labex/project/stealth

Next, we'll create a simple HTML file. HTML (Hypertext Markup Language) is the standard language for creating web pages. This file will be served by our web server, simulating a real - world web service. Use the following command to create the file:

echo "Robotics server running..." > index.html

The echo command prints the text "Robotics server running..." to the terminal. The > symbol redirects that output and writes it into a new file called index.html.

Now, we need to set up a DNS resolver. DNS (Domain Name System) is like a phone book for the internet. It translates domain names (like google.com) into IP addresses. By setting up a DNS resolver, we ensure that our system can properly connect to other networks. Use the following command:

sudo sh -c 'echo "nameserver 8.8.8.8" > /etc/resolv.conf'

The sudo command gives you administrative privileges to perform actions that require special permissions. The sh -c is used to run a shell command. We're writing the line "nameserver 8.8.8.8" into the /etc/resolv.conf file, which is where the system stores DNS configuration.

Finally, we'll start a simple web server using the nc (netcat) command. Netcat is a versatile networking utility that can be used for various tasks, including setting up a simple server. This server will listen on port 8080 and serve the HTML file we created earlier. Use the following command:

nc -lvp 8080 < index.html &

Let's break down this command:

  • nc is the netcat utility for network connections. It allows you to create connections between different network endpoints.
  • -l tells netcat to listen for incoming connections. Instead of trying to connect to another server, it will wait for others to connect to it.
  • -v enables verbose output. This means that netcat will provide more detailed information about what it's doing.
  • -p 8080 specifies the port to listen on. Ports are like doors on a computer, and in this case, we're opening port 8080 for incoming connections.
  • < index.html feeds the content of index.html to any connection. When a client connects to our server, it will receive the content of the index.html file.
  • & runs the process in the background. This way, you can continue using the terminal to run other commands while the server is running.

After running the command, you should see output indicating that the server is listening on port 8080:

Listening on 0.0.0.0 8080

You now have a web server running on port 8080 that will act as your target for the stealth scanning exercises.

Performing Basic Stealth Scans with Nmap

In this step, we're going to learn how to perform a basic stealth scan using Nmap. But first, let's understand what a stealth scan is. Stealth scanning, also known as SYN scanning, is a really useful technique in the world of network security. When you're trying to figure out which ports are open on a target system, a stealth scan can help you do that while reducing the chances of being detected by the target. This is important because if the target system detects your scan, it might take defensive actions or log your activity.

Now, before we start the scan, we need to make sure we're in the right place. We'll navigate back to our main workspace. This is like going back to your home base where all your project - related files are stored. To do this, we'll use the following command:

cd /home/labex/project

Understanding Stealth Scanning

To fully understand how a stealth scan works, we first need to know about traditional TCP connections. A traditional TCP connection follows a three - way handshake process. This is a set of steps that the client and the server go through to establish a connection.

  1. The client sends a SYN (synchronize) packet to the server. This is like the client saying "Hey, I want to start a conversation."
  2. If the server is ready to talk, it responds with a SYN - ACK (synchronize - acknowledge) packet. It's like the server saying "Sure, I'm ready to talk."
  3. Finally, the client sends an ACK (acknowledge) packet to complete the connection. This is the client saying "Great, let's start the conversation."

However, a stealth scan doesn't follow this full process. Instead:

  1. The client sends a SYN packet to the server, just like in a normal connection.
  2. If the port on the server is open, the server responds with a SYN - ACK packet.
  3. But here's the difference. Instead of sending an ACK packet to complete the connection, the client sends a RST (reset) packet. This stops the connection from being fully established.

The reason this is useful is that the target system is less likely to log this kind of interaction because the connection is never fully set up. So, it's a sneaky way to find out which ports are open without leaving a big trail.

Executing a Stealth Scan

Now that we understand how a stealth scan works, let's execute one against our local web server. We'll use the following Nmap command:

sudo nmap -sS -p 8080 localhost > /home/labex/project/stealth_scan.txt

Let's break down this command so you know exactly what each part does:

  • sudo is used because stealth scans require raw socket access. Raw socket access is a low - level way of interacting with the network, and it needs special permissions. So, we use sudo to run the command with administrative privileges.
  • nmap is the scanning tool we're using. It's a very popular and powerful tool for network exploration and security auditing.
  • -sS specifies that we want to perform a SYN stealth scan. This tells Nmap to use the stealth scanning technique we just learned about.
  • -p 8080 tells Nmap to only scan port 8080. Sometimes, you might want to scan multiple ports, but in this case, we're just interested in port 8080.
  • localhost is the target of our scan. Since we're running this on our local machine, localhost refers to our own computer.
  • > /home/labex/project/stealth_scan.txt redirects the output of the scan to a text file. This way, we can save the results and look at them later.

After running the scan, we want to see the results. To do this, we'll use the following command:

cat /home/labex/project/stealth_scan.txt

When you run this command, you should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-25 12:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Notice that Nmap correctly identified that port 8080 is open. This means our stealth scan was successful in detecting the web server we set up in Step 1.

Understanding Port States

When analyzing scan results, you'll notice that Nmap reports ports in different states:

  1. open - A service is actively accepting connections on this port
  2. closed - The port is accessible, but no service is listening
  3. filtered - A firewall or network obstacle is blocking the port
  4. unfiltered - The port is accessible, but Nmap can't determine if it's open or closed
  5. open|filtered - Nmap can't determine if the port is open or filtered

In our scan, port 8080 is reported as open, indicating our web server is actively accepting connections.

The advantage of using stealth scanning is that it gives us accurate results while being less intrusive than a full TCP connect scan. A full TCP connect scan goes through the entire three-way handshake, which is more likely to be noticed by the target system and trigger alerts on monitored systems.

Advanced Covert Scanning Techniques

In this step, we're going to explore more advanced scanning techniques that offer an even higher level of stealth. These techniques are crucial in cybersecurity because they allow you to gather information about a target network without easily being detected. One such powerful technique is the Idle Scan, also known as the Zombie Scan. This method enables you to scan a target while masking your identity behind another host.

Before we start, it's important to ensure that you are in your workspace. This is where all your project - related files and commands will be executed. To navigate to your workspace, run the following command in your terminal:

cd /home/labex/project

Understanding Idle Scanning

The Idle Scan is one of the most stealthy scanning techniques available in Nmap. But how does it work? Well, it uses a third - party host, which we call a "zombie", to carry out the scan. This makes it seem like the scan is coming from the zombie host instead of you.

Let's break down the process of an Idle Scan step by step:

  1. First, the scanner sends a probe to the zombie host. This probe helps the scanner figure out the current IP ID sequence of the zombie. The IP ID sequence is a unique number that the host assigns to each IP packet it sends.
  2. Next, the scanner sends a SYN packet to the target. However, it sets the source IP address of this packet to be the IP address of the zombie. A SYN packet is used to initiate a TCP connection.
  3. If the port on the target is open, the target will respond with a SYN - ACK packet. This packet is sent to the zombie because that's the source IP address it saw in the SYN packet.
  4. The zombie, which wasn't expecting this SYN - ACK packet, will send a RST packet back to the target. A RST packet is used to reset a TCP connection.
  5. The scanner then probes the zombie again. It checks if the IP ID sequence of the zombie has increased.
  6. If the IP ID sequence has incremented, it indicates that the port on the target is open. This is because the zombie sent a RST packet in response to the SYN - ACK from the target.

The beauty of this technique is its stealth. The target only sees communication coming from the zombie, not from the actual scanner. So, it's very difficult for the target to detect that it's being scanned.

Executing an Idle Scan

Now, let's execute an idle scan using Nmap. In a real - world situation, you would use an external zombie host. But for this lab, we'll simulate the process using your local machine.

Run the following command in your terminal:

sudo nmap -sI 127.0.0.1 localhost -p 8080 > /home/labex/project/idle_scan.txt

Let's understand each part of this command:

  • sudo is used because Nmap needs raw socket access to perform the idle scan. Raw socket access allows Nmap to create and send custom IP packets, which is necessary for this type of scan.
  • nmap is the well - known scanning tool that we're using for this task.
  • -sI 127.0.0.1 specifies that we're performing an idle scan and using 127.0.0.1 (which is the localhost) as the zombie host.
  • localhost is the target that we want to scan.
  • -p 8080 tells Nmap to only scan port 8080 on the target.
  • > /home/labex/project/idle_scan.txt redirects the output of the scan to a text file. This way, we can easily review the results later.

After running the scan, let's examine the results. Use the following command to view the contents of the output file:

cat /home/labex/project/idle_scan.txt

You might see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-25 12:10 UTC
Idle scan using zombie 127.0.0.1 (127.0.0.1:80); Class: Incremental
Skipping Idle Scan against localhost (127.0.0.1) -- you can't idle scan your own machine (localhost).
Nmap scan report for localhost (127.0.0.1)
Host is up.

PORT     STATE   SERVICE
8080/tcp unknown http-proxy

Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds

Notice that Nmap reports that it's skipping the idle scan. This is because you're trying to use your own machine as both the zombie and the target. In a real - world scenario where you have separate hosts, this technique would be very effective for covert scanning.

Even though we have this limitation in our lab environment, this exercise still shows you how to use the idle scan command. In practice, you would choose a different host as the zombie, and the scan would run without this warning message.

This advanced technique is very valuable when you need maximum stealth. It makes it extremely difficult for the target to trace the scan back to the actual scanner.

Comparing Scan Results

Let's compare the outputs of both scan types to see the differences:

echo "=== Stealth Scan Results ===" && cat /home/labex/project/stealth_scan.txt
echo "=== Idle Scan Results ===" && cat /home/labex/project/idle_scan.txt

Both scans successfully detected the open port 8080, but the idle scan shows additional information about the scanning technique being used.

Clean Up

Before finishing, let's clean up our environment by stopping the web server:

pkill -f "nc -lvp 8080"

This terminates the netcat process running our web server on port 8080.

Summary

In this lab, you have learned how to perform stealth network scanning using Nmap, a crucial skill for cybersecurity professionals. You started by setting up a test environment with a simple web server to practice scanning in a controlled setting. Then, you explored basic stealth scanning with the SYN scan technique, which offers accurate results and reduces the risk of detection, making it useful for security audits without alerting monitored systems.

Finally, you delved into more advanced covert scanning methods, such as the Idle Scan, which can hide the scan's origin. Although its application was limited in the lab environment, you learned how it works in real-world scenarios. You also practiced interpreting scan results by understanding different port states and comparing outputs from different scanning techniques. Mastering these stealth scanning techniques equips you to conduct thorough network assessments in cybersecurity work.

Related Nmap Courses
Nmap for Beginners

Nmap for Beginners

cybersecuritynmaplinux
Hands-On Network Scanning with Nmap on Linux

Hands-On Network Scanning with Nmap on Linux

cybersecuritynmaplinux
Nmap Scanning and Telnet Access

Nmap Scanning and Telnet Access

cybersecuritynmaplinux