Perform Stealth Network Scanning with Nmap

NmapNmapBeginner
Practice Now

Introduction

In this lab, you will learn how to perform stealth network scanning using Nmap, a powerful open - source tool for network discovery and security auditing. Stealth scanning is crucial in cybersecurity, enabling security professionals to identify network vulnerabilities while reducing the risk of detection.

You will explore different Nmap scanning techniques, starting from basic stealth scans and moving on to more advanced covert methods. These skills are essential for security professionals conducting network audits without triggering existing security systems or alerting potential threats on the network. By the end of the lab, you'll gain practical experience with Nmap's stealth scanning and know how to apply these techniques in real - world security assessments.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/installation("Installation and Setup") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/scan_types("Scan Types and Techniques") nmap/NmapGroup -.-> nmap/target_specification("Target Specification") nmap/NmapGroup -.-> nmap/syn_scan("SYN Scan") nmap/NmapGroup -.-> nmap/stealth_scanning("Stealth and Covert Scanning") subgraph Lab Skills nmap/installation -.-> lab-415933{{"Perform Stealth Network Scanning with Nmap"}} nmap/port_scanning -.-> lab-415933{{"Perform Stealth Network Scanning with Nmap"}} nmap/scan_types -.-> lab-415933{{"Perform Stealth Network Scanning with Nmap"}} nmap/target_specification -.-> lab-415933{{"Perform Stealth Network Scanning with Nmap"}} nmap/syn_scan -.-> lab-415933{{"Perform Stealth Network Scanning with Nmap"}} nmap/stealth_scanning -.-> lab-415933{{"Perform Stealth Network Scanning with Nmap"}} end

Setting Up Your Testing Environment

In this step, we're going to get your environment ready for the stealth network audit. We'll set up a simple web server that will act as the target for our scanning. Having a controlled target like this is crucial because it allows you to practice stealth scanning techniques without affecting real - world systems.

First, we need to open a terminal. The terminal is like a command - line interface where you can type commands to interact with your computer. Once you've opened the terminal, you'll navigate to your workspace. Your workspace is a specific directory where you'll keep all your project - related files. To do this, use the following command:

cd /home/labex/project

The cd command stands for "change directory". It tells the system to move you from your current location to the specified directory, which in this case is /home/labex/project.

Now that you're in your workspace, we'll create a new directory called stealth. Directories are like folders on your computer, and creating a dedicated directory helps you organize your work. Use the following command to create the directory:

mkdir -p /home/labex/project/stealth

The mkdir command is used to make a new directory. The -p option ensures that if any intermediate directories in the path don't exist, they will be created as well.

After creating the directory, you need to navigate into it. This way, any files you create will be stored inside the stealth directory. Use the cd command again:

cd /home/labex/project/stealth

Next, we'll create a simple HTML file. HTML (Hypertext Markup Language) is the standard language for creating web pages. This file will be served by our web server, simulating a real - world web service. Use the following command to create the file:

echo "Robotics server running..." > index.html

The echo command prints the text "Robotics server running..." to the terminal. The > symbol redirects that output and writes it into a new file called index.html.

Now, we need to set up a DNS resolver. DNS (Domain Name System) is like a phone book for the internet. It translates domain names (like google.com) into IP addresses. By setting up a DNS resolver, we ensure that our system can properly connect to other networks. Use the following command:

sudo sh -c 'echo "nameserver 8.8.8.8" > /etc/resolv.conf'

The sudo command gives you administrative privileges to perform actions that require special permissions. The sh -c is used to run a shell command. We're writing the line "nameserver 8.8.8.8" into the /etc/resolv.conf file, which is where the system stores DNS configuration.

Finally, we'll start a simple web server using the nc (netcat) command. Netcat is a versatile networking utility that can be used for various tasks, including setting up a simple server. This server will listen on port 8080 and serve the HTML file we created earlier. Use the following command:

nc -lvp 8080 < index.html &

Let's break down this command:

  • nc is the netcat utility for network connections. It allows you to create connections between different network endpoints.
  • -l tells netcat to listen for incoming connections. Instead of trying to connect to another server, it will wait for others to connect to it.
  • -v enables verbose output. This means that netcat will provide more detailed information about what it's doing.
  • -p 8080 specifies the port to listen on. Ports are like doors on a computer, and in this case, we're opening port 8080 for incoming connections.
  • < index.html feeds the content of index.html to any connection. When a client connects to our server, it will receive the content of the index.html file.
  • & runs the process in the background. This way, you can continue using the terminal to run other commands while the server is running.

After running the command, you should see output indicating that the server is listening on port 8080:

Listening on 0.0.0.0 8080

You now have a web server running on port 8080 that will act as your target for the stealth scanning exercises.

Performing Basic Stealth Scans with Nmap

In this step, we're going to learn how to perform a basic stealth scan using Nmap. But first, let's understand what a stealth scan is. Stealth scanning, also known as SYN scanning, is a really useful technique in the world of network security. When you're trying to figure out which ports are open on a target system, a stealth scan can help you do that while reducing the chances of being detected by the target. This is important because if the target system detects your scan, it might take defensive actions or log your activity.

Now, before we start the scan, we need to make sure we're in the right place. We'll navigate back to our main workspace. This is like going back to your home base where all your project - related files are stored. To do this, we'll use the following command:

cd /home/labex/project

Understanding Stealth Scanning

To fully understand how a stealth scan works, we first need to know about traditional TCP connections. A traditional TCP connection follows a three - way handshake process. This is a set of steps that the client and the server go through to establish a connection.

  1. The client sends a SYN (synchronize) packet to the server. This is like the client saying "Hey, I want to start a conversation."
  2. If the server is ready to talk, it responds with a SYN - ACK (synchronize - acknowledge) packet. It's like the server saying "Sure, I'm ready to talk."
  3. Finally, the client sends an ACK (acknowledge) packet to complete the connection. This is the client saying "Great, let's start the conversation."

However, a stealth scan doesn't follow this full process. Instead:

  1. The client sends a SYN packet to the server, just like in a normal connection.
  2. If the port on the server is open, the server responds with a SYN - ACK packet.
  3. But here's the difference. Instead of sending an ACK packet to complete the connection, the client sends a RST (reset) packet. This stops the connection from being fully established.

The reason this is useful is that the target system is less likely to log this kind of interaction because the connection is never fully set up. So, it's a sneaky way to find out which ports are open without leaving a big trail.

Executing a Stealth Scan

Now that we understand how a stealth scan works, let's execute one against our local web server. We'll use the following Nmap command:

sudo nmap -sS -p 8080 localhost > /home/labex/project/stealth_scan.txt

Let's break down this command so you know exactly what each part does:

  • sudo is used because stealth scans require raw socket access. Raw socket access is a low - level way of interacting with the network, and it needs special permissions. So, we use sudo to run the command with administrative privileges.
  • nmap is the scanning tool we're using. It's a very popular and powerful tool for network exploration and security auditing.
  • -sS specifies that we want to perform a SYN stealth scan. This tells Nmap to use the stealth scanning technique we just learned about.
  • -p 8080 tells Nmap to only scan port 8080. Sometimes, you might want to scan multiple ports, but in this case, we're just interested in port 8080.
  • localhost is the target of our scan. Since we're running this on our local machine, localhost refers to our own computer.
  • > /home/labex/project/stealth_scan.txt redirects the output of the scan to a text file. This way, we can save the results and look at them later.

After running the scan, we want to see the results. To do this, we'll use the following command:

cat /home/labex/project/stealth_scan.txt

When you run this command, you should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-25 12:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Notice that Nmap correctly identified that port 8080 is open. This means our stealth scan was successful in detecting the web server we set up in Step 1.

The advantage of using this scanning technique is that it gives us accurate results. At the same time, it's less intrusive than a full TCP connect scan. A full TCP connect scan goes through the entire three - way handshake, which is more likely to be noticed by the target system and trigger alerts on monitored systems. So, the stealth scan is a great option when you want to be more discreet.

Advanced Covert Scanning Techniques

In this step, we're going to explore more advanced scanning techniques that offer an even higher level of stealth. These techniques are crucial in cybersecurity because they allow you to gather information about a target network without easily being detected. One such powerful technique is the Idle Scan, also known as the Zombie Scan. This method enables you to scan a target while masking your identity behind another host.

Before we start, it's important to ensure that you are in your workspace. This is where all your project - related files and commands will be executed. To navigate to your workspace, run the following command in your terminal:

cd /home/labex/project

Understanding Idle Scanning

The Idle Scan is one of the most stealthy scanning techniques available in Nmap. But how does it work? Well, it uses a third - party host, which we call a "zombie", to carry out the scan. This makes it seem like the scan is coming from the zombie host instead of you.

Let's break down the process of an Idle Scan step by step:

  1. First, the scanner sends a probe to the zombie host. This probe helps the scanner figure out the current IP ID sequence of the zombie. The IP ID sequence is a unique number that the host assigns to each IP packet it sends.
  2. Next, the scanner sends a SYN packet to the target. However, it sets the source IP address of this packet to be the IP address of the zombie. A SYN packet is used to initiate a TCP connection.
  3. If the port on the target is open, the target will respond with a SYN - ACK packet. This packet is sent to the zombie because that's the source IP address it saw in the SYN packet.
  4. The zombie, which wasn't expecting this SYN - ACK packet, will send a RST packet back to the target. A RST packet is used to reset a TCP connection.
  5. The scanner then probes the zombie again. It checks if the IP ID sequence of the zombie has increased.
  6. If the IP ID sequence has incremented, it indicates that the port on the target is open. This is because the zombie sent a RST packet in response to the SYN - ACK from the target.

The beauty of this technique is its stealth. The target only sees communication coming from the zombie, not from the actual scanner. So, it's very difficult for the target to detect that it's being scanned.

Executing an Idle Scan

Now, let's execute an idle scan using Nmap. In a real - world situation, you would use an external zombie host. But for this lab, we'll simulate the process using your local machine.

Run the following command in your terminal:

sudo nmap -sI 127.0.0.1 localhost -p 8080 > /home/labex/project/idle_scan.txt

Let's understand each part of this command:

  • sudo is used because Nmap needs raw socket access to perform the idle scan. Raw socket access allows Nmap to create and send custom IP packets, which is necessary for this type of scan.
  • nmap is the well - known scanning tool that we're using for this task.
  • -sI 127.0.0.1 specifies that we're performing an idle scan and using 127.0.0.1 (which is the localhost) as the zombie host.
  • localhost is the target that we want to scan.
  • -p 8080 tells Nmap to only scan port 8080 on the target.
  • > /home/labex/project/idle_scan.txt redirects the output of the scan to a text file. This way, we can easily review the results later.

After running the scan, let's examine the results. Use the following command to view the contents of the output file:

cat /home/labex/project/idle_scan.txt

You might see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-25 12:10 UTC
Idle scan using zombie 127.0.0.1 (127.0.0.1:80); Class: Incremental
Skipping Idle Scan against localhost (127.0.0.1) -- you can't idle scan your own machine (localhost).
Nmap scan report for localhost (127.0.0.1)
Host is up.

PORT     STATE   SERVICE
8080/tcp unknown http-proxy

Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds

Notice that Nmap reports that it's skipping the idle scan. This is because you're trying to use your own machine as both the zombie and the target. In a real - world scenario where you have separate hosts, this technique would be very effective for covert scanning.

Even though we have this limitation in our lab environment, this exercise still shows you how to use the idle scan command. In practice, you would choose a different host as the zombie, and the scan would run without this warning message.

This advanced technique is very valuable when you need maximum stealth. It makes it extremely difficult for the target to trace the scan back to the actual scanner.

Understanding Scan Output and Practical Applications

In this final step, we're going to focus on learning how to interpret the scan results you've obtained and understand how these results are applied in real - world cybersecurity scenarios. This knowledge is crucial because it allows you to effectively use stealth scanning techniques when dealing with actual security challenges.

First, we need to navigate to your workspace. Your workspace is like a dedicated area where all your project - related files are stored. To get there, we'll use the cd command. The cd command stands for "change directory", and it's used to move from one directory to another in the file system. Run the following command in your terminal:

cd /home/labex/project

Comparing Different Scan Types

Now, let's compare the outputs of the different scan types you've performed. By comparing these outputs, you can see the differences in how each scan type reveals information about the target network.

The following command will display the results of the stealth scan. The echo command is used to print text to the terminal, and the cat command is used to display the contents of a file. Here, we're first printing a header to indicate that these are the stealth scan results, and then showing the actual content of the stealth_scan.txt file:

echo "=== Stealth Scan Results ===" && cat /home/labex/project/stealth_scan.txt

Similarly, this command will show the results of the idle scan:

echo "=== Idle Scan Results ===" && cat /home/labex/project/idle_scan.txt

Interpreting Port States

When you analyze the scan results, you'll notice that Nmap reports ports in different states. Understanding these states is key to making sense of the scan data.

  1. open - This means that a service is actively accepting connections on this port. For example, if a web server is running on a particular port, that port will be reported as open.
  2. closed - The port is accessible, but there's no service listening on it. It's like a door that's unlocked but no one is inside.
  3. filtered - A firewall or other network obstacle is blocking the port. It's as if there's a security guard preventing access to that port.
  4. unfiltered - The port is accessible, but Nmap can't determine if it's open or closed. It's like looking at a door and not being able to tell if someone is inside.
  5. open|filtered - Nmap can't determine if the port is open or filtered. There's some uncertainty about the state of the port.
  6. closed|filtered - Nmap can't determine if the port is closed or filtered.

In your stealth scan, port 8080 was reported as open. This indicates that your web server is actively accepting connections on that port, which means it's ready to serve web pages or other services to clients.

Practical Applications

Understanding how to interpret these results has several practical applications in cybersecurity:

  1. Identify security gaps: Open ports might represent potential entry points for attackers. If there are unnecessary open ports, attackers could use them to gain unauthorized access to your system.
  2. Verify firewall configurations: Filtered ports indicate that firewall rules are properly blocking access. This helps you ensure that your network is protected from unwanted traffic.
  3. Conduct security audits: Regular scanning helps ensure that only necessary ports are open. By periodically scanning your network, you can detect any new open ports that might pose a security risk.
  4. Prepare remediation plans: Based on scan results, you can develop plans to address security issues. For example, if you find an unnecessary open port, you can close it.

Now, let's create a simple report summarizing your findings and recommendations. A report is a useful way to document what you've discovered and what actions should be taken.

cat << EOF > /home/labex/project/scan_report.txt
## Network Scan Report

### Findings:
- Port 8080 is open and running an HTTP proxy service
- This port was successfully detected using stealth scanning techniques

### Recommendations:
- Ensure this port is intended to be open
- Implement proper access controls if this service is necessary
- Close the port if the service is not required
- Regularly scan the network to detect changes in the network footprint
EOF

To view your report, use the cat command again:

cat /home/labex/project/scan_report.txt

This report format is useful for documenting your findings and providing actionable recommendations based on scan results. It helps you communicate the security status of your network to others and take appropriate actions.

Clean Up

Before finishing, we need to clean up our environment. In Step 1, we started a web server, and now we need to stop it. We'll use the pkill command, which is used to terminate processes based on their name or other criteria. The -f option tells pkill to search in the full command line of the processes.

pkill -f "nc -lvp 8080"

This command terminates the netcat process that was running our web server on port 8080.

You have now completed a comprehensive exploration of stealth scanning techniques with Nmap, from basic setup to advanced methods and practical application of the results.

Summary

In this lab, you have learned how to perform stealth network scanning using Nmap, a crucial skill for cybersecurity professionals. You started by setting up a test environment with a simple web - server to practice scanning in a controlled setting. Then, you explored basic stealth scanning with the SYN scan technique, which offers accurate results and reduces the risk of detection, making it useful for security audits without alerting monitored systems.

Next, you delved into more advanced covert scanning methods, such as the Idle Scan, which can hide the scan's origin. Although its application was limited in the lab, you grasped how it works in real - world scenarios. Finally, you learned to interpret scan results and create actionable reports, enabling you to identify security gaps and develop remediation plans. Mastering these stealth scanning techniques equips you to conduct thorough network assessments and address potential threats proactively.