Perform TCP Xmas Scanning in Nmap

Introduction

In this lab, you will learn how to perform TCP Xmas scanning using Nmap. The lab covers various aspects of Xmas scanning, including running a basic scan on a target IP, scanning specific ports, adding verbosity to the scan, saving scan results, comparing Xmas scans with FIN scans, and analyzing the results in the Xfce terminal. You'll understand how Xmas scans work by setting FIN, PSH, and URG flags in the TCP header to identify open or filtered ports on a target system.

Run Xmas scan with nmap -sX 192.168.1.1

In this step, we will perform an Xmas scan using Nmap. An Xmas scan is a type of port scan that sets the FIN, PSH, and URG flags in the TCP header. This type of scan is named "Xmas" because the set flags resemble a Christmas tree. It's useful for identifying open or filtered ports on a target system.

Before we begin, let's understand what these flags mean:

  • FIN (Finish): Indicates the end of a connection.
  • PSH (Push): Tells the receiving system to push the buffered data to the application.
  • URG (Urgent): Indicates that the urgent pointer field is significant and points to data that should be processed urgently.

When a host receives an Xmas scan packet, it should respond with an RST (reset) packet if the port is closed. If the port is open, the host should silently drop the packet and not respond. However, some systems do not follow this behaviour, and the way they deviate from it can help identify the operating system or firewall rules.
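To make the flag combination concrete, here is an added Python example (not part of the lab) that reads the flag byte from a raw TCP header, names the bits, and classifies probes the way a sensor or IDS rule would, counting Xmas and FIN probes per source address. The 20-byte headers it inspects are constructed in memory; nothing is sent.

```python
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the combination nmap -sX sets; nmap -sF sets FIN alone
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))

def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return segment[13]

def describe_flags(flags: int) -> str:
    """Render a flag byte as 'FIN|PSH|URG' style text for a log line."""
    return "|".join(name for name, bit in FLAG_NAMES if flags & bit) or "none"

def classify_probe(segment: bytes) -> str:
    """Label a segment the way a sensor rule would. A legitimate connection never
    opens with FIN/PSH/URG (or FIN alone) and no ACK, so those are scanner traffic."""
    flags = tcp_flags(segment)
    return {XMAS: "xmas", FIN: "fin", SYN: "syn"}.get(flags, "other")

def summarize_probes(observed):
    """Per source address, count Xmas/FIN probes and the distinct ports they hit.
    observed: iterable of (src_ip, dst_port, raw_tcp_segment) tuples."""
    summary = {}
    for src, dport, seg in observed:
        kind = classify_probe(seg)
        if kind in ("xmas", "fin"):
            entry = summary.setdefault(src, {"xmas": 0, "fin": 0, "ports": set()})
            entry[kind] += 1
            entry["ports"].add(dport)
    return summary

def make_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header used only as sample input (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed sample: one source sweeping three ports with Xmas probes, plus a normal SYN.
SAMPLE = [
    ("10.0.0.5", 22, make_segment(40000, 22, XMAS)),
    ("10.0.0.5", 80, make_segment(40001, 80, XMAS)),
    ("10.0.0.5", 443, make_segment(40002, 443, XMAS)),
    ("10.0.0.9", 80, make_segment(51000, 80, SYN)),
]
```

Feeding `summarize_probes` the TCP payloads from a capture shows which sources are sweeping ports with flag combinations no real client sends.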

Now, let's run the Xmas scan against the target IP address 192.168.1.1. Open your Xfce terminal and execute the following command:

sudo nmap -sX 192.168.1.1

This command tells Nmap to perform an Xmas scan (-sX) on the target IP address 192.168.1.1. You will need sudo privileges to run this command.

After the scan completes, Nmap will display the results. The output will show which ports are considered open, closed, or filtered based on the responses (or lack thereof) from the target system.

Example output (the actual output will vary depending on the target system):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
All 1000 scanned ports on 192.168.1.1 are filtered

Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds

In this example, all 1000 scanned ports are reported as filtered. This means that Nmap was unable to determine whether the ports are open or closed because the target system is likely blocking or filtering the scan packets.

Scan specific ports with nmap -sX -p 22,80 127.0.0.1

In this step, we will focus our Xmas scan on specific ports. This is useful when you want to quickly check the status of particular services running on a target machine, rather than scanning all ports. We will scan ports 22 (SSH) and 80 (HTTP) on the localhost (127.0.0.1).

The -p option in Nmap allows you to specify which ports to scan. You can provide a single port, a range of ports (e.g., 1-100), or a comma-separated list of ports (e.g., 22,80,443).

To scan ports 22 and 80 using an Xmas scan, open your Xfce terminal and execute the following command:

sudo nmap -sX -p 22,80 127.0.0.1

This command tells Nmap to perform an Xmas scan (-sX) on ports 22 and 80 (-p 22,80) of the target IP address 127.0.0.1 (localhost). You will need sudo privileges to run this command.

After the scan completes, Nmap will display the results for the specified ports. The output will indicate whether the ports are open, closed, or filtered.

Example output (the actual output may vary):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000029s latency).

PORT   STATE    SERVICE
22/tcp filtered ssh
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

In this example, both ports 22 and 80 are reported as filtered. This means that Nmap could not determine whether these ports are open or closed, possibly due to firewall rules or other network configurations on the localhost.

Add verbosity with nmap -v -sX 192.168.1.1

In this step, we will add verbosity to our Xmas scan. Verbosity in Nmap means increasing the amount of information displayed during the scan. This can be helpful for understanding what Nmap is doing and for troubleshooting any issues that may arise.

The -v option in Nmap increases the verbosity level. You can use -v for normal verbosity or -vv for even more detailed output.

To run an Xmas scan with verbosity, open your Xfce terminal and execute the following command:

sudo nmap -v -sX 192.168.1.1

This command tells Nmap to perform an Xmas scan (-sX) on the target IP address 192.168.1.1 with verbosity enabled (-v). You will need sudo privileges to run this command.

The output will now include more information about the scan process, such as the ports being scanned, the packets being sent, and any responses received.

Example output (the actual output will vary depending on the target system and the network configuration):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
NSE: Loaded 0 scripts for scanning.
Initiating Xmas Scan at 10:00
Scanning 192.168.1.1 [1000 ports]
Completed Xmas Scan at 10:00, 0.00s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
All 1000 scanned ports on 192.168.1.1 are filtered

Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds

The verbose output provides more details about the scan's progress, including the start and end times, the number of ports scanned, and any errors or warnings encountered.

Save Xmas scan results with nmap -sX -oN xmas.txt 127.0.0.1

In this step, we will learn how to save the results of an Xmas scan to a file. This is useful for later analysis or for documenting your findings. Nmap provides several options for saving scan results in different formats. The -oN option saves the results in a "normal" human-readable format.

To save the results of an Xmas scan to a file named xmas.txt, open your Xfce terminal and execute the following command:

sudo nmap -sX -oN xmas.txt 127.0.0.1

This command tells Nmap to perform an Xmas scan (-sX) on the target IP address 127.0.0.1 (localhost) and save the results in normal format (-oN) to the file xmas.txt. The file will be created in your current directory, which is ~/project. You will need sudo privileges to run this command.

After the scan completes, you can view the contents of the xmas.txt file using the cat command or a text editor like nano.

cat xmas.txt

Example output (the actual output may vary):

## Nmap 7.80 scan initiated Tue Oct 27 10:00:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000029s latency).
All 1000 scanned ports on localhost (127.0.0.1) are filtered

## Nmap done at Tue Oct 27 10:00:00 2023 -- 1 IP address (1 host up) scanned in 0.12 seconds

Alternatively, you can use nano to open and view the file:

nano xmas.txt

This will open the xmas.txt file in the nano text editor, allowing you to examine the scan results. Remember to save and exit nano by pressing Ctrl+X, then Y to confirm saving, and finally Enter.

Compare Xmas scan with FIN scan in Xfce terminal

In this step, we will compare the results of an Xmas scan with a FIN scan. Both Xmas and FIN scans are types of stealth scans that can be used to identify open ports on a target system. They work by sending specially crafted TCP packets to the target and analyzing the responses.

First, let's run a FIN scan on the localhost (127.0.0.1):

sudo nmap -sF 127.0.0.1

This command tells Nmap to perform a FIN scan (-sF) on the target IP address 127.0.0.1. You will need sudo privileges to run this command.

Example output (the actual output may vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000029s latency).
All 1000 scanned ports on localhost (127.0.0.1) are filtered

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Now, let's compare this output with the output from the Xmas scan we performed earlier. You can either scroll back in your terminal history to find the previous Xmas scan output, or you can re-run the Xmas scan:

sudo nmap -sX 127.0.0.1

Example output (the actual output may vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:01 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000029s latency).
All 1000 scanned ports on localhost (127.0.0.1) are filtered

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

Observe the similarities and differences between the two scan results. In many cases, the results will be identical, showing all ports as filtered. This is because many modern firewalls and operating systems are configured to drop or ignore these types of packets.

To further compare, you can save the FIN scan results to a file, similar to what we did with the Xmas scan:

sudo nmap -sF -oN fin.txt 127.0.0.1

Then, you can use the diff command to compare the two files:

diff xmas.txt fin.txt

This command will show you any differences between the xmas.txt and fin.txt files. If the scans produced identical results, the diff command will not output anything.

Analyze results in Xfce terminal

In this step, we will analyze the results of the Nmap scans we have performed. Understanding the output of Nmap scans is crucial for identifying potential vulnerabilities and security risks.

Let's start by examining the xmas.txt file, which contains the results of the Xmas scan. You can view the contents of this file using the cat command or a text editor like nano:

cat xmas.txt

or

nano xmas.txt

The output will typically include the following information:

  • Nmap version: The version of Nmap used for the scan.
  • Scan initiation time: The date and time when the scan was started.
  • Target information: The IP address or hostname of the target system.
  • Host status: Whether the target host is up or down.
  • Port status: The status of each scanned port (e.g., open, closed, filtered).
  • Scan completion time: The date and time when the scan was completed.

In the case of Xmas and FIN scans, you will often see that all ports are reported as "filtered". This means that Nmap was unable to determine whether the ports are open or closed because the target system did not respond to the scan packets in a way that allowed Nmap to make a definitive determination. This is a common result when scanning systems protected by firewalls or intrusion detection systems (IDS).
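Eyeballing diff output is awkward because the first and last lines of each -oN file carry the scan's timestamps and so always differ. The following Python parser is an added example, not part of the lab: it pulls the Nmap version, start time, target and per-port states out of two normal-format reports and compares the port states only. The two sample reports are constructed in the shape of this lab's xmas.txt and fin.txt.

```python
import re

# Line shapes nmap -oN writes; "#+" accepts both the "#" and "##" header forms.
HEADER = re.compile(r"^#+ Nmap (\S+) scan initiated (.+?)(?: as: .*)?$")
TARGET = re.compile(r"^Nmap scan report for (.+)$")
PORT = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)")
ALL_PORTS = re.compile(r"^All (\d+) scanned ports on .+ are (\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) (?:tcp |udp )?ports")

def parse_normal_output(text: str) -> dict:
    """Pull version, start time, target, listed ports and the summary state out of one report."""
    rep = {"version": None, "started": None, "target": None,
           "ports": {}, "default_state": None, "default_count": 0}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            rep["version"], rep["started"] = m.group(1), m.group(2)
        elif m := TARGET.match(line):
            rep["target"] = m.group(1)
        elif m := PORT.match(line):
            rep["ports"][m.group(1)] = m.group(2)  # e.g. "22/tcp" -> "open|filtered"
        elif m := (ALL_PORTS.match(line) or NOT_SHOWN.match(line)):
            rep["default_count"], rep["default_state"] = int(m.group(1)), m.group(2)
    return rep

def port_state_diff(text_a: str, text_b: str) -> dict:
    """Compare two reports port by port, ignoring timestamps. A port absent from a
    listing takes that scan's summary state (the 'All ... are filtered' line)."""
    a, b = parse_normal_output(text_a), parse_normal_output(text_b)
    diffs = {}
    for port in sorted(set(a["ports"]) | set(b["ports"]), key=lambda p: int(p.split("/")[0])):
        sa, sb = a["ports"].get(port, a["default_state"]), b["ports"].get(port, b["default_state"])
        if sa != sb:
            diffs[port] = (sa, sb)
    return diffs

# Constructed sample reports shaped like this lab's xmas.txt and fin.txt files.
XMAS_TXT = """# Nmap 7.80 scan initiated Tue Oct 27 10:00:00 2023 as: nmap -sX -oN xmas.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000029s latency).
Not shown: 998 filtered ports
PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp closed        http
# Nmap done at Tue Oct 27 10:00:00 2023 -- 1 IP address (1 host up) scanned in 0.12 seconds"""
FIN_TXT = """## Nmap 7.80 scan initiated Tue Oct 27 10:01:00 2023
Nmap scan report for localhost (127.0.0.1)
All 1000 scanned ports on localhost (127.0.0.1) are filtered
## Nmap done at Tue Oct 27 10:01:00 2023 -- 1 IP address (1 host up) scanned in 0.12 seconds"""
```

For the real files, pass `open("xmas.txt").read()` and `open("fin.txt").read()` to `port_state_diff`; an empty result means the two scans agreed on every port even though `diff` reports the timestamp lines.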

If you see ports reported as "open" or "closed", it indicates that the target system responded to the scan packets in a predictable way. However, it's important to note that Xmas and FIN scans can be unreliable, and the results may not always be accurate.

To get a more accurate picture of the target system's open ports, you may need to use other types of Nmap scans, such as a TCP connect scan (-sT) or a SYN scan (-sS). These scans are more reliable but may also be more easily detected by firewalls and IDS.

In summary, analyzing Nmap scan results involves carefully examining the output to identify potential vulnerabilities and security risks. It's important to understand the different types of Nmap scans and the limitations of each scan type. By combining different scan techniques and carefully analyzing the results, you can gain a more complete understanding of the target system's security posture.

Summary

In this lab, participants learn to perform TCP Xmas scanning using Nmap. They start by running a basic Xmas scan on a target IP (192.168.1.1) with the nmap -sX command, understanding that it sets FIN, PSH, and URG flags in the TCP header to identify open or filtered ports. They also learn to scan specific ports, add verbosity to the scan, and save the results to a file. Additionally, they compare Xmas scans with FIN scans and analyze the results in the Xfce terminal.