Perform Window Scanning in Nmap


Introduction

In this lab, you will learn how to perform window scanning in Nmap, a valuable skill in network security. The lab starts with running a basic window scan on a target IP address, then progresses to scanning a specific port range. You'll also add verbosity to the scan, save the results to a file, analyze the scan in the Xfce terminal, and compare it with an ACK scan. This hands-on experience will enhance your understanding of Nmap's window scanning capabilities.



Run window scan with nmap -sW 192.168.1.1

In this step, we will perform a Window scan using Nmap. A Window scan is a type of TCP scan that can sometimes reveal more information about open and filtered ports than other scan types. It's particularly useful when firewalls are in place that might block other types of scans.

Before we begin, let's briefly discuss what a Window scan does. The Window scan exploits a quirk in some TCP implementations. It sends a TCP packet with the SYN flag set to the target host. If the port is open, the target responds with a SYN/ACK packet. Nmap then examines the TCP window size of the response. Based on this window size, Nmap can determine if the port is open or filtered.

Now, let's execute the Window scan. We'll use the following command:

nmap -sW 192.168.1.1

Replace 192.168.1.1 with the actual IP address of the target you want to scan. If you are unsure what IP address to use, you can use the loopback address 127.0.0.1, which refers to your own machine.

Open your Xfce terminal. You can find the terminal icon on the desktop or in the applications menu.

In the terminal, type the following command and press Enter:

nmap -sW 127.0.0.1

This command tells Nmap to perform a Window scan (-sW) on the loopback address (127.0.0.1).

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
Other addresses for localhost (alias(es)): localhost

PORT     STATE  SERVICE
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

The output shows the open, closed, or filtered ports on the target machine. In this example, ports 135, 139, and 445 are closed. The specific ports and their states will vary depending on the target system.

Scan port range with nmap -sW -p 1-100 127.0.0.1

In this step, we will extend the Window scan by specifying a port range. This allows us to focus our scan on a specific set of ports, which can be useful for identifying services running on a target machine.

By default, Nmap scans a predefined set of commonly used ports. However, you can customize the scan to target specific ports or a range of ports using the -p option. This is particularly helpful when you want to check if a specific service is running on a non-standard port or when you want to limit the scan time by focusing on a smaller set of ports.

Now, let's execute the Window scan with a port range. We'll use the following command:

nmap -sW -p 1-100 127.0.0.1

This command tells Nmap to perform a Window scan (-sW) on ports 1 through 100 (-p 1-100) of the loopback address (127.0.0.1).

Open your Xfce terminal.

In the terminal, type the following command and press Enter:

nmap -sW -p 1-100 127.0.0.1

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (alias(es)): localhost

PORT    STATE  SERVICE
22/tcp  closed ssh
25/tcp  closed smtp
80/tcp  closed http

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

The output shows the open, closed, or filtered ports within the specified range (1-100) on the target machine. In this example, ports 22, 25, and 80 are closed. The specific ports and their states will vary depending on the target system.

Add verbosity with nmap -v -sW 192.168.1.1

In this step, we will add verbosity to the Window scan. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding the results.

Nmap's verbosity option (-v) increases the amount of information displayed during the scan. This can include details about the scan phases, the packets being sent and received, and the reasons why Nmap is making certain decisions. Using verbosity can be particularly useful when you are trying to diagnose network issues or when you want to understand how Nmap is interpreting the responses from the target.

Now, let's execute the Window scan with verbosity. We'll use the following command:

nmap -v -sW 192.168.1.1

Replace 192.168.1.1 with the actual IP address of the target you want to scan. If you are unsure what IP address to use, you can use the loopback address 127.0.0.1, which refers to your own machine.

Open your Xfce terminal.

In the terminal, type the following command and press Enter:

nmap -v -sW 127.0.0.1

This command tells Nmap to perform a Window scan (-sW) on the loopback address (127.0.0.1) and to increase the verbosity level (-v).

You should see output similar to the following (the exact output will vary):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
NSE: Loaded 0 scripts for scanning.
Initiating Window Scan at 10:10
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed Window Scan at 10:10, 0.12s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000039s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp open   http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

The output now includes more information about the scan process, such as the start and end times, the number of ports scanned, and any scripts that were loaded. The specific details will vary depending on the target system and the Nmap configuration.

Save window scan with nmap -sW -oN window.txt 127.0.0.1

In this step, we will save the results of the Window scan to a file. This is useful for later analysis or for sharing the results with others.

Nmap provides several options for saving scan results in different formats. The -oN option saves the results in a "normal" human-readable format. This format is easy to read and understand, but it may not be suitable for automated parsing. Other options include -oX for XML format and -oS for script kiddie format.

Now, let's execute the Window scan and save the results to a file named window.txt in the ~/project directory. We'll use the following command:

nmap -sW -oN window.txt 127.0.0.1

This command tells Nmap to perform a Window scan (-sW) on the loopback address (127.0.0.1) and to save the results in normal format (-oN) to the file window.txt.

Open your Xfce terminal.

In the terminal, type the following command and press Enter:

nmap -sW -oN window.txt 127.0.0.1

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (alias(es)): localhost

PORT    STATE  SERVICE
22/tcp  closed ssh
25/tcp  closed smtp
80/tcp  closed http

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

The scan results are now saved in the window.txt file in your ~/project directory.

To verify that the file was created and contains the scan results, you can use the cat command to display the contents of the file:

cat window.txt

You should see the Nmap scan report in the output.

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (alias(es)): localhost

PORT    STATE  SERVICE
22/tcp  closed ssh
25/tcp  closed smtp
80/tcp  closed http
## Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

Analyze window scan in Xfce terminal

In this step, we will analyze the results of the Window scan that we saved to the window.txt file in the previous step. Understanding the output of Nmap scans is crucial for identifying potential vulnerabilities and security risks.

The window.txt file contains a human-readable report of the scan results. The report includes information about the target host, the ports that were scanned, and the state of each port.

Open your Xfce terminal.

First, let's display the contents of the window.txt file using the cat command:

cat window.txt

You should see output similar to the following (the exact output will depend on the target system and the scan options used):

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (alias(es)): localhost

PORT    STATE  SERVICE
22/tcp  closed ssh
25/tcp  closed smtp
80/tcp  closed http
## Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

Let's break down the key parts of this output:

  • Nmap scan report for localhost (127.0.0.1): This line indicates that the scan was performed on the loopback address 127.0.0.1.
  • Host is up: This line confirms that the target host is reachable.
  • PORT STATE SERVICE: This section lists the ports that were scanned and their corresponding states and services.
  • 22/tcp closed ssh: This line indicates that port 22 (SSH) is closed.
  • 25/tcp closed smtp: This line indicates that port 25 (SMTP) is closed.
  • 80/tcp closed http: This line indicates that port 80 (HTTP) is closed.

The STATE column is particularly important. In a Window scan, the possible states are typically open, closed, or filtered.

  • open: Indicates that the port is listening for connections.
  • closed: Indicates that the port is not listening for connections, but the host is reachable.
  • filtered: Indicates that Nmap cannot determine whether the port is open or closed because network filtering is preventing Nmap from reaching the port.

In this example, all the scanned ports are reported as closed. This means that the target host is reachable, but it is not accepting connections on these ports.

You can use this information to identify potential vulnerabilities or security risks. For example, if a port is unexpectedly open, it may indicate that a vulnerable service is running on that port.

Now, let's use the grep command to find the open ports in the window.txt file.

grep "open" window.txt

If there are no open ports, the command will not return any output. In our example, the output is empty.

Compare with ACK scan in Xfce terminal

In this step, we will perform an ACK scan and compare its results with the Window scan we performed earlier. This comparison will help us understand the differences between these two scan types and how they can be used to gather different types of information about a target system.

An ACK scan (-sA) sends TCP ACK packets to the target host. Unlike a SYN scan, an ACK scan does not attempt to establish a connection. Instead, it is used to determine whether a firewall is present and how it handles unsolicited ACK packets.

If a firewall is present and configured to block unsolicited ACK packets, the ACK scan will report all ports as filtered. If a firewall is not present or is configured to allow unsolicited ACK packets, the ACK scan will report ports as either unfiltered or closed.

Now, let's perform an ACK scan on the loopback address (127.0.0.1) and save the results to a file named ack.txt.

Open your Xfce terminal.

In the terminal, type the following command and press Enter:

nmap -sA -oN ack.txt 127.0.0.1

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (alias(es)): localhost

PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
80/tcp  unfiltered http

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

Now, let's compare the results of the ACK scan with the Window scan.

Recall the output of the Window scan (from window.txt):

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (alias(es)): localhost

PORT    STATE  SERVICE
22/tcp  closed ssh
25/tcp  closed smtp
80/tcp  closed http
## Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

In the Window scan, the ports were reported as closed. In the ACK scan, the ports are reported as unfiltered. This difference is due to the way these two scan types work. The Window scan attempts to establish a connection, while the ACK scan only sends ACK packets.

The unfiltered state in the ACK scan means that Nmap cannot determine whether the port is open or closed because the ACK packets are not being filtered. This could indicate that there is no firewall present, or that the firewall is configured to allow unsolicited ACK packets.
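The following script is an added example, not part of the lab, that automates the last two steps: it parses the normal (-oN) report format shown above, does what grep "open" does but on the STATE column only, and lines up window.txt against ack.txt port by port. The two file contents are constructed samples shaped like the lab output (port 80 is made open so the comparison has something to show); the function names are mine.

```python
"""Parse Nmap normal (-oN) output and compare a Window scan with an ACK scan."""
import re

# Constructed samples shaped like the lab's window.txt and ack.txt (port 80 made open).
WINDOW_TXT = """\
## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
PORT    STATE  SERVICE
22/tcp  closed ssh
25/tcp  closed smtp
80/tcp  open   http
## Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds
"""
ACK_TXT = """\
## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for localhost (127.0.0.1)
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
80/tcp  unfiltered http
## Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds
"""

# A port line is "<port>/<proto>  <state>  <service>"; states like "open|filtered" are one token.
PORT_LINE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)", re.M)

def parse_nmap_normal(text):
    """Map port -> (state, service); header, '##' and 'Nmap ...' lines never match."""
    return {port: (state, svc) for port, state, svc in PORT_LINE.findall(text)}

def ports_in_state(text, wanted):
    """Ports whose STATE column is exactly `wanted` (stricter than grep "open")."""
    return sorted(p for p, (s, _) in parse_nmap_normal(text).items() if s == wanted)

def compare_scans(window_text, ack_text):
    """Per-port rows (port, window_state, ack_state, verdict) for the two -oN reports."""
    w, a = parse_nmap_normal(window_text), parse_nmap_normal(ack_text)
    rows = []
    for port in sorted(set(w) | set(a), key=lambda p: int(p.split("/")[0])):
        ws, as_ = w.get(port, ("-",))[0], a.get(port, ("-",))[0]
        if as_ == "filtered":
            verdict = "firewall blocks probes"      # neither scan can classify the port
        elif as_ == "unfiltered" and ws in ("open", "closed"):
            verdict = "window scan classified it"  # ACK scan alone could not say open/closed
        else:
            verdict = "undetermined"
        rows.append((port, ws, as_, verdict))
    return rows
```

Point it at real files with compare_scans(open("window.txt").read(), open("ack.txt").read()) after running the two scans from this lab.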

You can also use the cat command to display the contents of the ack.txt file:

cat ack.txt

You should see the Nmap scan report in the output.

## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000070s latency).
Other addresses for localhost (alias(es)): localhost

PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
80/tcp  unfiltered http

## Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds

Summary

In this lab, participants learn to perform window scanning in Nmap. They start by running a basic window scan using the command nmap -sW followed by an IP address, understanding how it exploits TCP implementation quirks to reveal port states. They then scan a specific port range with nmap -sW -p 1-100, add verbosity to the scan using -v, and save the scan results to a file with -oN. Finally, they analyze the window scan and compare it with an ACK scan in the Xfce terminal.