In addition to a basic network scan, Nmap can run specific scans that exploit idiosyncrasies in platforms or protocols. This tip explains how to run these scans to tell the difference betweeen open and closed ports on your customer's network.Nmap: More port scanning techniques
In our last tip we looked at the basic Nmap commands for scanning network machines and services. In this tip I want to look at some of the scans that exploit certain idiosyncrasies of specific platforms or protocols in order to better differentiate between open and closed ports.
Nmap's TCP Null (option –sN), FIN (option –sF) and Xmas (option –sX) scans exploit a subtle loophole in the TCP protocol specification as described in RFC 793. When scanning systems compliant with this RFC (such as most Unix-based systems), any packet not containing set SYN, RST or ACK bits will result in a returned RST (reset) packet if the port is closed, and no response at all if the port is open. If a RST packet is received, the port is considered closed, while no response means it is open or possibly filtered. The key advantage to these scans is that they can pass through certain non-stateful firewalls and packet-filtering routers.
Read more on custom Nmap scans.
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This tip originally appeared on SearchSecurity.com.
This was first published in December 2006