Nmap network reconnaissance using TCP Ping

In a previous article we discussed Nmap network reconnaissance using various ICMP requests, which can be a powerful technique that does not usually trigger an IDS. But what can we do when ICMP is disabled precisely to hinder scanning? We can use TCP Ping.

What is TCP Ping?

A TCP Ping sends a SYN or ACK packet to a target port; if the target replies with any response, the host is considered alive.

TCP SYN Ping scan

  • Nmap sends a TCP SYN packet to a port. If the port is closed, the target replies with an RST packet; this means there is no service listening on that port, but the target is alive.
  • If a service is listening on that port, the target replies with a TCP SYN/ACK packet, indicating that the TCP connection can be established. Nmap then replies with an RST packet to tear the connection down. This matters because in most cases the never-completed connection will not be recorded in any target log nor trigger the IDS.

TCP ACK Ping scan

  • Nmap sends an empty TCP packet with only the ACK flag set to a port.
  • If the target is unreachable or offline, it will not reply. Otherwise it returns an RST packet and can be considered alive.
  • The RST is sent because the ACK packet is not associated with any existing valid connection.
  • As with the TCP SYN technique, since no connection is completed, it will not be recorded in any log nor trigger an IDS.

TCP Connect scan

The TCP Connect scan is very similar to the TCP SYN ping, but it completes the three-way handshake in the same way an application would when connecting to the target port, for example a web browser connecting to a web server listening on port 80. The TCP SYN ping is preferred over the TCP Connect scan because:

  • Since it does not complete the three-way handshake, the target most likely will not log anything
  • It will not trigger an IDS

The TCP Connect scan can be an option when:

  • You cannot run nmap with sudo/Administrator privileges
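To see the three behaviours above from the defender's side, here is an added Python example (not from the original article) that replays constructed packet records and classifies each source's probes as SYN ping, ACK ping or completed connect, counting as alive every probed host that answered with SYN/ACK or RST, which is the same rule Nmap uses. The addresses, the flag notation and the sweep threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample packets as (src, dst, port, flags); flags use S/A/R letters.
# 10.0.0.5 sweeps port 80 with SYN pings (-PS) and ACK pings (-PA);
# 10.0.0.9 is an ordinary client completing a handshake with one web server.
PACKETS = [
    ("10.0.0.5", "192.168.1.1", 80, "S"), ("192.168.1.1", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "192.168.1.1", 80, "R"),   # SYN ping: open port, scanner resets
    ("10.0.0.5", "192.168.1.2", 80, "S"), ("192.168.1.2", "10.0.0.5", 80, "R"),
    ("10.0.0.5", "192.168.1.3", 80, "S"),   # no answer: down or filtered
    ("10.0.0.5", "192.168.1.4", 80, "A"), ("192.168.1.4", "10.0.0.5", 80, "R"),
    ("10.0.0.5", "192.168.1.6", 80, "A"), ("192.168.1.6", "10.0.0.5", 80, "R"),
    ("10.0.0.9", "192.168.1.1", 80, "S"), ("192.168.1.1", "10.0.0.9", 80, "SA"),
    ("10.0.0.9", "192.168.1.1", 80, "A"),   # third handshake step: real connect
]


def analyse(packets, threshold=3):
    """Classify each source's probes and count the hosts that answered.

    syn_ping: bare SYN never followed by an ACK from the source
    ack_ping: bare ACK with no preceding SYN from the source
    connect : SYN followed by ACK from the source (handshake completed)
    alive   : distinct probed hosts that answered with SYN/ACK or RST
    sweep   : True when SYN/ACK pings hit at least `threshold` distinct hosts
    """
    syn_sent, probed = set(), set()
    kinds = defaultdict(dict)   # src -> {dst: probe kind}
    alive = defaultdict(set)    # src -> hosts that answered one of its probes
    for src, dst, port, flags in packets:
        key = (src, dst, port)
        if flags == "S":
            syn_sent.add(key)
            probed.add(key)
            kinds[src][dst] = "syn_ping"
        elif flags == "A":
            probed.add(key)
            kinds[src][dst] = "connect" if key in syn_sent else "ack_ping"
        elif flags in ("SA", "R") and (dst, src, port) in probed:
            alive[dst].add(src)     # the probed host replied, so it is up
    report = {}
    for src, per_dst in kinds.items():
        counts = {"syn_ping": 0, "ack_ping": 0, "connect": 0}
        for kind in per_dst.values():
            counts[kind] += 1
        counts["alive"] = len(alive[src])
        counts["sweep"] = counts["syn_ping"] + counts["ack_ping"] >= threshold
        report[src] = counts
    return report
```

Running `analyse(PACKETS)` reports the scanner with three SYN pings, two ACK pings, four hosts answering and the sweep flag set, while the ordinary client shows a single completed connect and no sweep.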

Examples

TCP SYN Ping

  • -sn : Don't do a port scan, only host discovery. By default host discovery launches a series of probes including ICMP and TCP ACK and SYN probes and, when not running with sudo/Administrator rights, a TCP Connect scan
  • --disable-arp-ping : Don't do ARP ping
  • -PS : Do a TCP SYN Ping. -PS accepts an optional port specification in the form of:
    <port> : -PS22
    <port list> : -PS22,80
    <port range> : -PS1-1500

If no port option is provided, it defaults to port 80.

nmap --disable-arp-ping -sn -PS 192.168.1.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-13 12:11 EEST
Nmap scan report for h288a (192.168.1.1)
Host is up (0.14s latency).
Nmap scan report for 192.168.1.2 (192.168.1.2)
Host is up (0.14s latency).
Nmap scan report for 192.168.1.3 (192.168.1.3)
Host is up (0.14s latency).
Nmap scan report for 192.168.1.4 (192.168.1.4)
Host is up (0.14s latency).
Nmap scan report for 192.168.1.6 (192.168.1.6)
Host is up (0.14s latency).
Nmap scan report for 192.168.1.9 (192.168.1.9)
Host is up (0.14s latency).
Nmap scan report for 192.168.1.15 (192.168.1.15)
Host is up (0.29s latency).
Nmap scan report for 192.168.1.48 (192.168.1.48)
Host is up (0.23s latency).
Nmap scan report for 192.168.1.85 (192.168.1.85)
Host is up (0.098s latency).
Nmap done: 256 IP addresses (9 hosts up) scanned in 5.26 seconds

TCP ACK Ping

The same options apply for TCP ACK Ping:

nmap --disable-arp-ping -sn -PA 192.168.1.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-13 12:24 EEST
Nmap scan report for h288a (192.168.1.1)
Host is up (0.011s latency).
Nmap scan report for 192.168.1.2 (192.168.1.2)
Host is up (0.010s latency).
Nmap scan report for 192.168.1.3 (192.168.1.3)
Host is up (0.011s latency).
Nmap scan report for 192.168.1.4 (192.168.1.4)
Host is up (0.035s latency).
Nmap scan report for 192.168.1.9 (192.168.1.9)
Host is up (0.010s latency).
Nmap scan report for 192.168.1.15 (192.168.1.15)
Host is up (0.24s latency).
Nmap scan report for 192.168.1.48 (192.168.1.48)
Host is up (0.50s latency).
Nmap scan report for 192.168.1.85 (192.168.1.85)
Host is up (0.25s latency).
Nmap done: 256 IP addresses (8 hosts up) scanned in 7.07 seconds

TCP Connect Scan

  • -sT : Do a TCP Connect scan
  • -p : Ports to scan. If missing, Nmap scans its default port list (the 1000 most common ports from its services file)

# nmap --disable-arp-ping -sT 192.168.1.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-13 12:27 EEST
Nmap scan report for h288a (192.168.1.1)
Host is up (0.0056s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE
53/tcp    open     domain
80/tcp    open     http
443/tcp   open     https
9103/tcp  filtered jetdirect
52869/tcp open     unknown

Nmap scan report for 192.168.1.2 (192.168.1.2)
Host is up (0.0035s latency).
Not shown: 996 closed ports
PORT      STATE    SERVICE
1900/tcp  filtered upnp
5030/tcp  filtered surfpass
9999/tcp  filtered abyss
51103/tcp filtered unknown

Nmap scan report for 192.168.1.3 (192.168.1.3)
Host is up (0.0056s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
3827/tcp filtered netmpi
8008/tcp open     http
8009/tcp open     ajp13
8443/tcp open     https-alt
9000/tcp open     cslistener

Nmap scan report for 192.168.1.4 (192.168.1.4)
Host is up (0.018s latency).
All 1000 scanned ports on 192.168.1.4 (192.168.1.4) are closed

Nmap scan report for 192.168.1.6 (192.168.1.6)
Host is up (0.087s latency).
All 1000 scanned ports on 192.168.1.6 (192.168.1.6) are closed

Nmap scan report for 192.168.1.9 (192.168.1.9)
Host is up (0.0075s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE
9/tcp    filtered discard
80/tcp   open     http
554/tcp  open     rtsp
2105/tcp filtered eklogin

Nmap scan report for 192.168.1.15 (192.168.1.15)
Host is up (0.029s latency).
All 1000 scanned ports on 192.168.1.15 (192.168.1.15) are closed

Nmap scan report for 192.168.1.48 (192.168.1.48)
Host is up (0.26s latency).
All 1000 scanned ports on 192.168.1.48 (192.168.1.48) are closed

Nmap scan report for prometheus (192.168.1.49)
Host is up (0.00091s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for 192.168.1.76 (192.168.1.76)
Host is up (0.013s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap

Nmap scan report for 192.168.1.85 (192.168.1.85)
Host is up (0.073s latency).
All 1000 scanned ports on 192.168.1.85 (192.168.1.85) are closed

Nmap done: 256 IP addresses (11 hosts up) scanned in 244.51 seconds

Notice the following:

  • The full TCP Connect scan found more hosts alive (11) than the TCP SYN ping (9) and the TCP ACK ping (8), but took far more time: 244 seconds versus 5 and 7 seconds respectively. Note that the Connect scan also probed 1000 ports per host, whereas the SYN and ACK pings probed only port 80, so hosts such as 192.168.1.49 and 192.168.1.76, which filter port 80 but expose other ports, only appear in the Connect scan. TCP SYN and ACK pings might also pass an IDS without getting caught!

I hope you found this article interesting!