Nmap question

A safe place for newbies. You won't get flamed here, as long as you've put in some effort before posting (i.e: Google)...
Post Reply
Co00okie
n00b
Posts: 2
Joined: Fri Nov 29, 2019 1:45 am

Nmap question

Post by Co00okie » Sun Dec 01, 2019 10:53 am

Hi, serious noob here. Been interested in computers since school. Never really read that much about them until recently. I got intrigued how computers went from electrical switches 1's and 0's to actual words on a screen. Had a play with python 3 but my understanding of maths hindered me going past booleons.
My question really atm is about the nmap command on kali Linux. From what I've read it's a "noisy" command. Meaning the target computer can see that it's been done? Or the target computer knows who's done it? I'm not sure.
So if someone typed nmap and your ip address would you get a notification or is it a little more complex than that? Other than the person performing the recon getting the required data what happens the other side and how do you cover your tracks so to speak?

User avatar
Cool_Fire
Not a sandwich
Posts: 1895
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: Nmap question

Post by Cool_Fire » Sun Dec 01, 2019 4:16 pm

Hi,

Nmap being referred to as 'noisy' means that it's fairly easy to detect by machine you are scanning. Exactly what this looks like depends on the software being used to detect the scan. If it's a desktop machine with some firewall software, the user might indeed get a pop-up. For most larger commercial networks it would trigger an alert that gets send to their network/security team.

If you want to be more stealthy about it, the easiest thing to do is to throttle nmap to make far fewer requests per second. This will make the scan take longer of course, but your scan will be far more likely to be lost in the background noise of internet traffic. (-T3 is the default timing selection for nmap, but you can go as slow as -T0 if you want.)

You also have options like using a TCP SYN or TCP FIN scan (-sS or -sF options for nmap) but this is a bit of a double-edged sword. Some detection systems won't trigger on this type of scan since nmap does not make full connections to the target, but it is still detectable and if it does get noticed, it's far more suspicious since it's uncommon to see large numbers of these types of network packets in normal traffic.

It is also worth noting that usually none of this is a problem as port scans are incredibly common and hit pretty much every public IP address several times a day. Unless you're trying to evade getting blocked by some intrusion prevention system, you'll likely never need any of these tricks.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

Co00okie
n00b
Posts: 2
Joined: Fri Nov 29, 2019 1:45 am

Re: Nmap question

Post by Co00okie » Sun Dec 01, 2019 7:14 pm

Thanks cool_fire you pretty much answered my follow up question to this aswell. Lol I will have to do a bit more googling to find out what TCP SYN and TCP FIN are as I literally only found out about nmap the other day on a YouTube video. You said the TCP SYN and TCP FIN data packets are more suspicious as its more unusual to see it happen and it is not uncommon to see someone scan a public ip address. What would be an IT departments response to such a scan or is more to do with what happens after you find open ports?
The reason I ask is because I'm literally in the process of watching a tutorial about setting up a virtual box machine to have a play with. Which in itself is OK but in the real world if I were to do some of the stuff this tutorial is saying to some IT professionals system what could they do about it?

Sorry if this comes across as a little interagorative your the first real person that I've had a chance to ask. Non of my friends are really that technical and I feel if I rang my IT department up and asked him he might assume the worst. (could you imagine receiving that call? Like "hi hyperthetically speaking what would you do if I walked round the perimeter of your house looking for a way in what would you do about it?) :lol: :lol:

User avatar
Cool_Fire
Not a sandwich
Posts: 1895
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d
Contact:

Re: Nmap question

Post by Cool_Fire » Wed Dec 04, 2019 7:14 am

Co00okie wrote:
Sun Dec 01, 2019 7:14 pm
What would be an IT departments response to such a scan or is more to do with what happens after you find open ports?
Usually the response would be to just the block the IP address. Most likely this would be an automated action performed by an intrusion prevention system. That is, if it's one public IP scanning another public IP. If we're talking about scanning internal systems over a LAN, they might go investigate.

But yes, there would also be much more to do once you know what ports are open. Unless of course just knowing what ports are open was your goal. Usually you'll want to do at least service fingerprinting (nmap does this automatically, depending on the scan type) to figure out what services are listening on those open ports. From there on it'll depend entirely on what the results of your scan are, but at that point you're going beyond just port scanning.
Co00okie wrote:
Sun Dec 01, 2019 7:14 pm
The reason I ask is because I'm literally in the process of watching a tutorial about setting up a virtual box machine to have a play with. Which in itself is OK but in the real world if I were to do some of the stuff this tutorial is saying to some IT professionals system what could they do about it?
Starting with a virtual machine is always a good idea, but if you want a real world target to try out, it's probably be to start with something like "scanme.nmap.org". As the name suggests, this is a server owned by nmap, set up specifically so people can try out nmap on it. Beyond that you could try getting permission from someone who owns a public server. (I hereby give you permission to nmap "insomnia247.nl" if you want.)

As for what IT staff could do about it; Well, not much really. Even if they wanted to go through the trouble, port scanning is entirely legal usually. Even in cases where it's not, I can't imagine anyone ever getting prosecuted for it. (I'm not a lawyer though, so I can only speak from personal experience.)
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

Post Reply