Sunday, January 13, 2008

Multipart PortScanning Tutorial Part 5

In this edition we will be looking at the results of NULL scans.
We are using Nmap.

The other parts are located here:
Part1
Part2
Part3
Part4

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP addresses, MAC addresses, etc. have been munged!


Ok, first off: a NULL scan is a scan in which the TCP segments have no flags set at all. This is something that doesn't happen, or shouldn't happen, in the "real world", so the target's TCP stack has to decide what to do with it. If the scanned ports are closed then we should get an RST (Reset) packet back from our target; if a port is open, or a filter silently drops the probe, nothing comes back at all, which is why Nmap reports those ports as open|filtered rather than open.

The basic scan uses the -sN flag.

So it will look like the following on a windows box with a firewall in place.

Code:
 bt ~# nmap -sN -vv 192.168.1.4
As always we are using the -vv (very verbose) flag.
And the following is our typical output:

Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
Initiating ARP Ping Scan at 11:35
Scanning 192.168.1.4 [1 port]
Completed ARP Ping Scan at 11:35, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:35
Completed Parallel DNS resolution of 1 host. at 11:35, 0.05s elapsed
Initiating NULL Scan at 11:35
Scanning 192.168.1.4 [1697 ports]
Completed NULL Scan at 11:36, 36.33s elapsed (1697 total ports)
Host 192.168.1.4 appears to be up ... good.
All 1697 scanned ports on 192.168.1.4 are open|filtered
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)

Nmap finished: 1 IP address (1 host up) scanned in 37.093 seconds
Raw packets sent: 3395 (135.802KB) | Rcvd: 1 (42B)
And now the same scan without the firewall in place.

Code:
 bt ~# nmap -sN -vv 192.168.1.4

This time I will show only the info that is relevant.


Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
All 1697 scanned ports on 192.168.1.4 are closed
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Notice the difference? The only thing that changed is that the ports now show up as closed! This is a huge bit of information.
We also learned in both that the host is "up" as well as the network interface's MAC address.
But most importantly we probably didn't set off any alarms on the target network.
Because I did this on my network I know that it didn't.

Now let's look at one more scan, only this time we will do it against a *nix box.

Code:
 bt ~# nmap -sN -vv 192.168.1.101
Again the output shows only what is relevant.
Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008

Host 192.168.1.101 appears to be up ... good.
All 1697 scanned ports on 192.168.1.101 are open|filtered
MAC Address: 11:00:22:AA:BB:CC (Cisco-Linksys, LLC)

Nmap finished: 1 IP address (1 host up) scanned in 36.094 seconds
Raw packets sent: 3395 (135.802KB) | Rcvd: 1 (42B)
This time we see that the *nix box showed the ports as being in an open or filtered state.

The advantage of doing a NULL scan is that no TCP sessions are created, so it is normally quiet from the perspective of the remote device's applications. Therefore, none of these scans should appear in any of the application logs. This is a huge advantage when scanning a firewall or router that is facing the internet on a target network. These scans are also some of the most minimal port-level scans that nmap can do. For a closed port, only two packets are transferred (our probe and the target's RST). This is all that is needed to tell an open port from a closed one!

The disadvantage of doing this type of scan is that some implementations of the TCP stack will render it useless. For instance, with Microsoft this scan will show all ports as closed regardless of their actual state. But even this can work to your advantage, since any device showing open ports must not be a Windows-based device!
There is another caveat to the above: software-based firewalls can override this rule, as shown in the first scan.
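To tie the definition above to the three results we saw, here is an added Python example that is not part of the original post: it builds constructed TCP headers, interprets a target's reply the way Nmap's NULL scan does (RST means closed, silence means open|filtered), and shows how a packet tap on our own network can flag flagless segments, since these probes never reach application logs. The addresses, port set and alert threshold are made-up assumptions.

```python
import struct

FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10


def tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (no options); flags is the control byte."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 1024, 0, 0)


def parse_flags(header):
    """The control flags live in byte 13 of the TCP header."""
    return header[13]


def is_null_probe(header):
    """A NULL scan probe has no control flags set; no normal stack sends that."""
    return parse_flags(header) == 0


def classify_response(reply):
    """Nmap's NULL-scan logic: RST -> closed, no reply at all -> open|filtered."""
    if reply is None:
        return "open|filtered"
    if parse_flags(reply) & FLAG_RST:
        return "closed"
    return "unexpected"  # anything else is not what a NULL probe should elicit


def detect_null_scan(packets, threshold=10):
    """packets: list of (src_ip, raw_tcp_header). Report sources that sent
    flagless segments to at least `threshold` distinct destination ports."""
    ports_by_src = {}
    for src, hdr in packets:
        if is_null_probe(hdr):
            dst_port = struct.unpack("!H", hdr[2:4])[0]
            ports_by_src.setdefault(src, set()).add(dst_port)
    return {src: len(p) for src, p in ports_by_src.items() if len(p) >= threshold}


# Constructed traffic (assumption): one host probes 20 ports with empty flags,
# another host opens an ordinary SYN connection to port 80.
SCANNER = "192.168.1.50"
SAMPLE = [(SCANNER, tcp_header(40000 + p, p, 0)) for p in range(1, 21)]
SAMPLE.append(("192.168.1.7", tcp_header(51000, 80, FLAG_SYN)))

if __name__ == "__main__":
    print(detect_null_scan(SAMPLE))                        # {'192.168.1.50': 20}
    print(classify_response(tcp_header(80, 40000, FLAG_RST | FLAG_ACK)))  # closed
    print(classify_response(None))                         # open|filtered
```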

So now that we know what a NULL Scan can do for us or against us we should be able to better protect our networks.
Ideally, and in my opinion, we want our box to respond as open|filtered as shown above. This makes it harder for an intruder to guess what the target is.
