
Thursday, November 18, 2010

Security Testing And Network Concepts...

NMAP: NETWORK MAPPER:

Nmap (Network Mapper) is an open source utility used for security auditing and network discovery. It determines which hosts are present on a network and which services they expose, including application names and versions, the operating system in use, and whether packet filters or firewalls sit in the path.

By default Nmap performs a TCP SYN scan, which works against any compliant TCP stack. A SYN scan identifies open ports without completing the TCP three-way handshake: Nmap sends a SYN, and when the target answers with SYN/ACK the port is recorded as open and Nmap tears the connection down with an RST before the handshake can complete. This technique is often referred to as "half-open" scanning. The SYN scan is the default only when Nmap has privileged access on the host, because crafting the probes requires raw sockets; when no scan type is specified on the command line and Nmap is run unprivileged, it falls back to a TCP connect scan (-sT), which completes the handshake through the operating system's connect() call and is therefore more likely to be logged by the target application.

---If Nmap receives a SYN/ACK in reply to its SYN, the port is open. Nmap then sends an RST to tear the half-open connection down, and the handshake is never completed. An RST in reply means the port is closed; no reply after retransmissions, or an ICMP unreachable error, means the port is filtered.

---The SYN scan is the most common scan when looking for open ports on a remote device, and its simple SYN, SYN/ACK, RST exchange works against any compliant TCP stack regardless of operating system. Because it never completes the handshake, the connection is never handed to the listening application and so does not show up in application logs, which is why it is considered a relatively 'clean' scan type. Firewalls, intrusion detection sensors and kernel-level logging still see the SYN packets, so it is not invisible.

---The TCP SYN scan by itself only classifies ports as open, closed, or filtered. To determine the operating system or the version of the listening service, more intrusive probing is required, such as version detection (-sV) or operating system fingerprinting (-O).
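The decision rule described above (SYN/ACK means open, RST means closed, silence after retransmissions or an ICMP unreachable error means filtered) can be seen in working code. The following is an added example written for this page, not Nmap's own source. Because sending real SYN probes needs raw sockets and root, the network is replaced by a constructed stand-in function (fake_target) that returns the reply a host would send; the ports it answers for, and the helper names classify and syn_scan, are assumptions made for the illustration. The probe and reset counters show the half-open teardown and why silently dropped probes cost the most time.

```python
"""Simulation of Nmap's TCP SYN ("half-open") scan decision logic.

Added example, not Nmap's own code. The target stack below is a
constructed stand-in: sending real SYN probes needs raw sockets and
root, so the network is replaced by a function that returns the reply
a host would send (SYN/ACK, RST, ICMP unreachable, or nothing).
"""
from dataclasses import dataclass
from typing import Callable, Optional

# TCP flag bits as they appear in the TCP header.
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Reply:
    """One packet coming back from the target (constructed, not captured)."""
    proto: str                  # "tcp" or "icmp"
    tcp_flags: int = 0          # flag bits when proto == "tcp"
    icmp_type: int = 0          # ICMP type/code when proto == "icmp"
    icmp_code: int = 0


# ICMP destination unreachable (type 3) codes that the Nmap reference
# guide says a SYN scan treats as "filtered".
ICMP_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


def classify(reply: Optional[Reply]) -> Optional[str]:
    """Map a single probe reply to a port state, or None when undecided
    (no reply yet: Nmap must retransmit before calling it filtered)."""
    if reply is None:
        return None
    if reply.proto == "tcp":
        if reply.tcp_flags & SYN:          # SYN/ACK (or bare SYN): something is listening
            return "open"
        if reply.tcp_flags & RST:          # RST: reachable, nothing listening
            return "closed"
        return None                        # anything else: ignore, keep probing
    if (reply.proto == "icmp" and reply.icmp_type == 3
            and reply.icmp_code in ICMP_FILTERED_CODES):
        return "filtered"
    return None


def syn_scan(ports, send_syn: Callable[[int], Optional[Reply]], max_retries: int = 2):
    """Probe each port, retransmitting up to max_retries times on silence.

    Returns (states, stats): the per-port state, plus counters showing that
    an open port gets an immediate RST from the scanner (the half-open
    teardown) and that silent ports cost the most probes.
    """
    states, stats = {}, {"probes": 0, "resets_sent": 0}
    for port in ports:
        state = None
        for _attempt in range(1 + max_retries):
            stats["probes"] += 1
            state = classify(send_syn(port))
            if state is not None:
                break
        if state is None:
            state = "filtered"             # silence after all retries: filtered
        if state == "open":
            stats["resets_sent"] += 1      # tear down before the handshake completes
        states[port] = state
    return states, stats


# Constructed target (assumption for the example): listens on 22 and 80,
# rejects 23 with RST, silently drops 135 (a firewall DROP rule), and
# answers 445 with an ICMP admin-prohibited error (a REJECT rule).
def fake_target(port: int) -> Optional[Reply]:
    if port in (22, 80):
        return Reply("tcp", tcp_flags=SYN | ACK)
    if port == 23:
        return Reply("tcp", tcp_flags=RST | ACK)
    if port == 445:
        return Reply("icmp", icmp_type=3, icmp_code=13)
    return None                            # 135 and everything else: dropped


if __name__ == "__main__":
    result, counters = syn_scan([22, 23, 80, 135, 445], fake_target)
    for p, s in sorted(result.items()):
        print(f"{p}/tcp\t{s}")
    print(counters)
```

Running it reports 22 and 80 as open, 23 as closed, and 135 and 445 as filtered. Only port 135 consumes all three probes; the ICMP error on 445 settles the state on the first attempt, which is the difference between a REJECT rule and a DROP rule from the scanner's point of view.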

Nmap can scan thousands of ports and clearly distinguish open ports from closed and filtered ones. Beyond that basic split, it classifies each port into one of six states:

---“Open”: an application on the target machine is actively accepting TCP connections or UDP datagrams on that port. Every open port is an avenue for attack, so it is the administrator's duty to close the ports that are not needed and to protect the rest with a firewall.

---“Closed”: a closed port is reachable (it receives Nmap's probes and responds to them, with an RST in the case of TCP), but no application is listening on it. Closed ports are not automatically safe: the response proves that a live host sits at that IP address, Nmap uses closed ports during OS detection, and the port can be opened at any time by starting a service. An administrator should block such ports with a firewall, after which they appear in the filtered state.

---“Filtered”: a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Filtering can be done by a dedicated firewall device, router access lists, or host-based firewall software.
Nmap cannot determine whether the port is open because the filter prevents its probes from reaching it. Filtered ports yield very little information: sometimes the filter responds with an ICMP error message (a destination unreachable reply), but filters that simply drop the probe are more common. A dropped probe cannot be distinguished from a packet lost in transit, so Nmap retransmits several times before giving up, which is why scanning filtered ports slows the scan down considerably.

---“Unfiltered”: the port is accessible (no filter is blocking it), but Nmap is unable to determine whether it is open or closed. Only the ACK scan (-sA), which is used to map firewall rule sets, classifies ports into this state. Because the port is reachable, scanning unfiltered ports with another scan type such as a SYN scan (-sS), Window scan (-sW) or FIN scan (-sF) can usually resolve whether it is open or closed.

---“Open|filtered”: Nmap places a port in this state when it cannot tell whether the port is open or filtered. This happens with scan types in which an open port gives no response, so a missing reply could mean either that a packet filter dropped the probe or that the port is open and simply silent. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

---“Closed|filtered”: Nmap is unable to determine whether the port is closed or filtered. This state is produced only by the IP ID idle scan (-sI).
---In addition to port states, Nmap can report the MAC address (for targets on the same Ethernet segment), the device type, and the reverse DNS name of each host.
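The six states above are what you get back from a scan, and in practice they are read from Nmap's XML output (nmap -oX) rather than from the screen. The following is an added example written for this page, not part of Nmap: it parses the XML layout Nmap writes (nmaprun, host, address, hostnames, ports, port, state, service), pulls out the MAC address and reverse DNS name mentioned above, and groups ports by state with the follow-up action each state calls for. The embedded XML is a constructed sample; its addresses, hostname, service versions and the helper names parse_nmap_xml and triage are assumptions made for the illustration.

```python
"""Summarise port states from Nmap XML output (nmap -oX scan.xml).

Added example, not part of the original page or of Nmap itself. The
XML below is a constructed sample in the layout Nmap writes (nmaprun /
host / address / hostnames / ports / port / state / service); the
addresses, hostname and service versions in it are made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:0C:29:AB:CD:EF" addrtype="mac" vendor="VMware"/>
    <hostnames><hostname name="files.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="no-response"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="admin-prohibited"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="unfiltered" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# What each state still needs from the operator, following the text above.
FOLLOW_UP = {
    "open":            "service reachable: review it, close it if unneeded, or firewall it",
    "closed":          "host is alive here; a firewall DROP rule would make it filtered",
    "filtered":        "blocked by a filter: nothing more to learn from this scan type",
    "unfiltered":      "reachable; rescan with -sS, -sW or -sF to resolve open vs closed",
    "open|filtered":   "ambiguous; rescan with -sV or a different scan type to resolve",
    "closed|filtered": "idle-scan only; resolve with a direct (non-idle) scan",
}


def parse_nmap_xml(xml_text: str):
    """Return one dict per host: IPv4, MAC, reverse DNS name and port list."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        entry = {"ipv4": None, "mac": None, "rdns": None, "ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "mac"):
                entry[addr.get("addrtype")] = addr.get("addr")
        hn = host.find("hostnames/hostname[@type='PTR']")   # reverse DNS record
        if hn is not None:
            entry["rdns"] = hn.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")                       # present only with -sV
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": None if svc is None else " ".join(
                    v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v),
            })
        hosts.append(entry)
    return hosts


def triage(hosts):
    """Group (ip, proto, port) tuples by state and attach the follow-up action."""
    by_state = {}
    for h in hosts:
        for p in h["ports"]:
            by_state.setdefault(p["state"], []).append((h["ipv4"], p["proto"], p["port"]))
    return {state: (FOLLOW_UP.get(state, "unknown state"), sorted(ports))
            for state, ports in by_state.items()}


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for h in parsed:
        print(f"{h['ipv4']} ({h['rdns']}, MAC {h['mac']})")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']:<4} {p['state']:<14} {p['reason']:<18} {p['service'] or ''}")
    for state, (action, ports) in triage(parsed).items():
        print(f"{state}: {len(ports)} port(s); {action}")
```

The reason attribute is worth keeping in the report: two ports that both read "filtered" were reached very differently (no response versus an ICMP admin-prohibited reply), and that distinction tells you whether the filter in the path drops or rejects.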