SYN scan is the default scan option for a good reason: it is fast, scanning thousands of ports per second. In this article, we will discuss how to do stealth scans with Nmap on Linux.
This article goes over several ways to use Nmap to do covert scans.
To get through firewalls or find hosts that are still alive while avoiding detection, stealth scan techniques are used.
To carry out various stealth scan types, Nmap provides several flags and options, most of which are covered on this page. They are simple to put into practice and provide an enjoyable way to learn about IP packets.
After reading this article, the reader will have a deeper grasp of network packets and communications and extensive practical experience using Nmap for stealth scans.
Screenshots accompany each instruction in this article, making it simple for all readers to comprehend how to complete each step and see the outcomes.
Stealth Scans Overview
Firewalls typically notice new and existing connections.
A TCP scan delivers packets to the target in order to connect with it (gathering information in the process). A firewall can block and log this behavior and alert the administrator to it.
Take into account that these techniques assume the user already has root access. Nmap's stealth scan sends a SYN (synchronize) packet and, after receiving the target's initial response, breaks off the connection with an RST (reset) packet.
By cutting off each brief exchange and terminating the connection process before an ACK reply is delivered, users can keep firewalls from noticing the scan.
A typical TCP scan starts with an initial SYN (Synchronization) message from Nmap (PC1) asking the target (PC2) to synchronize a connection, as seen in the figure below. If the targeted port is open, the target responds to Nmap with SYN+ACK (Acknowledgement and Synchronization) packets, verifying the reception of the SYN and the synchronization, and Nmap responds with ACK (Acknowledgment) packets.
Using SYN packets, a stealth scan is depicted in the accompanying image. As seen, PC1 (Nmap) replaces the final acknowledgment (ACK) packet it sends with a RST packet to cut off the connection and get around firewalls (Intrusion Detection Systems and custom firewalls will detect stealth scans).
How to do Stealth Scans with nmap on Linux
Techniques for nmap TCP SYN (Stealth) Scans
The user must use the -sS (SYN) flag to do a SYN or stealth scan like the one shown in the second picture above. With this option selected, Nmap terminates the connection instead of completing it.
Note: the SYN scan needs raw-socket privileges; run it with sudo if you are not already root.
An example of stealth scans using nmap against the network 192.168.0.0/24 on Linux is shown below:
Syntax:
$ sudo nmap -sS 192.168.0.0/24
Ping Scan for TCP SYN
A SYN ping can be started with the -PS parameter to find live hosts quietly.
Syntax:
$ nmap -sn -PS80 192.168.0.1/24
A host-discovery (ping) scan with no port scan can also be done with the -sP parameter.
Syntax:
$ nmap -sP 192.168.0.0/24
Null Scan with nmap on Linux
Firewalls and intrusion detection systems (IDS) can recognize a SYN scan even when an RST packet is sent to keep the connection from being logged. Nmap offers additional methods for covert scanning.
Nmap analyzes the target's packet replies, compares them with the protocol rules, and interprets the results. It can also forge packets whose replies disclose the port's nature, for instance to determine whether a port is closed or filtered by a firewall.
The next illustration shows a NULL scan, whose probe carries none of the SYN, ACK, or RST flags.
nmap’s NULL scan can yield three possible interpretations: Open|Filtered, Closed, or Filtered, where:
- Open|Filtered: Nmap cannot tell whether a port is open or being blocked by a firewall.
- Closed: This means the port is closed.
- Filtered: This means the port is filtered.
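As an added example (not code from the article), here is the decision logic behind those interpretations in Python: how a SYN, NULL, FIN or Xmas probe's reply (or silence) becomes a port state. The rules follow Nmap's reference guide; the scan names and sample replies are constructed for illustration.

```python
# Added example (not from the article): the decision rules Nmap applies when a
# SYN, NULL, FIN or Xmas probe gets (or does not get) a reply. Rules follow the
# Nmap reference guide; the sample replies below are constructed.

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each scan type sets on its probe packet.
PROBE_FLAGS = {
    "syn": SYN,               # -sS: half-open scan
    "null": 0,                # -sN: no flags at all
    "fin": FIN,               # -sF
    "xmas": FIN | PSH | URG,  # -sX: FIN, PSH and URG "lit up"
}

# ICMP type 3 (unreachable) codes that Nmap reports as "filtered".
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}

def classify(scan, response):
    """Return Nmap's port-state label for one probe/response pair.

    response is None (no reply after retransmission), ("tcp", flags)
    or ("icmp", type, code).
    """
    if scan not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type {scan!r}")
    if response is None:
        # For -sS silence means a firewall dropped the probe. For the
        # flagless scans RFC 793 says an open port must stay silent too,
        # so Nmap cannot separate "open" from "filtered".
        return "filtered" if scan == "syn" else "open|filtered"
    if response[0] == "icmp":
        _, icmp_type, code = response
        return "filtered" if icmp_type == 3 and code in FILTERED_ICMP_CODES else "unknown"
    _, flags = response
    if flags & RST:
        return "closed"   # any closed port answers a probe with RST
    if scan == "syn" and flags & SYN and flags & ACK:
        return "open"     # SYN/ACK: the port is listening
    return "unknown"

if __name__ == "__main__":
    # Constructed sample: the same target port probed different ways.
    samples = [("syn", ("tcp", SYN | ACK)), ("syn", ("tcp", RST)),
               ("null", None), ("null", ("tcp", RST)),
               ("xmas", ("icmp", 3, 13)), ("fin", None)]
    for scan, resp in samples:
        print(f"{scan:<4} probe -> {classify(scan, resp)}")
```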
In the following real-world illustration, the user runs a NULL scan using the -sN flag:
Syntax:
$ sudo nmap -v -sN -p 80 distroid.com
As seen in the example below, you can add the -sV option to check whether a port listed as Open|Filtered is indeed open. However, as Nmap's book notes, adding this flag makes the scan easier for the target to detect.
Syntax:
$ sudo nmap -sN -sV -p 80 distroid.com -v
- nmap = run the command
- -v = run the command in verbose mode
- -sN = run a NULL scan
- -sV = version detection
- -p = the port to scan
Firewalls can occasionally stop SYN packets. In that case, the user can send a packet with the SYN/ACK flags set to get through firewalls that do not block SYN/ACK packets.
SYN/FIN is another flag combination that such firewalls often let through; Nmap's --scanflags option permits mixing SYN with other flags in this way.
The next scan type sends the SYN and FIN flags together. There is little likelihood that this kind of scan will go undetected.
Syntax:
$ sudo nmap -sS --scanflags SYNFIN distroid.com -v
Xmas Scan with nmap on Linux
The Xmas scan was regarded as a stealth scan method that determined the type of remote system by examining the responses to Xmas packets.
Each operating system and network equipment responds differently to Xmas packets, disclosing details such as the operating system and port statuses.
Xmas is an outdated scan method, and many firewalls and intrusion detection systems nowadays detect it, so it is not advised as a stealth tactic.
Syntax:
$ sudo nmap -sX -T2 distroid.com -v
TCP “Connect Scan” and TCP SYN stealth scan comparison:
Regular TCP Communication
- “Can you hear me? Could we please meet?” (SYN packet requesting synchronization)
- “Hi! I recognize you! I see you, we can meet” (where “we can meet” is a SYN packet and “I see you” is an ACK packet)
- “Great!” (ACK packet)
Stealth SYN Communication
- “Can you hear me? Could we please meet?” (SYN packet requesting synchronization)
- “Hi! I recognize you! I see you, we can meet” (where “we can meet” is a SYN packet and “I see you” is an ACK packet)
- “I sent you a request by mistake; please disregard it, I'm sorry” (RST packet)
In contrast to a TCP connection or Connect Scan, the second exchange above illustrates a SYN scan, which never completes a connection. As a result, neither your IP address nor a connection is recorded on the second device.
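The two exchanges above differ only in their third packet, which is exactly what a defender's packet capture shows. The following Python, an added example and not code from the article, labels the exchanges in a constructed packet log as full connects, aborted (half-open) handshakes, or the NULL, Xmas and SYN/FIN probes discussed earlier; the addresses and log format are invented for the example.

```python
# Added example (not part of the article): labelling the TCP exchanges in a
# packet log so a defender can see that a "stealth" SYN scan is still visible
# on the wire: the handshake is aborted with RST instead of finished with ACK.
# The log below is constructed; flags use tcpdump's short form
# (S=SYN .=ACK R=RST F=FIN P=PSH U=URG, - = no flags).

from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.5:40001 > 10.0.0.9:22 S
10.0.0.9:22 > 10.0.0.5:40001 S.
10.0.0.5:40001 > 10.0.0.9:22 .
10.0.0.7:51000 > 10.0.0.9:80 S
10.0.0.9:80 > 10.0.0.7:51000 S.
10.0.0.7:51000 > 10.0.0.9:80 R
10.0.0.7:51001 > 10.0.0.9:443 S
10.0.0.9:443 > 10.0.0.7:51001 S.
10.0.0.7:51001 > 10.0.0.9:443 R
10.0.0.8:60000 > 10.0.0.9:80 -
10.0.0.8:60001 > 10.0.0.9:80 FPU
10.0.0.8:60002 > 10.0.0.9:80 SF
"""

# Flag sequences as seen from the side that sent the first packet.
PATTERNS = {
    ("S", "S.", "."): "full connect (-sT style, handshake completed)",
    ("S", "S.", "R"): "half-open SYN scan (-sS style, handshake aborted)",
    ("-",): "NULL probe (-sN)",
    ("FPU",): "Xmas probe (-sX)",
    ("SF",): "SYN/FIN probe (--scanflags SYNFIN)",
}

def label_flows(log):
    """Return {(client, server): label} for every exchange in the log."""
    flows = {}  # (client, server) -> flags in arrival order
    for line in log.splitlines():
        src, _, dst, flags = line.split()
        # A reply belongs to the flow its mirror-image 4-tuple opened.
        key = (dst, src) if (dst, src) in flows else (src, dst)
        flows.setdefault(key, []).append(flags)
    return {k: PATTERNS.get(tuple(v), "other") for k, v in flows.items()}

def suspicious_sources(log):
    """Count aborted handshakes and malformed probes per client IP."""
    counts = defaultdict(int)
    for (client, _), label in label_flows(log).items():
        if label not in ("other", PATTERNS[("S", "S.", ".")]):
            counts[client.split(":")[0]] += 1
    return dict(counts)
```

Calling `label_flows(SAMPLE_LOG)` labels each exchange, and `suspicious_sources(SAMPLE_LOG)` returns {'10.0.0.7': 2, '10.0.0.8': 3} for the constructed log, while the host that completed its handshake (10.0.0.5) is not counted.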
Other Non-Stealth nmap Flags on Linux
In addition to the stealth scan methods, we chose to outline a few more flags.
It is important to stress that none of the flags listed below are stealthy.
The following screenshot demonstrates how the -O flag can identify the target operating system:
Syntax:
$ sudo nmap -O distroid.com
As you can see in the previous screenshot, the target most likely runs Linux with kernel version 2.4.x. The report notes that the detection conditions were challenging.
The following example shows how to find the software version (-sV) listening behind the ports. As you can see, gws was discovered.
Syntax:
$ sudo nmap -sV google.com
The scan results are saved to a file when the -oN switch is used.
In the example that follows, the user uses the -oN flag to write the scan output to the file “result.txt”.
Syntax:
$ nmap -oN result.txt distroid.com
That’s it for techniques with stealth scans using nmap on Linux. To test them against various detection rules, use an intrusion detection system like Snort to evaluate their effectiveness.
Conclusion
Nmap offers a variety of stealth scan methods, as you can see. If the user is familiar with networking fundamentals, they are all simple to use and comprehend. Readers with little expertise should have no trouble replicating the practical examples provided. It is strongly advised to try the examples while reading.
All of the steps provided apply to all Linux distributions.
If this guide helped you, please share it. 🙂