Nmap: Data Packets

Nmap TCP packets structure

Among the most important packets are the TCP ones, and based on the TCP data packet structure we need to define the specific properties that characterise Nmap data packets.

Lab

During this research we set up a simple lab with 2 machines on a LAN. One is the attacker and the other is the receiver. In addition, we capture the traffic during an Nmap port scan, using specific Nmap commands that match the captured traffic. The results table can be found here.

Analysis of data packets

Using the TCP data packet structure, we will break down the information obtained while capturing the packets generated by Nmap and highlight the specific properties that can help us identify Nmap packets.

To begin with, we used a very well-known Nmap command:

nmap -O -v <ipaddress>

This command attempts to find out the operating system running on the target machine. So, how exactly does Nmap attempt to discover the OS?

Nmap phases

Nmap contains different kinds of functions that can be used depending on our purpose.

Port scanning phase:

This is the core of Nmap and where we shall begin our journey into identifying how Nmap proceeds to scan ports. See the section on Port Scanning at https://nmap.org/book/nmap-phases.html

Port scanning

Basically, by scanning 1000 of the most popular TCP and UDP ports, Nmap has built a classification that can identify a certain type of OS using empirical scan data. Therefore the first pattern for identifying Nmap scans is to check for multiple TCP packets sent by the same IP address using the same source port, as our captured data has confirmed.
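The detection pattern described above (one source IP and one fixed source port touching many distinct destination ports in a short time) can be checked directly against captured traffic. The following is an added example, not code from the original post: it works on a constructed list of packet records of the shape you would export from a capture (timestamp, source IP, source port, destination IP, destination port, TCP flags), and the thresholds `min_ports` and `window_seconds` are assumed values, not figures from the page.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample capture (not real data): each record is
# (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# The first 30 records mimic a scanner hitting many ports from one fixed
# source port; the rest mimic ordinary clients, which use a fresh ephemeral
# source port per connection.
_SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139,
                  143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080,
                  8443, 1433, 1521, 2049, 5432, 6379, 8000, 8888, 9200, 27017]

SAMPLE_PACKETS = [
    (100.0 + 0.01 * i, "192.0.2.10", 43211, "192.0.2.20", port, "S")
    for i, port in enumerate(_SCANNED_PORTS)
]
SAMPLE_PACKETS += [
    # a SYN/ACK reply from the target; responses are ignored by the detector
    (100.05, "192.0.2.20", 80, "192.0.2.10", 43211, "SA"),
    # normal browsing: same client, but a different source port each time
    (101.0, "192.0.2.30", 51000, "192.0.2.20", 443, "S"),
    (101.5, "192.0.2.30", 51001, "192.0.2.20", 443, "S"),
    (102.0, "192.0.2.30", 51002, "192.0.2.20", 80, "S"),
    (102.5, "192.0.2.30", 51003, "192.0.2.20", 443, "S"),
]


@dataclass
class ScanAlert:
    src_ip: str
    src_port: int
    dst_ip: str
    distinct_dst_ports: int
    first_seen: float
    last_seen: float


def detect_fixed_source_port_scans(packets, min_ports=20, window_seconds=10.0):
    """Flag (src_ip, src_port, dst_ip) triples whose bare SYNs reach at least
    `min_ports` distinct destination ports inside any `window_seconds` window.
    Returns one ScanAlert per triple, reporting the densest window found."""
    buckets = defaultdict(list)
    for ts, src, sport, dst, dport, flags in packets:
        if flags != "S":          # only outbound connection attempts count
            continue
        buckets[(src, sport, dst)].append((ts, dport))

    alerts = []
    for (src, sport, dst), entries in buckets.items():
        entries.sort()
        in_window = Counter()     # dst_port -> occurrences inside the window
        j = 0
        best = None               # (distinct_ports, window_start, window_end)
        for i, (start_ts, start_port) in enumerate(entries):
            # extend the window end to include everything within window_seconds
            while j < len(entries) and entries[j][0] - start_ts <= window_seconds:
                in_window[entries[j][1]] += 1
                j += 1
            distinct = len(in_window)
            if distinct >= min_ports and (best is None or distinct > best[0]):
                best = (distinct, start_ts, entries[j - 1][0])
            # slide the window start past entries[i]
            in_window[start_port] -= 1
            if in_window[start_port] == 0:
                del in_window[start_port]
        if best is not None:
            alerts.append(ScanAlert(src, sport, dst, best[0], best[1], best[2]))
    return alerts


if __name__ == "__main__":
    for alert in detect_fixed_source_port_scans(SAMPLE_PACKETS):
        print(f"{alert.src_ip}:{alert.src_port} -> {alert.dst_ip}: "
              f"{alert.distinct_dst_ports} ports in "
              f"{alert.last_seen - alert.first_seen:.2f}s")
```

The grouping key deliberately includes the source port: a busy legitimate client also reaches many destination ports over time, but it does so from a changing ephemeral source port, so its per-key fan-out stays at one or two ports and never trips the threshold. Only SYN packets are counted, so the target's own replies (SYN/ACK, RST) never create a bucket of their own.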

The responses to those requests serve Nmap to classify, or attempt to classify, the OS. Nmap focuses on identifying ICMP error messages of type 3 in the responses. Unfortunately for our research, the responses sent by the target machine will not help us much in identifying the Nmap scanning probes, because these responses only serve the attacker, not the target machine. This information, however, gives us a very good idea of how Nmap works.