Nmap Scanning patterns
It is essential to identify patterns in network captures that help us pinpoint data as accurately as possible; specifically, we want to recognize when Nmap has been used to scan our target machines. We will dissect different captured packets and look at the characteristics that make these scans distinctive.
Source Port - Destination Port ==> SYN
When analyzing Wireshark packet captures, we can see a clear structure. In our first captured data sample, the first request to an open port from the Nmap tool is sent from source port 51577 to destination port 8080. Subsequent probes keep using the same source port, but the destination changes: for example, the source port stays 51577 while the destination becomes 23, 21, 135, 3306. Basically, Nmap attempts to scan a range of ports in order to determine the services behind them and whether each port is 'open', closed, filtered or unfiltered, among other Nmap classifications.
Multiple scans are sent in sessions or blocks, with each attempt covering either different ports or the same ones.
Some of the characteristics identified in the NMAP data packets so far:
- The use of the same source port probing multiple destination ports, as defined in the Nmap target port list
- TCP, ICMP or UDP as the protocol
- Length is between 54 and 64 bytes, at most 70
- No ACK is sent after receiving a SYN/ACK response; instead a RST packet is sent in its place
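As an added example (not part of the original notes), the following Python script applies the characteristics listed above to a constructed set of packet summaries modelled on Wireshark's packet list columns. The IP addresses, frame lengths and TCP flag strings are made up for the example; only source port 51577 and the destination ports 8080, 23, 21, 135 and 3306 come from the capture described above. It flags any (source, source port, target) tuple that sends bare SYNs to many destination ports in small frames and answers a SYN/ACK with RST rather than ACK, and it infers per-port state the way the notes describe (SYN/ACK back means open, RST back means closed, no reply is what Nmap reports as filtered).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One row of a Wireshark packet list: frame number, endpoints, TCP flags, frame length."""
    no: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R"/"RA" = RST, "PA" = PSH/ACK
    length: int  # frame length in bytes


# Constructed sample: 10.0.0.5 is the assumed scanner, 10.0.0.9 the assumed target.
SAMPLE = [
    Packet(1, "10.0.0.5", 51577, "10.0.0.9", 8080, "S", 58),
    Packet(2, "10.0.0.9", 8080, "10.0.0.5", 51577, "SA", 58),   # 8080 is open
    Packet(3, "10.0.0.5", 51577, "10.0.0.9", 8080, "R", 54),    # scanner tears it down with RST, not ACK
    Packet(4, "10.0.0.5", 51577, "10.0.0.9", 23, "S", 58),
    Packet(5, "10.0.0.9", 23, "10.0.0.5", 51577, "RA", 54),     # 23 is closed
    Packet(6, "10.0.0.5", 51577, "10.0.0.9", 21, "S", 58),      # 21, 135, 3306: no reply
    Packet(7, "10.0.0.5", 51577, "10.0.0.9", 135, "S", 58),
    Packet(8, "10.0.0.5", 51577, "10.0.0.9", 3306, "S", 58),
    # A normal client for contrast: full handshake followed by data.
    Packet(9, "10.0.0.7", 40001, "10.0.0.9", 443, "S", 74),
    Packet(10, "10.0.0.9", 443, "10.0.0.7", 40001, "SA", 74),
    Packet(11, "10.0.0.7", 40001, "10.0.0.9", 443, "A", 66),
    Packet(12, "10.0.0.7", 40001, "10.0.0.9", 443, "PA", 583),
]


def find_syn_scans(packets, min_ports=4, max_len=70):
    """Return one finding per (scanner, source port, target) that looks like a SYN scan."""
    syns = defaultdict(set)       # (src, sport, dst) -> destination ports probed with a bare SYN
    lengths = defaultdict(list)   # (src, sport, dst) -> frame lengths of those SYNs
    synack_seen = set()           # (client, cport, server, sport) that received a SYN/ACK
    follow_up = {}                # same key -> flags of the client's first packet after the SYN/ACK

    for p in packets:
        if p.flags == "S":
            syns[(p.src, p.sport, p.dst)].add(p.dport)
            lengths[(p.src, p.sport, p.dst)].append(p.length)
        elif p.flags == "SA":
            synack_seen.add((p.dst, p.dport, p.src, p.sport))
        else:
            k = (p.src, p.sport, p.dst, p.dport)
            if k in synack_seen and k not in follow_up:
                follow_up[k] = p.flags

    findings = []
    for (src, sport, dst), ports in syns.items():
        if len(ports) < min_ports:
            continue
        replies = [follow_up.get((src, sport, dst, d)) for d in ports]
        findings.append({
            "scanner": src,
            "source_port": sport,
            "target": dst,
            "ports_probed": sorted(ports),
            "max_frame_len": max(lengths[(src, sport, dst)]),
            "small_frames": max(lengths[(src, sport, dst)]) <= max_len,
            "rst_after_synack": sum(1 for f in replies if f and f.startswith("R")),
            "ack_after_synack": sum(1 for f in replies if f == "A"),
        })
    return findings


def port_states(packets, scanner, sport, target):
    """Infer port state per probe: SYN/ACK => open, RST => closed, no reply => filtered."""
    states = {}
    for p in packets:
        if (p.src, p.sport, p.dst, p.flags) == (scanner, sport, target, "S"):
            states.setdefault(p.dport, "filtered")
    for p in packets:
        if p.src == target and p.dst == scanner and p.dport == sport and p.sport in states:
            if p.flags == "SA":
                states[p.sport] = "open"
            elif "R" in p.flags:
                states[p.sport] = "closed"
    return states


if __name__ == "__main__":
    for f in find_syn_scans(SAMPLE):
        print(f)
        print(port_states(SAMPLE, f["scanner"], f["source_port"], f["target"]))
```

The same first pass can be done inside Wireshark with the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`, which isolates bare SYNs; sorting the result by source port then exposes a single source port fanning out across many destination ports. The `min_ports` threshold is the knob to tune: a legitimate client reusing one ephemeral port across a handful of services is possible, but dozens of destination ports from one source port with no completed handshakes is the pattern the notes describe.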