
NMAP – How to run an NMAP -sS SYN Stealth Scan on Windows 7 – The Visual Guide

04/07/2014

Nmap has four primary scan types. The default, the stealth scan, is the SYN scan (the -sS option).

Fact 1 – The SYN Stealth Scan -sS

  • DEFAULT scan if you have ROOT or ADMIN privileges.
  • You need ROOT or ADMIN access to run the -sS scan, because it crafts raw packets.
  • STEALTH scan – never completes a TCP session, so it is quiet and not recorded in application logs (the packets themselves are still visible to firewalls and IDS).

Fact 2 – Never completes the 3 way handshake

Nmap sends a SYN to start the session.

The Server responds with a SYN-ACK.

Nmap sends a RST to ABORT the connection.

[Figure: TCP SYN scan – SYN, SYN-ACK, RST]

The 3-way handshake is never completed. This is also called “half-open” scanning, or the stealth scan.

If you’re hacking someone, this is your scan of choice.

  • Identifies OPEN ports – the server answers with a SYN-ACK – this is how NMAP knows the port is open
  • Identifies CLOSED ports – the server answers with a RST – so NMAP knows the port is closed
  • If the target is behind a firewall, no response is received (or an ICMP unreachable error comes back) – the probe has been suppressed, so NMAP reports the port as filtered
  • Identifies OPEN, CLOSED and FILTERED ports
  • The -sT or TCP Connect scan, by contrast, is the scan of last resort: it completes the handshake and so shows up in application logs.
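The three responses above are what a SYN scan (and anyone watching the wire) actually sees. The following is an added example, not code from the original post or from the Nmap project: it replays a small constructed TCP trace, infers the open/closed/filtered state per port the way a half-open probe does, and, from the defender's side, flags a source that sends SYNs to many ports and then aborts every handshake with a RST. Addresses, port numbers and the `min_ports` threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed trace (not a real capture). One segment per line:
# src sport dst dport flags. 10.0.0.5 is the scanner, 10.0.0.9 the target,
# 10.0.0.7 a normal client that completes its handshake.
TRACE = """\
10.0.0.5 40001 10.0.0.9 22 S
10.0.0.9 22 10.0.0.5 40001 SA
10.0.0.5 40001 10.0.0.9 22 R
10.0.0.5 40002 10.0.0.9 23 S
10.0.0.9 23 10.0.0.5 40002 RA
10.0.0.5 40003 10.0.0.9 80 S
10.0.0.9 80 10.0.0.5 40003 SA
10.0.0.5 40003 10.0.0.9 80 R
10.0.0.5 40004 10.0.0.9 443 S
10.0.0.5 40004 10.0.0.9 443 S
10.0.0.7 50000 10.0.0.9 22 S
10.0.0.9 22 10.0.0.7 50000 SA
10.0.0.7 50000 10.0.0.9 22 A
"""


def parse_trace(text):
    """Turn the whitespace-separated trace into a list of segment dicts."""
    segs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, flags = line.split()
        segs.append({"src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "flags": set(flags)})
    return segs


def classify_ports(segs, scanner, target):
    """Infer per-port state from the target's reply to each bare SYN probe:
    SYN-ACK -> open, RST -> closed, no reply at all -> filtered."""
    states = {}
    probes = [s for s in segs
              if s["src"] == scanner and s["dst"] == target and s["flags"] == {"S"}]
    for p in probes:
        reply = next((s for s in segs
                      if s["src"] == target and s["sport"] == p["dport"]
                      and s["dst"] == scanner and s["dport"] == p["sport"]), None)
        if reply is None:
            state = "filtered"
        elif {"S", "A"} <= reply["flags"]:
            state = "open"
        elif "R" in reply["flags"]:
            state = "closed"
        else:
            state = "unknown"
        states[p["dport"]] = state
    return states


def half_open_report(segs):
    """Per source address: how many distinct (host, port) targets received a
    bare SYN, how many SYN-ACKs the source answered with RST (half-open), and
    how many it answered with ACK (a real connection)."""
    report = defaultdict(lambda: {"probed": set(), "half_open": 0, "completed": 0})
    for p in (s for s in segs if s["flags"] == {"S"}):
        entry = report[p["src"]]
        entry["probed"].add((p["dst"], p["dport"]))
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        got_synack = any(s["src"] == p["dst"] and s["sport"] == p["dport"]
                         and s["dst"] == p["src"] and s["dport"] == p["sport"]
                         and {"S", "A"} <= s["flags"] for s in segs)
        if not got_synack:
            continue
        follow = [s for s in segs
                  if (s["src"], s["sport"], s["dst"], s["dport"]) == key
                  and s["flags"] != {"S"}]
        if any("R" in s["flags"] for s in follow):
            entry["half_open"] += 1
        elif any(s["flags"] == {"A"} for s in follow):
            entry["completed"] += 1
    return {src: dict(v, probed=len(v["probed"])) for src, v in report.items()}


def suspected_syn_scanners(report, min_ports=3):
    """Sources that touched many ports and never completed a handshake they
    were offered: the half-open signature. The threshold is illustrative."""
    return sorted(src for src, r in report.items()
                  if r["probed"] >= min_ports and r["half_open"] > 0
                  and r["completed"] == 0)


if __name__ == "__main__":
    segs = parse_trace(TRACE)
    print("port states seen by the scanner:", classify_ports(segs, "10.0.0.5", "10.0.0.9"))
    report = half_open_report(segs)
    print("per-source behaviour:", report)
    print("suspected SYN scanners:", suspected_syn_scanners(report))
```

The two functions show the two sides of the same packets: `classify_ports` is what the scanner learns, `half_open_report` is what a sensor on the target's segment can count, which is why the RSTs mentioned under "Disadvantages" below are noticeable even though no application ever logs a connection.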

Disadvantages

1. It requires Root or ADMIN rights.

2. Generates a lot of RSTs on the network… which will be noticed.


Step 1 – Syntax

nmap -sS 192.168.1.1    {just one IP}

nmap -sS --open 192.168.1.* {show only open ports – nice clean output}

nmap -sS 192.168.1.1/24   {the entire subnet in CIDR notation}

nmap -sS 192.168.0.* -p 80,8080,8000 -sV -vv   {multiple ports on a subnet – no spaces in the port list, or the shell splits it into separate arguments}

[Screenshot: Zenmap running nmap -sS --open 192.168.1.*]

[Screenshot: nmap --open output]

The Windows GUI for NMAP is called Zenmap – above we used the 192.168.1.* wildcard notation, which covers the same hosts as 192.168.1.0/24.

NMAP will then list open ports, and identify the router, printers etc.

Other fun scans:

nmap -p 80 192.168.1.1 {TCP port 80 only; add -sU to scan UDP as well}

nmap -p U:53 192.168.1.1 {UDP on port 53, i.e. DNS – needs -sU to actually run}

nmap -p 80,443 192.168.1.1 {just 2 ports}

nmap -p 80-200 192.168.1.1 {a port range}

nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254 {mixed UDP and TCP port lists}

nmap --top-ports 5 192.168.1.1 {Top 5 ports}

nmap --top-ports 10 192.168.1.1 {Top 10 ports}
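The port lists above all use nmap's -p syntax: comma-separated items, a-b ranges, and T:/U: prefixes that apply to every item that follows until the next prefix, while items before any prefix go to each protocol being scanned. The function below is an added example, not part of the original post or of Nmap itself; it expands a port specification the same way so you can check what a command line will actually touch before running it. The `protocols` argument stands for the scan types requested on the command line (for instance `("tcp", "udp")` for -sT -sU) and is an assumption of this example.

```python
import re

# Documented -p prefixes: T: for TCP, U: for UDP.
PREFIX = {"T": "tcp", "U": "udp"}
ITEM = re.compile(r"(?:([TU]):)?(\d+)(?:-(\d+))?")


def parse_port_spec(spec, protocols=("tcp",)):
    """Expand an nmap -p specification into {protocol: set_of_ports}.

    protocols: the protocols the requested scan types cover; unprefixed
    items are added to each of them. Prefixed items are collected under
    their own protocol even if it was not requested, so the caller can
    notice (see ignored_protocols)."""
    if any(ch.isspace() for ch in spec):
        # "-p 80, 8080" is split by the shell into "80," and a stray "8080";
        # reject it instead of silently scanning the wrong thing.
        raise ValueError("port spec must not contain whitespace")
    result = {p: set() for p in protocols}
    current = list(protocols)            # protocols the next item applies to
    for item in spec.split(","):
        m = ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        proto, lo = m.group(1), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if proto:
            current = [PREFIX[proto]]    # prefix sticks until the next one
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        for p in current:
            result.setdefault(p, set()).update(range(lo, hi + 1))
    return result


def ignored_protocols(parsed, requested=("tcp",)):
    """Protocols that received ports in the spec but have no matching scan
    type; e.g. U:53 without -sU scans nothing on UDP."""
    return sorted(p for p, ports in parsed.items() if ports and p not in requested)


def summarize(spec, protocols=("tcp",)):
    """Port count per protocol, for a quick sanity check of a long spec."""
    return {p: len(ports) for p, ports in parse_port_spec(spec, protocols).items()}


if __name__ == "__main__":
    for spec, protos in [("80,443", ("tcp",)),
                         ("80-200", ("tcp",)),
                         ("U:53,111,137,T:21-25,80,139,8080", ("tcp", "udp")),
                         ("U:53", ("tcp",))]:
        parsed = parse_port_spec(spec, protos)
        print(spec, "->", summarize(spec, protos),
              "ignored:", ignored_protocols(parsed, protos))
```

The last case in the usage loop is the -p U:53 command from the list above run without -sU: the parser still reports a UDP port, and `ignored_protocols` makes the mismatch visible.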

[Screenshot: nmap --top-ports output]

References:

  • Professor Messer Guide to NMAP – http://www.professormesser.com/secrets-of-network-cartography-a-comprehensive-guide-to-nmap/
  • Download NMAP with Windows Installer (Zenmap) – http://nmap.org/download.html
  • Nmap Commands – Cyberciti – http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
  • NMAP Scanning Book – written by the developer of NMAP (amazing stuff) – http://www.amazon.co.uk/gp/product/0979958717
