Creating policy in Nesus

CREATING A NEW POLICY

We will now create a new custom policy for scanning a Windows machine on my local area network. To create a policy, click on “Policies” at the top and then the “+add” button. You will see a screen similar to the one shown here:

Enter the name of the policy. In my case, I entered “WindowsBox” since I am scanning a
Windows machine on my network. The visibility is set to private, which means that the policy will not be shared with other users.
You will also see lots of options under the policies tab. You can tweak these options according to your requirements. We will discuss a few of them, which are enabled by default, and also the ones that can be helpful in our penetration tests. I will leave the rest for you to explore on your own.

SAFE CHECKS

You should always enable “Safe Check.” This will only run the low-risk checks so that the availability of the target system is not compromised. If you don’t enable it, you are most likely to crash older system and hence causing denial of service, which is not recommended in a penetration test unless you are asked so.

SILENT DEPENDENCIES

This does not include dependent checks in your report, which will make your report much more effective without the list of dependencies.

AVOID SEQUENTIAL SCANS

When the “Avoid sequential scans” box is checked, nessus will scan the given IP addresses in a random order and not in the default sequential order. The advantage of this check is that it can get past some firewalls that block the “consecutive port” traffic.
For example, Nessus will scan for port 21, and then it will jump over to 53, and then jump to
another port.You don’t need to do much with the default options as these are used for most of your penetration tests. You can read more about each of the options in the “Nessus User Guide.”On the left sidebar, you would see other options such as credentials, plug-ins, and
preferences.

PORT RANGE

By default, nessus will perform a scan from ports 1–1024, but this, in my opinion, should not be set to default, because lots of administrative consoles and web services run on ports higher than 1024, This may lead to missing many vulnerabilities. So it’s recommended you check for all ports by changing the “default” keyword to “all”. This process may take more time, but will help in finding additional vulnerabilities.

CREDENTIALS

On the left sidebar, you will see “Credentials” options, which allow you to specify OS IDs, SMB, FTP, HTTP, and other credentials. This can help you perform an in-depth analysis with Nessus. Most of the time, you would not have access to these credentials, unless you are in a corporate environment.

PLUG-INS

The third option that you will see is for “plug-ins,” which will tell nessus what type of vulnerabilities it shall look for. The plug-ins are coded in “Nessus Attack Scripting Language.” Learning it will help you code your own plug-ins or modify existing ones.

From this screenshot, you can clearly see that nessus contains a huge list of plug-ins. However, we want to disable the “Denial of service” plug-in, since we don’t want to knock targets offline while performing the scan. Also, I would recommend you to be specific about the plug-ins and deselect certain checks that may not be useful for scanning. For example, if you are scanning against a Windows machine, you don’t need Fedora, Freebsd, and other checks enabled.

PREFERENCES

There are a lot of preferences in Nessus that you can customize to handle different types of
contents. The “Nessus User Guide” lists the important preferences you should be using.
Once you are done with it, click on the “Submit” button. This will save your policy.

SCANNING THE TARGET

Now that we are done with the hard part, we need to specify the targets to scan. The process is pretty straightforward. All you need to do is go inside the Scan option and specify the target and the policy that we created in the last step.
Once you have launched the scan, you will see this screen:

Once the scan is complete, go to the “Reports” tab and either download the report or view it in the panel by clicking on it.
There are different types of report formats for nessus. You can read the pros and cons of each report format in the “Nessus User Guide.” To download the report, go to the “Reports” menu, select the report, and click “Download” at the top.

If you are performing a vulnerability assessment, you can download the report in the preferred format and send it to the customer. However, if you are performing a penetration test and your goal is to exploit the vulnerability, choose the .nessus format, because this would enable you to import the information into Metasploit, and within Metasploit, you can perform various other checks and choose relative exploits based upon your findings.

Introduction to Nesus

NESSUS VULNERABILITY SCANNER

Nessus vulnerability scanner is often called the Swiss army knife of vulnerability scanners, as you might have noticed, the Nmap scripting engine has limited numbers of scripts and is only capable of detecting a few vulnerabilities, the reason you cannot completely rely on nmap for vulnerability assessment.
The most common approach used by Nessus is to look at the banners/version headers, which most of the times reveal interesting information about the target such as the version of the service that is running.

As you can see here, I have connected to a website’s FTP server on port 21. From the banner, we can see that it is running Pure-FTPd. However, it is not showing the exact version of the Pure-FTPd. Also, the banner information can be easily changed/faked. This may cause nessus to generate a false positive.
Nessus comes in two flavors:
1. Home feed
2. Professional feed

HOME FEED

Home feed is for personal use, and it contains information about everything from a vulnerability scanning perspective.

PROFESSIONAL FEED

Professional feed is for commercial usages mostly related to compliance checks and auditing purposes. This scanner is not available for free.

INSTALLING NESSUS ON BACKTRACK

Nessus comes preloaded in BackTrack. However, in order for nessus to work, we need the activation code, which can be obtained by signing up on the Nessus website, which will help us fetch the latest plug-ins from the Nessus website.
http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code

Next, you will have an option to choose “work feed” or “home feed.” Choose home feed and provide the e-mail address to which you want the activation code to be delivered.
Once you receive the code, you can issue the following command from your BackTrack con-
sole to register it:
 /opt/nessus/bin/nessus-fetch –register <insert activation code>

ADDING A USER

After we have successfully updated the plug-ins, we need to register a user to nessus, The command for that would be as follows:
 /opt/nessus/sbin/nessus-adduser

This will ask you for a username and a password; it will also ask you if you want to assign administrative privileges to that particular user. The output would look similar to the following:
Finally, you need to issue the following command in order to start the nessus server, which
would be accessible at https://localhost:8834.
 /etc/init.d/nessusd start
You can confirm if a nessus server is running by combining the netstat and grep command. The following command would highlight if a nessus server is listening upon port 8834:
 netstat –ano | grep 8834
Once you have completed these steps, you would need to navigate to https://localhost:8834 from your browser. Since you are accessing it the first time, you will be prompted to accept a generic certificate, which you need not do on subsequent visits.
Next, you just need to log in to nessus with the credentials you defined earlier. This is how your log-in screen would look like:

NESSUS CONTROL PANEL

Nessus control panel is divided into the following six main components:
Reports
This would be our actual findings compiled in the form of a report.
Mobile
This is a new feature added to the latest version of nessus for scanning mobile devices located on a network.
Scan
This tab is where we would spend most of our time after the policies tab. This enables us to scan the targets for vulnerabilities.
Policies
Policies are a core component of Nessus. In policies, we define what type of scan we want to perform on the target, which plug-ins to use, what targets should be excluded, what types of scans should be excluded, and so on.
Users
This is where we can add and delete users that can access the nessus.
Configuration
Configuration allows us to use a proxy and a bunch of other options for scanning.
Default Policies
As mentioned before, policies let us customize the type of scan and plug-ins we want to use to scan a target. Nessus comes preloaded with several default policies. Each policy has a different objective and is meant for different types of pentests. Some of the default policies are as follows:
External network scan
Internal network scan
Web app tests
Prepare for PCI DSS audits

The Nessus guidelines document, available on the official website, contains information about each of the default policies. Understanding the policies listed in this document will help in using Nessus more effectively.

Vulnerability assessment

Now that we have information on open ports, services, service version, and operating system of our target host/network, we will look for its potential vulnerabilities (weaknesses) in order to get one step closer into compromising our target.

Nessus vulnerability scanner would be the prime focus as it is one of the oldest
and best vulnerability scanners in the market. We will also see its integration with Metasploit and how Nessus could be used within Metasploit to perform vulnerability assessment more effectively.
We will also take a look at nmap’s scripting engine, which is a built-in feature inside nmap and can also be used for scanning different kinds of vulnerabilities. It is not as powerful as nessus as it includes very few plug-ins, but it can still be used to detect vulnerable hosts on a target network.

WHAT ARE VULNERABILITY SCANNERS AND HOW DO THEY WORK?

Vulnerability scanners scan computers, networks, or applications looking for potential weaknesses that could be used by attackers to compromise the target.
The way a vulnerability scanner works is that it probes the system by sending specific data to the target host/network, and based on its analysis of the response (fingerprint) received from the target, it can determine many things such as the following:

Open ports
Services
Operating System
Vulnerabilities

PROS AND CONS OF A VULNERABILITY SCANNER

The main advantage of any vulnerability scanner is task automation; it can automate many tasks such as reconnaissance, port scanning, service, and version detection. This can make your work faster and more effective than doing everything manually.
On the other hand, there are some disadvantages of using a vulnerability scanner. One of the main disadvantages is that the vulnerability scanners are very loud by nature and can be easily detected since we are sending lots of traffic over the network. So if you want to stay undetected/anonymous during the pentest, then this is not the best choice in my opinion.
The other problem with a vulnerability scanner is that it can produce lots of false positives,
meaning that it will report vulnerabilities in the target that may not exist in reality. However, it will also report a lot of false negatives, meaning that the scanner would miss or not report the vulnerabilities that actually exist.

VULNERABILITY ASSESSMENT WITH NMAP

One of the most powerful features in nmap is the nmap scripting engine, which can be used for automating many tasks. Nmap scripting engine contains many scripts for performing tasks such as OS fingerprinting, DNS enumeration, and SNMP enumeration. They can also be used for vulnerability scanning purposes. The scripts are written in Lua language, which is very well documented.Learning it will help you write your own scripts or modify existing ones.
The nmap scripts are located in the /usr/local/share/nmap/scripts directory in
BackTrack. Just navigate to the directory and you will see tons of useful scripts that can be used for target enumeration as well as scanning vulnerabilities.

UPDATING THE DATABASE

The scripts are frequently updated, so it’s very good practice to frequently update your nmap scripting engine database. You can use the following command to update the scripting engine:
nmap –script-updatedb

SCANNING MS08 _ 067 _ NETAPI

MS08 _ 067 _ netapi is one of the most commonly found vulnerabilities in Windows XP or
Windows 2003, and it’s one of the first vulnerabilities you should look for.
The nmap scripting engine has a script named “smb-check-vulns”, which will automatically test the specified targets against this vulnerability and report if a certain target is vulnerable to it.
Command:
nmap –script=smb-check-vulns <target iP>

The output shows that the target host is vulnerable to the ms08 _ 067 _ netapi exploit.

Alternatively, we can use the –script=vuln to execute all the scripts that are related to vulnerability scanning and can report additional vulnerabilities. At the same time, we need to keep in mind that this type of scan could be very loud and be easily detected.
Command:
nmap –script=vuln <target ip>

The output shows that the target machine is vulnerable to the MS08 _ 067 exploit.

Firewall bypass scanning

ADVANCED FIREWALL/IDS EVADING TECHNIQUES

The techniques that we have discussed here are very loud in nature and are often detected by firewalls and IDS. Even scan techniques such as XMAS, FIN, and NULL are not that accurate; also, they don’t work on the Windows operating system, so they have a limited advantage over firewalls and IDS.
In this section,I will discuss some of the techniques that can be used to evade firewall detection. There is no universal method to do this; it’s all based on trial and error. Thus, methods could work on some firewalls/IDS but fail with others. It all depends upon how strong the rule sets are.
The Nmap discusses a wide variety of techniques that could be used to get past firewalls.
We will now briefly look at some of them:
 Timing technique
 Fragmented packets
 Source port scan

TIMING TECHNIQUE

The timing technique is one of the best techniques to evade firewalls/IDS. The idea behind this technique is to send the packets gradually, so they do not end up being detected by firewalls/IDS. In nmap we can launch a timing scan by specifying the T command followed by a number ranging from 0 to 5. Increasing the values from T0 to T5 would increase the speed of the scan.

T0—Paranoid
T1—Sneaky
T2—Polite
T3—Normal
T4—Aggressive
T5—Insane
Example
We will perform a sneaky scan (T1) and analyze its behavior in wireshark:
nmap –T1 <Target iP>

WIRESHARK OUTPUT

From the wireshark output, you can clearly see the “TCP” packets being sent after a certain
time interval.

FRAGMENTED PACKETS

During fragmentation we split the packets into small chunks making it harder for the IDS to detect. They can get past some IDS because the IDS would analyze a single fragment but not all the packets. Therefore they will not find anything suspicious. However, many modern IDS can rebuild the fragments into a single packet, making them detectable.
Example
nmap –f 192.168.15.1

WIRESHARK OUTPUT

This output shows us that the packets are divided into 8 bytes of data.

SOURCE PORT SCAN

It is very common for a network administrator to allow traffic from a certain source port. We can use this to our advantage to bypass badly configured firewalls. Common ports that we can specify as source are 53, 80, and 21.
Example
The –g parameter helps us specify a source port, which in this case is 53 (DNS).
nmap –PN –g 53 192.168.15.1

Information gathering using nmap

SERVICE VERSION DETECTION

So, until now I discussed how to figure out the services that are running on a certain port. In this section, I use nmap to find the exact version of the service running on a port; this
could help us look for the potential exploits for that particular version of the service.
Nmap has a database named nmap-services that contain more than 2200 well-known services.Theservice version detection can be performed by specifying the –sv parameter to the nmap.
Command:
nmap –sV <target IP>

OS FINGERPRINTING

Nmap has a huge OS fingerprinting database with more than 2600 OS fingerprints. It sends TCP and UDP packets to the target machine, and the response that is received is compared with the database. If the fingerprint matches, it displays the results.
Command:
nmap –O <Target Address>
The sample output looks as follows:

Nmap also has other options for guessing OS, such as –osscan-limit, which would limit the detection to a few, more promising targets. This would save a lot of time. The second one
is –­osscan-guess, which detects in a better and more aggressive manner. You can also use the command to perform both OS and service version detection:
nmap –n –A –T5 <target IP>

The –n –T5 parameter would speed up our scan, but you should keep in mind that OS detection and service detection methods are very loud at the other end and are often easily detected by IDS and IPS.

POF

POF stands for passive OS fingerprinting. As the name suggests, it does not directly engage with the target while performing OS fingerprinting; it monitors and tries to identify the TCP stack, and based on the TCP stack type, it figures out the type of OS.
The following paragraph from official documentation describe the capabilities of POF:

Common uses for pof include reconnaissance during penetration tests; routine
network monitoring; detection of unauthorized network interconnects in corpo-
rate environments; providing signals for abuse-prevention tools; and miscellaneous
forensics.
Output

Nmap has various options for interpreting the output in a user-friendly and readable format. It supports different types of output formats. The output formats may allow us to filter out results from nmap such as open ports, closed ports, and hosts.
The three popular formats used are discussed in brief next.

Normal Format
Greppable Format
XML Format

NORMAL FORMAT

The normal format is used to output the results of nmap to any text file. Here is an example of a simple SYN scan. The results would be outputted to a file named rafay.txt.

Nmap –sS –PN <targetIP> –oN rafay.txt

GREPABLE FORMAT

In Unix-based operating systems, we have a very useful command “grep”, which can search for specific results such as ports and hosts. With the grepable format, the results are presented with one host per line.

Example:
nmap –sS 192.168.15.1 –oG rafay

This command would save the output into a grepable format, which is one host per line.
The following command will highlight all the ports that are open, which in this case is only
port 80.

XML FORMAT

The XML format is by far the most useful output format in nmap. The reason is that the XML output generated from nmap can be easily ported over to dradis framework and armitage.
Example

Anonymous scanning

We discussed a variety of scan types, including both TCP and UDP. We also discussed some of the scans that can be used for anonymous scanning; in other words, your host iP would not be revealed at the destination when you are performing port scanning. These types of scans are very useful if you wish to remain anonymous while scanning your target. Both the scan techniques we have discussed in this chapter rely specifically upon using another host/server to perform a scan for you.

IDLE SCAN

The IDLE scan is a very effective and stealthy scanning technique. The idea behind the IDLE
scan is to introduce a zombie to scan another host. This technique is stealthy because the victim host would receive packets from the zombie host and not the attacker host. In this way, the victim would not be able to figure out where the scan originated.
However, there are some prerequisites for launching the idle scan, which are as follows:

1. Finding a good candidate whose IP ID sequence is incremental and recording its IP ID.
2. The host should be IDLE on the network.

SCANNING FOR A VULNERABLE HOST

Let’s now talk about scanning for a vulnerable host for the zombie scan. We can use a tool called Hping2 for figuring out if a host is a good candidate for an IDLE scan. Hping2 is mainly used for firewall testing purposes; the creator of this tool is also the one who introduced the concept of IDLE scanning.
Command:
From your console, just type
hping2 –S –r <Target IP>
S—Sending a SYN flag
R—For the relative id

As you can see, the id is incremented by 1; this shows us that the host is a potential candidate for becoming our zombie and can be used to perform an IDLE scan.
Alternatively, we can use the metasploit auxiliary module for figuring out a good candidate for a zombie. In order to use the auxiliary module, we would need to start up the metasploit framework.
From the shell, type “msfconsole” to fire up metasploit. Once metasploit is started, issue the following command to load the auxiliary module:
msf> use auxiliary/scanner/ip/ipidseq
Next, you need to set the Rhosts value; you can either specify a range or a single target. Here is an example:
For a single host
Set RHOSTS <Target Ip>
For a range
Set RHOSTS 192.168.15.1–192.168.15.255

Finally, you need to issue the run command in order to finish the process. Here is the screenshot of how this would look:

PERFORMING AN IDLE SCAN WITH NMAP

Now that we have identified a good candidate for our zombie, let’s try performing an IDLE scan with nmap. The idle scan can be simply performed by specifying the –sI parameter with nmap, followed by the iP of our zombie host and the target that we want to scan against.

Command:
nmap –sI <IP Address Of Zombie> <IP Address Of The Target>

Also, one thing that would be worth mentioning here is that while performing an IDLE scan, you should also use the –pN option. This will prevent nmap from sending an initial packet from your real IP to the target host. Here is another example from the nmap book, which shows the idle scan being performed on riaa.com by using a host that belongs to adobe.com.

Firewall bypass scanning tools

NULL, FIN, AND XMAS SCANS

NULL, FIN, and xmas scans are similar to each other. The major advantage of using these scans for pentest is that many times they get past firewalls and IDS and can be really beneficial against Unix-based OS as all three of these scans do not work against Windows-based operating systems, because they send a reset packet regardless of whether the port is open or closed. The second disadvantage is that it cannot be exactly determined if the port is open or filtered. This leaves us to manually verify it with other scan types.

Source
192.168.0.8
Destination
192.168.0.7

A null scan is accomplished by sending no flags/bits inside the TCP header. If no response
comes, it means that the port is open; if a RST packet is received, it means that the port is closed or filtered.
Command:
nmap –sN <target Ip Address>

FIN SCAN

Source
192.168.0.8
Destination
192.168.0.7

A FIN flag is used to close a currently open session. In a FIN scan the sender sends a FIN flag to the target machine: if no response comes from the target machine, it means that the port is open; if the target machine responds with a RST, it means that the port is closed.
Command:
nmap –sF <target Ip Address>

XMAS SCAN

Source
192.168.0.8
Destination
192.168.0.7

The XMAS scan sends a combination of FIN, URG, and PUSH flags to the destination. It
lightens the packet just like a Christmas tree and that is why it is called an XMAS scan. It works just like the FIN and null scans. If there is no response, the port is open; if the target machine responds with a RST packet, the port is closed.
Command:
nmap –sX <target Ip Address>

TCP ACK SCAN

Source
69.240.103.51
Destination
68.46.234.161

The TCP ACK scan is not used for port scanning purposes. It is commonly used to determine the firewall and ACL rules (access list) and whether the firewall is able to keep track of the connections that are being made.
The way this works is that the source machine sends an acknowledge (ack) packet instead of a syn packet. If the firewall is stateful, it would know that the there was no SYN packet being sent and will not allow the packet to reach the destination.
Responses
 If there is no response, this means that the firewall is stateful and it’s filtering your packets.
 If you receive a reset packet, it means that the packet reached the destination.

The capture from wireshark also gives a better insight into the TCP ACK scan.

Command:
nmap –sA <target Ip Address>

UDP PORT SCAN

UDP stands for “user datagram protocol”; it does not ensure the reliability of the communication and is not used for communication, where the data are very important to us. There are many ports that use UDP; the UDP port scan can be used to determine the common services that are listening upon UDP. Some of the popular UDP services are DHCP, SNMAP, and DNS.
The UDP port scan works by sending an empty UDP header; any kind of UDP response from
the target port would reveal that the port is open. No response would mean that either the port is open or it is filtered. A closed port is determined on the basis of ICMP error messages; if it responds with “ICMP Port unreachable error,” this would mean that the port is closed. Any other ICMP response means that the port is filtered.
Command:
nmap –sU <target Ip Address>

Scanning open ports

SCANNING FOR OPEN PORTS AND SERVICES

Once we have successfully scanned the number of live hosts on a network, we attempt to find open ports and the services associated with them on a network. Port scanning is the process of discovering TCP and UDP open ports on the target host or network. Open ports reveal the services that are running upon the network. We perform port scanning in order to look for potential entry points into the systems.
One of the most challenging tasks with port scanning is to evade firewalls and intrusion detection and prevention mechanisms. Our goal is to make our scan less noisy. In this chapter, we will also discuss some stealth scanning techniques to make your scans less noisy.
There exist many tools such as netcat, hping2, and Unicornscan for scanning open ports, but nmap is our ultimate choice. However, we will look at some of the gui and command line tools too. But our main focus will be on nmap as it’s one of the most comprehensive port scanning tools.

TYPES OF PORT SCANNING

Port scanning is primarily divided into two main categories: TCP scanning and UDP scanning. Nmap supports a wide variety of scanning methods such as the TCP syn scan and the TCP connect scan, and we will discuss some of them here in great detail.
Nmap is very simple to use; the basic command line format for nmap is as follows:

nmap <Scan Type> <Option> <Target Specification>
A simple port can be launched by the following command:
nmap <target Ip Address>
This would return us the ports that are opened upon the target host.
We can also scan a range by either using the CIDR notation that we used earlier in the host
discovery process or using the * sign.
Command:
nmap 192.168.15.*

This would scan the whole range 192.168.15.1–255 and return open ports. Also, you can see
that nmap returns the service associated with each port.

UNDERSTANDING THE TCP THREE-WAY HANDSHAKE

The transmission control protocol (TCP) was made for reliable communication. It is used for a wide variety of protocols on the Internet and contributes toward reliable communication with the help of the three-way handshake.
Before understanding how port scanning works, we need to understand how the TCP three-
way handshake works.

 The first host sends a SYN packet to the second host.
 The second host responds with a SYN/ACK packet; it indicates that the packet was received.
 The first host completes the connection by sending an acknowledgment packet.
TCP Flags
SYN—Initiates a connection.
ACK—Acknowledges that the packet was received.
RST—Resets the connections between two hosts.
FIN—Finishes the connection.

There are many other flags, and I would recommend you to spend some time reading rfc 793,the TCP protocol specification. I cannot emphasize enough the importance of understanding the TCP IP; it will help you a lot.

PORT STATUS TYPES

With nmap you would see one of four port status types:
Open—It means that the port is accessible and an application is listening on it.
Closed—It means that the port is inaccessible and no application is listening on it.
Filtered—It means that nmap is not able to figure out if the port is open or closed, as the packets are being filtered, which probably means that the machine is behind a firewall.
Unfiltered—It means that the ports are accessible by nmap but it is not possible to figure out if they are open or closed.

TCP SYN SCAN

The TCP SYN scan is the default scan that runs against the target machine. It is the fastest scan. You can tweak it to make it even faster by using the –n option, which would tell the nmap to skip the DNS resolution.

1. SYN + Port 80
2. SYN/ACK
3. RST
Source
192.168.0.8
Destination
192.168.0.10

This diagram illustrates how a TCP SYN scan works:
 The source machine sends a SYN packet to port 80 in the destination machine.
 If the machine responds with SYN/ACK packet, Nmap would know that the particular port
is open on the target machine.
 The operating system would send a RST (Reset) packet in order to close the connection,
since we already know that the port is open.
 However, if there is no response from the destination after sending the SYN packet, the
nmap would know that the port is filtered.
 If you send a SYN packet and the target machine sends a RST packet, then nmap would
know that the port is closed.
Command: The command/syntax for the TCP SYN scan is as follows:
nmap –sS <target IP>

From this picture, you can see that I have specified two additional parameters (–n and –p).
The –n parameter tells the nmap not to perform the name resolution; this is commonly used to increase the speed of the scan. The –p parameter is used to specify the ports to scan, which in this case is port 80.

I also ran Wireshark (a network analysis tool) while performing this scan to record the behavior of the packets. The output was what we expected.
As you can see from the first line the source 192.168.15.14 sends a SYN packet to the desti-
nation 192.168.15.1. The destination responds with a SYN, ACK in the second line. The source 192.168.15.14 then sends a RST packet to close the connection, thus displaying the behavior discussed earlier. I have also used the “TCP” filter to filter out tcp protocol–related requests.
The positive side of this scan is that it is pretty fast; its downside is that it is often detected by IDS, IPS, and firewalls. We will talk about some techniques to perform noiseless scans later in this chapter.

TCP CONNECT SCAN

The TCP connect scan is similar to the SYN scan, with a slight difference in that it completes the three-way handshake. The TCP connect scan becomes the default scan if the SYN scan is not supported by the machine. A common reason for that could be that the machine is not privileged to create its own RAW packet.

This diagram illustrates that it’s working:

1. The source machine sends a SYN packet at Port 80.
2. The destination machine responds with a SYN/ACK.
3. The source machine then sends an ACK packet to complete the three-way handshake.
4. The source machine finally sends the RST packet in order to close the connection.
The TCP connect scan can be accomplished by specifying an additional –sC parameter with
nmap.
Here is an example: