Types of Scans 115
To perform a NULL scan in Nmap, issue the following command (the target host or range is a placeholder):
nmap -sN <target>
ACK Scanning
Another interesting variation of setting flags is the ACK scan, which is used to test whether
any filtering is being done on a port. Filtering indicates that a stateful firewall is present
between the attacker and the target. The results that come back from the probe tell the
attacker whether a firewall or router is in use.
To perform an ACK scan in Nmap, use the following command (-P0 skips host discovery; current Nmap versions spell this option -Pn and still accept -P0):
nmap -sA -P0 <target>
So what do you do as a pen tester if packet filters, firewalls, and other devices start to
pick up evidence of your attack? Many methods are available to evade or minimize the risk
of detection when scanning. For example, fragmenting works by breaking a packet into
multiple pieces with the goal of preventing detection devices from seeing what the original
unfragmented packet intends to do. Think of it as taking a large picture and cutting it into
little pieces like a jigsaw puzzle. If you don’t know what the original picture looks like, you
have to reassemble a bunch of colored pieces to figure it out.
In Nmap, if you wish to fragment the packets of a scan, add the -f switch to the scan, for example a SYN scan (-sS), as
follows:
nmap -sS -T4 -A -f -v <target>
Remember fragmenting, because you will use it to evade intrusion detection systems, firewalls, routers, and other devices and systems.
Other tools that can perform fragmenting are Fragtest and Fragroute. Both are command-line tools only, but they perform the same fragmenting function as Nmap's -f option.
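As an added example (not the book's own code), here is a small Python detector, run over constructed packet records, that flags the traffic patterns the NULL scan, ACK scan and -f fragmentation described above leave behind; the record fields, the 8-byte fragment threshold and the port threshold are assumptions a real sensor would tune.

```python
# Added detection example (not from the book): classify TCP probe traffic that
# the NULL scan, ACK scan and -f fragmentation techniques above would produce.
# Packet records are constructed here; a real sensor would fill them from pcap.
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TINY_FRAG_BYTES = 8          # nmap -f splits the TCP header into 8-byte fragments

def classify_packet(pkt, seen_syn):
    """Return a label for one packet record, or None if it looks benign.
    seen_syn: set of (src, dst) pairs for which a SYN was already observed,
    used to tell a bare ACK probe from an ACK inside a real handshake."""
    if pkt.get("more_fragments") and pkt["payload_len"] <= TINY_FRAG_BYTES:
        return "tiny-fragment"        # -f style fragmentation of the header
    flags = pkt["flags"]
    if flags == 0:
        return "null-scan"            # no flags set at all (-sN)
    if flags == ACK and (pkt["src"], pkt["dst"]) not in seen_syn:
        return "ack-probe"            # ACK with no handshake behind it (-sA)
    return None

def detect_scans(packets, port_threshold=3):
    """Group labelled packets by source host and label; report sources that hit
    at least port_threshold distinct destination ports with one technique."""
    seen_syn, hits = set(), defaultdict(set)
    for pkt in packets:
        if pkt["flags"] & SYN:
            seen_syn.add((pkt["src"], pkt["dst"]))
        label = classify_packet(pkt, seen_syn)
        if label:
            hits[(pkt["src"], label)].add(pkt["dport"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= port_threshold}

# Constructed sample traffic: one NULL scan, one ACK scan, one normal handshake.
SAMPLE = (
    [{"src": "10.0.0.5", "dst": "10.0.0.9", "dport": p, "flags": 0,
      "payload_len": 20, "more_fragments": False} for p in (22, 80, 443, 8080)]
  + [{"src": "10.0.0.6", "dst": "10.0.0.9", "dport": p, "flags": ACK,
      "payload_len": 20, "more_fragments": False} for p in (21, 25, 53)]
  + [{"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 80, "flags": f,
      "payload_len": 20, "more_fragments": False} for f in (SYN, ACK, PSH | ACK)]
)

if __name__ == "__main__":
    for (src, label), ports in detect_scans(SAMPLE).items():
        print(f"{src}: {label} against ports {ports}")
```

The handshake host (10.0.0.7) is not reported because its ACK follows a SYN the detector has already seen, which is the distinction a stateful firewall relies on when it filters bare ACK probes.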
UDP Scanning
The previous techniques all assume that TCP is being used, but what if you are presented
with a situation where UDP is the only option? If this is the case, you have to change your
approach a bit, but you can still get results.