Noise Avoidance: Network Scanning with Nmap and Zenmap

Photo: Jason Haddix, Preston Thornburg, Arian (@Cyber_Pwnd), Mohsan (@Pwn__Star), Dani Goland, and Olivia Gallucci at Meow Wolf, Las Vegas 2022.

Although I am a security student, I am not a security expert. Please read my general disclaimer.

What are Nmap and Zenmap?

Nmap is a command-line network scanner used to discover hosts and the services they run. Zenmap is a GUI front end for Nmap. Both work by sending packets to a user-specified host and analyzing the host’s response, or the absence of one.

Images source: https://nmap.org/

Example

Below is a noisy Nmap scan I use for CTFs and other informal environments. The results are saved to a text file so that they can easily be referred to later.

sudo nmap -sC -sV -Pn -T5 -n -O -A -oN /path/filename.txt ip_address
  • -sC – run the default NSE scripts
  • -sV – detect service versions
  • -Pn – skip host discovery (treat the host as online) and scan ports only
  • -T5 – fastest timing template; assumes a fast, reliable network
  • -n – never do DNS resolution
  • -O – remote OS detection
  • -A – aggressive scan: OS detection, version detection, script scanning, and traceroute (so -sC, -sV, and -O are already implied by it)
  • -oN – write normal, human-readable output to the given file
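As an added example (not code from the original post), here is a small Python parser for the -oN normal-output file that the command above writes, so the saved results can be queried later instead of re-read by hand. The sample output it parses is constructed: the host, ports, version strings and timestamps are made up, and only the line layout follows Nmap's normal-output format. It also reports which of the noisy options discussed in this post appear in the command line Nmap records at the top of the file.

```python
import re
from dataclasses import dataclass

# Constructed sample of Nmap "normal" (-oN) output for a fictional host. The host, ports,
# version strings and timestamps are made up; only the line layout follows Nmap's format.
SAMPLE_NORMAL_OUTPUT = """\
# Nmap 7.93 scan initiated Tue Jan 10 12:00:00 2023 as: nmap -sC -sV -Pn -T5 -n -O -A -oN scan.txt 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.00043s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 (protocol 2.0)
80/tcp  open  http     nginx 1.18.0
443/tcp open  ssl/http nginx 1.18.0
| ssl-cert: Subject: commonName=example.internal
|_Not valid after:  2024-01-01T00:00:00
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Tue Jan 10 12:00:30 2023 -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

# Options from the post's example command that make a scan noisy.
NOISY_OPTIONS = {"-A", "-sC", "-sV", "-O", "-T5"}

CMD_RE = re.compile(r"^# Nmap .* as: (.+)$")            # header line records the command
HOST_RE = re.compile(r"^Nmap scan report for (.+)$")     # one per scanned host
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")  # port rows


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_normal_output(text):
    """Parse -oN text into {"command": str, "hosts": {host: [PortResult, ...]}}."""
    parsed = {"command": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        if (m := CMD_RE.match(line)):
            parsed["command"] = m.group(1).strip()
        elif (m := HOST_RE.match(line)):
            current = m.group(1).strip()
            parsed["hosts"][current] = []
        elif current is not None and (m := PORT_RE.match(line)):
            # NSE script lines start with "|" and the header row with "PORT", so only
            # real port rows reach here.
            port, proto, state, service, version = m.groups()
            parsed["hosts"][current].append(
                PortResult(int(port), proto, state, service, (version or "").strip())
            )
    return parsed


def open_services(parsed, host):
    """(port, service) pairs for every open port found on `host`."""
    return [(p.port, p.service) for p in parsed["hosts"][host] if p.state == "open"]


def noisy_options_used(parsed):
    """Which of the noisy options appear in the command line Nmap recorded in the file."""
    return NOISY_OPTIONS & set((parsed["command"] or "").split())


if __name__ == "__main__":
    result = parse_normal_output(SAMPLE_NORMAL_OUTPUT)
    print("open services:", open_services(result, "10.0.0.5"))
    print("noisy options used:", sorted(noisy_options_used(result)))
```

The same regexes work on a multi-host file, since each "Nmap scan report for" line starts a new host entry; script output (lines beginning with "|") is skipped rather than parsed.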

Scan types

There are other options you can choose as well, but these are some common options:

Option  Type              Description
-sS     TCP SYN scan      Most basic scan. Stealthier because it never completes the TCP connection.
-sT     TCP connect scan  Completes the TCP connection (3-way handshake), requesting a response from each host it scans. Usually more reliable than the TCP SYN scan.
-sU     UDP scan          Probes UDP services such as DNS, SNMP, and DHCP. Useful for vulnerability scanning.
-sY     SCTP INIT scan    For SCTP services (SS7 and SIGTRAN). Stealthy on external networks because it does not complete the SCTP association.
-sN     TCP NULL scan     Useful when a firewall is in the way because it can reveal port status without directly querying the port.
Source: Port Scanning Techniques by Nmap

Learn more: Nmap Cheat Sheet by Nathan House

Noise

Noise refers to the amount of disruption your scan creates on target machines. The noisier a scan, the easier it is for the target to notice it is being scanned, which lets intrusion detection systems or administrators block further activity. For example, a TCP connect scan (-sT) completes the full three-way handshake with the target; a potentially quieter alternative is the TCP SYN scan (-sS), which does not complete the handshake.

Many of the commonly used Nmap options ignore stealth entirely. For instance, the -A option, which enables operating system detection, version detection, script scanning, and traceroute, uses banner grabbing: it connects to every open port and reads what the service sends back in order to identify the daemon and its version.

Source: Man – Nmap

Other Nmap options may help avoid specific kinds of detection (such as connection throttling, idle or zombie scanning, packet fragmentation, and source port spoofing), but each addresses only one detection method, so the resulting scans often aren’t holistic.

If you are a red teamer trying to avoid detection, consider running scripts built for stealth. Scripts also help thwart silly mistakes like forgetting to include -P0 (the older spelling of -Pn), which suppresses the default ping Nmap sends and that often alerts firewalls to the scan.

Testing against IDS

One of the most common IDSs is Snort. It is open source and free to download. Since Snort is so common, studying how it detects scans is a great way to decide how to build your Nmap scan: test whether Snort detects a given scan, then adjust it accordingly.

An example of this is scanning below the preset threshold for detection. For example, Snort’s default threshold is 15 ports, so if you scan below that, it is less likely to be detected.
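To see the threshold idea from the defender's side, here is an added Python example (not code from the original post and not Snort's own logic) that applies a Snort-style rule, at least N distinct ports from one source within a time window, to a constructed traffic log in a made-up line format. It also checks for TCP segments with no flags set, which a normal TCP stack never sends and which is what a NULL scan (-sN) looks like on the wire. The constructed traffic includes a fast scanner, a slow scanner that stays under 15 ports per minute, and an ordinary client, so it shows both what a 15-port-per-minute threshold catches and what it misses until the window is widened.

```python
from collections import defaultdict, deque


def make_sample_log():
    """Constructed sample traffic in a made-up log format (not real Snort or firewall output).

    One line per inbound TCP segment: <unix_time> <src_ip> <dst_ip> <dst_port> <flags>
    where <flags> is 'S' for SYN and '-' for a segment with no flags set at all.
    """
    base = 1_700_000_000
    lines = []
    # 203.0.113.9: fast scanner, 20 distinct ports in about 4 seconds (a -T5 style scan)
    for i in range(20):
        lines.append(f"{base + i // 5} 203.0.113.9 10.0.0.5 {8000 + i} S")
    # 198.51.100.7: slow scanner, one new port every 5 s for 24 ports (never 15 in any
    # single minute), followed by one flag-less NULL probe
    for i in range(24):
        lines.append(f"{base + 5 * i} 198.51.100.7 10.0.0.5 {22 + i} S")
    lines.append(f"{base + 120} 198.51.100.7 10.0.0.5 443 -")
    # 192.0.2.33: ordinary client reconnecting to one web server
    for i in range(6):
        lines.append(f"{base + 10 * i} 192.0.2.33 10.0.0.5 443 S")
    return sorted(lines, key=lambda line: int(line.split()[0]))


def parse_line(line):
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def port_scan_alerts(lines, threshold=15, window=60):
    """Return {source_ip: time_first_flagged} for every source that touched at least
    `threshold` distinct (dst_ip, dst_port) targets within any `window`-second span.
    A per-source sliding window is kept in a deque so older events age out."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, dst, port, _flags in map(parse_line, lines):
        q = recent[src]
        q.append((ts, (dst, port)))
        while ts - q[0][0] > window:
            q.popleft()
        if src not in alerts and len({target for _, target in q}) >= threshold:
            alerts[src] = ts
    return alerts


def null_flag_sources(lines):
    """Sources that sent a TCP segment with no flags set. Real TCP stacks always set at
    least one flag, so this is a strong indicator on its own, regardless of port count."""
    return {src for _ts, src, _dst, _port, flags in map(parse_line, lines) if flags == "-"}


if __name__ == "__main__":
    log = make_sample_log()
    print("15 ports / 60 s  :", port_scan_alerts(log))
    print("15 ports / 300 s :", port_scan_alerts(log, window=300))
    print("flag-less segments from:", null_flag_sources(log))
```

With the 15-port, 60-second rule only the fast scanner is flagged; the slow scanner never has more than 13 distinct ports inside any one-minute window. Widening the window to 300 seconds catches it as well, and the flag-less probe identifies it independently of any port count, which is why a detector should combine a long-window counter with per-packet anomaly checks rather than rely on one threshold.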

Sources:
Why is nmap being so noisy with “-A” option? – Stack Exchange
They see me scannin’; they hatin’ – Heisenbugs and other unobservables
How to Perform Stealthy Reconnaissance on a Protected Network – Wonder How To
How to Evade a Network Intrusion Detection System (NIDS) Using Snort – Wonder How To

This post is part of IGME 599, an Honors FOSS Independent Study at the Rochester Institute of Technology.


Written by Olivia Gallucci

Olivia is an honors student at the Rochester Institute of Technology. She writes about security, open source software, and professional development.