Question

Sometimes Nmap results show "tcpwrapped," which hides service details. What techniques can be used to get around this and gather more accurate service information?

Answer 1

​When conducting network scans with Nmap, encountering the tcpwrapped label indicates that a service is protected by TCP Wrapper or similar access control mechanisms. This means the service completed the TCP handshake but then closed the connection, typically due to access restrictions. Bypassing this protection without proper authorization is unethical and likely illegal.

However, understanding the context and employing legitimate techniques can aid in network troubleshooting and security assessments.

Understanding tcpwrapped

The tcpwrapped designation suggests that the target service uses TCP Wrapper to restrict access based on IP addresses or hostnames. When an unauthorized connection attempt is made, the service terminates the connection immediately after the handshake. This behavior is consistent with services protected by TCP Wrapper.

Legitimate Techniques to Gather Service Information

If you have authorization to assess the network and need to gather more information about services labeled as tcpwrapped, consider the following approaches:​

1. Use Different Scan Types:

   • TCP Connect Scan (-sT): This scan completes the full TCP handshake and may elicit different responses from the target service.​

   • Service Version Detection (-sV): Combining this with -sT can sometimes reveal additional information about the service.

   Example Command:

   nmap -sT -sV target_ip

2. Adjust Timing and Performance Options:

   • Timing Templates (-T): Using a slower timing template (e.g., -T2) can help avoid triggering security mechanisms.​

   • Parallelism (--min-parallelism, --max-parallelism): Adjusting these parameters can control the number of probes sent simultaneously.​

   Example Command:

   nmap -sT -sV --min-parallelism=50 --max-parallelism=150 -T2 target_ip

3. Employ Fragmentation and Custom Packet Options:

   • Fragment Packets (-f): Splits the probe into smaller packet fragments, potentially bypassing simple filtering rules.​

   • Set Maximum Transmission Unit (--mtu): Specifies a custom MTU size to evade detection.​

   Example Command:

   nmap -sT -sV -f --mtu 24 target_ip

Note: Use these options cautiously, as they can lead to network instability or detection by intrusion detection systems.

1. Spoof MAC Address:

   • MAC Address Spoofing (--spoof-mac): Alters the source MAC address of the scan packets, which can sometimes bypass access controls based on MAC addresses.​

   Example Command:

   nmap -sT -sV --spoof-mac 00:11:22:33:44:55 target_ip

Ensure that MAC address spoofing complies with local laws and policies.