Nmap is probably the most famous reconnaissance tool among Pentesters and Hacker. It is essentially a port scanner that helps you scan networks and identify various ports and services available in the network, besides also providing further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses. It also comes in handy during network auditing!
The barebone syntax of Nmap is:
$ nmap [FLAGS] [IP]
Note that you may also need to run it with sudo privileges at times to perform some particular types of scans,
Nmap is strong and powerful networking scanning to tool which allows for customizing our scans with the help of flags passed via the command line. Some of the important flags are :
- -h: Print a help summary page
- -sS: Perform a TCP SYN scan
- -sU: Perform a UDP scan
- -sV: Probe open ports to determine service/version info
- -O: Enable OS detection
- -v: Enable verbosity. You can even set the verbosity level as such :
- -vv: Level 2 verbosity. The minimum level of verbosity advised for use.
- -v3: Level 3 verbosity. You can always specify the verbosity level by specifying a number like this.
- -oA: Same Nmap output in “normal”, XML and grepable formats. However you can specify the format of your choice with :
- -oN: Redirect normal output to a given filename
- -oX: Produce output in a clean, XML format and store it in a given file
- -oG: Produce “grepable” output and store it to a file. Deprecated format as users are now moving towards XML outputs.
- -A: Enables “aggressive” scanning. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (–traceroute)
- -p: Specify the ports to scan. It can be a single port as well as a range of ports. For Example :
nmap -p 80 127.0.0.0.1: This scans port 80 on localhost
nmap -p 1-100 127.0.0.1: This scans ports from 1 to 100 on localhost
nmap -p- 127.0.0.1: This scans all the ports on the localhost
Scan Types in Nmap
Nmap supports a lot of different scan types. However the most popular ones are:
1. TCP Connect Scans (
In this type of scan, Nmap sends a TCP packet to a port with the SYN flag set. In this scenario two things can occur :
- The target responds with an RST packet that signifies that the port is closed.
- Target doesn’t respond at all, probably due to a firewall dropping all incoming packets in which case the port will be considered filtered
- The target responds back with a TCP packet with the SYN/ACK flags set which would signify that the port is open and then Nmap would respond with a TCP packet with the ACK flag set and hence would complete the TCP 3-way handshake.
This is not a very reliable scan technique as it is easy to configure a firewall rule to respond back with RST packets or drop all incoming packets. Also this method is extremely slow as it waits for the entire TCP 3 way handshake.
2. SYN “Half-open” Scans (
SYN scans, also known as “Half-Open” or “Stealth Scan” are an improvement over the previous method. In the previous method where we were sending back a TCP packet with the ACK flag set after receiving an SYN/ACK packet, now we would be sending an RST packet. This prevents the server from repeatedly trying to make the requests and massively reduces scan times.
This method is an improvement on the previous ones because:
- They are faster
- They might be able to bypass some primitive firewalls
- Often, SYN Scans are not logged by applications running on the ports as most applications start logging a connection only after it has been fully established which is not the case with SYN Scans
However, it is not advisable to run SYN Scans on production environments as it might break certain unstable applications. It is also to be noted that SYN scans also require sudo privileges because it needs to craft raw packets.
Infact, when run with sudo privileges, nmap defaults to SYN Scans, otherwise it defaults to TCP scan.
3. UDP Scans (
UDP scans are much less reliable than the previous two as UDP connections are stateless by nature. This means that there’s no “feedback mechanism” like TCP. UDP works on the principle “Fire and Forget” which means that it sends packets directed to targets at certain ports and hopes that they would make it. This gives more emphasis on speed than quality. However, the lack of a feedback mechanism makes it difficult to identify open ports.
When an UDP packet is sent to a target port, there might be three scenarios :
- Usually there is no response received in which case nmap marks the port as open|filtered. If no response is received yet, it sends another UDP packet to double check and if yet again no response is received, it marks the port as open|filtered and moves on
- It might get a UDP response back which is very rare. In such a scenario, the port is marked open
- If the port is closed and it receives an ICMP echo request back which signifies that the port is unreachable.
Special Scans in Nmap
Apart from these, some less popular scan types which are even “stealthier” than a TCP SYN scan. These are as follows :
1. TCP Null Scans (
In TCP Null Scans, the TCP packets sent don’t have any of the flags set. According to RFC, under such a circumstance, the target should respond back with an RST if the port i s closed
2. TCP FIN Scans (
This is very similar to the TCP Null Scan except for the fact that instead of sending a completely empty TCP packet, it sends a packet with the FIN flag set which is used to gracefully close a connection. Accordingly the target must respond back with an RST for closed ports as per RFC.
3. TCP Xmas Scans (
TCP Xmas Scans is also very similar to the last two scan techniques except for the fact that they use TCP packets with the PSH, URG and FIN flags set. Like the last two scan types, this too expects RST packets for closed ports under RFC.
As these scans are of a similar nature, they also have similar outputs which is very similar to that of UDP Scans. In this case, we can only have the following three responses :
- open|filtered : When no response is received then the port is categorized as this this because no response can mean only two things :
- The port is open
- The port is protected behind a firewall hence filtered
- filtered : When the port is protected behind a firewall which sends an ICMP ping back
- closed : When it receives and RST packet
It is also to be note that though RFC 793 mandates that network hosts respond to malformed packets with a RST TCP packet for closed ports, and don’t respond at all for open ports, some systems reject this convention. This behaviour is mostly observed in Microsoft Windows Servers and some CISCO devices where all malformed packets are dropped by default.
Scanning A Network For Hosts using Nmap
One of the most important things to do on connecting to a network is to obtain a list of all active hosts on the network before further probing. This can be done via an “Ping Sweep”, which as the name implies, involves sending ICMP packet to all the IPs in the network and await for responses. The hosts which reply back with an ICMP packet are considered active in this case.
You can specify your target IP ranges by using hypens or via CIDR as follows :
$ nmap -sn 192.168.0.1-254
$ nmap -sn 192.168.0.0/24
-sn flag suppresses any port scans, and forces nmap to rely solely on ICMP echo packets (or ARP requests if run with superuser privileges) to identify active hosts in the network. It also sens a TCP SYN packet to the target’s port 443 and a TCP ACK request ( TCP SYN if run with superuser privileges) to the target’s port 80.
Nmap Scripting Engine
The Nmap Scripting Engine(NSE) is a powerful addition to Nmap which allows us to even further extend its functionality. Written in Lua, we can use it to write our scripts and automate a lot of our work like testing for vulnerabilities and exploitation.
There are many categories available. Some useful categories include:
safe:- Won’t affect the target
intrusive:- Not safe: likely to affect the target
vuln:- Scan for vulnerabilities
exploit:- Try to exploit a vulnerability
auth:- Attempt to bypass authentication for running services
brute:- Try to brute force credentials for running services
discovery:- Attempt to query running services for further information about the network (
To run a script, we need to specify it as
You can also specify multiple scripts to run at the same time by separating the script names like
Some scripts also require an argument which can be specified with
Some scripts have an built-in help menus which can be referred with :
$ nmap --script-help <script-name>
You can find a comprehensive list of scripts here.
Nmap has a lot of free and well-drafted documentation. You can find a lot of the information about the flags, scripts, and much more on their official website. You can experiment with the various flags and scripts and see how their outputs differ under different environments.