Nmap Scans That You Should Know About

Q: What is Nmap?

Nmap (“Network Mapper”) is a free, open-source tool for network discovery and security auditing, and one of the most widely used tools of its kind. Network administrators rely on it to map their networks, and penetration testers use it to enumerate targets. It sends raw IP packets to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, what kind of packet filters or firewalls are in place, and many other characteristics.

I will list several host and port scans that I have found useful when performing network and penetration tests. They are in no particular order, and I will explain how each one works in detail.

Useful Nmap Options to keep in mind:

  • -h : display an extended help menu of Nmap
  • -v : Increases the verbosity level (displays a more detailed output of the scan)
  • -T<0-5> : selects a “timing template,” which lets you say how aggressive the scan should be while leaving Nmap to pick the exact timing values. There are six templates, 0 (paranoid) through 5 (insane); -T3 is the default and -T4 is a common choice on reliable networks
  • --script <name|category> : runs Nmap Scripting Engine (NSE) scripts against the hosts and services Nmap finds, e.g. --script default or --script vuln. Nmap ships with hundreds of scripts, and you can write your own in Lua
  • -oN <file> : saves the scan output to a file in normal (human-readable) format. -oG and -oX give grepable and XML output, and -oA <basename> writes all three at once
  • -p <ports> : specifies which ports to scan, e.g. -p 22,80,443 or -p 1-1024; -p- scans all 65535 ports
  • -sn : host discovery only; no port scan of the hosts found (without -sn, Nmap port-scans every live host by default)
  • -O : Enables OS detection
  • -A (Aggressive) : Enable OS detection, version detection, script scanning, and traceroute

Host Discovery

Note: A trailing “/24” is CIDR notation and tells Nmap to scan every address in that subnet. Ex: 192.168.1.0/24 covers 192.168.1.0 through 192.168.1.255 (256 addresses).

ICMP Echo Ping

nmap -PE -sn <Machine-IP/24>

This scan sends an ICMP echo request (type 8) to each address in the subnet and treats any echo reply (type 0) as a live host. Remember that many firewalls drop ICMP echo, so a silent address is not necessarily down. Also note that when you scan your own Ethernet segment as root, Nmap uses ARP requests instead of these probes, because ARP is faster and is not affected by IP-level firewall rules (use --disable-arp-ping to force the IP probes you asked for).

Because ICMP echo requests are so commonly blocked, you can also try ICMP timestamp or address mask requests to check whether a system is online. The -PP option sends an ICMP timestamp request (type 13) and checks for a timestamp reply (type 14); -PM sends an address mask request (type 17) and expects a reply (type 18). Some systems that drop echo requests still answer one of these.

TCP SYN Ping

nmap -PS -sn <Machine-IP/24>

This scan sends a TCP packet with the SYN flag set to a port (80 by default; -PS22,443 lets you choose others) and waits for a response. A SYN/ACK means the port is open and the host is up; an RST means the port is closed, but the host is still up, which is all host discovery needs to know. Only silence, or an ICMP unreachable error from a filtering device, leaves the host's status unknown. As root, Nmap sends raw packets and answers any SYN/ACK with an RST, so no connection is ever completed.

UDP Ping

nmap -PU -sn <Machine-IP/24>

Unlike a TCP SYN ping, a UDP packet sent to an open port usually gets no reply, because most services ignore an empty or unexpected datagram. A UDP packet sent to a closed port, however, should trigger an ICMP port unreachable error (type 3, code 3) from the host, which proves it is up. Nmap therefore aims -PU at a port that is unlikely to be open (40125 by default; -PU<port> changes it). Many firewalls rate-limit or drop ICMP errors, so treat silence as inconclusive.
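As an added example (not code from the original article), the following POSIX shell script strings the host-discovery probes above together: it runs one ping sweep that combines ICMP echo, ICMP timestamp and TCP SYN probes, writes grepable output, and keeps only the hosts Nmap marked Up, so the list can be fed straight into a port scan. The parsing step is a separate function so it can be run on saved output, and a constructed sample sweep is embedded for that purpose. The target 192.168.1.0/24, the probe ports 22/80/443 and the sample addresses are assumptions; the ICMP and raw SYN probes need root.

```shell
#!/bin/sh
# Added example: ping sweep with several probe types, then extract live hosts.
# Not from the original article; target, probe ports and sample data are assumptions.

# Print the address of every host that Nmap marked "Status: Up".
# Grepable (-oG) host lines look like:
#   Host: 192.168.1.10 ()   Status: Up
parse_grepable_up() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Ping sweep combining ICMP echo (-PE), ICMP timestamp (-PP) and TCP SYN to
# 22/80/443 (-PS22,80,443): a host that drops one probe type may still answer
# another. ICMP and raw SYN probes require root. On the local Ethernet segment
# Nmap will use ARP instead unless --disable-arp-ping is given.
live_hosts() {
  nmap -sn -PE -PP -PS22,80,443 -oG - "$1" | parse_grepable_up
}

# Constructed sample sweep output (not a real scan) so the parser runs offline.
sample_sweep() {
  printf 'Host: 192.168.1.1 ()\tStatus: Up\nHost: 192.168.1.2 ()\tStatus: Down\nHost: 192.168.1.10 ()\tStatus: Up\n'
}

# Parse the sample; returns the two live addresses, one per line.
demo() {
  sample_sweep | parse_grepable_up
}

# Usage: sudo sh discover.sh 192.168.1.0/24 > live.txt
#        then: sudo nmap -sS -iL live.txt -oA portscan
if [ "$#" -eq 1 ]; then
  live_hosts "$1"
else
  demo
fi
```

Feeding the saved list to the port scan with -iL keeps the slow part (port scanning) limited to hosts that are actually up, and -oA keeps normal, grepable and XML copies of the results for later parsing.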

Port Scans

TCP SYN Scan

nmap -sS <IP address>

The SYN scan is Nmap's default when run as root (it needs raw sockets). It starts a TCP three-way handshake but never completes it: Nmap sends a SYN packet to each target port and classifies the port from the reply. A SYN/ACK means the port is open, an RST means it is closed, and no response (or an ICMP unreachable error) means it is filtered, i.e. something between you and the service is dropping the probe.

When a SYN/ACK comes back, Nmap immediately answers with an RST instead of the ACK that would finish the handshake, so no connection is ever established. Because the application never sees a completed connection, it usually does not log the attempt; firewalls and intrusion detection systems that watch raw packets will still see it, so the scan is “stealthy” only with respect to application logs.

TCP Connect Scan

nmap -sT <IP address>

The TCP connect scan uses the operating system's connect() call, so it completes the full three-way handshake (SYN, SYN/ACK, ACK). As soon as the connection is established Nmap knows the port is open and closes it again.

This is the scan Nmap falls back to when you are not a privileged user (root or a sudoer), because raw-packet scans such as -sS need elevated privileges. It is slower and noisier than a SYN scan: every open port sees a full connection, and many services log it.

UDP Scan

nmap -sU <IP address>

UDP is a connectionless protocol, so there is no handshake to observe; Nmap sends a UDP datagram to each port and interprets whatever comes back. The scan is worth running because important services such as DNS (53), SNMP (161), NTP (123) and DHCP (67) run over UDP and are invisible to TCP scans.

An ICMP port unreachable error (type 3, code 3) means the port is closed, other ICMP unreachable errors mean filtered, and a UDP reply means open. Nmap sends empty datagrams to most ports (and protocol-specific payloads to a few well-known ones), and most open services simply ignore them, so no response is reported as open|filtered. Because many hosts rate-limit ICMP errors (Linux to about one per second), a full UDP scan takes far longer than a TCP scan; limit it to the ports you care about and add -sV so Nmap sends service probes that can turn open|filtered into a definite open.

FIN Scan

nmap -sF <IP address>

The FIN scan sends a TCP packet with only the FIN flag set. RFC 793 says a closed port must answer an unexpected FIN with an RST while an open port must ignore it, so no response means open|filtered: Nmap cannot tell an open port from one whose probe a firewall silently dropped.

If the target sends an RST, the port is closed. Knowing which ports are closed lets you infer the open|filtered ones, and because the probe carries no SYN it can slip past some stateless firewalls and packet filters that only watch for SYN packets (the NULL scan -sN and Xmas scan -sX work on the same principle). The caveat is that Windows, many Cisco devices and several other stacks send RST to every probe regardless of port state, so on those systems every port looks closed; if a FIN scan reports everything closed while a SYN scan finds open ports, you are dealing with one of them.

TCP ACK Scan

nmap -sA <IP address>

The ACK scan sends a TCP packet with only the ACK flag set. An unfiltered host answers with an RST whether the port is open or closed, because an ACK that does not belong to an existing connection is simply rejected. The scan therefore never reports a port as open: a port that answers with RST is unfiltered, and one that stays silent or returns an ICMP unreachable error is filtered.

That makes it a tool for mapping firewall rules rather than services. A stateless firewall that only blocks incoming SYNs lets the ACK through, so those ports show as unfiltered; a stateful firewall that tracks connections drops the unsolicited ACK, so they show as filtered. Comparing the result with a SYN scan of the same ports tells you which ports are filtered and what kind of filtering is in place.
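The following script (an added example, not code from the original article) shows how the ACK scan is used in practice alongside a SYN scan. It parses the grepable output of both scans for the same host and port list and prints one verdict per port: open or closed straight from the SYN scan, and for ports the SYN scan reported as filtered, whether the ACK probe was answered (the filter blocks SYNs only, i.e. stateless) or was also dropped (stateful or complete filtering). The host 10.0.0.5 and the port list are assumptions, and the sample outputs embedded in the script are constructed so the logic runs without Nmap. Note that Nmap collapses ports sharing the dominant state into an “Ignored State” line rather than listing them, so keep the -p list short enough that every port is listed individually.

```shell
#!/bin/sh
# Added example: combine a SYN scan and an ACK scan of the same ports.
# Not from the original article; host, ports and sample outputs are assumptions.

# Print "port/proto state" for each port entry in grepable (-oG) output on stdin.
# Each entry has the form port/state/proto/owner/service/rpc/version/ and the
# "Ports:" field is tab-separated from the rest of the Host line.
parse_ports() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Ports:/) {
          sub(/^Ports: /, "", $i)
          n = split($i, entry, ", ")
          for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")
            print f[1] "/" f[3], f[2]
          }
        }
      }
    }'
}

# Join SYN results ($1) with ACK results ($2), both as "port/proto state" lines,
# and print one verdict per port.
combine_states() {
  awk '
    FILENAME == ARGV[1] { ack[$1] = $2; next }      # first file: ACK scan
    {
      syn = $2
      a = ($1 in ack) ? ack[$1] : "absent"
      if (syn == "open")
        v = "open"
      else if (syn == "closed")
        v = "closed (reachable, nothing listening)"
      else if (syn == "filtered" && a == "unfiltered")
        v = "filtered: SYN dropped, ACK answered (stateless filter blocks SYN only)"
      else if (syn == "filtered" && a == "filtered")
        v = "filtered: SYN and ACK both dropped (stateful or complete filtering)"
      else
        v = "undetermined (syn=" syn ", ack=" a ")"
      print $1, v
    }' "$2" "$1"
}

# Run both scans against one host and compare them. Needs nmap and root.
# Usage: sudo sh compare.sh 10.0.0.5 22,25,80,443
compare_scans() {
  syn_tmp=$(mktemp); ack_tmp=$(mktemp)
  nmap -sS -p "$2" -oG - "$1" | parse_ports > "$syn_tmp"
  nmap -sA -p "$2" -oG - "$1" | parse_ports > "$ack_tmp"
  combine_states "$syn_tmp" "$ack_tmp"
  rm -f "$syn_tmp" "$ack_tmp"
}

# Constructed sample outputs (not real scans) so the logic runs without Nmap:
# SYN scan sees 22 open, 25 closed, 80 and 443 filtered; the ACK scan gets an
# RST from everything except 443.
syn_sample() {
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/filtered/tcp//http///, 443/filtered/tcp//https///\n'
}
ack_sample() {
  printf 'Host: 10.0.0.5 ()\tPorts: 22/unfiltered/tcp//ssh///, 25/unfiltered/tcp//smtp///, 80/unfiltered/tcp//http///, 443/filtered/tcp//https///\n'
}

# Compare the two samples; returns one verdict line per port.
demo() {
  syn_tmp=$(mktemp); ack_tmp=$(mktemp)
  syn_sample | parse_ports > "$syn_tmp"
  ack_sample | parse_ports > "$ack_tmp"
  combine_states "$syn_tmp" "$ack_tmp"
  rm -f "$syn_tmp" "$ack_tmp"
}

if [ "$#" -eq 2 ]; then
  compare_scans "$1" "$2"
else
  demo
fi
```

In the sample, port 80 is the interesting case: the SYN scan calls it filtered, but the ACK probe gets an RST, which points to a stateless filter that only blocks incoming SYNs. Port 443 is dropped both ways, which is what a stateful firewall (or a rule that drops all traffic to the port) looks like.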