Nmap
- Which systems are up?
- What services are running on these systems?
Scan Types:
- ARP scan: This scan uses ARP requests to discover live hosts
- ICMP scan: This scan uses ICMP requests to identify live hosts
- TCP/UDP ping scan: This scan sends packets to TCP ports and UDP ports to determine live hosts.
- ARP from Link Layer
- ICMP from Network Layer
- TCP from Transport Layer
- UDP from Transport Layer
When no host discovery options are provided, Nmap follows the following approaches to discover live hosts:
- When a privileged user tries to scan targets on a local network (Ethernet), Nmap uses ARP requests. A privileged user is
rootor a user who belongs tosudoersand can runsudo. - When a privileged user tries to scan targets outside the local network, Nmap uses ICMP echo requests, TCP ACK (Acknowledge) to port 80, TCP SYN (Synchronize) to port 443, and ICMP timestamp request.
- When an unprivileged user tries to scan targets outside the local network, Nmap resorts to a TCP 3-way handshake by sending SYN packets to ports 80 and 443.
If you want to use Nmap to discover online hosts without port-scanning the live systems, you can issue nmap -sn TARGETS.
If you want Nmap only to perform an ARP scan without port-scanning, you can use nmap -PR -sn TARGETS, where -PR indicates that you only want an ARP scan.
Although this would be the most straightforward approach, it is not always reliable. Many firewalls block ICMP echo; new versions of MS Windows are configured with a host firewall that blocks ICMP echo requests by default. Remember that an ARP query will precede the ICMP request if your target is on the same subnet.
nmap -PE -sn MACHINE_IP/24 –> ICMP Echo request
nmap -PP -sn MACHINE_IP/24 –> ICMP timestamp request (ICMP type13)
nmap -PM -sn MACHINE_IP/24 –> ICMP Type 17 address mask queries
nmap -PS -sn MACHINE_IP/24 — TCP SYN ping scan ( does not require a privileged account)
nmap -PA -sn MACHINE_IP/24 — TCP ACK ping scan (requires a privileged account)
nmap -PU -sn MACHINE_IP/24 — UDP scan
Nmap’s default behaviour is to use reverse-DNS online hosts. Because the hostnames can reveal a lot, this can be a helpful step. However, if you don’t want to send such DNS queries, you use -n to skip this step.
By default, Nmap will look up online hosts; however, you can use the option -R to query the DNS server even for offline hosts. If you want to use a specific DNS server, you can add the --dns-servers DNS_SERVER option.
| Scan Type | Example Command |
|---|---|
| ARP Scan | sudo nmap -PR -sn MACHINE_IP/24 |
| ICMP Echo Scan | sudo nmap -PE -sn MACHINE_IP/24 |
| ICMP Timestamp Scan | sudo nmap -PP -sn MACHINE_IP/24 |
| ICMP Address Mask Scan | sudo nmap -PM -sn MACHINE_IP/24 |
| TCP SYN Ping Scan | sudo nmap -PS22,80,443 -sn MACHINE_IP/30 |
| TCP ACK Ping Scan | sudo nmap -PA22,80,443 -sn MACHINE_IP/30 |
| UDP Ping Scan | sudo nmap -PU53,161,162 -sn MACHINE_IP/30 |
Remember to add -sn if you are only interested in host discovery without port-scanning. Omitting -sn will let Nmap default to port-scanning the live hosts.
| option | Purpose |
|---|---|
-n | no DNS lookup |
-R | reverse-DNS lookup for all hosts |
-sn | host discovery only |
Masscan
Masscan uses a similar approach to discover the available systems. However, to finish its network scan quickly, Masscan is quite aggressive with the rate of packets it generates. The syntax is quite similar: -p can be followed by a port number, list, or range. Consider the following examples:
masscan MACHINE_IP/24 -p443masscan MACHINE_IP/24 -p80,443masscan MACHINE_IP/24 -p22-25masscan MACHINE_IP/24 ‐‐top-ports 100
Nmap considers the following six states:
- Open: indicates that a service is listening on the specified port.
- Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
- Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.
- Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan
-sA. - Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.
- Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.
TCP Flags
The TCP header is the first 24 bytes of a TCP segment. The following figure shows the TCP header as defined in RFC 793
The TCP header flags are:
- URG: Urgent flag indicates that the urgent pointer filed is significant. The urgent pointer indicates that the incoming data is urgent, and that a TCP segment with the URG flag set is processed immediately without consideration of having to wait on previously sent TCP segments.
- ACK: Acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
- PSH: Push flag asking TCP to pass the data to the application promptly.
- RST: Reset flag is used to reset the connection. Another device, such as a firewall, might send it to tear a TCP connection. This flag is also used when data is sent to a host and there is no service on the receiving end to answer.
- SYN: Synchronize flag is used to initiate a TCP 3-way handshake and synchronize sequence numbers with the other host. The sequence number should be set randomly during TCP connection establishment.
- FIN: The sender has no more data to send.
TCP Connect scan
It is important to note that if you are not a privileged user (root or sudoer), a TCP connect scan is the only possible option to discover open TCP ports.
Note that we can use -F to enable fast mode and decrease the number of scanned ports from 1000 to 100 most common ports.
It is worth mentioning that the -r option can also be added to scan the ports in consecutive order instead of random order. This option is useful when testing whether ports open in a consistent manner, for instance, when a target boots up.
TCP SYN scan
Unprivileged users are limited to connect scan. However, the default scan mode is SYN scan, and it requires a privileged (root or sudoer) user to run it. SYN scan does not need to complete the TCP 3-way handshake; instead, it tears down the connection once it receives a response from the server. Because we didn’t establish a TCP connection, this decreases the chances of the scan being logged. We can select this scan type by using the -sS option.
TCP SYN scan is the default scan mode when running Nmap as a privileged user, running as root or using sudo.
nmap -sS TARGET
UDP scan
UDP is a connectionless protocol, and hence it does not require any handshake for connection establishment. We cannot guarantee that a service listening on a UDP port would respond to our packets. However, if a UDP packet is sent to a closed port, an ICMP port unreachable error (type 3, code 3) is returned.
Fine Tuning
- port list:
-p22,80,443will scan ports 22, 80 and 443. - port range:
-p1-1023will scan all ports between 1 and 1023 inclusive, while-p20-25will scan ports between 20 and 25 inclusive.
You can request the scan of all ports by using -p-, which will scan all 65535 ports. If you want to scan the most common 100 ports, add -F. Using --top-ports 10 will check the ten most common ports.
You can control the scan timing using -T<0-5>. -T0 is the slowest (paranoid), while -T5 is the fastest. According to Nmap manual page, there are six templates:
- paranoid (0)
- sneaky (1)
- polite (2)
- normal (3)
- aggressive (4)
- insane (5)
To avoid IDS alerts, you might consider -T0 or -T1. For instance, -T0 scans one port at a time and waits 5 minutes between sending each probe.
Nmap uses normal -T3.
–T5 is the most aggressive in terms of speed; however, this can affect the accuracy of the scan results due to the increased likelihood of packet loss.
–T4 is often used during CTFs and when learning to scan on practice targets, whereas -T1 is often used during real engagements where stealth is more important.
Alternatively, you can choose to control the packet rate using --min-rate <number> and --max-rate <number>. For example, --max-rate 10 or --max-rate=10 ensures that your scanner is not sending more than ten packets per second.
Moreover, you can control probing parallelization using --min-parallelism <numprobes> and --max-parallelism <numprobes>.
Nmap probes the targets to discover which hosts are live and which ports are open; probing parallelization specifies the number of such probes that can be run in parallel. For instance, --min-parallelism=512 pushes Nmap to maintain at least 512 probes in parallel; these 512 probes are related to host discovery and open ports.
| Port Scan Type | Example Command |
|---|---|
| TCP Connect Scan | nmap -sT 10.10.113.70 |
| TCP SYN Scan | sudo nmap -sS 10.10.113.70 |
| UDP Scan | sudo nmap -sU 10.10.113.70 |
These scan types should get you started discovering running TCP and UDP services on a target host.
| Option | Purpose |
|---|---|
-p- | all ports |
-p1-1023 | scan ports 1 to 1023 |
-F | 100 most common ports |
-r | scan ports in consecutive order |
-T<0-5> | -T0 being the slowest and T5 the fastest |
--max-rate 50 | rate <= 50 packets/sec |
--min-rate 15 | rate >= 15 packets/sec |
--min-parallelism 100 | at least 100 probes in parallel |
Nmap Advanced Port scans
NULL SCAN
The null scan does not set any flag; all six flag bits are set to zero. You can choose this scan using the -sN option. A TCP packet with no flags set will not trigger any response when it reaches an open port.
However, we expect the target server to respond with an RST packet if the port is closed.
FIN SCAN
The FIN scan sends a TCP packet with the FIN flag set. You can choose this scan type using the -sF option. Similarly, no response will be sent if the TCP port is open.
However, the target system should respond with an RST if the port is closed.
Xmas SCAN
The Xmas scan gets its name after Christmas tree lights. An Xmas scan sets the FIN, PSH, and URG flags simultaneously. You can select Xmas scan with the option -sX.
Like the Null scan and FIN scan, if an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open|filtered.
On scenario where these three scan types can be efficient is when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag set to detect a connection attempt. Using a flag combination that does not match the SYN packet makes it possible to deceive the firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packets and render this kind of scan useless.
In this scan, the FIN and ACK bits are set. The target should send an RST packet as a response. However, certain BSD-derived systems drop the packet if it is an open port exposing the open ports. This scan won’t work on most targets encountered in modern networks.
To select this scan type, use the -sM option.
TCP ACK Scan
An ACK scan will send a TCP packet with the ACK flag set. Use the -sA option to choose this scan.
The target would respond to the ACK with RST regardless of the state of the port. This behaviour happens because a TCP packet with the ACK flag set should be sent only in response to a received TCP packet to acknowledge the receipt of some data, unlike our case. Hence, this scan won’t tell us whether the target port is open in a simple setup.
This kind of scan would be helpful if there is a firewall in front of the target. Consequently, based on which ACK packets resulted in responses, you will learn which ports were not blocked by the firewall. In other words, this type of scan is more suitable to discover firewall rule sets and configuration.
Window Scan
Another similar scan is the TCP window scan. The TCP window scan is almost the same as the ACK scan; however, it examines the TCP Window field of the RST packets returned. Select this scan type with the option -sW.
We expect to get an RST packet in reply to our “uninvited” ACK packets, regardless of whether the port is open or closed.
Custom Scan
If you want to experiment with a new TCP flag combination beyond the built-in TCP scan types, you can do so using --scanflags. For instance, if you want to set SYN, RST, and FIN simultaneously, you can do so using --scanflags RSTSYNFIN.
It’s possible to scan a target system using a spoofed IP address and even a spoofed MAC address. Such a scan is only beneficial in a situation where you can guarantee to capture the response.
In general, you expect to specify the network interface using -e and to explicitly disable ping scan -Pn. Therefore, instead of nmap -S SPOOFED_IP 10.10.245.236, you will need to issue nmap -e NET_INTERFACE -Pn -S SPOOFED_IP 10.10.245.236 to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply. It is worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses.
When you are on the same subnet as the target machine, you would be able to spoof your MAC address as well. You can specify the source MAC address using --spoof-mac SPOOFED_MAC. This address spoofing is only possible if the attacker and the target machine are on the same Ethernet (802.3) network or same WiFi (802.11).
Spoofing only works in a minimal number of cases where certain conditions are met. Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed. The concept is simple, make the scan appears to be coming from many IP addresses so that the attacker’s IP address would be lost among them. As we see in the figure below, the scan of the target machine will appear to be coming from 3 different sources, and consequently, the replies will go the decoys as well.
You can launch a decoy scan by specifying a specific or random IP address after -D. For example, nmap -D 10.10.0.1,10.10.0.2,ME 10.10.245.236 will make the scan of 10.10.245.236 appear as coming from the IP addresses 10.10.0.1, 10.10.0.2, and then ME to indicate that your IP address should appear in the third order. Another example command would be nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME 10.10.245.236, where the third and fourth source IP addresses are assigned randomly, while the fifth source is going to be the attacker’s IP address. In other words, each time you execute the latter command, you would expect two new random IP addresses to be the third and fourth decoy sources.
Fragmented Packets (to escape from firewall/IDS)
Nmap provides the option -f to fragment packets. Once chosen, the IP data will be divided into 8 bytes or less. Adding another -f (-f -f or -ff) will split the data into 16 byte-fragments instead of 8. You can change the default value by using the --mtu; however, you should always choose a multiple of 8.
sudo nmap -sS -p80 -f TARGET
Idle/Zombie scan (alternate for spoofed scans)
nmap -sI ZOMBIE_IP 10.10.245.236
The idle scan, or zombie scan, requires an idle system connected to the network that you can communicate with. Practically, Nmap will make each probe appear as if coming from the idle (zombie) host, then it will check for indicators whether the idle (zombie) host received any response to the spoofed probe. This is accomplished by checking the IP identification (IP ID) value in the IP header.
Finally, the attacker sends another SYN/ACK packet to the idle host and the idle host will respond with a RST packet with an incremented IP ID (because it already sent a RST to Target machine). Attacker now compares the IP ID values to know the port status on the target machine.
Additional options
You might consider adding --reason if you want Nmap to provide more details regarding its reasoning and conclusions.
Providing the --reason flag gives us the explicit reason why Nmap concluded that the system is up or a particular port is open.
If -vv does not satisfy your curiosity, you can use -d for debugging details or -dd for even more details. You can guarantee that using -d will create an output that extends beyond a single screen.
| Port Scan Type | Example Command |
|---|---|
| TCP Null Scan | sudo nmap -sN 10.10.141.75 |
| TCP FIN Scan | sudo nmap -sF 10.10.141.75 |
| TCP Xmas Scan | sudo nmap -sX 10.10.141.75 |
| TCP Maimon Scan | sudo nmap -sM 10.10.141.75 |
| TCP ACK Scan | sudo nmap -sA 10.10.141.75 |
| TCP Window Scan | sudo nmap -sW 10.10.141.75 |
| Custom TCP Scan | sudo nmap --scanflags URGACKPSHRSTSYNFIN 10.10.141.75 |
| Spoofed Source IP | sudo nmap -S SPOOFED_IP 10.10.141.75 |
| Spoofed MAC Address | --spoof-mac SPOOFED_MAC |
| Decoy Scan | nmap -D DECOY_IP,ME 10.10.141.75 |
| Idle (Zombie) Scan | sudo nmap -sI ZOMBIE_IP 10.10.141.75 |
| Fragment IP data into 8 bytes | -f |
| Fragment IP data into 16 bytes | -ff |
| Option | Purpose |
|---|---|
--source-port PORT_NUM | specify source port number |
--data-length NUM | append random data to reach given length |
These scan types rely on setting TCP flags in unexpected ways to prompt ports for a reply. Null, FIN, and Xmas scan provoke a response from closed ports, while Maimon, ACK, and Window scans provoke a response from open and closed ports.
| Option | Purpose |
|---|---|
--reason | explains how Nmap made its conclusion |
-v | verbose |
-vv | very verbose |
-d | debugging |
-dd | more details for debugging |
dding -sV to your Nmap command will collect and determine service and version information for the open ports. You can control the intensity with --version-intensity LEVEL where the level ranges between 0, the lightest, and 9, the most complete. -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9.
It is important to note that using -sV will force Nmap to proceed with the TCP 3-way handshake and establish the connection. The connection establishment is necessary because Nmap cannot discover the version without establishing a connection fully and communicating with the listening service. In other words, stealth SYN scan -sS is not possible when -sV option is chosen.
OS Detection
Nmap can detect the Operating System (OS) based on its behaviour and any telltale signs in its responses. OS detection can be enabled using -O; this is an uppercase O as in OS.
example: nmap -sS -O Target
Traceroute
If you want Nmap to find the routers between you and the target, just add --traceroute
nmap -sS –traceroute target
Nmap provides support for scripts using the Lua language. A part of Nmap, Nmap Scripting Engine (NSE) is a Lua interpreter that allows Nmap to execute Nmap scripts written in Lua language. However, we don’t need to learn Lua to make use of Nmap scripts.
Nmap default installation can easily contain close to 600 scripts.
| Script Category | Description |
|---|---|
auth | Authentication related scripts |
broadcast | Discover hosts by sending broadcast messages |
brute | Performs brute-force password auditing against logins |
default | Default scripts, same as -sC |
discovery | Retrieve accessible information, such as database tables and DNS names |
dos | Detects servers vulnerable to Denial of Service (DoS) |
exploit | Attempts to exploit various vulnerable services |
external | Checks using a third-party service, such as Geoplugin and Virustotal |
fuzzer | Launch fuzzing attacks |
intrusive | Intrusive scripts such as brute-force attacks and exploitation |
malware | Scans for backdoors |
safe | Safe scripts that won’t crash the target |
version | Retrieve service versions |
vuln | Checks for vulnerabilities or exploit vulnerable services |