Introduction to Network Scanning Tools: Nmap

Network scanning is a fundamental skill for ethical hackers. It allows you to discover hosts and services on a network, which is the first step in identifying potential vulnerabilities. Nmap is the industry-standard tool for network scanning, offering a wide range of features and options for discovering and fingerprinting network devices. This lesson will provide a comprehensive introduction to Nmap, covering its basic usage, scan types, and output interpretation.

Introduction to Nmap

Nmap (“Network Mapper”) is a free and open-source utility for network discovery and security auditing. It’s used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a wealth of information about a target, including:

  • Host Discovery: Identifying live hosts on a network.
  • Port Scanning: Determining which ports are open, closed, or filtered on a target host.
  • Service Detection: Identifying the applications and versions running on open ports.
  • Operating System Detection: Determining the operating system and hardware characteristics of a target host.
  • Firewall Detection: Identifying the presence and rules of firewalls.

Nmap is a command-line tool, but graphical user interfaces (GUIs) like Zenmap are also available. However, understanding the command-line interface is crucial for leveraging Nmap’s full potential.

Basic Nmap Usage

The most basic Nmap scan involves specifying a target IP address or hostname.

nmap <target>

For example:

nmap scanme.nmap.org

This command performs a default scan (a TCP connect scan when run without root privileges) on the target, covering the 1000 most common TCP ports. Nmap reports each port in one of the following states:

  • Open: The application is actively accepting TCP connections, UDP datagrams, or SCTP associations on this port.
  • Closed: A closed port is accessible, but there is no application listening on it.
  • Filtered: Nmap cannot determine whether the port is open because packet filtering prevents probes from reaching the port. Filtering is usually due to firewall devices.
  • Unfiltered: The port is accessible, but Nmap cannot determine whether it is open or closed. This state only occurs with the ACK scan.
  • Open|Filtered: Nmap determines that a port is either open or filtered, but cannot determine which state it is in.
  • Closed|Filtered: Nmap determines that a port is either closed or filtered, but cannot determine which state it is in.

Target Specification

Nmap offers flexible ways to specify targets:

  • Single IP Address: nmap 192.168.1.1
  • IP Address Range: nmap 192.168.1.1-254 or nmap 192.168.1.0/24 (CIDR notation)
  • Hostname: nmap example.com
  • Multiple Targets: nmap 192.168.1.1 192.168.1.2 example.com
  • Read Targets from File: nmap -iL targets.txt (where targets.txt contains a list of IP addresses or hostnames, one per line)

Common Nmap Options

Here are some commonly used Nmap options:

  • -v: Verbose mode (increases the level of detail in the output). Use -vv for even more verbosity.
  • -A: Enables aggressive scan mode. This enables OS detection, version detection, script scanning, and traceroute.
  • -T<0-5>: Sets the timing template. Higher values are faster but more likely to be detected. T0 is the slowest (“paranoid”), T5 is the fastest (“insane”). T3 is the default.
  • -F: Fast scan mode. Scans only the ports listed in the nmap-services file (default: the top 1000 ports).
  • -p <port range>: Specifies the ports to scan. Examples: -p 22, -p 1-100, -p U:53,T:21-25,80 (scan UDP port 53 and TCP ports 21, 22, 23, 24, 25, and 80).
  • -oN <filename>: Output scan results to a normal text file.
  • -oG <filename>: Output scan results to a grepable text file (easier to parse with scripts).
  • -oX <filename>: Output scan results to an XML file.

Nmap Scan Types

Nmap offers various scan types, each with its own advantages and disadvantages. The choice of scan type depends on the target environment and the desired level of stealth.

TCP Connect Scan (-sT)

The TCP connect scan is the most basic form of TCP scanning. It completes the full TCP three-way handshake to establish a connection with the target port.

  • How it works: Nmap initiates a TCP connection by sending a SYN packet to the target port. If the port is open, the target responds with a SYN/ACK packet. Nmap then completes the handshake by sending an ACK packet. If the port is closed, the target responds with a RST packet.
  • Advantages: Simple and reliable. Doesn’t require root privileges on most systems, because it uses the operating system’s ordinary connect() call instead of crafting raw packets.
  • Disadvantages: Easily detectable, as it completes the TCP handshake.

Example:

nmap -sT scanme.nmap.org

TCP SYN Scan (-sS)

The TCP SYN scan, also known as “stealth scan” or “half-open scan,” is a more stealthy alternative to the TCP connect scan.

  • How it works: Nmap sends a SYN packet to the target port. If the port is open, the target responds with a SYN/ACK packet. However, Nmap doesn’t complete the handshake by sending an ACK packet. Instead, it sends a RST packet to close the connection. If the port is closed, the target responds with a RST packet.
  • Advantages: More stealthy than the TCP connect scan, as it doesn’t complete the TCP handshake, so the application on the target never sees a connection. The SYN, SYN/ACK and RST exchange is still visible to a network IDS.
  • Disadvantages: Requires root privileges on most systems to craft raw packets.

Example:

sudo nmap -sS scanme.nmap.org

UDP Scan (-sU)

The UDP scan is used to discover open UDP ports on a target.

  • How it works: Nmap sends a UDP packet to the target port. If the port is open, the application listening on the port may respond with a UDP packet. If the port is closed, the target should respond with an ICMP “port unreachable” error. However, firewalls may block these ICMP errors, making UDP scanning less reliable.
  • Advantages: Can identify UDP services that are often overlooked.
  • Disadvantages: Can be slow and unreliable due to the nature of UDP. Firewalls often filter UDP traffic and ICMP error messages.

Example:

sudo nmap -sU scanme.nmap.org

TCP Null Scan (-sN), FIN Scan (-sF), and Xmas Scan (-sX)

These scans exploit a rule in the TCP RFC to infer port states: a closed port must answer an unexpected segment with a RST, while an open port silently discards a segment that carries none of the SYN, RST or ACK flags.

  • How they work: Each scan sends a TCP packet that lacks the SYN, RST and ACK flags:
    • Null Scan: Sends a TCP packet with no flags set.
    • FIN Scan: Sends a TCP packet with only the FIN flag set.
    • Xmas Scan: Sends a TCP packet with the FIN, PSH, and URG flags set (hence the name “Xmas,” as in a Christmas tree lit up with flags).
    If a port is open, the target should ignore the packet. If a port is closed, the target should respond with a RST packet. Because a firewall that drops the probe also produces silence, Nmap reports a port that does not answer as open|filtered rather than open.
  • Advantages: Can sometimes bypass firewalls and intrusion detection systems (IDS).
  • Disadvantages: Not all systems respond according to the RFC. Windows, for example, always responds with a RST packet, regardless of the port state, so every port appears closed.

Example:

sudo nmap -sN scanme.nmap.org
sudo nmap -sF scanme.nmap.org
sudo nmap -sX scanme.nmap.org
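As an added illustration from the defender’s side (not part of the original lesson), the following Python checks a constructed set of TCP packet records for the two signatures described in the SYN scan and Null/FIN/Xmas sections above: the half-open exchange that receives a SYN/ACK and answers with RST but never sends a final ACK, and flag combinations that no normal TCP client produces. The packet records, host addresses and helper names are made up for the example.

```python
from collections import defaultdict

# Constructed packet records, not captured traffic: (src, dst, target_port, flags).
# target_port is the port on the scanned host in either direction.
TARGET = "10.0.0.20"
PACKETS = [
    # half-open SYN scan from 10.0.0.5: SYN -> SYN/ACK -> RST, never an ACK
    ("10.0.0.5", TARGET, 22, {"SYN"}), (TARGET, "10.0.0.5", 22, {"SYN", "ACK"}),
    ("10.0.0.5", TARGET, 22, {"RST"}),
    ("10.0.0.5", TARGET, 80, {"SYN"}), (TARGET, "10.0.0.5", 80, {"SYN", "ACK"}),
    ("10.0.0.5", TARGET, 80, {"RST"}),
    # ordinary client 10.0.0.7: full three-way handshake
    ("10.0.0.7", TARGET, 80, {"SYN"}), (TARGET, "10.0.0.7", 80, {"SYN", "ACK"}),
    ("10.0.0.7", TARGET, 80, {"ACK"}),
    # Null, FIN and Xmas probes from 10.0.0.9 to a closed port; target answers RST
    ("10.0.0.9", TARGET, 443, set()), (TARGET, "10.0.0.9", 443, {"RST"}),
    ("10.0.0.9", TARGET, 443, {"FIN"}), (TARGET, "10.0.0.9", 443, {"RST"}),
    ("10.0.0.9", TARGET, 443, {"FIN", "PSH", "URG"}), (TARGET, "10.0.0.9", 443, {"RST"}),
]

# Flag sets that no legitimate TCP client sends; each names one scan from the lesson.
PROBE_KINDS = {frozenset(): "null", frozenset({"FIN"}): "fin",
               frozenset({"FIN", "PSH", "URG"}): "xmas"}

def detect_half_open(packets, target):
    """Per source, count ports where it got a SYN/ACK and replied RST without ever sending ACK."""
    seen = defaultdict(set)  # (source, port) -> handshake steps observed
    for src, dst, port, flags in packets:
        if dst == target and flags == {"SYN"}:
            seen[(src, port)].add("syn")
        elif src == target and flags == {"SYN", "ACK"}:
            seen[(dst, port)].add("synack")
        elif dst == target and "ACK" in flags:  # any ACK from the client completes the handshake
            seen[(src, port)].add("ack")
        elif dst == target and flags == {"RST"}:
            seen[(src, port)].add("rst")
    hits = defaultdict(int)
    for (src, port), steps in seen.items():
        if {"syn", "synack", "rst"} <= steps and "ack" not in steps:
            hits[src] += 1
    return dict(hits)

def detect_flag_probes(packets, target):
    """Count Null, FIN and Xmas probes aimed at the target, per source host."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst, _port, flags in packets:
        kind = PROBE_KINDS.get(frozenset(flags))
        if dst == target and kind:
            counts[src][kind] += 1
    return {src: dict(kinds) for src, kinds in counts.items()}
```

A real sensor would apply the same two rules to flow records or packet captures, keyed on source address and destination port.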

ACK Scan (-sA)

The ACK scan is used to map firewall rulesets, determining whether a firewall is stateful or stateless.

  • How it works: Nmap sends a TCP packet with the ACK flag set. If a firewall is stateless, it will typically allow the packet through, regardless of whether a connection has been established. If a firewall is stateful, it will drop the packet unless a connection has been established. A host that receives the unexpected ACK replies with a RST whether the port is open or closed, which is why Nmap reports such ports as unfiltered and ports that never answer as filtered.
  • Advantages: Can help map firewall rules.
  • Disadvantages: Cannot determine whether ports are open or closed.

Example:

sudo nmap -sA scanme.nmap.org

Window Scan (-sW)

The Window scan is similar to the ACK scan but can sometimes detect open ports on certain systems due to anomalies in the TCP window size.

  • How it works: Nmap sends a TCP packet with the ACK flag set, exactly as in the ACK scan, but examines the TCP window field of the RST that comes back. Certain operating systems set a positive window size in the RST for open ports and a zero window size for closed ports, even though the RFC calls for a RST either way.
  • Advantages: Can sometimes detect open ports that ACK scans cannot.
  • Disadvantages: Unreliable and only works on certain systems.

Example:

sudo nmap -sW scanme.nmap.org

TCP Maimon Scan (-sM)

The TCP Maimon scan is another technique for attempting to evade firewalls.

  • How it works: Nmap sends a TCP packet with the FIN and ACK flags set. According to the RFC, the target should respond with a RST packet, regardless of the port state. However, some systems may not respond correctly, allowing you to infer the port state.
  • Advantages: Can sometimes bypass firewalls.
  • Disadvantages: Unreliable and not widely used.

Example:

sudo nmap -sM scanme.nmap.org

Protocol Scan (-sO)

The Protocol scan determines which IP protocols (e.g., ICMP, TCP, UDP, IGMP) are supported by the target.

  • How it works: Nmap sends raw IP packets with different protocol numbers in the IP header. It analyzes the ICMP “protocol unreachable” errors to determine which protocols are supported: a protocol that triggers one is not supported, while one that elicits any other response is in use.
  • Advantages: Can identify unusual or unexpected protocols.
  • Disadvantages: Requires root privileges.

Example:

sudo nmap -sO scanme.nmap.org

Host Discovery Options

Host discovery is the process of identifying live hosts on a network. Nmap offers several options for host discovery:

  • -sn: Ping scan – disable port scan. This option tells Nmap not to perform a port scan after host discovery. It simply pings the target to see if it’s alive.
  • -Pn: Treat all hosts as online — skip host discovery. This option tells Nmap to skip host discovery and treat all specified targets as online. This can be useful if you know that the target is up but Nmap is not detecting it.
  • -PS <port list>: TCP SYN ping to the specified ports. This option sends TCP SYN packets to the specified ports. By default, it sends to port 80.
  • -PA <port list>: TCP ACK ping to the specified ports. This option sends TCP ACK packets to the specified ports. By default, it sends to port 80.
  • -PU <port list>: UDP ping to the specified ports. This option sends UDP packets to the specified ports. By default, it sends to port 40125.
  • -PE: ICMP Echo Request ping. This option sends ICMP echo request packets (the same as the ping command).
  • -PP: ICMP Timestamp Request ping.
  • -PM: ICMP Netmask Request ping.
  • -n: Don’t do DNS resolution. This option tells Nmap not to perform DNS resolution on the target IP addresses. This can speed up the scan.
  • -R: Always do DNS resolution. This option tells Nmap to always perform DNS resolution on the target IP addresses.

Example:

nmap -sn 192.168.1.0/24

This command performs a ping scan on the 192.168.1.0/24 network, identifying all live hosts.

Port Specification and Scan Order

By default, Nmap scans the most common 1000 TCP ports. You can customize the port range using the -p option.

  • -p <port range>: Specifies the ports to scan. Examples: -p 22, -p 1-100, -p U:53,T:21-25,80 (scan UDP port 53 and TCP ports 21, 22, 23, 24, 25, and 80).
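An added example, not from the lesson or from Nmap’s own code, that expands the -p syntax described above into the individual (protocol, port) pairs a scan would cover; parse_port_spec is a hypothetical helper, and the T:/U: rule it follows (a qualifier applies to every entry after it until another qualifier appears) is Nmap’s documented behaviour.

```python
import re

# Maps a T:/U: qualifier to the protocol name used in the output records.
PROTO_QUALIFIERS = {"T": "tcp", "U": "udp"}

def parse_port_spec(spec, default_proto="tcp"):
    """Expand an Nmap-style -p string into a sorted list of (protocol, port) pairs.

    Handles single ports, ranges, comma-separated lists and the T:/U: qualifiers.
    As in Nmap, a qualifier applies to every entry that follows it until another
    qualifier appears; entries before any qualifier use default_proto.
    Hypothetical helper written for this lesson, not part of Nmap.
    """
    ports = set()
    proto = default_proto
    for entry in spec.split(","):
        entry = entry.strip()
        m = re.match(r"^(?:([TU]):)?(\d+)(?:-(\d+))?$", entry, re.IGNORECASE)
        if not m:
            raise ValueError("cannot parse port entry %r in %r" % (entry, spec))
        if m.group(1):
            proto = PROTO_QUALIFIERS[m.group(1).upper()]
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not 0 <= low <= high <= 65535:
            raise ValueError("port range out of bounds: %r" % entry)
        ports.update((proto, p) for p in range(low, high + 1))
    return sorted(ports)
```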

Related options control the pacing of a scan rather than its order: --scan-delay inserts a pause between probes, and --max-rtt-timeout bounds how long Nmap waits for a response to each probe. These options can be useful for scanning slow networks or for reducing the scan’s footprint.

Version Detection

Version detection allows Nmap to determine the application name and version number running on an open port.

  • -sV: Enables version detection.

Nmap uses a database of service fingerprints to identify services based on their responses.

Example:

nmap -sV scanme.nmap.org

This command performs a version detection scan on scanme.nmap.org. Nmap will attempt to identify the services running on open ports and report their version numbers.

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) allows you to extend Nmap’s functionality by writing scripts in the Lua programming language. NSE scripts can be used for a wide range of tasks, including:

  • Vulnerability detection
  • Exploitation
  • Authentication bypass
  • Information gathering

Nmap comes with a large library of pre-written NSE scripts. You can use the --script option to specify which scripts to run.

  • --script <script name>: Runs the specified script.
  • --script <script category>: Runs all scripts in the specified category.
  • --script default: Runs the default set of scripts.
  • --script safe: Runs the safe scripts.
  • --script vuln: Runs scripts that check for known vulnerabilities.

Example:

nmap --script vuln scanme.nmap.org

This command runs all scripts in the vuln category against scanme.nmap.org. These scripts will check for known vulnerabilities in the services running on the target.

Output Interpretation

Nmap’s output provides a wealth of information about the target. Understanding how to interpret this output is crucial for effective network scanning.

Here’s an example of Nmap output:

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.031s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::a02d:212
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   
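The following Python is an added example (not from the lesson) that turns a report in this normal output format into structured data and recomputes the per-state totals, including the ports Nmap collapses into the “Not shown” line. The sample report inside it is constructed to resemble the one above; its port lines and timings are made up, and the parsing functions are hypothetical helpers.

```python
import re

# Constructed sample in Nmap's normal output format, modelled on the lesson's
# example; the port list and timings are made up, not a real scan result.
SAMPLE_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:00 EDT
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.031s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::a02d:212
Not shown: 995 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
9929/tcp  open     nping-echo
Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.:a-fA-F]+)\))?")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (open|closed|filtered)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")

def parse_normal_output(text):
    """Parse one host's report into host name, address and a list of port records."""
    report = {"host": None, "addr": None, "ports": [], "not_shown": {}}
    for line in text.splitlines():
        if m := HOST_LINE.match(line):
            # Nmap prints "name (addr)" when it resolved a name, else just the address.
            report["host"], report["addr"] = m.group(1), m.group(2) or m.group(1)
        elif m := NOT_SHOWN.match(line):
            # Ports in the dominant state are collapsed into this one line.
            report["not_shown"][m.group(2)] = int(m.group(1))
        elif m := PORT_LINE.match(line):
            report["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4)})
    return report

def summarize(report):
    """Count ports per state, adding back the ones hidden behind 'Not shown'."""
    counts = dict(report["not_shown"])
    for p in report["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts

def open_ports(report, proto="tcp"):
    """Ports whose state is exactly 'open' (open|filtered is a separate, uncertain state)."""
    return [p["port"] for p in report["ports"] if p["proto"] == proto and p["state"] == "open"]
```

For anything beyond a quick check, the -oX or -oG formats described earlier are the better input for scripts, since the normal format is meant for people and its wording changes between versions.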
