Nmap

May 18, 2025

Enumeration, Live hosts, Reverse DNS

  1. For a general scan, start with nmap with no flags.

  2. To scan only live hosts, use nmap -sn, which skips port scanning.

  3. An ARP scan can also discover live hosts: nmap -PR -sn.

  4. ICMP can discover live hosts too: nmap -PE -sn (echo request), nmap -PP -sn (timestamp request) or nmap -PM -sn (address mask request).

  5. A TCP probe that completes the full handshake is sent with nmap -PS -sn; when run with sudo it will not complete the full handshake.

  6. A TCP ACK probe is sent with nmap -PA -sn.

  7. A UDP probe is sent with nmap -PU -sn.

  8. Reverse DNS lookup is forced with nmap -R; to use a specific DNS server, add nmap --dns-servers <server>.


Port Scanning

TCP flags

  1. URG: Urgent flag indicates that the urgent pointer field is significant. The urgent pointer indicates that the incoming data is urgent, and that a TCP segment with the URG flag set is processed immediately without waiting on previously sent TCP segments.
  2. ACK: Acknowledgement flag indicates that the acknowledgement number is significant. It is used to acknowledge the receipt of a TCP segment.
  3. PSH: Push flag asking TCP to pass the data to the application promptly.
  4. RST: Reset flag is used to reset the connection. Another device, such as a firewall, might send it to tear a TCP connection. This flag is also used when data is sent to a host and there is no service on the receiving end to answer.
  5. SYN: Synchronize flag is used to initiate a TCP 3-way handshake and synchronize sequence numbers with the other host. The sequence number should be set randomly during TCP connection establishment.
  6. FIN: The sender has no more data to send.

TCP and UDP Scans

  1. Open: indicates that a service is listening on the specified port.
  2. Closed: indicates that no service is listening on the specified port, although the port is accessible. By accessible, we mean that it is reachable and is not blocked by a firewall or other security appliances/programs.
  3. Filtered: means that Nmap cannot determine if the port is open or closed because the port is not accessible. This state is usually due to a firewall preventing Nmap from reaching that port. Nmap’s packets may be blocked from reaching the port; alternatively, the responses are blocked from reaching Nmap’s host.
  4. Unfiltered: means that Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan -sA.
  5. Open|Filtered: This means that Nmap cannot determine whether the port is open or filtered.
  6. Closed|Filtered: This means that Nmap cannot decide whether a port is closed or filtered.

  1. nmap -sT: TCP connect scan, the default when running without sudo
  2. nmap -sS: SYN scan; requires sudo and is faster than -sT
  3. nmap -sU: UDP scan

Fine-Tuning

You can control the scan timing using -T<0-5>. -T0 is the slowest (paranoid), while -T5 is the fastest. According to the Nmap manual page, there are six templates:

  • paranoid (0)
  • sneaky (1)
  • polite (2)
  • normal (3)
  • aggressive (4)
  • insane (5)

To avoid IDS alerts, you might consider -T0 or -T1. For instance, -T0 scans one port at a time and waits 5 minutes between sending each probe, so you can guess how long scanning one target would take to finish. If you don’t specify any timing, Nmap uses normal -T3. Note that -T5 is the most aggressive in terms of speed; however, this can affect the accuracy of the scan results due to the increased likelihood of packet loss. Note that -T4 is often used during CTFs and when learning to scan on practice targets, whereas -T1 is often used during real engagements where stealth is more important.

Alternatively, you can choose to control the packet rate using --min-rate <number> and --max-rate <number>. For example, --max-rate 10 or --max-rate=10 ensures that your scanner is not sending more than ten packets per second.

Moreover, you can control probing parallelization using --min-parallelism <numprobes> and --max-parallelism <numprobes>. Nmap probes the targets to discover which hosts are live and which ports are open; probing parallelization specifies the number of such probes that can be run in parallel. For instance, --min-parallelism=512 pushes Nmap to maintain at least 512 probes in parallel; these 512 probes are related to host discovery and open ports.


Advanced Port scanning

  1. TCP Null scan sets all the TCP flags to zero. No response means the port is open (Nmap reports it as open|filtered, since it cannot tell an open port from a firewall dropping the probe); a response means the port is closed. Use nmap -sN.

  2. TCP FIN scan sets only the FIN flag to 1. No response means the port is open (again reported as open|filtered); a response means the port is closed. Use nmap -sF.

  3. The Xmas scan gets its name from Christmas tree lights. An Xmas scan sets the FIN, PSH, and URG flags simultaneously. You can select the Xmas scan with the option nmap -sX.

  4. Uriel Maimon first described this scan in 1996. In this scan, the FIN and ACK bits are set. The target should send an RST packet as a response. However, certain BSD-derived systems drop the packet if the port is open, which exposes the open ports. This scan won’t work on most targets encountered in modern networks; however, it is included here to better understand the port scanning mechanism and the hacking mindset. To select this scan type, use the nmap -sM option.

  5. TCP ACK scan is useful for understanding firewall rules and configuration; it sets the ACK flag to 1. Use nmap -sA.

  6. Window scan is similar to the ACK scan but reveals more: it looks at the TCP window size in the received RST packet, and if a port responds differently from the others it could mean that port is not blocked by the firewall. Use nmap -sW.
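The flag combinations listed above are also what a defender looks for when triaging a capture. This added example (not from the original notes) classifies probes by their flag set and counts them per source; SAMPLE_LOG is constructed to mimic tcpdump's one-line summary format ("Flags [S]", "Flags [FPU]"), not a real capture.

```python
# Added example: classify TCP probes by flag set (defender-side triage).
import re
from collections import Counter

# tcpdump flag letters -> flag names used in the notes above; ACK prints as '.'
FLAG_LETTERS = {"S": "SYN", "A": "ACK", ".": "ACK", "F": "FIN",
                "R": "RST", "P": "PSH", "U": "URG"}

# Flag sets sent by the Nmap scan types described above. tcpdump prints an
# empty flag set as "none", which parses to the empty set -> Null scan.
PROBE_TYPES = {
    frozenset(): "Null scan (-sN)",
    frozenset({"SYN"}): "SYN scan (-sS) or connect scan (-sT)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
    frozenset({"FIN", "ACK"}): "Maimon scan (-sM)",
    frozenset({"ACK"}): "ACK scan (-sA) or Window scan (-sW)",
}

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_flags(letters: str) -> frozenset:
    """Map tcpdump's flag letters to a set of flag names."""
    return frozenset(FLAG_LETTERS[c] for c in letters if c in FLAG_LETTERS)

def classify(letters: str) -> str:
    """Name the scan type whose probe uses exactly this flag set, or 'other'."""
    return PROBE_TYPES.get(parse_flags(letters), "other")

def probe_summary(log_lines) -> dict:
    """Count probe types per source address: {src_ip: Counter}."""
    per_src = {}
    for line in log_lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        src, _sport, _dst, _dport, letters = m.groups()
        per_src.setdefault(src, Counter())[classify(letters)] += 1
    return per_src

# Constructed lines: format mimics tcpdump, addresses and ports are made up
SAMPLE_LOG = [
    "10:00:01.000001 IP 10.0.0.9.40001 > 10.0.0.5.22: Flags [FPU], seq 1, win 1024, length 0",
    "10:00:01.000002 IP 10.0.0.9.40001 > 10.0.0.5.80: Flags [FPU], seq 1, win 1024, length 0",
    "10:00:01.000003 IP 10.0.0.9.40002 > 10.0.0.5.443: Flags [none], seq 1, win 1024, length 0",
    "10:00:01.000004 IP 10.0.0.9.40003 > 10.0.0.5.445: Flags [F.], seq 1, win 1024, length 0",
    "10:00:02.000001 IP 10.0.0.20.51000 > 10.0.0.5.80: Flags [S], seq 7, win 64240, length 0",
    "10:00:02.000002 IP 10.0.0.5.80 > 10.0.0.20.51000: Flags [S.], seq 9, ack 8, win 65160, length 0",
]
```

A burst of Null, FIN, Xmas or Maimon probes from one source, as in the sample, is a strong scan indicator because legitimate stacks never send those flag sets.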


Spoofing and Decoys

  • Spoofing (-e, --spoof-source, --spoof-mac) lets you forge your source IP or MAC address, hiding your real origin from the target.
  • Decoys (-D) generate scans from multiple fake IP addresses (decoys) alongside your real one, confusing logs and making it harder to identify the true scanner.
  • Spoofing often fails to get responses back unless you’re on the same network or control the routing path.
  • Decoys work best with connectionless scans (like -sS or -sU) and are most effective when combined with real spoofing or on local networks.
  • Both techniques aim to evade detection and complicate traceback, but they don’t make you invisible to skilled defenders or upstream monitoring.
  • Idle (Zombie) scan: sudo nmap -sI ZOMBIE_IP MACHINE_IP
  • Fragment IP data into 8 bytes with -f or 16 bytes with -ff
  • --reason explains how Nmap reached its conclusion
  • -v verbose
  • -d debug

Post Port Scanning

  1. service version -sV
  2. OS version -O
  3. traceroute --traceroute
  4. scripts --script or -sC
  5. saving
    1. Normal -oN
    2. Grepable -oG
    3. XML -oX
    4. all -oA
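Grepable output (-oG) is the format meant for post-processing. This added example (not from the original notes) parses it into per-host port lists and pulls out ports in a given state; SAMPLE_OG is a constructed -oG snippet whose hosts, ports and services are made up for illustration.

```python
# Added example: parse Nmap grepable (-oG) output. SAMPLE_OG is constructed.

def parse_grepable(text: str) -> dict:
    """Return {host_ip: [(port, proto, state, service), ...]}.

    '#' lines are Nmap's header/footer comments. Result lines are
    tab-separated 'Key: value' fields; each 'Ports:' entry is seven
    slash-separated fields (port/state/proto/owner/service/rpc/version)
    and entries are separated by ', '.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]          # "10.0.0.5 ()" -> "10.0.0.5"
        hosts.setdefault(ip, [])                # keep hosts that only report Status
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) < 5:
                continue
            port, state, proto, _owner, service = parts[:5]
            hosts[ip].append((int(port), proto, state, service))
    return hosts

def ports_in_state(hosts: dict, wanted: str) -> dict:
    """'port/proto' entries per host in the given state ('open',
    'open|filtered', ...), sorted by port number."""
    out = {}
    for ip, ports in hosts.items():
        sel = sorted((p, proto) for p, proto, state, _ in ports if state == wanted)
        out[ip] = [f"{p}/{proto}" for p, proto in sel]
    return out

# Constructed -oG text; the version/timestamp parts of the header are elided
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sS -sU -p T:22,80,443,U:53,161 -oG - 10.0.0.5 10.0.0.7
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 53/open|filtered/udp//domain///, 161/closed/udp//snmp///
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 443/open/tcp//https///, 53/closed/udp//domain///, 161/open|filtered/udp//snmp///
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 20.00 seconds
"""

if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_OG)
    print("open:", ports_in_state(hosts, "open"))
    print("open|filtered:", ports_in_state(hosts, "open|filtered"))
```

Note how the UDP ports come back as open|filtered rather than open: a UDP probe with no reply cannot be distinguished from a filtered one, which is exactly the state defined in the TCP and UDP Scans section.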
