🛠️
Hacking tools
  • Welcome!
  • Nmap
    • Nmap - Intro
    • Commands
    • Nmap Switches
    • Nmap Scripting Engine
  • Metasploit
    • Metasploit - Intro
    • Metasploit Framework Console
    • Msfvenom
    • Meterpreter
  • Netcat
    • Netcat - Intro
    • Netcat - Advanced
  • John the Ripper
    • John the Ripper - Intro
    • John the Ripper - Commands
  • Web Directory Fuzzers
    • Gobuster
    • Ffuf
  • Hydra
    • Hydra - Intro
    • Hydra - Commands
  • SQLMap
Powered by GitBook
On this page
  • Introduction
  • Uses
  • Nmap scanning types
  • UDP scan (-sU)
  • Ping scan (-sP)
  • TCP SYN scan (-sS)
  • TCP Connect scan (-sT)
  • Null scan (-sN)
  • FIN scan (-sF)
  • XMAS scan (-sX)
  • Custom Scan
  1. Nmap

Nmap - Intro

PreviousWelcome!NextCommands

Last updated 7 months ago

Introduction

Nmap, short for "Network Mapper," is a powerful open-source tool primarily used for network discovery and security auditing. It's designed to scan networks, identify hosts, services, and their corresponding ports, and analyze network configurations. It is generally used for footprinting or reconnaissance.

Uses

  1. Enumerating targets

  2. Live hosts discovery

  3. Open ports identification

  4. Reverse-DNS lookup

  5. Port scanning

  6. Version detection

  7. OS detection

  8. Running scripts

  9. Vulnerability assessment

  10. Security auditing

Before going further, lets understand about ports. Basically, ports are the network communication endpoints, used by network protocols to identify specific services running on the computer system. Ports are represented by numeric values ranging from 0 to 65535.

The types of ports are (0-1023), (1024-49151) and (49152-65535).

For port scanning, Nmap sends a TCP or UDP network packets and asks the port about their current status. There are generally 3 types of responses:

  • open (accepted) : the port responds to the scan

  • closed (not listening) : the port responds but is currently ins use and not available at the time

  • filtered (dropped/blocked) : the port does not respond due to unavailability or inaccessibility or due to filtering by firewall, , etc.

Some other responses or states are:

  • unfiltered: Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan -sA.

  • open | filtered: Nmap cannot determine whether the port is open or filtered.

  • closed | filtered: Nmap cannot decide whether a port is closed or filtered.

Nmap scanning types

UDP scan (-sU)

This scan sends packets to every ports of the target system to identify open UDP ports. UDP does not establish a connection before sending data, making UDP scanning more challenging compared to TCP scanning.

Basic command:

nmap -sU [target]

Ping scan (-sP)

It is used only to find out whether the host is available or not, i.e. for host discovery and not for port scanning.

Basic command:

nmap -sP [target]

TCP SYN scan (-sS)

In a scan, also known as a half-open scan, Nmap sends SYN packets to target ports and analyzes the responses to determine the state of the ports. It is stealthier as it does not complete TCP handshake. For the SYN packets, if an is received, the port is marked as open, while if a is received, it's marked as closed. If no response is received, the port is considered filtered.

Basic command:

nmap -sS [target]

TCP Connect scan (-sT)

It is a TCP scan that establishes full TCP connection with the target port by initiating a three-way handshake. If a connection is successfully established (i.e., the target responds with a SYN-ACK packet), the scanning tool considers the port to be open. If no response or an error response (such as a RST packet) is received, the port is considered closed.

Basic command:

nmap -sT [target]

Null scan (-sN)

This scan sends packets with no flags set. For this, closed ports respond with an RST packet, while open ports ignore the packet.

Basic command:

nmap -sN [target]

FIN scan (-sF)

It sends FIN packets to the target. If a port is closed, an RST packet is sent back. If no response is received, the port is considered open or filtered.

Basic commands:

nmap -sF [target]

XMAS scan (-sX)

It sends malformed packets with the flags like FIN, PSH, and URG. It is similar to a FIN scan, and relies on the lack of response to determine open ports, by responding with RST for closed port.

Basic command:

nmap -sX [target]

Custom Scan

If you want to experiment with a new TCP flag combination beyond the built-in TCP scan types, you can do so using --scanflags. For instance, if you want to set SYN, RST, and FIN simultaneously, you can do so using --scanflags RSTSYNFIN.

Basic command:

nmap --scanflags [custom_flags] [target]

Firewalls might block the SYN packets. In this case, others scan techniques like NULL scan, FIN scan and Xmas scan are used in order to bypass those firewalls.

nmap
nmap logo