# Nmap - Intro

<figure><img src="https://3076500874-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fiz2l2usc8AWKK3DkTrmz%2Fuploads%2Fyoj99x6tkD8sgqBrNSdC%2Fnmap1.jpg?alt=media&#x26;token=eb7a5a66-2de4-4c02-9221-c28b712b92c5" alt="nmap logo"><figcaption><p>nmap</p></figcaption></figure>

## Introduction

Nmap, short for "Network Mapper," is a powerful open-source tool primarily used for network discovery and security auditing. It's designed to scan networks, identify hosts, services, and their corresponding ports, and analyze network configurations. It is generally used for footprinting or reconnaissance.

## Uses

1. Enumerating targets
2. Live hosts discovery
3. Open ports identification
4. Reverse-DNS lookup
5. Port scanning
6. Version detection
7. OS detection
8. Running scripts
9. Vulnerability assessment
10. Security auditing

{% hint style="info" %}
Before going further, let's understand ports. Ports are network communication endpoints, used by transport protocols to identify specific services running on a computer system. Ports are represented by numeric values ranging from 0 to 65535.

The types of ports are well-known ports[^1] (0-1023), reserved ports[^2] (1024-49151) and private ports[^3] (49152-65535).
{% endhint %}

{% hint style="info" %}
For port scanning, Nmap sends TCP or UDP packets to the target's ports and infers each port's current status from the response. There are generally 3 types of responses:

* open (accepted): the port responds to the scan
* closed (not listening): the port responds but is currently not available, i.e. nothing is listening on it at the time
* filtered (dropped/blocked): the port does not respond, either because it is unavailable or inaccessible, or because a firewall, IDS/IPS[^4], etc. filters the probe

Some other responses or states are:

* unfiltered: Nmap cannot determine if the port is open or closed, although the port is accessible. This state is encountered when using an ACK scan (`-sA`).
* open|filtered: Nmap cannot determine whether the port is open or filtered.
* closed|filtered: Nmap cannot decide whether a port is closed or filtered.
{% endhint %}
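To see how the port ranges and port states above show up in practice, here is an added Python example (not from the original page) that parses Nmap's grepable output (`-oG`), labels each port with the range it falls in, counts the states, and lists the entries a defender would follow up on. The sample output is constructed, and the per-port field layout `port/state/proto/owner/service/rpcinfo/version` as well as the audit heuristic in `follow_ups` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample of Nmap grepable (-oG) output for this example; not real scan data.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -oG - 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 111/closed/tcp//rpcbind///, 3306/open/tcp//mysql//MySQL 8.0.35/, 50000/open/tcp//unknown///, 161/open|filtered/udp//snmp///\tIgnored State: filtered (1994)
# Nmap done -- 1 IP address (1 host up)
"""


def port_range(port: int) -> str:
    """Classify a port number into the three ranges described on the page."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "reserved"
    return "private"


def parse_grepable(text: str) -> dict:
    """Parse -oG output into {address: {"hostname", "status", "ports", "ignored"}}.

    Assumed per-port layout: port/state/proto/owner/service/rpcinfo/version,
    each entry terminated by a trailing slash and entries separated by ", ".
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and header lines carry no per-host data
        fields = line.split("\t")
        match = re.match(r"Host:\s+(\S+)\s+\((.*?)\)", fields[0])
        if not match:
            continue
        addr, name = match.group(1), match.group(2)
        rec = hosts.setdefault(addr, {"hostname": name, "status": None, "ports": [], "ignored": None})
        for field in fields[1:]:
            key, _, value = field.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                for entry in value.split(","):
                    parts = entry.strip().split("/")
                    if len(parts) < 8:
                        continue  # malformed entry; skip rather than guess
                    port, state, proto, _owner, service, _rpc = parts[:6]
                    version = "/".join(parts[6:-1])  # version text may itself contain "/"
                    rec["ports"].append({
                        "port": int(port), "proto": proto, "state": state,
                        "service": service, "version": version,
                        "range": port_range(int(port)),
                    })
            elif key == "Ignored State":
                ignored = re.match(r"(\S+)\s+\((\d+)\)", value)
                if ignored:
                    rec["ignored"] = (ignored.group(1), int(ignored.group(2)))
    return hosts


def state_counts(hosts: dict) -> Counter:
    """Count how many listed ports ended up in each Nmap state."""
    counts = Counter()
    for rec in hosts.values():
        for p in rec["ports"]:
            counts[p["state"]] += 1
    return counts


def follow_ups(hosts: dict) -> list:
    """Audit heuristic (assumption of this example): an open|filtered result is
    ambiguous and deserves a second look with a different technique, and an
    open listener on a private/dynamic port is unexpected on a server."""
    notes = []
    for addr, rec in hosts.items():
        for p in rec["ports"]:
            if p["state"] == "open|filtered":
                notes.append(f"{addr}:{p['port']}/{p['proto']} is open|filtered; confirm with another scan type")
            elif p["state"] == "open" and p["range"] == "private":
                notes.append(f"{addr}:{p['port']}/{p['proto']} is open on a dynamic port; identify the listening process")
    return notes


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_OG)
    for addr, rec in hosts.items():
        print(f"{addr} status={rec['status']} ignored={rec['ignored']}")
        for p in rec["ports"]:
            print(f"  {p['port']:>5}/{p['proto']} {p['state']:<14} {p['range']:<10} {p['service']} {p['version']}")
    print("state counts:", dict(state_counts(hosts)))
    for note in follow_ups(hosts):
        print("follow-up:", note)
```

Run it as a script to see the per-port table, or import `parse_grepable` and feed it the output of a real `nmap -oG -` run; the `Ignored State` line is the easiest place to see how many ports were collapsed into one state.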

## Nmap scanning types

### UDP scan (-sU)

This scan sends UDP[^5] packets to every port of the target system to identify open UDP ports. Because UDP does not establish a connection before sending data, UDP scanning is more challenging than TCP scanning.

*Basic command:*

```bash
nmap -sU [target]
```

### Ping scan (-sP)

It is used only to find out whether the host is available or not, i.e. for host discovery and not for port scanning.

*Basic command:*

```bash
nmap -sP [target]
```

### TCP SYN scan (-sS)

In a TCP[^6] SYN[^7] scan, also known as a half-open scan, Nmap sends SYN packets to the target ports and analyzes the responses to determine the state of each port. It is stealthier because it never completes the TCP handshake. If a SYN-ACK[^8] is received in reply to the SYN, the port is marked as open; if a RST[^9] is received, it is marked as closed. If no response is received, the port is considered filtered.

*Basic command:*

```bash
nmap -sS [target]
```

### TCP Connect scan (-sT)

It is a TCP scan that establishes a full TCP connection with the target port by completing the three-way handshake. If the connection is successfully established (i.e., the target responds with a SYN-ACK packet), the port is considered open. If no response or an error response (such as a RST packet) is received, the port is considered closed.

*Basic command:*

```bash
nmap -sT [target]
```

### Null scan (-sN)

This scan sends packets with no TCP flags set. Closed ports respond with an RST packet, while open ports ignore the packet.

*Basic command:*

```bash
nmap -sN [target]
```

### FIN scan (-sF)

It sends FIN packets to the target. If a port is closed, an RST packet is sent back. If no response is received, the port is considered open or filtered.

*Basic command:*

```bash
nmap -sF [target]
```

### XMAS scan (-sX)

It sends malformed packets with the FIN, PSH, and URG flags set. Like a FIN scan, it relies on the lack of a response to identify open ports, since closed ports respond with an RST.

*Basic command:*

```bash
nmap -sX [target]
```

## Custom Scan

If you want to experiment with a new TCP flag combination beyond the built-in TCP scan types, you can do so using `--scanflags`. For instance, if you want to set SYN, RST, and FIN simultaneously, you can do so using `--scanflags RSTSYNFIN`.

*Basic command:*

```bash
nmap --scanflags [custom_flags] [target]
```

{% hint style="info" %}
Firewalls might block SYN packets. In that case, other scan techniques such as the Null, FIN and Xmas scans are used to get past those firewalls.
{% endhint %}
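As an added example (not part of the original page), the following Python code decodes an Nmap-style `--scanflags` value into the TCP flag byte, names the built-in scan type that sends that exact combination (Null, FIN, Xmas, SYN, ACK), and applies a defender-side check for flag combinations that a conforming TCP stack never emits on its own, which is what makes the Null, FIN and Xmas probes from the note above stand out in packet captures. The flag bit values are the standard TCP header bits; `BUILTIN_PROBES`, the rules in `is_anomalous` and the sample list in `main` are this example's own assumptions, not Nmap's code.

```python
# TCP header flag bits (RFC 793 plus the two ECN bits). Nmap's --scanflags
# takes the same names concatenated in any order, or a plain numeric value.
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}

# Flag combinations sent by the built-in scan types discussed on this page
# (assumption of this example: exact-match table keyed by flag byte).
BUILTIN_PROBES = {
    0x00: "-sN (Null)",
    0x01: "-sF (FIN)",
    0x29: "-sX (Xmas: FIN+PSH+URG)",
    0x02: "-sS (SYN)",
    0x10: "-sA (ACK)",
}


def parse_scanflags(spec: str) -> int:
    """Turn a --scanflags value such as 'RSTSYNFIN', '9' or '0x29' into a flag byte."""
    spec = spec.strip()
    try:
        value = int(spec, 0)  # numeric form: decimal, 0x.., 0o.., 0b..
    except ValueError:
        value = None
    if value is not None:
        if not 0 <= value <= 0xFF:
            raise ValueError(f"flag value out of range: {spec}")
        return value
    mask, rest = 0, spec.upper()
    while rest:  # greedy match of flag names from the front of the string
        for name, bit in TCP_FLAGS.items():
            if rest.startswith(name):
                mask |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unrecognised flag name in {spec!r} at {rest!r}")
    return mask


def flag_names(mask: int) -> list:
    """Flag names present in a flag byte, in header order (CWR .. FIN)."""
    return [name for name, bit in TCP_FLAGS.items() if mask & bit]


def classify_probe(mask: int) -> str:
    """Name the built-in scan type for this flag byte, or report it as custom."""
    return BUILTIN_PROBES.get(mask, "custom (--scanflags " + "".join(flag_names(mask)) + ")")


def is_anomalous(mask: int) -> bool:
    """Defender-side check: True for combinations a normal TCP stack never sends
    unprompted. Catches the Null, FIN and Xmas probes and SYN+FIN / SYN+RST mixes;
    a lone SYN or a lone ACK looks like ordinary traffic and is not flagged here."""
    syn, fin, rst, ack = (bool(mask & TCP_FLAGS[n]) for n in ("SYN", "FIN", "RST", "ACK"))
    if mask & 0x3F == 0:
        return True  # none of the six classic flags: Null probe
    if syn and (fin or rst):
        return True  # contradictory: opening and closing/aborting at once
    if not ack and not syn and not rst:
        return True  # FIN/PSH/URG without ACK: every post-handshake segment carries ACK
    return False


def triage(specs: list) -> list:
    """Decode each flag spec and return (spec, mask, classification, anomalous) tuples."""
    out = []
    for spec in specs:
        mask = parse_scanflags(spec)
        out.append((spec, mask, classify_probe(mask), is_anomalous(mask)))
    return out


if __name__ == "__main__":
    # Constructed sample of flag combinations as they might be read off captured probes.
    for spec, mask, kind, odd in triage(["SYN", "SYNACK", "0", "FIN", "FINPSHURG", "RSTSYNFIN", "0x10"]):
        print(f"{spec:<10} 0x{mask:02x} {'+'.join(flag_names(mask)) or '-':<14} {kind:<28} anomalous={odd}")
```

The `is_anomalous` rules are deliberately conservative: they name only combinations with no legitimate origin, so a rule built on them produces no false positives on normal handshakes, data segments or resets, at the cost of not flagging a plain SYN or ACK probe.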

[^1]: System ports reserved for standard services and protocols, such as HTTP (port 80), HTTPS (port 443), FTP (port 21), SSH (port 22), and SMTP (port 25).

[^2]: Ports registered with the Internet Assigned Numbers Authority (IANA), used by services like MySQL (port 3306), SMB (ports 445 and 139), FTP (ports 20 and 21), etc.

[^3]: Higher ports, which are dynamically assigned by the OS and are typically used for temporary communication sessions between client and server applications.

[^4]: Intrusion Detection System and Intrusion Prevention System

[^5]: UDP, short for User Datagram Protocol, is a connectionless protocol used for sending datagrams over a network, and is commonly used for services like DNS, DHCP, SNMP, and others.

[^6]: TCP, short for Transmission Control Protocol, is a connection-oriented protocol used for reliable transmission of data for web browsing, email, file transfer, remote access, and many others.

[^7]: The SYN flag, short for "synchronize", is a control flag for TCP.

[^8]: The ACK flag, short for "acknowledge", is a control flag for TCP.

[^9]: The RST flag, short for "reset", is a control flag for TCP.
