Nmap Scans Explanation with Commands
The Swiss Army knife of TCP/IP port scans
What is Nmap? Port Scanner / Network Scanner
Nmap is a port scanning utility that uses a number of probe techniques to determine which ports are open, and can go further to infer richer information such as the operating system running on the target.
Nmap helps you map a network: discover the live hosts on it, list their open ports and services, and (with OS detection) identify what they are running. The Zenmap GUI can additionally draw a topology diagram from the results.
Nmap can be run for a single host or for a whole range of IP addresses.
Note: scanning systems you are not authorized to test may be illegal in your jurisdiction and is at minimum unwelcome. If you want to explore, practice on your own personal network or on virtual machines.
If you are using a security distribution of Linux such as BackTrack or Kali Linux, Nmap comes preinstalled and needs no further setup.
On a plain Linux distribution, install it from the package manager (Debian/Ubuntu shown) or build it from the release tarball:
sudo apt-get install nmap
tar jxvf nmap-5.61TEST5.tar.bz2
(after extracting the tarball, change into the new directory and run the usual configure, make and make install steps; the version shown is just the one current when this was written)
Run man nmap to view the different options and examples for scanning.
Simplest SYN Scan:
nmap -sS <target_ip>
Sends a TCP SYN packet to each port and waits for a SYN-ACK (port open) or a RST (port closed). Nmap then answers a SYN-ACK with a RST instead of completing the handshake, so the connection is never fully established; this is why it is called a half-open scan. It needs raw packet privileges (root) and is Nmap's default scan when run as root.
Because the handshake is never completed, the target application never sees a connection and usually does not log anything, which makes the SYN scan the quieter option. A network IDS/IPS will still notice a burst of SYN probes, and no scan type is invisible to it. If you cannot send raw packets, fall back to the connect scan below.
Full TCP Connect Scan:
nmap -sT <target_ip>
In this scan Nmap does a full handshake through the operating system's connect() call:
it sends the SYN, receives the SYN-ACK, and then sends the final acknowledgement (ACK) to the target. It needs no special privileges (it is the default for unprivileged users), but it is noisier than a SYN scan because each probed service sees a real connection and may log it.
One can also do a UDP scan:
nmap -sU <target_ip>
UDP scans take much longer because there is no handshake to confirm anything: an open UDP port usually stays silent, a closed one answers with an ICMP port unreachable message, and many systems rate-limit those ICMP replies (Linux to about one per second), so Nmap has to retransmit probes and wait out timeouts. Ports that never answer are reported as open|filtered rather than open.
Scan a Specific Port:
nmap -p 80 192.168.1.1
TCP port only: nmap -sS -p T:80 192.168.1.1
UDP port only: nmap -sU -p U:80 192.168.1.1
The T: and U: prefixes only take effect when the matching scan type (-sS/-sT for TCP, -sU for UDP) is enabled; without it Nmap warns and skips those ports.
Christmas Tree (Xmas) Scan:
nmap -sX <target_ip>
Used for firewall evasion, or in any situation where a quieter probe than a SYN is wanted. The probe has the FIN, PSH and URG flags set (not every flag), which is enough to make the packet "light up like a Christmas tree".
nmap -sN <target_ip>
Null scan: sets no flag bits at all (the TCP flags byte is 0).
nmap -sF <target_ip>
FIN scan: sets just the TCP FIN bit.
All three rely on RFC 793 behaviour: a closed port must answer an unexpected packet with a RST, while an open port must drop it silently. Since silence is also what a firewall produces, open ports can only be reported as open|filtered. Systems that do not follow the RFC here (Windows, many Cisco devices, some printers) answer every such probe with a RST, so against them these scans show every port as closed.
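The following is an added example, not code from the original page or from the Nmap project: it builds the raw TCP header of each probe type (so the flag bits set by -sS, -sN, -sF and -sX are explicit, including the correct checksum), and implements the response-to-state rules Nmap uses for SYN, Null/FIN/Xmas and UDP scans, including the open|filtered case described above. The IP addresses, ports and the reply vocabulary ("syn-ack", "rst", "udp-data") are constructed for the example; nothing is sent on the wire.

```python
import socket
import struct

# TCP flag bits, low bit first (RFC 793 / RFC 3168)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags carried by the probe each Nmap scan type sends.
# -sX sets FIN, PSH and URG only; it does not set every flag.
SCAN_FLAGS = {
    "syn": SYN,
    "null": 0,
    "fin": FIN,
    "xmas": FIN | PSH | URG,
}


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum is computed over."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def tcp_probe(src_ip, dst_ip, src_port, dst_port, flags, seq=0):
    """Build the 20-byte TCP header of a scan probe with a valid checksum.

    Fields in order: sport, dport, seq, ack, data offset (5 words) + reserved,
    flags, window, checksum (zero while computing), urgent pointer.
    """
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         5 << 4, flags, 1024, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def probe_flags(header: bytes) -> int:
    """Flags byte of a TCP header (byte offset 13)."""
    return header[13]


def checksum_ok(src_ip, dst_ip, header: bytes) -> bool:
    """A header with a correct checksum sums (with its pseudo-header) to zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


def classify(scan: str, reply=None, icmp_code=None) -> str:
    """Port state Nmap reports for one probe, by scan type.

    reply: "syn-ack", "rst", "udp-data" or None (no response after retries).
    icmp_code: code of an ICMP type 3 (destination unreachable) reply, if any.
    """
    icmp_filtered = icmp_code in (1, 2, 9, 10, 13)
    if scan == "syn":
        if reply == "syn-ack":
            return "open"
        if reply == "rst":
            return "closed"
        return "filtered"          # dropped, or any ICMP unreachable
    if scan in ("null", "fin", "xmas"):
        if reply == "rst":
            return "closed"
        if icmp_filtered:
            return "filtered"
        return "open|filtered"     # silence: open port or a firewall drop
    if scan == "udp":
        if reply == "udp-data":
            return "open"
        if icmp_code == 3:
            return "closed"        # ICMP port unreachable
        if icmp_filtered:
            return "filtered"
        return "open|filtered"
    raise ValueError("unknown scan type: %s" % scan)


if __name__ == "__main__":
    for name, flags in SCAN_FLAGS.items():
        probe = tcp_probe("10.0.0.1", "10.0.0.2", 40000, 80, flags)
        print("%-4s flags=0x%02x header=%s" % (name, probe_flags(probe), probe.hex()))
    print("xmas, no reply  ->", classify("xmas"))
    print("syn,  no reply  ->", classify("syn"))
```

The two "no reply" lines at the end show the practical difference between the scan families: the same silence means filtered for a SYN scan (an open port would have answered) but open|filtered for Null/FIN/Xmas, where an open port is supposed to stay quiet.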
Scan a host by its hostname:
nmap -v www.example.com
(the -v option enables verbose mode, which prints more information while the scan runs)
Scan Multiple IP addresses with Nmap:
nmap 192.168.1.1 192.168.1.2 192.168.1.3
or nmap 192.168.1.1,2,3
Scan a range of IPs:
nmap 192.168.1.1-20
or use a wildcard: nmap 192.168.1.*
Scan an entire subnet with Nmap, using CIDR notation:
nmap 192.168.1.0/24
For OS detection use the option -O. The option -A is "aggressive" mode, which bundles OS detection with version detection (-sV), the default NSE scripts (-sC) and traceroute:
nmap -A -v 192.168.1.2
nmap -v -O --osscan-guess 192.168.1.1
--osscan-guess makes Nmap report its closest match when the fingerprint does not match any known OS exactly. OS detection needs raw packet privileges and works best when the target has at least one open and one closed TCP port.
Provide a list of hosts in a file:
nmap -iL /tmp/host_list.txt
Exclude some hosts from a scan:
nmap 192.168.1.1/24 --exclude 192.168.1.9
Advanced Scanning with Nmap
Idle Scan: an advanced technique that lets you scan a target without sending it a single packet from your own IP address. Instead the probes are bounced off a third host, the "zombie", and the zombie's predictable IP ID counter is used as a side channel to infer which ports on the target are open.
The target's logs and IDS see the scan coming from the zombie we specify, not from us. Because the target is effectively probed from the zombie's address, idle scan can also reveal IP-based trust relationships (for example whether the target accepts connections from the zombie that it would refuse from us). It needs a zombie that uses incremental, globally shared IP ID values and carries very little other traffic, and it is slow. Idle scan is a topic in itself; see the idle scan chapter of the Nmap reference guide for the full mechanics.
nmap -Pn -sI <zombie_ip> <target_ip> -oX nmap.xml
Note that -sI takes the zombie as its argument and the target follows as usual; -Pn skips the host-discovery ping so that no packet reaches the target directly from your address, and -oX writes the results as XML to nmap.xml for later processing.
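The -oX output above is the form of Nmap results that is meant to be processed by tools. The following is an added example, not code from the original page or from the Nmap project: a small parser for that XML that pulls out each host's address, hostname, up/down status and per-port state, and separates confirmed open ports from the open|filtered ones that still need verifying (for instance the UDP ports a -sU scan could not settle). The embedded XML is a constructed sample trimmed to the elements the parser reads; the addresses, ports and services in it are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sS -sU -oX nmap.xml ...` writes, trimmed
# to the elements this parser uses. Hosts, ports and services are invented.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -oX nmap.xml 192.168.1.1 192.168.1.9" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
    <hostnames><hostname name="gateway.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname": ..., "up": bool, "ports": [(proto, port, state, service), ...]}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        # Prefer the IP address; a host may also carry a MAC <address> element.
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        status = host.find("status")
        name = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            ports.append((
                port.get("protocol"),
                int(port.get("portid")),
                state.get("state") if state is not None else "unknown",
                service.get("name") if service is not None else None,
            ))
        hosts[addr.get("addr")] = {
            "hostname": name.get("name") if name is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": ports,
        }
    return hosts


def open_ports(hosts):
    """Ports Nmap is sure about (state exactly "open"), as {ip: [(proto, port), ...]}."""
    confirmed = {}
    for ip, info in hosts.items():
        found = [(proto, port) for proto, port, state, _ in info["ports"] if state == "open"]
        if found:
            confirmed[ip] = found
    return confirmed


def unresolved_ports(hosts):
    """Ports reported open|filtered, e.g. UDP ports that never answered."""
    pending = {}
    for ip, info in hosts.items():
        found = [(proto, port) for proto, port, state, _ in info["ports"] if state == "open|filtered"]
        if found:
            pending[ip] = found
    return pending


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for ip, info in hosts.items():
        print(ip, info["hostname"] or "-", "up" if info["up"] else "down")
    print("confirmed open:", open_ports(hosts))
    print("needs verifying:", unresolved_ports(hosts))
```

To run it on a real scan, read nmap.xml into a string and pass it to parse_nmap_xml; the open|filtered list is a good candidate for a follow-up version scan (-sV), which sends protocol-specific payloads that often get an otherwise silent UDP service to answer.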