By Meghna Gangwar
While we believe that this content benefits our community, we have not yet thoroughly reviewed it. If you have any suggestions for improvements, please let us know by clicking the “report an issue“ button at the bottom of the tutorial.
Nmap is probably the most famous reconnaissance tool among Pentesters and Hacker. It is essentially a port scanner that helps you scan networks and identify various ports and services available in the network, besides also providing further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses. It also comes in handy during network auditing!
The barebone syntax of Nmap is:
$ nmap [FLAGS] [IP]
Note that you may also need to run it with sudo privileges at times to perform some particular types of scans,
Nmap is strong and powerful networking scanning to tool which allows for customizing our scans with the help of flags passed via the command line. Some of the important flags are :
nmap -p 80 127.0.0.0.1: This scans port 80 on localhost
nmap -p 1-100 127.0.0.1: This scans ports from 1 to 100 on localhost
nmap -p- 127.0.0.1: This scans all the ports on the localhost
Nmap supports a lot of different scan types. However the most popular ones are:
In this type of scan, Nmap sends a TCP packet to a port with the SYN flag set. In this scenario two things can occur :
This is not a very reliable scan technique as it is easy to configure a firewall rule to respond back with RST packets or drop all incoming packets. Also this method is extremely slow as it waits for the entire TCP 3 way handshake.
SYN scans, also known as “Half-Open” or “Stealth Scan” are an improvement over the previous method. In the previous method where we were sending back a TCP packet with the ACK flag set after receiving an SYN/ACK packet, now we would be sending an RST packet. This prevents the server from repeatedly trying to make the requests and massively reduces scan times.
This method is an improvement on the previous ones because:
However, it is not advisable to run SYN Scans on production environments as it might break certain unstable applications. It is also to be noted that SYN scans also require sudo privileges because it needs to craft raw packets.
Infact, when run with sudo privileges, nmap defaults to SYN Scans, otherwise it defaults to TCP scan.
UDP scans are much less reliable than the previous two as UDP connections are stateless by nature. This means that there’s no “feedback mechanism” like TCP. UDP works on the principle “Fire and Forget” which means that it sends packets directed to targets at certain ports and hopes that they would make it. This gives more emphasis on speed than quality. However, the lack of a feedback mechanism makes it difficult to identify open ports.
When an UDP packet is sent to a target port, there might be three scenarios :
Apart from these, some less popular scan types which are even “stealthier” than a TCP SYN scan. These are as follows :
In TCP Null Scans, the TCP packets sent don’t have any of the flags set. According to RFC, under such a circumstance, the target should respond back with an RST if the port i s closed
This is very similar to the TCP Null Scan except for the fact that instead of sending a completely empty TCP packet, it sends a packet with the FIN flag set which is used to gracefully close a connection. Accordingly the target must respond back with an RST for closed ports as per RFC.
TCP Xmas Scans is also very similar to the last two scan techniques except for the fact that they use TCP packets with the PSH, URG and FIN flags set. Like the last two scan types, this too expects RST packets for closed ports under RFC.
As these scans are of a similar nature, they also have similar outputs which is very similar to that of UDP Scans. In this case, we can only have the following three responses :
It is also to be note that though RFC 793 mandates that network hosts respond to malformed packets with a RST TCP packet for closed ports, and don’t respond at all for open ports, some systems reject this convention. This behaviour is mostly observed in Microsoft Windows Servers and some CISCO devices where all malformed packets are dropped by default.
One of the most important things to do on connecting to a network is to obtain a list of all active hosts on the network before further probing. This can be done via an “Ping Sweep”, which as the name implies, involves sending ICMP packet to all the IPs in the network and await for responses. The hosts which reply back with an ICMP packet are considered active in this case.
You can specify your target IP ranges by using hypens or via CIDR as follows :
$ nmap -sn 192.168.0.1-254
$ nmap -sn 192.168.0.0/24
-sn flag suppresses any port scans, and forces nmap to rely solely on ICMP echo packets (or ARP requests if run with superuser privileges) to identify active hosts in the network. It also sens a TCP SYN packet to the target’s port 443 and a TCP ACK request ( TCP SYN if run with superuser privileges) to the target’s port 80.
The Nmap Scripting Engine(NSE) is a powerful addition to Nmap which allows us to even further extend its functionality. Written in Lua, we can use it to write our scripts and automate a lot of our work like testing for vulnerabilities and exploitation.
There are many categories available. Some useful categories include:
safe:- Won’t affect the target
intrusive:- Not safe: likely to affect the target
vuln:- Scan for vulnerabilities
exploit:- Try to exploit a vulnerability
auth:- Attempt to bypass authentication for running services
brute:- Try to brute force credentials for running services
discovery:- Attempt to query running services for further information about the network (
To run a script, we need to specify it as
You can also specify multiple scripts to run at the same time by separating the script names like
Some scripts also require an argument which can be specified with
Some scripts have an built-in help menus which can be referred with :
$ nmap --script-help <script-name>
You can find a comprehensive list of scripts here.
Nmap has a lot of free and well-drafted documentation. You can find a lot of the information about the flags, scripts, and much more on their official website. You can experiment with the various flags and scripts and see how their outputs differ under different environments.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.