Nmap Scanning - Published Article

NMAP Scanning


Nmap (Network Mapper) is a tool used to scan networks to discover live hosts, open ports and services, perform OS fingerprinting etc. Nmap is commonly used for security audits and network inventory, and it is the de facto tool for port scanning. Nmap reports the state of each service/port as open, filtered, closed or unfiltered. Nmap has a vast number of options; we will focus on the most used ones.

open: Ports on the victim machine are listening, i.e. waiting for connections.

filtered: Nmap cannot conclude whether the port is open or closed because a firewall appliance, router rules, host-based firewall software, an IPS etc. is blocking the port.

closed: Ports which don't have any services running.

unfiltered: Ports are responsive to Nmap's probes, but Nmap cannot determine if the ports are open or closed. The result can sometimes be shown as open|filtered or closed|filtered.


The snapshot below shows the topology. We are using Kali Linux as the Nmap scanner.



Ping Scan/No port scan/Ping Sweep (-sn)

This scan prints out all hosts which are “alive”. When a privileged user scans a LAN, ARP packets are employed; for an unprivileged user, only SYN packets are sent, using connect().


Figure 1. ARP Packets generated by Ping Scan


Figure 2. Ping Scan Result

Otherwise, default host discovery sends an ICMP echo request, an ICMP timestamp request, a TCP SYN to port 443 and a TCP ACK to port 80.

Subnet Scanning

Nmap can scan all the hosts present in a given subnet. In the snapshot below, it reports all the hosts that are up and running out of the 254 hosts present in the subnet.


Figure 3. Subnet Scanning


Before diving deeply into port scanning using TCP, we should understand the header structure of a TCP packet and its different flags. TCP has 9 flags, but we mainly use 6 flags or their combinations as part of a TCP port scan; the scans are named after the flags they set.

TCP SYN scan (-sS)

It is Nmap's default scan. SYN scan is often referred to as half-open scanning, because we don't open a full TCP connection. Nmap sends a SYN packet, pretending to open a real connection. If the victim responds with SYN/ACK, the port is listening (open), while a RST (reset) indicates a non-listening port. If no response is received after several retransmissions, or an ICMP unreachable error is sent back, the port is marked as filtered.


Figure 4. TCP SYN Scan

TCP Connect scan (-sT)

The connect() system call completes the 3-way handshake to connect to target ports, rather than performing the half-open reset that SYN scan does.


Figure 5. TCP connect() Scan

TCP ACK scan (-sA)

ACK scan is used for firewall enumeration, to map out firewall ACLs. With ACK scan, both open and closed ports respond with a RST packet, indicating that the systems are reachable by the ACK packet, but we cannot determine whether the ports are open or closed, so they are flagged as unfiltered. Ports that don't respond or that return ICMP error messages are labeled as filtered.


Figure 6. TCP ACK Scan

TCP Window scan (-sW)

Window scan is similar to ACK scan. Nmap examines the TCP Window field of the RST packets: some systems use a positive window size for open ports, while closed ports have a zero window.

TCP Maimon scan (-sM)

Exactly the same as NULL, FIN, and Xmas scans, except that the probe sets the FIN and ACK flags.

A RST packet should be generated irrespective of whether the port is open or closed, but many BSD-derived systems simply drop the packet if the port is open.

The TCP scans below exploit certain loopholes in RFC 793. If a port is in the closed state, an incoming segment containing a RST is discarded, and an incoming segment without a RST causes a RST to be sent in response. If packets are sent to open ports without the SYN, RST, or ACK bits set, TCP/IP should drop the segment.

TCP Null scan (-sN)

This type of scan does not set any flag bits (TCP flag header is 0). Port information is not seen in the output of the scan.


Figure 7. TCP Null Scan

TCP Xmas scan (-sX)

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.


Figure 8. TCP Xmas Scan

Custom TCP scan (--scanflags)

This scan is for advanced users; arbitrary TCP flags can be set for the scan.
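Seen from the monitored network, the flag combinations described in the TCP scan sections above can be recognised in captured traffic. The following is an added example, not part of the original article: it labels client-to-server packets by probe type and reports sources that hit several ports with the same probe. The record layout, the function name, the port threshold and the sample addresses are assumptions; -sF is Nmap's FIN scan option, which the article mentions only by name.

```python
from collections import defaultdict

# TCP flag bits as carried in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Combinations no normal client sends, whatever the connection state.
ALWAYS_ODD = {0: "null (-sN)", FIN: "fin (-sF)", FIN | PSH | URG: "xmas (-sX)"}
# Normal inside a connection, suspicious when no SYN preceded them.
NEEDS_STATE = {ACK: "ack/window (-sA/-sW)", FIN | ACK: "maimon (-sM)"}

def classify_probes(packets, min_ports=3):
    """packets: (src, dst, dport, flags) tuples in capture order.
    Returns {src: {label: sorted ports}} for every source that sent the
    same probe type to at least min_ports distinct ports."""
    opened = set()                       # flows that started with a SYN
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        flow = (src, dst, dport)
        if flags == SYN:
            opened.add(flow)
            label = "syn (-sS/-sT)"      # half-open and connect() look alike here
        elif flags in ALWAYS_ODD:
            label = ALWAYS_ODD[flags]
        elif flags in NEEDS_STATE and flow not in opened:
            label = NEEDS_STATE[flags]
        else:
            continue                     # ordinary traffic on an opened flow
        seen[src][label].add(dport)
    report = {}
    for src, labels in seen.items():
        hits = {l: sorted(p) for l, p in labels.items() if len(p) >= min_ports}
        if hits:
            report[src] = hits
    return report

# Constructed capture using documentation addresses (not real traffic).
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", 22, FIN | PSH | URG),
    ("192.0.2.10", "198.51.100.5", 80, FIN | PSH | URG),
    ("192.0.2.10", "198.51.100.5", 443, FIN | PSH | URG),
    ("192.0.2.20", "198.51.100.5", 443, SYN),         # ordinary client
    ("192.0.2.20", "198.51.100.5", 443, ACK),
    ("192.0.2.20", "198.51.100.5", 443, PSH | ACK),
    ("192.0.2.20", "198.51.100.5", 443, FIN | ACK),
    ("192.0.2.30", "198.51.100.5", 21, ACK),
    ("192.0.2.30", "198.51.100.5", 22, ACK),
    ("192.0.2.30", "198.51.100.5", 25, ACK),
]
```

A capture that starts in the middle of an existing connection will show ACK and FIN/ACK packets with no SYN before them, which is why the report requires several distinct ports before naming a source.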

IP protocol scan (-sO)

IP protocol scan allows Nmap to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. Protocol scan works in a similar fashion to UDP scan. The snapshot below shows the wire communication of an IP protocol scan.


Figure 9. Packets sent during Protocol Scan

If Nmap receives a response in any protocol from the target host, Nmap marks that protocol as open. If the response to the protocol scan is an ICMP protocol unreachable error, Nmap marks the protocol as closed. The snapshot below shows the result of an IP protocol scan.


Figure 10. Protocol Scan Results

UDP Scanning

UDP scan works by sending an empty UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent. An ICMP port unreachable error (type 3, code 3) indicates a closed port. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as filtered. UDP scanning has its own set of challenges, such as rate limiting of destination unreachable messages; in addition, open and filtered ports do not send any response, leaving Nmap to time out and then conduct retransmissions.


Figure 11. UDP Port Scanning
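The response rules given in the SYN, ACK, Window, Maimon, NULL/Xmas and UDP sections above can be collected into one decision function. This is an added example, not code from the article or from Nmap; the reply record layout and function names are assumptions, and treating a UDP reply as open and silence on a NULL/FIN/Xmas/Maimon probe as open|filtered follows Nmap's documented behaviour rather than an explicit statement in the article.

```python
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NO_REPLY_FILTERED = {"syn", "ack", "window"}      # silence implies a filter
RST_MEANS_CLOSED = {"null", "fin", "xmas", "maimon"}

def port_state(scan, reply):
    """Map one probe's outcome to a port state.

    reply is None when every retransmission timed out, otherwise a dict:
    {"proto": "tcp", "flags": int, "window": int}, {"proto": "udp"} or
    {"proto": "icmp", "type": int, "code": int} (assumed field names).
    """
    if reply is None:
        return "filtered" if scan in NO_REPLY_FILTERED else "open|filtered"
    if reply["proto"] == "icmp":
        if reply["type"] != 3:
            raise ValueError("only destination unreachable is interpreted")
        # Port unreachable closes a UDP port; any other unreachable error
        # means something on the path is filtering the probe.
        return "closed" if scan == "udp" and reply["code"] == 3 else "filtered"
    if scan == "udp" and reply["proto"] == "udp":
        return "open"                     # the service answered over UDP
    flags = reply.get("flags", 0)
    if scan == "syn" and flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        if scan == "syn" or scan in RST_MEANS_CLOSED:
            return "closed"
        if scan == "ack":
            return "unfiltered"           # reachable, open/closed unknown
        if scan == "window":
            return "open" if reply["window"] > 0 else "closed"
    raise ValueError(f"unexpected reply {reply!r} for scan {scan!r}")

def scan_report(scan, replies):
    """replies: {port: reply-or-None}; returns {port: state}."""
    return {port: port_state(scan, r) for port, r in sorted(replies.items())}

# Constructed replies for three ports probed with a Window scan.
SAMPLE_WINDOW = {
    22: {"proto": "tcp", "flags": RST, "window": 512},
    23: {"proto": "tcp", "flags": RST, "window": 0},
    25: None,
}
```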

IPv6 Address Scan

The scan is similar to other scans, but here the Layer 3 header, i.e. the IP header, is IPv6 instead of IPv4.

nmap -6 -sS -T4 -p80,139,443,444 <target-IPv6-address>


Service Detection (-sV)


Figure 12. Service Detection


Nmap can detect the OS of a remote machine by using TCP/IP stack fingerprinting. Nmap performs tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, then compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match.


Figure 13. OS detection match


Fragmentation (-f)

The -f option causes the requested scan to use tiny fragmented IP packets.


Figure 14. Sets of fragments

Spoofing (-S)

This scan spoofs the source IP address with the address passed as an argument; Nmap won't receive the reply packets back (they will be addressed to the IP you are spoofing).


Nmap Scripting Engine (NSE) is one of Nmap's most powerful features; it uses various Lua scripts to audit networks, scan for vulnerabilities, enumerate hosts etc. On Kali Linux NSE scripts are present at



Figure 15. Nmap Script Scanning









Praveen Darshanam has over seven years of experience in Information Security with companies like McAfee, Cisco Systems and iPolicy Networks. His core expertise and passions are Vulnerability Research, Application Security, Malware Analysis, Signature Development, Snort etc. He pursued Bachelor of Technology (B.Tech) in Electrical Engineering (EE) and Master of Engineering (MS/ME/M.Tech) in Control and Instrumentation (C&I, EE) from one of the premier institutes of India. He holds industry Certifications like CHFI, CEH and ECSA. He is a known Ethical Hacking trainer in India. He also blogs at http://blog.disects.com/


September 2, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013