Scanning with Nmap – A primer (BETA version of the article)

There is another article which is to be published in the Issue dedicated to Network Mapping, coming out on our website this week.

We encourage you to acquaint yourselves with the author's practical knowledge on the topic and give us your feedback in the comments section as well as via email: [email protected]

Enjoy reading and visit our pre-order section


Karina Radzykhovska and PenTest Magazine Team

Scanning with Nmap – A primer


(Account Security Officer at Hewlett-Packard India Sales Pvt. Ltd & Board Member, CGEIT Coordinator & e-journal editor of ISACA Mumbai Chapter)


Scanning is the process of identifying systems which are active and determining what services are running on them. It can be said without doubt that Nmap is a widely used scanning and enumeration tool.


In the sequence of penetration testing, reconnaissance, which is the first step, leads us to a number of attackable systems, usually in the form of IP addresses. During scanning, which is the second step, we map those IP addresses to open ports and services.


Scanning comprises three phases:

  1. Determining if the system is active
  2. Scanning for ports or port scanning
  3. Scanning for vulnerabilities


The first step is the process of finding out whether a system is turned on, or active, and can communicate with other machines. The second step is the process of identifying the specific ports and services running on that system.


A port is a data connection that allows a computer to exchange information with other computers, software or devices. Ports were the natural evolution once computers moved from exchanging data on floppies, as isolated systems, to networking. Some common ports and their corresponding services are listed below:

Port Number   Service
20            FTP data transfer
21            FTP control
22            SSH
So while scanning, any open ports we find are of special interest, as each one is a potential gateway into the target system.


The final step is the process of locating and identifying known weaknesses in the services and software running on the host system.


Port Scanning


The objective of port scanning is to determine which ports are open and what services are running on them, such as e-mail, FTP or printing. There are a total of 65,535 port numbers. Since port numbers are 16 bits long, this gives 65,536 possible values, from 0 to 65,535.


Nmap is one of the best tools for conducting port scanning. Nmap was written by Gordon “Fyodor” Lyon and is available for free from


Three way handshake


When two computers want to connect, the first computer connects to the second by sending a SYN packet to a specified port number. If the second computer is listening on that port, it responds with a SYN/ACK. The first computer, after receiving the SYN/ACK, replies with an ACK packet. The two machines then communicate until the connection is closed.


Now let us move on to discuss the various types of scans Nmap can perform. There are numerous scan types, and please be warned that some of them could cause the target system to crash under the load of unusual packets. Getting appropriate permission from the target owners, or alerting them to the possible undesirable consequences, is very important.

TCP Connect Scan

This is the most basic and stable of all the scans, as it actually completes the three-way handshake. But ensure you do not flood the target machine from a fast machine on a high bandwidth connection.

To run a TCP connect, the command can be as follows:

nmap -sT -p- -PN <target-ip>   (the target is an arbitrary and imaginary IP number)

The first word “nmap” starts the Nmap port scanner. The second argument, “-sT”, tells Nmap to run a TCP connect scan. The “-p-” tells Nmap to scan all the ports, not just the default 1000. Note that if no port range is given, Nmap scans only the 1000 most common ports.

It is better to specify all the ports this way, as the command will then find every open port, even where administrators have hidden a service by running it on a non-standard port.

We use the “-PN” switch to skip the host discovery phase and run the scan against every address given, as if each system were alive and responded to ping requests.

Lastly, the target IP address is specified, which of course is an imaginary number here.

Suppose you want to scan all the hosts in a network range; you would issue the following command:

nmap -sT -p- -PN <network-range>

Connect scans are easy to detect. Since a complete connection is made to the end system, the system records the connection in its logs, revealing the attacker's IP address. Hence stealthier scan techniques are preferred by attackers.
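As an added example (not code from the article or from the Nmap project), the following Python script performs a TCP connect scan in the way described above, against a listener it starts on the local machine. It uses the operating system's connect() call, so the kernel completes the full SYN, SYN/ACK, ACK handshake for every probed port; the local listener records the peer address of every completed connection, which is exactly why the text says connect scans are easy to detect. The listener, the port choices and the "filtered" verdict on timeout are this example's own assumptions; no real target is contacted.

```python
"""Added example (not from the article): a TCP connect scan against a
local listener, showing that the OS completes the full three-way
handshake and that the scanned service therefore sees and can log the
scanner's address."""
import socket
import threading
import time
from typing import Dict, Iterable, List, Tuple

HOST = "127.0.0.1"  # constructed lab target: only the local machine is touched


class Listener:
    """A tiny TCP service on an ephemeral port that, like a real daemon,
    records the source address of every completed connection."""

    def __init__(self, host: str = HOST) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))          # port 0: let the kernel pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.1)          # lets the accept loop notice stop()
        self.port: int = self.sock.getsockname()[1]
        self.log: List[str] = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()   # handshake already done by the kernel
            except socket.timeout:
                continue
            self.log.append(f"connection from {peer[0]}:{peer[1]}")
            conn.close()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=1)
        self.sock.close()


def pick_closed_port(host: str = HOST) -> int:
    """Reserve an ephemeral port and release it, so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Connect scan: ask the OS for a full handshake on each port.
    connect() succeeding means open (SYN -> SYN/ACK -> ACK all happened);
    an immediate refusal means the port answered with RST, i.e. closed;
    no answer within the timeout is reported as filtered (assumed verdict)."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:                 # includes socket.timeout
                results[port] = "filtered"
    return results


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Scan one open and one closed local port; return the verdicts keyed
    by role and the lines the listener logged."""
    listener = Listener()
    closed = pick_closed_port()
    try:
        verdicts = connect_scan(HOST, [listener.port, closed])
        deadline = time.time() + 2
        while not listener.log and time.time() < deadline:
            time.sleep(0.05)   # give the accept loop time to record the connection
        return ({"open_port": verdicts[listener.port], "closed_port": verdicts[closed]},
                list(listener.log))
    finally:
        listener.stop()


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)        # {'open_port': 'open', 'closed_port': 'closed'}
    for line in log:
        print("listener saw:", line)
```

The listener's log line is the defender's view: a connect scan leaves one completed connection per open port in the service's own logs, with the source address attached, whereas the half-open scans discussed next never reach the application's accept() call.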


TCP SYN Scan

The SYN scan is the most popular scan; it stops after the first two steps and does not complete the three-way handshake. Also referred to as a half-open scan, it works as follows: the attacking machine sends a SYN packet to each target port. If the port is open, the target system sends a SYN/ACK response. The attacking machine then immediately sends a RESET packet, aborting the connection before it is completed. In a SYN scan, only the first two parts of the three-way handshake occur.

To run a SYN scan, the following command is issued:

nmap -sS -p- -PN <target-ip>

The command is exactly the same as the previous one, except that “-sS” is used in place of “-sT”. The advantages of SYN scans are that they are stealthier and faster. Although logging normally happens only for completed three-way handshake connections, all modern firewalls and intrusion detection systems in use today will report a SYN scan.


UDP Scan

UDP is an acronym for User Datagram Protocol, while TCP stands for Transmission Control Protocol. Computers can communicate with one another using either of the two protocols.

TCP is considered a “connection-oriented protocol”, because it requires that the communication between sender and receiver stays in sync. UDP, on the other hand, is said to be “connectionless”, because the sender simply sends packets to the receiver with no mechanism to ensure that they arrive at the destination.

It is to be noted that not every service uses TCP. DHCP, DNS (for individual lookups), SNMP and TFTP use UDP. To run a UDP scan, the command is as follows:

nmap -sU <target-ip>

It is important to remember that a UDP exchange does not require a response from the receiver. So no response may be received, even if the service is available and accepting UDP packets. To get a more useful result from the target system, we can extend the command as follows:

nmap -sUV <target-ip>

Here V stands for version scanning, which helps us get better results on “open” ports.
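The following Python script is an added example (not code from the article or from Nmap) that makes the ambiguity described above concrete. It starts two UDP services on the local machine, one that answers datagrams and one that silently ignores them, and probes those two ports plus a port nothing listens on. A reply proves the port open and an ICMP port-unreachable (surfaced by the kernel as a connection-refused error on a connected UDP socket) proves it closed, but silence from the quiet service is indistinguishable from a dropped packet, which is why Nmap reports "open|filtered" there and why version probing (-sV) helps. The two local services, the probe payload and the verdict names are this example's own assumptions.

```python
"""Added example (not from the article): why a UDP scan is ambiguous.
Only a reply or an ICMP port-unreachable is conclusive; a service that
does not answer an unexpected datagram looks exactly like a firewall."""
import socket
import threading
from typing import Dict

HOST = "127.0.0.1"   # constructed lab target: only the local machine is touched


class EchoService:
    """A UDP service that answers every datagram, like a DNS or NTP server
    replying to a well-formed query."""

    def __init__(self, host: str = HOST) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, 0))        # kernel picks a free port
        self.sock.settimeout(0.1)        # lets the loop notice stop()
        self.port: int = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)
        self._thread.start()

    def _run(self) -> None:
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(512)
            except socket.timeout:
                continue
            self.sock.sendto(data, peer)

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=1)
        self.sock.close()


class SilentService:
    """A UDP service that is bound (so the kernel sends no ICMP unreachable)
    but never answers, which is how most UDP daemons treat junk input."""

    def __init__(self, host: str = HOST) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, 0))
        self.port: int = self.sock.getsockname()[1]

    def stop(self) -> None:
        self.sock.close()


def pick_closed_port(host: str = HOST) -> int:
    """Reserve a UDP port and release it, so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def udp_probe(host: str, port: int, payload: bytes = b"\x00", timeout: float = 0.5) -> str:
    """Send one datagram and wait. Reply -> open; ICMP port unreachable
    (reported as ConnectionRefusedError on a connected UDP socket) -> closed;
    silence -> open|filtered, because we cannot tell the two apart."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connect() so ICMP errors are delivered to this socket
        try:
            s.send(payload)
            s.recv(512)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def demo() -> Dict[str, str]:
    """Probe an answering service, a silent service and a closed port."""
    echo, quiet = EchoService(), SilentService()
    try:
        return {
            "echoing_service": udp_probe(HOST, echo.port),
            "silent_service": udp_probe(HOST, quiet.port),
            "closed_port": udp_probe(HOST, pick_closed_port()),
        }
    finally:
        echo.stop()
        quiet.stop()


if __name__ == "__main__":
    for role, verdict in demo().items():
        print(f"{role:16s} -> {verdict}")
```

On Linux the closed port comes back as "closed" because the loopback stack generates the ICMP port-unreachable immediately; on a host or network that filters ICMP it would look like the silent service instead, which is the filtering case the text warns about.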

FIN, Xmas Tree and Null Scans

Connect scans follow the full TCP connection sequence, while TCP SYN scans follow its first two steps. The FIN, Xmas Tree and Null scans all violate the protocol by sending packets that do not belong at the start of a connection.

FIN stands for Finish and instructs the target system to close down the connection. The target system cannot close a non-existent connection; as per the TCP specification, it responds with a RESET packet, which indicates to the attacker that the port is closed. If the port is open and an unexpected FIN arrives, the port sends nothing back. Therefore, if nothing comes back, it can be reasonably concluded that the port is open and listening, though a firewall might have blocked the incoming packet or the response. Thus FIN scans can be used to determine which ports might be open and which are closed.

Xmas Tree scan sends packets with URG, ACK, PSH, RST, SYN and FIN control bits set. A Null scan involves sending TCP packets with no control bits set.

Xmas Tree and Null scans expect the same behaviour from the target system as a FIN scan: a closed port sends a RESET and a listening port sends nothing.

This technique does not work against Windows-based systems, but for other platforms these scans are very useful. To execute an Xmas tree scan, the command is as follows:

nmap -sX -p- -PN <target-ip>
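As an added example covering both the SYN scan and the FIN/Xmas/Null scans above (not code from the article or from Nmap), the Python below decodes the flag bits of a raw TCP header and applies the reply rules the text describes: for a SYN probe, SYN/ACK means open and RST means closed; for FIN, Xmas and Null probes, RST means closed and silence means open or filtered, since the probe or the reply may have been dropped. Silence after a SYN probe is classed as "filtered", which is Nmap's own convention and not stated in the article. Probe construction is shown for the SYN, FIN and Null cases; the header bytes are constructed in the script and nothing is sent on the network.

```python
"""Added example (not from the article): parse the TCP flag byte and
interpret a reply, or the absence of one, to SYN, FIN, Null and Xmas probes
following the rules given in the text. All packets here are constructed."""
import struct
from typing import Dict, Optional, Set

# TCP control bits, low byte of the 16-bit data-offset/flags field (RFC 793)
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flags each probe type sets (SYN, FIN and Null only; Xmas is not built here)
PROBE_FLAGS: Dict[str, Set[str]] = {"SYN": {"SYN"}, "FIN": {"FIN"}, "NULL": set()}


def build_tcp_header(sport: int, dport: int, flags: Set[str],
                     seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """Build a 20-byte TCP header (no options, checksum left zero)."""
    bits = sum(FLAG_BITS[f] for f in flags)
    off_flags = (5 << 12) | bits      # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(raw: bytes) -> Dict[str, object]:
    """Decode the fixed part of a TCP header into ports, seq/ack and flags."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, _urgp = struct.unpack("!HHIIHHHH", raw[:20])
    flags = {name: bool(off_flags & bit) for name, bit in FLAG_BITS.items()}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": flags, "window": window}


def build_probe(scan: str, sport: int = 40000, dport: int = 80) -> bytes:
    """The packet a given scan type would send to the target port."""
    return build_tcp_header(sport, dport, PROBE_FLAGS[scan])


def classify(scan: str, reply: Optional[bytes]) -> str:
    """Verdict for one port from the reply (None = nothing came back).
    SYN scan       : SYN/ACK -> open, RST -> closed, silence -> filtered.
    FIN/NULL/XMAS  : RST -> closed, silence -> open|filtered (a listening port
                     stays quiet, but so does a firewall that dropped the probe)."""
    if scan not in ("SYN", "FIN", "NULL", "XMAS"):
        raise ValueError(f"unknown scan type {scan!r}")
    if reply is None:
        return "filtered" if scan == "SYN" else "open|filtered"
    f = parse_tcp_header(reply)["flags"]
    if f["RST"]:
        return "closed"
    if scan == "SYN" and f["SYN"] and f["ACK"]:
        return "open"
    return "unexpected"     # e.g. a bare ACK; a real scanner would retry


def demo() -> Dict[str, str]:
    """Constructed replies from a target on port 80 to a scanner on port 40000."""
    syn_ack = build_tcp_header(80, 40000, {"SYN", "ACK"}, seq=1000, ack=1)
    rst_ack = build_tcp_header(80, 40000, {"RST", "ACK"}, ack=1)
    return {
        "SYN probe, SYN/ACK back": classify("SYN", syn_ack),
        "SYN probe, RST back": classify("SYN", rst_ack),
        "SYN probe, silence": classify("SYN", None),
        "FIN probe, RST back": classify("FIN", rst_ack),
        "FIN probe, silence": classify("FIN", None),
        "NULL probe, silence": classify("NULL", None),
        "XMAS probe, RST back": classify("XMAS", rst_ack),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} -> {verdict}")
    print("SYN probe flags:", parse_tcp_header(build_probe("SYN"))["flags"])
```

The "open|filtered" verdict is the practical caveat to the FIN/Xmas/Null technique: silence is evidence, not proof, and a defender who wants these scans to yield nothing useful can simply drop the unexpected packets instead of answering them.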


September 2, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013