
Nmap For Hackers

Nmap is a great tool for port scanning, but before writing this post I didn't fully understand how it worked. I spent a lot of time learning Nmap, so this post aims to explain it quickly for anybody who wants to learn.

Host Discovery

Nmap allows us to easily run a sweep scan against a network. In simple terms, it is a ping scan against every address in the range to see which hosts are up, with no port scan afterwards. On a local Ethernet segment Nmap defaults to an ARP scan, because a host that answers ARP is up regardless of any ICMP filtering. Against remote networks the default host discovery (when run as root) sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; without root it falls back to a TCP connect to ports 80 and 443. You can initiate this scan with the -sn flag. The command below runs a sweep against the whole subnet but can also be used for an individual host.

$ nmap -sn 10.10.10.1/24

Note About Ping Scans

One thing to remember is that most Windows firewalls block ICMP echo requests, so a host that is actually up can be reported as down. Host discovery can be turned off with the -Pn flag, which makes Nmap treat every target as online and go straight to the port scan. Because by default almost every scan starts with host discovery, we may have to disable it manually. The trade-off is time: with -Pn against a /24, all 256 addresses get port-scanned whether or not anything is there.

$ nmap [target_ip] -Pn

Plain Scan

When conducting a plain scan, you start by initiating Nmap with just the host as an argument. The host can be either an IP address or a domain name. Without sudo privileges the default scan establishes a full TCP connection to each of the 1,000 most common ports (the connect scan, which we will get to in a minute); with root privileges Nmap defaults to the SYN scan covered below. Below is an example of how the command would look. You can also request the full connect scan explicitly with the -sT flag.

$ nmap scanme.nmap.org                               
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 03:41 CST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.071s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

If we look at the scan results, we can break down what Nmap does under the hood line by line, in the following order:

  1. Nmap starts the scan.
  2. Nmap performs DNS resolution, matching the domain scanme.nmap.org to its IP address (and later a reverse lookup of the address).
  3. Nmap performs host discovery (the ping scan above) to see if the host is up.
  4. Nmap attempts to connect to each target port using a full three-way handshake, and reports only the interesting ports; the 996 "filtered" ports that never answered are summarised in the "Not shown" line.
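To turn a report like the one above into something a script can act on, here is a small parser for Nmap's normal (human-readable) output. It is an added example and not part of the original post or of Nmap; the sample text is the scanme.nmap.org report shown above, embedded so the script runs offline (in practice you would read a file saved with -oN, or better, use -oX/-oG, which are built for machine parsing).

```python
"""Parse Nmap's normal output into structured host reports (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: the scan report from the post, pasted verbatim.
SAMPLE_OUTPUT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 03:41 CST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.071s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
9929/tcp open  nping-echo

Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
"""


@dataclass
class HostReport:
    hostname: str | None
    address: str
    up: bool = False
    latency: float | None = None
    not_shown: dict = field(default_factory=dict)  # e.g. {"filtered": 996}
    ports: list = field(default_factory=list)       # (port, proto, state, service)


# "Nmap scan report for name (addr)" or just "Nmap scan report for addr"
HOST_RE = re.compile(r"^Nmap scan report for (\S+?)(?: \((\S+)\))?$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) (?:(?:tcp|udp) )?ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_normal_output(text: str) -> list[HostReport]:
    """Walk the output line by line, starting a new report at every scan-report header."""
    hosts: list[HostReport] = []
    current: HostReport | None = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            name, addr = m.group(1), m.group(2)
            # Without a resolved name Nmap prints only the address.
            current = HostReport(hostname=name if addr else None, address=addr or name)
            hosts.append(current)
        elif current is None:
            continue  # banner lines before the first host
        elif m := UP_RE.match(line):
            current.up = True
            current.latency = float(m.group(1))
        elif m := NOT_SHOWN_RE.match(line):
            current.not_shown[m.group(2)] = int(m.group(1))
        elif m := PORT_RE.match(line):
            current.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts


def open_ports(report: HostReport) -> list[int]:
    """Ports Nmap marked open, in the order they were reported."""
    return [port for port, _, state, _ in report.ports if state == "open"]


if __name__ == "__main__":
    for host in parse_normal_output(SAMPLE_OUTPUT):
        print(host.hostname, host.address, "up" if host.up else "down",
              open_ports(host), host.not_shown)
```

The "Not shown" line matters in practice: 996 filtered ports means almost everything was silently dropped, which is the firewall signal discussed later under the ACK scan.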

What Is a TCP Connection

Before we go over a full scan, let's go over what a TCP three-way handshake looks like. First we'll cover which TCP flags are sent and what they mean, then the handshake itself. Below is a table with the flags and their meaning in simple terms.

TCP Flag Meanings in Simple Terms

Flag      Meaning
SYN       Want to talk?
SYN-ACK   Hey, I'm acknowledging you want to talk, let's talk. (SYN and ACK set in the same packet.)
ACK       Now that I know you're listening, I'll tell you what I needed to say.
RST       I don't want to talk to you.

Before computers can communicate, they need to establish a connection. Computer 1 says, "Hey, do you want to talk?" Computer 2 either responds with "Sure, let's talk," or it says "Leave me alone" and resets the connection. Computer 1 then responds, "Now that I know you're listening and that you want to talk, let's talk." Basically, Computer 1 makes sure Computer 2 is listening and willing to talk before it says anything.

Three-way Handshake

  1. Computer 1 (client) sends a SYN packet to initiate the connection.
  2. Computer 2 (server) responds with a SYN-ACK packet to acknowledge.
  3. Computer 1 (client) sends an ACK packet to confirm the connection.

Full TCP Connect Scan/Full-Scan

For each port, Nmap asks the operating system to open a connection (the connect() system call), which is why this scan needs no special privileges. The OS sends a SYN packet. When the port answers with a SYN-ACK, the OS completes the three-way handshake with an ACK, so the service on the target sees a fully established connection and will usually log it; Nmap then closes the socket (the OS sends an RST or FIN) and marks the port as open. An RST-ACK packet combines the RST and ACK flags, acknowledging what was received and resetting the connection at the same time. The port is marked as closed if the SYN gets an RST back, and as filtered if there is no response at all or an ICMP unreachable error comes back, which usually indicates a firewall.

How Nmap Handles Each Response for a Full-Scan

Nmap's Initial Request   Response Nmap Received      How Nmap Handles the Response
SYN                      SYN-ACK                     Completes the three-way handshake, closes the connection, and marks the port as open.
SYN                      RST                         Marks the port as closed.
SYN                      (No response)               Marks the port as filtered.
SYN                      (ICMP unreachable error)    Marks the port as filtered.

The SYN Scan/Half-Scan

A half-scan (also called a half-open scan) is considered stealthier than a full scan because it never completes the three-way handshake. The connection is never established, so the application listening on the port never sees it and usually logs nothing; a firewall or network IDS watching the wire still sees the SYN packets, so "stealth" only applies to the target's application logs. A half-scan is otherwise the same as a full scan with one key difference: when a SYN-ACK comes back, Nmap replies with an RST packet, immediately tearing the half-open connection down instead of finishing it. Because Nmap crafts these packets itself rather than using the OS's TCP stack, the SYN scan requires root privileges, and it is the default scan when you run Nmap with sudo. You can request it explicitly with the -sS flag.

$ nmap [target_ip] -sS 

How Nmap Handles Each Response for A SYN Scan

Nmap's Initial Request   Response Nmap Received      How Nmap Handles the Response
SYN                      SYN-ACK                     Sends an RST to tear down the half-open connection and marks the port as open.
SYN                      RST                         Marks the port as closed.
SYN                      (No response)               Marks the port as filtered.
SYN                      (ICMP unreachable error)    Marks the port as filtered.

The Version Scan

The version scan attempts to identify the service and version running on each open port. After the port scan finds the open ports, Nmap connects to each one, reads any banner the service sends, and sends a series of probes from its nmap-service-probes database, matching the replies against known signatures. This is an active, noisy step, since it establishes real connections to every open port.

$ nmap [target_ip] -sV

Nmap Scripting Engine (NSE)

NSE is a collection of Lua scripts that Nmap runs against discovered services to gather more information, such as versions and vulnerabilities, or even to exploit the service. You can run the scripts with the default set (-sC), or with the --script flag followed by a script name or category. Scripts in the "intrusive" and "exploit" categories can crash or alter the target, so check what a category contains before running it. You can learn more about script names and categories in Nmap's NSE documentation (https://nmap.org/nsedoc/).

Command                                         What It Does
nmap [target_ip] -sC                            Runs Nmap's default scripts (the "default" category).
nmap [target_ip] --script <name or category>    Runs a specific script by name, or every script in a category.
nmap [target_ip] -A                             Combines version detection (-sV), the default scripts (-sC), OS detection (-O, which needs root) and traceroute. Example command: nmap -A [target_ip]

Detecting Firewalls with the ACK-Scan

The ACK scan works by sending packets with only the ACK flag set to the target ports. A host that receives an unsolicited ACK responds with an RST whether the port is open or closed, so this scan cannot tell you which ports are open; it only tells you which ports a firewall lets through. A response with the RST flag marks the port as unfiltered, and no response (or an ICMP unreachable error) marks it as filtered. In simple terms, a response means unfiltered and no response means filtered. By running this scan, you can map the firewall's rules and learn which ports are blocked, and in particular whether the firewall is stateful: a stateless packet filter that allows "established" traffic by checking for the ACK flag lets these probes through, while a stateful firewall drops them because they belong to no connection it knows about. The ACK scan sends raw packets, so it needs root. You can run it with the -sA flag.

$ nmap [target_ip] -sA 
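To make the three response tables above concrete, the following simulation replays the connect scan, the SYN scan and the ACK scan against one toy target and records what the target's TCP stack, its application layer and a sniffer on the wire would each see. It is an added example written for this post, not Nmap's code; the port numbers, port states and addresses are constructed for the demonstration.

```python
"""Simulate how connect, SYN and ACK scans classify ports (added example, not Nmap)."""
from dataclasses import dataclass, field

# Constructed target: state of each probed port. Anything not listed is closed.
TARGET_PORTS = {22: "open", 25: "closed", 80: "open", 443: "filtered"}
SCANNER, TARGET = "10.10.14.5", "10.10.10.1"  # constructed addresses


@dataclass
class Segment:
    src: str
    dst: str
    port: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


@dataclass
class Target:
    ports: dict
    wire: list = field(default_factory=list)             # every segment that reached the host
    app_connections: list = field(default_factory=list)  # ports whose service saw a full handshake
    half_open: set = field(default_factory=set)          # ports that sent SYN-ACK and await the ACK

    def receive(self, seg: Segment):
        """Apply TCP's rules to one incoming segment; return the reply or None if dropped."""
        state = self.ports.get(seg.port, "closed")
        if state == "filtered":  # a firewall drops it silently; the host never sees it
            return None
        self.wire.append(seg)
        if seg.flags == {"SYN"}:
            if state == "open":
                self.half_open.add(seg.port)
                return Segment(TARGET, seg.src, seg.port, frozenset({"SYN", "ACK"}))
            return Segment(TARGET, seg.src, seg.port, frozenset({"RST", "ACK"}))
        if seg.flags == {"ACK"}:
            if seg.port in self.half_open:  # third step of the handshake: established
                self.half_open.discard(seg.port)
                self.app_connections.append(seg.port)
                return None
            # Unsolicited ACK: open or closed, a real host answers with RST.
            return Segment(TARGET, seg.src, seg.port, frozenset({"RST"}))
        if "RST" in seg.flags:  # scanner tears the connection down
            self.half_open.discard(seg.port)
        return None


def scan(target: Target, kind: str, ports) -> dict:
    """kind is 'connect', 'syn' or 'ack'. Returns {port: state} as Nmap would report it."""
    result = {}
    for port in ports:
        probe = frozenset({"ACK"}) if kind == "ack" else frozenset({"SYN"})
        reply = target.receive(Segment(SCANNER, TARGET, port, probe))
        if kind == "ack":
            # Any reply (an RST) means the probe got through the firewall.
            result[port] = "unfiltered" if reply is not None else "filtered"
        elif reply is None:
            result[port] = "filtered"
        elif "RST" in reply.flags:
            result[port] = "closed"
        else:  # SYN-ACK: the port is listening
            result[port] = "open"
            if kind == "connect":
                # The OS finishes the handshake, then Nmap closes the socket.
                target.receive(Segment(SCANNER, TARGET, port, frozenset({"ACK"})))
                target.receive(Segment(SCANNER, TARGET, port, frozenset({"RST", "ACK"})))
            else:
                # Half-open: reset before the handshake ever completes.
                target.receive(Segment(SCANNER, TARGET, port, frozenset({"RST"})))
    return result


def run_demo() -> dict:
    """Run all three scan types against fresh copies of the toy target."""
    out = {}
    for kind in ("connect", "syn", "ack"):
        t = Target(dict(TARGET_PORTS))
        out[kind] = {
            "states": scan(t, kind, sorted(TARGET_PORTS)),
            "app_saw": list(t.app_connections),
            "segments_on_wire": len(t.wire),
        }
    return out


if __name__ == "__main__":
    for kind, summary in run_demo().items():
        print(f"{kind:8s} {summary}")
```

The two things worth noticing in the output: the connect and SYN scans produce identical port states, but only the connect scan leaves entries in the target's application-level connection list (and sends more packets per open port), while the ACK scan reports every unfiltered port the same way regardless of whether it is open or closed.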

Firewall Evasion Using a DNS Source Port

A lot of poorly configured firewalls wave through any packet that comes from port 53, because DNS replies have to get in for most services to work. Since the filter only looks at the source port, sending our scan probes from port 53 (the DNS port) can slip them past such a rule. You can set the source port with the -g flag (an alias for --source-port). Two caveats: this works only with raw-packet scans such as -sS, since with a connect scan (-sT) the OS picks the source port, and version detection and NSE scripts also ignore it for the same reason; and it fools only a stateless packet filter. A stateful firewall knows the inside host never sent a query to us, so it drops the "reply" regardless of the port it claims to come from.

$ nmap [target_ip] -sS -g 53 
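The difference between the weak filter that -g 53 defeats and the stateful one that it does not is small enough to show in code. Below is an added example, not Nmap's code: two toy firewalls judge the same probes, a stateless filter with the classic "allow anything from port 53, allow anything with ACK set" rules, and a stateful filter that allows a reply only if it matches a flow the inside host opened. The addresses, the published port and the rule sets are constructed for the demonstration; the ACK-scan probe is included because the same stateless rule is what the ACK scan above relies on.

```python
"""Stateless vs. stateful filtering of Nmap's source-port and ACK probes (added example)."""
from dataclasses import dataclass

INSIDE = "10.10.10.1"          # constructed: host behind the firewall, web server on 80
SCANNER = "203.0.113.7"        # constructed: our external address
RESOLVER = "198.51.100.53"     # constructed: the DNS server INSIDE actually talks to
PUBLISHED_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags; empty for UDP


class StatelessFilter:
    """Rules are evaluated per packet; nothing is remembered between packets."""

    def allows(self, pkt: Packet) -> bool:
        if pkt.sport == 53:                 # "DNS replies must get in"
            return True
        if "ACK" in pkt.flags:              # old-style 'established' ACL: ACK set == existing session
            return True
        return pkt.dport == PUBLISHED_PORT and pkt.flags == {"SYN"}


class StatefulFilter:
    """Allows inbound traffic only for flows the inside host initiated, plus the published port."""

    def __init__(self):
        self.flows: set = set()  # (inside_addr, inside_port, remote_addr, remote_port)

    def note_outbound(self, pkt: Packet) -> None:
        """Record a flow opened from inside so its replies are recognised."""
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        return pkt.dport == PUBLISHED_PORT and pkt.flags == {"SYN"}


def run_demo() -> dict:
    """Return {probe name: (stateless verdict, stateful verdict)}."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    # The inside host sends a real DNS query; only the stateful filter remembers it.
    stateful.note_outbound(Packet(INSIDE, 41321, RESOLVER, 53, frozenset()))
    probes = {
        "legitimate dns reply": Packet(RESOLVER, 53, INSIDE, 41321, frozenset()),
        "syn scan, default source port": Packet(SCANNER, 52000, INSIDE, 22, frozenset({"SYN"})),
        "syn scan with -g 53": Packet(SCANNER, 53, INSIDE, 22, frozenset({"SYN"})),
        "ack scan (-sA)": Packet(SCANNER, 52000, INSIDE, 22, frozenset({"ACK"})),
        "syn to published web port": Packet(SCANNER, 52000, INSIDE, 80, frozenset({"SYN"})),
    }
    return {name: (stateless.allows(p), stateful.allows(p)) for name, p in probes.items()}


if __name__ == "__main__":
    for name, (weak, strong) in run_demo().items():
        print(f"{name:32s} stateless={'pass' if weak else 'drop'}  stateful={'pass' if strong else 'drop'}")
```

Against the stateless filter the -g 53 probe and the bare ACK probe both pass, which is exactly why those tricks are in Nmap; against the stateful filter only the real DNS reply and the published port get through. If an ACK scan of a target reports every port as unfiltered, the filter in front of it is most likely of the first kind.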

Firewall Evasion IP Spoofing

Sometimes certain subnets don't have access to resources on another subnet or other parts of the network. With Nmap we can forge our source IP address so the probes appear to come from another subnet, letting us test whether a firewall rule is based on source address alone. We can use the -S flag to spoof our IP. The catch is that the replies go to the spoofed address, not to us, so the scan output will not show results unless we can sniff those replies on the path; Nmap also can't determine the outgoing interface for a forged address, so -S is normally combined with -e to name the interface and with -Pn, since host discovery would otherwise fail for the same reason.

$ nmap [target_ip] -sS -Pn -e [interface] -S [ip_on_another_subnet]

Firewall Evasion Using Decoys

You can use decoys when running an Nmap scan, making it harder for the target or its firewall to determine where the scan is really coming from: the probes appear to originate from several addresses at once, only one of which is yours. The flag is -D. With -D RND:<number> Nmap generates that many random decoy addresses (there is no fixed limit of five, though many decoys slow the scan down); you can also list decoys explicitly, using ME to choose where your own address sits in the order, for example -D 10.10.10.50,10.10.10.51,ME,10.10.10.52. Decoys only apply to raw-packet scans such as -sS, not to the connect scan or to version detection, which use your real address. Pick decoy hosts that are actually up, or the target may simply see a SYN flood, and be aware that some ISPs drop packets with forged source addresses.

$ nmap [target_ip] -sS -D RND:5 

Things I Didn’t Cover

There are a few things I didn't get into, such as performance tuning and UDP scanning, which are fairly easy to understand. Nmap is an amazing tool that can be used for many different purposes, but in the world of cyber security it is especially valuable, because information is everything.
