# Network Port Scanning with Nmap

## Table of Contents

- [Introduction](#introduction)
- [Installation](#installation)
- [Basic Concepts](#basic-concepts)
- [Command Structure](#command-structure)
- [Scan Types](#scan-types)
- [Target Specification](#target-specification)
- [Port Specification](#port-specification)
- [Timing and Performance](#timing-and-performance)
- [Output Formats](#output-formats)
- [Advanced Features](#advanced-features)
- [Practical Examples](#practical-examples)
- [Security Considerations](#security-considerations)
- [Troubleshooting](#troubleshooting)

## Introduction
Nmap (Network Mapper) is a powerful open-source network discovery and security auditing tool. Originally written by Gordon Lyon, Nmap has become the de facto standard for network reconnaissance and port scanning. It is designed to rapidly scan large networks, although it works fine against single hosts.
Nmap uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
### Key Features

| Feature | Description |
|---------|-------------|
| Host Discovery | Identify live hosts on networks |
| Port Scanning | Determine open ports and services |
| Service Detection | Identify service versions |
| OS Detection | Fingerprint operating systems |
| Scriptable Interaction | NSE (Nmap Scripting Engine) |
| Output Flexibility | Multiple output formats |
| IPv6 Support | Full IPv6 scanning capabilities |
| Performance | Highly optimized scanning engine |
## Installation

### Linux (Ubuntu/Debian)

```bash
sudo apt update
sudo apt install nmap
```

### Linux (CentOS/RHEL/Fedora)

```bash
# CentOS/RHEL
sudo yum install nmap

# Fedora
sudo dnf install nmap
```

### macOS

```bash
# Using Homebrew
brew install nmap

# Using MacPorts
sudo port install nmap
```

### Windows

Download the installer from the official Nmap website (https://nmap.org/download.html) and follow the installation wizard.

### Verification

```bash
nmap --version
```

## Basic Concepts
### Port States

Nmap categorizes ports into six states:

| State | Description |
|-------|-------------|
| Open | An application is actively accepting connections |
| Closed | Port is accessible but no application is listening |
| Filtered | Cannot determine whether the port is open because packet filtering blocks the probes |
| Unfiltered | Port is accessible but cannot determine if it is open or closed |
| Open/Filtered | Cannot determine if the port is open or filtered |
| Closed/Filtered | Cannot determine if the port is closed or filtered |
### Protocol Types

| Protocol | Description | Common Ports |
|----------|-------------|--------------|
| TCP | Transmission Control Protocol | 80 (HTTP), 443 (HTTPS), 22 (SSH) |
| UDP | User Datagram Protocol | 53 (DNS), 67/68 (DHCP), 161 (SNMP) |
| SCTP | Stream Control Transmission Protocol | 2905, 3863, 4739 |
## Command Structure

The basic Nmap command structure follows this pattern:

```bash
nmap [Scan Type] [Options] [Target Specification]
```

### Essential Components

| Component | Purpose | Example |
|-----------|---------|---------|
| Scan Type | Defines how the scan is performed | -sS, -sT, -sU |
| Options | Modify scan behavior | -p, -O, -A |
| Target | Specifies what to scan | 192.168.1.1, google.com |
## Scan Types

### TCP Scans

#### SYN Scan (-sS)

The default and most popular scan type, also known as "half-open" scanning.

```bash
nmap -sS target
```

Notes:

- Sends a SYN packet and waits for the response
- Does not complete the TCP handshake
- Stealthy and fast
- Requires root privileges on Unix systems

#### TCP Connect Scan (-sT)

Uses the system's connect() call to establish connections.

```bash
nmap -sT target
```

Notes:

- Completes the full TCP handshake
- Does not require root privileges
- More likely to be logged by target systems
- Slower than SYN scan
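The "more likely to be logged" note has a defender's side: a SYN or connect scan leaves a burst of SYN packets to many different ports from one source, which is easy to spot in firewall logs. The following Python script is an added example, not part of the original guide. It reads constructed log lines in the key=value style of an iptables/nftables LOG rule (the sample hosts, ports and timestamps are made up), groups them by source and destination, and flags any pair where the source touched at least a threshold number of distinct ports within a sliding time window. The window and threshold values are assumptions; the third sample source spaces its probes 30 seconds apart, which is why a small window misses it and a wider one catches it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: key=value tokens in the style of an iptables/nftables LOG
# rule applied to inbound SYN packets. Nothing here was captured from a real
# network; addresses, ports and timestamps are made up for the example.
SAMPLE_LOG = """\
2024-01-15T10:00:00 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43211 DPT=21 SYN
2024-01-15T10:00:00 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43212 DPT=22 SYN
2024-01-15T10:00:00 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43213 DPT=23 SYN
2024-01-15T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43214 DPT=25 SYN
2024-01-15T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43215 DPT=53 SYN
2024-01-15T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43216 DPT=80 SYN
2024-01-15T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43217 DPT=110 SYN
2024-01-15T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43218 DPT=143 SYN
2024-01-15T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43219 DPT=443 SYN
2024-01-15T10:00:03 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43220 DPT=445 SYN
2024-01-15T10:00:03 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43221 DPT=3306 SYN
2024-01-15T10:00:03 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=43222 DPT=8080 SYN
2024-01-15T10:00:05 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=22 SYN
2024-01-15T10:00:09 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=51001 DPT=443 SYN
2024-01-15T10:01:00 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=60000 DPT=21 SYN
2024-01-15T10:01:30 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=60001 DPT=22 SYN
2024-01-15T10:02:00 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=60002 DPT=23 SYN
2024-01-15T10:02:30 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=60003 DPT=25 SYN
2024-01-15T10:03:00 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=60004 DPT=80 SYN
"""

# Only the fields the detector needs; everything after DPT is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dst_port) for a TCP log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, window_seconds=60, port_threshold=10):
    """Flag (src, dst) pairs where src probed at least port_threshold distinct
    ports on dst inside any span of window_seconds. Returns a dict mapping each
    flagged pair to the sorted list of every port that source touched."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dst_port), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))

    flagged = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits in the window.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= port_threshold:
                flagged[pair] = sorted({p for _, p in evs})
                break
    return flagged


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"probable port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

With the defaults only 10.0.0.5 is reported; the two-connection client 10.0.0.7 never is, and the slow 10.0.0.9 only shows up when the window is widened to 120 seconds and the threshold lowered to 5, which is the trade-off a detection rule for slow scans has to make against false positives.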
#### ACK Scan (-sA)

Used to map firewall rulesets and determine whether ports are filtered.

```bash
nmap -sA target
```

Notes:

- Sends ACK packets to ports
- Cannot determine whether ports are open
- Useful for firewall analysis
- Helps distinguish filtered from unfiltered ports

### UDP Scan (-sU)

Scans UDP ports, which are connectionless.

```bash
nmap -sU target
```

Notes:

- Much slower than TCP scans
- Many UDP services don't respond to empty packets
- Requires root privileges
- Often combined with TCP scans

### Specialized Scans

| Scan Type | Command | Purpose |
|-----------|---------|---------|
| NULL Scan | -sN | Sends packets with no flags set |
| FIN Scan | -sF | Sends packets with the FIN flag |
| Xmas Scan | -sX | Sends packets with FIN, PSH, and URG flags |
| Window Scan | -sW | Examines the TCP window field |
| Maimon Scan | -sM | Sends FIN/ACK packets |
## Target Specification

### Single Targets

```bash
# IP address
nmap 192.168.1.100

# Hostname
nmap example.com

# IPv6 address
nmap 2001:db8::1
```

### Multiple Targets

```bash
# Multiple IPs
nmap 192.168.1.1 192.168.1.5 192.168.1.10

# IP range with dash
nmap 192.168.1.1-20

# CIDR notation
nmap 192.168.1.0/24

# Wildcard (quote it in shells that would expand the '*' as a glob)
nmap 192.168.1.*
```

### Target Lists

```bash
# From file
nmap -iL targets.txt

# Exclude targets
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.5

# Exclude from file
nmap 192.168.1.0/24 --excludefile exclude.txt
```

### Advanced Target Specification

| Method | Syntax | Example |
|--------|--------|---------|
| Octet ranges | 192.168.1-3.1-50 | Scans multiple subnets |
| Random targets | -iR [num] | nmap -iR 100 |
| IPv6 targets | [IPv6] | nmap 2001:db8::/32 |
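It is worth knowing how many addresses a target expression actually covers before a scan starts, both for planning its duration and for staying inside an authorized scope. The Python below is an added example (not code from the Nmap project) that expands the target syntaxes shown above: single addresses, CIDR, per-octet ranges, octet lists and wildcards, plus the `--exclude` semantics of dropping whatever a second set of expressions matches. Hostnames are passed through untouched, and anything that would expand past a configurable cap raises instead of allocating, which is how `2001:db8::/32` is handled. The cap, the function names and the treatment of a comma-separated octet list as a per-octet list are this example's own assumptions.

```python
import ipaddress


def _expand_octet(field):
    """Expand one IPv4 octet field: '5', '1-20', '3-5,7', or '*' for 0-255."""
    values = []
    for piece in field.split(","):
        if piece == "*":
            values.extend(range(256))
        elif "-" in piece:
            lo, hi = (int(x) for x in piece.split("-", 1))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range {piece!r}")
            values.extend(range(lo, hi + 1))
        else:
            value = int(piece)
            if not 0 <= value <= 255:
                raise ValueError(f"bad octet {piece!r}")
            values.append(value)
    return values


def expand_target(spec, max_hosts=65536):
    """Expand one Nmap target expression into a list of address strings.

    Handles a single IPv4/IPv6 address, CIDR for both families, and the
    IPv4-only per-octet ranges, lists and wildcards ('192.168.1-3.1-50',
    '10.0.3-5,7.1', '192.168.1.*'). Anything else is treated as a hostname
    and returned unchanged for DNS to resolve. Raises ValueError when the
    expansion would exceed max_hosts (an assumed cap for this example), so a
    /32 IPv6 prefix fails loudly instead of being iterated.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)  # host bits ignored, as Nmap does
        if net.num_addresses > max_hosts:
            raise ValueError(f"{spec} expands to {net.num_addresses} addresses")
        return [str(a) for a in net]  # network and broadcast included, as Nmap does
    fields = spec.split(".")
    if len(fields) == 4 and all(f and set(f) <= set("0123456789-,*") for f in fields):
        octets = [_expand_octet(f) for f in fields]
        total = len(octets[0]) * len(octets[1]) * len(octets[2]) * len(octets[3])
        if total > max_hosts:
            raise ValueError(f"{spec} expands to {total} addresses")
        return [f"{a}.{b}.{c}.{d}"
                for a in octets[0] for b in octets[1] for c in octets[2] for d in octets[3]]
    try:
        return [str(ipaddress.ip_address(spec))]  # bare IPv6 address such as 2001:db8::1
    except ValueError:
        return [spec]  # hostname, e.g. example.com


def expand_targets(specs, exclude=()):
    """Expand several expressions with --exclude / --excludefile semantics:
    every address produced by an exclude expression is dropped, and duplicates
    are removed while keeping first-seen order."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen, result = set(), []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


if __name__ == "__main__":
    for spec in ("192.168.1.0/24", "192.168.1-3.1-50", "10.0.3-5,7.1", "example.com"):
        print(f"{spec}: {len(expand_target(spec))} target(s)")
```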
## Port Specification

### Default Behavior

Nmap scans the 1000 most common ports by default.

### Custom Port Ranges

```bash
# Single port
nmap -p 80 target

# Multiple ports
nmap -p 80,443,22 target

# Port range
nmap -p 1-1000 target

# All ports
nmap -p- target

# Named ports (looked up in Nmap's nmap-services file)
nmap -p http,https,ssh target
```

### Protocol-Specific Ports

```bash
# TCP ports only
nmap -p T:80,443 target

# UDP ports only (needs -sU, otherwise the U: ports are not scanned)
nmap -sU -p U:53,67 target

# Mixed protocols (TCP SYN scan plus UDP scan)
nmap -sS -sU -p T:80,443,U:53,67 target
```

### Common Port Categories

| Category | Ports | Services |
|----------|-------|----------|
| System Ports | 1-1023 | Well-known services |
| User Ports | 1024-49151 | Registered services |
| Dynamic Ports | 49152-65535 | Ephemeral ports |
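The `-p` syntax above is compact enough that it is easy to misread what a spec covers (open-ended ranges, `-p-`, and the T:/U:/S: prefix applying to everything after it). The Python below is an added example, not part of the original guide or of Nmap, that parses a `-p` argument into per-protocol port sets and renders a set back into the same compact syntax, so a scan's requested coverage can be logged or compared unambiguously. The small `SERVICE_NAMES` table is a constructed stand-in for Nmap's bundled nmap-services file, and `default_proto` is this example's way of expressing that Nmap assigns unprefixed ports according to the scan types chosen.

```python
# Constructed stand-in for Nmap's nmap-services file so that named ports
# resolve offline in this example; Nmap itself reads the real file.
SERVICE_NAMES = {
    "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80,
    "snmp": 161, "https": 443,
}

MAX_PORT = 65535


def parse_port_spec(spec, default_proto="T"):
    """Parse an Nmap -p argument into {"T": set, "U": set, "S": set}.

    Accepts single ports, comma lists, ranges ('1-1000'), '-' for all ports,
    open-ended ranges ('-100' starts at 1, '60000-' ends at 65535), service
    names, and the T:/U:/S: prefixes that select TCP, UDP or SCTP for every
    following item until the next prefix ('T:80,443,U:53,67'). default_proto
    says where unprefixed ports go (pass "U" to mirror a -sU-only scan).
    """
    ports = {"T": set(), "U": set(), "S": set()}
    proto = default_proto.upper()
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in ports:
            proto, item = item[0].upper(), item[2:]
        if not item:
            continue  # a bare 'T:' only switches protocol
        if item in SERVICE_NAMES:
            ports[proto].add(SERVICE_NAMES[item])
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1          # '-p-' and '-100' start at port 1
            hi = int(hi_s) if hi_s else MAX_PORT   # '60000-' runs to 65535
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"invalid port range {item!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def compact(ports):
    """Render parsed ports back into Nmap's compact syntax, merging consecutive
    ports into ranges, e.g. {22, 80, 81, 82, 443} -> 'T:22,80-82,443'."""
    out = []
    for proto in ("T", "U", "S"):
        values = sorted(ports[proto])
        if not values:
            continue
        runs, start, prev = [], values[0], values[0]
        for v in values[1:] + [None]:  # sentinel flushes the final run
            if v is not None and v == prev + 1:
                prev = v
                continue
            runs.append(f"{start}-{prev}" if start != prev else str(start))
            if v is not None:
                start = prev = v
        out.append(f"{proto}:" + ",".join(runs))
    return ",".join(out)


if __name__ == "__main__":
    for spec in ("80,443,22", "-", "T:80,443,U:53,67", "http,https,ssh", "-100,60000-"):
        parsed = parse_port_spec(spec)
        print(f"-p {spec!r:22} -> {sum(len(s) for s in parsed.values()):6} ports  {compact(parsed)}")
```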
## Timing and Performance

### Timing Templates

Nmap provides timing templates to balance speed and stealth:

| Template | Speed | Stealth | Command |
|----------|-------|---------|---------|
| T0 (Paranoid) | Very Slow | Maximum | -T0 |
| T1 (Sneaky) | Slow | High | -T1 |
| T2 (Polite) | Slow | Medium | -T2 |
| T3 (Normal) | Normal | Normal | -T3 |
| T4 (Aggressive) | Fast | Low | -T4 |
| T5 (Insane) | Very Fast | Minimum | -T5 |

### Custom Timing Options

```bash
# Minimum delay between probes
nmap --scan-delay 1s target

# Maximum delay between probes
nmap --max-scan-delay 10s target

# Minimum packet rate (packets per second)
nmap --min-rate 100 target

# Maximum packet rate (packets per second)
nmap --max-rate 1000 target
```

### Parallelism Control

| Option | Description | Example |
|--------|-------------|---------|
| --min-hostgroup | Minimum number of hosts scanned in parallel | --min-hostgroup 10 |
| --max-hostgroup | Maximum number of hosts scanned in parallel | --max-hostgroup 100 |
| --min-parallelism | Minimum number of probes outstanding at once | --min-parallelism 10 |
| --max-parallelism | Maximum number of probes outstanding at once | --max-parallelism 100 |
## Output Formats

### Standard Output Formats

| Format | Extension | Command | Description |
|--------|-----------|---------|-------------|
| Normal | .nmap | -oN | Human-readable format |
| XML | .xml | -oX | Machine-parseable format |
| Grepable | .gnmap | -oG | Grep-friendly format |
| All formats | - | -oA | Saves in all three formats |

### Output Examples

```bash
# Normal output
nmap -oN scan_results.nmap target

# XML output
nmap -oX scan_results.xml target

# Grepable output
nmap -oG scan_results.gnmap target

# All formats with basename
nmap -oA scan_results target
```

### Verbosity Control

```bash
# Increase verbosity
nmap -v target
nmap -vv target

# Debugging information
nmap -d target
nmap -dd target

# Reduce output: list only open (or possibly open) ports
nmap --open target
```

## Advanced Features
### Service Version Detection

```bash
# Basic version detection
nmap -sV target

# Intensity levels (0-9; higher sends more probes and takes longer)
nmap -sV --version-intensity 5 target

# Version detection on all ports
nmap -sV -p- target
```

### Operating System Detection

```bash
# OS detection
nmap -O target

# Guess the OS more aggressively when there is no exact fingerprint match
nmap -O --osscan-guess target

# OS detection without host discovery (treat the host as up)
nmap -O -Pn target
```

### Script Scanning (NSE)

The Nmap Scripting Engine allows for advanced reconnaissance and vulnerability detection.

#### Script Categories

| Category | Purpose | Example Scripts |
|----------|---------|-----------------|
| auth | Authentication credentials and bypass | auth-owners, auth-spoof |
| broadcast | Network broadcast discovery | broadcast-dhcp-discover |
| brute | Brute-force credential guessing | ssh-brute, ftp-brute |
| default | Default safe scripts (run by -sC) | http-title, ssl-cert |
| discovery | Network discovery | dns-zone-transfer |
| dos | Denial of service | http-slowloris |
| exploit | Exploit vulnerabilities | http-shellshock |
| external | Query external resources | whois-ip, ip-geolocation-geoplugin |
| fuzzer | Fuzzing | http-form-fuzzer |
| intrusive | Intrusive scripts | http-enum |
| malware | Malware detection | http-malware-host |
| safe | Safe scripts | banner, http-title |
| version | Version detection | ssh-hostkey, ssl-cert |
| vuln | Vulnerability detection | ssl-heartbleed, smb-vuln-ms17-010 |

#### Script Usage Examples

```bash
# Run default scripts
nmap -sC target

# Run a specific script
nmap --script http-title target

# Run a script category
nmap --script vuln target

# Multiple scripts (boolean expression over names and categories)
nmap --script "http-* and safe" target

# Script with arguments
nmap --script http-form-brute --script-args userdb=users.txt,passdb=passwords.txt target
```

### Aggressive Scanning

```bash
# Aggressive scan (combines -O -sV -sC --traceroute)
nmap -A target

# Custom aggressive combination
nmap -sS -sV -O -sC -p- target
```

## Practical Examples
### Basic Network Discovery

```bash
# Discover live hosts on the network (ping scan, no port scan)
nmap -sn 192.168.1.0/24

# Quick scan of the 100 most common ports
nmap -F target

# Scan specific service ports
nmap -p 80,443,22,21,25,53,110,995,993,143 target
```

### Web Server Analysis

```bash
# Comprehensive web server scan
nmap -p 80,443,8080,8443 -sV -sC target

# HTTP-specific scripts
nmap -p 80,443 --script http-enum,http-headers,http-methods,http-robots.txt target

# SSL/TLS analysis
nmap -p 443 --script ssl-enum-ciphers,ssl-cert,ssl-date target
```

### Database Server Scanning

```bash
# Common database ports
nmap -p 1433,3306,5432,1521,27017 -sV target

# Database-specific scripts
nmap -p 3306 --script mysql-info,mysql-enum target
nmap -p 1433 --script ms-sql-info,ms-sql-enum target
nmap -p 5432 --script pgsql-brute target
```

### Mail Server Analysis

```bash
# Mail server ports
nmap -p 25,110,143,465,587,993,995 -sV target

# SMTP enumeration
nmap -p 25 --script smtp-enum-users,smtp-commands target

# Mail server vulnerabilities
nmap -p 25,110,143 --script smtp-vuln-cve2010-4344,pop3-capabilities target
```

### Comprehensive Security Audit

```bash
# Full security scan
nmap -sS -sV -O -sC -p- -T4 -oA full_scan target

# Vulnerability assessment
nmap -sV --script vuln target

# Network service discovery
nmap -sS -sV -p 1-65535 -T4 -A -v target
```

## Security Considerations
### Legal and Ethical Guidelines

| Consideration | Description |
|---------------|-------------|
| Authorization | Only scan networks you own or have explicit permission to test |
| Scope | Stay within the defined scope of authorized testing |
| Impact | Consider the potential impact on target systems |
| Documentation | Maintain detailed logs of all scanning activities |
| Disclosure | Follow responsible disclosure practices for vulnerabilities |

### Stealth Techniques

```bash
# Slow scan to avoid detection
nmap -sS -T1 --scan-delay 5s target

# Fragment packets
nmap -f target

# Use decoys
nmap -D decoy1,decoy2,ME target

# Spoof source port
nmap --source-port 53 target

# Random host order
nmap --randomize-hosts target1 target2 target3
```

### Firewall Evasion

| Technique | Command | Description |
|-----------|---------|-------------|
| Fragment packets | -f | Split packets into fragments |
| MTU specification | --mtu 16 | Specify a custom MTU |
| Decoy scanning | -D RND:10 | Use random decoys |
| Idle zombie scan | -sI zombie_host | Use an intermediate host |
| Source port | --source-port 53 | Spoof the source port |
| Data length | --data-length 25 | Add random data to packets |
## Troubleshooting

### Common Issues and Solutions

| Issue | Cause | Solution |
|-------|-------|----------|
| Permission denied | Insufficient privileges | Run with sudo/administrator rights |
| No response | Firewall blocking | Try different scan types or ports |
| Slow scans | Conservative timing | Use a faster timing template (-T4) |
| Incomplete results | Rate limiting | Adjust timing and parallelism |
| DNS resolution errors | DNS issues | Use IP addresses or --dns-servers |

### Debugging Commands

```bash
# Enable debugging
nmap -d target

# Packet trace
nmap --packet-trace target

# Show the reason each port was assigned its state
nmap --reason target

# Interface and route information
nmap --iflist
```

### Performance Optimization

```bash
# Skip host discovery
nmap -Pn target

# Skip DNS resolution
nmap -n target

# Optimize for speed
nmap -T5 --min-rate 1000 --max-retries 1 target

# Parallel host scanning
nmap --min-hostgroup 50 --max-hostgroup 100 target
```

### Network-Specific Considerations

| Network Type | Considerations | Recommended Approach |
|--------------|----------------|----------------------|
| Internal LAN | Less restrictive firewalls | Standard TCP SYN scans |
| DMZ | Moderate filtering | Multiple scan types |
| Internet | Heavy filtering | Stealth techniques |
| Wireless | Variable connectivity | Conservative timing |
| VPN | Encrypted tunnels | Standard scans with authentication |

### Output Analysis Tips

```bash
# Extract lines mentioning open ports from grepable output
grep "open" scan_results.gnmap

# Find hosts with a specific open port
grep "80/open" scan_results.gnmap

# Parse XML output with xmlstarlet: addresses of hosts where port 80 is open
# (the address element is a sibling of <ports>, so go up two levels from <port>)
xmlstarlet sel -t -m "//port[@portid='80'][state/@state='open']" \
  -v "../../address[@addrtype='ipv4']/@addr" -n scan_results.xml
```
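Grepping the `.gnmap` file works for quick checks, but anything that feeds a ticketing system or a diff against last week's scan should parse the output properly. The Python below is an added example, not code from Nmap, that extracts open ports from both the XML (`-oX`) and grepable (`-oG`) formats described in the Output Formats section and returns the same structure from each, which makes the two files easy to cross-check. The two samples are constructed to follow the real layouts (host, address and port/state/service elements in XML; tab-separated `Host:` and `Ports:` fields with `port/state/proto/owner/service/rpcinfo/version/` entries in grepable output), but the hosts and banners in them are made up, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed -oX output following Nmap's XML layout (nmaprun > host >
# address / ports > port > state, service). Hosts and banners are made up.
XML_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan_results.xml 10.0.0.20-21">
<host><status state="up" reason="syn-ack"/>
<address addr="10.0.0.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
</ports></host>
<host><status state="up" reason="syn-ack"/>
<address addr="10.0.0.21" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.57"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
</ports></host>
</nmaprun>
"""

# The same constructed scan as -oG output. Fields are tab-separated and each
# port entry is port/state/protocol/owner/service/rpcinfo/version/.
GNMAP_SAMPLE = """\
# Nmap 7.94 scan initiated Mon Jan 15 10:00:00 2024 as: nmap -sV -oG scan_results.gnmap 10.0.0.20-21
Host: 10.0.0.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.21 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.57/, 53/open|filtered/udp//domain///\tIgnored State: filtered (998)
# Nmap done at Mon Jan 15 10:00:12 2024 -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""


def open_ports_from_xml(xml_text, states=("open",)):
    """Return {address: [(port, proto, service, version), ...]} for ports whose
    state is in `states`. Pass states=("open", "open|filtered") to keep the
    UDP ports that -sU could not resolve."""
    result = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")  # IPv6-only host
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") not in states:
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            result[addr.get("addr")].append(
                (int(port.get("portid")), port.get("protocol"), name, version))
    return dict(result)


def open_ports_from_gnmap(text, states=("open",)):
    """Same result shape as open_ports_from_xml, parsed from -oG output."""
    result = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # 'Status: Up' lines from -sn carry no port list
        addr = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state in states:
                result[addr].append((int(port), proto, service, version))
    return dict(result)


def hosts_with_open_port(result, port, proto="tcp"):
    """Addresses where port/proto is open: the same question the xmlstarlet
    query in the tips above answers."""
    return sorted(addr for addr, entries in result.items()
                  if any(p == port and pr == proto for p, pr, _, _ in entries))


if __name__ == "__main__":
    from_xml = open_ports_from_xml(XML_SAMPLE)
    print("XML and grepable agree:", from_xml == open_ports_from_gnmap(GNMAP_SAMPLE))
    print("hosts with 80/tcp open:", hosts_with_open_port(from_xml, 80))
```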
## Conclusion

Nmap is an incredibly versatile and powerful tool for network discovery and security auditing. Its extensive feature set allows for everything from simple port scans to comprehensive security assessments. Understanding the various scan types, timing options, and advanced features enables security professionals to conduct thorough network reconnaissance while maintaining appropriate stealth and performance characteristics.
The key to effective Nmap usage lies in understanding the target environment, selecting appropriate scan techniques, and interpreting results correctly. Always ensure you have proper authorization before scanning networks, and consider the potential impact of your scanning activities on target systems.
Regular practice with different scan types and options will help develop proficiency with this essential security tool. The Nmap Scripting Engine provides additional capabilities for specialized testing scenarios, making Nmap suitable for both basic network discovery and advanced penetration testing engagements.