Nmap Scanning Techniques for Penetration Testers
Nmap (Network Mapper) is an indispensable open-source tool for network discovery and security auditing. As a penetration tester, mastering Nmap's scanning techniques is crucial for identifying live hosts, open ports, running services, operating systems, and potential vulnerabilities on a target network.
Core Nmap Scan Types
Nmap offers a variety of scan types, each with its own advantages and stealth capabilities. Understanding these allows you to tailor your approach based on the target environment and your objectives.
TCP SYN Scan (-sS) is the default and most popular scan type.
This scan is fast and relatively stealthy because it doesn't complete the full TCP handshake. It sends a SYN packet and waits for a SYN/ACK (port open) or RST (port closed).
The TCP SYN scan, also known as a 'half-open' scan, is the default scan type when run with root or administrator privileges. It works by sending a TCP SYN packet to a target port. If a SYN/ACK packet is received, the port is considered open, and Nmap sends an RST packet to tear down the connection before it's fully established. If an RST packet is received, the port is closed. If no response is received (or an ICMP unreachable error comes back), the port is considered filtered. Because the handshake is never completed, the scan is fast and less likely to be logged by the listening application than a full TCP connect scan.
TCP Connect Scan (-sT) is reliable but noisier.
This scan completes the full TCP handshake, making it easier to detect by firewalls and intrusion detection systems.
The TCP Connect scan is used when the user lacks the necessary privileges to craft raw packets (i.e., not running as root or administrator). It utilizes the operating system's connect() system call to establish a full TCP connection with the target port. If the connection is successful, the port is open. If it fails, the port is closed or filtered. While reliable, this method is noisier and more easily detected by network monitoring tools.
UDP Scan (-sU) is essential for discovering UDP services.
UDP is connectionless, making UDP scans slower and less reliable than TCP scans. Nmap sends UDP packets and looks for ICMP 'port unreachable' messages.
UDP is connectionless, so there is no handshake as in TCP. Nmap's UDP scan sends UDP packets to target ports. If an ICMP 'port unreachable' message is received, the port is closed; other ICMP unreachable errors mark it as filtered. If a UDP response is received, the port is open. If no response is received, the port is considered open|filtered. Because of this, UDP scans can be slow and may require retransmissions.
Advanced Scanning Techniques
Beyond basic port scanning, Nmap offers sophisticated techniques for deeper network reconnaissance.
Version Detection (-sV) identifies service versions and application names.
This technique probes open ports to determine the specific software and version running, aiding in vulnerability identification.
Version detection (-sV) is a powerful feature that goes beyond simply identifying open ports. Nmap sends a series of probes to open ports and analyzes the responses to determine the application name, version number, and sometimes even the operating system and device type. This information is invaluable for identifying known vulnerabilities associated with specific software versions.
OS Detection (-O) fingerprints the target operating system.
Nmap analyzes TCP/IP stack characteristics to guess the target's OS, which can reveal potential OS-specific exploits.
OS detection (-O) attempts to identify the operating system of the target host. Nmap sends a variety of TCP, UDP, and ICMP probes and analyzes the responses, looking for subtle differences in how operating systems implement the TCP/IP stack. This fingerprinting technique can often identify the OS (and sometimes its version) with good accuracy, which is crucial for tailoring exploits.
Aggressive Scan (-A) combines multiple advanced features.
This option enables OS detection, version detection, script scanning, and traceroute for a comprehensive scan.
The -A option is a convenient shortcut that enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). It provides a very comprehensive overview of the target but is also the noisiest and most easily detectable scan type.
Nmap's scan types can be visualized as different ways of interacting with a target's network ports. Imagine a port as a door. A SYN scan is like knocking on the door and listening for a response without opening it fully. A Connect scan is like fully opening the door, entering, and then immediately leaving. A UDP scan is like sending a postcard and waiting for a reply, but without a guaranteed delivery or response mechanism.
Stealth and Evasion Techniques
For penetration testers, remaining undetected is often as important as gathering information. Nmap offers options to minimize its footprint.
FIN Scan (-sF), Xmas Scan (-sX), and Null Scan (-sN) exploit TCP flag behavior.
These scans send packets with unusual TCP flag combinations to elicit responses from closed ports, potentially bypassing stateless firewalls.
FIN, Xmas, and Null scans are stealthier alternatives to SYN scans. They send TCP packets with specific flag combinations (FIN only, FIN+PSH+URG, or no flags, respectively). According to RFC 793, a closed port should respond with an RST packet, while an open port should ignore these packets. If an RST is received, the port is closed; if no response is received, the port is considered open|filtered. These scans are particularly effective against older or misconfigured stateless firewalls. Note that many systems, Windows included, do not follow the RFC here and reply with an RST regardless of port state, so against them every port appears closed.
Idle Scan (-sI) uses a zombie host to mask the source IP.
This advanced technique bounces probes off an idle host with a predictable IP ID sequence, so the scan appears to originate from the zombie rather than from the tester.
The Idle Scan (-sI) is a highly stealthy technique that uses a 'zombie' host: an idle machine whose IP ID (fragment identification) field increments predictably with every packet it sends. Nmap first records the zombie's current IP ID, then sends a SYN probe to the target port with the source address spoofed as the zombie. An open port answers the zombie with a SYN/ACK, which the zombie rejects with an RST (incrementing its IP ID); a closed port answers with an RST, which the zombie ignores. Nmap then probes the zombie again: an IP ID that has advanced by two indicates the target port is open, an advance of one indicates closed or filtered. The target never sees a packet from Nmap's own IP address.
Remember: Stealth scans are not foolproof and can be detected by sophisticated Intrusion Detection Systems (IDS) or firewalls that perform stateful packet inspection.
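The flag patterns described above (half-open SYN sweeps in the first section, and the FIN, Xmas and Null probes here) are exactly what a network sensor looks for. The following is an added example, not code from the original page: a small Python detector over constructed connection records that classifies each TCP probe by its flag set and alerts when one source probes many distinct ports of one host within a short window. The record layout, addresses and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample records (timestamp, src, dst, dst_port, flags); flags use
# tcpdump letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
SAMPLE_RECORDS = [
    (0.0, "10.0.0.5", "10.0.0.20", 22, "S"),     # ordinary connection: SYN ...
    (0.1, "10.0.0.5", "10.0.0.20", 22, "A"),     # ... followed by ACK
    (5.0, "10.0.0.9", "10.0.0.20", 21, "S"),     # half-open (-sS) sweep: SYNs only,
    (5.1, "10.0.0.9", "10.0.0.20", 22, "S"),     # many ports, no handshake completion
    (5.2, "10.0.0.9", "10.0.0.20", 25, "S"),
    (5.3, "10.0.0.9", "10.0.0.20", 80, "S"),
    (5.4, "10.0.0.9", "10.0.0.20", 443, "S"),
    (20.0, "10.0.0.7", "10.0.0.30", 22, "FPU"),  # Xmas (-sX) probes: FIN+PSH+URG
    (20.1, "10.0.0.7", "10.0.0.30", 23, "FPU"),
    (20.2, "10.0.0.7", "10.0.0.30", 80, "FPU"),
    (20.3, "10.0.0.7", "10.0.0.30", 139, "FPU"),
    (20.4, "10.0.0.7", "10.0.0.30", 445, "FPU"),
    (30.0, "10.0.0.7", "10.0.0.30", 53, ""),     # one Null (-sN) probe: below threshold
]

# Flag sets used by scan probes; a lone SYN is normal traffic but suspicious in volume.
PROBE_KINDS = {frozenset("S"): "syn", frozenset(): "null",
               frozenset("F"): "fin", frozenset("FPU"): "xmas"}

def classify_probe(flags):
    # Returns "syn", "fin", "xmas", "null", or None for ordinary traffic (SA, A, PA, ...).
    return PROBE_KINDS.get(frozenset(flags))

def detect_scans(records, port_threshold=5, window=10.0):
    # Alert when one source sends probes of one kind to >= port_threshold distinct
    # ports of one host within any `window` seconds (sliding window per group).
    groups = defaultdict(list)
    for ts, src, dst, port, flags in records:
        kind = classify_probe(flags)
        if kind:
            groups[(src, dst, kind)].append((ts, port))
    alerts = []
    for (src, dst, kind), probes in groups.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {p for _, p in probes[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "dst": dst, "kind": kind,
                               "ports": sorted(ports)})
                break  # one alert per (source, target, kind)
    return sorted(alerts, key=lambda a: (a["src"], a["kind"]))
```

Running `detect_scans(SAMPLE_RECORDS)` yields one alert for the SYN sweep and one for the Xmas probes; the single Null probe and the completed handshake stay quiet.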
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) allows users to write and share scripts to automate a wide variety of networking tasks, including advanced vulnerability detection, discovery, and more.
NSE scripts extend Nmap's capabilities significantly.
Scripts can perform tasks like detecting specific vulnerabilities, brute-forcing credentials, or discovering web application details.
NSE scripts are written in the Lua programming language and can be used to automate complex tasks. They are categorized by their functionality, such as 'discovery', 'exploit', 'vuln', and 'auth'. Running the default script set with -sC, or a specific script with --script <script-name>, allows for targeted information gathering and vulnerability assessment.
Practical Nmap Commands
Here are some common and useful Nmap commands for penetration testing scenarios.
| Command | Description |
|---|---|
| `nmap -sS -sV -O <target>` | SYN scan, version detection, OS detection |
| `nmap -p 1-65535 -sU <target>` | Scan all UDP ports |
| `nmap -A -T4 <target>` | Aggressive scan with timing template 4 (faster) |
| `nmap --script vuln <target>` | Run all vulnerability detection scripts |
| `nmap -sF -T3 <target>` | FIN scan with timing template 3 |
| `nmap -oN output.txt <target>` | Save scan results to a normal file |
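Saving results with -oN is convenient to read, but the XML output (-oX) is the format to post-process. As an added example that is not part of the original page, the Python below parses a constructed, simplified Nmap XML document for one host: it lists open ports, separates service names that -sV actually verified (method="probed") from guesses taken from the port-number table, and flags open|filtered UDP ports for follow-up. The host address, ports, products and versions are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified Nmap -oX output for one host (addresses, products and
# versions are made up for this example; real output carries more attributes).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX - 10.0.0.20" version="7.94">
<host><status state="up" reason="arp-response"/><address addr="10.0.0.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.24.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/><service name="mysql" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp" method="table" conf="3"/></port>
</ports></host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

def summarize_nmap_xml(xml_text):
    # Per host address: open ports with service details, open ports whose service
    # name is only a port-table guess, UDP ports needing follow-up, and state counts.
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        summary = {"open": [], "unverified": [], "needs_followup": [], "states": {}}
        for port in host.findall("ports/port"):
            proto, portid = port.get("protocol"), port.get("portid")
            label = f"{portid}/{proto}"
            state = port.find("state").get("state")
            svc = port.find("service")
            summary["states"][state] = summary["states"].get(state, 0) + 1
            if state == "open":
                name = product = ""
                if svc is not None:
                    name = svc.get("name", "")
                    product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
                    if svc.get("method") != "probed":  # guessed from nmap-services, not probed
                        summary["unverified"].append(label)
                summary["open"].append((label, name, product))
            elif state == "open|filtered" and proto == "udp":
                summary["needs_followup"].append(label)  # rescan with -sV or a targeted probe
        hosts[addr.get("addr")] = summary
    return hosts
```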
Ethical Considerations
Always ensure you have explicit, written permission before scanning any network or system that you do not own or manage. Unauthorized scanning is illegal and unethical.