Nmap Fundamentals

Level: beginner | Duration: 35 min | Type: Writeup

Master the most essential network scanning tool

Learning Objectives

  • Understand Nmap scan types
  • Perform port scanning effectively
  • Use Nmap scripts (NSE)
  • Interpret Nmap output

If penetration testing tools were superheroes, Nmap would be Batman - no superpowers, just incredible utility and preparation. Short for "Network Mapper," Nmap is arguably the most important tool in any pentester's arsenal. It discovers hosts, scans ports, detects services, and even finds vulnerabilities.

Created in 1997 by Gordon Lyon (Fyodor), Nmap has appeared in countless movies (The Matrix Reloaded, anyone?) and is used by everyone from script kiddies to nation-state actors. Understanding Nmap isn't just useful - it's essential.

Nmap is Free

Nmap is open-source and completely free. It runs on Linux, Windows, macOS, and even BSD. There's no excuse not to master it.

Understanding TCP (The Foundation)

Before diving into Nmap, you need to understand TCP handshakes. When two computers establish a TCP connection, they perform a "three-way handshake":

  1. SYN: Client sends a synchronize packet
  2. SYN-ACK: Server responds with synchronize-acknowledge
  3. ACK: Client sends acknowledge, connection established
```text
Client                          Server
  |                               |
  |---------- SYN -------------->|   "Hey, want to talk?"
  |                               |
  |<-------- SYN-ACK ------------|   "Sure, let's talk"
  |                               |
  |---------- ACK -------------->|   "Great, connected!"
  |                               |
```

Nmap exploits this handshake in various ways to determine port states without completing full connections.

Port States

Nmap reports ports in six possible states:

  • Open: Application is accepting connections
  • Closed: Port accessible but no application listening
  • Filtered: Firewall blocking - can't determine state
  • Unfiltered: Accessible but open/closed undetermined
  • Open|Filtered: Open or filtered, can't tell which
  • Closed|Filtered: Closed or filtered, can't tell which

Filtered is Interesting

"Filtered" often means there's a firewall protecting something valuable. Don't ignore filtered ports - they might be worth investigating with different techniques.

Scan Types

TCP SYN Scan (-sS) - The Default

The "stealth scan" sends SYN packets and analyzes responses without completing the handshake. Fast, reliable, and harder to detect.

```bash
# SYN scan (requires root)
sudo nmap -sS 192.168.1.10

# What happens:
# Open port:   SYN -> SYN-ACK (Nmap answers with RST instead of ACK)
# Closed port: SYN -> RST
# Filtered:    SYN -> no response, or ICMP unreachable
```

TCP Connect Scan (-sT)

Completes the full TCP handshake. More detectable but doesn't require root. Use when you can't run as root or need full connections.

```bash
# Connect scan (no root needed)
nmap -sT 192.168.1.10
```

UDP Scan (-sU)

UDP has no handshake - it's like shouting into a void and hoping someone answers. Much slower than TCP scanning but essential for services like DNS, SNMP, and DHCP.

```bash
# UDP scan (slow - be patient)
sudo nmap -sU 192.168.1.10

# Combined TCP and UDP
sudo nmap -sS -sU 192.168.1.10

# Common UDP ports only (faster)
sudo nmap -sU --top-ports 20 192.168.1.10
```

UDP is Slow

UDP scanning is painfully slow because there's no reliable response for closed ports. A full 65535-port UDP scan can take hours. Target specific ports when possible.

Stealth Scans (FIN, NULL, Xmas)

These scans exploit TCP specification quirks to slip past simple stateless firewalls: a spec-compliant stack answers an unexpected FIN, NULL or Xmas probe with RST when the port is closed and stays silent when it is open, so silence is reported as open|filtered. They don't work against Windows, which replies with RST regardless of port state (every port looks closed), but can be useful against Unix systems.

```bash
# FIN scan - sends only the FIN flag
sudo nmap -sF 192.168.1.10

# NULL scan - no flags set
sudo nmap -sN 192.168.1.10

# Xmas scan - FIN, PSH, URG flags (lights up like a Christmas tree)
sudo nmap -sX 192.168.1.10
```

Port Specification

```bash
# Scan specific ports
nmap -p 22,80,443 192.168.1.10

# Scan port range
nmap -p 1-1000 192.168.1.10

# Scan all 65535 ports
nmap -p- 192.168.1.10

# Scan top N ports (by popularity)
nmap --top-ports 100 192.168.1.10

# Fast scan (top 100)
nmap -F 192.168.1.10

# Exclude ports
nmap -p 1-1000 --exclude-ports 25,110 192.168.1.10
```

The Magic Numbers

The top 1000 ports cover about 93% of commonly used ports. Top 100 covers about 70%. For quick assessments, -F is your friend. For thorough testing, always scan all ports (-p-).
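Knowing exactly which ports a `-p` expression expands to matters when you are sizing a scan or explaining one in a report. The following is an added example, not code from Nmap or this writeup: it implements the `-p` / `--exclude-ports` / `--top-ports` grammar shown above (single ports, ranges, open-ended ranges, the bare `-`, and Nmap's `T:`/`U:` protocol prefixes). The `TOP_PORTS_EXAMPLE` ranking is a constructed stand-in for Nmap's real frequency data in `nmap-services`.

```python
"""Expand Nmap-style port specifications into concrete port sets.

Added example, not part of Nmap: it implements the -p / --exclude-ports /
--top-ports grammar shown above so you can see exactly which ports a command
line will touch before you run it.  TOP_PORTS_EXAMPLE is a constructed
stand-in for Nmap's real frequency ranking (the nmap-services file).
"""
import re
from typing import Dict, Set

MAX_PORT = 65535

# Constructed ranking used only to make --top-ports demonstrable offline.
TOP_PORTS_EXAMPLE = [80, 23, 443, 21, 22, 25, 3389, 110, 445, 139]

# One item of a spec: "N", "N-M", "-M" (1..M), "N-" (N..65535) or "-" (all).
ITEM_RE = re.compile(r"(\d*)-(\d*)|(\d+)")


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Expand an -p argument into {'tcp': {...}, 'udp': {...}}.

    Items are comma separated.  A 'T:' or 'U:' prefix applies to every
    following item until the next prefix, as in Nmap; unprefixed items
    apply to both protocols (Nmap scans them with whatever scan types are
    enabled).  Port 0 is not accepted here.
    """
    result: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    protos = ("tcp", "udp")
    for raw in spec.split(","):
        item = raw.strip()
        if item[:2].upper() in ("T:", "U:"):
            protos = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:]
            if not item:          # a bare "T:" or "U:" just switches protocol
                continue
        m = ITEM_RE.fullmatch(item)
        if not m:
            raise ValueError(f"bad port item: {raw!r}")
        if m.group(3) is not None:            # single port
            lo = hi = int(m.group(3))
        else:                                 # range, possibly open-ended
            lo = int(m.group(1)) if m.group(1) else 1
            hi = int(m.group(2)) if m.group(2) else MAX_PORT
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range out of bounds: {raw!r}")
        for proto in protos:
            result[proto].update(range(lo, hi + 1))
    return result


def apply_excludes(ports: Dict[str, Set[int]], exclude_spec: str) -> Dict[str, Set[int]]:
    """--exclude-ports uses the same grammar; drop those ports from the selection."""
    excluded = parse_port_spec(exclude_spec)
    return {proto: ports[proto] - excluded[proto] for proto in ports}


def top_ports(n: int, ranking=TOP_PORTS_EXAMPLE) -> Set[int]:
    """--top-ports N: the N highest-ranked ports (ranking is constructed here)."""
    if n < 1:
        raise ValueError("--top-ports needs a positive count")
    return set(ranking[:n])


def summarize(ports: Dict[str, Set[int]]) -> str:
    """Port count per protocol, e.g. 'tcp:998 udp:998'."""
    return " ".join(f"{proto}:{len(ports[proto])}" for proto in ("tcp", "udp"))


if __name__ == "__main__":
    # nmap -p 1-1000 --exclude-ports 25,110
    selection = apply_excludes(parse_port_spec("1-1000"), "25,110")
    print(summarize(selection))                                # tcp:998 udp:998
    # nmap -sS -sU -p U:53,161,T:22-25,80
    print(summarize(parse_port_spec("U:53,161,T:22-25,80")))   # tcp:5 udp:2
    print(sorted(top_ports(3)))                                # [23, 80, 443]
```

Run it with the expressions from the block above to confirm, for instance, that `-p 1-1000 --exclude-ports 25,110` leaves 998 ports, or that a typo like `-p 70000` is rejected before any packets are sent.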

Service & Version Detection

```bash
# Service version detection
nmap -sV 192.168.1.10

# Increase intensity (0-9, default 7)
nmap -sV --version-intensity 9 192.168.1.10

# Light version detection (faster)
nmap -sV --version-light 192.168.1.10

# OS detection (requires root)
sudo nmap -O 192.168.1.10

# Aggressive mode (OS, version, scripts, traceroute); includes -O, so needs root
sudo nmap -A 192.168.1.10
```

Version Detection Takes Time

-sV probes open ports with various payloads to identify services. It's slower but provides crucial information for finding vulnerabilities.

Nmap Scripting Engine (NSE)

NSE transforms Nmap from a port scanner into a full vulnerability scanner. It comes with 600+ scripts for everything from banner grabbing to exploit checking.

```bash
# List all scripts
ls /usr/share/nmap/scripts/

# Run default scripts (safe)
nmap -sC 192.168.1.10

# Same as above
nmap --script=default 192.168.1.10

# Run specific script
nmap --script=http-title 192.168.1.10

# Run script category
nmap --script=vuln 192.168.1.10

# Multiple scripts/categories (quote the wildcards so the shell doesn't expand them)
nmap --script='http-*,ssh-*' 192.168.1.10

# Script help
nmap --script-help http-sql-injection
```

Useful Script Categories

  • auth: Authentication bypass and testing
  • broadcast: Network discovery via broadcast
  • brute: Brute force attacks
  • default: Safe, useful scripts
  • discovery: Service and host discovery
  • exploit: Active exploitation
  • safe: Won't crash services or use exploits
  • vuln: Vulnerability checking

```bash
# Common useful script combinations
nmap -sV --script=banner 192.168.1.10
nmap --script=smb-enum-shares,smb-enum-users 192.168.1.10
nmap --script=http-enum 192.168.1.10
nmap --script=vuln 192.168.1.10
```

Be Careful with Exploit Scripts

Scripts in the "exploit" category can actually compromise systems. Only run them with authorization and understanding of what they do.

Output Formats

```bash
# Normal output (human readable)
nmap -oN scan.txt 192.168.1.10

# XML output (for parsing)
nmap -oX scan.xml 192.168.1.10

# Grepable output
nmap -oG scan.gnmap 192.168.1.10

# All formats at once (scan_results.nmap, .xml, .gnmap)
nmap -oA scan_results 192.168.1.10

# Append to file
nmap --append-output -oN scan.txt 192.168.1.10
```

Always Save Output

Always use -oA to save in all formats. You'll want human-readable for reports, XML for tools like Metasploit, and grepable for quick parsing.
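The XML file is the one you will actually feed to other tooling, so it is worth seeing how little code it takes to turn it into an inventory. The following is an added example, not Nmap's own tooling or code from this writeup. `SAMPLE_XML` is a constructed document in the real `nmaprun` schema (`host`, `ports`, `port`, `state`, `service` and `extraports` elements) standing in for a file written by `nmap -sS -sU -sV -oX scan.xml 192.168.1.10`; the host, ports and versions in it are made up. It also shows the two details that trip up naive parsers: hosts that are down carry no port data, and the closed ports are collapsed into a single `<extraports>` count rather than listed one by one.

```python
"""Parse Nmap XML output (-oX) into structured results.

Added example, not Nmap's own tooling.  SAMPLE_XML is a constructed document
in the real nmaprun schema standing in for a file written by
'nmap -sS -sU -sV -oX scan.xml 192.168.1.10'; hosts, ports and versions
in it are made up for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 192.168.1.10" start="0">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="lab-host.example" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="no-response"/>
        <service name="msrpc" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response"/>
        <service name="domain" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def _attr(elem, name: str, default: str = "") -> str:
    """Attribute lookup that tolerates a missing child element."""
    return elem.get(name, default) if elem is not None else default


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Return one record per host that was up: address, hostname, ports, extraports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        if _attr(host.find("status"), "state") != "up":
            continue                      # down hosts carry no <ports> element
        record = {
            "addr": _attr(host.find("address[@addrtype='ipv4']"), "addr"),
            "hostname": _attr(host.find("hostnames/hostname"), "name"),
            "ports": [],
            "extraports": {},             # state -> number of ports not listed individually
        }
        for extra in host.findall("ports/extraports"):
            record["extraports"][extra.get("state")] = int(extra.get("count", "0"))
        for port in host.findall("ports/port"):
            state, service = port.find("state"), port.find("service")
            record["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": _attr(state, "state", "unknown"),
                "reason": _attr(state, "reason"),
                "service": _attr(service, "name"),
                "product": _attr(service, "product"),
                "version": _attr(service, "version"),
            })
        hosts.append(record)
    return hosts


def open_services(hosts: List[Dict]) -> List[str]:
    """Flat inventory of confirmed-open ports: the input for version research."""
    lines = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":      # open|filtered is not a confirmed service
                continue
            banner = " ".join(x for x in (p["service"], p["product"], p["version"]) if x)
            lines.append(f"{h['addr']}:{p['port']}/{p['proto']} {banner}")
    return lines


def state_summary(hosts: List[Dict]) -> Dict[str, int]:
    """Count ports per state, including the collapsed <extraports> entries."""
    counts: Counter = Counter()
    for h in hosts:
        for p in h["ports"]:
            counts[p["state"]] += 1
        for state, n in h["extraports"].items():
            counts[state] += n
    return dict(counts)


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for line in open_services(hosts):
        print(line)
    print(state_summary(hosts))
```

Point it at a real `scan.xml` by replacing `SAMPLE_XML` with the file contents; `open_services` gives you the product/version strings to research, while `state_summary` shows at a glance how much of the port space was filtered rather than closed, which is the "Filtered is Interesting" signal from earlier in this writeup.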

Timing & Performance

```bash
# Timing templates (0=paranoid, 5=insane)
nmap -T0 192.168.1.10   # Paranoid: IDS evasion (very slow)
nmap -T1 192.168.1.10   # Sneaky
nmap -T2 192.168.1.10   # Polite
nmap -T3 192.168.1.10   # Normal (default)
nmap -T4 192.168.1.10   # Aggressive (recommended)
nmap -T5 192.168.1.10   # Insane (may miss ports)

# Fine-grained control
nmap --min-rate 1000 192.168.1.10   # at least 1000 packets per second
nmap --max-rate 100 192.168.1.10    # at most 100 packets per second
nmap --max-retries 2 192.168.1.10   # retransmit each probe at most twice
```

T4 for CTFs, T3 for Real Life

On lab networks and CTFs, T4 is great. On production networks or over the internet, stick with T3 or lower to avoid overwhelming systems and missing results.
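The timing templates also decide how visible a scan is to whoever is watching the target. The example below is added here from the defender's side and is not part of Nmap or this writeup: a simple sliding-window port-scan detector run over constructed connection-log lines (format `<ISO time> <src> -> <dst>:<dport> <tcp-flags>`, standing in for firewall or flow records; all addresses are illustrative). Three sources are simulated: a `-T4`-style burst of 20 probes in two seconds, a `-T0`-style trickle of one probe every five minutes, and a normal client reusing a single port. A 60-second window catches the burst and nothing else; only a much longer window catches the trickle, which is exactly why `-T0` exists and why detection needs long horizons as well as short ones.

```python
"""Spot port-scan behaviour in connection logs, and see why -T0 evades short windows.

Added example from the defender's side, not part of Nmap.  Log lines are
constructed ('<ISO time> <src> -> <dst>:<dport> <tcp-flags>') to stand in for
firewall or flow records; addresses are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<flags>\S+)$")
Event = Tuple[datetime, str, str, int, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"]), m["flags"]


def detect_port_scans(lines: List[str], window_s: int, threshold: int) -> List[Dict]:
    """Alert once per source that hits >= threshold distinct dst:port pairs within window_s.

    Only SYN probes (flag 'S') count, so repeated traffic to one service never trips it.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent: Dict[str, deque] = defaultdict(deque)   # src -> (ts, (dst, port)) still in window
    alerted, alerts = set(), []
    for ts, src, dst, dport, flags in events:
        if "S" not in flags:
            continue
        q = recent[src]
        q.append((ts, (dst, dport)))
        while (ts - q[0][0]).total_seconds() > window_s:   # evict probes that aged out
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "first_seen": q[0][0].isoformat(),
                           "distinct_targets": len(distinct), "window_s": window_s})
    return alerts


def _lines(src: str, dst: str, ports, start: datetime, step: timedelta, per_step: int = 1) -> List[str]:
    """Constructed log generator: `per_step` probes from src per timestamp, then advance by step."""
    out, ts = [], start
    for i, port in enumerate(ports):
        if i and i % per_step == 0:
            ts += step
        out.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {src} -> {dst}:{port} S")
    return out


START = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
TARGET = "192.168.1.10"
SAMPLE_LOG = (
    _lines("10.0.0.5", TARGET, range(21, 41), START, timedelta(seconds=1), per_step=10)  # -T4-like: 20 ports in 2 s
    + _lines("10.0.0.9", TARGET, range(21, 41), START, timedelta(minutes=5))             # -T0-like: one probe per 5 min
    + _lines("10.0.0.7", TARGET, [443] * 30, START, timedelta(seconds=10))               # normal client, one port
    + ["garbage line that should be ignored"]
)


if __name__ == "__main__":
    print("60 s window:", [a["src"] for a in detect_port_scans(SAMPLE_LOG, 60, 15)])
    print("2 h window: ", sorted(a["src"] for a in detect_port_scans(SAMPLE_LOG, 7200, 15)))
```

Swap in your own log lines (or adapt `LOG_RE` to your record format) and tune `window_s` and `threshold` together: the detector alerts once per source, and a low threshold on a long window is what it takes to see a paranoid-speed scan.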

Common Command Combinations

```bash
# Quick network sweep (host discovery only)
nmap -sn 192.168.1.0/24

# Standard full scan (-sS and -O need root)
sudo nmap -sS -sV -sC -O -oA scan 192.168.1.10

# Quick TCP scan
nmap -T4 -F 192.168.1.10

# Full port scan
nmap -p- -T4 192.168.1.10

# Full comprehensive scan
sudo nmap -sS -sV -sC -O -p- -T4 -oA full_scan 192.168.1.10

# Vulnerability scan
nmap --script=vuln -oA vuln_scan 192.168.1.10

# SMB enumeration (quote the wildcard so the shell doesn't expand it)
nmap -p 445 --script='smb-*' 192.168.1.10

# Web server enumeration
nmap -p 80,443 --script='http-*' 192.168.1.10
```

Scanning Methodology

Nmap Scanning Process

  1. Host Discovery: nmap -sn network/24 to find live hosts
  2. Quick Port Scan: nmap -T4 -F targets to identify obvious services quickly
  3. Full Port Scan: nmap -p- -T4 targets to find services on non-standard ports
  4. Service Detection: nmap -sV -sC on discovered open ports
  5. Vulnerability Scanning: nmap --script=vuln on interesting services
  6. Document: review output files, note potential attack vectors

Knowledge Check

Quick Quiz
Question 1 of 4

What is the default Nmap scan type when run as root?

Challenges

Basic Port Scanning (Challenge, 🌱 beginner)

Scan scanme.nmap.org (authorized test host) and identify: all open TCP ports, service versions, and OS.


NSE Script Exploration (Challenge, 🔥 intermediate)

Use NSE scripts to enumerate the HTTP service on scanme.nmap.org. Find: server type, interesting directories, and any security headers.


Key Takeaways

  • Nmap is THE essential network scanning tool - master it
  • SYN scan (-sS) is default and stealthiest for port scanning
  • Always scan all ports (-p-) for thorough assessments
  • Service detection (-sV) reveals versions for vulnerability research
  • NSE scripts (-sC or --script) extend Nmap into vulnerability scanning
  • Save output (-oA) in all formats for later analysis
  • T4 timing is good for labs, T3 for production