Nmap exploration
Introduction
Nmap (Network Mapper) is one of the most popular and powerful network scanning tools available today. I first encountered it during my college studies and later explored its capabilities more deeply through C-Academy courses and TryHackMe information security rooms and challenges.
Nmap is free, open source, and incredibly versatile. Its primary capabilities include:
- Discover active hosts on a network.
- Scan ports and detect which services are running.
- Identify operating systems (OS detection).
- Run scripts for vulnerability detection.
For comprehensive documentation, visit the official Nmap Documentation.
Common Scan Types
Nmap supports numerous scan types, each with specific use cases and characteristics. Here are the most commonly used scanning methods:
TCP Connect Scans (-sT)
This is the most basic type of TCP scan. When Nmap sends a TCP request with the SYN flag set to a closed port, the target server will respond with a TCP packet with the RST (Reset) flag set. By this response, Nmap can establish that the port is closed.
However, when the request is sent to an open port, the target will respond with a TCP packet with the SYN/ACK flags set. Nmap then marks this port as being open (and completes the handshake by sending back a TCP packet with ACK set).
There’s also a third scenario: if the port is open but protected by a firewall, Nmap sends the TCP SYN request but receives no response at all.
Example:
1
nmap -sT <target>
❌ Disadvantages
🔹This scan is slower and more visible to intrusion detection systems (IDS).
🔹Creates full TCP connections, leaving more traces in system logs.
Source: Nmap - TryHackMe
SYN “Half-open” Scans (-sS)
Also known as “Half-Open” or “Stealth Scans,” this method is more sophisticated than TCP Connect scans. It sends a SYN packet, and if the target responds with SYN/ACK, Nmap immediately sends a RST packet instead of completing the handshake.
Port Status Interpretation:
- Open port: responds with
SYN/ACK→ Nmap sendsRST. - Closed port: responds with
RST. - Filtered port: no response or ICMP unreachable.
Example:
1
sudo nmap -sS <target>
✅ Advantages
🔹 Faster and more stealthy than -sT.
🔹 Often bypasses basic firewalls or logging systems.
❌ Disadvantages
🔹 Requires sudo/root privileges.
🔹 May crash unstable services (e.g., IoT devices).
Source: Nmap - Switches and Scan Types in Nmap
UDP Scans (-sU)
UDP scans work by sending packets without expecting acknowledgment, which reflects the “stateless” nature of UDP connections. This makes UDP scanning inherently more challenging than TCP scanning.
Port Status Interpretation:
- Open/Filtered port: no response.
- Closed port: ICMP unreachable.
Example:
1
sudo nmap -sU <target>
✅ Advantages
🔹 Useful for detecting less obvious services.
❌ Disadvantages
🔹 Slower and less reliable than TCP scans.
Source: Port Scanning Techniques By Using Nmap
Specialized Scan Types
These advanced scanning techniques are used in more specialized penetration testing scenarios:
TCP Null Scans (-sN)
Null scans send TCP packets with no flags set. The target’s response behavior is governed by TCP RFC 793 standards, making this technique useful for both port scanning and OS fingerprinting.
Port Status Interpretation:
- Closed port: If a closed port receives a NULL scan packet, the target responds with a
RST(Reset) packet. - Open port: If an open port receives a NULL scan packet, there is no response (this is due to how certain OS implementations follow the
RSTstandard). - Filtered port: If a firewall or packet filtering device is in place, the packet may be dropped, resulting in no response as well.
Since different operating systems may handle NULL scan packets differently, this scan is particularly useful for OS fingerprinting and reconnaissance.
Example:
1
nmap -sN <target>
✅ Advantages
🔹 Stealthy Reconnaissance - No SYN, ACK, or FIN flags—making detection less likely on basic IDS/firewalls.
🔹 Bypasses Basic Filtering - Can evade stateless packet filters that rely on flag detection.
🔹 Effective on Unix-based Systems - RFC-compliant systems treat no-flag packets correctly.
❌ Disadvantages
🔹 Ineffective on Windows Systems - Windows always replies with a RST, whether the port is open or closed.
🔹 Easily Detected by Modern Firewalls - Stateful firewalls and IDS tools recognize and block these anomalies.
🔹 Unclear Results - No response could mean the port is open or filtered.
🔹 Loggable - While stealthier than SYN scans, modern security solutions can log and alert on this behavior.
Source: NULL Scan (-sN) with Nmap
TCP FIN Scans (-sF)
FIN scans set only the TCP FIN (finish) bit, simulating the end of a connection that was never established.
Port Status Interpretation:
- Closed port: If a closed port receives a FIN scan packet, respond with a
RST(Reset) packet. - Open port: If an open port receives a FIN scan packet, the target does not responds.
Example:
1
nmap -sF <target>
✅ Advantages
🔹 Stealthier than SYN Scans - Does not complete a handshake, so may go unnoticed.
🔹 Useful for Firewall Evasion - May pass through basic packet filters unnoticed.
🔹 Effective on Unix-like Targets - Works if the host doesn’t filter incoming FIN packets at the firewall level.
❌ Disadvantages
🔹 Ineffective Against Certain Systems - Returns RST for all ports—cannot determine open/closed.
🔹 Easily Filtered - Modern IDS and firewall systems drop or alert on suspicious FIN packets.
🔹 No Feedback for Filtered Ports - If the host has a stateful firewall, it may block or drop unsolicited FIN packets, rendering the scan inconclusive.
Sources: FIN Scan (-sF) with Nmap Network Vulnerability and Scanning: Other NMAP Scans (NULL,FIN,XMAS,ACK,IDLE)
TCP Xmas Scans (-sX)
Xmas scans set the FIN, PSH (Push), and URG (Urgent) flags simultaneously, creating a packet that “lights up like a Christmas tree” with multiple flags activated.
Port Status Interpretation:
- Closed port: If a closed port receives a Xmas scan packet, respond with a
RST(Reset) packet. - Open/Filtered port: If an open port receives a Xmas scan packet, the target does not responds.
- Filtered port: ICMP unreachable message.
Example:
1
nmap -sX <target>
✅ Advantages
🔹 Low Signature Footprint - Less likely to be blocked by simplistic firewall rules.
🔹 Effective Against Older Targets - Especially on legacy *nix systems with basic stack behavior.
❌ Disadvantages
🔹 Ineffective Against Certain Systems - Returns RST for all ports—cannot determine open/closed.
🔹 Detectable - Advanced network monitoring tools can detect these unusual flags.
Source: Xmas Tree Scan (-sX) with Nmap
ICMP (Ping) Scan
ICMP scans are primarily used for host discovery rather than port scanning. This technique helps identify which systems are online before conducting more intensive port scanning operations.
Example:
1
nmap -sn 10.10.0.0/24
This command performs a ping sweep of the entire /24 subnet without conducting port scans on discovered hosts.
Conclusion
While most of these scanning techniques serve similar fundamental purposes, their underlying mechanisms and effectiveness vary significantly across different scenarios.
Although SYN, TCP Connect, and UDP scans are typically the go-to choices for most penetration testing situations, understanding the full spectrum of available scan types is crucial for comprehensive network reconnaissance. Each scan type has its place in the security professional’s toolkit, and the choice often depends on factors such as:
- Target operating system characteristics.
- Network security implementations.
- Stealth requirements.
- Time constraints.
- Specific service discovery needs.
For comprehensive information about all available scanning techniques, consult the official Nmap Port Scanning Techniques documentation.