A Practical Guide to Nmap
12/04/2024 | Ethan Leitner - Partner, Security Specialist
Introduction
Nmap (Network Mapper) is a powerful and versatile network scanning and security assessment tool. Originally developed by Gordon Lyon, it has become a staple for security professionals and network administrators to identify open ports, services, and vulnerabilities on systems. By working at layer four of the OSI model (the transport layer), Nmap provides insight into how devices communicate, allowing users to discover potential weak points in a network. This guide gives an overview of Nmap usage, from simple scans to advanced features like the Nmap Script Engine (NSE).
What is Nmap?
Nmap is an advanced port scanning tool that helps users analyze open ports on a computer. Ports act as entry and exit points for data, enabling programs to communicate over an IP network; for example, OpenSSH uses port 22 to accept data. By identifying which ports are open, Nmap helps users map a network and detect running programs.
You can learn more about TCP and UDP protocols in the respective RFCs:
Example Target
For this guide, we’ll simulate scanning an example host with a known IP. In a real engagement you wouldn’t necessarily know a target’s IP. To resolve a target IP you may use any number of IP resolution tools such as: netdiscover, tracert, or online tools such as shodan.io however these are out of the scope of this guide.
Half Handshake and Full Handshake Scans
The TCP handshake is the process used to establish a connection between two computers; it has three steps:
- The client sends a SYN (synchronize) packet to the server.
- The server responds with a SYN/ACK (synchronize/acknowledge) packet.
- The client sends an ACK packet, completing the handshake.
Nmap utilizes this handshake process to glean information about a host, such as in the following scans:
Stealth Scan (Half Handshake)
In a stealth scan Nmap sends only the SYN packet (or the first half of the TCP handshake) and reads the SYN/ACK response, closing the connection before the final ACK.
This approach is faster and less likely to be logged by firewalls or intrusion detection systems since a full connection isn’t established. Use the -sS flag to perform a stealth scan:
nmap -sS -Pn 192.168.0.47
Output:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 16:31 EST
Nmap scan report for 192.168.0.47
Host is up (0.0042s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
This shows that port 53 (DNS) is open. The host blocks ICMP packets, so Nmap’s default ping-based host discovery would have reported it as down; the -Pn flag skips that discovery step and scans the host regardless.
Full Handshake Scan
The full handshake scan (-sT flag) establishes a complete connection, providing more detailed information but at the cost of speed and an increased likelihood of detection by a firewall or IDS:
sudo nmap -sT -Pn 192.168.0.47
Output:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 16:35 EST
Nmap scan report for 192.168.0.47
Host is up (0.0040s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
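The difference between the two scans above is where the handshake stops. A SYN scan needs raw sockets (and therefore privileges) to send a bare SYN and read the reply; a connect scan simply asks the operating system to complete the whole handshake and infers the port state from what connect() reports. The following illustration, added here and not part of the original guide or of Nmap itself, implements that connect-scan classification in Python against a throwaway listener on the loopback interface, so it runs without a live target or root: a completed handshake means open, an RST (connection refused) means closed, and a timeout or unreachable error means filtered, the same three labels Nmap prints. The listener, the port numbers and the demo() wrapper are constructed for the example.

```python
import socket
from typing import Dict, Iterable

# Full-handshake ("connect") scan, the mechanism behind nmap -sT.
# The OS performs SYN -> SYN/ACK -> ACK inside connect(); the outcome maps to a port state:
#   connect() succeeds        -> open     (SYN/ACK came back and the handshake completed)
#   ConnectionRefusedError    -> closed   (the host answered the SYN with RST)
#   timeout / unreachable     -> filtered (no answer: a firewall or filter dropped the probe)


def connect_scan(host: str, port: int, timeout: float = 1.0) -> str:
    """Return "open", "closed" or "filtered" for one TCP port using a full handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # TimeoutError, EHOSTUNREACH, ENETUNREACH, ...
            return "filtered"


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan a list of ports and return {port: state}."""
    return {p: connect_scan(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Constructed target: a TCP listener on an ephemeral loopback port.

    A listening socket with a backlog completes handshakes on its own, so no accept() loop is needed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def unused_port(host: str = "127.0.0.1") -> int:
    """Reserve and immediately release an ephemeral port so a probe to it is answered with RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> Dict[int, str]:
    """Scan one open and one closed loopback port and return the classified results."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = unused_port()
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    # Mirrors Nmap's "PORT STATE" columns for the two constructed loopback ports.
    for port, state in sorted(demo().items()):
        print(f"{port}/tcp\t{state}")
```

The filtered branch is what you see when a firewall silently drops the SYN: connect() waits for the full timeout and Nmap, like this script, cannot tell whether anything is listening behind it. That is also why a connect scan is slower and leaves a complete connection in the target's logs, while the SYN scan tears down after the SYN/ACK.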
Host Discovery
If you’ve just gained access to a network but are unsure which hosts are active, Nmap can discover them. Using CIDR notation you can scan an entire subnet:
nmap 192.168.0.0/24
Most networks use a /24 subnet, but larger ranges (e.g., /16 or /8) are also possible. You can read more about CIDR notation here. Be aware that scanning large subnets can take considerable time.
Port Scanning
To look for a specific service on a known host, you can scan for individual ports. For example, scanning for SSH on its common port 22:
sudo nmap -Pn -p 22 192.168.0.47
Output:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 16:41 EST
Nmap scan report for 192.168.0.47
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
Here, port 22 is filtered, meaning Nmap received no response to its probes: a firewall or filter on the path is dropping them, so Nmap cannot tell whether SSH is actually listening.
Operating System Detection
Nmap can estimate a system’s operating system by analyzing subtle network response behaviors, such as details of the TCP/IP stack implementation and ICMP packet flag settings. Use the -O flag to perform operating system detection:
sudo nmap -Pn -O scanme.nmap.org
Output:
Aggressive OS guesses: Linux 2.6.32 (92%), Linux 2.6.32 or 3.10 (92%)
The results are probability-based and may not always be exact, but they provide a useful starting point.
Service Version Detection
By analyzing service banners, such as MOTDs, or responses to probes, Nmap can identify the versions of running services. Use the -sV flag for this scan:
sudo nmap -sV scanme.nmap.org
Output:
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu
53/tcp open domain Unbound
This scan reveals the exact software versions, which can aid vulnerability research.
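On the defensive side, the most useful thing to do with version-scan results is to compare them against what is supposed to be running. Nmap writes machine-readable output with -oX, and the XML is easy to consume. The following Python example is added here and is not part of the original guide or of Nmap: it parses a constructed -oX sample (the ports and products mirror the ones shown in this guide, with an extra port added so there is something to flag), extracts every open port with its detected product and version, and reports anything not on a per-host allow-list. The SAMPLE_XML document, the BASELINE allow-list and the 192.168.0.47 host entry are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sV -Pn -oX -` output (not a real capture). Only the
# elements the parser needs are included; a real file carries many more attributes.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -Pn -oX - 192.168.0.47" version="7.94SVN">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.0.47" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1" extrainfo="Ubuntu Linux" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="53">
        <state state="open" reason="syn-ack"/>
        <service name="domain" product="Unbound" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# (service name, "product version") as Nmap detected it; product is "" when only a
# port-table guess (method="table") was available.
Service = Tuple[str, str]


def parse_open_ports(xml_text: str) -> Dict[str, Dict[int, Service]]:
    """Return {ipv4 address: {port: (service name, product/version)}} for open TCP/UDP ports."""
    root = ET.fromstring(xml_text)
    results: Dict[str, Dict[int, Service]] = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        open_ports: Dict[int, Service] = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed / filtered ports are not inventory
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            open_ports[int(port.get("portid", "0"))] = (name, product)
        results[addr] = open_ports
    return results


def unexpected_services(found: Dict[str, Dict[int, Service]],
                        baseline: Dict[str, Set[int]]) -> List[Tuple[str, int, Service]]:
    """List (address, port, service) for every open port that the allow-list does not cover.

    Hosts absent from the baseline have no allowed ports, so all of their open ports are flagged.
    """
    flagged: List[Tuple[str, int, Service]] = []
    for addr, ports in found.items():
        allowed = baseline.get(addr, set())
        for port, svc in sorted(ports.items()):
            if port not in allowed:
                flagged.append((addr, port, svc))
    return flagged


# Constructed allow-list: the DNS and SSH services this host is expected to expose.
BASELINE: Dict[str, Set[int]] = {"192.168.0.47": {22, 53}}


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_XML)
    for addr, ports in found.items():
        for port, (name, product) in sorted(ports.items()):
            print(f"{addr} {port}/tcp {name} {product}".rstrip())
    for addr, port, (name, product) in unexpected_services(found, BASELINE):
        print(f"UNEXPECTED: {addr} {port}/tcp ({name} {product})".replace(" )", ")"))
```

Run against a real file with `parse_open_ports(open("scan.xml").read())`. Keeping the baseline in version control and re-running the comparison after each scheduled scan turns an ad-hoc port scan into a change-detection check: a new open port, or a product string that changed since the last scan, shows up as a diff rather than something a reader has to spot in the console output.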
XMAS Scan
This scan sets the FIN, PSH and URG flags on each probe packet, lighting the packet up “like a Christmas tree” to a properly configured IDS/IPS. It’s rarely practical but can be executed as follows:
sudo nmap -Pn -sX scanme.nmap.org
Output:
All 1000 scanned ports are in ignored states.
This method is very noisy and should only be used in specific contexts.
The Nmap Script Engine (NSE)
The NSE allows users to automate scans and perform advanced tasks using Lua scripts. For example, you can run a vulnerability scan with the vuln script category, which comes bundled with Nmap:
sudo nmap --script vuln scanme.nmap.org
Output:
|_http-csrf: Couldn't find any CSRF vulnerabilities.
The NSE is highly customizable, enabling users to write scripts for tasks like XSS detection or brute-forcing.
Conclusion
Nmap is an incredibly useful tool for network exploration and security analysis.
From simple port scans to advanced script-based automation, and from OS detection to service fingerprinting, its versatility makes it a mainstay for IT and information security professionals.
For more information: