Nmap: The Basics
Learn how to use Nmap to discover live hosts, find open ports, and detect
service versions.
Nmap is an open-source network scanner that was first published in 1997. Since then,
plenty of features and options have been added. It is a powerful and flexible network
scanner that can be adapted to various scenarios and setups.
Host Discovery: Who is Online
Nmap uses various sophisticated ways to discover live hosts.
Before we start, we should mention that Nmap uses multiple ways to specify its targets:
IP range using -: If you want to scan all the IP addresses from 192.168.0.1 to 192.168.0.10, you can write 192.168.0.1-10
IP subnet using /: If you want to scan a subnet, you can express it as 192.168.0.1/24, and this would be equivalent to 192.168.0.0-255
Hostname: You can also specify your target by hostname, for example, example.thm
Let’s say you want to discover the online hosts on a network. Nmap offers the -sn option.
Scanning a “Local” Network
In this context, we use the term “local” to refer to the network we are directly connected
to, such as an Ethernet or WiFi network.
Because we are scanning the local network, where we are connected via Ethernet or
WiFi, we can look up the MAC addresses of the devices. Consequently, we can figure out
the network card vendors, which is beneficial information as it can help us guess the
type of target device(s).
When scanning a directly connected network, Nmap starts by sending ARP requests.
When a device responds to the ARP request, Nmap labels it with “Host is up”.
Scanning a “Remote” Network
Consider the case of a “remote” network. In this context, “remote” means that at least
one router separates our system from this network. As a result, all our traffic to the
target systems must go through one or more routers. Unlike scanning a local network,
we cannot send an ARP request to the target.
It is worth noting that we can have more control over how Nmap discovers live hosts
such as -PS[portlist], -PA[portlist], -PU[portlist] for TCP SYN, TCP ACK, and UDP discovery
via the given ports.
As a final point, Nmap offers a list scan with the option -sL. This scan only lists the
targets to scan without actually scanning them. For example, nmap -sL 192.168.0.1/24
will list the 256 targets that will be scanned. This option helps confirm the targets before
running the actual scan.
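To make the target syntax above concrete, here is an added Python example (not part of the original page or of Nmap itself) that expands a target specification into the addresses a list scan (-sL) would enumerate. It goes slightly beyond the forms shown above: Nmap also accepts a range or "*" in any octet, and the code handles that too; hostnames are left unresolved.

```python
import ipaddress
import re

OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")   # a single octet "7" or a range "1-10"

def expand_targets(spec):
    """Expand one nmap target spec into the IPv4 addresses it covers.

    Covers the page's forms (last-octet range, CIDR prefix) and, as nmap also
    allows, a range or '*' in any octet. Hostnames are not resolved here.
    """
    if "/" in spec:
        # nmap treats 192.168.0.1/24 as the whole 192.168.0.0/24 network (256 targets)
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError("not an IPv4 target spec: %r" % spec)
    octets = []
    for part in parts:
        if part == "*":
            octets.append(range(256))
            continue
        m = OCTET.match(part)
        if not m:
            raise ValueError("bad octet %r in %r" % (part, spec))
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet range reversed or out of bounds: %r" % part)
        octets.append(range(lo, hi + 1))
    return ["%d.%d.%d.%d" % (a, b, c, d)
            for a in octets[0] for b in octets[1] for c in octets[2] for d in octets[3]]

def list_scan(specs):
    """Emulate nmap -sL: list every target the specs cover without sending a packet."""
    targets = []
    for spec in specs:
        targets.extend(expand_targets(spec))
    return targets
```

Comparing `list_scan` output with what you intended to scan is the same sanity check the page recommends doing with -sL before the real scan.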
As we mentioned earlier, -sn aims to discover live hosts without attempting to discover
the services running on them. This scan might be helpful if you want to discover the
devices on a network without causing much noise. However, this won’t tell us which
services are running. If we want to learn more about the network services running on the
live hosts, we need a more “noisy” type of scan.
Port Scanning: Who is Listening
Scanning TCP Ports
The easiest and most basic way to know whether a TCP port is open would be to attempt
to telnet to the port. If you are inclined to scan with a Telnet client, try to establish a TCP
connection with every target port. In other words, you attempt to complete the TCP
three-way handshake with every target port; however, only open TCP ports would
respond appropriately and allow a TCP connection to be established. This procedure is
not very different from Nmap’s connect scan.
Connect Scan
The connect scan can be triggered using -sT. It tries to complete the TCP three-way
handshake with every target TCP port. If the TCP port turns out to be open and Nmap
connects successfully, Nmap will tear down the established connection.
SYN Scan (Stealth)
Unlike the connect scan, which tries to connect to the target TCP port, i.e., complete a
three-way handshake, the SYN scan only executes the first step: it sends a TCP SYN
packet. Consequently, the TCP three-way handshake is never completed. The advantage
is that this is expected to lead to fewer logs as the connection is never established, and
hence, it is considered a relatively stealthy scan. You can select the SYN scan using the -sS flag.
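The difference in noise between -sT and -sS is easiest to see from the listening side. The following added Python example (not from the original page) runs a connect scan against a throwaway listener on 127.0.0.1: the open port is found only because the handshake completes, and that completed connection is exactly what reaches the service's accept() and therefore its logs. A half-open SYN probe never gets that far, which is why the page calls it stealthier.

```python
import socket
import threading
import time

def start_listener(host="127.0.0.1"):
    """Throwaway service on an OS-assigned port; every accept() is logged like a real daemon would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    log = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:            # listener closed: stop serving
                return
            log.append("accepted connection from %s:%d" % peer)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], log, srv

def closed_port_socket(host="127.0.0.1"):
    """Bind a port but never listen() on it: connections are refused, as for a closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    return s

def connect_scan(host, ports, timeout=1.0):
    """Emulate nmap -sT: finish the three-way handshake, then tear it down."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the handshake completed
                open_ports.append(port)
        # leaving the with-block closes the socket: the teardown nmap performs
    return sorted(open_ports)

def demo():
    """Scan one open and one closed local port; return (only_open_port_found, log_entries)."""
    port, log, srv = start_listener()
    holder = closed_port_socket()
    found = connect_scan("127.0.0.1", [holder.getsockname()[1], port])
    deadline = time.time() + 2
    while not log and time.time() < deadline:   # give the accept() thread a moment
        time.sleep(0.01)
    srv.close(); holder.close()
    return found == [port], len(log)
```

Run `demo()` to see that the scan finds exactly the listening port and that the listener logged exactly one accepted connection from the scanner.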
Scanning UDP Ports
Although most services use TCP for communication, many use UDP. Examples include
DNS, DHCP, NTP (Network Time Protocol), SNMP (Simple Network Management Protocol),
and VoIP (Voice over IP). UDP does not require establishing a connection and tearing it
down afterwards. Furthermore, it is very suitable for real-time communication, such as
live broadcasts. All these are reasons to consider scanning for and discovering services
listening on UDP ports.
Nmap offers the option -sU to scan for UDP services. Because UDP is simpler than TCP,
we expect the traffic to differ.
Limiting the Target Ports
Nmap scans the most common 1,000 ports by default. However, this might not be what
you are looking for. Therefore, Nmap offers you a few more options.
-F is for Fast mode, which scans the 100 most common ports (instead of the
default 1000).
-p[range] allows you to specify a range of ports to scan. For example, -p10-1024
scans from port 10 to port 1024, while -p-25 will scan all the ports between 1 and
25. Note that -p- scans all the ports and is equivalent to -p1-65535 and is the best
option if you want to be as thorough as possible.
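As an added example (not part of the original page), the Python below expands a -p argument into port numbers, including the -25 and - shorthands described above plus comma-separated lists, which Nmap also accepts. It also does the inverse, compressing a port list back into compact -p syntax, which is handy when you want to rescan only the ports an inventory says should be open.

```python
MAX_PORT = 65535

def parse_port_spec(spec):
    """Expand a -p argument into a sorted list of port numbers.

    Handles the page's forms ('10-1024', '-25' meaning 1-25, '-' meaning every
    port) and comma-separated lists such as '22,80,443,8000-8100'.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port spec %r" % spec)
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)        # either side may be empty: '-25', '10-', '-'
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError("port range reversed or outside 1-%d: %r" % (MAX_PORT, item))
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def ports_to_spec(ports):
    """Inverse of parse_port_spec: compress ports into compact -p syntax, e.g. '1-3,80'."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p                        # extend the current run
        else:
            runs.append([p, p])                    # start a new run
    return ",".join(str(lo) if lo == hi else "%d-%d" % (lo, hi) for lo, hi in runs)
```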
Summary
Option Explanation
-sT TCP connect scan – complete three-way handshake
-sS TCP SYN – only first step of the three-way handshake
-sU UDP scan
-F Fast mode – scans the 100 most common ports
-p[range] Specifies a range of port numbers – -p- scans all the ports
Version Detection: Extract More Information
OS Detection
You can enable OS detection by adding the -O option. As the name implies, the OS
detection option triggers Nmap to rely on various indicators to make an educated guess
about the target OS. However, there is no perfectly accurate OS detector.
Service and Version Detection
You discovered several open ports and want to know what services are listening on
them. -sV enables version detection. This is very convenient for gathering more
information about your target with fewer keystrokes.
What if you could have -O, -sV, and more in a single option? That option is -A. It
enables OS detection, version scanning, and traceroute, among other things.
Forcing the Scan
When we run our port scan, such as using -sS, there is a possibility that the target host
does not reply during the host discovery phase (e.g. a host doesn’t reply to ICMP
requests). Consequently, Nmap will mark this host as down and won’t launch a port scan
against it. We can ask Nmap to treat all hosts as online and port scan every host,
including those that didn’t respond during the host discovery phase. This choice can be
triggered by adding the -Pn option.
Summary
Option Explanation
-O OS detection
-sV Service and version detection
-A OS detection, version detection, and other additions
-Pn Scan hosts that appear to be down
Timing: How Fast is Fast
Nmap provides various options to control the scan speed and timing. Running your scan
at its normal speed might trigger an IDS or other security solutions. It is reasonable to
control how fast a scan should go. Nmap gives you six timing templates, and the names
say it all: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5).
You can pick the timing template by its name or number. For example, you can add -T0
(or -T 0) or -T paranoid to opt for the slowest timing.
Timing Total Duration
T0 (paranoid) 9.8 hours
T1 (sneaky) 27.53 minutes
T2 (polite) 40.56 seconds
T3 (normal) 0.15 seconds
T4 (aggressive) 0.13 seconds
A second helpful option is the number of parallel service probes. The number of parallel
probes can be controlled with --min-parallelism <numprobes> and --max-parallelism
<numprobes>. These options can be used to set a minimum and maximum on the
number of TCP and UDP port probes active simultaneously for a host group. By default,
nmap will automatically control the number of parallel probes. If the network is
performing poorly, i.e., dropping packets, the number of parallel probes might fall to one;
furthermore, if the network performs flawlessly, the number of parallel probes can reach
several hundred.
A similar helpful option is the --min-rate <number> and --max-rate <number>. As the
names indicate, they can control the minimum and maximum rates at which nmap sends
packets. The rate is provided as the number of packets per second. It is worth
mentioning that the specified rate applies to the whole scan and not to a single host.
The last option we will cover in this task is --host-timeout <time>. This option specifies
the maximum time you are willing to wait, and it is suitable for slow hosts or hosts with
slow network connections.
Option  Explanation
-T<0-5>  Timing template – paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)
--min-parallelism <numprobes> and --max-parallelism <numprobes>  Minimum and maximum number of parallel probes
--min-rate <number> and --max-rate <number>  Minimum and maximum rate (packets/second)
--host-timeout <time>  Maximum amount of time to wait for a target host
Output: Controlling What You See
This subtopic focuses on two main features:
Showing additional information while a scan takes place
Choosing the file format to save the scan report
Verbosity and Debugging
In some cases, the scan takes a very long time to finish or to produce any output that
will be displayed on the screen. Furthermore, sometimes you might be interested in
more real-time information about the scan progress. The best way to get more updates
about what’s happening is to enable verbose output by adding -v.
Most likely, the -v option is more than enough for verbose output; however, if you are
still unsatisfied, you can increase the verbosity level by adding another “v” such as -vv
or even -vvvv. You can also specify the verbosity level directly, for example, -v2 and -v4.
You can even increase the verbosity level by pressing “v” after the scan already started.
If all this verbosity does not satisfy your needs, you must consider the -d option for
debugging-level output. Similarly, you can increase the debugging level by adding one or
more “d” or by specifying the debugging level directly. The maximum level is -d9.
Saving Scan Report
In many cases, we would need to save the scan results. Nmap gives us various formats.
The three most useful are normal (human-friendly) output, XML output, and grepable
output, in reference to the grep command. You can select the scan report format as
follows:
-oN <filename> - Normal output
-oX <filename> - XML output
-oG <filename> - grep-able output (useful for grep and awk)
-oA <basename> - Output in all major formats
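The grepable format is the one you will most often post-process. As an added example (not part of the original page), the Python below parses constructed -oG lines into a per-host inventory and then flags open TCP ports that are absent from an expected baseline, which is a common defensive use of scan reports. The sample output, hostnames, and version strings are made up; the field layout follows the port/state/protocol/owner/service/rpcinfo/version/ columns of Nmap's grepable output.

```python
import re

# Constructed sample of nmap -oG output (not a real scan); the fields are tab-separated.
SAMPLE_GNMAP = """# Nmap scan initiated (constructed sample) as: nmap -sV -oG scan.gnmap 192.168.0.1-10
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open/tcp//domain//dnsmasq 2.86/\tIgnored State: closed (998)
Host: 192.168.0.7 (example.thm)\tStatus: Up
Host: 192.168.0.7 (example.thm)\tPorts: 80/open/tcp//http//Apache httpd 2.4.52/, 3306/open/tcp//mysql//MySQL 8.0.32/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done -- 10 IP addresses (2 hosts up) scanned in 9.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_gnmap(text):
    """Return {ip: {"hostname": name, "ports": [(port, state, proto, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):           # header/footer comment lines
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                # port/state/protocol/owner/service/rpcinfo/version/ (7 fields, trailing slash)
                cols = item.split("/")
                entry["ports"].append((int(cols[0]), cols[1], cols[2], cols[4], cols[6]))
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Flag (ip, port) pairs that are open/tcp in the scan but not in the expected baseline."""
    findings = []
    for ip, info in sorted(hosts.items()):
        allowed = baseline.get(ip, set())
        for port, state, proto, _service, _version in info["ports"]:
            if state == "open" and proto == "tcp" and port not in allowed:
                findings.append((ip, port))
    return findings
```

Filtered ports are reported but not flagged, since the scan could not confirm that anything is listening there.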
Summary
Option  Explanation
-sL  List scan – list targets without scanning
Host Discovery
-sn  Ping scan – host discovery only
Port Scanning
-sT  TCP connect scan – complete three-way handshake
-sS  TCP SYN – only first step of the three-way handshake
-sU  UDP scan
-F  Fast mode – scans the 100 most common ports
-p[range]  Specifies a range of port numbers – -p- scans all the ports
-Pn  Treat all hosts as online – scan hosts that appear to be down
Service Detection
-O  OS detection
-sV  Service version detection
-A  OS detection, version detection, and other additions
Timing
-T<0-5>  Timing template – paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)
--min-parallelism <numprobes> and --max-parallelism <numprobes>  Minimum and maximum number of parallel probes
--min-rate <number> and --max-rate <number>  Minimum and maximum rate (packets/second)
--host-timeout <time>  Maximum amount of time to wait for a target host
Real-time output
-v  Verbosity level – for example, -vv and -v4
-d  Debugging level – for example, -d and -d9
Report
-oN <filename>  Normal output
-oX <filename>  XML output
-oG <filename>  grep-able output
-oA <basename>  Output in all major formats