NMAP (Network Mapper)
- Network discovery and security auditing tool that uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems they are running, and what type of packet filters/firewalls are in use
- Primary function: Port scanning and network reconnaissance - sends specially crafted packets and analyzes responses to map network topology and identify open services
- Works by sending various types of probe packets and examining the responses (or lack thereof) to determine port states and service information
Core Scanning Techniques
- TCP SYN Scan (-sS): Half-open scan that sends SYN packets without completing the three-way handshake (most common and stealthy method)
- TCP Connect Scan (-sT): Full TCP connection scan that completes the handshake (noisier but works when SYN scan privileges unavailable)
- UDP Scan (-sU): Scans UDP ports by sending UDP packets (slower due to UDP’s connectionless nature)
- TCP ACK Scan (-sA): Used for firewall rule mapping - determines if ports are filtered or unfiltered
Port States
| State | Description | Meaning |
|---|---|---|
| Open | Port is accepting connections | Service actively listening on port |
| Closed | Port is accessible but no service listening | TCP RST or ICMP unreachable received |
| Filtered | Cannot determine if port is open | Firewall/filter blocking probe packets |
| Unfiltered | Port accessible but cannot determine open/closed | Only seen in ACK scans |
| Open\|Filtered | Cannot determine between open and filtered | Common with UDP scans |
Common Command Syntax
- Basic host discovery: nmap -sn <target> (ping scan without port scanning)
- Standard scan: nmap <target> (scans top 1000 TCP ports by default)
- Specific ports: nmap -p 22,80,443 <target> or nmap -p 1-65535 <target>
- Service detection: nmap -sV <target> (determines service versions)
- OS detection: nmap -O <target> (fingerprints operating system)
- Aggressive scan: nmap -A <target> (combines -O, -sV, -sC, and traceroute)
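Scan results are usually consumed from a file rather than read off the terminal, and nmap's XML output (-oX) is the format meant for that. The following Python script is an added example, not part of these notes or of the nmap project: it parses a hand-constructed XML fragment in the shape nmap writes (nmaprun/host/ports/port with state and service elements), tallies ports by the states listed in the Port States table, lists the services that -sV identified on confirmed-open ports, and separates out the filtered and open|filtered results that still need verification by other means. The addresses, product names and versions in the sample are constructed.

```python
"""Parse nmap -oX (XML) output and summarise port states and detected services.

Added example, not part of the original notes or the nmap project. SAMPLE_XML is a
constructed, trimmed fragment in the element layout nmap writes; values are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of what `nmap -sS -sU -sV -oX scan.xml <target>` might write
# (only the elements this parser uses; 192.0.2.0/24 is a documentation range).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per port: host, proto, port, state, reason, service string."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            # name/product/version may each be absent; join whatever nmap reported
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": " ".join(p for p in parts if p),
            })
    return records


def state_counts(records):
    """Count ports per state (the states from the Port States table)."""
    return dict(Counter(r["state"] for r in records))


def open_services(records):
    """Confirmed-open ports with the service/version string nmap identified."""
    return [(r["proto"], r["port"], r["service"]) for r in records if r["state"] == "open"]


def needs_verification(records):
    """Ports whose state nmap could not settle; re-check before drawing conclusions."""
    return [(r["proto"], r["port"], r["state"], r["reason"])
            for r in records if r["state"] in ("filtered", "open|filtered", "unfiltered")]


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    print("states:", state_counts(recs))
    for proto, port, svc in open_services(recs):
        print(f"open {proto}/{port}: {svc}")
    for proto, port, st, why in needs_verification(recs):
        print(f"verify {proto}/{port}: {st} ({why})")
```

The `reason` attribute is worth keeping in any report: "syn-ack" and "reset" are positive evidence, whereas "no-response" is the absence of evidence, which is why both the filtered TCP port and the open|filtered UDP port land in the verification list rather than being treated as findings.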
Target Specification
- Single IP: 192.168.1.1
- IP range: 192.168.1.1-254 or 192.168.1.0/24
- Multiple targets: 192.168.1.1,5,10
- Hostname: scanme.nmap.org
- File input: nmap -iL targets.txt
- Exclude hosts: nmap 192.168.1.0/24 --exclude 192.168.1.1
Timing and Performance
| Template | Description | Use Case |
|---|---|---|
| -T0 (Paranoid) | 5-minute delays between probes | IDS evasion |
| -T1 (Sneaky) | 15-second delays | Slow, stealthy scanning |
| -T2 (Polite) | 0.4-second delays | Reduces bandwidth usage |
| -T3 (Normal) | Default timing | Standard scanning |
| -T4 (Aggressive) | Faster scan | Assumes reliable network |
| -T5 (Insane) | Very fast scan | May miss results due to speed |
Firewall Evasion Techniques
- Fragment packets: -f (splits probe into 8-byte fragments)
- Decoy scanning: -D <decoy1>,<decoy2> (makes scan appear from multiple sources)
- Source port spoofing: --source-port 53 (uses common ports like DNS)
- Idle scan: -sI <zombie> (uses third-party host for scanning)
- TCP sequence prediction required for idle scans to work effectively
Vocabulary
- Fingerprinting: Process of identifying operating system or service versions based on network response characteristics
- Half-open scan: SYN scan that doesn’t complete TCP handshake (sends SYN, receives SYN-ACK, sends RST instead of ACK)
- Zombie host: Third-party system used in idle scans that has predictable IP ID sequence numbers
- Service enumeration: Process of determining what applications are running on discovered open ports
- Banner grabbing: Technique to gather information about services by connecting and reading service banners
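The half-open handshake described under Vocabulary (SYN, SYN-ACK, RST instead of ACK) is also the signature a defender looks for when deciding whether a SYN scan touched their network. The script below is an added example, not part of these notes or of nmap: it reads connection records in a hypothetical constructed format ("time src:sport > dst:dport FLAGS", with S, SA, A, R and RA as the flag spellings), groups packets into flows keyed by the initiator, classifies each flow as completed, half-open, closed or no-response using the handshake rules from the Vocabulary section, and flags sources with several aborted handshakes across distinct ports. The addresses and timestamps are constructed; the threshold of three half-open flows is an assumption chosen for the sample.

```python
"""Spot half-open (SYN) scans in connection records.

Added example, not part of the original notes or of nmap. SAMPLE_LOG is constructed
in a hypothetical 'time src:sport > dst:dport FLAGS' format (S, SA, A, R, RA).
"""
from collections import defaultdict

# Constructed sample: 198.51.100.7 SYN-probes five ports on 192.0.2.10 and answers each
# SYN-ACK with RST (half-open); 203.0.113.5 completes one ordinary handshake.
SAMPLE_LOG = """\
10:00:01.001 198.51.100.7:40001 > 192.0.2.10:22 S
10:00:01.002 192.0.2.10:22 > 198.51.100.7:40001 SA
10:00:01.003 198.51.100.7:40001 > 192.0.2.10:22 R
10:00:01.004 198.51.100.7:40002 > 192.0.2.10:80 S
10:00:01.005 192.0.2.10:80 > 198.51.100.7:40002 SA
10:00:01.006 198.51.100.7:40002 > 192.0.2.10:80 R
10:00:01.007 198.51.100.7:40003 > 192.0.2.10:23 S
10:00:01.008 192.0.2.10:23 > 198.51.100.7:40003 RA
10:00:01.009 198.51.100.7:40004 > 192.0.2.10:443 S
10:00:01.010 192.0.2.10:443 > 198.51.100.7:40004 SA
10:00:01.011 198.51.100.7:40004 > 192.0.2.10:443 R
10:00:01.012 198.51.100.7:40005 > 192.0.2.10:445 S
10:00:02.000 203.0.113.5:51000 > 192.0.2.10:80 S
10:00:02.001 192.0.2.10:80 > 203.0.113.5:51000 SA
10:00:02.002 203.0.113.5:51000 > 192.0.2.10:80 A
"""


def parse_line(line):
    """Split one record into (timestamp, (src_ip, sport), (dst_ip, dport), flags)."""
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, (sip, int(sport)), (dip, int(dport)), flags


def build_flows(log_text):
    """Group packets into flows keyed by the initiator's 4-tuple.

    Each flow is a list of (who, flags), who being 'init' or 'resp'. A bare SYN
    opens a flow; packets for flows that never started are ignored.
    """
    flows = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, flags = parse_line(line)
        fwd, rev = src + dst, dst + src
        if fwd in flows:
            flows[fwd].append(("init", flags))
        elif rev in flows:
            flows[rev].append(("resp", flags))
        elif flags == "S":
            flows[fwd] = [("init", flags)]
    return flows


def classify_flow(packets):
    """Apply the handshake rules: RST from target = closed; SYN-ACK then ACK =
    completed; SYN-ACK then RST from initiator = half-open; no reply = no-response."""
    resp = [f for who, f in packets if who == "resp"]
    init_after = [f for who, f in packets[1:] if who == "init"]
    if any(f in ("R", "RA") for f in resp):
        return "closed"
    if "SA" in resp:
        if "A" in init_after:
            return "completed"
        if "R" in init_after:
            return "half-open"
        return "pending"
    return "no-response"


def summarize(log_text):
    """Per source IP: distinct target ports touched and flow verdict counts."""
    per_src = defaultdict(lambda: {"ports": set(), "half_open": 0, "closed": 0, "no_response": 0})
    for (sip, _, dip, dport), packets in build_flows(log_text).items():
        entry = per_src[sip]
        entry["ports"].add((dip, dport))
        verdict = classify_flow(packets).replace("-", "_")
        if verdict in ("half_open", "closed", "no_response"):
            entry[verdict] += 1
    return {sip: {"ports": len(v["ports"]), "half_open": v["half_open"],
                  "closed": v["closed"], "no_response": v["no_response"]}
            for sip, v in per_src.items()}


def likely_syn_scanners(log_text, min_half_open=3):
    """Sources with at least min_half_open aborted handshakes (threshold is an assumption)."""
    return sorted(sip for sip, s in summarize(log_text).items() if s["half_open"] >= min_half_open)


if __name__ == "__main__":
    for sip, stats in summarize(SAMPLE_LOG).items():
        print(sip, stats)
    print("likely SYN scanners:", likely_syn_scanners(SAMPLE_LOG))
```

The closed and no-response counts are kept alongside half_open because a real scan of a mostly-closed host produces far more RSTs from the target than SYN-ACKs; a detector that only counts half-open flows would underrate it. The example has no time window, so a scan slowed down with -T0 or -T1 still accumulates over the whole log, which is the right behaviour for a batch review but would need a sliding window in a streaming detector.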
Notes
- NMAP requires root privileges for most scan types (SYN scans, OS detection) because it needs to craft raw packets
- Default scan only covers top 1000 most common ports - use -p- for all 65535 ports (significantly slower)
- UDP scanning is inherently slow because UDP is connectionless - many firewalls drop UDP packets silently
- Legal considerations: Only scan networks you own or have explicit permission to test - unauthorized scanning may violate laws
- Service version detection (-sV) increases scan time but provides valuable information about potential vulnerabilities
- Rate limiting awareness: Many modern firewalls implement rate limiting - slower scans (-T1, -T2) may be more accurate
- For CCNA context: Understanding NMAP helps with network troubleshooting and security assessment of your own infrastructure
- Always verify scan results - false positives/negatives can occur due to firewalls, load balancers, or network conditions