Nmap (Network Mapper) is an open-source tool for network discovery and security auditing. It allows cybersecurity professionals to scan hosts and services, identify active systems, open ports and potential vulnerabilities, making it essential for network reconnaissance and risk assessment.
- Maps network topology and identifies active devices
- Detects open, closed, filtered and unfiltered ports
- Supports TCP, SYN, UDP and Ping scans
- Helps find outdated or unpatched services for vulnerability management
- Provides detailed output with port numbers, services and response states
How to Use Nmap
Using Nmap is straightforward. Below are some basic steps and commands to get started with Nmap:
1. Install Nmap
- Linux: Install via your package manager
Command for Debian/Ubuntu:
sudo apt install nmap
Command for CentOS/Fedora:
sudo yum install nmap
- Windows & macOS: Download the installer from the official Nmap website and follow the installation instructions.
2. Verify Installation
Open a terminal or command prompt and type:
Command:
nmap --version
- This displays the installed Nmap version, confirming that the installation was successful.
Basic Syntax:
nmap [Scan Type] [Options] {Target}
- Scan Type: Specifies the type of scan (e.g., TCP connect, SYN).
- Options: Additional parameters like port ranges, timing or version detection.
- Target: IP address or domain name of the system to scan.
Nmap Scanning Techniques
1. TCP Scan / TCP Connect Scan
A full TCP scan that completes the standard 3-way handshake to determine if a port is open or closed. This is the most basic and reliable scan but can be easily detected by firewalls and logging systems.
Command:
nmap -sT 192.168.1.12 --top-ports 50
- -sT: TCP Connect scan (performs the full 3-way handshake).
- 192.168.1.12: Target host IP address.
- --top-ports 50: Scans the 50 most common TCP ports.
This scan completes the TCP 3-way handshake, which means the scanning host establishes a real connection with the target before any data is exchanged between the systems.

With this command your system sends a SYN packet; if the port is listening, the destination responds with a SYN-ACK packet and your system sends an ACK packet to complete the connection.
- If the port is closed, the destination responds with an RST/ACK packet.

2. SYN Scan / Stealth / Half-Open Scan
A SYN scan (also called a stealth or half-open scan) is a TCP scan that sends a SYN packet but does not complete the full TCP handshake. This makes it faster and less likely to be fully logged by the target system.
- Uses partial TCP handshake (does not complete connection)
- Sends SYN and stops after receiving response
- Helps reduce detection compared to full connect scans
Command:
nmap -sS 192.168.1.12 --top-ports 50
- -sS: SYN scan (half-open scan).
- 192.168.1.12: Target host IP.
- --top-ports 50: Scans the 50 most common TCP ports.
A SYN scan mimics a normal TCP connection attempt but stops short of completing the handshake. In a standard TCP handshake, a SYN packet is sent, followed by SYN-ACK from the server and an ACK from the client to establish a full connection.

In a SYN scan, the scanner sends a SYN packet and receives SYN-ACK if the port is open, but instead of sending the final ACK, it responds with an RST packet to terminate the connection early. Because the connection is never fully established, it is less likely to be logged by the target system.
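As an added example that is not part of the original article, the Python below classifies the flag sequences described above from a constructed packet log, telling a completed connect-scan handshake (-sT) from a half-open SYN probe (-sS) and from closed or unanswered ports; the log format and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not a real capture), one packet per line:
# "src dst dport flags".
SAMPLE_LOG = """\
10.0.0.5 192.168.1.12 22 SYN
192.168.1.12 10.0.0.5 22 SYN-ACK
10.0.0.5 192.168.1.12 22 ACK
10.0.0.5 192.168.1.12 80 SYN
192.168.1.12 10.0.0.5 80 SYN-ACK
10.0.0.5 192.168.1.12 80 RST
10.0.0.5 192.168.1.12 23 SYN
192.168.1.12 10.0.0.5 23 RST-ACK
10.0.0.5 192.168.1.12 3306 SYN
"""

# Flag sequences as the article describes them, seen from the scanner's side.
SEQUENCES = {
    ("SYN", "SYN-ACK", "ACK"): ("open", "connect"),   # -sT: full handshake
    ("SYN", "SYN-ACK", "RST"): ("open", "syn"),       # -sS: torn down early
    ("SYN", "RST-ACK"): ("closed", "either"),         # nothing listening
    ("SYN",): ("filtered", "either"),                 # no reply at all
}

def group_flows(log):
    """Group packets into per-port flows keyed by (scanner, target, dport).
    Replies from the target (SYN-ACK / RST-ACK) are folded into the flow the
    scanner opened, so each value is the ordered flag sequence of one probe."""
    flows = defaultdict(list)
    for line in log.splitlines():
        src, dst, port, flags = line.split()
        if flags in ("SYN-ACK", "RST-ACK"):
            src, dst = dst, src
        flows[(src, dst, int(port))].append(flags)
    return flows

def summarize(log):
    """Return {(scanner, target): {"ports": {dport: state}, "kinds": {kind: n}}}.
    Many distinct ports from one source with the half-open pattern is the
    network-level signature of an -sS scan that never reaches service logs."""
    summary = defaultdict(lambda: {"ports": {}, "kinds": defaultdict(int)})
    for (src, dst, port), flags in group_flows(log).items():
        state, kind = SEQUENCES.get(tuple(flags), ("unknown", "unknown"))
        entry = summary[(src, dst)]
        entry["ports"][port] = state
        entry["kinds"][kind] += 1
    return summary

if __name__ == "__main__":
    for (src, dst), entry in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(entry['ports'])} ports probed, "
              f"kinds {dict(entry['kinds'])}, states {entry['ports']}")
```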

3. UDP Scan
Scans for open UDP ports by sending empty UDP packets. Since UDP is connectionless, open ports may not respond, making this scan slower and less reliable than TCP scans.
Command:
nmap -sU 192.168.1.12 --top-ports 50
- -sU: UDP scan.
- 192.168.1.12: Target host IP.
- --top-ports 50: Checks the 50 most common UDP ports.
The scan sends empty UDP packets to each probed port and takes considerably more time than a TCP scan, since open ports that do not reply must be retried and timed out.

4. Ping Scan / No-Port Scan
Checks which hosts are alive without scanning for ports. Useful for network discovery and quickly mapping active devices.
Command:
nmap -sn 192.168.1.0/24
- -sn: Ping scan only (no port scan).
- 192.168.1.0/24: Scans all hosts in the subnet (192.168.1.0 to 192.168.1.255).
This only lists the hosts that respond to the host discovery probes within the network; the command says nothing about the ports of those systems. You can also run it against a single IP address to check whether that host is up.

Port States and Their Meaning
There are mainly 4 port states in scan results, plus two combined states reported when Nmap cannot decide between them.
- Open: The port is accepting connections; a service is listening (e.g., MySQL on port 3306).
- Closed: The port is reachable, but no service is listening.
- Filtered: A firewall or security system blocks probes, so it’s unclear if the port is open or closed. Unusual responses (like ICMP Unreachable) also indicate filtering.
- Unfiltered: The port responds to probes, but its exact state cannot be determined. Often occurs in ACK scans, where accessibility is confirmed but openness is unknown.
- Open | Filtered: No response is received, so the port may be open or filtered. Lack of ACK in some scans makes distinction impossible.
- Closed | Filtered: Conflicting responses suggest the port is sometimes closed and sometimes filtered, making its exact state unknown.
Best Practices for Network Vulnerability Discovery
- Use Multiple Scan Types: Combine TCP, SYN, UDP and Ping scans for comprehensive analysis.
- Timing and Performance: Adjust scan speed (-T0 to -T5) for stealth or speed.
- Regular Scanning: Periodically scan your network to detect new vulnerabilities or misconfigurations.
- Safe Scanning: Use version detection (-sV) without probing aggressively and always get consent for external networks.
- Save Results: Export scan output with -oN, -oX or -oG for future analysis.
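As an added example that is not from the original article, the Python below parses Nmap's grepable (-oG) output, which the Save Results tip mentions, into per-host port records and counts them by the states listed in the port-states section; the scan output is a constructed sample, not a real result.

```python
# Constructed sample of Nmap grepable output (-oG), not a real scan result.
# Each "Ports:" field is a comma-separated list of
# port/state/protocol/owner/service/rpcinfo/version/ records.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -oG - 192.168.1.12
Host: 192.168.1.12 ()\tStatus: Up
Host: 192.168.1.12 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, \
443/filtered/tcp//https///, 53/open|filtered/udp//domain///, \
3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: closed (95)
# Nmap done -- 1 IP address (1 host up) scanned in 1.20 seconds
"""

def parse_grepable(text):
    """Return {host: {"status": str, "ignored": str,
                      "ports": [(port, proto, state, service, version)]}}.
    Lines are tab-separated "Key: value" fields; comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split()[0]          # "192.168.1.12 ()" -> address
        entry = hosts.setdefault(host, {"status": None, "ignored": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "Ignored State" in fields:
            entry["ignored"] = fields["Ignored State"]
        for rec in fields.get("Ports", "").split(", "):
            if not rec:
                continue
            port, state, proto, _owner, service, _rpc, version, _ = rec.split("/")
            entry["ports"].append((int(port), proto, state, service, version))
    return hosts

def by_state(hosts):
    """Count ports per state across all hosts, so open, filtered and
    open|filtered results are reported separately rather than lumped together."""
    counts = {}
    for entry in hosts.values():
        for _port, _proto, state, _service, _version in entry["ports"]:
            counts[state] = counts.get(state, 0) + 1
    return counts

if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    for host, entry in parsed.items():
        print(host, entry["status"], "ignored:", entry["ignored"])
        for rec in entry["ports"]:
            print("  ", rec)
    print(by_state(parsed))
```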