Courses / Nmap Mastery: Dominate Network Scanning

Essential Nmap Scanning

Last Edit: 09-04-2025

Overview

Nmap provides various scanning techniques to map a network, discover hosts, and identify open ports. In this module, you will learn:

  • Basic Nmap commands and syntax
  • Common scan types (SYN, TCP Connect, UDP)
  • How to interpret scan results

Basic Nmap Commands and Syntax

Nmap follows a simple command structure:

nmap [options] [target]

  • [options] – Flags that modify the scan (e.g., -sS, -sT, -sU). Options come before the target and can be combined, as in nmap -sS -p 22,80 192.168.1.1.
  • [target] – The IP address, hostname, CIDR block, or octet range to scan. Several targets can be listed, separated by spaces.

Example:

Scan a single IP address:

nmap 192.168.1.1

Scan a range of IPs:

nmap 192.168.1.1-100

Scan an entire subnet:

nmap 192.168.1.0/24

Scan a specific domain:

nmap scanme.nmap.org
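The target notation above, as an added example that is not part of the course or of Nmap itself: a Python function that expands an Nmap-style target argument into the individual addresses it covers, which is a quick way to see (and count) exactly which hosts a scan will touch before running it. It handles the three notations shown (single IP, last-octet range, CIDR) and, going a step beyond the page, Nmap's general octet ranges and comma lists in any octet, such as 10.0.0-1.1,5. Hostnames are returned unchanged because Nmap resolves them at scan time and this runs offline; wildcards and open-ended ranges are deliberately left out.

```python
"""Expand Nmap target specifications into individual addresses.

Added example for this course page, not Nmap's own code. Handles single
IPs, CIDR blocks, and octet ranges / comma lists in any octet; hostnames
are passed through untouched. Wildcards (*) and open-ended ranges are not
handled.
"""
import ipaddress
import itertools


def _expand_octet(field):
    """'1-3,7' -> [1, 2, 3, 7]; every value must fit in one byte."""
    values = set()
    for part in field.split(","):
        lo, dash, hi = part.partition("-")
        if not lo.isdigit() or (dash and not hi.isdigit()):
            raise ValueError(f"bad octet range: {field!r}")
        start, end = int(lo), (int(hi) if dash else int(lo))
        if not 0 <= start <= end <= 255:
            raise ValueError(f"octet range outside 0-255: {field!r}")
        values.update(range(start, end + 1))
    return sorted(values)


def _looks_like_octet_spec(spec):
    """Four dot-separated fields made only of digits, dashes and commas."""
    octets = spec.split(".")
    return len(octets) == 4 and all(
        octet and set(octet) <= set("0123456789-,") for octet in octets)


def expand_target(spec):
    """Return the list of addresses one Nmap target argument covers."""
    spec = spec.strip()
    if "/" in spec:                                   # CIDR: 192.168.1.0/24
        # strict=False accepts host bits set, as Nmap does. Iterating the
        # network yields every address including the network and broadcast
        # addresses, which Nmap scans too unless told otherwise.
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    if _looks_like_octet_spec(spec):                  # 192.168.1.1-100, 10.0.0-1.1,5
        octets = [_expand_octet(field) for field in spec.split(".")]
        return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    return [spec]                                     # hostname: Nmap resolves it later


def expand_targets(specs):
    """Expand several arguments, de-duplicating while keeping order."""
    seen, out = set(), []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


if __name__ == "__main__":
    for spec in ("192.168.1.1", "192.168.1.1-100", "192.168.1.0/24", "scanme.nmap.org"):
        hosts = expand_target(spec)
        print(f"{spec:20} -> {len(hosts):4} host(s): {hosts[0]} .. {hosts[-1]}")
```

A /24 expands to 256 addresses, not 254: Nmap includes the network and broadcast addresses in a CIDR target, so use --exclude if you do not want them probed.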


Common Scan Types

SYN Scan (-sS) [Stealth Scan]

A SYN scan (also called a half-open scan) is Nmap's default scan type when it runs with raw-packet privileges (root on Linux, Administrator on Windows). It sends a TCP SYN packet to each port: a SYN/ACK reply means the port is open, a RST means it is closed, and no reply means it is filtered. When a SYN/ACK comes back, Nmap answers with a RST instead of the final ACK, so the handshake is never completed and no connection is established.

Example Command:

nmap -sS 192.168.1.1

Sample Output:

Starting Nmap 7.94 at 2025-02-28 12:00
Nmap scan report for 192.168.1.1
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https

Why use it?

  • Faster than a connect scan: there is no handshake to complete and no connection to tear down for every open port.
  • Because the handshake never completes, the target application never sees a connection, so application-level logs (web server, SSH daemon) usually do not record the probe. It is not invisible: the SYN packets are still seen by stateful firewalls, IDS sensors, and host-level packet logging.
  • It needs raw-socket privileges; run as an unprivileged user, Nmap silently falls back to a connect scan.

TCP Connect Scan (-sT) [Non-Stealthy]

A TCP Connect scan uses the operating system's connect() call, so it completes a full three-way handshake (SYN, SYN/ACK, ACK) with every open port and then closes the connection. The service on the other end sees a real, if brief, connection and can log it.

Example Command:

nmap -sT 192.168.1.1

Sample Output:

Starting Nmap 7.94 at 2025-02-28 12:05
Nmap scan report for 192.168.1.1
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   open     http

When to use it?

  • When Nmap cannot send raw packets, typically because it is run as an unprivileged user; Nmap then uses -sT automatically.
  • When you don’t need stealth and are happy for the probe to appear in the target’s connection logs.
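The connect scan described above, as an added example that is not part of the course or of Nmap itself: a minimal connect() scanner in Python that labels ports the way Nmap labels -sT results (successful handshake is open, RST is closed, no answer is filtered), plus a throwaway listener on 127.0.0.1 that records every accepted connection the way a service log would. The loopback host, the ports, and the listener are constructed for the example; running it shows the scanned service logging the probe, which is exactly what a SYN scan avoids by never completing the handshake.

```python
"""What `nmap -sT` does under the hood: a connect() scan against localhost,
with a tiny listener that logs each completed handshake.

Added example for this course page, not Nmap's own code. The state mapping
(connect OK -> open, RST -> closed, no reply -> filtered) mirrors how Nmap
labels connect-scan results; host, ports and the listener are constructed
here so the example runs offline.
"""
import errno
import socket
import threading
import time

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def connect_scan_port(host, port, timeout=1.0):
    """Classify one TCP port by attempting a full three-way handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))          # SYN -> SYN/ACK -> ACK
        except ConnectionRefusedError:          # host answered with RST
            return CLOSED
        except (socket.timeout, TimeoutError):  # no answer at all
            return FILTERED
        except OSError as exc:                  # ICMP unreachable and friends
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return FILTERED
            raise
        return OPEN


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports; returns {port: state}, like Nmap's PORT/STATE table."""
    return {port: connect_scan_port(host, port, timeout) for port in ports}


class LoggingListener:
    """Stand-in for a real service: records the peer of every accept()ed
    connection, the way an application log would. A connect scan shows up
    here; a SYN scan, which never completes the handshake, would not."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))               # port 0: the OS picks a free port
        self.sock.listen(5)
        self.sock.settimeout(0.1)               # lets the serve loop notice shutdown
        self.port = self.sock.getsockname()[1]
        self.connections = []                   # (peer_ip, peer_port) per handshake
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.connections.append(peer)       # "log" the completed connection
            conn.close()

    def close(self):
        self._running = False
        self._thread.join(timeout=2.0)
        self.sock.close()


def free_closed_port(host="127.0.0.1"):
    """Pick a port that is closed right now: bind to 0, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def demo(host="127.0.0.1"):
    """Scan one listening port and one closed port; return what both sides saw."""
    listener = LoggingListener(host)
    closed_port = free_closed_port(host)
    try:
        states = connect_scan(host, [listener.port, closed_port])
        deadline = time.monotonic() + 2.0       # give the accept thread a moment
        while not listener.connections and time.monotonic() < deadline:
            time.sleep(0.01)
        logged = list(listener.connections)
    finally:
        listener.close()
    return {"open_port": listener.port, "closed_port": closed_port,
            "states": states, "logged": logged}


if __name__ == "__main__":
    result = demo()
    for port, state in sorted(result["states"].items()):
        print(f"{port}/tcp\t{state}")
    print("listener logged:", result["logged"])
```

The closed port comes back immediately because the kernel answers with a RST; a port behind a firewall that drops packets would instead sit there until the timeout and be reported as filtered, which is why connect scans against filtered hosts are so slow.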

UDP Scan (-sU) [For Non-TCP Services]

A UDP scan sends a UDP datagram to each port (with a protocol-specific payload for well-known ports such as DNS and SNMP, an empty one otherwise) and watches for a reply. It finds services that a TCP-only scan never sees: DNS, SNMP, DHCP, NTP, and the like.

Example Command:

nmap -sU 192.168.1.1

Sample Output:

Starting Nmap 7.94 at 2025-02-28 12:10
Nmap scan report for 192.168.1.1
PORT     STATE    SERVICE
53/udp   open     domain
67/udp   open     dhcps
161/udp  open     snmp

Key Points:

  • UDP scans need raw-socket privileges, like SYN scans.
  • UDP scans take much longer than TCP scans: an open port may not reply at all, so Nmap has to wait for a timeout and retransmit, and most hosts rate-limit the ICMP port-unreachable messages that identify closed ports (Linux sends about one per second), so a full 65,535-port UDP sweep of one host can take many hours.
  • When a port simply does not answer, Nmap reports it as open|filtered: it cannot tell an open service that ignores the probe from a firewall that dropped it. Adding -sV sends service-specific probes that resolve the ambiguity for recognized protocols.
  • Some firewalls and routers drop UDP traffic, or the ICMP replies to it, which makes most ports appear open|filtered.

Interpreting Nmap Scan Results

Nmap labels every scanned port with one of a small set of states. The ones you will see most often:

State           Meaning
open            Something is accepting traffic on the port (TCP: a SYN/ACK came back; UDP: a reply came back).
closed          The host answered (TCP RST or ICMP port unreachable), so the port is reachable, but no service is listening on it.
filtered        Nmap got no answer, or only an ICMP error, so it cannot tell whether the port is open; a firewall, router ACL, or host-based filter is probably dropping the probes.
open|filtered   Nmap cannot distinguish open from filtered. This is common in UDP scans, where an open port often does not reply at all.

Example Command:

nmap -p 22,80,443 scanme.nmap.org

Sample Output:

Starting Nmap 7.94 at 2025-02-28 12:15
Nmap scan report for scanme.nmap.org
PORT     STATE    SERVICE
22/tcp   closed   ssh
80/tcp   open     http
443/tcp  filtered https

Interpretation:

  • SSH (22) is closed: the host answered with a RST, so it is reachable but nothing is listening on that port.
  • HTTP (80) is open: something completed the handshake, most likely a web server; add -sV to confirm what it actually is.
  • HTTPS (443) is filtered: Nmap's probes got no answer (or an ICMP error), so a firewall is probably dropping traffic to this port. The service may still be running behind it.
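Interpreting results in bulk, as an added example that is not part of the course or of Nmap itself (it also covers the open|filtered state from the UDP section): a Python parser for the PORT/STATE/SERVICE table in Nmap's normal output that groups ports by state across several hosts and lists the ones whose state is ambiguous and needs a different probe. The sample report embedded in the code is constructed for the example from the outputs shown above, with an open|filtered UDP port added. For real jobs, use Nmap's machine-readable -oX or -oG output rather than scraping the human-readable form; the parser reads the normal format here because that is what the page shows.

```python
"""Parse the PORT/STATE/SERVICE table of Nmap's normal output and group
ports by state, so a scan of many hosts can be triaged quickly.

Added example for this course page, not Nmap's own code. SAMPLE_REPORT is
constructed for the example from the outputs shown on the page, plus an
open|filtered UDP port of the kind a UDP scan produces when a port does
not answer.
"""
import re
from collections import defaultdict

# Longer alternatives first so "open|filtered" is not cut short at "open".
STATES = ("open|filtered", "closed|filtered", "unfiltered", "open", "closed", "filtered")

PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>" + "|".join(re.escape(s) for s in STATES) + r")\s+"
    r"(?P<service>\S+)")
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")

SAMPLE_REPORT = """\
Starting Nmap 7.94 at 2025-02-28 12:15
Nmap scan report for scanme.nmap.org
PORT     STATE         SERVICE
22/tcp   closed        ssh
80/tcp   open          http
443/tcp  filtered      https
Nmap scan report for 192.168.1.1
PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
161/udp  open          snmp
Nmap done: 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""


def parse_report(text):
    """Return {host: [(port, proto, state, service), ...]} from normal output."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        host_match = HOST_LINE.match(line)
        if host_match:
            current = host_match["host"]
            hosts[current] = []
            continue
        port_match = PORT_LINE.match(line)
        if port_match and current is not None:
            hosts[current].append((int(port_match["port"]), port_match["proto"],
                                   port_match["state"], port_match["service"]))
    return hosts


def group_by_state(hosts):
    """{state: ["host:port/proto", ...]} across all hosts, for triage."""
    grouped = defaultdict(list)
    for host, ports in hosts.items():
        for port, proto, state, _service in ports:
            grouped[state].append(f"{host}:{port}/{proto}")
    return dict(grouped)


def needs_followup(hosts):
    """Ports whose state is ambiguous: the scan got no definitive answer, so
    a different probe (-sV, an ACK scan, another vantage point) is needed
    before concluding anything about them."""
    ambiguous = {"filtered", "open|filtered", "closed|filtered"}
    return [f"{host}:{port}/{proto} ({state})"
            for host, ports in hosts.items()
            for port, proto, state, _service in ports if state in ambiguous]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for state, entries in sorted(group_by_state(parsed).items()):
        print(f"{state:14} {', '.join(entries)}")
    print("follow up:", needs_followup(parsed))
```

Treat the open list as the attack surface to enumerate next and the follow-up list as unknowns, not as closed: a filtered 443 may well be a live HTTPS service behind a firewall rule that only admits certain sources.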

Summary of Scan Types

Scan Type          Command   Purpose                                                    Stealth Level   Privileges
SYN Scan           -sS       Fast half-open TCP scan; handshake never completed         High            Raw sockets (root/Administrator)
TCP Connect Scan   -sT       Full three-way handshake via connect(); visible to target  Low             None
UDP Scan           -sU       Scans UDP services; slow, many ports open|filtered         Medium          Raw sockets (root/Administrator)