Overview
Nmap provides various scanning techniques to map a network, discover hosts, and identify open ports. In this module, you will learn:
- Basic Nmap commands and syntax
- Common scan types (SYN, TCP Connect, UDP)
- How to interpret scan results
Basic Nmap Commands and Syntax
Nmap follows a simple command structure:
nmap [options] [target]
[options] – Flags that modify the scan (e.g., -sS, -sT, -sU).
[target] – The IP address, hostname, or subnet to scan.
Example:
Scan a single IP address:
nmap 192.168.1.1
Scan a range of IPs:
nmap 192.168.1.1-100
Scan an entire subnet:
nmap 192.168.1.0/24
Scan a host by name (Nmap resolves the hostname first):
nmap scanme.nmap.org
Common Scan Types
SYN Scan (-sS) [Stealth Scan]
A SYN scan is Nmap's default when it runs with raw-packet (root) privileges. It sends a TCP SYN to each port and reads the reply: a SYN/ACK means open, a RST means closed, and no reply (or an ICMP unreachable error) means filtered. Nmap never completes the handshake; when it receives a SYN/ACK it answers with a RST, so the target application never sees a connection.
Example Command:
nmap -sS 192.168.1.1
Sample Output:
Starting Nmap 7.94 at 2025-02-28 12:00
Nmap scan report for 192.168.1.1
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Why use it?
- Faster than a full connect scan: one packet out, one packet back, no connection to tear down.
- Because no connection is completed, the target service's own logs usually show nothing. Stateful firewalls and IDS can still record the half-open SYN attempts, so the "stealth" is relative.
- Needs raw-packet privileges (root on Linux). An unprivileged user who does not request a scan type gets -sT by default instead.
TCP Connect Scan (-sT) [Non-Stealthy]
A TCP Connect scan establishes a full three-way handshake with each scanned port.
Example Command:
nmap -sT 192.168.1.1
Sample Output:
Starting Nmap 7.94 at 2025-02-28 12:05
Nmap scan report for 192.168.1.1
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
When to use it?
- When you lack raw-packet privileges: an unprivileged user cannot send the raw SYNs that -sS needs, so Nmap uses the operating system's connect() call instead.
- When stealth is not a concern: every open port receives a completed connection, which the target service can log.
UDP Scan (-sU) [For Non-TCP Services]
A UDP scan probes UDP ports, which carry services such as DNS (53), DHCP (67/68), and SNMP (161). Because UDP has no handshake, Nmap sends a (usually empty) datagram and judges the port by what, if anything, comes back.
Example Command:
nmap -sU 192.168.1.1
Sample Output:
Starting Nmap 7.94 at 2025-02-28 12:10
Nmap scan report for 192.168.1.1
PORT STATE SERVICE
53/udp open domain
67/udp open dhcps
161/udp open snmp
Key Points:
- UDP scans take far longer than TCP scans: a closed UDP port is identified only by an ICMP port-unreachable reply, and most hosts rate-limit those (Linux to about one per second), so Nmap has to wait out each one.
- Silence is ambiguous: an open service may simply not answer an empty probe, and a firewall dropping the probe looks identical. Nmap reports such ports as open|filtered rather than guessing; version detection (-sV) can often settle them.
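The reply-to-state logic behind the three scan types, as an added example in Python (this is not Nmap's source code; it models the inference rules Nmap documents for -sS, -sT and -sU, and the Reply names and function names are this example's own):

```python
"""How Nmap turns a probe's reply (or silence) into a port state.

Added example for this module, not Nmap's own code. It models the inference
rules Nmap documents for -sS, -sT and -sU; the Reply names and the function
names below are this example's own.
"""
import errno
from enum import Enum, auto


class Reply(Enum):
    SYN_ACK = auto()             # TCP SYN/ACK: a service is listening
    RST = auto()                 # TCP RST: host reachable, nothing listening
    UDP_DATA = auto()            # some UDP payload came back
    ICMP_PORT_UNREACH = auto()   # ICMP type 3 code 3 (port unreachable)
    ICMP_OTHER_UNREACH = auto()  # ICMP type 3, other codes (net/host/admin prohibited, ...)
    NONE = auto()                # nothing came back after all retransmissions


def syn_scan_state(reply):
    """-sS: a raw SYN is sent; a SYN/ACK is answered with a RST, so no
    handshake completes and the target application never sees a connection."""
    if reply is Reply.SYN_ACK:
        return "open"
    if reply is Reply.RST:
        return "closed"
    if reply in (Reply.ICMP_PORT_UNREACH, Reply.ICMP_OTHER_UNREACH, Reply.NONE):
        return "filtered"   # probes dropped, or rejected by an intermediate device
    raise ValueError(f"not a reply to a TCP SYN probe: {reply.name}")


def connect_scan_state(connect_errno):
    """-sT: the OS completes the full handshake via connect(); the scanner only
    sees the system-call result. That is why no raw-socket privilege is needed,
    and why the connection shows up in the service's own logs."""
    if connect_errno == 0:
        return "open"       # handshake completed; Nmap then closes the socket
    if connect_errno == errno.ECONNREFUSED:
        return "closed"     # the kernel received a RST
    if connect_errno in (errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"   # probes dropped or rejected upstream
    raise ValueError(f"unexpected connect() errno {connect_errno}")


def udp_scan_state(reply):
    """-sU: UDP has no handshake, so silence is ambiguous."""
    if reply is Reply.UDP_DATA:
        return "open"
    if reply is Reply.ICMP_PORT_UNREACH:
        return "closed"
    if reply is Reply.ICMP_OTHER_UNREACH:
        return "filtered"
    if reply is Reply.NONE:
        return "open|filtered"  # no service answered, or a filter ate the probe
    raise ValueError(f"not a reply to a UDP probe: {reply.name}")


def udp_closed_port_hours(closed_ports, icmp_errors_per_second=1):
    """Rough lower bound on -sU time against a host that rate-limits ICMP
    errors (Linux defaults to about one destination-unreachable per second):
    each closed port costs roughly one rate-limit interval."""
    return closed_ports / icmp_errors_per_second / 3600


if __name__ == "__main__":
    for reply in Reply:
        tcp = syn_scan_state(reply) if reply is not Reply.UDP_DATA else "n/a"
        udp = udp_scan_state(reply) if reply not in (Reply.SYN_ACK, Reply.RST) else "n/a"
        print(f"{reply.name:20} -sS: {tcp:10} -sU: {udp}")
    print(f"all 65536 UDP ports closed, 1 ICMP/s: ~{udp_closed_port_hours(65536):.1f} h")
```

The last function is why the "UDP scans take longer" point is not a tuning problem: against a host that answers every closed port with a rate-limited ICMP error, a full 65536-port -sU scan needs roughly 18 hours no matter how fast your network is.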
Interpreting Nmap Scan Results
Nmap reports each scanned port in one of these states:
State | Meaning
---|---
Open | An application is accepting TCP connections or UDP packets on the port.
Closed | The port is reachable (the host answered with a RST or an ICMP port-unreachable) but no application is listening on it.
Filtered | Probes were dropped or rejected by a firewall, router, or host-based filter, so Nmap cannot tell whether the port is open.
Open\|Filtered | Nmap received no reply at all (common with -sU). The port is either open or filtered; a follow-up probe such as -sV is needed to decide.
Example Command:
nmap -p 22,80,443 scanme.nmap.org
Sample Output:
Starting Nmap 7.94 at 2025-02-28 12:15
Nmap scan report for scanme.nmap.org
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp filtered https
Interpretation:
- SSH (22) is closed: the host answered the probe with a RST, so it is reachable but nothing is listening there.
- HTTP (80) is open: a service accepted the probe, most likely a web server.
- HTTPS (443) is filtered: the probes got no answer (or an ICMP unreachable), so something between you and the port is dropping them. Whether a service is listening behind the filter is unknown.
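Pulling those states out of a scan report programmatically, as an added example in Python (not part of Nmap; the report text below is constructed to look like the samples on this page and is not a real scan result):

```python
"""Parse the port table of Nmap's normal (human-readable) output.

Added example for this module, not part of Nmap. SAMPLE_REPORT is constructed
to resemble the page's samples; it is not a real scan result.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2025-02-28 12:15 UTC
Nmap scan report for scanme.nmap.org
Host is up (0.11s latency).
Not shown: 995 closed tcp ports (reset)
PORT      STATE         SERVICE
22/tcp    closed        ssh
80/tcp    open          http
443/tcp   filtered      https
53/udp    open|filtered domain
161/udp   closed        snmp

Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds
"""

# port/proto, state (may contain '|' for ambiguous states), service name
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>[a-z]+(?:\|[a-z]+)?)\s+"
    r"(?P<service>\S+)"
)
# Nmap collapses the most common state into one summary line
NOT_SHOWN = re.compile(
    r"^Not shown: (?P<count>\d+) (?P<state>[a-z|]+) (?P<proto>tcp|udp|sctp) ports"
)


def parse_report(text):
    """Return (rows, not_shown): rows is one dict per listed port,
    not_shown maps (state, proto) to the count of collapsed ports."""
    rows, not_shown = [], {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown[(m["state"], m["proto"])] = int(m["count"])
    return rows, not_shown


def ports_by_state(rows):
    """Group 'port/proto' strings by state, e.g. {'open': ['80/tcp'], ...}."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["state"]].append(f"{r['port']}/{r['proto']}")
    return dict(grouped)


def needs_follow_up(rows):
    """Ports whose state does not settle whether a service is listening.
    'filtered' and 'open|filtered' both call for a second look (for example
    -sV or --reason), not for the conclusion 'blocked'."""
    return [f"{r['port']}/{r['proto']}" for r in rows if "filtered" in r["state"]]


if __name__ == "__main__":
    rows, not_shown = parse_report(SAMPLE_REPORT)
    for state, ports in sorted(ports_by_state(rows).items()):
        print(f"{state:15} {', '.join(ports)}")
    print("collapsed:", not_shown)
    print("follow up:", needs_follow_up(rows))
```

Note that the "Not shown" line matters when reading results: the 995 closed ports it stands for are real findings (the host answered every one of them), which is why a report with a handful of filtered ports on an otherwise responsive host points at a per-port firewall rule rather than a dropped network path.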
Summary of Scan Types
Scan Type | Command | Purpose | Stealth Level
---|---|---|---
SYN Scan | -sS | Fast half-open TCP scan; needs raw-packet (root) privileges | High
TCP Connect Scan | -sT | Full three-way handshake; works without privileges but is logged by the service | Low
UDP Scan | -sU | Finds UDP services; slow, and silent ports come back as open\|filtered | Medium