Nmap (Network Mapper)

📝 Overview

What it is: The undisputed industry standard for network discovery and security auditing. It is a free, open-source CLI tool used to discover live hosts on a network, identify open ports, and determine what services and operating systems are running on those ports.

Target Phase: Active Reconnaissance / Enumeration

Operating System: Cross-Platform (pre-installed on Kali/Parrot, available on Windows/macOS)

⚙️ Core Capabilities

  • Host Discovery (Ping Sweep): Rapidly maps out exactly which IP addresses are actively online within a given subnet without fully scanning their ports.
  • Port Scanning: Probes thousands of ports (TCP and UDP) to see if they are open, closed, or filtered by a firewall.
  • Service & OS Fingerprinting: Doesn’t just find an open port; it actively interrogates the service to determine the exact software version (e.g., Apache 2.4.49) and guesses the underlying Operating System.
  • Nmap Scripting Engine (NSE): Allows pentesters to write or use pre-existing Lua scripts to automate advanced enumeration and even execute vulnerability exploitation directly from Nmap.

💻 Common Commands & Flags

Nmap commands are built by combining a target with specific scan types (-s) and options.

Command: Description

  • nmap -sn 192.168.1.0/24: Ping Sweep. Discovers live hosts on a subnet. Does not scan ports.
  • nmap -sS [Target_IP]: TCP SYN Scan (Stealth). The default scan when run as root/sudo. It sends a SYN, waits for the SYN/ACK, then sends an RST to tear the connection down before it fully opens. It is faster and slightly stealthier because the target application rarely logs a connection that never completed.
  • nmap -sT [Target_IP]: TCP Connect Scan. Completes the full 3-way handshake. It is highly reliable but extremely noisy and will be logged by the target system.
  • nmap -sU [Target_IP]: UDP Scan. Scans for open UDP ports (like SNMP or DNS). It is notoriously slow and unreliable compared to TCP scanning.
  • nmap -p- [Target_IP]: Scans all 65,535 ports instead of just the default top 1,000.
  • nmap -sV [Target_IP]: Version Detection. Interrogates open ports to determine the service/software version.
  • nmap -O [Target_IP]: OS Detection. Attempts to identify the target’s operating system based on TCP/IP stack fingerprinting.
  • nmap -A [Target_IP]: Aggressive Scan. The “do everything” flag. Enables OS detection, version detection, script scanning, and traceroute simultaneously. Extremely loud.
  • nmap --script vuln [Target_IP]: Runs all NSE scripts categorized as checking for known vulnerabilities.
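Whichever scan type is used, the results are far easier to track (and to diff against an asset inventory) when Nmap writes XML with -oX and a script reads it back. The example below is added here and is not part of the original notes or of the Nmap project: it parses a constructed, trimmed sample of the -oX format (the elements used are the real ones Nmap emits, but the hosts, ports and versions are made up) and separates open services from filtered ports.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of the XML that `nmap -oX` writes, trimmed to the
# elements used below. Addresses and versions are made up (RFC 5737 ranges).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.49"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass
class PortResult:
    proto: str
    port: int
    state: str     # open / closed / filtered / ...
    reason: str    # why nmap chose that state, e.g. syn-ack, no-response
    service: str
    product: str
    version: str


def parse_nmap_xml(xml_text):
    """Return {ip: [PortResult, ...]} for every host nmap reports as up."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            ports.append(PortResult(
                proto=port.get("protocol"),
                port=int(port.get("portid")),
                state=state.get("state") if state is not None else "unknown",
                reason=state.get("reason", "") if state is not None else "",
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
        results[addr.get("addr")] = ports
    return results


def open_services(results):
    """Inventory view: (ip, port, 'product version') for every open port."""
    rows = []
    for ip, ports in sorted(results.items()):
        for p in ports:
            if p.state == "open":
                rows.append((ip, p.port, f"{p.product} {p.version}".strip()))
    return rows


def filtered_ports(results):
    """Ports whose probe got no answer: something is most likely dropping the packets."""
    return [(ip, p.port) for ip, ports in sorted(results.items())
            for p in ports if p.state == "filtered"]


if __name__ == "__main__":
    res = parse_nmap_xml(SAMPLE_XML)
    for ip, port, banner in open_services(res):
        print(f"{ip}:{port}  {banner}")
    print("filtered:", filtered_ports(res))
```

The reason attribute is worth keeping: "syn-ack" versus "no-response" is exactly the evidence behind the open/filtered verdict, and it is what you compare when a later scan from a different vantage point disagrees.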

⚠️ Notes & Limitations

  • Timing & Speed: You can adjust how fast Nmap scans using -T0 (Paranoid/Slowest) through -T5 (Insane/Fastest). -T4 is the standard for fast, reliable scanning on a decent network connection.
  • Firewall Evasion: If ports return as “filtered,” there is likely a firewall blocking your probes. Advanced flags like -f (fragment packets) or -D (decoy scans) are used to try to get past IDS/firewall rules.
  • UDP Sluggishness: Because UDP is a connectionless protocol, scanning it is painful. If a port is open, the service rarely replies to an empty probe. If it is closed, the host sends an ICMP port unreachable error. Nmap often has to wait and retry to tell an open port from a silently dropped packet, which makes UDP scans take far longer than TCP scans.

🏷️ Tags

#Tools #CLITool #Nmap #ActiveRecon #PortScanning #Enumeration #NetworkSecurity #PenTestPlus

A fundamental to lock down is the difference between -sS (SYN Scan) and -sT (Connect Scan).

Because you have an IT background, you likely already know the standard TCP 3-way handshake (SYN, SYN/ACK, ACK). The -sS scan is considered “stealthy” because it sends the initial SYN, receives the target’s SYN/ACK, and then abruptly sends an RST (Reset) packet to slam the door shut. Because the connection never officially completes, the kernel never hands it to the listening application (such as an Apache web server), so the application usually never writes the interaction into its logs. The network stack, a firewall, or an IDS in the path still sees every packet, which is where half-open scans are caught.
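From the defender’s side, that difference is the whole detection story: a connect scan shows up in application logs, while a SYN scan shows up only at the packet level as a burst of half-open handshakes. The example below is added here (not from the original notes or from Nmap) and runs over a constructed list of TCP segments, the kind of per-packet summary a sensor or firewall would log. It labels each handshake outcome, lists which connections an application log could ever contain, and flags a client that probed several ports without completing any of them.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): one tuple per TCP segment
# seen at the target. Fields: src, sport, dst, dport, TCP flags.
# 198.51.100.7 behaves like an -sS scanner; 203.0.113.5 is an ordinary client.
SAMPLE_PACKETS = [
    ("198.51.100.7", 40001, "192.0.2.10", 22, "S"),      # SYN
    ("192.0.2.10", 22, "198.51.100.7", 40001, "SA"),     # SYN/ACK: port open
    ("198.51.100.7", 40001, "192.0.2.10", 22, "R"),      # RST: handshake aborted
    ("198.51.100.7", 40002, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "198.51.100.7", 40002, "SA"),
    ("198.51.100.7", 40002, "192.0.2.10", 80, "R"),
    ("198.51.100.7", 40003, "192.0.2.10", 443, "S"),
    ("192.0.2.10", 443, "198.51.100.7", 40003, "SA"),
    ("198.51.100.7", 40003, "192.0.2.10", 443, "R"),
    ("198.51.100.7", 40004, "192.0.2.10", 8080, "S"),
    ("192.0.2.10", 8080, "198.51.100.7", 40004, "RA"),   # RST/ACK: port closed
    ("198.51.100.7", 40005, "192.0.2.10", 445, "S"),     # no reply: filtered
    ("203.0.113.5", 51000, "192.0.2.10", 80, "S"),       # legitimate client
    ("192.0.2.10", 80, "203.0.113.5", 51000, "SA"),
    ("203.0.113.5", 51000, "192.0.2.10", 80, "A"),       # handshake completes
    ("203.0.113.5", 51000, "192.0.2.10", 80, "PA"),      # HTTP request follows
]


def handshake_outcome(seq):
    """seq is [(direction, flags), ...] with direction 'c' (client) or 's' (server)."""
    server = [(i, f) for i, (d, f) in enumerate(seq) if d == "s"]
    if not server:
        return "no_response"            # nothing came back: filtered
    first_idx, first_flags = server[0]
    if "R" in first_flags:
        return "closed"                 # host answered RST/ACK
    if "S" in first_flags and "A" in first_flags:
        # What the client did after the SYN/ACK decides the outcome.
        for d, f in seq[first_idx + 1:]:
            if d != "c":
                continue
            if "R" in f:
                return "half_open"      # SYN scan signature
            if "A" in f:
                return "completed"      # connect scan or real client
        return "incomplete"
    return "unknown"


def classify_flows(packets):
    """Group segments by the client's 4-tuple (the side that sent the first SYN)."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            flows[fwd].append(("c", flags))
        elif rev in flows:
            flows[rev].append(("s", flags))
        elif flags == "S":
            flows[fwd] = [("c", "S")]   # a new connection attempt
        # any other segment belongs to a flow we did not see start; ignore it
    return {key: handshake_outcome(seq) for key, seq in flows.items()}


def application_visible_connections(outcomes):
    """Only completed handshakes ever reach the listening application (and its logs)."""
    return sorted(k for k, o in outcomes.items() if o == "completed")


def suspected_syn_scanners(outcomes, min_ports=3):
    """Clients that touched at least min_ports (server, port) pairs without completing any."""
    probes = defaultdict(set)
    for (client, _, server, port), outcome in outcomes.items():
        if outcome in ("half_open", "closed", "no_response"):
            probes[client].add((server, port))
    return {c: sorted(p) for c, p in probes.items() if len(p) >= min_ports}


if __name__ == "__main__":
    outcomes = classify_flows(SAMPLE_PACKETS)
    for flow, outcome in outcomes.items():
        print(flow, outcome)
    print("application would log:", application_visible_connections(outcomes))
    print("suspected SYN scanners:", suspected_syn_scanners(outcomes))
```

The threshold of three distinct ports is an assumption chosen for the sample; in practice it is tuned per network, and closed and filtered probes are counted alongside half-open ones because a scanner touches all three kinds while enumerating.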

Using Nmap Scripts

Nmap includes some scripts that can also be used to validate scan results. Many are found under the vuln script category. These scripts check for specific known vulnerabilities and will report results if the vulnerability is found.

For example, if OpenVAS reports that a server is vulnerable to the Slowloris DoS attack, the Nmap vuln script http-slowloris-check can be used to validate that result without actually performing the denial of service, which is most likely outside the scope of the PenTest.