Tuesday, September 27, 2016

Simple Guide to Network Scanning with Nmap

Nmap is a popular open source network exploration tool. It is a ton of features that are very useful to anyone trying to scan, even enumerate and look for vulnerabilities on a host or network.

Starting with the very basics; when scanning you are usually looking for the ports that are open on the live hosts and the services that are running on them.

There are 6 states a port can be but we will look only at the 2 main states: Open and Closed.

Open port: This means that an application is listening for connections on the is port. This is good, as it tells you that you can interact with it.

Closed port: This means that there is no application listening on this port. And you cannot talk to a closed port.

Let’s start looking at open ports on our victim machines.

From previous articles you learnt about a ICMP ping sweep scan with Nmap. Here we look at a TCP SYN ping scan.

TCP SYN Ping Scan


Input the command: nmap -PS <<target IP address>>

This command with the “-PS” flag tells nmap to send a SYN packet to the target and listen for a response. This command comes in handy for when your target system is configured to block ICMP ping sweeps.


Stealth Scan


Input the command: nmap -sS <<target IP address>>

This command with the “-sS” flag tells nmap to initiate a three-way handshake with the target but do not complete the hand shake.


This was useful in the past when firewalls dint used to log incomplete handshakes with the computer’s port. However with the latest firewalls, even an incomplete handshake is logged and thus not so stealth anymore.

Full Nmap Scan


Input the command: nmap -sV -O<<target IP address>>

With this command nmap scans the first 1000 ports on the target, with the “-sV” flag to find out the version of the services running on the open ports and with the “-O” flag to find out the operating system running on the target.

Look through the results and see if you can locate the OS details and the version numbers of any services discovered.


Now you must be wondering why put all different flags while you can just run a full scan and get the same results? The answer is noise. 

Running a full scan over the network makes too much noise and the network admins can get alerted and can even blacklist your attacker machine. So we resort to running specific scans to find out specific bits of information while make less noise. 


-Jayesh Kerai (@secjay)

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.