Fast Track Nmap Guide

Master network reconnaissance, stealth scanning, and firewall evasion techniques

Tool: Nmap (Network Mapper)

Category: Network Scanning & Enumeration

Difficulty: Beginner to Advanced

Website: https://nmap.org

Introduction to Nmap

Nmap (Network Mapper) is the industry standard for network discovery and security auditing. Created by Gordon "Fyodor" Lyon in 1997, it has evolved from a simple port scanner to a comprehensive network reconnaissance tool used by security professionals worldwide.

What makes Nmap indispensable for ethical hackers is its ability to provide detailed information about:

  • Live hosts on a network
  • Open ports and services
  • Service versions and operating systems
  • Network vulnerabilities and misconfigurations

💡 Professional Insight: Nmap's true power lies in its scripting engine (NSE), which allows for automated vulnerability detection, advanced service enumeration, and network exploitation.

Installation

Nmap comes pre-installed on most penetration testing distributions. For other systems:

# Kali Linux (Pre-installed)
# Already available

# Ubuntu/Debian
sudo apt update && sudo apt install nmap

# CentOS/RHEL
sudo yum install nmap

# Windows
# Download installer from https://nmap.org/download.html

# macOS
brew install nmap
πŸ“ Note: Advanced scanning techniques like SYN scans require root/administrator privileges on most systems.

Basic Syntax & Structure

Understanding Nmap's command structure is fundamental to effective network reconnaissance.

nmap [Scan Type] [Options] [Target Specification]

Core Components:

  • Scan Type - Defines the scanning methodology (-sS, -sT, -sU, etc.)
  • Options - Modifies scan behavior (-A, -O, -sV, etc.)
  • Target - IP addresses, ranges, or hostnames to scan

# Basic examples
nmap 192.168.1.1
nmap 192.168.1.0/24
nmap -sS -A -T4 target.com
nmap -iL targets.txt

Comprehensive Scan Types

Nmap offers multiple scanning techniques, each with specific use cases and trade-offs.

TCP Connect Scan (-sT)

The TCP Connect Scan is the most basic and reliable scanning method. It performs a complete TCP three-way handshake with each target port.

nmap -sT 192.168.1.1

How It Works

This scan uses the operating system's connect() system call to establish a full connection:

Open Port:
Attacker: SYN →
Target: SYN-ACK ←
Attacker: ACK →
Attacker: RST → (close connection)

Closed Port:
Attacker: SYN →
Target: RST ←

Technical Details:

  • Uses system's TCP stack - no raw socket privileges needed
  • Most accurate for determining actual service availability
  • Creates full connections that appear in application logs
  • Slower than SYN scans due to connection overhead

✅ Advantages

  • No special privileges required
  • Highly reliable and accurate
  • Works through most firewalls
  • Easy to understand and troubleshoot

❌ Disadvantages

  • Easily detected by intrusion detection systems
  • Creates numerous log entries on target
  • Slower than stealth scanning methods
  • Can trigger rate limiting on services

SYN Stealth Scan (-sS)

The SYN scan, also known as "half-open scanning," is the default and preferred method for most security assessments due to its speed and stealth characteristics.

sudo nmap -sS 192.168.1.1

Stealth Mechanics

SYN scans never complete the TCP handshake, making them less likely to be logged:

Open Port:
Attacker: SYN →
Target: SYN-ACK ←
Attacker: RST → (instead of ACK)

Closed Port:
Attacker: SYN →
Target: RST ←

Technical Details:

  • Requires raw socket privileges (root/administrator)
  • Bypasses many simple logging mechanisms
  • Much faster than TCP Connect scans
  • Default scan type when running with privileges

✅ Advantages

  • Fast and efficient for large networks
  • Stealthy - avoids many logging systems
  • Less resource intensive on both ends
  • Industry standard for security professionals

❌ Disadvantages

  • Requires elevated privileges
  • Can be detected by modern IDS/IPS
  • May crash unstable services
  • Some firewalls specifically block SYN packets

UDP Scan (-sU)

UDP scanning is essential for discovering services that operate over connectionless protocols, though it presents significant challenges due to UDP's stateless nature.

sudo nmap -sU 192.168.1.1

UDP Scanning Challenges

UDP's connectionless nature makes scanning fundamentally different from TCP:

Open Port:
Attacker: UDP Packet →
Target: (No response or application response)

Closed Port:
Attacker: UDP Packet →
Target: ICMP Port Unreachable ←

Critical UDP Services

  • DNS (53) - Domain Name System - critical for network mapping
  • SNMP (161) - Simple Network Management Protocol - often reveals extensive network information
  • DHCP (67/68) - Dynamic Host Configuration Protocol
  • TFTP (69) - Trivial File Transfer Protocol
  • NTP (123) - Network Time Protocol

# Efficient UDP scanning strategies
nmap -sU --top-ports 100 192.168.1.1
nmap -sU -p 53,161,162,69,123 192.168.1.1
nmap -sU --min-rate 1000 192.168.1.1

⚠️ Important: Full UDP scans (all 65,535 ports) can take days to complete. Always use --top-ports or specific port ranges for practical assessments.

ACK Scan (-sA)

ACK scanning is used to map firewall rulesets and determine filtering policies rather than discover open ports.

sudo nmap -sA 192.168.1.1

Firewall Mapping

ACK scans help determine how firewalls handle established connections:

Unfiltered Port:
Attacker: ACK →
Target: RST ←

Filtered Port:
Attacker: ACK →
Target: (No response or ICMP error)

Use Cases:

  • Determine stateful vs stateless firewall configurations
  • Map firewall rule sets and filtering policies
  • Identify ports that are filtered but might be open
  • Bypass some stateless firewall rules

Stealth Scans: FIN, NULL, XMAS (-sF, -sN, -sX)

These advanced scans manipulate TCP flags to bypass primitive firewall rules and intrusion detection systems.

# FIN Scan
sudo nmap -sF 192.168.1.1

# NULL Scan
sudo nmap -sN 192.168.1.1

# XMAS Scan
sudo nmap -sX 192.168.1.1

Stealth Scan Mechanics

  • FIN Scan (-sF): Sends packets with only FIN flag set
  • NULL Scan (-sN): Sends packets with no flags set
  • XMAS Scan (-sX): Sends packets with FIN, PSH, and URG flags set

⚠️ Effectiveness: These scans primarily work against older UNIX systems and specific network devices. Modern Windows systems and updated Linux kernels generally don't respond as expected.
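
The flag patterns described above for SYN, ACK, FIN, NULL and XMAS scans are exactly what a network sensor keys on. The following is an added defender-side example, not code from the Nmap project: it classifies each probe by its TCP flags byte and alerts when one source sweeps many ports on one host inside a sliding window. The packet records are constructed, and a bare SYN is counted whether it comes from -sS or -sT (telling half-open from full connects would need the follow-up RST/ACK as well).

```python
"""Classify TCP probes by flag pattern and alert on port sweeps: defender-side
detection logic, added as an example (not Nmap code); all records are constructed."""
from collections import defaultdict

# TCP flag bits from the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag pattern each scan type emits. Bare SYN (and bare ACK) also occur in
# legitimate traffic, so they are only suspicious in volume; NULL and XMAS never are.
PROBE_KINDS = {SYN: "syn", 0: "null", FIN: "fin", FIN | PSH | URG: "xmas", ACK: "ack"}
ALWAYS_ALERT = {"null", "xmas"}

# Constructed records (ts, src, dst, dport, flags): a SYN sweep of six ports,
# one XMAS probe, and one ordinary HTTPS handshake that must not alert.
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "192.168.1.1", 22, SYN),
    (0.1, "10.0.0.5", "192.168.1.1", 80, SYN),
    (0.2, "10.0.0.5", "192.168.1.1", 443, SYN),
    (0.3, "10.0.0.5", "192.168.1.1", 3389, SYN),
    (0.4, "10.0.0.5", "192.168.1.1", 445, SYN),
    (0.5, "10.0.0.5", "192.168.1.1", 8080, SYN),
    (1.0, "10.0.0.9", "192.168.1.1", 80, FIN | PSH | URG),
    (2.0, "10.0.0.7", "192.168.1.1", 443, SYN),
    (2.1, "10.0.0.7", "192.168.1.1", 443, ACK),
    (2.2, "10.0.0.7", "192.168.1.1", 443, PSH | ACK),
]


def detect_scans(packets, window=10.0, port_threshold=5):
    """Walk time-ordered packets; return (src, dst, kind, distinct_ports) alerts,
    one per (src, dst, kind) once the sliding window holds enough distinct ports."""
    recent = defaultdict(list)   # (src, dst, kind) -> [(ts, dport)] within window
    alerted, alerts = set(), []
    for ts, src, dst, dport, flags in packets:
        kind = PROBE_KINDS.get(flags)
        if kind is None:
            continue                 # mid-connection traffic, e.g. PSH|ACK
        key = (src, dst, kind)
        hits = [h for h in recent[key] if ts - h[0] <= window] + [(ts, dport)]
        recent[key] = hits
        ports = {p for _, p in hits}
        if key not in alerted and (kind in ALWAYS_ALERT or len(ports) >= port_threshold):
            alerted.add(key)
            alerts.append((src, dst, kind, len(ports)))
    return alerts


if __name__ == "__main__":
    for src, dst, kind, n in detect_scans(SAMPLE_PACKETS):
        print(f"{src} -> {dst}: {kind} probe(s) to {n} distinct port(s)")
```

On the sample, the sweep from 10.0.0.5 trips the threshold at its fifth port and the single XMAS packet alerts on its own, while the bare ACK inside the normal session stays below threshold.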

IDLE Scan (-sI) - Ultimate Stealth

The IDLE scan represents the pinnacle of stealth scanning, allowing you to scan targets without sending any packets from your real IP address.

sudo nmap -sI zombie_host target.com

Zombie Host Requirements

  • Predictable IP ID sequence (incremental)
  • Light network traffic
  • No firewall blocking spoofed packets

How IDLE Scanning Works

  1. Probe zombie's current IP ID
  2. Spoof SYN packet to target from zombie's IP
  3. Probe zombie again to check IP ID increment
  4. Analyze sequence changes to determine port state

# Find suitable zombie hosts
nmap -p80 --script ipidseq 192.168.1.0/24

# Perform IDLE scan
nmap -sI 192.168.1.50 192.168.1.100

Advanced Firewall Evasion Techniques

Modern networks employ sophisticated filtering mechanisms. These techniques help bypass common security controls.

Comprehensive Evasion Methods

Packet Fragmentation (-f, --mtu)

nmap -f 192.168.1.1
nmap --mtu 24 192.168.1.1

How it works: Splits TCP headers across multiple packets to evade simple packet inspection rules.

Decoy Scanning (-D)

nmap -D decoy1,decoy2,decoy3,ME 192.168.1.1
nmap -D RND:10 192.168.1.1

How it works: Uses spoofed source addresses to hide your real IP in log files.

Source Port Manipulation (--source-port, -g)

nmap --source-port 53 192.168.1.1
nmap -g 80 192.168.1.1

How it works: Spoofs source port to appear as legitimate traffic (DNS, HTTP, etc.).

Data Length Manipulation (--data-length)

nmap --data-length 100 192.168.1.1

How it works: Appends random data to packets to evade simple signature detection.

Timing and Performance Optimization (-T)

nmap -T0 192.168.1.1 # Paranoid (very slow)
nmap -T1 192.168.1.1 # Sneaky
nmap -T2 192.168.1.1 # Polite
nmap -T3 192.168.1.1 # Normal
nmap -T4 192.168.1.1 # Aggressive
nmap -T5 192.168.1.1 # Insane

Advanced Evasion Combinations

# Comprehensive stealth scan
nmap -sS -f -D RND:5 --data-length 200 -T2 192.168.1.1

# Firewall-friendly scan
nmap -sT --source-port 80 --max-parallelism 1 -T1 192.168.1.1

Nmap Scripting Engine (NSE)

The NSE transforms Nmap from a simple port scanner into a powerful vulnerability assessment and exploitation framework.

Script Categories

  • safe: Non-intrusive scripts for reconnaissance
  • intrusive: Potentially disruptive scripts
  • vuln: Vulnerability detection scripts
  • exploit: Attempts to exploit vulnerabilities
  • auth: Authentication bypass and brute-force
  • discovery: Additional service enumeration

# Script usage examples
nmap --script safe 192.168.1.1
nmap --script vuln 192.168.1.1
nmap --script "http-*" 192.168.1.1
nmap --script "smb-vuln-*" 192.168.1.1

Essential NSE Scripts

Reconnaissance Scripts

# HTTP enumeration
nmap --script http-enum 192.168.1.1

# SMB share enumeration
nmap --script smb-enum-shares 192.168.1.1

# SSL/TLS information
nmap --script ssl-enum-ciphers 192.168.1.1

Vulnerability Detection

# Common vulnerabilities
nmap --script vuln 192.168.1.1

# Specific service vulnerabilities
nmap --script smb-vuln-ms17-010 192.168.1.1
nmap --script http-vuln-cve2017-5638 192.168.1.1

Exploitation Scripts

# Brute force attacks
nmap --script http-brute 192.168.1.1
nmap --script ssh-brute 192.168.1.1

# Service exploitation
nmap --script ftp-anon 192.168.1.1
nmap --script smb-brute 192.168.1.1

⚠️ Responsible Usage: Always ensure you have proper authorization before running intrusive or exploitation scripts. These can disrupt services and trigger security alerts.

Practical Scanning Scenarios

Real-world examples for different assessment types and environments.

Quick Network Discovery

# Find live hosts
nmap -sn 192.168.1.0/24

# Fast port scan
nmap -F 192.168.1.1

# Top ports scan
nmap --top-ports 100 192.168.1.1

Comprehensive Assessment

# Full enumeration
nmap -A -T4 192.168.1.1

# Stealthy comprehensive scan
nmap -sS -sV -O -T4 192.168.1.1

# Full port range
nmap -p- -T4 192.168.1.1

Service-Specific Scans

# Web services (quote script globs so the shell does not expand them)
nmap -p 80,443,8080,8443 --script "http*" 192.168.1.1

# Database services (there is no db-* script family; name each server's scripts)
nmap -p 1433,1521,3306,5432 --script "ms-sql-*,oracle-*,mysql-*,pgsql-*" 192.168.1.1

# Windows services
nmap -p 135,139,445 --script "smb*" 192.168.1.1

Advanced Stealth Scans

# Maximum stealth
nmap -sS -f -D RND:10 --data-length 300 -T2 192.168.1.1

# IDLE scan with zombie
nmap -sI zombie_ip target_ip -Pn

Output Formats and Reporting

Nmap offers multiple output formats for different use cases and reporting requirements.

# Normal output
nmap -oN scan.txt 192.168.1.1

# XML output (for tools)
nmap -oX scan.xml 192.168.1.1

# Grepable output
nmap -oG scan.gnmap 192.168.1.1

# All formats
nmap -oA scan 192.168.1.1
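
The XML format is the one other tools consume. As an added example that is not part of Nmap, here is a small parser for -oX output that returns each up host's ports in a chosen state together with the reason Nmap recorded (the same value --reason prints); the sample document is constructed in the shape Nmap writes, trimmed to the elements the parser reads.

```python
"""Parse Nmap -oX output into rows of open ports. Added example, not Nmap project
code; SAMPLE_XML is constructed in the shape nmap writes, trimmed to the elements used."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" start="0">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text, states=("open",)):
    """Return (addr, proto, port, state, reason, service) rows for ports whose
    state is in `states`. Hosts reported down are skipped."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")           # state/reason, as --reason prints
            if state is None or state.get("state") not in states:
                continue
            svc = port.find("service")           # absent when no service was identified
            fields = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            rows.append((addr, port.get("protocol"), int(port.get("portid")),
                         state.get("state"), state.get("reason"), " ".join(f for f in fields if f)))
    return rows
```

Pass states=("open", "filtered") to also see ports a firewall is dropping, which the default filter hides just as --open does on the console.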

Useful Output Options

# Verbose output
nmap -v 192.168.1.1

# Increased verbosity
nmap -vv 192.168.1.1

# Show open ports only
nmap --open 192.168.1.1

# Reason for port states
nmap --reason 192.168.1.1

Performance Tuning

Optimizing Nmap performance is crucial for large-scale assessments and time-sensitive operations.

Timing Templates

# Timing template overview
-T0: Paranoid (5 min between probes)
-T1: Sneaky (15 sec between probes)
-T2: Polite (0.4 sec between probes)
-T3: Normal (default, parallel probes)
-T4: Aggressive (parallel, reduced timeouts)
-T5: Insane (maximum speed, may lose data)

Advanced Performance Options

# Custom timing
nmap --min-hostgroup 256 --min-parallelism 10 192.168.1.0/24

# Rate limiting
nmap --min-rate 100 --max-rate 1000 192.168.1.1

# Host timeout
nmap --host-timeout 30m 192.168.1.1

Mastering Nmap: The Professional's Journey

Nmap is much more than a simple port scanner; it is a comprehensive network reconnaissance platform that forms the foundation of professional security assessment. From basic network mapping to advanced firewall evasion and vulnerability detection, Nmap provides the tools needed for thorough, professional-grade security testing.

Key Professional Practices:

  • Always begin with proper authorization and scope definition
  • Start with non-intrusive techniques and escalate gradually
  • Understand the legal and ethical implications of each scan type
  • Document your methodology and findings thoroughly
  • Use appropriate output formats for reporting and analysis

Remember: The power of Nmap comes with significant responsibility. Use these skills to strengthen defenses, conduct authorized testing, and contribute to a more secure digital ecosystem.