Nmap doesn’t just scan ports; it actively probes network services to reveal their secrets, often in ways that surprise even seasoned administrators.
Let’s see Nmap in action. Imagine you’ve got a target IP, 192.168.1.100, and you want to know what’s running on it.
nmap -sS -p 1-1000 -T4 192.168.1.100
Here, -sS is the SYN scan, the default whenever Nmap has raw-socket privileges (root or Administrator); it is fast because it never completes the handshake. -p 1-1000 limits the scan to ports 1 through 1000 instead of the default top 1,000 most common ports. -T4 selects the "aggressive" timing template, which trades a little reliability for speed and is appropriate on fast, reliable networks.
Nmap’s power comes from its sheer variety of scan types, each designed to elicit specific information.
- TCP SYN Scan (-sS): The workhorse. Nmap sends a SYN; a SYN/ACK back means open, an RST means closed, and no reply (or an ICMP unreachable error) means filtered. The half-open connection is torn down with an RST instead of being completed, so the scan is fast and the target application never sees a connection in its own logs. It is the default for root/Administrator because it needs raw sockets. It is not invisible, though: any modern IDS or firewall logs SYN sweeps.
- TCP Connect Scan (-sT): The fallback for unprivileged users. Uses the operating system's connect() call, so the three-way handshake completes; slower, and every connection shows up in the target service's logs.
- UDP Scan (-sU): UDP is connectionless. Nmap sends a UDP packet (empty, or a protocol-specific payload for well-known ports). An ICMP port unreachable (type 3, code 3) means closed; other ICMP unreachable errors mean filtered; a UDP reply means open; no response at all is reported as open|filtered, because an open service may simply ignore an unexpected packet. The scan is slow because most stacks rate-limit ICMP errors (Linux to about one per second), and pairing it with -sV helps resolve open|filtered ports.
- FIN Scan (-sF), Xmas Scan (-sX), Null Scan (-sN): These exploit a corner of RFC 793: a closed port must answer a segment carrying none of SYN, RST or ACK with an RST, while an open port must drop it. So an RST means closed and silence means open|filtered. They can slip past stateless firewalls that only block incoming SYNs, but they only work against RFC-compliant stacks (most Unix-like systems). Windows, Cisco IOS and several other stacks send an RST regardless of port state, so against them every port shows as closed.
- ACK Scan (-sA): Maps firewall rulesets rather than port states. Sends bare ACKs; an RST back means the port is unfiltered (the firewall lets the packet through), while no reply or an ICMP error means filtered. It never reports open or closed.
- Window Scan (-sW): Identical on the wire to the ACK scan, but it inspects the TCP window field of the RSTs that come back. On some systems the window is positive for open ports and zero for closed ones, so the scan can distinguish the two where plain -sA cannot. It has nothing to do with vulnerabilities, and most modern stacks set the window to zero either way, so treat its results with suspicion.
- Maimon Scan (-sM): Sends FIN/ACK. Per RFC 793 a closed port replies with RST; on some BSD-derived stacks an open port silently drops the packet instead, so no reply is reported as open|filtered. Useful only against those stacks.
Beyond port scanning, Nmap excels at service and OS detection.
- Service/Version Detection (-sV): Nmap sends protocol-specific probes to each open port and matches the responses against its nmap-service-probes database to name the service, product and version, and sometimes the host name, OS or device type. This is what makes a scan actionable: a product and version string is what you search for in vulnerability databases.
- OS Detection (-O): Nmap sends a series of TCP, UDP and ICMP probes and compares stack quirks (initial TTL, window size, TCP option order, IP ID generation, initial sequence number predictability) against nmap-os-db. It needs raw sockets, and it gives a confident match only when it finds at least one open and one closed TCP port.
Version detection is more than banner grabbing. Nmap first connects and simply listens (the NULL probe), because many services such as SSH and SMTP announce themselves unprompted. If nothing arrives, it works through the probes in nmap-service-probes, chosen by the port number and each probe's rarity, and matches every response against that file's regular expressions. For example, sending GET / HTTP/1.0\r\n\r\n to a web port and getting HTTP/1.1 200 OK back confirms a web server, and the Server header in the same response is matched to pin down the exact software and version. A "soft match" that identifies only the protocol narrows the remaining probes to those relevant to it, and on SSL/TLS ports Nmap opens a TLS session and repeats the whole process inside it.
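The mechanics described above (connect-scan state classification, the NULL probe, the GetRequest probe and regex matching) in working code, as an added example that is not part of the original page and not Nmap's own code. It stands up two constructed mock services on loopback, one that speaks first like sshd and one that stays silent like a web server; the banner, the nginx version and the two signature regexes are made up for the demonstration and are not taken from nmap-service-probes.

```python
import re
import socket
import threading

# Constructed mock services for this demonstration (not real daemons): one that
# announces itself on connect, like sshd, and one that stays silent until it
# receives a request, like a web server. Banner and version strings are made up.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
HTTP_REPLY = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n"
              b"Content-Length: 0\r\n\r\n")
GET_REQUEST = b"GET / HTTP/1.0\r\n\r\n"   # same bytes as Nmap's "GetRequest" probe

# A tiny signature table in the spirit of nmap-service-probes 'match' lines:
# (probe that elicited the response, regex, service name). The last regex
# group captures the version. Hypothetical; not Nmap's database.
SIGNATURES = [
    ("NULL", re.compile(rb"^SSH-(\d[\d.]*)-OpenSSH_([\w.]+)"), "ssh"),
    ("GetRequest",
     re.compile(rb"^HTTP/1\.[01] \d{3} [^\r\n]*\r\n(?:.*\r\n)*?Server: nginx/([\d.]+)"),
     "http"),
]


def start_mock_service(banner=None, reply=None):
    """Listen on a loopback ephemeral port and return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    if banner:
                        conn.sendall(banner)          # speaks first, like sshd
                    if reply:
                        conn.settimeout(2)
                        conn.recv(1024)               # waits for the client's request
                        conn.sendall(reply)
            except OSError:
                pass  # client hung up (a bare connect scan does exactly that)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(host, port, timeout=1.0):
    """Classify a TCP port the way -sT does: connect() completes the handshake."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                 # SYN/ACK arrived and the handshake completed
    except ConnectionRefusedError:
        return "closed"               # the host answered with RST
    except OSError:
        return "filtered"             # timeout or host/net unreachable: no RST seen
    finally:
        s.close()


def _read(sock, timeout):
    sock.settimeout(timeout)
    try:
        return sock.recv(4096)
    except socket.timeout:
        return b""


def detect_service(host, port, banner_wait=0.5):
    """-sV style: NULL probe first (just listen), then GetRequest if the port is silent."""
    with socket.create_connection((host, port), timeout=2) as s:
        probe, data = "NULL", _read(s, banner_wait)
        if not data:
            s.sendall(GET_REQUEST)
            probe, data = "GetRequest", _read(s, 2)
    for probe_name, regex, service in SIGNATURES:
        m = regex.search(data)
        if probe_name == probe and m:
            return service, m.group(m.lastindex).decode()
    return "unknown", ""


def scan_demo():
    """Scan three loopback ports: the two mocks plus one with no listener."""
    ssh_port = start_mock_service(banner=SSH_BANNER)
    http_port = start_mock_service(reply=HTTP_REPLY)
    tmp = socket.socket()                 # grab and release a port so nothing listens there
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    results = {}
    for port in (ssh_port, http_port, closed_port):
        state = connect_scan("127.0.0.1", port)
        service = detect_service("127.0.0.1", port) if state == "open" else ("", "")
        results[port] = (state, service)
    return ssh_port, http_port, closed_port, results


if __name__ == "__main__":
    ssh, http, closed, res = scan_demo()
    for port in (ssh, http, closed):
        print(port, *res[port])
```

Two details carry over to the real tool. The NULL probe has a short wait because most services that speak first do so within a few hundred milliseconds, and the signature is tied to the probe that produced the response, so an HTTP-looking reply to the NULL probe is not matched by the GetRequest rule; real Nmap keeps the same probe-to-match binding.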
The real power is in combining these. A common advanced scan is:
nmap -sS -sV -O -p- -T4 --script vuln 192.168.1.100
Here, -p- scans all 65,535 TCP ports instead of the default top 1,000, which is why a full run takes much longer than the quick scan above. --script vuln runs every NSE script in the vuln category against the services found; it is noisy, and several of those scripts rely on the version information -sV collects. Both -sS and -O require raw-socket privileges, so this command runs as root.
Many users overlook Nmap's scripting engine (NSE). Scripts are written in Lua and grouped into categories such as auth, brute, discovery, safe and vuln; -sC (or -A) runs the default set, and --script accepts a name, a category or a comma-separated mix of both. It is not just for vulnerability checks: scripts brute-force logins, enumerate SMB shares and users, spider web applications and pull certificate details. You can write your own or pick from the several hundred that ship with Nmap.
When Nmap reports a port as "filtered," a firewall, router ACL or host-based filter is most likely dropping the probe or answering it with an ICMP unreachable error, so Nmap cannot tell whether anything is listening. Contrast this with "closed," where the host itself answered with an RST and nothing is listening, and with "open|filtered" in UDP and FIN/Xmas/Null scans, where silence is ambiguous by the nature of the probe.
The next logical step after a comprehensive Nmap scan is to investigate the specific services and versions identified, looking for known exploits or misconfigurations.
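The triage step in practice, as an added example that is not part of the original page. It parses the XML that the combined scan above writes when run with -oX, and lists open ports with unidentified services first, because a service whose method is "table" got no -sV probe match and its name is only what the port-number table suggests. The host, versions, OS match and script output in SAMPLE_XML are constructed for the example, and only the elements this parser reads are included.

```python
import xml.etree.ElementTree as ET

# Constructed -oX output for a scan like the one above, trimmed to the parts the
# parser uses. Host, versions, OS match and script output are made up.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -p- -T4 --script vuln -oX scan.xml 192.168.1.100">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="65530"><extrareasons reason="no-response" count="65530"/></extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
  <script id="http-csrf" output="Couldn&apos;t find any CSRF vulnerabilities."/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
  <service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
  <service name="http-proxy" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
</host></nmaprun>"""


def parse_nmap_xml(xml_text):
    """Pull hosts, port states, -sV results, the -O guess and NSE output from -oX XML."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    hosts = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        osmatch = host.find("os/osmatch")        # first entry is the best guess
        entry = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            # ports collapsed into <extraports> are the ones Nmap does not list individually
            "filtered": sum(int(e.get("count")) for e in host.iter("extraports")
                            if e.get("state") == "filtered"),
            "ports": [],
        }
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda key: None)
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),     # e.g. syn-ack, reset, no-response
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "method": get("method"),           # "probed" = -sV match, "table" = port-number guess
                "scripts": {s.get("id"): s.get("output") for s in port.iter("script")},
            })
        hosts.append(entry)
    return hosts


def triage(hosts):
    """Open ports as (addr, port, proto, label), unidentified services first."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            identified = p["method"] == "probed" and p["product"] is not None
            if identified:
                label = f"{p['product']} {p['version'] or ''}".strip()
            else:
                label = f"unidentified ({p['service']} by port table only)"
            rows.append((h["addr"], p["port"], p["proto"], label, identified))
    rows.sort(key=lambda r: (r[4], r[1]))        # False (unidentified) sorts first
    return [(addr, port, proto, label) for addr, port, proto, label, _ in rows]


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    for h in found:
        print(f"{h['addr']}  os={h['os']}  filtered={h['filtered']}")
        for row in triage(found):
            print("  ", *row)
```

Unidentified ports are listed first because they are where a manual look pays off most: connecting by hand, or rerunning -sV with --version-all on just those ports, usually tells you whether "microsoft-ds" is really SMB or something squatting on 445.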