Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)
Section 4: Advanced Scanning Options
Overview
Nmap supports a number of user-selectable scan types. By default, Nmap performs a basic TCP scan of each target system. In some situations it may be necessary to perform a more complex TCP (or even UDP) scan in an attempt to find uncommon services or to evade a firewall. Nmap’s options for these advanced scan types are discussed in this section.
Summary of features covered in this section:
-sS            TCP SYN Scan
-sT            TCP Connect Scan
-sU            UDP Scan
-sN            TCP NULL Scan
-sF            TCP FIN Scan
-sX            Xmas Scan
-sA            TCP ACK Scan
--scanflags    Custom TCP Scan
-sO            IP Protocol Scan
Note: You must log in with root privileges (or use the sudo command) to execute many of the scans discussed in this section.
TCP SYN Scan
The -sS option performs a TCP SYN scan.
Usage syntax: nmap -sS [target]
# nmap -sS 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 09:45 CST
Nmap scan report for 10.10.3.1
Host is up (0.14s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
Performing a TCP SYN scan
The TCP SYN scan is the default option for privileged users (users running as root on Unix/Linux). The default TCP SYN scan probes the 1000 most commonly used TCP ports by sending a SYN packet to each port on the target and listening for the response. This type of scan is said to be stealthy because it never completes the three-way handshake and so never opens a full-fledged connection to the remote host; as a result, some systems will not log the connection attempt.
Note: Stealth operation is not guaranteed. Modern packet capture programs and advanced firewalls are now able to detect TCP SYN scans.
TCP Connect Scan
The -sT option performs a TCP connect scan.
Usage syntax: nmap -sT [target]
$ nmap -sT 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 09:52 CST
Nmap scan report for 10.10.3.1
Host is up (0.048s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.98 seconds
Performing a TCP connect scan
The -sT scan is the default scan type for non-privileged users. The TCP connect scan is a simple probe that attempts to connect directly to the remote system without using any stealth options. The -sT option uses the local system’s TCP/IP stack rather than generating its own raw packets, which can be slower and less accurate. Thus, it is typically best to execute Nmap with root privileges whenever possible, since it will then perform a TCP SYN scan (-sS), which provides a more accurate listing of port states and is significantly faster.
UDP Scan
The -sU option performs a UDP (User Datagram Protocol) scan.
Usage syntax: nmap -sU [target]
# nmap -sU 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 09:53 CST
Nmap scan report for 10.10.3.1
Host is up (0.0023s latency).
Not shown: 998 open|filtered ports
PORT STATE SERVICE
161/udp open snmp
162/udp closed snmptrap
Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds
Performing a UDP scan
The example above displays the results of a UDP scan. While TCP is the most commonly used transport protocol, many network services like DNS, DHCP, and SNMP still utilize UDP. When performing a network audit, it’s always a good idea to check for both TCP and UDP services to get a more complete picture of the target systems. The next example shows the output of a combination TCP/UDP scan.
# nmap -sS -sU 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 11:27 CST
Nmap scan report for 10.10.3.1
Host is up (0.044s latency).
Not shown: 998 closed ports, 998 open|filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
161/udp open snmp
Nmap done: 1 IP address (1 host up) scanned in 6.04 seconds
Performing a TCP and UDP scan
By combining options for both TCP and UDP, you are able to see open ports that might otherwise go unnoticed if only scanning for one protocol.
Note: UDP scans are typically slower than TCP scans because UDP ports behave differently than TCP (by design). Additionally, many systems also utilize rate limiting for UDP responses, which greatly reduces UDP scan performance.
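The combined TCP/UDP output above is easy to turn into a host inventory. The following parser is an added example, not code from the cookbook: it reads the normal Nmap output format shown in this section (the embedded sample is the combined scan above, constructed as a constant) and returns one record per port so TCP and UDP results can be compared in one place.

```python
"""Parse the normal (human-readable) Nmap output used in this section.
Added example, not from the cookbook: walks 'Nmap scan report',
'Not shown:' and 'PORT STATE SERVICE' lines into one record per port."""
import re

# Constructed sample: the combined -sS -sU run shown in the text.
SAMPLE = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 11:27 CST
Nmap scan report for 10.10.3.1
Host is up (0.044s latency).
Not shown: 998 closed ports, 998 open|filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
161/udp open snmp
Nmap done: 1 IP address (1 host up) scanned in 6.04 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"(\d+) ([\w|]+) ports")   # e.g. "998 open|filtered ports"

def parse_nmap(text):
    """Return {host: {"ports": [(port, proto, state, service)], "not_shown": {state: n}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                       # a new per-host report starts here
            current = hosts.setdefault(m.group(1), {"ports": [], "not_shown": {}})
            continue
        if current is None:         # banner lines before the first report
            continue
        if line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_RE.findall(line):
                current["not_shown"][state] = int(count)
            continue
        m = PORT_RE.match(line)     # header, MAC and 'Host is up' lines do not match
        if m:
            port, proto, state, service = m.groups()
            current["ports"].append((int(port), proto, state, service))
    return hosts

def open_ports(hosts, host, proto=None):
    """(port, proto, service) tuples reported 'open', optionally for one protocol."""
    return [(p, pr, s) for p, pr, st, s in hosts[host]["ports"]
            if st == "open" and (proto is None or pr == proto)]
```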
TCP NULL Scan
The -sN option performs a TCP NULL scan.
Usage syntax: nmap -sN [target]
# nmap -sN 10.10.4.85
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 10:05 CST
Nmap scan report for 10.10.4.85
Host is up (0.00052s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
443/tcp open|filtered https
17988/tcp open|filtered unknown
MAC Address: D8:9D:67:60:32:57 (Hewlett Packard)
Nmap done: 1 IP address (1 host up) scanned in 7.52 seconds
Performing a TCP NULL scan
A TCP NULL scan causes Nmap to send packets with no TCP flags enabled, which is achieved by setting the flags field of the TCP header to 0. Sending NULL packets to a target is a method of tricking a firewalled system into generating a response, although Nmap may not be able to determine the port state (reported as open|filtered in the above example). Additionally, not all systems will respond to probes of this type.
TCP FIN Scan
The -sF option performs a TCP FIN scan.
Usage syntax: nmap -sF [target]
# nmap -sF 10.10.4.85
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 10:43 CST
Nmap scan report for 10.10.4.85
Host is up (0.00052s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
443/tcp open|filtered https
17988/tcp open|filtered unknown
MAC Address: D8:9D:67:60:32:57 (Hewlett Packard)
Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds
Performing a TCP FIN scan
In a -sF scan, Nmap sets the TCP FIN flag when sending packets in an attempt to solicit a response from the specified target system. This is another method of sending unexpected packets to a target in an attempt to produce results from a system protected by a firewall.
Note: Not all systems will respond to probes of this type.
Xmas Scan
The -sX option performs an Xmas scan.
Usage syntax: nmap -sX [target]
# nmap -sX 10.10.4.85
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 10:46 CST
Nmap scan report for 10.10.4.85
Host is up (0.00053s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
443/tcp open|filtered https
17988/tcp open|filtered unknown
MAC Address: D8:9D:67:60:32:57 (Hewlett Packard)
Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds
Performing a “Christmas” scan
In the Xmas scan, Nmap sends TCP packets with URG, FIN, and PSH flags activated. This has the effect of “lighting the packet up like a Christmas tree” and can occasionally solicit a response from a firewalled system that might otherwise ignore a normal packet.
Note: Not all systems will respond to probes of this type.
Custom TCP Scan
The --scanflags option is used to perform a custom TCP scan by setting your own header flags.
Usage syntax: nmap --scanflags [flag(s)] [target]
# nmap --scanflags SYNURG 10.10.3.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 10:49 CST
Nmap scan report for 10.10.3.1
Host is up (0.046s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
Manually specifying TCP flags
The --scanflags option allows users to define a custom scan using one or more TCP header flags. This allows you to shape your own TCP headers in an attempt to get a response from a target system. Any combination of flags listed in the table below can be used with the --scanflags option. For example: nmap --scanflags FINACK (no space) would activate the FIN and ACK TCP flags.
TCP header flags:
SYN - Synchronize
ACK - Acknowledgment
PSH - Push
URG - Urgent
RST - Reset
FIN - Finished
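To see how these flag combinations look on the wire, and how a packet filter or IDS recognises the NULL, FIN, Xmas and custom --scanflags probes described above, the following is an added example (not Nmap code): flags_from_names() builds the TCP flags byte from a --scanflags-style string such as FINACK, and classify_probe() labels an inbound segment's flags byte with the probe it matches.

```python
"""TCP flag combinations used by the NULL, FIN, Xmas and --scanflags probes.
Added example, not from the cookbook or Nmap: an encoder for the
--scanflags naming style and a defender-side classifier for inbound flags."""

# Bit positions of the 8-bit TCP flags field (RFC 793 plus ECE/CWR from RFC 3168).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

def flags_from_names(spec):
    """Parse a concatenated flag list ("FINACK", "SYNURG") into the flags byte."""
    spec, value, pos = spec.upper(), 0, 0
    while pos < len(spec):
        name = spec[pos:pos + 3]          # every flag name is three letters
        if name not in TCP_FLAGS:
            raise ValueError("unknown TCP flag at %r" % spec[pos:])
        value |= TCP_FLAGS[name]
        pos += 3
    return value

def flag_names(value):
    """Inverse of flags_from_names: the set flag names, in bit order."""
    return [n for n, bit in sorted(TCP_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]

def classify_probe(value):
    """Name the scan probe an inbound segment's flags match, or None if normal."""
    fin, syn, rst = TCP_FLAGS["FIN"], TCP_FLAGS["SYN"], TCP_FLAGS["RST"]
    psh, ack, urg = TCP_FLAGS["PSH"], TCP_FLAGS["ACK"], TCP_FLAGS["URG"]
    if value == 0:
        return "NULL scan (-sN)"
    if value == fin:
        return "FIN scan (-sF)"
    if value == fin | psh | urg:
        return "Xmas scan (-sX)"
    if (value & (syn | ack | rst)) == 0:
        # No control flag at all: a real TCP stack never emits this.
        return "custom probe without SYN/ACK/RST (--scanflags)"
    if value & syn and value & (fin | rst | urg):
        # SYN+FIN and SYN+RST are illegal; SYN+URG is the text's SYNURG
        # example. SYN+ECE+CWR (ECN negotiation) is deliberately left alone.
        return "SYN with unusual extra flags (--scanflags)"
    return None
```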
TCP ACK Scan
The -sA option performs a TCP ACK scan.
Usage syntax: nmap -sA [target]
# nmap -sA 10.10.4.1 10.10.4.106
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 13:30 CST
Nmap scan report for 10.10.4.1
Host is up (0.0014s latency).
All 1000 scanned ports on 10.10.4.1 are unfiltered
MAC Address: 00:13:3B:10:54:0E (Speed Dragon Multimedia Limited)
Nmap scan report for 10.10.4.106
Host is up (0.0020s latency).
All 1000 scanned ports on 10.10.4.106 are filtered
MAC Address: 2C:27:D7:42:E7:25 (Hewlett-Packard Company)
Nmap done: 2 IP addresses (2 hosts up) scanned in 4.91 seconds
Performing a TCP ACK scan
The -sA option can be used to determine if the target system is protected by a firewall. When performing a TCP ACK scan, Nmap probes a target and looks for RST responses. If no response is received, the port is considered to be filtered. If the system does return an RST packet, then the port is labeled as unfiltered. In the above example, two systems are scanned: one appears to be filtered and the other unfiltered.
Note: The -sA option does not display whether or not the unfiltered ports are open or closed. Its only purpose is to determine whether or not the system is performing filtering.
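The port states reported by the SYN, UDP, NULL/FIN/Xmas and ACK scans in this section all follow from which response (if any) comes back to the probe. The following is an added example, not Nmap's own logic, that models those rules in simplified form; the response labels ('synack', 'rst', 'udp', 'icmp_unreach', 'icmp_other', None) are names chosen for this example.

```python
"""How a probe's response becomes an Nmap port state, per scan type.
Added example, not Nmap's own code: a simplified model of the rules this
section describes. Response labels are this example's own names."""

SYN_FAMILY = {"-sS", "-sT"}          # expect SYN/ACK (open) or RST (closed)
FLAG_FAMILY = {"-sN", "-sF", "-sX"}  # only ever see RST; silence is ambiguous

def infer_state(scan, response):
    """response: 'synack', 'rst', 'udp', 'icmp_unreach', 'icmp_other'
    (admin-prohibited and similar) or None when the probe timed out."""
    if response == "icmp_other":
        return "filtered"             # every scan type reads this as filtering
    if scan in SYN_FAMILY:
        return {"synack": "open", "rst": "closed"}.get(response, "filtered")
    if scan in FLAG_FAMILY:
        # RST proves the port is closed. Silence means either an open port
        # (RFC 793 drops such segments) or a firewall ate the probe, hence
        # the open|filtered seen in the NULL/FIN/Xmas examples above.
        return "closed" if response == "rst" else "open|filtered"
    if scan == "-sU":
        return {"udp": "open", "icmp_unreach": "closed"}.get(response, "open|filtered")
    if scan == "-sA":
        # Any RST shows the unsolicited ACK reached the host; open versus
        # closed is never learned by this probe.
        return "unfiltered" if response == "rst" else "filtered"
    raise ValueError("unknown scan type %s" % scan)

def summarize(scan, responses):
    """Count states for a {port: response} map, like the 'Not shown:' line."""
    counts = {}
    for resp in responses.values():
        state = infer_state(scan, resp)
        counts[state] = counts.get(state, 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed host: port 22 open, 23 closed, 25 silently dropped.
    print(summarize("-sS", {22: "synack", 23: "rst", 25: None}))
    # The same host seen by -sN: the open port and the dropped one collapse.
    print(summarize("-sN", {22: None, 23: "rst", 25: None}))
```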
IP Protocol Scan
The -sO option performs an IP protocol scan.
Usage syntax: nmap -sO [target]
# nmap -sO 10.10.4.49
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-16 13:34 CST
Nmap scan report for 10.10.4.49
Host is up (0.012s latency).
Not shown: 253 open|filtered protocols
PROTOCOL STATE SERVICE
1 open icmp
6 open tcp
17 open udp
MAC Address: EC:E1:A9:54:1B:80 (Cisco)
Nmap done: 1 IP address (1 host up) scanned in 7.30 seconds
Output of an IP protocol scan
The -sO scan displays the IP protocols that are supported on the target system. The most commonly found protocols on modern networks are ICMP, TCP, and UDP, as displayed in the above example. The IP protocol scan is helpful for quickly identifying what types of scans you want to perform on the selected target system based on its supported protocols.
Tip: A complete list of IP protocols can be found on the IANA website at iana.org/assignments/protocol-numbers/.