Advanced NMap: Some Scan Types


A broad overview of Nmap and its basic features were covered in an earlier article in this series. In this article, we discuss various Nmap scan types in detail, and the practical use of these commands to scan various devices and networks.

Before we begin with Nmap scan types, let us start with the basics, including the three-way TCP handshake. TCP/IP is not a single protocol, but a suite comprising various protocols, some of which are listed in Table 1.

Table 1: Various TCP/IP protocols

  Layer              Protocols
  Application layer  FTP, HTTP, SNMP, BOOTP, DHCP
  Transport layer    TCP, UDP, ICMP, IGMP
  Network layer      ARP, IP, RARP
  Data link layer    SLIP, PPP

UDP and TCP

UDP is a connectionless protocol that does not assure the delivery of packets at the other end. However, that does not mean it is an unreliable protocol; higher-level applications must take care to verify that data has been received at the other end. This has its own uses, such as live audio/video transfers, where real-time delivery matters more than retransmission.

TCP is a connection-oriented protocol, which assures delivery of packets. ICMP packets are used to convey error messages, if any. The TCP three-way handshake is used to establish and reset connections, and this concept is key to understanding the various Nmap scan types. In the TCP three-way handshake:

  1. A “client” initiates communication with a SYN (Synchronise) packet carrying a randomly generated sequence number, X.
  2. The server acknowledges with a SYN-ACK (Synchronise-Acknowledge) packet carrying X+1 and its own randomly generated sequence number, Y.
  3. The client sends an ACK carrying Y+1, completing the handshake. Now the client and server can start data transfer.

After the data transfer is complete, a FIN (Finish) packet is sent by the client, to end the connection.

Nmap uses and tweaks this handshake very effectively for its various scan types. Before we proceed, let us be clear about two basic but important aspects of Nmap scans:

  1. By default, Nmap scans the 1,000 most common ports for each protocol. The list of these ports can be modified in the nmap-services file, typically stored in /etc/services. (I have never used this; the default ports are almost always sufficient!)
  2. Root privileges are required to run any scan that modifies the standard TCP handshake.

Now, let us try to understand the detailed workings of the various Nmap scan types.

TCP SYN Scan -sS

This is the default Nmap scan, used to detect open TCP ports in the target range. At the start of a SYN scan, Nmap initiates a TCP handshake by sending a standard SYN packet to the required TCP port of the device to be scanned (the target). The target’s response differs depending on the status of the destination port, and that response is what reveals the port status (see Table 2).

Table 2: SYN scan target responses

  Port status  Target response        Inference
  Open         Standard SYN-ACK       Service running on the port
  Closed       Standard RST           Service not running on the port
  Filtered     No response            Firewalled port

If the device responds with a SYN-ACK, Nmap sends an RST instead of an ACK, resetting the session rather than completing the handshake for data transfer. If an ACK were sent instead of an RST, the connection would be left open until the session timed out, making the device prone to a denial-of-service type of situation.

To run a SYN scan, root privileges are required under Linux (without them, Nmap falls back to the full-connect scan, -sT). A SYN scan is used to find the status of TCP ports on various devices on the network. Since the SYN scan works at the TCP level, it works across all operating systems and other devices that implement TCP, such as controllers, PLCs, network printers, Ethernet switches and mobile phones.

Since it never opens a valid TCP connection, it is quiet and difficult to detect from application logs. However, careful network monitoring will reveal an unusually high number of RST frames in traffic, one RST frame per scanned port, and intrusion detection systems commonly flag bursts of such half-open connections from a single source. Here’s a sample SYN scan that will return the open TCP ports on a host:

nmap -sS 192.168.100.100
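As an added example (not code from the article), here is a small defender-side check that applies the observation above: over constructed tcpdump-style lines, it counts, per source, the flows opened with a bare SYN that ended in an RST without ever reaching the handshake-completing ACK. The sample lines, the threshold and the function name are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not captured traffic): 192.168.100.5 probes
# three ports on 192.168.100.100 SYN-scan style (SYN, then an RST from one side,
# never a final ACK), while 192.168.100.7 completes a normal handshake on 22.
SAMPLE_LINES = """\
IP 192.168.100.5.40001 > 192.168.100.100.22: Flags [S]
IP 192.168.100.100.22 > 192.168.100.5.40001: Flags [S.]
IP 192.168.100.5.40001 > 192.168.100.100.22: Flags [R]
IP 192.168.100.5.40002 > 192.168.100.100.80: Flags [S]
IP 192.168.100.100.80 > 192.168.100.5.40002: Flags [S.]
IP 192.168.100.5.40002 > 192.168.100.100.80: Flags [R]
IP 192.168.100.5.40003 > 192.168.100.100.443: Flags [S]
IP 192.168.100.100.443 > 192.168.100.5.40003: Flags [R.]
IP 192.168.100.7.51000 > 192.168.100.100.22: Flags [S]
IP 192.168.100.100.22 > 192.168.100.7.51000: Flags [S.]
IP 192.168.100.7.51000 > 192.168.100.100.22: Flags [.]
""".splitlines()

# tcpdump writes IPv4 endpoints as host.port; flag letters: S=SYN, .=ACK, R=RST
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def syn_scan_suspects(lines, min_ports=3):
    """Map each suspected scanner IP to the sorted ports it probed and reset.
    A client is flagged when >= min_ports of the flows it opened with a bare SYN
    ended in an RST (its own, or the target's for a closed port) and none of its
    flows reached the handshake-completing ACK. The threshold is illustrative."""
    probed = defaultdict(set)     # client -> {(target, port)} opened with SYN
    reset = defaultdict(set)      # client -> {(target, port)} that saw an RST
    completed = defaultdict(set)  # client -> {(target, port)} it ACKed
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        fwd, back = (dst, int(dport)), (src, int(sport))  # flow seen from each side
        if flags == "S":
            probed[src].add(fwd)
        elif "R" in flags and fwd in probed[src]:    # client resets after SYN-ACK
            reset[src].add(fwd)
        elif "R" in flags and back in probed[dst]:   # target resets a closed port
            reset[dst].add(back)
        elif flags == "." and fwd in probed[src]:    # third leg: handshake done
            completed[src].add(fwd)
    return {ip: sorted(port for _, port in flows)
            for ip, flows in reset.items()
            if len(flows) >= min_ports and not completed[ip]}
```

The normal client on port 22 is never flagged because its flow ends with an ACK rather than an RST; only the source that reset every probed port is reported.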

Ping Scan -sP

This scan is used to find active hosts in the range. Rather than probing ports like a SYN scan, a ping scan starts by sending an ICMP echo request to the target range. Active devices on the network respond with an ICMP echo reply, thus revealing their presence. (-sP is the older name for this scan; current Nmap versions call it host discovery, -sn, and still accept -sP.)

A firewalled host with blocked ICMP will not respond to the ICMP echo request. The basic use of this scan is to find all active hosts on the network. This pair of commands gives a list of all active IP addresses in the 192.168.100.0/24 range:

nmap -sP -n -oG hostlist 192.168.100.0/24    ## grep'able output file, hostlist
grep "^Host:" hostlist | cut -d " " -f2 > iplist    ## list of all active IPs in the target range, iplist (the grep drops Nmap's "# Nmap ..." comment lines, which would otherwise leak into the list)
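An added example, not from the article: a Python parser for Nmap's grepable (-oG) format that does the job of the cut pipeline above, skips the "# Nmap ..." comment lines, and also reads the Ports: field that -sS or -sU scans write to the same kind of file, so it serves the SYN and UDP scans discussed below as well. The sample output and the function names are constructed for this illustration.

```python
import re

# Constructed sample of Nmap grepable (-oG) output, not a real scan: the comment
# lines Nmap adds, a down host, and the Status/Ports lines a port scan writes.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -oG hostlist 192.168.100.0/24
Host: 192.168.100.1 ()\tStatus: Up
Host: 192.168.100.2 ()\tStatus: Down
Host: 192.168.100.100 ()\tStatus: Up
Host: 192.168.100.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 161/open|filtered/udp//snmp///, 443/closed/tcp//https///
# Nmap done at Mon Jan  1 10:00:02 2024 -- 256 IP addresses (2 hosts up) scanned in 2.50 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(")

def parse_grepable(text):
    """Return {ip: {"status": "Up"/"Down"/None, "ports": [(port, state, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:           # skips Nmap's '# ...' header and footer comments
            continue
        entry = hosts.setdefault(m.group(1), {"status": None, "ports": []})
        # Fields after the host are tab separated: "Status: Up", "Ports: ...", ...
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                # Each entry is port/state/protocol/owner/service/rpcinfo/version/
                for item in value.split(", "):
                    port, state, proto, _owner, service = item.split("/")[:5]
                    entry["ports"].append((int(port), state, proto, service))
    return hosts

def active_ips(text):
    """IPs reported as Up; a bare 'cut -f2' over the file would also emit the
    word 'Nmap' from the comment lines."""
    return [ip for ip, h in parse_grepable(text).items() if h["status"] == "Up"]

def open_ports(text, ip):
    """(port, proto) pairs in state 'open' for one host; 'open|filtered' UDP
    ports are deliberately left out because their state is undetermined."""
    return [(p, proto) for p, state, proto, _ in parse_grepable(text)[ip]["ports"]
            if state == "open"]
```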

The ping scan uses only one packet for the request, and may get one packet in response, thus making it the fastest of all Nmap scan types, with the lowest footprint. The ping scan cannot be combined with other scan types.

UDP Scan -sU

This is used to find the status of UDP ports in the target range. At the start of the UDP scan, Nmap sends a 0-byte UDP packet to each UDP port in scope. The target’s response differs depending on the status of the scanned port:

  1. Open port: the service answers with UDP data on the scanned port.
  2. Closed port: an ICMP port-unreachable error message indicates that no service is running on this port.
  3. Open|filtered port: no response at all; Nmap waits for the timeout and cannot determine whether the port is open or filtered by a firewall.

A UDP scan can be used to detect malware/spyware effectively, since much of it listens on known UDP ports. The following sample UDP scan command reports each scanned UDP port on the host as open, closed or open|filtered:

nmap -sU 192.168.100.100

Table 3: Summary of SYN, ping and UDP scans

SYN scan (-sS) — Scan TCP ports
  • Does not leave a log entry.
  • Requires root access.
  • Traffic of RST frames increases with use of the SYN scan.
  • Gives information about TCP ports.

Ping scan (-sP) — Identify active hosts
  • Very difficult to trace — only two standard ICMP frames, which are very common in network traffic, are required to complete the scan.
  • Root privilege not required to run the scan.
  • Yields a device inventory by identifying active devices on the network.

UDP scan (-sU) — Scan UDP ports
  • Uses 0-byte UDP data, causing low overhead on the network.
  • Requires root access.
  • Many operating systems restrict UDP traffic, so this scan can be very slow against devices running those operating systems.
  • Works well on Microsoft operating systems, since Microsoft does not restrict UDP port traffic.
  • Best for scanning known UDP ports used by spyware/malware for communication.

Please try out these scanning techniques, hands-on, before further exploring various other scan options provided by NMap. And don’t forget to keep a watch on this series for further details!

All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted.
Open Source For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.
