Friday, May 27, 2011

Introduction to nmap

NMAP Overview

Port States

NMAP will categorize ports as being in one of the following states:
  • Open – The port is accepting TCP connections or UDP packets. This means that an application is running that is using this port.
  • Closed – The port responds to NMAP probe requests, but no application is using this port.
  • Filtered – The port state cannot be determined because packet filters prevent NMAP probes from reaching the port.
  • Unfiltered – The port is accessible, but NMAP cannot determine if it is open or closed.
  • Open|Filtered – NMAP cannot determine if the port is open or filtered.
  • Closed|Filtered – NMAP cannot determine if the port is closed or filtered.

Port Scanning Techniques

NMAP supports different methods of port scanning. These methods are called scan techniques. Each technique is tailored to solving a specific problem. Often you will have to run several scans using different techniques in order to get a more complete picture of the host(s) you are scanning.
  • TCP SYN scan (-sS) – Can be performed on many thousands of hosts very quickly on a fast network with no firewalls. It starts to open a connection by sending a SYN packet, but it never finishes the connection. The response to this packet is used to determine the port status:
    1. A SYN/ACK response indicates that the port is open and listening
    2. A RST response indicates that the port is closed
    3. No response, or an ICMP unreachable error, will result in the port being marked as filtered
    TCP SYN scans are difficult to detect since a connection is never actually opened. This scan type uses raw sockets and requires root access under UNIX. This is the default scan.  
  • TCP connect scan (-sT) – Uses the OS to establish a TCP connection to the host. This scan type is slower and has more overhead than a SYN scan. A TCP connect scan is the default when a SYN scan (raw sockets) is not possible.  
  • UDP scan (-sU) – Sends a dataless UDP header to every specified port. The response to this header is used to determine the UDP port status:
    1. An ICMP Unreachable error response indicates that the port is closed
    2. Other ICMP errors indicate that the port is filtered
    3. UDP-based services (DHCP, DNS and SNMP) may respond. This indicates that the port is open.
    4. If after several attempts of communication no response is received, the port will be marked as open|filtered. This could mean that packet filtering is blocking communication with an otherwise open port. The version detection option (-sV) may be used in order to determine if ports marked as open|filtered are actually open.
    UDP port scanning may be done at the same time as TCP port scanning in order to speed up the process.  
  • Custom TCP scan (--scanflags) – Custom scans allow advanced users to create a scan type tailored to specific needs. This is useful to create scans that are less likely to be detected by intrusion detection systems.  
  • IP protocol scan (-sO) – This scan scans a host for the protocols it supports by cycling through the values of the 8-bit protocol field of the IP header.
NMAP offers the following additional scans. I list them here for completeness, but will not discuss them further.
  • TCP Null, FIN and Xmas scans – Use a loophole in the TCP RFC to determine if a port is open or closed.
  • TCP ACK scan – Used to map firewall rulesets. It cannot distinguish between open and closed ports.
  • TCP Window scan – Used to map firewall rulesets. It can distinguish between open and closed ports, depending on the host being scanned.
  • TCP Maimon scan – Similar to the TCP Null, FIN and Xmas scans, but exploits a slightly different TCP stack implementation detail specific to many BSD systems.
  • Idlescan – Scans hosts using packets with a “falsified” IP address, such that the scan appears to originate from another host.
  • FTP bounce scan – Scans for FTP servers configured as FTP proxies.
Note: NMAP is an open source application and may be downloaded for free from insecure.org.
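When you scan your own hosts with the techniques above, the useful part is reading the result back by port state: which ports are really open, which are filtered by something in the path, and which UDP ports came back open|filtered and need the -sV follow-up mentioned earlier. Here is an added example (not from this post, nor part of NMAP itself) that parses NMAP's "grepable" output format (-oG, assumed from NMAP's own output conventions) over a constructed sample and groups the ports by state:

```python
import re
from collections import Counter, defaultdict

# Constructed sample of nmap "grepable" output (-oG). The format is assumed
# from nmap itself; the post above does not show it. Host and names are made up.
SAMPLE_OG = (
    "# Nmap scan initiated as: nmap -sS -sU -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 (target.example)\tStatus: Up\n"
    "Host: 192.0.2.10 (target.example)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/closed/tcp//https///, "
    "445/filtered/tcp//microsoft-ds///, 53/open/udp//domain///, "
    "161/open|filtered/udp//snmp///, 123/closed|filtered/udp//ntp///"
    "\tIgnored State: closed (1990)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# One entry of the Ports field: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"^(\d+)/([a-z|]+)/(tcp|udp|sctp|ip)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host_ip: [(port, proto, state, service), ...]} from -oG text."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and blank lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Up" lines have no Ports field
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            m = PORT_RE.match(entry.strip())
            if m:
                port, state, proto, service = m.groups()
                results[host].append((int(port), proto, state, service))
    return dict(results)


def summarize(results):
    """Count ports per nmap state (open, closed, filtered, open|filtered, ...)."""
    return {host: dict(Counter(state for _, _, state, _ in ports))
            for host, ports in results.items()}


def needs_version_probe(results):
    """UDP ports left open|filtered; a -sV rescan can settle whether they are open."""
    return [(host, port) for host, ports in results.items()
            for port, proto, state, _ in ports
            if proto == "udp" and state == "open|filtered"]
```

Run `nmap -sS -sU -oG scan.gnmap <your host>` and feed the file to parse_grepable; the open|filtered list from needs_version_probe is the set of UDP ports to rescan with -sV.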
