Nmap is used to enumerate network host inventories, manage service upgrade schedules, and monitor host or service uptime. Nmap can detect whether a target machine is online, which ports are open, the type and version of the service listening on each port, and the operating system and device type.
Nmap's scanning functionality has four main parts: host discovery, port scanning, application version detection, and operating system detection.
Basic Scan Method
Determine port status
To scan a specific computer or domain name, use the command below.
nmap targethost
This quickly determines whether the target host is online and the basic state of its ports.
Complete and comprehensive scan
If you want a complete and comprehensive scan of a host, use the Nmap -A option. With this option Nmap performs host discovery, port scanning, application version detection, operating system detection, and NSE script scanning against the target host.
nmap -T4 -A -v targethost
The -A option enables aggressive scanning; -T4 selects the timing template used by the scan, out of six levels (0-5). The higher the level, the faster the scan, and the more easily it is detected and blocked by firewalls or an IDS. -T4 is recommended on a good network; -v enables verbose output, showing the scan's details as it runs so the user can follow the current scan status.
Host Discovery
Host Discovery Principle
Host discovery works much like the ping command: probe packets are sent to the target host, and if a reply is received the target host is considered up. Nmap supports more than 10 different host detection methods, such as sending ICMP echo/timestamp/netmask requests, TCP SYN/ACK packets, or SCTP INIT/COOKIE-ECHO packets. Users can choose different probe types to detect the target machine flexibly under different conditions.
How host discovery works (ICMP echo example):
The Nmap user is at the source address 192.168.0.5 and sends an ICMP Echo Request to the target host 192.168.0.3. If the request is not blocked by a firewall, the target sends an ICMP Echo Reply back, which tells Nmap the target host is online.
By default, Nmap sends four different types of packets to detect whether the target host is online.
- ICMP Echo Request
- A TCP SYN packet to port 443
- A TCP ACK packet to port 80
- An ICMP timestamp request
Four different packets are used to avoid misjudgments caused by firewalls or packet loss: the target machine is considered up as soon as a reply to any one of the packets is received.
Usage of Host Discovery
Typically, host discovery is not used alone but as the first step of a scan. In some special cases, such as counting the active hosts in a large local area network, the host discovery feature may be used on its own.
Whether used as an auxiliary step or for a dedicated purpose, users can customize host discovery with Nmap's options:
-sL: list scan, which only lists the IPs in the target list
-sn: ping scan, which only detects whether hosts are up
-Pn: treat all specified hosts as up, skipping the host discovery process
-PS/PA/PU/PY: discover hosts using TCP SYN/ACK, UDP, or SCTP INIT packets
-PE/PP/PM: discover hosts using ICMP echo, timestamp, or netmask request packets
-PO[protocol list]: use IP protocol packets to detect whether the host is up
-n/-R: -n means never do DNS resolution; -R means always resolve
--dns-servers <serv1[,serv2],...>: specify the DNS servers to use
--system-dns: use the system's DNS resolver
--traceroute: trace the route to each host
Demo
Probe scanme.nmap.org:
nmap -sn -PE -PS80,135 -PU53 scanme.nmap.org
Using Wireshark to capture the packets, we can see that four types of packets were sent to scanme.nmap.org's IP address 182.140.147.57: an ICMP echo request, TCP SYN packets to ports 80 and 135, and a UDP packet to port 53 (DNS). Replies came back for the ICMP echo and for port 80, so the scanme.nmap.org host is determined to be online.
Port Scan
Port scanning is the most basic and core function of Nmap; it determines whether the TCP/UDP ports of the target host are open.
By default, Nmap scans the 1000 TCP ports that are most likely to be open.
Nmap classifies a port into one of six states:
- open
- closed
- filtered
- unfiltered
- open|filtered
- closed|filtered
Port Scan Principle
Nmap's port scanning is powerful, with more than 10 scan techniques available.
- TCP SYN scanning
This is Nmap's default scan method, often called a half-open scan. It sends a SYN packet to the target port: if a SYN/ACK reply comes back, the port is open; if an RST comes back, the port is closed; if there is no reply, the port is judged to be blocked (filtered). Because only a SYN is sent to the target port and no complete TCP connection is ever established, this method is relatively stealthy, efficient, and widely applicable.
- TCP connect scanning
TCP connect scanning uses the operating system's network API (connect) to communicate with the target host; if a connection cannot be established, the target port is closed. Scanning this way is slow, and because a complete TCP connection is made, it leaves traces on the target host and is not stealthy. TCP connect scanning should therefore be used only when TCP SYN scanning does not work.
- TCP ACK scanning
After an ACK packet is sent to the target host, receiving an RST shows that the port is not filtered by a firewall; receiving no RST shows that the port is blocked by a firewall. This method can only tell whether a port is firewalled, so it serves as an auxiliary tool for the TCP SYN method.
- TCP FIN/Xmas/NULL scanning
These three scan types are also called stealthy scans, since they are relatively hard to notice. An Xmas tree packet has the FIN, URG, and PSH flags set to 1; a NULL packet has all flags set to 0.
- UDP scanning
UDP scanning determines the state of UDP ports. If the reply is "ICMP port unreachable", the port is closed; otherwise it could be either open or filtered.
- Other methods
In addition to the common methods above, Nmap supports other detection methods, such as IP protocol scanning to detect which protocols the target host supports; SCTP INIT/COOKIE-ECHO scanning for the state of SCTP ports; idle scanning, which scans the target indirectly so that the scanner itself stays hidden; and FTP bounce scanning, which scans through an FTP server used as a proxy.
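The decision rules from the host discovery section (a host is up as soon as any one of the default probes is answered) and the port scan methods above, as an added Python model that is not part of the original page or of Nmap itself; the function names, response labels and sample inputs are assumptions made for this example:

```python
# Added example, not the Nmap project's code: a model of the decision rules
# above, mapping probe replies to Nmap's host and port states. Function names,
# response labels and sample inputs are assumptions made for this example.

# Real TCP header flag bits, used to build the probe types discussed above.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags carried by each probe: Xmas sets FIN, PSH and URG; NULL clears all.
PROBE_FLAGS = {"syn": SYN, "ack": ACK, "fin": FIN,
               "xmas": FIN | PSH | URG, "null": 0}

# Nmap's default host-discovery probes; a reply to any one marks the host up.
DEFAULT_PING_PROBES = ("icmp_echo", "tcp_syn_443", "tcp_ack_80", "icmp_timestamp")


def host_is_up(answered, probes=DEFAULT_PING_PROBES):
    """True if at least one sent probe got a reply. `answered` is the set of
    answered probe names (constructed input); pass other `probes` to model
    custom options such as -PE -PS80,135 -PU53."""
    return any(p in answered for p in probes)


def port_state(scan, response):
    """Map (scan type, observed response) to the port state Nmap reports.
    response: "syn_ack", "rst", "udp_data", "icmp_port_unreachable",
    "icmp_unreachable" (other unreachable codes) or None for no reply."""
    if scan in ("syn", "connect"):
        if response == "syn_ack":
            return "open"
        if response == "rst":
            return "closed"
        return "filtered"            # silence or an ICMP error: blocked
    if scan == "ack":
        # ACK scan cannot see open vs closed, only whether a firewall filters.
        return "unfiltered" if response == "rst" else "filtered"
    if scan in ("fin", "xmas", "null"):
        if response == "rst":
            return "closed"
        if response is not None and response.startswith("icmp_"):
            return "filtered"
        return "open|filtered"       # no reply: either open or silently dropped
    if scan == "udp":
        if response == "udp_data":
            return "open"
        if response == "icmp_port_unreachable":
            return "closed"
        if response == "icmp_unreachable":
            return "filtered"
        return "open|filtered"       # UDP silence is ambiguous
    raise ValueError(f"unsupported scan type: {scan}")
```

The closed|filtered state is not produced by any of these rules; Nmap reports it only from the idle scan mentioned above.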
Usage of port scan