NMAP (Network Mapper): Ping | SYN | TCP | UDP | Scripts | OS | Version

Nmap (Network Mapper) is a free and open-source utility for network discovery and security auditing.

What can be done with NMAP

  • Host Detection
  • Port Scanning 
  • Service and Version Detection
  • Operating System Detection
  • Firewall Detection
  • Vulnerability Assessment
  • Brute Force Attacks
  • Exploitation

Ping Scanning ( -sn )

Print only the hosts that are up; no port scan follows host discovery.

For a privileged (root) user the default host-discovery probes are:

  • ICMP echo request
  • TCP SYN packet to port 443
  • TCP ACK packet to port 80
  • ICMP timestamp request

An unprivileged user cannot send raw packets, so Nmap falls back to a connect() call to ports 80 and 443 on the target.

# nmap -sn <target>

# nmap -sn -n <target> | grep "Nmap scan" | cut -d" " -f5

Here <target> stands for the host, range or CIDR block being scanned (for example 10.0.0.0/24). The -n is what makes the cut work: when a name is resolved, the fifth field is the host name and the IP address moves to the sixth.


  • -sn                                  -  Ping scan (host discovery only, no port scan)
  • -n                                   -  No DNS resolution (print IP addresses instead of host names)
  • grep "Nmap scan"         -  Keep only the "Nmap scan report for ..." lines
  • cut -d" " -f5                   -  Print the fifth space-separated field, the IP address (reliable only with -n)
  • -p-                                 -  Scan all 65535 ports (same as -p1-65535)
  • -Pn                                -  Skip host discovery (ping) and treat every target as up
  • -p22,80                         -  Scan only the listed ports
  • -sS -sU -pT:22,80,U:53,139-150       -  Scan TCP and UDP ports in one run, giving the protocol per port list
  • --top-ports 50                -  Scan the 50 most common ports
  • -p1-65535                     -  Scan all ports (same as -p-)
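The grep/cut pipeline above only works with -n. The following Python script, added here as an illustration and not part of the original post, parses the normal-format output of nmap -sn properly whether or not names were resolved, and shows where the cut -f5 shortcut goes wrong. The scan output it works on is a constructed sample, not a real scan.

```python
import re

# Constructed sample of `nmap -sn -v` normal output (not a real scan).
# The -v makes Nmap also print the hosts that were found down.
SAMPLE_PING_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 10.0.0.1
Host is up (0.0012s latency).
Nmap scan report for gateway.lan (10.0.0.2)
Host is up (0.0030s latency).
Nmap scan report for 10.0.0.3 [host down]
Nmap scan report for printer.lan (10.0.0.4)
Host is up (0.010s latency).
Nmap done: 4 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

# Matches "Nmap scan report for 10.0.0.1" as well as
# "Nmap scan report for name (10.0.0.1)", optionally followed by
# " [host down]" when -v is in effect.
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[0-9A-Fa-f.:]+)\)?"
    r"(?P<down> \[host down\])?$"
)


def live_hosts(output):
    """Return the IP addresses of the hosts Nmap reported as up."""
    hosts = []
    pending = None
    for line in output.splitlines():
        m = REPORT_RE.match(line)
        if m:
            # Remember the address; it only counts once "Host is up" follows.
            pending = None if m.group("down") else m.group("ip")
        elif line.startswith("Host is up") and pending:
            hosts.append(pending)
            pending = None
    return hosts


def cut_field5(output):
    """The page's `grep "Nmap scan" | cut -d" " -f5` pipeline, for comparison."""
    return [line.split(" ")[4] for line in output.splitlines() if "Nmap scan" in line]


if __name__ == "__main__":
    print("parsed :", live_hosts(SAMPLE_PING_SCAN))
    print("cut -f5:", cut_field5(SAMPLE_PING_SCAN))
```

On the sample, live_hosts returns the three addresses that were up, while the cut pipeline returns two host names and the address of a host that is down. If you want to stay in the shell, the robust one-liner is to ask Nmap for greppable output instead of parsing the screen format: nmap -sn -oG - <target> | awk '/Up$/{print $2}'.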

SYN Scan ( -sS )

It is relatively stealthy since it never completes a TCP connection. The technique is often called half-open scanning because Nmap answers the target's SYN-ACK with a RST instead of the final ACK, so no full connection is opened.

# nmap -sS --top-ports 50 <target>

The first packet is a SYN sent by kali to start the three-way handshake. The second packet is a SYN-ACK sent by the destination system. The third packet is a RST sent by kali: because this is a SYN scan the handshake is deliberately aborted and never completed.


  1. If the destination replies to our SYN with a SYN-ACK, the port is ready to accept a connection. Nmap sends a RST to abort the handshake and reports the port as open.
  2. If the destination replies with a RST, the host is reachable but nothing is listening on that port, and it is reported as closed.
  3. If the destination does not respond at all (Nmap retransmits before giving up), the packet was most likely dropped by a firewall, and the port is reported as filtered.
  4. If the destination replies with an ICMP unreachable error instead of a TCP packet, the port is also reported as filtered.

TCP Connect Scan ( -sT )

Uses the operating system's connect() call, so the full three-way handshake is completed before the connection is torn down. It needs no raw-socket privileges and is what Nmap uses by default for an unprivileged user, but it is noisier than a SYN scan: the completed connection is handed to the application and usually ends up in its logs.

# nmap -sT -Pn --top-ports 10 <target>

The first packet is a SYN sent by kali to start the three-way handshake. The second packet is a SYN-ACK sent by the destination system. The third packet is an ACK sent by kali, which completes the handshake. The fourth packet is a RST sent by kali to end the conversation.
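What the connect scan does at the socket level, and the open/closed/filtered states listed under the SYN scan, can be reproduced without Nmap. The script below is an added example, not code from the original post: it classifies a port from the outcome of connect() the way -sT does, and uses a listener on localhost, constructed for the demonstration, as its target.

```python
import socket
import struct
import threading


def connect_scan(host, port, timeout=1.0):
    """Classify one TCP port the way `nmap -sT` does.

    connect() completes the full three-way handshake (SYN, SYN-ACK, ACK);
    the socket is then torn down with a RST, the fourth packet described
    above. The outcome maps onto Nmap's port states.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    # SO_LINGER with a zero timeout makes close() send RST rather than FIN.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    try:
        s.connect((host, port))
        return "open"        # handshake completed, something is listening
    except ConnectionRefusedError:
        return "closed"      # SYN was answered with RST
    except OSError:
        return "filtered"    # timeout, or ICMP unreachable (EHOSTUNREACH etc.)
    finally:
        s.close()


def scan_ports(host, ports, timeout=1.0):
    """Connect-scan several ports and return {port: state}."""
    return {p: connect_scan(host, p, timeout) for p in ports}


def start_listener():
    """Constructed target: accept-and-close listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_listener(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
    except OSError:
        pass
    srv.close()


def closed_port():
    """Find a port nothing listens on by binding and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, listening = start_listener()
    print(scan_ports("127.0.0.1", [listening, closed_port()]))
    stop_listener(srv)
```

Only open and closed can be shown on localhost; filtered is what you get when the SYN is silently dropped (the connect() times out) or answered with an ICMP error, which is why the timeout, not a refusal, is the tell-tale for a firewall.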

UDP Scan ( -sU )

UDP scan works by sending a UDP packet to every targeted port. UDP scanning is generally slower and harder to interpret than TCP scanning: a closed port answers with an ICMP port unreachable, but an open port usually sends nothing back, so silence means either open or filtered (Nmap reports open|filtered), and many systems rate-limit the ICMP replies, which slows the scan down further.

Run it together with version detection for more accurate results: the service probes that -sV sends can draw a reply from an open port and turn open|filtered into open.

# nmap -Pn -sU --top-ports 10 -sV --reason <target>


-sV            - Version detection 

--reason     - Show the reason (the reply, or the lack of one) why a port was set to open, closed or filtered

Version and Operating System Detection

# nmap -sS -Pn --top-ports 10 -sV -O <target>


-sV  Version Detection 

-O   Operating System Detection
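Reading -sV and -O results reliably means parsing Nmap's XML output (-oX) rather than the screen output. The following Python script, added here and not part of the original post, parses a constructed -oX sample (not a real scan; the addresses and versions are invented) that carries the --reason values, the version-detection fields and the OS match, and flags open ports whose service name came only from a port-number table lookup (method="table") rather than from a probed fingerprint.

```python
import xml.etree.ElementTree as ET

# Constructed -oX sample for one host (not a real scan). The element and
# attribute names follow Nmap's XML output; the values are made up.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sU -Pn -sV -O --reason -oX - 10.0.0.5" version="7.94">
<host><status state="up" reason="user-set" reason_ttl="0"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset" reason_ttl="64"/>
<service name="telnet" method="table" conf="3"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response" reason_ttl="0"/>
<service name="domain" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 5.0 - 5.4" accuracy="95" line="1"/>
<osmatch name="Linux 4.15 - 5.8" accuracy="90" line="2"/></os>
</host>
<runstats><finished time="1704110410" elapsed="10.00"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn Nmap XML into a list of {addr, state, os, os_accuracy, ports}."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        addr_el = h.find("address[@addrtype='ipv4']") or h.find("address")
        status = h.find("status")
        # -O may list several matches; keep the one with the highest accuracy.
        best_os = None
        for om in h.iter("osmatch"):
            acc = int(om.get("accuracy", "0"))
            if best_os is None or acc > best_os[1]:
                best_os = (om.get("name"), acc)
        ports = []
        for p in h.iter("port"):
            st = p.find("state")
            svc = p.find("service")
            get = (lambda el, k: el.get(k) if el is not None else None)
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": get(st, "state"),
                "reason": get(st, "reason"),       # what --reason prints
                "service": get(svc, "name"),
                "product": get(svc, "product"),    # filled in by -sV probes
                "version": get(svc, "version"),
                "method": get(svc, "method"),      # "probed" or "table"
            })
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "state": status.get("state") if status is not None else None,
            "os": best_os[0] if best_os else None,
            "os_accuracy": best_os[1] if best_os else None,
            "ports": ports,
        })
    return hosts


def unverified_services(hosts):
    """Open (or open|filtered) ports whose service name was never probed.

    method="table" means -sV got no usable reply and the name is just the
    nmap-services entry for that port number, so it must not be trusted.
    """
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] and p["state"].startswith("open") and p["method"] != "probed":
                out.append((h["addr"], p["proto"], p["port"], p["service"]))
    return out


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], h["state"], h["os"], h["os_accuracy"])
        for p in h["ports"]:
            print("  ", p["port"], p["proto"], p["state"], p["reason"], p["service"], p["product"], p["version"])
    print("unverified:", unverified_services(parse_nmap_xml(SAMPLE_XML)))
```

On a real run, capture the XML with -oX and feed the file contents to parse_nmap_xml; the method attribute is the quickest way to separate what -sV actually fingerprinted from what it only guessed from the port number.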

Nmap Scripting Engine (NSE)

-sC     - Run the default script set (same as --script=default)

--script     - Run the named scripts, categories or a boolean expression of them (for example --script "default or safe")

/usr/share/nmap/scripts      -  Default location of the Nmap scripts

Tasks can be performed with NSE:

  • Network Discovery
  • More Sophisticated version Detection
  • Vulnerability Detection
  • Backdoor Detection
  • Vulnerability Exploitation


To identify the category of a script, open it from the /usr/share/nmap/scripts directory

# less script_name 

and search for the keyword categories with /; press n to jump to the next match.

# nmap --script-help script_name

# nmap --script-help ssh-hostkey

  • default:          Run with -sC or --script default; fast, useful and generally non-intrusive
  • auth:             Deal with authentication credentials on the target, including bypassing them
  • brute:            Brute force (dictionary) attacks against login credentials
  • dos:              May cause a denial of service; used to test for DoS vulnerabilities
  • exploit:          Actively exploit a known vulnerability
  • safe:             Not expected to crash services, use large amounts of bandwidth or exploit vulnerabilities
  • intrusive:        The opposite of safe; may crash the target, use significant resources or be seen as an attack
  • malware:          Test whether the target is infected by malware or backdoors
  • version:          Extend version detection; run automatically with -sV and cannot be selected by name
  • vuln:             Check for specific known vulnerabilities
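The less-and-search procedure above can be automated. This Python script is an added example, not from the original post: it reads the categories line of every .nse file in a directory and builds an index by category, so you can see which scripts a category such as discovery would run and drop the intrusive ones before starting a scan. The stub scripts it writes to a temporary directory are constructed stand-ins; point index_scripts at /usr/share/nmap/scripts to index the real ones.

```python
import os
import re
import tempfile

# Constructed stand-ins for real NSE headers; only the `categories` line
# matters here. The names echo real scripts but the bodies are stubs.
SAMPLE_SCRIPTS = {
    "ssh-hostkey.nse": 'categories = {"safe", "default", "discovery"}',
    "telnet-brute.nse": 'categories = {"brute", "intrusive"}',
    "dns-zone-transfer.nse": 'categories = {"intrusive", "discovery"}',
    "http-title.nse": "categories = {'default', 'discovery', 'safe'}",
    "README": "not a script",
}

# NSE scripts declare e.g.  categories = {"default", "safe"}
CATEGORIES_RE = re.compile(r"categories\s*=\s*\{([^}]*)\}")
NAME_RE = re.compile(r"""["']([^"']+)["']""")


def make_sample_script_dir():
    """Write the constructed stubs to a fresh temporary directory."""
    d = tempfile.mkdtemp(prefix="nse-")
    for name, body in SAMPLE_SCRIPTS.items():
        with open(os.path.join(d, name), "w") as f:
            f.write("-- constructed stub, not a real script\n" + body + "\n")
    return d


def script_categories(path):
    """Return the set of categories declared in one .nse file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        m = CATEGORIES_RE.search(f.read())
    return set(NAME_RE.findall(m.group(1))) if m else set()


def index_scripts(script_dir):
    """Map category -> sorted list of script names (without .nse)."""
    index = {}
    for fname in sorted(os.listdir(script_dir)):
        if fname.endswith(".nse"):
            for cat in script_categories(os.path.join(script_dir, fname)):
                index.setdefault(cat, []).append(fname[:-4])
    return index


def select_scripts(index, want, avoid=()):
    """Scripts in category `want` that are in none of the `avoid` categories."""
    chosen = set(index.get(want, []))
    for cat in avoid:
        chosen -= set(index.get(cat, []))
    return sorted(chosen)


if __name__ == "__main__":
    idx = index_scripts(make_sample_script_dir())
    for cat in sorted(idx):
        print(f"{cat:10} {', '.join(idx[cat])}")
    print("discovery and not intrusive:", select_scripts(idx, "discovery", ["intrusive"]))
```

Nmap evaluates the same kind of selection itself, so once you know what a category contains you can hand it the expression directly, for example --script "discovery and not intrusive".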

Update Script Database:

# nmap --script-updatedb

Search Script:

# locate '*.nse' | grep telnet

(Quote the pattern so the shell does not expand it against the current directory. ls /usr/share/nmap/scripts | grep telnet works as well.)

Running Scripts:

# nmap -sS -p23 --script telnet-brute <target>

# nmap -sU -p53 --script "dns-*" <target>

# nmap -sS -Pn -p22,23 -sC <target>

# nmap -sS -Pn -p22,23 -sC -vvv <target>

# nmap --script-help smb-brute

# nmap -p22 --script "ssh-*" -sV <target>

Script names use hyphens (dns-brute, dns-zone-transfer), and a wildcard pattern should be quoted so the shell does not expand it. A later -p replaces an earlier one, so list several ports in a single -p. Service scripts only run against ports Nmap identifies as that service, which is why the ssh scripts are pointed at port 22 together with -sV.

Some Handy Scripts

  • *-brute.nse Dictionary or brute force attack to the server
  • *-info.nse Information about service
  • dns-recursion         Tells if DNS allows recursion
  • dns-zone-transfer         Tells if DNS allows zone transfer
  • http-slowloris-check         Check if webserver is vulnerable by slowloris
  • ms-sql-info MSSQL instance version and configuration
  • ms-sql-dump-hashes Password hashes for MSSQL service
  • nbstat Netbios name and MAC address
  • smb-enum-users Users of windows host
  • smb-enum-shares Sharing of windows hosts

Some dictionary or brute force attack scripts:

  • ftp-brute
  • ftp-anon (not a brute force script; it checks whether anonymous FTP login is allowed)
  • ms-sql-brute
  • oracle-sid-brute
  • snmp-brute
  • telnet-brute
  • vmauthd-brute
  • vnc-brute
