How to do Port Scanning with Nmap
Network Mapper, usually just known as Nmap, is a powerful yet compact tool to have in your arsenal, giving you the power to explore a network and scan the ports of the targets you find. Network and system administrators should know about this tool; it's very helpful in debugging certain networking problems. It is, however, predominantly used by security personnel to conduct port scanning and target probing, both legally and illegally. Nmap can scan countless targets and every single port, but is just as easily used against a specific target. As a port scanner, Network Mapper is highly configurable and gives you dozens of different modes to run in; each one can tell you something different about your target.
This article will assume you know the basics of IPv4 CIDR notation. If you're unfamiliar with CIDR, it may be worth a quick read-up first.
Let's start with a very simple example: scanning and identifying your own machine. Run this as root, or prefix it with 'sudo':
nmap -sV 172.0.0.1
Here we're telling nmap to scan target 172.0.0.1 while also trying to detect what versions of the services it's running. We immediately grab some vital data from the target IP.
In my example you can see I'm running MySQL version 5.7.13. It's fairly obvious I'm also running Linux versions of both Apache and MySQL. Knowing the version numbers of pieces of software or services enables you to target them with specific exploits, etc. Conversely, you can also use it to see who on the network needs to apply security patches or system updates.
Nmap States – Filtered, Closed and Open
You'll notice in my example above that certain ports have a state of OPEN. What does nmap mean by saying a port is OPEN, or by the other values of FILTERED or CLOSED for that matter? Well, they map quite nicely to the three different stages of TCP's three-way handshake (not 100% of the time, but it's good enough to get the point across).
TCP's 3-Way Handshake
I found this on Wikipedia and couldn't express the three-way handshake any better, so I will quote an abridged version here:
To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to and listen at a port. To establish a connection, the three-way (or 3-step) handshake occurs:
SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment’s sequence number to a random value A.
SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1.
At this point, both the client and server have received an acknowledgment of the connection. The steps 1, 2 establish the connection parameter (sequence number) for one direction and it is acknowledged. The steps 2, 3 establish the connection parameter (sequence number) for the other direction and it is acknowledged. With these, a full-duplex communication is established.
SYN blocked – Nmap Filtered
If a firewall sits between you and the target, there is a possibility that it's configured not to let you through on a given port. If so, when you try to send a packet to server X on port A, the firewall may simply refuse the connection and drop the packet. When this happens you won't receive a response from the server and the port will appear as FILTERED.
RST-ACK – Nmap Closed
If you can pass through the firewall, or if one isn't present, your SYN packet should be received by the server. If the server isn't open for connections on the port you specified, it'll respond with a RESET, or RST-ACK. When nmap receives a RST-ACK it'll report that port as CLOSED.
SYN-ACK – Nmap Open
If the firewall lets you through and the server is listening on your specified port, the server should respond with the second part of the three-way handshake, the SYN-ACK. Nmap will then report this port as OPEN for business!
Note: this article is tackling nmap with a pretty high-level explanation. For example, firewalls can be configured to respond differently instead of just dropping the packet (as mentioned above). They can actually be told to respond with RST-ACKs, incorrectly reporting to nmap that the port on the server is CLOSED instead of FILTERED. This is why there are so many different modes for nmap – to get around such configurations.
Light Recon – Nmap List and Ping Scans
It's almost impossible to interact with a network without leaving some type of footprint; however, the following two scans are incredibly light. This doesn't mean they can't be detected or traced, but they're so minor that they're unlikely to stand out from the background noise.
Our first quick example is the 'list scan' option in nmap. This mode quickly enumerates the possible IPs on the network within the CIDR range you specify. Its output is a simple one-liner per IP found. This scan allows you to generate IPs so that they can be piped/passed into other scripts or files instead of hand-writing hundreds of IPs. It also does a reverse DNS lookup for each IP, so you can see in the example below that the .254 IP is listed slightly differently to the rest.
nmap -sL 192.168.1.0/24
Its output is shown below:
A second very quick scan is the 'no port' scan, or ping sweep. In this mode nmap performs host discovery only and does not go on to probe ports once a host has been discovered.
nmap -sn 192.168.1.0/24
Its output is shown below:
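As an added example (not from the original article), here is a small Python parser for the normal output of the list scan and ping sweep above, so the discovered IPs can be fed to other scripts as the text suggests. The sample output is constructed; only the .254 host has a reverse-DNS name, and router.lan is an assumed name.

```python
# Added example (not part of the original article): parse the normal output of
# an `nmap -sL` or `nmap -sn` sweep into records, so the IPs can be passed to
# other tools instead of typed by hand. The sample output below is constructed;
# only 192.168.1.254 has a reverse-DNS name, so its line looks different.
import re

SCAN_REPORT = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$"
)

def parse_nmap_hosts(output):
    """Return a list of {'ip', 'name', 'up'} dicts, one per scan report line.

    -sL never sends a packet, so no 'Host is up' line follows and up is False;
    -sn adds 'Host is up' for hosts that answered the ping sweep.
    """
    hosts = []
    for line in output.splitlines():
        m = SCAN_REPORT.match(line.strip())
        if m:
            hosts.append({"ip": m["ip"], "name": m["name"], "up": False})
        elif line.startswith("Host is up") and hosts:
            hosts[-1]["up"] = True
    return hosts

def live_ips(output):
    """IPs that answered a ping sweep (-sn), ready for piping one per line."""
    return [h["ip"] for h in parse_nmap_hosts(output) if h["up"]]

# Constructed sample: what a ping sweep of a small /29 might print.
SAMPLE_SN = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-01 10:00 BST
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.68
Host is up (0.00031s latency).
Nmap scan report for router.lan (192.168.1.254)
Host is up (0.0020s latency).
Nmap done: 8 IP addresses (3 hosts up) scanned in 2.05 seconds
"""

if __name__ == "__main__":
    for h in parse_nmap_hosts(SAMPLE_SN):
        print(h)
    print("\n".join(live_ips(SAMPLE_SN)))
```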
Stealth Scanning with Nmap
The SYN scan, or using -sS, is known unofficially as a stealth scan or a half-open port scan. This works by nmap sending out SYN packets but never completing the TCP handshake, regardless of what it receives from the target server. As a TCP session is never created on the server, this scan won't appear in my logs. It's important to run these commands as root; otherwise this method of scanning isn't available to you.
nmap -sS 192.168.1.68
The un-stealthy version of the SYN scan, which is also what you get if you run the SYN scan without root privileges, is the TCP Connect SYN scan. This scan, with the switch -sT, continues on and performs the full TCP handshake when connecting to the host machine. For this reason it's a lot more likely to be reported, hence its non-stealthy nature. As you can see here, I've actually told it to scan two separate IPs on my network.
nmap -sT 192.168.1.68 192.168.1.69
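The mapping of SYN-probe replies to FILTERED, CLOSED and OPEN described earlier, and the difference between the half-open -sS scan and the full-handshake -sT scan, as an added Python simulation that is not part of the original article or of nmap itself. The listening ports, the firewall's drop and reject lists, and the server's connection log are all constructed.

```python
# Added illustration (not nmap's code): a toy TCP exchange showing how the reply
# to a SYN probe maps to nmap's OPEN / CLOSED / FILTERED states, and why a
# half-open (-sS) scan never reaches the server's connection log while a
# connect (-sT) scan does. Ports, firewall rules and the log are constructed.
class Server:
    def __init__(self, listening):
        self.listening = set(listening)
        self.connection_log = []      # what the application would log

    def receive(self, port, segment):
        if segment == "SYN":
            return "SYN-ACK" if port in self.listening else "RST-ACK"
        if segment == "ACK" and port in self.listening:
            self.connection_log.append(port)   # handshake completed: session exists
        return None                            # a bare RST or ACK gets no reply

class Firewall:
    """drop: silently discard; reject: answer SYN with RST-ACK (looks CLOSED)."""
    def __init__(self, server, drop=(), reject=()):
        self.server, self.drop, self.reject = server, set(drop), set(reject)

    def receive(self, port, segment):
        if port in self.drop:
            return None
        if port in self.reject and segment == "SYN":
            return "RST-ACK"
        return self.server.receive(port, segment)

def probe(target, port, half_open=True):
    """Send one SYN and classify the reply the way nmap reports it."""
    reply = target.receive(port, "SYN")
    if reply is None:
        return "filtered"          # SYN blocked, nothing came back
    if reply == "RST-ACK":
        return "closed"            # nothing listening, or a firewall reject
    # SYN-ACK: -sS tears down with RST, -sT finishes the handshake with ACK
    target.receive(port, "RST" if half_open else "ACK")
    return "open"

def scan(target, ports, half_open=True):
    return {p: probe(target, p, half_open) for p in ports}

if __name__ == "__main__":
    srv = Server(listening={22, 80, 3306})
    fw = Firewall(srv, drop={3306}, reject={25})
    print(scan(fw, [22, 25, 80, 443, 3306]))   # 3306 filtered, 25 looks closed
    print("logged after -sS style:", srv.connection_log)   # []
    scan(fw, [22, 80], half_open=False)
    print("logged after -sT style:", srv.connection_log)   # [22, 80]
```

Port 25 is the caveat from the note above: a firewall that rejects with RST-ACK makes a filtered port look CLOSED.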
UDP Port Scanning with Nmap
So far we've really only looked at using nmap with the TCP protocol. For this example we'll jump ship and look at its counterpart, the User Datagram Protocol (UDP). UDP is used for services like Voice over IP (VoIP), Domain Name Service (DNS), Real Time Streaming Protocol (RTSP) and Simple Network Protocol (SNP).
To scan for ports open to the UDP protocol, simply use -sU as the mode switch. It can take a lot longer than the simpler TCP SYN scans, but as you can see from the example below, it's found an additional 3 open|filtered ports.
Update October 2016 – Although nmap hasn't changed for a while, I've recently updated this article with clearer screenshots. Enjoy 🙂
Thanks