Skip to main content

Nmap : Basic overview on Scanning Techniques

Nmap. One of the top scanning tool used in Cyber/Networking. There are plenty of scanning techniques that can be used in Nmap. This post is intended to provide a the basic overview on NMap scanning techniques.
nmap scan

1) Ping Scan [-sP]

This types of scan is used to detect which computers or devices are online, rather than which ports are open.In this, NMap sends an ICMP ECHO REQUEST packet to the destination system. If an ICMP ECHO REPLY is received, the system is considered as up, and ICMP packets are not blocked.If there is no response to the ICMP ping request, Nmap will try a "TCP Ping", to determine whether ICMP is blocked, or if the host is really not online.
A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST, or a SYN/ACK, is returned, then the remote system is online. If the remote system does not respond, either it is offline, or the chosen port is filtered, and hence it won't be responding to anything. When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods.Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established and thus it will result in a full TCP scan.
eg: #nmap -sP

2) Full Connect/TCP connect() Scan [-sT]

This type of scan will try to establish a full TCP connection and a 3-way handshake will happen. Hence the Full connect scan is noisy and the connection info will be logged by the IDS/Firewalls. If the scan result is open, then we can definitely able to connect to that particular port.
eg: #nmap -sT

3) Stealth Scan/ SYN scan [-sS]

This type of scan wont establish a TCP connection. It will scan by sending a SYN flag packet and if the port is open, then a SYN/ACK will be send back as a response by the target machine, thus result in a half embryo connection. Since a full connection wont establish, the connection info will not be logged by the Firewalls/IDSs and hence it is widely known as Stealth scan. If a RST pack is received as a response, then probably the post is closed.
eg: #nmap -sS

4)UDP scan [-sU]

Useful in very particular cases since most of the services uses TCP widely. UDP scan works by sending a UDP packet to the targeted port. If no response is received, then the port will be considered as Open | filtered. Filtered because some firewalls wont respond to the blocked UDP ports.If the port is closed, then an ICMP response(ICMP port unreachable error type 3, code 3) will be send by the target device.
eg: #nmap -sU

5) TCP NULL [-sN], FIN [-sF], and Xmas scans [-sX]

Null scan (-sN) - Does not set any bits (TCP flag header is 0)
FIN scan (-sF) - Sets just the TCP FIN bit.
Xmas scan (-sX) - Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.   
If a RST packet is received, the port is considered closed, while no response means it is open|filtered.
The port is marked filtered if an ICMP unreachable error is received.
eg: #nmap -sN
      #nmap -sF
      #nmap -sX

6)TCP ACK scan [-sA]

This type of scan uses the ACK flags. Unlike other scans, ACK scan is not used to determine whether the port is Open or Closed.It is used to map out firewall rule-sets, determining whether they are stateful or not and which ports are filtered.Stateful Firewalls, will respond with a RST packet as the sequence is not in order.
eg: #nmap -sA

7)Version Detection [-sV]

Version Detection collects information about the specific service running on an open port, including the product name and version number. This information can be used in determining an entry point for an attack. The -sV option enables version detection, and the -A option enables both OS fingerprinting and version detection
eg: #nmap -sV

[Learn more and download the tool @ ]

Popular posts from this blog

Cisco ASA: Disable SSLv3 and configure TLSv1.2.

For configuring TLS v1.2, the ASA should run software version 9.3(2) or later. In earlier versions of ASA, TLS 1.2 is not supported.If you are running the old version, it's time to upgrade. But before that i will show you the config prior to the change. I am running ASA version 9.6.1 Now ,set the server-version to tlsv1.2, though ASA supports version tlsv1.1, its always better to configure the connection to more secure. Server here in the sense, the ASA will be act as the server and the client will connect to the ASA.     #ssl server-version tlsv1.2 set the client-version to tlsv1.2, if required.     #ssl client-version tlsv1.2 ssl cipher command in ASA offers 5 predefined security levels and an additional custom level.     #ssl cipher tlsv1.2 high we can see the setting of each cipher levels using #show ssl cipher command. Now set the DH group to 24, which is the strongest offered as of now in the ASA.     #ssl dh-group group24 An

How to Install Netmiko on Windows?

Netmiko, developed by kirk Byers is an open source python library  based on Paramiko which simplifies SSH management to network devices and is primarily used for network automation tasks. Installing Netmiko in linux is a matter o f one single command but if you need to use Netmiko in your Windows PC, follow this process. 1) Install the latest version of Python. 2) Install Anaconda, which is an opensource distribution platform that you can install in Windows and other OS's ( 3) From the Anaconda Shell, run “ conda install paramiko ”. 4) From the Anaconda Shell, run “ pip install scp ”. 5) Now Install the Git for Windows. ( . Git is required for downloading and cloning all the Netmiko library files from Github. 6) From Git Bash window, Clone Netmiko using the following command git clone         7) Once the installation is completed, ch

RUST error: linker `link.exe` not found

While compiling Rust program in a windows environment, you may encounter the error : linker `link.exe` not found. This is because of the absence of the C++ build tools in your machine. For compiling Rust programs successfully, one of the prerequisites is the installation of the Build Tools for Visual Studio 2019.   Download the Visual Studio 2019 Build tools from the Microsoft website. After the download, while installing the Build tools, make sure that you install the required components (highlighted in Yellow) This will download around 1.2GB of required files. Once everything is successfully installed, reboot and re-run your rust program and it will compile successfully.   Read More on RUST Hello World Rust Program : Code explained RUST Cargo Package Manager Explained Data Representation in Rust.

What is a Gratuitous ARP? How is it used in Network attacks?

Many of us encountered the word "Gratuitous" while exploring the network topic on ARP, The Address Resolution Protocol. Before explaining Gratuitous ARP, here is a quick review on how ARP works. ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address.For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B shoots a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the same broadcast domain receive the ARP request, and Host A responds with its MAC address. We can see the ARP entries on our computers by entering the command arp -a . So, back to the topic on what is a Gratuitous reply, here is a better explanation. Gratuitous arp is when a device will send an ARP packet that is not a response to a request. Ideally a gratuitous ARP request is an ARP request packe

Recovery Procedure: Alcatel-Lucent Omni-Switch not booting AOS: Going to Mini-boot prompt.

Problem: Switch not booting AOS; Going to Mini-boot prompt. Model: Alcatel-Lucent OS6850 [Note:The same procedure might be applicable for different models of Omni-Switches, However, for this illustration, i have used OS-6850 ] Reason: This problem may occurs due to corrupt AOS image files or misconfigured boot parameters. Hence switch cannot boot the images properly and will go to Mini-boot prompt.  Work Around: [Note: This zmodem procedure consumes a lot to time to finish the process.] 1.) Power off your OS6850 2.) When you switched it back on, stop it before the Miniboot (there is some counter counting down from 4). Press Enter to break. 3.) You will have the following prompt " => " 4.) Enter " setenv baudrate 115200 ”. Increasing baudrate helps to increase the data transfer speed using zmodem. 5.) Enter " saveenv " 6.) Enter " boot " 7.) The switch should run now in baud rate 115200 (so you have to change your clients ter