Nmap how does it work

Reading Time: 8 minutes

This article is a deep dive into how Nmap works, to understand its internal structure and master its functionality. In this article, we will describe how Nmap can help you to:
- Discover live hosts on a network
- Scan for open ports
- Discover services
- Test for vulnerabilities

Port scanning alternatives

Nmap is not the only port scanner available, and other tools in this category are suitable for particular needs.

Some of the more popular are:

Unicornscan is useful for collecting network and OS information, and it comes with features like asynchronous TCP and UDP scanning, port scanning, and service and OS fingerprinting. Based on the live IPs detected, it can scan for ports and services, reveal MAC addresses, and resolve hostnames.

Masscan is widely known as the fastest port scanner. It has both a command line and a graphical interface, and the default transmission rate is packets per second.

Onetwopunch is a powerful script that combines the features of unicornscan and Nmap for faster and more accurate results.

It uses unicornscan to scan all ports, and then feeds the results to Nmap for service fingerprinting. This way, the user gets a complete list of open ports and the services running on them.

Nmap host discovery

By default, Nmap uses requests to identify a live IP.

Scan for open ports

Nmap identifies the status of ports based on the response it receives to a SYN request. Its stealth comes from not performing a 3-way handshake to complete the connection; the packet exchange is as follows: The scanner sends a SYN packet.

The same goes for port and port 80. TCP Connect scan completes the 3-way handshake with the target machine and makes for a good alternative to the stealth scan. The process is as follows: The scanner sends a SYN packet.

Discover services

Nmap can identify services by listening on open communication ports for the welcome banner.

Test for vulnerabilities

Nmap can find vulnerabilities in the network through the Nmap Scripting Engine (NSE), a flexible feature activated with the -sC option that allows users to write scripts for task automation.

The art of port scanning is similar. Experts understand the dozens of scan techniques and choose the appropriate one (or combination) for a given task.

Inexperienced users and script kiddies, on the other hand, try to solve every problem with the default SYN scan. Since Nmap is free, the only barrier to port scanning mastery is knowledge. That certainly beats the automotive world, where it may take great skill to determine that you need a strut spring compressor, then you still have to pay thousands of dollars for it.

Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when Npcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in , as many users only had access to shared shell accounts.

Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop Unix systems including Linux and Mac OS X are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or firewalls in front of them. Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. Such issues are specific to certain scan types and so are discussed in the individual scan type entries. This section documents the dozen or so port scan techniques supported by Nmap.

The one exception to this is the deprecated FTP bounce scan (-b). By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix). Of the scans listed in this section, unprivileged users can only execute connect and FTP bounce scans. SYN scan is the default and most popular scan option for good reasons.

It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. It also allows clear, reliable differentiation between the open, closed, and filtered states.

This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received.

This is the case when a user does not have raw packet privileges.

Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

When SYN scan is available, it is usually a better choice. Nmap has less control over the high level connect call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection.

A decent IDS will catch either, but most machines have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned.
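The syslog note above is exactly the signal a defender can key on. The following is an added example, not code from the original article: it runs over constructed syslog-style lines (a simplified format, not real captures) and flags any source that connected to and immediately dropped many distinct services, which is the footprint of a connect scan.

```python
import re
from collections import defaultdict

# Constructed syslog-style lines in a simplified format (not real captures):
# "<timestamp> <host> <service>: connection from <ip> closed without data"
SAMPLE_LOG = """\
Mar 03 10:15:01 srv1 sshd: connection from 10.0.0.5 closed without data
Mar 03 10:15:01 srv1 smtpd: connection from 10.0.0.5 closed without data
Mar 03 10:15:02 srv1 ftpd: connection from 10.0.0.5 closed without data
Mar 03 10:15:02 srv1 httpd: connection from 10.0.0.5 closed without data
Mar 03 10:15:03 srv1 imapd: connection from 10.0.0.5 closed without data
Mar 03 10:15:40 srv1 sshd: connection from 10.0.0.9 closed without data
Mar 03 10:16:10 srv1 httpd: connection from 192.168.1.20 closed without data
"""

LINE_RE = re.compile(
    r"^\S+ \d+ [\d:]+ \S+ (?P<service>\w+): connection from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) closed without data$"
)


def services_by_source(log_text):
    """Map each source IP to the set of services it connected to and dropped."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            touched[m.group("src")].add(m.group("service"))
    return touched


def suspected_connect_scanners(log_text, min_services=4):
    """Sources that opened-and-closed at least min_services distinct services.

    A single client rarely touches many unrelated services in quick succession
    without sending data; a connect scan does exactly that."""
    return sorted(
        src for src, svcs in services_by_source(log_text).items()
        if len(svcs) >= min_services
    )


if __name__ == "__main__":
    print(suspected_connect_scanners(SAMPLE_LOG))
```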

This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports. UDP scan is activated with the -sU option. For some common ports such as 53 and , a protocol-specific payload is sent to increase the response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified.

If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed.

This returns information on every host, their latency, their MAC address, and also any description associated with this address. This can be a powerful way of spotting suspicious hosts connected to your network. If you see anything unusual in this list, you can then run a DNS query on a specific host, by using:
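To make the SYN-scan and UDP-scan state rules above concrete, here is an added example (not code from the original article or from Nmap itself) that classifies a port from a constructed summary of the replies to one probe and its retransmissions. It goes slightly beyond the page: for UDP it also treats a UDP reply as open, other ICMP unreachable codes as filtered, and no reply at all as open|filtered, which is Nmap's documented behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes that make a SYN-scanned port
# "filtered"; for UDP, code 3 (port unreachable) instead means "closed".
FILTERED_UNREACH_CODES = {0, 1, 2, 3, 9, 10, 13}


@dataclass
class Reply:
    """Constructed summary of one reply to a probe (not a real packet)."""
    kind: str                       # "tcp", "udp", "icmp" or "none"
    tcp_flags: str = ""             # e.g. "SA" (SYN/ACK) or "R" (RST) for kind "tcp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def syn_scan_state(replies):
    """State of a port after a SYN probe; replies covers all retransmissions."""
    for r in replies:
        if r.kind == "tcp" and "S" in r.tcp_flags and "A" in r.tcp_flags:
            return "open"           # SYN/ACK: a listener answered; Nmap replies RST
        if r.kind == "tcp" and "R" in r.tcp_flags:
            return "closed"         # RST: host reachable, nothing listening
        if r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in FILTERED_UNREACH_CODES:
            return "filtered"       # a firewall or router rejected the probe
    return "filtered"               # silence after several retransmissions


def udp_scan_state(replies):
    """State of a port after a UDP probe (empty or protocol-specific payload)."""
    for r in replies:
        if r.kind == "udp":
            return "open"           # any UDP reply proves a service is there
        if r.kind == "icmp" and r.icmp_type == 3:
            if r.icmp_code == 3:
                return "closed"     # port unreachable from the host itself
            if r.icmp_code in FILTERED_UNREACH_CODES:
                return "filtered"
    return "open|filtered"          # UDP services often ignore empty probes


if __name__ == "__main__":
    print(syn_scan_state([Reply("none"), Reply("none"), Reply("tcp", "SA")]))
    print(udp_scan_state([Reply("icmp", icmp_type=3, icmp_code=3)]))
```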

This returns a list of names associated with the scanned IP. This description provides information on what the IP is actually for.

Using Nmap in Kali Linux can be done in an identical way to running the program on any other flavor of Linux. That said, there are advantages to using Kali when running Nmap scans. Most modern Kali releases now come with a fully-featured Nmap suite, which includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

As mentioned above, a ping scan returns information on every active IP on your network. You can execute a ping scan using this command:

Here are the basic differences:

Host scanning returns more detailed information on a particular host or a range of IP addresses.

As mentioned above, you can perform a host scan using the following command:

OS scanning is one of the most powerful features of Nmap. It compares the response to a database of operating systems, and returns information on the OS and version of a host. If you are running Nmap on a home server, this command is very useful. You can run this command using:

It returns a concise output that details the status of the most common ports, and this lets you quickly see whether you have any unnecessarily open ports.

If you want to output the results of your Nmap scans to a file, you can add an extension to your commands to do that. Simply add:

Finally, you can speed up your Nmap scans by using the -n parameter to disable reverse DNS resolution.

This can be extremely useful if you want to scan a large network. For example, to turn off DNS resolution for the basic ping scan mentioned above, add -n:

The commands above cover most of the basic functionality of Nmap. There are some alternatives to Nmap, but most of them are focused on providing specific, niche functionality that the average system administrator does not need frequently.

Umit, by contrast, allows you to run several scans at once. In reality, however, Nmap provides all the functionality and speed that the average user requires, especially when used alongside other similarly popular tools like NetCat (which can be used to manage and control network traffic) and ZenMap (which provides a GUI for Nmap).

Nmap builds on previous network auditing tools to provide quick, detailed scans of network traffic.
