Scanning using Nmap

In order to be a good penetration tester (pen tester), one should equip oneself with good scanning skills. By scanning, we mean looking for “doors” through which to get into our authorized targets. We can think of ports as the “doors” here.

By knowing which ports are open, we also know which services are active on a system. Scanning can also reveal the running OS, giving us a general picture of our targets.

By scanning, we try to gather as much information as we can about the underlying system of our targets so that we can prepare ourselves: we can choose the exploitation tools to use as well as the timeline of our penetration strategy. Note that timing is very important here because, as professional pen testers, we want to make the most of the time we have for our clients.

Nmap is one of the most popular tools for scanning. In this tutorial, I am going to show you some basic things you can do with Nmap.

– Ping Sweep

A ping sweep is a way to determine which computers are active in a network. It sends a ping (ICMP echo request) and a TCP SYN to each computer. An active computer will reply to the ping, and from this reply we can see which computers are active.

The command to do this is:
nmap -sP ip_addrORdomainName

If you want to test only one host, then you can do it by issuing:
nmap -sP

You can also append a CIDR suffix to the IP address if you want to “sweep” a range of computers.

For example, the following command will scan all hosts under /24. That is,,,, and so on:
nmap -sP

And yes, you can put a domain name too. For example, if you want to scan, then the following command will do it:
nmap -sP

Note, though, that as ethical hackers we want written authorization before we try to get into anyone’s system.

– Save the result into a file

We can write the result of our scan to a file by setting the -oA option. With the -oA output we can submit our scan results to our clients.

nmap -sP -PA -oA my-scan-result
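The -oA option writes three files from one base name: my-scan-result.nmap (normal output), my-scan-result.xml, and my-scan-result.gnmap (greppable output, one host per line). As an added example that is not part of the original post, here is a small Python parser for the greppable file; it collects each host’s status, its ports and any OS guess from -O, and turns them into one report line per live host. The scan data below is constructed from documentation addresses, not a real result, and the parser assumes the tab-separated layout of the .gnmap format.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of the greppable file that `-oA my-scan-result` writes
# (my-scan-result.gnmap). Hosts and addresses are made up (RFC 5737 ranges).
# Fields on a line are tab-separated; each port entry has the shape
# port/state/protocol/owner/service/rpc info/version/
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -O -oA my-scan-result 192.0.2.0/24
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 23/closed/tcp//telnet///\tIgnored State: filtered (997)\tOS: Linux 4.15 - 5.8\tSeq Index: 259\tIP ID Seq: All zeros
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
Host: 192.0.2.12 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:09 2024 -- 256 IP addresses (2 hosts up) scanned in 9.12 seconds
"""


@dataclass
class Port:
    number: int
    state: str      # open, closed, filtered, ...
    proto: str      # tcp or udp
    service: str    # name Nmap took from its services table


@dataclass
class HostResult:
    address: str
    hostname: str
    status: str = "unknown"
    os_guess: Optional[str] = None
    ports: List[Port] = field(default_factory=list)

    def open_ports(self) -> List[Port]:
        return [p for p in self.ports if p.state == "open"]


HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)$")


def parse_gnmap(text: str) -> Dict[str, HostResult]:
    """Parse greppable output into HostResult objects keyed by address."""
    hosts: Dict[str, HostResult] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue            # skip the '# Nmap ...' header and footer
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        addr, name = m.group(1), m.group(2)
        host = hosts.setdefault(addr, HostResult(addr, name))
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "OS":
                host.os_guess = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    host.ports.append(Port(int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def summarize(hosts: Dict[str, HostResult]) -> List[str]:
    """One report line per live host, sorted by address."""
    lines = []
    for addr in sorted(hosts, key=ipaddress.ip_address):
        h = hosts[addr]
        if h.status != "Up":
            continue
        opened = ", ".join(f"{p.number}/{p.proto} {p.service}" for p in h.open_ports())
        lines.append(f"{addr:<15} {h.hostname or '-':<18} os={h.os_guess or 'unknown'} open=[{opened}]")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_gnmap(SAMPLE_GNMAP)):
        print(line)
```

Hosts that are down are parsed but left out of the summary, and ports Nmap reports as closed stay in the data so a report can still show them if needed.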

– Ping Sweep (Bypassing a stateful firewall)

Before we go on, it is important to review how a TCP connection is established through the three-way handshake. In the first stage, the sender sends a TCP SYN to the receiver. In the second stage, the receiver replies with SYN + ACK. In the last stage, the sender sends a TCP ACK, and the connection between sender and receiver is established.
Many Nmap options for getting past a firewall or IDS are based on this mechanism.

Let’s go first with a stateful firewall.

A stateful firewall? What is that? Here is the Wikipedia definition:

“In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
The stateful firewall depends on the famous three-way handshake of the TCP protocol. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.”

Thanks to the Nmap hackers, Nmap has an option that sends its ping as a TCP ACK packet. When a stateful firewall receives this packet, it will treat it as if it belonged to an established connection. Therefore, the ping will pass the firewall and reach the targeted host, and we will receive a reply if the host is up! Very neat!

To achieve this, we set the -PA option. For example, the following command will scan all hosts under /24, and if a stateful firewall is in between, (hopefully) it will be bypassed:
nmap -sP -PA
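To make the handshake and the firewall behaviour above concrete, here is an added Python illustration (not code from the original post): a toy filter in front of one protected host. In strict mode it keeps a connection table and admits an inbound packet only when it continues a handshake the protected host started (SYN_SENT, SYN_RECV, ESTABLISHED); in flags-only mode it merely blocks inbound SYN-without-ACK and keeps no state. Running the same unsolicited ACK through both shows which kind passes it: the stateless filter does, the tracking one drops it. That makes the -PA probe a useful check, from the defender’s side, of which kind of filter is actually deployed. The addresses and ports are constructed, and the state machine is a simplification that ignores sequence numbers and connection teardown.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, ACK = 0x02, 0x10   # TCP flag bits as they sit in the header


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


# Constructed addresses from the RFC 5737 documentation ranges.
PROTECTED = "192.0.2.10"    # host behind the firewall
REMOTE = "198.51.100.5"     # host on the outside


class InboundFilter:
    """Toy firewall in front of PROTECTED.

    strict=True  : connection tracking. Inbound packets are accepted only if
                   they continue a handshake PROTECTED started
                   (SYN_SENT -> SYN_RECV -> ESTABLISHED).
    strict=False : flags-only filter. Blocks inbound SYN-without-ACK and
                   passes everything else, keeping no state at all.
    """

    def __init__(self, strict: bool = True):
        self.strict = strict
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    @staticmethod
    def _key(p: Packet):
        # Same key for both directions of one connection.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return a + b if a < b else b + a

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        state = self.table.get(key)
        syn_only = bool(p.flags & SYN) and not (p.flags & ACK)
        syn_ack = bool(p.flags & SYN) and bool(p.flags & ACK)
        ack_only = bool(p.flags & ACK) and not (p.flags & SYN)

        if p.dst != PROTECTED:
            # Outbound traffic is always passed; record handshake progress.
            if syn_only:
                self.table[key] = "SYN_SENT"
            elif ack_only and state == "SYN_RECV":
                self.table[key] = "ESTABLISHED"
            return "ACCEPT"

        if not self.strict:
            return "DROP" if syn_only else "ACCEPT"

        if syn_ack and state == "SYN_SENT":
            self.table[key] = "SYN_RECV"
            return "ACCEPT"
        if ack_only and state == "ESTABLISHED":
            return "ACCEPT"
        return "DROP"           # nothing in the table matches this packet


def run(packets: List[Packet], strict: bool) -> List[str]:
    """Feed packets through a fresh filter and return its decisions in order."""
    fw = InboundFilter(strict)
    return [fw.filter(p) for p in packets]


# The three-way handshake from the text, started by the protected host,
# followed by the first data packet coming back in.
HANDSHAKE = [
    Packet(PROTECTED, 40000, REMOTE, 80, SYN),         # 1. SYN out
    Packet(REMOTE, 80, PROTECTED, 40000, SYN | ACK),   # 2. SYN+ACK in
    Packet(PROTECTED, 40000, REMOTE, 80, ACK),         # 3. ACK out
    Packet(REMOTE, 80, PROTECTED, 40000, ACK),         # 4. data in
]

# Two unsolicited inbound packets: a fresh SYN, then a bare ACK.
UNSOLICITED = [
    Packet(REMOTE, 5555, PROTECTED, 80, SYN),
    Packet(REMOTE, 5555, PROTECTED, 80, ACK),
]

if __name__ == "__main__":
    print("handshake, tracking    :", run(HANDSHAKE, strict=True))
    print("unsolicited, tracking  :", run(UNSOLICITED, strict=True))
    print("unsolicited, flags-only:", run(UNSOLICITED, strict=False))
```

Both filters pass the legitimate handshake; they differ only on the bare ACK, which is exactly the packet the -PA probe sends.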

– Port Scanning (Full connection)

By port scanning, we can determine the ports on a system, their status (up or down) and their respective services. This is important to know before we go deeper into our attack. For example, if we know that port 23 is open (the Telnet service), then we can plan our penetration strategy around known vulnerabilities of Telnet.

A port scan is done by specifying -sT for TCP services (the “T” in -sT is for TCP; so can you tell me the option for UDP services? Exactly, it is -sU).

For example, the following command will list TCP ports that are open and their respective services:
nmap -sT localhost

However, with the -sT option, we fully connect to every port we probe. If a connection to a specific port is established, then Nmap lists the port as open. This mechanism is a problem if an IDS is installed on the system. Usually, the IDS will detect a penetration attempt from the sign that we are trying to connect to many ports in a very short time. The IDS can log our attempt and (maybe) trace our IP address, which is not good.

What is the solution? Read on!

– Port Scanning (Stealth Scanning)

The Nmap hackers created an option to handle the previous problem (yes, it is based on the three-way handshake). Instead of fully connecting to a port, why don’t we just send a TCP SYN? If we receive a SYN + ACK, that specific port is open, and Nmap breaks off the connection there. That is exactly what -sS does. Again, the “S” in -sS is for SYN. Memorize this to save time, so that we can give great service to our clients.

Usually, -sT and -sS give the same result.
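The IDS point from the full-connection section, and the -sT versus -sS difference just described, look like this from the defender’s side. As an added example that is not from the original post, here is a small Python detector over a constructed tcpdump-style packet log: it alerts when one source sends SYNs to at least five distinct ports of one host inside a two-second window, and then labels the source by whether it completed its handshakes. Both the full-connect pattern (SYN, SYN/ACK, ACK) and the half-open one (SYN, SYN/ACK, RST) trip the alert, because the count is on SYNs rather than on completed connections; the log format, the window and the threshold are assumptions made for this example.

```python
import re
from collections import defaultdict, deque

# Constructed tcpdump-style packet log: time, src:port -> dst:port, TCP flags
# (S=SYN, SA=SYN/ACK, A=ACK, R=RST). Addresses come from documentation ranges
# and the traffic is made up. 198.51.100.5 probes with SYN only (the -sS
# pattern), 203.0.113.7 completes each handshake (the -sT pattern), and
# 192.0.2.20 is an ordinary client opening one connection.
SAMPLE_LOG = """\
10:00:00.000 198.51.100.5:40001 -> 192.0.2.10:22 S
10:00:00.002 192.0.2.10:22 -> 198.51.100.5:40001 SA
10:00:00.003 198.51.100.5:40001 -> 192.0.2.10:22 R
10:00:00.010 198.51.100.5:40002 -> 192.0.2.10:23 S
10:00:00.012 192.0.2.10:23 -> 198.51.100.5:40002 SA
10:00:00.013 198.51.100.5:40002 -> 192.0.2.10:23 R
10:00:00.020 198.51.100.5:40003 -> 192.0.2.10:25 S
10:00:00.030 198.51.100.5:40004 -> 192.0.2.10:80 S
10:00:00.040 198.51.100.5:40005 -> 192.0.2.10:110 S
10:00:01.000 203.0.113.7:51001 -> 192.0.2.10:22 S
10:00:01.002 192.0.2.10:22 -> 203.0.113.7:51001 SA
10:00:01.003 203.0.113.7:51001 -> 192.0.2.10:22 A
10:00:01.010 203.0.113.7:51002 -> 192.0.2.10:23 S
10:00:01.012 192.0.2.10:23 -> 203.0.113.7:51002 SA
10:00:01.013 203.0.113.7:51002 -> 192.0.2.10:23 A
10:00:01.020 203.0.113.7:51003 -> 192.0.2.10:25 S
10:00:01.022 192.0.2.10:25 -> 203.0.113.7:51003 SA
10:00:01.023 203.0.113.7:51003 -> 192.0.2.10:25 A
10:00:01.030 203.0.113.7:51004 -> 192.0.2.10:80 S
10:00:01.032 192.0.2.10:80 -> 203.0.113.7:51004 SA
10:00:01.033 203.0.113.7:51004 -> 192.0.2.10:80 A
10:00:01.040 203.0.113.7:51005 -> 192.0.2.10:110 S
10:00:01.042 192.0.2.10:110 -> 203.0.113.7:51005 SA
10:00:01.043 203.0.113.7:51005 -> 192.0.2.10:110 A
10:00:40.000 192.0.2.20:33000 -> 192.0.2.10:443 S
10:00:40.002 192.0.2.10:443 -> 192.0.2.20:33000 SA
10:00:40.003 192.0.2.20:33000 -> 192.0.2.10:443 A
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{3}) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Return (seconds, src, sport, dst, dport, flags), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, ms, src, sport, dst, dport, flags = m.groups()
    secs = int(h) * 3600 + int(mi) * 60 + int(s) + int(ms) / 1000
    return secs, src, int(sport), dst, int(dport), flags


def detect_scans(log, window=2.0, threshold=5):
    """Alert once per (src, dst) pair whose SYNs touch >= threshold distinct ports
    within `window` seconds, then label the pair by how many handshakes the
    source finished: connect scans complete them, SYN scans do not."""
    recent = defaultdict(deque)     # pair -> deque of (t, dport) for SYN-only packets
    attempted = defaultdict(set)    # pair -> {(sport, dport)} SYNs seen
    completed = defaultdict(set)    # pair -> {(sport, dport)} the source later ACKed
    alerts, alerted = [], set()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, sport, dst, dport, flags = rec
        pair = (src, dst)
        if flags == "S":
            attempted[pair].add((sport, dport))
            q = recent[pair]
            q.append((t, dport))
            while t - q[0][0] > window:     # slide the window forward
                q.popleft()
            ports = {p for _, p in q}
            if len(ports) >= threshold and pair not in alerted:
                alerted.add(pair)
                alerts.append({"src": src, "dst": dst, "t": q[0][0], "ports": sorted(ports)})
        elif "A" in flags and "S" not in flags and (sport, dport) in attempted[pair]:
            completed[pair].add((sport, dport))
    for a in alerts:    # classify once the whole log has been read
        pair = (a["src"], a["dst"])
        ratio = len(completed[pair]) / len(attempted[pair])
        a["kind"] = "full-connect" if ratio >= 0.5 else "half-open (SYN)"
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a['src']} -> {a['dst']} at {a['t']:.3f}s: {len(a['ports'])} ports, {a['kind']}")
```

The ordinary client never reaches the threshold, so it produces no alert; the two scanners both do, and only the completion ratio tells them apart. Raising the threshold above the number of ports a source touched (here, to 6) silences both alerts, which is the trade-off any such rule makes between catching slow scans and flagging busy but legitimate clients.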

– OS Fingerprinting

This is the last basic function that we’re going to cover. OS fingerprinting is done by specifying the -O option. Nmap will try to reveal the running OS of a system and list the open ports on it (using a stealth scan, -sS).

We’re done! These are some of the most basic functions that a pen tester should master. If you have any suggestion or advice (something I may have forgotten or don’t know about), please leave a comment.
