Nmap – network mapper tool to scan network device and get more information.

  • By default: Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request followed by probes and scan types.
  • Options:
    • -A, to enable OS and version detection, script scanning, and traceroute
    • -V – to detect version
    • -v – verbose output
    • -O : OS detection:
  • First Host discovery is performed and then port discovery on each discovered host.
  • Host discovery technique; by sending probes
    • -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
    • -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
    • -PO [protocol list]: IP Protocol Ping
  • Scan technique:
    • -sS : TCP SYN scan (Default mode)
    • -sF/sA/sW: TCP FIN/ACK/Window scans
    • -sU/-sO: UDP/IP protocol Scan
    • Window scan: open ports use a positive window size (even for RST packets) while closed ones have a zero window.

State of a port: (in the nmap output)

  • Open– port is open to accept connection
  • Closed – port is closed and cannot accept any connection
  • Filtered – firewall or any filter is blocking nmap to determine whether the port is open/closed.
  • Unfiltered – device response to nmap probe but nmap couldn’t determine whether the port is open/closed

Nmap works based on below concept:

  • If we send TCP ACK to a host without any SYN, the host will respond with RST.
  • If we send SYN to a port which is not open, the host will respond with RST [with ACK].
  • If we send SYN to a port which is open, the other end host will respond with SYN-ACK to establish connection.
  • If we send UDP packet to a port which is closed, the host will send ICMP port unreachable message.
  • If we send UDP packet to a port which is open, the host will accept it and never respond.

Eg: Scan Enable verbose mode, OS detection and disable DNS resolution of this host.

[root@server2 ~]# nmap -v -n -O
Starting Nmap 4.68 ( http://nmap.org ) at 2011-08-25 03:53 UTC
Initiating ARP Ping Scan at 03:53
Scanning [1 port]
Completed ARP Ping Scan at 03:53, 0.02s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 03:53
Scanning [1715 ports]
Discovered open port 21/tcp on
Discovered open port 22/tcp on
Discovered open port 23/tcp on
Discovered open port 514/tcp on
Discovered open port 680/tcp on
Discovered open port 691/tcp on
Discovered open port 798/tcp on
Discovered open port 6001/tcp on
Completed SYN Stealth Scan at 03:53, 0.04s elapsed (1715 total ports)
Initiating OS detection (try #1) against
Host appears to be up ... good.
Interesting ports on
Not shown: 1699 closed ports
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
32779/tcp open  sometimes-rpc21
MAC Address: 00:11:0A:30:21:06 (Hewlett Packard)
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
Uptime: 1.281 days (since Tue Aug 23 21:08:31 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.788 seconds
           Raw packets sent: 1735 (77.100KB) | Rcvd: 1748 (81.150KB)
[root@server2 ~]#
This entry was posted in Linux and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s