Before we begin understanding NMap scan types, let us start with the basics, including understanding the 3-way TCP handshake. TCP/IP is not a single protocol, but a suite comprising various protocols, some of which are detailed in Table 1.
|Table 1: Various TCP/IP protocols|
|1.||Application layer||FTP, HTTP, SNMP, BOOTP, DHCP|
|2.||Transport layer||TCP, UDP, ICMP, IGMP|
|3.||Network layer||ARP, IP, RARP|
|4.||Data link layer||SLIP, PPP|
UDP and TCP
UDP is a connection-less protocol that does not assure the delivery of packets at the other end. However, that does not mean it is an unreliable protocol; higher-level applications must take care to verify that data has been received at the other end. This practice has its own uses, like with live audio/video transfers, where real-time delivery is a must.
TCP is a connection-oriented protocol, which assures delivery of packets. ICMP packets are used to convey error messages, if any. The TCP three-way handshake is used to establish and reset connections, and this concept is key to understanding various NMap scan types. In the TCP three-way handshake:
- A “client” initiates communication with a SYN (Synchronise) packet with a randomly generated number, X.
- The server acknowledges with a SYN-ACK (Acknowledgement), X+1 and a randomly generated number, Y.
- The client again sends an ACK, followed by Y+1, thus completing the handshake. Now the client and server can start data transfer.
After the data transfer is complete, a FIN (Finish) packet is sent by the client, to end the connection.
Nmap uses/tweaks this handshake very effectively for various scan types. Before we proceed, let us be clear about two basic but important aspects of Nmap scans:
- By default, Nmap scans 1,000 most common ports for each protocol. The list of these ports can be modified in the
nmap-servicesfile, typically stored in
/etc/services. (I have never used this; the default ports are almost always sufficient!
- Root privileges are required to run any scan that modifies the standard TCP handshake.
Now, let us try to understand the detailed workings of various NMap scan types.
TCP SYN Scan -sS
This is the default Nmap scan, used to detect open TCP ports in the target range. At the start of a SYN Scan, NMap initiates a TCP handshake with a standard SYN packet, to the required TCP port of the device to be scanned (target). The target’s response, giving details of port status, differs depending on the status of the destination port (see Table 2).
|Table 2: SYN scan client responses|
|Port status||Client response||Inference|
|Open||Standard response SYN-ACK||Service running on the port|
|Closed||Standard response RST||Service not running on the port|
|Filtered||No response||Firewalled port|
If the device responds with a SYN-ACK, Nmap sends an RST instead of an ACK, resetting the session, rather than completing the handshake for data transfer. If ACK was sent instead of RST, the connection would be left open till session time-out, making the device prone to a denial of service type of situation.
To run a SYN scan, root privileges are required under Linux. A SYN scan is used to find the status of TCP ports on various devices on the network. Since the SYN scan works on TCP, it will work across all operating systems and other devices that implement TCP, such as controllers, PLCs, network printers, Ethernet switches, and mobile phones.
Since it does not open a valid TCP connection, it’s quiet, and difficult to detect. However, careful network monitoring will reveal too many RST frames in traffic, due to one RST frame per scanned port. Here’s a sample SYN scan that will return various open TCP ports:
nmap -sS 192.168.100.100
Ping Scan -sP
This scan is used to find active hosts in the range. Rather than using ports like a SYN scan, a ping scan starts by sending an ICMP echo request to the target range. Active devices on the network will respond with an ICMP echo reply, thus revealing their status.
A firewalled host with blocked ICMP will not respond to the ICMP echo request. The obvious basic use of this scan is to find all active hosts on the network. This set of two commands gives a list of all active IP addresses in the 192.168.100.0/24 range:
nmap -sP -n -oG hostlist 192.168.100.0/24 ## grep'able output file, hostlist cut -d " "-f2 hostlist > iplist ## list of all active IPs in the target range, iplist)
The ping scan uses only one packet for the request, and may get one packet in response, thus making it the fastest of all Nmap scan types, with the lowest footprint. The ping scan cannot be combined with other scan types.
UDP Scan -sU
This is used to find the status of UDP ports in the target range. At the start of the UDP scan, Nmap sends a 0-byte UDP packet directed towards a UDP port. The target’s response differs depending on the status of the scanned port:
- Open port: Data on the scanned UDP port.
- Closed port: ICMP error message indicating no service is running on this port.
- Open/Filtered port: No ICMP message; Nmap waits for the timeout, and can’t determine whether the port is open, or filtered by a firewall.
UDP can be used to detect malware/spyware effectively. The following sample UDP scan command will return open/closed/open/filtered UDP ports on the host:
nmap -sU 192.168.100.100
|Table 3: Summary of SYN, ping and UDP scans|
|SYN scan (
|Ping scan (
|UDP scan (
Please try out these scanning techniques, hands-on, before further exploring various other scan options provided by NMap. And don’t forget to keep a watch on this series for further details!