The Complete Magazine on Open Source

Advanced Nmap: Scanning Techniques Continued

, / 165 1

Nmap Scanning Techniques

The earlier articles on Nmap had covered the basic features, the working of the TCP 3-way handshake, and some important scan types, along with their practical use. The third article in this series continues with some more interesting scanning techniques.

One very important aspect of Nmap scanning is the Nmap ping process, sometimes also called the host discovery/ping scan process. As documented on, an Nmap scan of a subnet usually begins with discovering which hosts in the subnet are online. This host discovery is in operation every time any of the Nmap scan types is run. It is different from standard ICMP pings, and combines ARP requests and elaborate combinations of TCP, ICMP and other probes. The exact type of scan is decided based on whether the Nmap workstation is scanning its own (local) subnet, or an external subnet. Host discovery is followed by deeper investigation of the online hosts.

Typical Nmap host discovery

Local subnets

For scanning devices in a local subnet, Nmap uses an ARP scan, where an ARP request is sent to the local device. The device acknowledges this with an ARP reply, thus revealing its presence. Being at the OSI Layer 2, ARP requests are limited to only the local subnet.

Remote subnets

To scan remote subnets, Nmap sends an ICMP echo packet and a TCP ACK packet to the remote device. The remote device may send an ICMP reply and TCP RST respectively, thus revealing its presence.

Assume online switch

Now, consider a real-life scenario where all hosts on the local network have personal firewalls, and the default ping scan shows no active hosts. How do you probe this network further?

Nmap provides an excellent option -PN, which tells Nmap not to do a ping scan to discover active hosts, but to assume that all hosts in the range being scanned are online.

The implications of disabling host discovery for even a Class C subnet with 254 IP addresses is that all the 254 IP addresses will be probed, including non-existent hosts, thus increasing scan time to a great extent. Exercise care in using this option. For example, nmap -v -PN will scan all hosts from to by disabling host discovery. (The -v option will increase the verbosity of the output.)

A TCP Connect scan

As discussed in the earlier article, any Nmap scan type requiring modification/tweaking of the standard TCP 3-way handshake requires administrative privileges. Since the default Nmap scan is a TCP SYN scan that requires administrator access, for non-privileged users, Nmap uses a TCP Connect scan as the default scan instead.

Nmap starts a TCP connect scan by initiating a TCP handshake with a standard SYN packet to the required TCP port of the target device. The target’s response to the TCP Connect scan is the same as that in the case of a TCP SYN Scan — it varies, depending on the state of the destination port (see the following table).

TCP Connect Scan client responses
Port status Client response Inference
Open Standard response: SYN ACK Service running on the port / port is open
Closed Standard response: RST Service not running on the port / port is closed
Filtered No response Firewalled port

For a port that is open, Nmap sends an ACK packet to complete the TCP handshake, thus opening the connection. It then sends an RST packet to reset the connection, closing the open connection. In this way, the host is scanned without modifying the standard TCP handshake. Do you see the downside of this scan type? Since it completes the full handshake, it leaves a log entry on the target device.

Like the TCP SYN scan, the TCP Connect scan also works across all operating systems and other devices that implement TCP, such as PLCs, network printers, Ethernet switches, mobile phones, etc. An example scan would be nmap -sT The disadvantage of this scan type is that it uses more resources than the TCP SYN scan, since it opens a full TCP connection, and then resets it. It also leaves a log entry on the target device.

Version scan

The more you study Nmap, the more astonished you will be at its functionality. Nmap uses simple TCP, UDP and ICMP scans in very interesting ways — to detect various devices, operating systems, services running on various ports, and even the versions of these services.

The Nmap version scan, -sV, is used to find the versions of services running on open ports. A simple command like nmap -v -sV will find open ports on the host, and find and display versions of all the services running on these ports.

OS fingerprinting

Nmap can detect the operating system of the scanned host. If, for example, you use nmap -v -O, it can detect a variety of operating systems like the versions of Microsoft Windows, Linux (including kernel version), etc.

If there is an unrecognised service or operating system, Nmap will show the service’s fingerprint, and request the user to send the fingerprint and the version of the service/operating system to the Nmap developers at, for inclusion in future Nmap versions.

Please try out these scanning techniques, hands-on, before further exploring various other scan options provided by Nmap. And don’t forget to keep a watch on this series for further details!

  • Neeraj


    I’m trying to execute this command (nmap -sV -sC –allports –version-all –script=ssl-cert.nse,ssl-enum-ciphers) via command line. Sometimes it gives me the desired output such as ssl certificates and ssl ciphers but not every time. What am i missing in this command? how do i ensure that this command will return ssl information each time?

    Please reply.