Host Discovery
The first step in network exploration is discovering live hosts. Below is a breakdown of key commands, options, and scenarios for identifying targets on a network.
Key Nmap Host Discovery Commands and Techniques
| Nmap Option | Description |
|---|---|
| 10.10.10.0/24 | Target network range. |
| -sn | Disables port scanning; Nmap performs host discovery only. |
| -Pn | Skips host discovery and treats every target as online, so ports are scanned even when the host does not answer any ping probe. |
| -n | Disables DNS resolution. |
| -PE | Performs host discovery with ICMP Echo Requests against the target. |
| --packet-trace | Shows all packets sent and received. |
| --reason | Displays the reason for a specific result (e.g. which reply marked a host up or a port open). |
| --disable-arp-ping | Disables ARP ping requests on the local segment. |
| --top-ports=<num> | Scans the <num> ports that Nmap's service database ranks as most frequently open. |
| -p- | Scans all 65535 ports. |
| -p22-110 | Scans all ports between 22 and 110. |
| -p22,25 | Scans only the specified ports 22 and 25. |
| -F | Fast mode: scans the top 100 ports. |
| -sS | Performs a TCP SYN scan. |
| -sA | Performs a TCP ACK scan. |
| -sU | Performs a UDP scan. |
| -sV | Probes the discovered services to determine their versions. |
| -sC | Performs a script scan with the scripts in the "default" category. |
| --script <script> | Performs a script scan using the specified scripts or categories. |
| -O | Performs OS detection to determine the OS of the target. |
| -A | Aggressive scan: OS detection, version detection, default script scan, and traceroute. |
| -D RND:5 | Uses the given number of random decoy source addresses to disguise the origin of the scan. |
| -e | Specifies the network interface used for the scan. |
| -S 10.10.10.200 | Specifies (spoofs) the source IP address for the scan. |
| -g | Specifies the source port for the scan (same as --source-port). |
| --dns-server <ns> | Performs DNS resolution using the specified name server. |
| --stats-every=5s | Defines the interval at which progress updates are printed. |
1. Scan a Network Range
The simplest way to perform host discovery is to scan an entire network range. This method identifies live hosts within the range.
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
10.129.2.0/24: The network range being scanned.
-sn: Disables port scanning and limits Nmap to host discovery only.
-oA tnet: Saves results in all three formats (XML, Nmap, and Grepable), with the base filename tnet.
grep and cut are used to filter and display the list of discovered IPs.
Whether a host shows up depends on the probes it answers. On the same Ethernet segment Nmap uses ARP requests, which every reachable host must answer. Across a router, a privileged -sn scan sends an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; a host whose firewall drops all four is reported as down even though it is up, and other methods (or -Pn) are needed.
2. Scan IPs from a List
If you are provided with a specific list of IPs, you can scan these using a list file.
sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
-iL hosts.lst: Specifies an input file (hosts.lst) containing the list of IP addresses to scan.
Only the active hosts from the list are displayed.
In the original run, only 3 of the 7 hosts in the list responded, most likely because firewalls on the others dropped the discovery probes. A host that filters all probes is silently omitted from this output, so "not listed" must not be read as "not there".
3. Scan Multiple Specific IPs
Instead of scanning an entire network, you can scan specific IPs either individually or in ranges.
Example 1: Scan Multiple IPs
sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20 | grep for | cut -d" " -f5
Example 2: Scan an IP Range
sudo nmap -sn -oA tnet 10.129.2.18-20 | grep for | cut -d" " -f5
4. Scan a Single IP
To scan a specific host, you can use the following command to check if it is up.
sudo nmap 10.129.2.18 -sn -oA host
The output shows the host's status, latency, and (for targets on the local Ethernet segment) its MAC address. On a local segment Nmap discovers hosts with ARP requests instead of ICMP unless --disable-arp-ping is set, because a host must answer ARP to communicate at all.
Advanced Host Discovery Options
1. ICMP Echo Requests (-PE)
To ensure that ICMP Echo Requests (ping requests) are sent explicitly, use the -PE option.
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace
-PE: Ensures that ICMP Echo Requests are sent.
--packet-trace: Displays detailed packet-level information (helpful for troubleshooting and understanding scan behavior).
Output Explanation: Nmap sends an ARP request before the ICMP request. In this case, the ARP reply was enough to confirm the host was alive.
2. Displaying the Reason for Host Status (--reason)
Nmap allows you to see why it considers a host as “alive” using the --reason option.
sudo nmap 10.129.2.18 -sn -oA host -PE --reason
In this example, Nmap detects the host as alive because it received an ARP response.
3. Disabling ARP Ping
By default, Nmap sends ARP requests when scanning local networks. To force Nmap to skip ARP pings and only use ICMP echo requests, use the --disable-arp-ping option.
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping
In this case, only ICMP Echo Requests are sent, and the response confirms the host is alive.
Storing Scan Results
It is important to store every scan’s output for comparison, documentation, and reporting purposes. The -oA option stores the scan results in multiple formats (Nmap, XML, and Grepable).
Example:
sudo nmap 10.129.2.0/24 -sn -oA tnet
The results are stored as tnet.nmap, tnet.xml, and tnet.gnmap for later analysis.
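The XML file (tnet.xml from -oA, or -oX) is the format to parse when comparing runs, since it also carries the reason Nmap recorded for each host state, the same information --reason prints. The following Python script is an added example written for these notes; it is not Nmap's code and not from the original page. It parses two constructed, abbreviated imitations of -oX output (every address, MAC and port state in them is made up), lists the live hosts with their reason, and diffs the two scans. The function names are my own.

```python
"""Parse Nmap XML output (-oX, or the .xml file from -oA) and diff two scans.

Added example for these notes, not Nmap's code. The two XML documents are
constructed, abbreviated imitations of -oX output; every address, MAC and
port state in them is made up.
"""
import ipaddress
import xml.etree.ElementTree as ET

SCAN_OLD = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oA tnet 10.129.2.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.129.2.4" addrtype="ipv4"/>
    <address addr="00:50:56:B9:4A:05" addrtype="mac"/></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.129.2.18" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
    </ports></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.129.2.19" addrtype="ipv4"/></host>
</nmaprun>
"""

SCAN_NEW = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oA tnet2 10.129.2.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.129.2.4" addrtype="ipv4"/></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.129.2.18" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
    </ports></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.129.2.19" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Map each IP to its status, the reason Nmap recorded (what --reason
    prints) and a {(protocol, port): state} dict of the scanned ports."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ips = [a.get("addr") for a in host.findall("address")
               if a.get("addrtype") in ("ipv4", "ipv6")]
        status = host.find("status")
        if not ips or status is None:
            continue
        ports = {(p.get("protocol"), int(p.get("portid"))): p.find("state").get("state")
                 for p in host.iter("port")}
        hosts[ips[0]] = {"state": status.get("state"),
                         "reason": status.get("reason"), "ports": ports}
    return hosts


def live_hosts(scan):
    """IPs Nmap considered up, in numeric order (a plain string sort would
    put .18 before .4)."""
    return sorted((ip for ip, h in scan.items() if h["state"] == "up"),
                  key=ipaddress.ip_address)


def diff_scans(old, new):
    """Hosts that appeared or vanished, and port state changes on hosts in both."""
    old_up, new_up = set(live_hosts(old)), set(live_hosts(new))
    changes = {
        "new_hosts": sorted(new_up - old_up, key=ipaddress.ip_address),
        "gone_hosts": sorted(old_up - new_up, key=ipaddress.ip_address),
        "port_changes": [],
    }
    for ip in sorted(old_up & new_up, key=ipaddress.ip_address):
        for proto, port in sorted(set(old[ip]["ports"]) | set(new[ip]["ports"])):
            before = old[ip]["ports"].get((proto, port), "unscanned")
            after = new[ip]["ports"].get((proto, port), "unscanned")
            if before != after:
                changes["port_changes"].append((ip, proto, port, before, after))
    return changes


if __name__ == "__main__":
    old, new = parse_scan(SCAN_OLD), parse_scan(SCAN_NEW)
    for ip in live_hosts(old):
        print(f"{ip} up ({old[ip]['reason']})")
    print(diff_scans(old, new))
```

Run it after two real scans by reading tnet.xml and tnet2.xml into parse_scan instead of the constructed strings; the diff is what goes into the report when a port opens or a host appears between two assessments.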
Output Options Table:
| Nmap Option | Description |
|---|---|
| -oA filename | Stores the results in all three formats (normal, XML, and grepable), using "filename" as the base name. |
| -oN filename | Stores the results in normal format in the file "filename". |
| -oG filename | Stores the results in grepable format in the file "filename". |
| -oX filename | Stores the results in XML format in the file "filename". |
Common Nmap Scan Techniques
1. SYN Scan (-sS)
Usage: Default scan for root users, since it needs raw sockets.
Mechanism: Sends a SYN packet to the target port and waits for a response; the half-open connection is then torn down with an RST instead of completing the handshake.
SYN-ACK response indicates the port is **open**.
RST response indicates the port is **closed**.
No response after retries, or an ICMP unreachable error, indicates the port is **filtered**.
Advantage: Fast and comparatively stealthy, because the handshake is never completed and the application behind the port never sees a connection.
Disadvantage: Firewalls or IDS/IPS may drop the SYN probes or alert on the half-open connections.
2. TCP Connect Scan (-sT)
Usage: Default scan for non-root users, or wherever raw packets cannot be sent.
Mechanism: Completes the full TCP three-way handshake through the operating system's connect() call.
A completed handshake (SYN-ACK answered with ACK) indicates the port is **open**.
RST response (connection refused) indicates the port is **closed**.
Advantage: The most reliable and accurate scan method, as it establishes full connections and needs no privileges.
Disadvantage: Slower and less stealthy than a SYN scan. The completed connection reaches the application, which commonly logs it, and the full handshake is easy for a firewall or IDS to see.
3. Filtered Ports
Mechanism: A firewall or packet filter prevents Nmap from determining whether a port is open or closed.
If the probe is dropped (no response, even after retransmission), the port is shown as **filtered**.
If the probe is rejected with an ICMP unreachable error, the port is also shown as **filtered**.
Dropped probes force retransmissions and long timeouts, so a range of filtered ports slows the scan down noticeably.
4. UDP Scan (-sU)
Usage: Scans UDP ports; UDP is connectionless, so there is no handshake to observe.
Mechanism: Sends a UDP datagram (empty for most ports, a protocol-specific payload for well-known ones such as DNS or SNMP) and waits for a reply or an ICMP error.
A UDP reply from the service (e.g., a DNS response) marks the port **open**.
No response marks the port **open|filtered**: either the service is listening but silent, or a filter dropped the probe.
An ICMP Port Unreachable response marks the port **closed**; other ICMP unreachable errors mark it **filtered**.
Advantage: Finds services running over UDP (DNS, SNMP, NTP, TFTP), which are easily overlooked.
Disadvantage: Slow, because silence has to be retried and waited out, and many systems rate-limit ICMP error messages, so a full UDP scan of a single host can take a long time.
UDP Scan Examples:
sudo nmap -sU --top-ports 50 -T4 -Pn --max-retries 2 --host-timeout 30s <target>
nmap -Pn -sU -sV -T3 --top-ports 25 -oN udp-nmap-scan.txt <target>
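To make the connect-scan and UDP-scan state logic concrete, here is a small Python prober, added as an example for these notes; it is not Nmap code and not from the original page. It classifies TCP ports as open/closed/filtered and UDP ports as open/closed/open|filtered exactly as the two sections above describe, with the OS performing the handshake (like -sT) rather than raw packets (like -sS). The optional source_port argument shows the --source-port idea from the evasion section (binding a privileged port such as 53 needs root). The listener helpers are test fixtures so the prober runs offline against 127.0.0.1; all function names here are my own.

```python
"""Minimal connect-style (-sT) and UDP-style (-sU) port prober.

Added example for these notes; it is not Nmap code. It implements the
state logic described above, with the OS doing the handshake (like -sT)
rather than raw packets (like -sS). The listener helpers are fixtures so
the prober can be run offline against 127.0.0.1.
"""
import socket
import threading


def tcp_connect_probe(host, port, timeout=1.0, source_port=None):
    """Full three-way handshake, as nmap -sT does.

    source_port mirrors -g/--source-port; binding a privileged port such
    as 53 needs root, so it is only there to show the idea.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if source_port is not None:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("", source_port))
        try:
            s.connect((host, port))      # SYN, SYN-ACK, ACK all happen in here
            return "open"
        except ConnectionRefusedError:   # SYN was answered with RST
            return "closed"
        except socket.timeout:           # no answer: something dropped the SYN
            return "filtered"
        except OSError:                  # host/network unreachable: treat as filtered
            return "filtered"


def udp_probe(host, port, timeout=1.0, payload=b""):
    """Send one datagram and classify the port as nmap -sU does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # a connected UDP socket surfaces ICMP errors
        try:
            s.send(payload)
            s.recv(1024)
            return "open"                # the service answered
        except ConnectionRefusedError:   # kernel relayed an ICMP port unreachable
            return "closed"
        except socket.timeout:           # silence: listening but quiet, or filtered
            return "open|filtered"


def start_tcp_listener(banner=b"220 test banner\r\n"):
    """Fixture: TCP service on an ephemeral loopback port that sends a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)     # the PSH-ACK a packet capture would show

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_udp_echo():
    """Fixture: UDP service on an ephemeral loopback port that echoes datagrams."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(1024)
            srv.sendto(data or b"pong", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port(udp=False):
    """A loopback port nothing listens on (bind, read the number, release)."""
    kind = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan(host, ports, udp=False, timeout=1.0):
    """Probe each port with TCP connect (and UDP if asked); {(proto, port): state}."""
    results = {}
    for p in ports:
        results[("tcp", p)] = tcp_connect_probe(host, p, timeout)
        if udp:
            results[("udp", p)] = udp_probe(host, p, timeout, b"ping")
    return results


if __name__ == "__main__":
    open_tcp, open_udp = start_tcp_listener(), start_udp_echo()
    for key, state in scan("127.0.0.1", [open_tcp, free_port()]).items():
        print(key, state)
    print(("udp", open_udp), udp_probe("127.0.0.1", open_udp, payload=b"ping"))
```

Against a real target the closed UDP port only comes back as "closed" if the ICMP Port Unreachable actually reaches you; a filter that eats ICMP turns it into "open|filtered", which is exactly why -sU results are so much vaguer than TCP ones.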
Capturing Packets
Capture packets between your machine and the target using tcpdump to analyze the connection flow.
sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28
sudo tcpdump -n -w file.pcap
The output may show the sequence of packets involved in the connection, including the SYN, SYN-ACK, ACK, and PSH-ACK flags, indicating a completed TCP handshake and banner transfer.
Example Packet Flow:
- SYN packet sent from the client.
- SYN-ACK packet received from the target.
- ACK packet sent by the client.
- PSH-ACK (banner transfer) from the server.
- Final ACK from the client.
Using NSE Scripts in Nmap
Nmap provides flexibility in choosing which scripts to run during a scan. There are three main ways to specify scripts:
- Default Scripts: Run using the -sC option.
sudo nmap <target> -sC
- Specific Script Categories: Specify an entire category.
sudo nmap <target> --script <category>
sudo nmap 10.129.2.28 -p 80 -sV --script vuln
- Defined Scripts: Choose individual scripts for targeted scans.
sudo nmap <target> --script <script-name>,<script-name>,...
sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands
Key NSE Scripts and Their Usage
Banner Grabbing (banner): Identifies the system’s service version by capturing service banners.
SMTP Commands (smtp-commands): Lists supported SMTP commands, useful for potential exploitation or service identification.
HTTP Enum (http-enum): Enumerates known paths in a web application (e.g., /wp-login.php).
Vulnerabilities (vuln): A script category rather than a single script; it runs every script that checks for known vulnerabilities, usually keyed on the detected service version, and reports matching CVEs. Pair it with -sV so the version checks have something to work with.
Performance Options
| Nmap Option | Description |
|---|---|
| --max-retries <num> | Sets the maximum number of times a probe is retransmitted for a port before giving up. |
| --stats-every=5s | Displays the scan's status every 5 seconds. |
| -v/-vv | Displays verbose output during the scan. |
| --initial-rtt-timeout 50ms | Sets the initial RTT timeout for probes. |
| --max-rtt-timeout 100ms | Sets the maximum RTT timeout for probes. |
| --min-rate 300 | Sends probes at no less than the given rate, in packets per second. |
| -T <0-5> | Selects a timing template, from 0 (paranoid) to 5 (insane); -T4 is the usual choice on a fast, reliable network. |
Firewall and IDS Evasion
ACK Scan (-sA)
Sends probes with only the ACK flag set. Stateless packet filters often let these through because they look like part of an already established connection. An ACK scan never reports open or closed: an RST reply means the port is **unfiltered** (reachable, and either open or closed), while no response or an ICMP unreachable error means **filtered**. Compare its output with a SYN scan of the same ports to map out the firewall rules.
sudo nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n
Decoys (-D)
With this method, Nmap sends each probe additionally from a set of spoofed decoy source addresses, so the target's logs show the scan coming from several hosts and the real origin is hidden among them. RND:5 generates five random decoy addresses; decoys that are not live hosts are easy to discount, upstream providers may drop spoofed packets, and decoys only work with raw-packet scans such as -sS (not with -sT or -sV).
sudo nmap 10.129.2.28 -p 80 -sS -Pn -n -D RND:5
Source IP (-S)
A firewall may permit a particular subnet or address that the scanning host does not have. You can manually specify (spoof) the source IP address with -S, together with -e for the interface to send from, to test such a rule. Since replies go to the spoofed address, this only yields results if you can observe that traffic (e.g. with tcpdump on the same segment), which is why -Pn and -n are needed to stop Nmap waiting for answers it will not see.
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
Source Port (-g / --source-port)
Firewalls are often configured to allow traffic from source port 53 (DNS) through. Setting the source port of the probes to 53 can get them past such a rule.
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --source-port 53
Connect To The Filtered Port
Using ncat to connect using a specific source port:
ncat -nv --source-port 53 10.129.2.28 50000
The Connect scan (-sT) is the most accurate way to determine the state of a port, because the operating system completes a real handshake. It is not stealthy in the usual sense: the application sees and typically logs the connection. Its advantage against some defenses is that it produces only normal, well-formed TCP traffic, so it does not trip IDS rules written for half-open SYN probes or unusual flag combinations, and it does not disturb services beyond a connection that is opened and immediately closed.
Manual Port Scanning
Netcat Port Scan
TCP Scan:
-w: Specify connection timeout in seconds.
-z: Zero-I/O mode (scanning only, no data sent).
Uses the three-way handshake method.
nc -nvv -w 1 -z 192.168.50.152 3388-3390
UDP Scan:
-u: Indicates a UDP scan.
Sends an empty UDP packet. If the port is closed, the target should respond with an ICMP port unreachable.
nc -nv -u -z -w 1 192.168.50.149 120-123
With Windows Hosts
When conducting initial enumeration from a Windows laptop without Nmap (“living off the land”), use built-in PowerShell functions.
Test a single port:
Test-NetConnection -Port 445 192.168.50.151
PowerShell one-liner for port range:
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null