Pentest-Tools Blog


Inside Nmap, the world’s most famous port scanner

Jan 8, 2019 • Satyam Singh

This article is a deep dive into how nmap works, in order to understand its internal structure and to master its functionality.

Network administrators and penetration testers use port scanning to discover open communication channels on computer systems. For an attacker, this is the first step to get info about the target’s network and identify a potential way in, since services running on an open port could be vulnerable to attacks.

There are multiple tools that can produce good results, but some port scanners are better for a particular task than others. Our focus is on Nmap (Network Mapper), by far the most popular tool for network discovery and port scanning. Some of its features include Host Discovery, Port Scan, Service and OS fingerprinting, and Basic Vulnerability detection. There is also a graphical version known as Zenmap, which offers easy access to scanning options and network mapping diagrams.

In this article we will describe how nmap can help you to:

  1. Discover live hosts on a network
  2. Scan for open ports
  3. Discover services
  4. Test for vulnerabilities

Port scanning alternatives

Nmap is not the only port scanner available, and other tools in this category are suitable for particular needs. Some of the more popular are:

  • Unicornscan is useful for collecting network and OS information, and it comes with features like asynchronous TCP and UDP scanning, port scanning, and service and OS fingerprinting.
  • Angry IP Scanner is a GUI-based tool for high-speed scanning, allowing users to run ping sweeps of the network. Based on the live IPs detected, it can scan for ports and services, reveal MAC addresses, as well as resolve hostnames.
  • Masscan is widely known as the fastest port scanner. It has both a command line and a graphical interface, and the default transmission rate is 100 packets per second.
  • Onetwopunch is a powerful script that combines the features of unicornscan and nmap tools for faster and more accurate results. It uses unicornscan to scan all 65535 ports, and then feeds the results to nmap for service fingerprinting. This way, the user gets a complete list of open ports and the services running on them.

1. Nmap host discovery

By default, nmap sends a set of probe requests to identify a live IP. In the older version of the tool, the option for ping sweep was -sP; in the newer version, it is -sn. To discover available hosts, the following packets are sent (as seen in the Wireshark packet analyzer screen capture below):

  • ICMP echo request
  • A TCP SYN packet to port 443
  • A TCP ACK packet to port 80
  • An ICMP timestamp request
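From the monitoring side, the four probes listed above arriving together from one source form a recognizable pattern. The sketch below is an added example, not code from the original article or from nmap; the packet tuples, addresses, time window and threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summaries: (time_s, src, dst, proto, detail).
# For "icmp" the detail is the ICMP type; for "tcp" it is (flags, dst_port).
# All addresses here are made up for the example.
TARGET = "192.168.100.19"
PACKETS = [
    (0.000, "192.168.100.5", TARGET, "icmp", 8),
    (0.001, "192.168.100.5", TARGET, "tcp", ("S", 443)),
    (0.001, "192.168.100.5", TARGET, "tcp", ("A", 80)),
    (0.002, "192.168.100.5", TARGET, "icmp", 13),
    (1.500, "192.168.100.7", TARGET, "icmp", 8),           # ordinary ping
    (2.000, "192.168.100.8", TARGET, "tcp", ("S", 443)),   # ordinary HTTPS client
]

# The four probes listed above, keyed the same way as the packet summaries.
DISCOVERY_PROBES = {
    ("icmp", 8): "ICMP echo request",
    ("tcp", ("S", 443)): "TCP SYN to 443",
    ("tcp", ("A", 80)): "TCP ACK to 80",
    ("icmp", 13): "ICMP timestamp request",
}

def find_discovery_sweeps(packets, window=1.0, min_kinds=3):
    """Return {(src, dst): probe names} where one source sent at least
    `min_kinds` different discovery probes to one host within `window` seconds."""
    first_seen = defaultdict(dict)  # (src, dst) -> {probe name: first timestamp}
    for ts, src, dst, proto, detail in packets:
        name = DISCOVERY_PROBES.get((proto, detail))
        if name is not None:
            first_seen[src, dst].setdefault(name, ts)
    sweeps = {}
    for pair, probes in first_seen.items():
        times = probes.values()
        if len(probes) >= min_kinds and max(times) - min(times) <= window:
            sweeps[pair] = sorted(probes)
    return sweeps
```

A lone ping or a single SYN to port 443 stays below the threshold; only the source that sent the combined probe set is reported.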

If the target is unknown and large, the recommendation is to identify hosts first. Scanning the ports at this stage would generate too much traffic, take time and resources, and is likely to trigger security alerts.

Below are some methods to identify live IPs:

ARP scanning can be used to stealthily discover the hosts in the local LAN. Getting an ARP reply means that the host exists, and since ARP is needed for routing packets, a firewall won’t interfere in the exchange.

nmap -n -sn -PR --send-eth 192.168.100.1-20


Above, you can see an ARP request and reply captured by Wireshark.

ICMP scan can also identify live hosts by sending an ICMP Echo request. A live host will send back a reply, signalling its presence on the network.

nmap -sP -PE 192.168.100.1/24

Using the -PP option, nmap will send ICMP timestamp requests (type 13), expecting ICMP timestamp replies (type 14) in return. If a type 14 ICMP packet is received, then nmap assumes the host is alive.

nmap -sP -PP 172.26.1.4

The -PM option sends ICMP address mask (netmask) requests (type 17), expecting an ICMP address mask reply (type 18) in return. Once again, if a type 18 packet is received, the host is alive.

nmap -sP -PM 172.26.1.4

Keep in mind that ICMP messages may be blocked by some firewalls, so this technique may not always work.

TCP scans represent another way to discover hosts, using commands to send out TCP SYN or TCP ACK ping messages:

With a TCP SYN scan, nmap sends a SYN packet to a given port on the target. If the machine replies with a SYN/ACK or RST packet for the specified port, nmap knows the host is up. Lack of a response for a certain period leads to marking the host as down.

nmap -sP -PS21 IP

During a TCP ACK scan, nmap sends an empty TCP packet with the ACK flag set to port 80. If the host is up, it will answer with an RST packet since the connection doesn’t exist. If the host is down, there will be no response. The port can be defined by the user.

nmap -sP -PA IP

If a list of live IP addresses already exists, host discovery is not necessary and you can move to the next step, finding open ports.

nmap -Pn IP

2. Scan for open ports

Nmap identifies the status of ports based on the response it receives for a SYN request.

  • Open Port: nmap receives “syn-ack” as the probe response
  • Closed Port: nmap receives a “RST” as the probe response
  • Filtered: nmap marks the port as open | filtered when it does not receive any response, which could be due to firewall filtering

There are multiple techniques you can use for port scanning:

Stealth Scan, also known as SYN scan or half-open scan, is the default and most popular technique. Its stealth comes from not performing a 3-way handshake to complete the connection. The packet exchange is as follows:

  1. The scanner sends a SYN packet.
  2. If the port is open, the machine replies with SYN/ACK.
  3. If the port is closed, the machine sends RST.
  4. If no response is received after several retries, the port is marked as filtered.
  5. Once the scanner receives SYN/ACK from the machine, it sends the RST packet and marks it as an open port.

nmap -sS IP

The images below show the packet exchange during the scanning procedure, as captured by Wireshark:

  • Packet 526 sends a SYN packet from source IP to 192.168.100.19 on TCP port 135
  • Packet 545 sends a SYN-ACK packet from IP 192.168.100.19 on TCP port 135
  • Packet 546 sends an RST packet from source IP to 192.168.100.19 on TCP port 135 to close the connection. The same goes for port 445 and port 80

TCP Connect scan completes the 3-way handshake with the target machine and makes for a good alternative to the stealth scan. The process is as follows:

  • The scanner sends a SYN packet.
  • If the port is open, the machine will send SYN/ACK.
  • If the port is closed, the machine will send RST.
  • If no response is received after several retries, the port is marked as filtered.
  • Once the scanner receives SYN/ACK, it sends the ACK packet to complete the connection.

nmap -sT IP

For a peek behind the scenes, we have captured the traffic to better understand the packet exchange process. You can see that the connection starts with a SYN packet visible in line 121 and the handshake is complete when the ACK packet is delivered.

Unlike the SYN scan, the TCP connect scan is slow, and completing the connection may create a log entry that could reveal the intrusion attempt; it works when the source IP is whitelisted by firewalls, IDS or IPS security gear.
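The two exchanges described above differ only in what the initiator sends after SYN/ACK, which is also what a defender can key on in a capture. The following is an added example, not code from the original article; the scanner and client addresses, source ports and the threshold are constructed, and the flow tracking is deliberately simplified.

```python
from collections import defaultdict

# Constructed capture: (src, src_port, dst, dst_port, tcp_flags).
# The target and ports 135/445 follow the capture described above; the other
# addresses and ports are made up for the example.
SCANNER, CLIENT, TARGET = "192.168.100.5", "192.168.100.7", "192.168.100.19"
PACKETS = [
    (SCANNER, 40001, TARGET, 135, "S"), (TARGET, 135, SCANNER, 40001, "SA"),
    (SCANNER, 40001, TARGET, 135, "R"),                  # SYN, SYN/ACK, RST
    (SCANNER, 40002, TARGET, 445, "S"), (TARGET, 445, SCANNER, 40002, "SA"),
    (SCANNER, 40002, TARGET, 445, "R"),
    (SCANNER, 40003, TARGET, 23, "S"), (TARGET, 23, SCANNER, 40003, "RA"),  # closed
    (SCANNER, 40004, TARGET, 8080, "S"),                 # never answered
    (CLIENT, 51000, TARGET, 80, "S"), (TARGET, 80, CLIENT, 51000, "SA"),
    (CLIENT, 51000, TARGET, 80, "A"),                    # full 3-way handshake
]

def classify_flows(packets):
    """Map (client, server, port) to a verdict based on what followed each SYN."""
    flows = {}  # (client, cport, server, sport) -> packets seen after the SYN
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            flows.setdefault(fwd, [])
        elif rev in flows:
            flows[rev].append("srv:" + flags)   # reply from the probed host
        elif fwd in flows:
            flows[fwd].append("cli:" + flags)   # follow-up from the initiator
    verdicts = {}
    for (client, _, server, port), seq in flows.items():
        if not seq:
            verdicts[client, server, port] = "filtered"
        elif seq[0].startswith("srv:R"):
            verdicts[client, server, port] = "closed"
        elif seq[:2] == ["srv:SA", "cli:R"]:
            verdicts[client, server, port] = "open, half-open probe"
        elif seq[:2] == ["srv:SA", "cli:A"]:
            verdicts[client, server, port] = "open, handshake completed"
    return verdicts

def half_open_sources(verdicts, threshold=2):
    """Sources that reset at least `threshold` handshakes right after SYN/ACK."""
    ports = defaultdict(list)
    for (client, _server, port), state in verdicts.items():
        if state == "open, half-open probe":
            ports[client].append(port)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}
```

Because a half-open probe never completes the handshake, it shows up in packet captures like this one even when the application behind the port logs nothing.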

UDP scans are slower than TCP port scans and, because of this, are often ignored by security auditors.

Nmap runs the check by sending a UDP packet to the ports. For most of them, the packet is empty, and for the common ports, the packet contains the protocol-related payload.

Getting an “ICMP port unreachable error (type 3, code 3)” message means that the port is closed. Lack of a response signifies that the port is open or filtered, which makes the scan slow and inaccurate. If the response contains any data, it means that the port is open.

nmap -sU IP

In the traffic capture below, packets 78349 and 78350 contain the UDP response for the probe performed on port 2049. For many of the closed ports, the response is shown as “port unreachable.”

3. Discover services

Nmap can identify services by listening on open communication ports for the welcome banner. Many common services (SSH, Telnet, FTP, SMTP) identify themselves this way.

If a banner is not advertised, nmap sends a probe and waits for a reply. The data received using the service scan (-sV) command is compared to thousands of signatures nmap keeps in its database file, specifically for service fingerprinting purposes.

nmap -sV IP
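To see how much a welcome banner gives away once it is compared against signatures, here is a simplified matcher. It is an added example, not nmap's own code: the three signature lines are constructed in the style of the `match` directive used in nmap's nmap-service-probes file, and the banners in the usage note are sample values.

```python
import re

# Constructed signatures in the style of the `match` directive:
#   match <service> m|<regex>|[flags] p/<product>/ v/<version>/ i/<info>/ h/<hostname>/
# $1, $2 ... refer to capture groups of the regex. These lines are illustrative only.
SIGNATURES = r"""
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220 .*vsFTPd ([\d.]+)|i p/vsftpd/ v/$1/
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
"""

LINE = re.compile(r"match (\S+) m(.)(.*?)\2([is]*)\s*(.*)")
FIELD = re.compile(r"(?:^|\s)([pvih])/(.*?)/")

def parse_signatures(text):
    """Turn each match line into (service, compiled regex, {field: template})."""
    sigs = []
    for line in text.strip().splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed match line
        service, _, pattern, flags, info = m.groups()
        opts = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
        sigs.append((service, re.compile(pattern, opts), dict(FIELD.findall(info))))
    return sigs

def identify(banner, sigs):
    """Return what the first matching signature reveals about the banner, or None."""
    for service, regex, fields in sigs:
        hit = regex.search(banner)
        if hit:
            # Replace $N in each template with the Nth capture group.
            fill = lambda t: re.sub(
                r"\$(\d)", lambda g: hit.group(int(g.group(1))) or "", t)
            return {"service": service, **{k: fill(v) for k, v in fields.items()}}
    return None

SIGS = parse_signatures(SIGNATURES)
```

Calling `identify("SSH-2.0-OpenSSH_7.4\r\n", SIGS)` returns the service, product, version and protocol taken straight from the banner, which is why trimming version details from banners reduces what a service scan learns.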