Networking | Programming | Security | Linux | Computer Science | About

nmap: Port Scanner

Port scanners accept a target or a range as input, send a query to specified ports, and then create a list of the responses for each port. The most popular port scanner is nmap written by Fyodor, available from Fyodor's multipurpose tool has become a standard item among pen testers and network auditors. While it is not my intent to teach you all the ways to use nmap, I will focus on a few different scan types and options to make the best use of your scanning time and to return the best information.

Ping Sweep

Before scanning active targets, consider using the ping sweep functionality of nmap with the ,- sP option. This option will not port scan a target, but will simply report which targets are up. When invoked as root with nmap -sP ip_address, nmap will send both ICMP echo packets and TCP SYN packets to determine if a host is up. However, if you know that ICMP is blocked, and don't want to send those unnecessary ICMP packets, you can simply modify nmap's ping type with the -P option. For example, -PO -PS enables a TCP ping sweep, with -PO indicating "no ICMP ping" and -PS indicating "use TCP SYN method." By isolating the scanning method to just one variant, you increase the speed as well, which may not be a big issue when scanning a handful of systems, but when scanning multiple/24 networks, or even a /16, you may need this extra time for other testing.

ICMP Options

If nmap can't see the target, it won't scan it unless the -PO (do not ping) option is used. Using the -PO option can create problems since nmap will scan each of the target's ports, even if the target isn't up, which can waste time. To strike a good balance, consider using the -P option to select another type of ping behavior. For example, the -PP option will use ICMP timestamp requests, and the -PM option will use ICMP netmask requests. Before you perform a full sweep of a network range, it might be useful to do a few limited tests on known IP addresses, such as Web servers, DNS, and so on, so you can streamline your ping sweeps and reduce the number of total packets sent and the time taken for the scans.

Output Options

Capturing the results of the scan is extremely important, as you will be referring to this information later in the testing process.The easiest way to capture all the needed informa- tion is to use the -oA flag, which outputs scan results in three different formats simultaneously:

The gnmap format is especially important to note, because if you need to stop a scan and resume it later, nmap will require this file to continue by using the ~resume switch.

Stealth Scanning

For any scanning you perform, it is not a good idea to use a connect scan (-sT), which fully establishes a connection to a port. Excessive port connections can cause a DoS to older machines, and will definitely raise alarms on any IDS system. Therefore, you should use a stealthy port testing method with nmap, such as a SYN scan. To launch a SYN scan from nmap, you use the -sS flag, which produces a listing of the open ports on the target, and possibly open/filtered ports if the target is behind a firewall. The ports returned as open are listed with what service that port corresponds to, based on IANA port registrations, as well as any commonly used ports, such as 31337 for Back Orifice.

In addition to lowering your profile with half-open scans, you may also consider the ftp or "bounce" scan and idle scan options that can mask your IP from the target. The s scan takes advantage of a feature of some FTP servers, which allow anonymous users to proxy connections to other systems. If you find during your enumeration that an anonymous FTP server exists, or one to which you have login credentials, try using the -b option with user:pass@server:ftpport. If the server does not require authentication, you can skip the user:pass, and unless FTP is running on a nonstandard port, you can leave out the ftpport option as well. The idle scan, using -sI zombiehost:port, has a similar result, but a different method of scanning. This is detailed further at Fyodor's Web page, but the short version is that if you can identify a target with low traffic and predictable IPID values, you can send spoofed packets to your target, with the source set to the idle target. The result is that an IDS sees the idle scan target as the system performing the scanning, keeping your system hidden. If the idle target is a trusted IP address and can bypass host-based ~ccess control lists (ACLs), even better! Do not expect to be able to use a bounce or idle scan on every penetration test engagement, but keep looking around for potential targets. Older systems, which do not offer useful services, may be the best targets for some of these scan options.

OS Fingerprinting

You should be able to create a general idea of the remote target's operating system from the services running and the ports open. For example, ports 135,137, 139, or 445 often indicate a Windows-based target. However, if you want to get more specific, you can use nmap's -O flag, which invokes nmap's fingerprinting mode. Care needs to be taken here as well, as some older operating systems such as AIX prior to 4.1 and older SunOS versions have been known to die when presented with a malformed packet. Keep this in mind before blindly using -O across a Class B subnet. Figures 3.4 and 3.5 show the output from a fingerprint scan using nmap -0. Note that the fingerprint option without any scan types will invoke a SYN scan, the equivalent of-sS, so ports can be found for the fingerprinting process can occur.


When you specify your targets for scanning , nmap will accept specific IP addresses, address ranges in CIDR format, and ranges using style notation. If you have a host file, you can specify it as well, using the -iL flag.

Scripting can be a very powerful additive to any tool, but remember to check all the available output options before doing too much work, as some of the heavy lifting may have been done for you.

Speed Options

nmap allows the user to specify the "speed "of the scan, or the amount of time from probe sent to reply received , and therefore how fast packets are sent. On a fast LAN , you can optimise your scanning by setting the -T option to 4, or Aggressive, usually without dropping any packets during send. If you find that a normal scan is taking very long due to ingress filtering , or a firewall device, you may want to enable Aggressive scanning . If you know that an IDS sits between you and the target, and you want to be as stealthy as possible, then using -TO or Paranoid should do what you want; however, it will take a long time to finish a scan, perhaps several hours, depending on your scan parameters.

By default, nmap 3.75 with Auditor scans 1663 ports for common services, which will catch most open TCP ports out there. However, sneaky sysadmins may run ports on uncommon ports, practicing security through obscurity. Without scanning those uncommon ports, you may be missing these services. If you have time, or suspect that a system may be running other services, run nmap with the -p 1-65535 parameter, which will scan all 65k TCP ports. Even on a LAN with responsive systems, this will take anywhere from 30 min- utes to a few hours. Performing a test like this over the Internet may take even longer, which will also allow more time for the system owners, or watchers, to note the excessive traffic and shut you down.

Published on Mon 02 January 2012 by Anthony Norton in Security with tag(s): nmap port scanner