THM – NMAP The Network Mapper – Part 2

Introduction

When a computer runs a network service, it opens a networking construct called a “port” to receive the connection. Ports are necessary for making multiple requests or having multiple services available. 

For example, when you load several webpages at once in a web browser, the program must have some way of determining which tab is loading which web page. This is done by establishing connections to the remote webservers using different ports on your local machine.  

If you want a server to be able to run more than one service (HTTP and HTTPS at the same time with different versions of the site), then you need some way to direct the traffic to the appropriate service. Ports are the solution to this. Network connections are made between two ports – an open port listening on the server and a randomly selected port on your own computer. For example, when you connect to a web page, your computer may open port 49534 to connect to the server’s port 443.  

Every computer has a total of 65535 available ports; however, many of these are registered as standard ports. For example, an HTTP webservice can always be found on port 80 of the server, and an HTTPS webservice can be found on port 443. Windows NetBIOS can be found on port 139 and SMB can be found on port 445.

Important to note: especially in a CTF setting, it is not unusual for even these standard ports to be altered, making it even more imperative that we perform appropriate enumeration on the target.

Nmap is currently the industry-standard network scanning tool. It is an extremely powerful tool, made even more powerful by its scripting engine, which can be used to scan for vulnerabilities and in some cases perform the exploit directly.

Questions and answers

What networking constructs are used to direct traffic to the right application on a server? Ports
How many of these are available on any network-enabled computer? 65535
How many of these are considered well-known? (Standard numbers) 1024

Nmap switches

Nmap can be accessed by typing nmap into a terminal command line, followed by switches.

Questions and answers

What is the first switch listed in the help menu for a SYN scan? -sS
Which switch for UDP ports? -sU
Detect which operating system the target is running on? -O
Detect which version of the services is running on the target? -sV
Increase verbosity? -v
High verbosity? -vv
Output results in the three major formats? -oA
Save Nmap results in normal format? -oN
Save Nmap results in grepable format? -oG
Enable aggressive mode. This switch activates service detection, operating system detection, a traceroute and common script scanning. -A
Nmap offers five levels of timing templates, used to increase the speed your scans run at. Higher speed is noisier and can incur errors! -T1 to -T5
How to set the timing template to level 5? -T5
How to scan port 80? -p 80
Scan ports 1000-1500? -p 1000-1500
Scan all ports? -p-
Activate the scripting library? --script
Activate all the scripts in the VULN category? --script=vuln

Overview 

When port scanning with Nmap, there are three basic scan types. These are:  

  • TCP Connect scans (-sT) 
  • SYN Half-open scans (-sS) 
  • UDP Scans (-sU) 

There are also several less common port scan types:  

  • TCP null scans (-sN) 
  • TCP FIN Scans (-sF) 
  • TCP Xmas scans (-sX) 

Most of these, with the exception of UDP scans, are used for very similar purposes; however, the way that they work differs between each scan.  

TCP connect Scans 

To understand the TCP connect scan (-sT), we have to understand the TCP three-way handshake.  

A three-way handshake consists of three stages. First the connecting terminal (our machine) sends a TCP request to the target server with the SYN flag set. The server then acknowledges this packet with a TCP response containing the SYN flag as well as the ACK flag. Finally, our terminal completes the handshake by sending a TCP request with the ACK flag set.  

Nmap tries to connect to each specified TCP port, and determines whether the service is open by the response it receives.  

For example, if a port is closed RFC 793 states that:  

“… If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.” 

In other words, if Nmap sends a TCP request with the SYN flag set to a closed port, the target server will respond with a TCP packet with the RST (Reset) flag set. From this response, Nmap can establish that the port is closed.  

However, if the request is sent to an open port, the target will respond with a TCP packet with the SYN/ACK flags set. Nmap then marks this port as being open (and completes the handshake by sending back a TCP packet with ACK set).  

The third option: what if the port is open but hidden behind a firewall? 

Many firewalls are configured to simply drop incoming packets. Nmap sends a TCP SYN request and receives nothing back. This indicates that the port is being protected by a firewall, and thus the port is considered to be filtered.  

If a port is closed, which flag should the server send back to indicate this? RST flag 

SYN scans 

As with TCP connect scans, SYN scans (-sS) are used to scan the TCP port range of a target or targets; however, the two scan types work slightly differently. SYN scans are sometimes referred to as half-open scans or stealth scans.  

Where a TCP connect scan performs the full three-way handshake with the target, a SYN scan sends back a RST TCP packet after receiving a SYN/ACK from the server. The sequence for scanning an open port is therefore SYN, SYN/ACK, RST.  

This has advantages for hackers:  

  • It can be used to bypass older IDS, as they are looking for full three-way handshakes. This is no longer the case with modern IDS solutions.  
  • SYN scans are often not logged by applications listening on open ports, as standard practice is to log a connection once it has been fully established.  
  • Significantly faster than a standard TCP connect scan, because there is no need to complete the three-way handshake.  

Disadvantages for SYN scan: 

  • They require sudo permissions in order to work correctly in Linux. This is because SYN scans require the ability to create raw packets (as opposed to the full TCP handshake), which is a privilege only the root user has by default.  
  • Unstable services are sometimes brought down by SYN scans, which could prove problematic if a client has provided a production environment for the test.  

SYN scans are default scans used by Nmap IF RUN WITH SUDO PERMISSIONS. If run without sudo permission, Nmap defaults to the TCP connect scan.  

When using a SYN scan to identify closed and filtered ports, the exact same rules as with TCP connect scan apply.  

If a port is closed, then the server responds with a RST TCP packet. If the port is filtered by a firewall, then the TCP SYN packet is either dropped or spoofed with a TCP reset.  

There are two other names for SYN scan, what? Stealth scan and half open.  

Can nmap use a SYN scan without sudo permissions? NO!! 
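Because a half-open scan never completes the handshake, the listening application logs nothing (the second advantage listed above), so the place to spot one is network-level data: flow logs, IDS events or a packet capture. The following Python is an added example, not code from the TryHackMe room or from Nmap, that applies the handshake rules from the TCP connect and SYN sections to a constructed set of packet records and labels each source as running a half-open scan, a connect scan, or neither. The record layout, the hosts and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Added example (not the room's or Nmap's code): classify connection attempts
# by how their handshake ended and flag sources that probe many ports.
# Record layout, constructed for this example:
#   (ts, src, sport, dst, dport, flags)
# flags are written tcpdump-style: S = SYN, SA = SYN/ACK, A = ACK,
# R = RST, RA = RST/ACK, PA = PSH/ACK (data).


def attempt(t, client, cport, server, dport, *steps):
    """Expand one connection attempt into packet records. Each step is
    ('c', flags) for a packet the client sends or ('s', flags) for a reply."""
    out = []
    for i, (who, flags) in enumerate(steps):
        if who == "c":
            out.append((t + i * 0.001, client, cport, server, dport, flags))
        else:
            out.append((t + i * 0.001, server, dport, client, cport, flags))
    return out


# Constructed traffic: 10.0.0.5 half-open scans 10.0.0.20 (open ports get a
# RST straight after the SYN/ACK, closed ports answer RST/ACK, one port is
# silent); 10.0.0.9 connect-scans the same host (full handshake, then tears
# down); 10.0.0.7 is an ordinary client that completes two connections.
PACKETS = (
    attempt(1.0, "10.0.0.5", 40001, "10.0.0.20", 22, ("c", "S"), ("s", "SA"), ("c", "R"))
    + attempt(1.1, "10.0.0.5", 40002, "10.0.0.20", 80, ("c", "S"), ("s", "SA"), ("c", "R"))
    + attempt(1.2, "10.0.0.5", 40003, "10.0.0.20", 443, ("c", "S"), ("s", "SA"), ("c", "R"))
    + attempt(1.3, "10.0.0.5", 40004, "10.0.0.20", 445, ("c", "S"), ("s", "RA"))
    + attempt(1.4, "10.0.0.5", 40005, "10.0.0.20", 3389, ("c", "S"))
    + attempt(1.5, "10.0.0.5", 40006, "10.0.0.20", 8080, ("c", "S"), ("s", "RA"))
    + attempt(2.0, "10.0.0.9", 50001, "10.0.0.20", 21, ("c", "S"), ("s", "RA"))
    + attempt(2.1, "10.0.0.9", 50002, "10.0.0.20", 22, ("c", "S"), ("s", "SA"), ("c", "A"), ("c", "R"))
    + attempt(2.2, "10.0.0.9", 50003, "10.0.0.20", 25, ("c", "S"), ("s", "SA"), ("c", "A"), ("c", "R"))
    + attempt(2.3, "10.0.0.9", 50004, "10.0.0.20", 80, ("c", "S"), ("s", "SA"), ("c", "A"), ("c", "R"))
    + attempt(2.4, "10.0.0.9", 50005, "10.0.0.20", 443, ("c", "S"), ("s", "SA"), ("c", "A"), ("c", "R"))
    + attempt(3.0, "10.0.0.7", 51000, "10.0.0.20", 443, ("c", "S"), ("s", "SA"), ("c", "A"), ("c", "PA"), ("s", "PA"))
    + attempt(3.5, "10.0.0.7", 51001, "10.0.0.20", 80, ("c", "S"), ("s", "SA"), ("c", "A"))
)


def outcome(events):
    """Apply the handshake rules from the text to one attempt's packets."""
    if ("server", "SA") in events:            # port is open: server sent SYN/ACK
        if ("client", "A") in events:
            return "full"                     # third leg sent: complete handshake
        if ("client", "R") in events:
            return "half-open"                # SYN scan tear-down instead of ACK
        return "incomplete"
    if ("server", "RA") in events or ("server", "R") in events:
        return "closed"                       # RST in response to the SYN
    return "no-answer"                        # dropped: filtered from the scanner's view


def classify_attempts(packets):
    """Group packets into attempts keyed by the endpoint that sent the first
    SYN and return {(client, server, dport): outcome}."""
    flows = {}  # (client, cport, server, dport) -> [(sender, flags), ...]
    for _, src, sport, dst, dport, flags in sorted(packets):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            flows[fwd].append(("client", flags))
        elif rev in flows:
            flows[rev].append(("server", flags))
        elif flags == "S":                    # a new attempt starts with a bare SYN
            flows[fwd] = [("client", flags)]
        # anything else belongs to a flow whose start we did not see: ignore
    return {(c, s, dport): outcome(ev) for (c, _, s, dport), ev in flows.items()}


def find_scanners(packets, min_ports=5):
    """Flag sources that probed at least `min_ports` distinct ports on one host
    and label the technique by how the attempts ended. Returns
    {client: (label, sorted probed ports)}."""
    per_pair = defaultdict(lambda: defaultdict(set))  # (client, server) -> outcome -> ports
    for (client, server, dport), result in classify_attempts(packets).items():
        per_pair[(client, server)][result].add(dport)
    alerts = {}
    for (client, server), by_outcome in per_pair.items():
        probed = sorted(set().union(*by_outcome.values()))
        if len(probed) < min_ports:
            continue
        full = len(by_outcome["full"])
        label = "connect scan" if full > len(probed) / 2 else "half-open (SYN) scan"
        alerts[client] = (label, probed)
    return alerts


if __name__ == "__main__":
    for client, (label, ports) in find_scanners(PACKETS).items():
        print(f"{client}: {label} of {len(ports)} ports {ports}")
```

The threshold of five distinct ports is deliberately low so the constructed sample trips it; on a real network the same logic is normally applied per source within a time window, and the "no-answer" outcome is what a dropped-by-firewall port looks like from the scanner's side.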

UDP scans  

Unlike TCP, UDP connections are stateless. This means, rather than initiating a connection with a back-and-forth “handshake”, UDP connections rely on sending packets to a target port and hoping that they make it. This makes UDP good for connections which rely on speed over quality (Video sharing), but lack of acknowledgement makes UDP significantly more difficult (and slower) to scan.  

The Nmap switch for UDP scans is -sU. 

When a packet is sent to an open UDP port, there should be no response. When this happens, Nmap refers to the port as being open|filtered. In other words, it suspects that the port is open, but it could be firewalled. If it gets a UDP response, which is very unusual, then the port is marked as open.  

More commonly there is no response, in which case the request is sent a second time as a double-check. If there is still no response, the port is marked as open|filtered and nmap moves on. 

Due to the difficulty in identifying whether a UDP port is open, UDP scans tend to be incredibly slow in comparison to the various TCP scans (around 20 minutes to scan the first 1000 ports, with a good connection). It is therefore good practice to run UDP scans with

--top-ports <number>

enabled. For example, scanning with

nmap -sU --top-ports 20 <target>

will scan the top 20 most commonly used UDP ports, resulting in a faster scan time.  

When scanning UDP ports, Nmap usually sends completely empty requests, just raw UDP packets. For ports which are usually occupied by well-known services, it will instead send a protocol-specific payload which is more likely to elicit a response from which a more accurate result can be drawn. 

If a UDP port doesn’t respond to an Nmap scan, what will it be marked as? Open|filtered 

When a UDP port is closed, the target should send back a port unreachable message. Which protocol would it use to do so? ICMP 
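As an added example (not code from the TryHackMe room or from Nmap), the following Python applies the port-state rules from the TCP connect and UDP sections above using ordinary sockets: the kernel performs the three-way handshake, so no raw packets and no root are needed, and the ICMP port-unreachable reply for a closed UDP port shows up on a connected UDP socket as a connection-refused error (Linux behaviour; this is an assumption for other systems). It builds its own loopback targets, so it runs offline; the timeout and retry count are assumptions to tune for a real network.

```python
import socket
import threading

# Added example, not the room's or Nmap's code: connect()-based TCP probe and
# empty-datagram UDP probe that classify ports the way the text describes.

DEFAULT_TIMEOUT = 1.0  # seconds to wait for an answer (assumed; tune per network)


def tcp_connect_state(host, port, timeout=DEFAULT_TIMEOUT):
    """open: handshake completed; closed: our SYN was answered with RST
    (ECONNREFUSED); filtered: nothing came back before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))     # kernel sends SYN, expects SYN/ACK, sends ACK
        return "open"
    except ConnectionRefusedError:  # target replied with RST
        return "closed"
    except socket.timeout:          # SYN or SYN/ACK dropped on the way
        return "filtered"
    except OSError:                 # host/network unreachable: no usable answer either
        return "filtered"
    finally:
        s.close()


def udp_state(host, port, retries=2, timeout=DEFAULT_TIMEOUT):
    """closed: ICMP port unreachable came back (reported on a connected UDP
    socket as ECONNREFUSED on Linux); open: the service answered, which is
    rare; open|filtered: silence after `retries` probes, as Nmap reports it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))     # sends nothing yet; just fixes the peer address
        for _ in range(retries):
            try:
                s.send(b"")         # empty datagram, like Nmap's default probe
                s.recv(1024)
                return "open"
            except ConnectionRefusedError:
                return "closed"
            except socket.timeout:
                continue            # no answer: send the probe once more before deciding
        return "open|filtered"
    finally:
        s.close()


# --- constructed loopback targets so the probes can be exercised offline ---

def start_loopback_tcp_listener():
    """A listening TCP socket on 127.0.0.1 (stands in for an open port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def start_loopback_udp_responder(reply=b"pong"):
    """A UDP socket on 127.0.0.1 that answers every datagram: an 'open' port
    in Nmap's sense, which is unusual for real UDP services."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)

    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(1024)
                srv.sendto(reply, peer)
            except socket.timeout:
                continue
            except OSError:         # socket closed by the caller: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_loopback_udp_silent():
    """A UDP socket on 127.0.0.1 that is bound but never answers (open|filtered)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def free_loopback_port(udp=False):
    """Bind to port 0 and release it: a port with nothing behind it (closed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM if udp else socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    tcp_srv, tcp_port = start_loopback_tcp_listener()
    udp_srv, udp_port = start_loopback_udp_responder()
    silent_srv, silent_port = start_loopback_udp_silent()
    print("tcp open      :", tcp_connect_state("127.0.0.1", tcp_port))
    print("tcp closed    :", tcp_connect_state("127.0.0.1", free_loopback_port()))
    print("udp open      :", udp_state("127.0.0.1", udp_port))
    print("udp silent    :", udp_state("127.0.0.1", silent_port))
    print("udp closed    :", udp_state("127.0.0.1", free_loopback_port(udp=True)))
    for sock in (tcp_srv, udp_srv, silent_srv):
        sock.close()
```

The silent UDP target is the case the text calls out: a bound port that never replies is indistinguishable from one whose probes a firewall drops, which is exactly why Nmap can only report open|filtered there, and why each probe is repeated before giving up.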

NULL, FIN and Xmas 

Null, FIN and Xmas TCP port scans are less commonly used than any of the others we've covered already. All three are interlinked and are used primarily because they tend to be even stealthier than the SYN "stealth" scan.  

NULL Scans: 

  • NULL scans (-sN) are when the TCP request is sent with no flags set at all. As per the RFC, the target host should respond with a RST if the port is closed.  

FIN Scans: 

  • FIN scans (-sF) work in an almost identical fashion; however, instead of sending a completely empty packet, a request is sent with the FIN flag (usually used to gracefully close an active connection). Nmap expects a RST if the port is closed. 

Xmas scans: 

  • Xmas scans (-sX) send a malformed TCP packet and expect a RST response for closed ports. It is referred to as an Xmas scan because the flags that it sets (PSH, URG and FIN) give it the appearance of a blinking Christmas tree when viewed as a packet capture in Wireshark. 

The expected response for open ports with these scans is also identical, and very similar to that of a UDP scan. If the port is open, then there is no response to the malformed packet. As with open UDP ports, that is also an expected behavior if the port is protected by a firewall, so NULL, FIN and Xmas scans will only ever identify ports as being open|filtered, closed or filtered. If a port is identified as filtered with one of these scans then it is usually because the target has responded with an ICMP unreachable packet.  

RFC 793 mandates that network hosts respond to malformed packets with a RST TCP packet for closed ports and don't respond at all for open ports, but this is not always the case in practice. Microsoft Windows (and a lot of Cisco network devices) are known to respond with a RST to any malformed TCP packet, regardless of whether the port is open or not. This results in all ports showing up as being closed.  

The goal is firewall evasion. Many firewalls are configured to drop incoming TCP packets to blocked ports which have the SYN flag set (blocking new connection initiation requests). By sending requests which do not contain the SYN flag, we effectively bypass this kind of firewall. Most modern IDS solutions are savvy to these scan types.  

Why are NULL, FIN and Xmas scans generally used? Firewall evasion 

Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port? Microsoft Windows.  

ICMP Network Scanning 

One way to map the network structure, in other words to see which IP addresses contain active hosts and which do not, is by performing a ping sweep. Nmap sends an ICMP packet to each possible IP address for the specified network. When it receives a response, it marks the IP address that responded as being alive. This is not always accurate, but it can provide a baseline.  

To perform a ping sweep, use the -sn switch:  

nmap -sn 192.168.1.1-254 
nmap -sn 192.167.1.1/24 

-sn tells Nmap not to scan any ports, forcing it to rely only on ICMP echo packets (or ARP requests on a local network, if run with sudo or directly as the root user) to identify targets. The -sn switch also causes Nmap to send a TCP SYN packet to port 443 of the target, as well as a TCP ACK (or TCP SYN if not run as sudo) packet to port 80 of the target.  

Nmap NSE Scripts overview 

The Nmap Scripting Engine (NSE) is a very powerful addition to Nmap. NSE scripts are written in Lua (the same language as the Snort 3 config) and can be used to do a variety of things, from scanning for vulnerabilities to automating exploits for them. The NSE is very powerful for reconnaissance.  

There are many categories available. Some useful categories:  

  • Safe: won't affect the target 
  • Intrusive: not safe, likely to affect the target 
  • Vuln: scan for vulnerabilities 
  • Exploit: attempt to exploit a vulnerability 
  • Auth: attempt to bypass authentication for running services (e.g. log into an FTP server anonymously).  
  • Brute: attempt to brute-force credentials for running services.  
  • Discovery: attempt to query running services for further information about the network (e.g. query an SNMP server).  

https://nmap.org/book/nse-usage.html

NSE scripts – Working with the NSE 

To run a specific script, we would use 

--script=<script-name>, e.g. --script=http-fileupload-exploiter

Multiple scripts can be run simultaneously in this fashion by separating them with a comma, e.g. 

--script=smb-enum-users,smb-enum-shares

Some scripts require arguments. These can be given with the --script-args Nmap switch.  

Example:

nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php' 

NSE scripts – searching for scripts 

You can either find the scripts by searching the Nmap website, or in the local storage on your attacking machine. On Linux, Nmap stores scripts at

/usr/share/nmap/scripts

and indexes them in the /usr/share/nmap/scripts/script.db file. This is more a formatted text file than a database.  

There are two ways to search for installed scripts: 

  • Grep through script.db to look for scripts. For example: grep "ftp" /usr/share/nmap/scripts/script.db
  • Use the ls command: ls -l /usr/share/nmap/scripts/*ftp* 
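The grep in the search section matches only on the script name, while script.db also carries each script's categories (the Safe, Intrusive, Vuln and other categories listed in the NSE overview). The following Python is an added example, not code from the TryHackMe room or from Nmap, that parses the script.db format into a name-to-categories map so a search can require or exclude categories, for instance to keep only scripts in the safe category against a production host. The excerpt of script.db below is constructed for the example: the script names are real Nmap scripts, but the category sets of an installed copy may differ.

```python
import re

# Added example (not the room's or Nmap's code): parse the Lua-style
# script.db index and filter scripts by name and category.

# Constructed excerpt in script.db's format; categories may differ from an
# installed copy.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ftp-syst.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-enum-users.nse", categories = { "auth", "intrusive", } }
"""

# One Entry { filename = "...", categories = { ... } } record per line.
ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text):
    """Return {script name without .nse: set of categories}."""
    db = {}
    for filename, cats in ENTRY_RE.findall(text):
        name = filename[:-4] if filename.endswith(".nse") else filename
        db[name] = set(re.findall(r'"([^"]+)"', cats))
    return db


def find_scripts(db, keyword=None, require=(), exclude=()):
    """Scripts whose name contains `keyword` (if given), that carry every
    category in `require` and none of those in `exclude`, sorted by name."""
    require, exclude = set(require), set(exclude)
    return sorted(
        name for name, cats in db.items()
        if (keyword is None or keyword in name)
        and require <= cats
        and not (exclude & cats)
    )


def script_arg(names):
    """Build the comma-separated --script= value the text describes."""
    return "--script=" + ",".join(names)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    print("grep-style match on 'ftp':", find_scripts(db, "ftp"))
    print("safe ftp scripts only    :", find_scripts(db, "ftp", require={"safe"}))
    print("anything not intrusive   :", find_scripts(db, exclude={"intrusive"}))
    print(script_arg(find_scripts(db, "smb")))
```

To run this against a real installation, read /usr/share/nmap/scripts/script.db into parse_script_db instead of the sample; the regex tolerates the whitespace variations Nmap writes, but a record spread over several lines would need re.DOTALL handling, which is not needed for the files nmap --script-updatedb produces.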

Install new scripts 

It is possible to install scripts manually by downloading them from nmap: 

sudo wget -O /usr/share/nmap/scripts/<script-name>.nse https://svn.nmap.org/scripts/<script-name>.nse 

This command must be followed by nmap --script-updatedb, which updates the script.db file so that it contains the newly downloaded script.  

Firewall evasion 

We already know some techniques for bypassing firewalls (stealth scans, along with NULL, FIN and Xmas scans). However, there is another very common firewall configuration which it is imperative we know how to bypass.  

A Windows host will, with its default firewall, block all ICMP packets. This means Nmap will register a host with this firewall configuration as dead and not bother scanning it at all.  

We need a way to get around this configuration. Nmap provides an option for this, -Pn, which tells Nmap not to bother pinging the host before scanning it. This means that Nmap will always treat the target hosts as being alive, bypassing the ICMP block. This can potentially take a very long time to complete the scan: if the host is dead, then Nmap will still be checking and double-checking every specified port.  

Worth noting; if directly on the local network, nmap can also use ARP requests to determine host activity.  

A variety of other switches which Nmap considers useful for firewall evasion can be found here: https://nmap.org/book/man-bypass-firewalls-ids.html 

Note these switches:  

  • -f: used to fragment the packets (split them into smaller pieces), making it less likely that the packet will be detected by a firewall or IDS.  
  • --mtu <number>: an alternative to -f that provides more control over the size of the packets. Accepts a maximum transmission unit size to use for the packets sent. This must be a multiple of 8.  
  • --scan-delay <time>ms: used to add a delay between packets sent. This is useful if the network is unstable, but also for evading any time-based firewall/IDS triggers which may be in place.  
  • --badsum: used to generate an invalid checksum for packets. Any real TCP/IP stack would drop this packet; however, firewalls may potentially respond automatically, without bothering to check the checksum of the packet. Used to determine the presence of a firewall/IDS.  
