Open In App

Nmap Scans for Cyber Security and Penetration Testing

Last Updated : 08 Sep, 2022
Like Article

Nmap stands for Network Mapper which is a free Open source command-line tool. Nmap is an information-gathering tool used for recon reconnaissance. Basically, it scans hosts and services on a computer network which means that it sends packets and analyzes the response. Listed below are the most useful Scans which you can run with the help of Nmap tools.

TCP Scan/TCP Connect Scan:

nmap -sT --top-ports 50


  • -sT is used for TCP Scan.
  • –top-ports is used to give top ports which are used to give the number of ports. Here we give 50 which means the top 50 ports which are most used in TCP.
  • is the Destination IP. You can also give the Destination URL.

 This scan is used to scan the TCP ports. It completes the 3-way handshake process which means the host tries to make a connection with the target before any communication happens between the systems.

3-way handshake process if the Destination port is Open.

3-way handshake process if the Destination port is Open.

Using this command your system sends a SYN packet and the Destination responds with SYN and ACK packets which means the port is listening and your system sends an ACK packet to complete the connection.

If the port is Closed then the Destination Respond with RST/ACK packets.

3-way handshake if the Destination port is close

3-way handshake if the Destination port is close

nmap tcp scan

In the above image, you can see the result of the TCP scan you can see the port number and state of the ports and services on these ports.

SYN Scan/Stealth Scan/Half Open Scan:

nmap -sS --top-ports 50

Here: -sS is used for SYN Scan.

SYN Scan is the same as TCP Scan but it does not complete the 3-way handshake process.

In this scan, Source sends the SYN packet and the destination responds with SYN/ACK packets but the source interrupts the 3-way handshake by sending the RST packet. Because of the interruption Destination or host does not keep a record of the Source system.

nmap in linux

Difference between SYN Scan and TCP Scan:

3-way handshake not completed. 3-way handshake completed.
The host Does not keep any record of the system by which this scan is done. The host keeps any record of the system by which this scan is done.
This scan is done by the privileged users only i.e for Linux system the Root user and for Windows system Admin. Privileged access is not required.

UDP Scan:-

nmap -sU --top-ports 50

Here: -sU is used to activate the UDP Scan. It generally sends the empty UDP packets and it takes more time than TCP Scan.

nmap in linux

Ping Scan/NO PORT Scan:

nmap -sn

Here: -sn and -sP both are used for Ping Scan.

Only print the available host that responds to the host Discovery probes within the network. The above command does not tell anything about the ports of the system. you can also use it to check for a single IP to check that the host is up or not.

Different States of the Port Scan Results and their Meaning:

There are mainly 4 types of State in the port scan results.

1. Open: A port is Open means that a service is listening to the port, for example, a MySQL service running at port 3306 as you can see in the TCP Scan result image.

2. Closed: This means the service is not listening at that port.

3. Filtered: Port is filtered by a security system like Firewall and whether the port is open or closed is not determined. If the host sends an Unusual response then also the port is filtered. Like in the above image of the UDP Scan Result when the host sends a response like ICMP Unreachable then the port is considered as filtered. 

4. Open | Filtered: No answer is given by the host so the port may be filtered by a firewall. But in some cases like the above result of the UDP Scan image, the host does not send an ACK packet like in TCP Scan so due to the lack of response means the port may be open.

Like Article
Suggest improvement
Share your thoughts in the comments

Similar Reads