Nmap Scans for Cyber Security and Penetration Testing
Nmap (Network Mapper) is a free, open-source command-line tool used for reconnaissance and information gathering. It discovers hosts and services on a network by sending crafted packets and analysing the responses. Listed below are the most useful scans you can run with Nmap.
TCP Scan/TCP Connect Scan:
nmap -sT 192.168.1.12 --top-ports 50
- -sT selects the TCP connect scan.
- --top-ports takes a number and scans only that many of the most commonly used ports for the protocol; here 50 means the 50 most common TCP ports.
- 192.168.1.12 is the destination IP. A hostname or URL can be given instead.
This scan checks TCP ports by asking the operating system to open a normal connection, so the full 3-way handshake completes and the target application sees the connection and can log it.
Your system sends a SYN packet; if the port is listening, the destination answers with SYN/ACK and your system completes the connection with an ACK.
If the port is closed, the destination answers the SYN with RST/ACK instead.
The scan output (shown in the image above) lists each port number, its state, and the service Nmap associates with it.
SYN Scan/Stealth Scan/Half Open Scan:
nmap -sS 192.168.1.12 --top-ports 50
Here: -sS is used for SYN Scan.
A SYN scan differs from a TCP connect scan in that it never completes the 3-way handshake.
The source sends a SYN packet and the destination responds with SYN/ACK, but the source then tears the half-open connection down with a RST instead of sending the final ACK. Because no connection is ever established, the application listening on the port never sees it and normally keeps no record of the scanning host; a firewall or intrusion detection system in the path can still log the SYN.
Difference between SYN Scan and TCP Scan:
| SYN scan (-sS) | TCP connect scan (-sT) |
|---|---|
| 3-way handshake not completed (RST sent after the SYN/ACK). | 3-way handshake completed. |
| The target application never receives a connection, so it normally keeps no record of the scanning host. | The target application accepts the connection and can log the scanning host. |
| Requires raw-socket privileges: the root user on Linux, Administrator on Windows. | No special privileges required; it uses the operating system's normal connect() call. |
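The connect-scan side of the table above, written out as an added example that is not Nmap's own code: a minimal -sT style scanner built on the operating system's connect() call, run against a constructed local listener on 127.0.0.1 that, like any real service, records the address of every peer whose handshake completes. The SYN scan is not reproduced here because it needs raw sockets and privileges. The listener, port choices and verdict names are this example's own assumptions.

```python
"""Minimal TCP connect scan (the -sT mechanism) against a local listener.

Added example, not Nmap's code. Standard library only; the "target" is a
constructed listener on 127.0.0.1 that logs each accepted peer, which is
exactly the record a connect scan leaves behind and a SYN scan does not.
"""
import errno
import socket
import threading
import time


def start_target(host="127.0.0.1"):
    """Constructed target service: listens on an ephemeral port and logs each accepted peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(5)
    srv.settimeout(3)            # stop accepting after 3 s of silence so the thread ends
    connection_log = []          # what an application-level log would contain

    def serve():
        while True:
            try:
                conn, peer = srv.accept()   # only completed handshakes reach accept()
            except OSError:                 # timeout or socket closed
                break
            connection_log.append(peer)     # the scanner's address is now on record
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], connection_log


def free_closed_port(host="127.0.0.1"):
    """Pick a port that nothing listens on (bind to 0, read the number, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """Classify each port the way nmap -sT does, using the OS's own connect()."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            err = s.connect_ex((host, port))   # full SYN / SYN-ACK / ACK handshake
        except OSError as e:
            err = e.errno or errno.ETIMEDOUT
        finally:
            s.close()
        if err == 0:
            results[port] = "open"            # handshake completed: a service accepted it
        elif err == errno.ECONNREFUSED:
            results[port] = "closed"          # the kernel answered the SYN with RST
        else:
            results[port] = "filtered"        # no answer (timeout) or an ICMP error
    return results


def demo(host="127.0.0.1"):
    """Scan one open and one closed local port; return verdicts and the target's log."""
    open_port, connection_log = start_target(host)
    closed_port = free_closed_port(host)
    results = connect_scan(host, [open_port, closed_port])
    time.sleep(0.3)   # let the listener thread record the accepted connection
    return results, open_port, closed_port, connection_log


if __name__ == "__main__":
    verdicts, o, c, log = demo()
    for port, state in sorted(verdicts.items()):
        print(f"{port}/tcp {state}")
    print("target's connection log:", log)
```

Run it and the open port shows up in the listener's log with the scanner's source address, while the closed port produces only a kernel-level RST that no application ever sees.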
UDP Scan:
nmap -sU 192.168.1.12 --top-ports 50
Here: -sU selects the UDP scan. It sends a UDP packet to each target port (empty for most ports, with a protocol-specific payload for some well-known services) and takes much longer than a TCP scan, because closed ports are recognised only by ICMP port-unreachable replies that most hosts rate-limit, and open ports often do not reply at all.
Ping Scan/NO PORT Scan:
nmap -sn 192.168.1.0/24
Here: -sn (or the older spelling -sP) selects the ping scan.
It prints only the hosts that respond to Nmap's host-discovery probes and skips port scanning entirely, so the output says nothing about ports. A single IP can be given instead of a network range to check whether one host is up. On the local Ethernet segment a privileged scan discovers hosts with ARP requests, which a host cannot ignore, so systems that block ICMP still appear.
Different States of the Port Scan Results and their Meaning:
Nmap can report six port states (open, closed, filtered, unfiltered, open|filtered and closed|filtered); the four you will meet most often in these scans are:
1. Open: a service is listening on the port, for example the MySQL service on port 3306 in the TCP scan result image.
2. Closed: the port is reachable but no service is listening on it; the host answered the probe with a RST (TCP) or an ICMP port-unreachable error (UDP).
3. Filtered: a firewall or other filtering device drops the probe, so Nmap cannot tell whether the port is open or closed. A port is also reported as filtered when the host answers with an ICMP error other than port unreachable (type 3 with code 0, 1, 2, 9, 10 or 13), as in the UDP scan result image above.
4. Open | Filtered: Nmap received no answer at all, so it cannot distinguish an open port that stays silent from one whose probe was dropped by a firewall. This is common in UDP scans: UDP has no handshake, so an open service that ignores an empty or unrecognised probe looks exactly like a filtered port, whereas a closed UDP port usually answers with ICMP port unreachable.
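To make the port states concrete, here is an added example (not Nmap's own code) that parses Nmap's grepable output format (-oG) into per-port states and summarises them, together with the rule Nmap documents for turning a UDP probe's response into one of the states above. The -oG text is constructed to mirror the TCP and UDP scans on this page rather than copied from a real run; the function names, the response tuple shape and the sample ports are this example's assumptions.

```python
"""Turn Nmap grepable output (-oG) into per-port states and summarise them.

Added example, not Nmap's own code. SAMPLE_OG is constructed to mirror the
TCP and UDP scans on this page; the UDP verdict rules in udp_verdict() are
the ones the Nmap reference guide documents for -sU.
"""
import re
from collections import Counter

# Constructed sample output: one -sT run and one -sU run against the same host.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sT --top-ports 50 -oG - 192.168.1.12
Host: 192.168.1.12 ()\tStatus: Up
Host: 192.168.1.12 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (46)
# Nmap 7.94 scan initiated as: nmap -sU --top-ports 50 -oG - 192.168.1.12
Host: 192.168.1.12 ()\tPorts: 53/open|filtered/udp//domain///, 123/open/udp//ntp///, 161/filtered/udp//snmp///\tIgnored State: closed (47)
"""

# One -oG host line: "Host: <ip> (<name>)  Ports: <list>  Ignored State: <state> (<n>)"
HOST_LINE = re.compile(
    r"^Host: (?P<host>\S+) \((?P<name>[^)]*)\)\s+Ports: (?P<ports>.*?)"
    r"(?:\s+Ignored State: (?P<ign_state>[\w|]+) \((?P<ign_count>\d+)\))?\s*$"
)


def parse_grepable(text):
    """Return {host: {"ports": {(port, proto): {"state", "service"}}, "ignored": Counter}}."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue                      # comments and Status-only lines carry no port data
        m = HOST_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised -oG line: {line!r}")
        entry = hosts.setdefault(m["host"], {"ports": {}, "ignored": Counter()})
        for field in m["ports"].split(", "):
            # field layout: port/state/protocol/owner/service/rpc info/version/
            parts = field.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            entry["ports"][(port, proto)] = {"state": state, "service": service}
        if m["ign_state"]:
            # ports Nmap left out of the list because they were all in this one state
            entry["ignored"][m["ign_state"]] += int(m["ign_count"])
    return hosts


def state_counts(hosts, proto):
    """Count the states of the listed ports for one protocol across all hosts."""
    counts = Counter()
    for entry in hosts.values():
        for (_port, p), info in entry["ports"].items():
            if p == proto:
                counts[info["state"]] += 1
    return dict(counts)


def open_services(hosts):
    """The attack surface a pentester cares about: every port whose state is exactly 'open'."""
    return sorted(
        (host, port, proto, info["service"])
        for host, entry in hosts.items()
        for (port, proto), info in entry["ports"].items()
        if info["state"] == "open"
    )


def udp_verdict(response):
    """Nmap's classification of one UDP probe's result (the -sU rules).

    response is None (no reply), ("udp",) for any UDP reply, or ("icmp", type, code).
    """
    if response is None:
        return "open|filtered"            # silence: the service may be open but quiet
    if response[0] == "udp":
        return "open"                     # anything sent back over UDP proves a listener
    if response[0] == "icmp":
        _, icmp_type, code = response
        if icmp_type == 3 and code == 3:
            return "closed"               # ICMP port unreachable
        if icmp_type == 3 and code in (0, 1, 2, 9, 10, 13):
            return "filtered"             # other unreachable codes: a filter answered
    raise ValueError(f"unexpected probe response {response!r}")


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    print("tcp:", state_counts(parsed, "tcp"), "udp:", state_counts(parsed, "udp"))
    for host, port, proto, service in open_services(parsed):
        print(f"{host} {port}/{proto} {service}")
```

Feeding real output is a matter of running nmap with -oG - and passing the text to parse_grepable(); the ignored-state counter explains why a top-50 scan lists only a handful of ports, since Nmap folds every port that shares the most common state into a single count.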