Nmap

1. A Swiss army knife

Not for nothing is Nmap known as the »Swiss Army Knife« of port scanners among administrators, security researchers, and IT geeks. The tool has been under development since 1997 and is used to find the open ports and network services of a system.

In addition to pure port scanning, the open source tool (GNU License) can do even more. Among other things, Nmap can use OS fingerprinting to recognize the operating system running on the target host, or map a network to identify all active hosts in it.

In this article, I would like to give you a brief look at Nmap and show you how you can check your (server) system for open ports. However, the tool is very comprehensive and powerful, which is why I will only go into a few basic functions.

2. Nmap: Efficient and indispensable

Originally, Nmap was developed for GNU/Linux and is purely text-based. However, there is also a graphical version (Zenmap) for those who do not like working with the terminal.

2.1 Windows or Linux / macOS

Nmap is not only available for GNU/Linux, but also for Windows and macOS. However, using Nmap under Windows comes with a few limitations, which is why Nmap is preferably used on GNU/Linux and Unix systems.

2.2 Installation

Depending on the system, installing Nmap is very easy. On the download page of the Nmap project, you can download the tool directly for Windows or macOS. On a Linux system, you should use the distribution's package manager to install it. If, on the other hand, you need the very latest version of Nmap, you can compile it yourself from the sources. Here are a few examples of the installation via package manager.

Debian-based systems:

apt-get install nmap

Arch Linux:

pacman -S nmap

Red Hat / Fedora / Mandrake:

yum install nmap

3. Previous knowledge: Network technology

When you visit a web page on the Internet, your browser must first connect to the web server where the page is hosted. A web server usually offers its service on port 80 (HTTP) / 443 (HTTPS). Via this service or port (+ IP address), the web server can then be reached by clients and delivers the website via it.

That means quite abstractly: Through a service, systems provide functions that can subsequently be used by other systems. Some of the best-known services on a network / Internet include:

Secure Shell (SSH) over the port 22 / TCP

Domain Name System (DNS) via ports 53 / (TCP | UDP) or 853 / (TCP | UDP)

Hypertext Transfer Protocol (HTTP) over port 80 / TCP or 443 / TCP

A service is therefore usually assigned a unique port, via which it can then be reached via TCP or UDP protocol. Some services can even be controlled via both protocols. However, there are some differences between the two protocols (TCP / UDP), which should also be considered during the application of Nmap. The essentials in brief:

UDP : UDP is a connectionless transport protocol. This means that the sender basically does not know whether the data packet it sent has arrived or not. Therefore it is often jokingly referred to as the “Unreliable Data Protocol”.

TCP : Unlike UDP, TCP is a connection-oriented transport protocol. Before the actual data transfer begins, a connection is established first. So a system receives a kind of acknowledgment that the data has arrived.

3.1 TCP handshake

Before the actual data transmission, TCP first establishes a connection. This process is referred to as a three-way handshake. In simple terms, a client first sends a SYN packet to a server that provides a service on a port. If the port is reachable/open to the client, the server will acknowledge receipt and signal that a connection can be established. The receipt of the SYN packet is thus confirmed by the server sending back a SYN / ACK packet to the client. The client in turn acknowledges this SYN / ACK packet by sending an ACK packet. The connection between the two systems is now established.

4. Scan with Nmap

Anyone can do a fast scan with Nmap. However, your scans only become meaningful when you adapt Nmap to your target system using appropriate parameters and then correctly interpret the results. By this I mean: after a little practice, using Nmap is basically not difficult; what is difficult is interpreting the results and drawing the right conclusions from them. In this post, I’ll just outline the operation of Nmap and draw your attention to a few peculiarities in the results. More background knowledge and details can be obtained, for example, via the official Nmap commands.

4.1 Simple Nmap scan

To run a simple scan without further parameters against an IP address:

nmap IP ADDRESS



Then you often receive the following message:

Host seems down. If it is really up, but blocking our ping probes, try -Pn

The scanned systems are actually online but block the nmap ping requests. So we add the parameter -Pn and disable the ping probe:

nmap IP ADDRESS -Pn

As a result, when I scan my web server I get the following output:

From this result, the following can now be deduced:

nmap has identified three open TCP ports: 80, 443, and 7777

According to nmap, these are services for HTTP, HTTPS and CBT

4.2 Extended scan

However, we would like to find out more details and information about the target system and in particular the ports. Therefore we add the following parameters:

-sV : Enables version detection to know more about what is actually running on a port.

--version-all : During a version scan (-sV), nmap sends a series of test packets to identify the underlying service. With the parameter --version-all we perform all known tests.

--reason : Specifies the reasons why a port has been set to a specific state.

-v : Increases verbosity. That means: Nmap outputs more information about the scan in progress.

nmap -Pn -sV --version-all --reason -v IP ADDRESS

As a result, when I scan my web server I get the following output:

From this result, further findings can be derived:

On ports 80 and 443, an nginx web server is running.

Behind port 7777 there is evidently an OpenSSH server and not a CBT service, as originally identified by nmap.

4.3 Even more parameters

We add further parameters to get more information out of our target system:

-A : This option enables advanced and aggressive options. These include operating system detection (-O), version detection (-sV), scanning with scripts (-sC) and traceroute (--traceroute).

-O : Activates operating system detection. You can also omit this parameter, since it is covered by the -A parameter.

-p0-65535 : This option specifies which ports we want to scan. By default, Nmap scans “only” the 1000 most used ports for each protocol (TCP / UDP).

nmap -Pn -sS -sV --version-all --reason -v -A -O --osscan-guess -p0-65535 IP ADDRESS

As a result, when I scan my web server I get the following output:

From this result, further findings can be derived:

Nmap identifies a self-issued TLS certificate when testing port 443 (HTTPS), expiring in 2025. When calling my web server’s default web page, nmap gets a 400 error back because no domain was passed in the request. Whenever no domain is handed over, the server responds with the self-issued TLS certificate.

It is now verified that the service on port 7777 is an OpenSSH server – nmap outputs the host keys.

With a probability of 90%, the system was identified as a Linux machine.

From the traceroute we can read that the server is hosted at Netcup and that a Juniper device (probably firewall / IDS) is apparently placed in front of the server.

4.4 nmap scanning methods (TCP)

nmap supports different scanning methods. By default, the so-called TCP SYN scan is performed. This scanning method is relatively fast (unless an Intrusion Detection System (IDS) or similar slows down the process) and inconspicuous because the connection is not fully established. Together with a port number, nmap sends a SYN packet to the target system. A response from the target system with SYN / ACK indicates that the port is open, while an RST response indicates that no one is listening. The client side does not complete the connection; instead, nmap sends back an RST packet and tells the target system to close the connection.

Depending on the target, it may also be necessary to choose a different scanning method – a good dozen are offered. For example, Nmap automatically falls back on the TCP Connect scan if you do not have administration / sudo privileges, because without them nmap is not able to create “raw” packets. Compared to the SYN scan, the connect scan is noticeably slower and anything but inconspicuous, as a complete connection to the target system is initiated. This increases the likelihood that an IDS will strike and artificially slow down the port scan or simply block the requesting IP address.

4.5 States of Ports

When nmap identifies a port during the scan, it attempts to classify the state of the port – this is then displayed in the “STATE” column. Overall, nmap knows six different states for ports:

Open : A service is ready to accept TCP connections or UDP packets on this port.

Closed : A closed port is reachable (it receives and responds to Nmap test packets), but there is no service listening on it.

Filtered : Nmap can not determine if the port is open because packet filtering (firewall) prevents its test packets from reaching the port.

Unfiltered : The unfiltered state means that a port is accessible, but Nmap can not determine if it is open or closed.

Open | Filtered : Nmap classifies a port into this state if it can not determine if the port is open or filtered.

Closed | Filtered : This state is used when Nmap can not determine if a port is closed or filtered.

In practice, you will usually find the states open, closed and filtered.
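As an added illustration (not code from the original article), the sketch below shows how these three common states look from the client side of a full TCP connect, the method Nmap falls back to without raw-packet privileges. The function names and reason labels are assumptions made for this example, and the demo only probes the local loopback interface.

```python
import socket


def probe_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port from the outcome of a full connect().

    Returns (state, reason); the reason strings are descriptive labels
    chosen for this example.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))  # SYN, SYN/ACK, ACK all completed
        except ConnectionRefusedError:
            # The peer answered our SYN with RST: reachable, nothing listening.
            return "closed", "connection refused (RST)"
        except socket.timeout:
            # No answer at all, e.g. a firewall DROP rule discarded the SYN.
            return "filtered", "no response"
        except OSError as exc:
            # Network-level errors such as "no route to host".
            return "filtered", exc.strerror or "network error"
        return "open", "handshake completed (SYN/ACK)"


def demo_on_loopback():
    """Probe one listening and one non-listening port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Reserve a second free port, then release it so nothing listens there.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        return {
            "listening": probe_tcp_port("127.0.0.1", open_port),
            "not listening": probe_tcp_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, (state, reason) in demo_on_loopback().items():
        print(f"{label}: {state} ({reason})")
```

The filtered case cannot be reproduced on loopback; it appears when a packet filter in front of the host silently drops the SYN and the probe runs into its timeout.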

On the web server I have configured iptables so that requests for ports on which no service is offered are answered with a “reject-with tcp-reset”. This means: The web server sends back an RST packet – the remote station now knows that no service is listening on this port. In an nmap scan, it looks like this:

Of the 1000 scanned ports, 997 ports are closed – the reason: Nmap has received TCP RST packets. This is how a system behaves by default, that is, what the feedback looks like when no service is listening on a port.

If, on the other hand, a firewall is placed in front of it, the result looks a bit different:

Of the 1000 scanned ports, 997 ports are now in the filtered state – the reason: Nmap has received no TCP RST packets, and in fact no response at all, from these ports. The cause is that most firewalls simply discard the request (DROP) and do not send any feedback to the requesting system. If you want to send a reply, you can reject TCP packets under iptables properly:

# Properly reject all packets

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

4.6 UDP scan

Most popular services on the Internet are accessible via the TCP protocol – and yet the UDP protocol should not be forgotten! I have already done some pentests that have resulted in more attack surfaces because my predecessors just did not do a UDP scan. Even services that can only be reached via UDP can be attacked or have a weak spot.

In this post, I will not go into more detail on UDP scans and their peculiarities. It takes a bit of practice and nmap parameters adapted to the target system to produce meaningful results. A short example of a UDP scan with nmap on the FRITZ!Box from outside:

nmap -Pn -sU -sV --version-all --reason -v IP ADDRESS

Nmap classifies all ports in the state open | filtered – so it could not be clearly determined whether the port is open or closed. In this example, only ports 500 (IKE) and 4500 (IPSEC) are open, for incoming VPN connections.

4.7 Other parameters and options

In addition to the parameters already presented, nmap offers additional switches and options to adapt the scan to the target system. The man page of nmap is a useful resource since it explains the possible parameters in great detail.

In addition, cheat sheets such as those offered by SANS or other websites are also quite useful.



5. Ports identified – And now?

Especially server systems are a popular attack target because of their constant accessibility. So you are well advised to configure your existing services as securely as possible and deactivate unneeded services. This step reduces the attack surface, which is to be kept as low as possible. Your approach should, therefore, be to only offer those services or ports that are actually needed.

But you always have to be careful when installing new software. In practice, installing software often opens a (network) service or network port on a system. Furthermore, it is also conceivable that the operating system opens such ports itself in its standard configuration. Particularly critical in this respect are services that are accessible from the network (and thus often from the Internet), such as the SMB service present in Windows.

Whether your system offers a service / port can be checked not only via nmap, but also with (built-in) system tools. On Windows, for example, the tool TCPView is suitable for this purpose. On Android you can use the Net Monitor. And on GNU/Linux-like systems, the terminal will help you via netstat.

List of listening ports or offered network services via netstat:

netstat -tulpen

List of all active network connections via lsof :

lsof -i -P | grep ESTABLISHED
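To turn such a check into something repeatable, the following added example (not from the original article) parses a scan saved with nmap's XML output option -oX and reports every open TCP port that is not on an allowlist. The allowlist, the function names and the embedded sample, which is constructed to resemble the simple scan from section 4.1, are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ALLOWED_TCP = {80, 443}  # assumption: the only ports this host should expose

# Constructed sample in the XML format written by `nmap -oX` (not real scan data).
SAMPLE_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <extraports state="closed" count="996"/>
  <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/>
   <service name="ssh" method="table"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
   <service name="http" method="table"/></port>
  <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
   <service name="https" method="table"/></port>
  <port protocol="tcp" portid="7777"><state state="open" reason="syn-ack"/>
   <service name="cbt" method="table"/></port>
 </ports></host>
</nmaprun>"""


def parse_ports(xml_text):
    """Return one dict per port that Nmap listed individually."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                # method="table" is a guess from the port number alone;
                # "probed" means version detection (-sV) confirmed the service.
                "verified": svc is not None and svc.get("method") == "probed",
            })
    return records


def unexpected_open_ports(xml_text, allowed=ALLOWED_TCP):
    """Open TCP ports that are not on the allowlist."""
    return [r for r in parse_ports(xml_text)
            if r["proto"] == "tcp" and r["state"] == "open"
            and r["port"] not in allowed]


if __name__ == "__main__":
    for r in unexpected_open_ports(SAMPLE_XML):
        label = "confirmed" if r["verified"] else "port-table guess"
        print(f'{r["host"]}:{r["port"]}/tcp open ({r["reason"]}), '
              f'service "{r["service"]}" ({label})')
```

A finding marked as a port-table guess, like "cbt" on port 7777 here, only reflects the port number; a rescan with -sV is needed before trusting the service name.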

6. Conclusion

Nmap is an extremely powerful tool, and it is hard to imagine the working lives of many IT people without it. If you do a few scans with nmap, you will get useful results relatively quickly. So, if you host a service on the Internet – be it a web server, email server or XMPP server – then you should use nmap to check which services or ports the system offers to the outside.

In practice, professionals work with further parameters, for example to influence the timing of nmap so that intrusion detection systems have difficulty even detecting a port scan. This always makes sense if, for example, you perform a pentest for a client and want to be as quiet as possible in the enumeration phase.
