What is NMap? Definition and Cheat Sheet

Nmap, short for Network Mapper, is an open-source tool for network scanning and vulnerability detection.


Atalay Kelestemur
April 2, 2022

A penetration test is a process that white hat hackers and/or penetration testing specialists carry out within the boundaries of a specific methodology. Before the penetration test (pentest) begins, the owner of the target system must sign a few agreements such as a Scope of Work, Rules of Engagement, and a Non-Disclosure Agreement.

Table of Contents

  • Knowledge is power
  • Standard ports
  • An industry standard: Nmap
  • TCP Connect Scanning
  • SYN scanning
  • UDP scanning
  • Nmap Cheat Sheet
    • Defining the target
    • Scanning techniques
    • Target discovery
    • Port Specification
    • OS detection with Nmap
    • Service and version detection with Nmap
    • Time and performance settings
    • File output settings

Knowledge is power

It is necessary to gather as much information about the target system as possible. More information about the target means more thorough enumeration, which translates into more exploitation possibilities.

Nmap, one of the most important information-gathering tools, can scan a target IP range to determine which ports are open or closed, which operating systems the hosts run, and which services are running on them. It is also possible to map the target network with Nmap.

Standard ports

Every device connected to the network has 65536 ports in total. Some of those ports are dedicated standard ports. For example, the standard port for the HTTP protocol is 80; for HTTPS connections it is 443. Windows NetBIOS uses port 139, and SMB uses port 445. System administrators can change the standard ports, but this is not common.

The working principle of Nmap is pretty simple: it connects to every port and classifies each one as open, closed, or filtered.

An open port means that an application, service, or protocol is running and listening on that port. After identifying the open ports, admins can obtain the details of the running services and their versions through the enumeration process.

An industry standard: Nmap

It is not impossible to check and identify all of the ports manually. However, on a large network it takes far too much time and skews the effort/cost balance. That is why tools that automate such processes are crucial for speed and for reducing the margin of error.

So what makes Nmap special among all of those tools? The answer is pretty simple: Nmap is an acknowledged standard across the whole cybersecurity industry. It also delivers better results more quickly than its alternatives. Nmap’s functionality is not limited to gathering information; thanks to its scripting support, it can also serve for vulnerability detection.

Like many other penetration testing tools, Nmap is installed and launched from the Linux terminal. On Debian-based systems you can install it with the following command:

sudo apt install nmap

Nmap is driven by command-line parameters, so a useful scan always passes some of them along with the nmap command. You can see the list of available parameters with the help parameter:

nmap -h

For port scanning, Nmap provides three basic scanning type options. Those are:

  • TCP Connect scanning ( -sT )
  • SYN Half-open scanning ( -sS )
  • UDP scanning ( -sU )

Besides those three, there are additional scan types that are less likely to be needed in penetration tests:

  • TCP Null scanning ( -sN )
  • TCP FIN scanning ( -sF )
  • TCP Xmas scanning ( -sX )

Before talking about the scanning process with Nmap, let’s have a look at TCP and UDP connection structures.

TCP Connect Scanning

For TCP Connect scanning, it is essential to be familiar with the three-way handshake. As the name reveals, the three-way handshake consists of three stages. In the first stage, the client sends a SYN packet to the target. Then, the server sends a SYN/ACK packet back to the client. Finally, the client completes the handshake by sending back an ACK packet.

Nmap sends a SYN-flagged TCP packet to the target. If the target answers with an RST-flagged packet, Nmap marks the port as closed. If the target answers with a SYN/ACK-flagged packet, Nmap marks the port as open. If a firewall on the target drops the packets, Nmap reports the port as “filtered”.

SYN scanning

SYN scans ( -sS ) are also often called “half-open” or “stealth” scans. As mentioned before, TCP connect scans complete the full three-way handshake. In a SYN scan the procedure is slightly different: it ends with an RST packet instead of an ACK packet. By sending back the RST packet, the client tears the connection down before it is fully established.

SYN scanning has advantages for penetration tests. This scanning type, which can be used for stealth scanning, is used to bypass IDS and IPS systems. It also delivers results faster than TCP connect scans because it does not complete the three-way handshake.

To run a SYN scan, users need administrator (root) privileges, which is why it should be run with the sudo command on Linux. Otherwise, Nmap will not work properly. In addition, a SYN scan might disrupt systems on unstable networks because of its ability to bypass security applications on the target.

Nmap behaves similarly during SYN scans and TCP connect scans. Once it gets an RST packet back from the target, it marks the port as closed. Likewise, if the TCP SYN packet is dropped, there is firewall protection on the target.

UDP scanning

Unlike TCP, UDP is stateless. In UDP, packets are sent directly to the target port without any handshake procedure. UDP is often preferred when connection speed really matters; video streaming applications, for example, prefer UDP.

UDP scans are generally not preferred during penetration tests because UDP lacks the connection steps that TCP connect and SYN scans rely on. Still, Nmap’s UDP scan ability can be used during penetration tests with the ( -sU ) parameter, and the results analysed.

If the target does not send anything back during a UDP scan, Nmap treats the port as open; however, the port might equally be protected by a firewall that is dropping the probes, so silence is ambiguous. If the port is closed, the target sends back an ICMP packet.
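The three exchanges described in the TCP Connect, SYN and UDP sections, as an added example that is not part of the original article or of Nmap: MockTarget is a constructed stand-in that answers the way the text describes (no packets leave the machine), and the probe functions record both sides of each exchange, labelling UDP silence the way Nmap does, as open|filtered.

```python
"""Simulated -sT, -sS and -sU probes against a constructed mock target.
Added example, not the article's or Nmap's code: MockTarget is a hypothetical
stand-in that answers the way the article describes; no packets are sent."""
from dataclasses import dataclass, field

@dataclass
class MockTarget:
    open_tcp: set = field(default_factory=set)
    open_udp: set = field(default_factory=set)
    filtered: set = field(default_factory=set)  # ports a firewall silently drops

    def tcp(self, port, flags):
        """Answer one TCP segment; None means it was dropped."""
        if port in self.filtered:
            return None
        if flags == "SYN":
            return "SYN/ACK" if port in self.open_tcp else "RST"
        return None  # the client's final ACK or RST gets no reply

    def udp(self, port):
        """Answer one empty UDP datagram; only a closed port speaks up."""
        if port in self.filtered or port in self.open_udp:
            return None  # open UDP services usually ignore an empty probe
        return "ICMP port unreachable"

def tcp_probe(target, port, scan_type):
    """One connect ('sT') or SYN ('sS') probe; returns (state, exchange log)."""
    log = ["-> SYN"]
    reply = target.tcp(port, "SYN")
    if reply is None:
        log.append("(no reply)")
        return "filtered", log
    log.append("<- " + reply)
    if reply == "RST":
        return "closed", log
    # A connect scan finishes the handshake; a SYN scan tears it down instead.
    log.append("-> ACK" if scan_type == "sT" else "-> RST")
    return "open", log

def udp_probe(target, port):
    """One UDP probe; silence is ambiguous, so Nmap reports it as open|filtered."""
    reply = target.udp(port)
    if reply is None:
        return "open|filtered", ["-> UDP", "(no reply)"]
    return "closed", ["-> UDP", "<- " + reply]

def scan(target, ports, scan_type):
    """Run one scan type over several ports, like a single nmap invocation."""
    if scan_type == "sU":
        return {p: udp_probe(target, p)[0] for p in ports}
    return {p: tcp_probe(target, p, scan_type)[0] for p in ports}
```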

Nmap Cheat Sheet

Defining the target

Definition                        | Parameter | Example
Scanning a single IP              |           | nmap 192.168.1.1
Scanning multiple IPs             |           | nmap 192.168.1.1 192.168.2.1
Scanning an IP range              |           | nmap 192.168.1.1-254
Scanning with CIDR notation       |           | nmap 192.168.1.0/24
Scanning a domain                 |           | nmap scanme.nmap.org
Scanning targets listed in a file | -iL       | nmap -iL targets.txt
Scanning 100 random hosts         | -iR       | nmap -iR 100
Scanning while excluding an IP    | --exclude | nmap 192.168.1.0/24 --exclude 192.168.1.1

Scanning techniques

Definition            | Parameter | Example
TCP SYN port scan     | -sS       | nmap 192.168.1.1 -sS
TCP connect port scan | -sT       | nmap 192.168.1.1 -sT
UDP port scan         | -sU       | nmap 192.168.1.1 -sU
TCP ACK port scan     | -sA       | nmap 192.168.1.1 -sA
TCP Window port scan  | -sW       | nmap 192.168.1.1 -sW
TCP Maimon port scan  | -sM       | nmap 192.168.1.1 -sM

Target discovery

Definition                                   | Parameter | Example
Lists targets without scanning them          | -sL       | nmap 192.168.1.1-3 -sL
Disables port scanning; only discovers hosts | -sn       | nmap 192.168.1.1/24 -sn
Disables host discovery; only scans ports    | -Pn       | nmap 192.168.1.1-5 -Pn
TCP SYN discovery on port X (default 80)     | -PS       | nmap 192.168.1.1-5 -PS22-25,80
TCP ACK discovery on port X (default 80)     | -PA       | nmap 192.168.1.1-5 -PA22-25,80
UDP discovery on port X (default 40125)      | -PU       | nmap 192.168.1.1-5 -PU53
ARP discovery on the local network           | -PR       | nmap 192.168.1.1-1/24 -PR
No DNS resolution                            | -n        | nmap 192.168.1.1 -n

Port Specification

Definition                        | Parameter   | Example
Scans port X                      | -p          | nmap 192.168.1.1 -p 21
Scans a port range                | -p          | nmap 192.168.1.1 -p 21-100
Scans TCP and UDP ports           | -p          | nmap 192.168.1.1 -p U:53,T:21-25,80
Scans all ports                   | -p-         | nmap 192.168.1.1 -p-
Scans ports by service name       | -p          | nmap 192.168.1.1 -p http,https
Fast scan (100 ports)             | -F          | nmap 192.168.1.1 -F
Scans the X most common ports     | --top-ports | nmap 192.168.1.1 --top-ports 2000
Scans from port 1 up to port X    | -p-X        | nmap 192.168.1.1 -p-65535

OS detection with Nmap

Definition                                                              | Parameter         | Example
Tries to detect the target's OS                                         | -O                | nmap 192.168.1.1 -O
Skips OS detection unless at least one open or closed TCP port is found | -O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit
Guesses the OS more aggressively                                        | -O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess
Tries X times to detect the target's OS                                 | -O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1
Performs OS, version, and script detection                              | -A                | nmap 192.168.1.1 -A

Service and version detection with Nmap

Definition                                       | Parameter               | Example
Tries to detect the versions of running services | -sV                     | nmap 192.168.1.1 -sV
Sets version detection intensity (0 to 9)        | -sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8
Activates light mode                             | -sV --version-light     | nmap 192.168.1.1 -sV --version-light
Sets intensity to 9                              | -sV --version-all       | nmap 192.168.1.1 -sV --version-all
Performs OS, version, and script detection       | -A                      | nmap 192.168.1.1 -A

Time and performance settings

Definition                | Parameter | Example
Paranoid IDS bypass       | -T0       | nmap 192.168.1.1 -T0
IDS bypass                | -T1       | nmap 192.168.1.1 -T1
Slow scanning             | -T2       | nmap 192.168.1.1 -T2
Normal scanning (default) | -T3       | nmap 192.168.1.1 -T3
Aggressive scanning       | -T4       | nmap 192.168.1.1 -T4
Very aggressive scanning  | -T5       | nmap 192.168.1.1 -T5

File output settings

Definition          | Parameter | Example
Normal output       | -oN       | nmap 192.168.1.1 -oN normal.file
XML output          | -oX       | nmap 192.168.1.1 -oX xml.file
Grepable output     | -oG       | nmap 192.168.1.1 -oG grep.file
All formats at once | -oA       | nmap 192.168.1.1 -oA results
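The file output options make it possible to review a scan offline and compare it with what should be exposed. As an added example that is not from the original article or from Nmap, the following parses a report in Nmap's XML format (-oX) and flags open ports that are not on an allowlist; SAMPLE_XML is a constructed report and EXPECTED a hypothetical allowlist.

```python
"""Check an Nmap XML report (-oX) against an allowlist of expected open ports.
Added example, not the article's or Nmap's code. SAMPLE_XML is a constructed
report in Nmap's XML output format; EXPECTED is a hypothetical allowlist."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 192.168.1.10 192.168.1.20 -oX scan.xml">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports></host>
</nmaprun>"""

# Hypothetical allowlist: host -> {(protocol, port)} that are meant to be reachable.
EXPECTED = {"192.168.1.10": {("tcp", 22), ("tcp", 80)},
            "192.168.1.20": {("tcp", 443)}}

def parse_open_ports(xml_text):
    """Return {host: {(proto, port): service}} for every port reported open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed and filtered ports are not an exposure
            svc = port.find("service")
            fields = [svc.get("name"), svc.get("product"), svc.get("version")] if svc is not None else ["?"]
            ports[(port.get("protocol"), int(port.get("portid")))] = " ".join(f for f in fields if f)
        result[addr] = ports
    return result

def unexpected_exposure(report, expected):
    """Open ports missing from the allowlist, and allowlisted ports that are not open."""
    findings = {}
    for addr, ports in report.items():
        allowed = expected.get(addr, set())
        extra = {p: s for p, s in ports.items() if p not in allowed}
        missing = allowed - set(ports)
        if extra or missing:
            findings[addr] = {"unexpected": extra, "missing": missing}
    return findings
```

Run the same check after every scheduled scan and a newly opened port, such as the remote desktop service on the second host above, shows up as a finding instead of being buried in the raw output.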