NMAP Cheatsheet

General

This is just a little cheatsheet I created for myself about NMAP. It will be updated as I learn more about this tool.

1 Scan Types

1.1 TCP Connect Scans

Command: nmap -sT

  • performs a full three-way handshake with each target port through the OS socket API (no raw packets, so no root needed) -> the response decides the port state
  • Responses are either
    • RST: Port is closed
    • SYN/ACK: Port is open (Nmap completes the handshake with an ACK and then closes the connection)
    • No response: Port is filtered (a firewall silently drops the packets). If the firewall is instead configured to reject with a TCP reset, the port looks closed rather than filtered, so the scan can no longer tell a filtered port from a genuinely closed one.
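To make the connect-scan logic concrete, here is a small scanner in plain Python that does what `nmap -sT` does: it asks the OS to complete the handshake and classifies the port by how connect() ends. This is an added example, not Nmap's code; the helper names (classify_port, connect_scan, start_listener, find_closed_port) are made up here, and the targets are constructed loopback ports so it runs offline.

```python
"""Added example: a minimal TCP connect scan (the mechanism behind nmap -sT).

Hypothetical helpers for illustration only; not part of Nmap.
Targets are constructed on 127.0.0.1 so the script runs offline.
"""
import socket
import threading


def classify_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    - connect() succeeds      -> SYN/ACK came back and the handshake completed
                                 (Nmap sends the ACK, then closes): open
    - ConnectionRefusedError  -> the host answered our SYN with RST: closed
    - socket.timeout          -> nothing came back, a firewall dropped the SYN:
                                 filtered. A firewall that rejects with a TCP
                                 reset would land in the 'closed' branch instead,
                                 which is why that setting blunts this scan type.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def connect_scan(host, ports, timeout=1.0):
    """Scan a list of ports and return {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


def start_listener():
    """Constructed target: a throwaway TCP service on 127.0.0.1, OS-chosen port.
    Returns (port, server_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        # Like most real services, this only "logs" fully established
        # connections: a connect scan shows up here, a half-open SYN scan
        # would never reach accept().
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return  # server socket closed, stop the thread
            print(f"[listener] established connection from {peer}")
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port, srv


def find_closed_port():
    """Constructed target: bind a port and release it again, so a later SYN
    to it is answered by the kernel with RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns {port: state}."""
    open_port, srv = start_listener()
    closed_port = find_closed_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"127.0.0.1:{port} -> {state}")
```

Run it and the listener prints the established connection before the scanner reports the port as open; that printed line is exactly the application-level log entry a SYN scan avoids, and the `socket.timeout` branch is the "filtered" verdict you get against a host that silently drops packets.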

1.2 TCP SYN Scans

Command: sudo nmap -sS

  • Similar to the connect scan, but after receiving SYN/ACK it sends a RST instead of the final ACK, so the handshake is never completed
  • aka stealth scans or half-open scans

Advantages

  • Can bypass older IDS's that only look for a completed 3-way handshake
  • Often not logged by applications listening on open ports (they usually log only fully established connections)
  • faster than connect scans (no connection setup and teardown per port)

Disadvantages

  • require root privileges for raw packet crafting (hence sudo)
  • might crash unstable services

1.3 UDP Scans

Command: sudo nmap -sU

  • UDP is connectionless: Nmap sends a datagram (empty, or a protocol-specific payload for well-known services) and classifies the port by what comes back
    • UDP response: open
    • ICMP port unreachable (type 3, code 3): closed
    • other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, 13): filtered
    • no response: open|filtered (Nmap cannot tell the two apart)
  • slow, because most hosts rate-limit ICMP unreachable messages (Linux defaults to about one per second), so a full 65535-port scan can take hours

1.4 Firewall Evasion

  • Windows hosts block inbound ICMP echo requests by default (Windows Firewall) -> ping doesn't work, so Nmap may wrongly report the host as down
  • -Pn skips host discovery and treats every target as up -> wastes time on hosts that really are down, since every port is then probed until it times out
  • -f fragments probe packets into 8-byte chunks after the IP header (-ff uses 16 bytes, --mtu <multiple of 8> sets the size) -> a firewall or IDS that does not reassemble fragments may miss the signature
  • --scan-delay <time> (e.g. --scan-delay 1s or 500ms) waits between probes -> slower, but can stay under rate-based IDS thresholds
  • --badsum sends packets with an invalid TCP/UDP checksum -> a real host's TCP/IP stack silently drops them, so any reply must come from a firewall or IDS that did not verify the checksum