Port Scanning with NMAP - Installation & Usage of NMAP

Port scanning is a technique used to determine the states of network ports on a host and to map out hosts on a network. In this article, I’ll go over the very basics of port scanning with the NMAP tool.

NMAP Overview

Port States NMAP will categorize ports as being in one of the following states:

  • Open – The port is accepting TCP connections and UDP packets. This means that an application is running that is using this port.
  • Closed – The port responds to NMAP probe requests but no application is using this port
  • Filtered – The port state cannot be determined because packet filters prevent NMAP probes from reaching the port
  • Unfiltered – The port is accessible but NMAP cannot determine if it is open or closed
  • Open | Filtered – NMAP cannot determine if the port is open or filtered
  • Closed | Filtered – NMAP cannot determine if the port is closed or filtered

Port Scanning Techniques

NMAP supports different methods of port scanning. These methods are called scan techniques. Each technique is tailored to solving a specific problem. Often times you will have to run several scans using different techniques in order to get a more complete picture of the host(s) you are scanning.

  • TCP SYN scan (-sS) – Can be performed on many thousands of hosts very quickly on a fast network with no firewalls. It starts to open a connection by sending a SYN packet, but it never finishes the connection. The response from this packet is used to determine the port status:
    1. A SYN’ACK response indicates that the port is open and listening
    2. A RST response indicates that the port is closed
    3. A no response or ICMP unreachable error will result in the port being marked as filtered

    TCP SYN scans are difficult to detect since a connection is never actually opened. This scan type uses RAW sockets and requires root access under UNIX. This is the default scan.  

  • TCP connect scan (-sT) – Uses the OS to establish a TCP connection to the host. This scan type is slower and has more overhead than a SYN scan. A TCP connect scan is the default when a SYN scan (RAW sockets) is not possible.  
  • UDP scan (-sU) – Sends a data less UDP header to every specified port. The response from this header is used to determine the UDP port status:
    1. An ICMP Unreachable error response indicates that the port is closed
    2. Other ICMP errors indicate that the port is filtered
    3. UDP bases services (DHCP, DNS and SNMP) may respond. This indicates that the port is open.
    4. If after several attempts of communication no response is received, the port will be marked as open|filtered. This could mean that packet filtering may be blocking communication with an otherwise open port. The version detection option (-sV) may be used in order to determine if ports marked as open|filter are actually open.

    UDP port scanning may be done at the same time as TCP port scanning in order to speed up the process.  

  • Custom TCP scan (–scanflags) – Custom scans allow advanced users to create a scan type tailored to specific needs. This is useful to create scans that will less likely be detected by intrusion detection systems.  
  • IP protocol scan (-sO) – This scan scans a host for the protocols it supports by cycling through the 8 bit protocol header of an IP packet.

NMAP offers the following additional scans. I list them here for completeness, but will not discuss them further.

  • TCP Null, FIN and Xmas scans – Uses a loophole in TCP RFC to determine if a port is open or closed.
  • TCP ACK scan – Used to map firewall rulesets. It cannot tell between open and closed ports.
  • TCP Window scan – Used to map firewall rulesets. It can tell between open and closed ports depending on the host being scanned.
  • TCP Maimon scan – Similar to the TCP Null, Fin and Xmas scans but exploits a slightly different TCP stack implementation detail specific to many BSD systems.
  • Idlescan – Scans hosts using packets with a “falsified” ip address such that the scan appears to originate from another host.
  • FTP bounce scan – Scans for ftp servers configured as ftp proxies.

Installing NMAP

NMAP is an open source application and may be downloaded for free from insecure.org. Installation is straight forward. To install on Windows using the executable package:

  1. Double click the installer file
  2. Click the ‘I Agree’ button to accept the licensing terms  
  3. Accept the defaults on the Choose Components dialog box. Click the ‘Next’ button.  
  4. Choose an installation directory (or accept the default). Click the ‘Install’ button.  
  5. Installation of NMAP will proceed.  
  6. Winpcap is required component of NMAP. Its installation will start during the install if NMAP. Read the license agreement and click the ‘I Agree’ button.  
  7. Select an installation directory (or accept the default). Click the ‘Install’ button.  
  8. The installation of Winpcap will now proceed. Click the ‘Close’ button on the Winpcap completed dialog box.  
  9. Click the ‘Close’ button on the NMAP completed dialog box.  

Running NMAP on Windows

Launching NMAP

NMAP does not have GUI under windows and must be run from the command line.

NMAP Example Scan 1

This is a scan of all port on my laptop (running Windows XP sp2) from a Windows Server 2003 sp1 machine. Each of the interfaces on my laptop are fire walled. NMAP is using a SYN scan, so it reports that all ports scanned are filtered.

Options used: -v for increased verbosity -A for os and software version detection -p1-65535 to set the range of ports to scan

Notice that this scan took almost an hour to scan all ports on one host. This scan would take considerably longer if a TCP connect scan were used.

Also notice that at least one open and one closed port are required in order for OS version detection to work reliably.

Finally, ‘–vv’ may be used for even more detailed output reporting.

NMAP Example Scan 2

This is a TCP connect scan of all ports on my laptop from a Windows 2003 Server SP1 machine. Again all ports are filtered. This scan took almost two hours to complete.

Options used: -v for increased verbosity -sT for a TCP connect scan -p1-65535 to specify the port rage from 1 to 65535 (all tcp ports)

NMAP Example Scan 3

This is a scan of select ports (all the ports defined in the Nmap-services file) on a host on my home network (running Windows 2000 sp4) from my laptop. No firewall is installed on the scanned host. More than a dozen open ports are found and the services associated with these ports are identified.

I must admit that I had forgotten I was running vnc and bittorrent on this host. This illustrates one of the uses of Nmap; finding out what services are being offered on your own hosts!

Note that Nmap will print a message containing a fingerprint code when a service or operating system either:

  1. Does not match a code in the Nmap internal database, or
  2. Multiple matches are found.

This fingerprint may be uploaded to the insecure.org website with a detailed description of the service or operating system (if it is known). This helps ensure the Nmap database is current and contains a large selection of operating system and service entries.

Options used: -v for increased verbosity -A for os and software version detection

NMAP Example Scan 4

This is a UDP scan of a Windows 2000 sp4 machine from the machine itself.

Options used: -v for increased verbosity -A for os and software version detection -sU for UDP scanning

NMAP Example Scan 5

This is a protocol scan of a Windows 2000 sp4 host. Nmap is running on the same host. Notice that this scan is very fast. It completes in just under two seconds.

Options used: -v for increased verbosity -sO for protocol scanning option

Where to Get More Information

I have not even scratched the surface on this topic. However, I hope that this introduction will pique the curiosity of anyone who has either never heard of port scanning or have never used the technique.

Use the following resources to learn more about NMAP and port scanning in general.

http://insecure.org/Nmap/man – Nmap documentation http://insecure.org/Nmap/install – Nmap install guide http://seclists.org – mail list for Nmap http://www.nabble.com/Nmap—Hackers-f394.html – Nmap forum

Books Secrets of Network Cartography by James Messer

Related Articles

Recent Security Forum threads

Got a question? Post it on our Security Forums!

Related Topics:

  • Networking

    Don't have a login but want to join the conversation? Sign up for a Petri Account