Using “nmap”

author: Nathan Acks
date: 2022-05-10

Note that nmap accepts ranges in any octet of an IP address; for example, 10.10.0-255.1-255 will scan 10.10.0.1 - 10.10.255.255.

When dealing with firewalls, be aware that the default nmap SYN scan packet is 44 bytes = 20 bytes IP header + 24 bytes TCP header + 0 bytes data. Note that packet fragmentation only affects the TCP header + data - the 20-byte IP header will always be sent!

Most nmap scans will generate roughly twice as many packets as there are scanned ports, because each unresponsive port is sent a second packet to verify that it's actually closed (and, in general, most ports will be closed).

Useful Flags

There’s more, but these are the big ones.

Long Flags

Nmap has a ton of flags. Be sure to check the man page and official documentation!

Scripting Engine

Script categories:

You can also run your own scripts.

Host Discovery Options

When called as the superuser, Nmap uses ARP for local host discovery and a combination of ICMP Echo, TCP SYN to 443, TCP ACK to 80, and ICMP Timestamp requests for remote host discovery.

When called as a normal user, Nmap has more limited options and sends TCP SYN packets to ports 80 and 443 for both local and remote host discovery.

Discovery methods:

Most of the time the default discovery options (or -Pn) are fine. The above options are mostly useful for unusual networks or if there's a need to be extra-stealthy.

Scan Types

Note that nmap by default uses a TCP window of 1024 bytes and an MSS of 1460. This is actually an unusual combination, and makes most nmap TCP scans stick out in packet captures. The exception to this is a full TCP connect scan, which uses the system TCP stack and thus tends to have more sensible options.
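The two fingerprints above (the 44-byte SYN probe, and the window 1024 / MSS 1460 combination) are easy to check for in a packet capture. The following is an added example, not code from the original notes or from the nmap project: it parses a raw IPv4+TCP packet with the standard library only and flags bare SYNs carrying exactly nmap's default options. The sample packets are constructed inline (checksums left at zero) purely to exercise the parser; the hypothetical Linux-style SYN uses typical option layout and is an assumption, not a captured packet.

```python
import struct

def make_syn(window, opts=b"", sport=40000, dport=80):
    """Build a minimal IPv4+TCP SYN. Constructed sample input for the
    detector below (checksums zeroed); not a packet meant to be sent."""
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      ((tcp_len // 4) << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                     bytes([10, 10, 0, 5]), bytes([10, 10, 1, 9]))
    return ip + tcp

def parse_syn(pkt):
    """Return dport, window, MSS and option kinds of a bare TCP SYN
    (SYN set, ACK clear) carried in an IPv4 packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                          # IP protocol field: not TCP
        return None
    tcp = pkt[ihl:]
    _, dport, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if (off_flags & 0x12) != 0x02:           # need SYN=1 and ACK=0
        return None
    opts = tcp[20:(off_flags >> 12) * 4]     # data offset -> option bytes
    kinds, mss, i = [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP padding, one byte
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                       # malformed; stop parsing
            break
        kinds.append(kind)
        if kind == 2 and length == 4:        # maximum segment size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"dport": dport, "window": window, "mss": mss, "opts": kinds}

def looks_like_nmap_syn(pkt):
    """nmap's default SYN probe: window 1024, MSS 1460, no other options."""
    p = parse_syn(pkt)
    return p is not None and p["window"] == 1024 and p["mss"] == 1460 and p["opts"] == [2]

# Constructed samples: nmap-style probe vs. a typical OS-stack SYN (assumed
# option layout: MSS, SACK-permitted, timestamps, NOP, window scale).
NMAP_STYLE = make_syn(1024, struct.pack("!BBH", 2, 4, 1460))
LINUX_STYLE = make_syn(64240, struct.pack("!BBH", 2, 4, 1460) + b"\x04\x02"
                       + struct.pack("!BBII", 8, 10, 1, 0) + b"\x01\x03\x03\x07")

if __name__ == "__main__":
    print(len(NMAP_STYLE), looks_like_nmap_syn(NMAP_STYLE), looks_like_nmap_syn(LINUX_STYLE))
```

A real deployment would feed packets from a capture library into parse_syn and count matches per source address; a burst of matching SYNs to many ports from one host is the scan pattern described in these notes.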

Port States

Output