PARLAR

OFFENSIVE SECURITY - PENETRATION TESTING - RED TEAMING - ETHICAL HACKING

NMAP - NETWORK MAPPER

The essential reconnaissance tool in every security professional's arsenal

What is NMAP?

Nmap (Network Mapper) is an open-source utility for network discovery and security auditing. Security professionals worldwide use it for network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Key Features

  • 🔍 Host discovery - Identifying hosts on a network
  • 🔌 Port scanning - Enumerating open ports on target hosts
  • 🔧 Version detection - Determining application name and version
  • 🛡️ OS detection - Identifying the operating system and hardware
  • 📝 Scriptable interaction with the target - Using Nmap Scripting Engine (NSE)

Essential NMAP Commands

Basic Scan

nmap 192.168.1.1

Scans the 1000 most common ports on the target host

Network Scan

nmap 192.168.1.0/24

Scans an entire subnet to discover active hosts

Aggressive Scan

nmap -A 192.168.1.1

Enables OS detection, version detection, script scanning, and traceroute

Stealth Scan

nmap -sS 192.168.1.1

Performs a TCP SYN (half-open) scan; because the handshake is never completed, the probe is less likely to be logged by the target's services or firewall

Full Port Scan

nmap -p- 192.168.1.1

Scans all 65535 ports on the target system

Service Version Detection

nmap -sV 192.168.1.1

Probes open ports to determine service/version info

Advanced NMAP Techniques

Scan Types

NMAP offers various scan types to adapt to different network environments:

  • TCP SYN (-sS): Half-open scanning. Doesn't complete the TCP handshake, making it stealthier
  • TCP Connect (-sT): Full connection scanning. Completes the TCP handshake, more reliable but less stealthy
  • UDP (-sU): UDP port scanning. Checks for open UDP ports, often overlooked but crucial
  • FIN (-sF): FIN packet scanning. Sends a FIN packet, which might bypass certain firewall rules

Understanding Port States

Open: Application is actively accepting connections

Closed: Port is accessible but no application is listening

Filtered: Firewall or filter prevents probes from reaching port

Firewall Evasion Techniques

nmap -f 192.168.1.1

Fragment packets to evade packet filtering

nmap --mtu 8 192.168.1.1

Use a specific MTU size to fragment packets

nmap -D RND:10 192.168.1.1

Use decoy addresses to mask the origin of the scan

nmap --data-length 200 192.168.1.1

Add random data to packets to avoid pattern detection

Analysing NMAP Scans with Wireshark

Wireshark provides deep visibility into NMAP's network interaction, revealing scan techniques and target responses.

TCP SYN Scan Visualisation

[Figure: TCP SYN scan capture showing the characteristic half-open connections]

Packet Analysis

Common NMAP Packet Signatures

  • SYN packets to multiple ports from the same source
  • ICMP Echo requests (ping scan)
  • Unusual TCP flag combinations (FIN, XMAS scans)
  • UDP packets with empty or minimal payloads

Useful Wireshark Filters for NMAP Detection

tcp.flags.syn==1 && tcp.flags.ack==0

Detect SYN packets without ACK (possible SYN scan)

tcp.flags.fin==1 && tcp.flags.syn==0 && tcp.flags.ack==0

Detect FIN packets without SYN/ACK (possible FIN scan)

icmp.type==8

Detect ICMP Echo requests (ping scan)
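The three filters above match individual packets; to turn them into an alert you normally count per source, since a single SYN to one port is ordinary traffic. The following is an added example, not part of the original page, that applies the same flag tests to a constructed tshark-style field export and reports sources whose distinct-port or distinct-host counts reach a threshold. The field layout, the sample rows and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample (not a real capture) shaped like the output of
#   tshark -r scan.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e icmp.type
# Fields are tab-separated and empty when the protocol is absent from the packet.
SAMPLE = """\
10.0.0.5\t10.0.0.10\t22\t0x002\t
10.0.0.5\t10.0.0.10\t80\t0x002\t
10.0.0.5\t10.0.0.10\t443\t0x002\t
10.0.0.5\t10.0.0.10\t445\t0x002\t
10.0.0.10\t10.0.0.5\t51234\t0x012\t
10.0.0.5\t10.0.0.10\t3389\t0x002\t
10.0.0.7\t10.0.0.10\t21\t0x001\t
10.0.0.7\t10.0.0.10\t23\t0x001\t
10.0.0.7\t10.0.0.10\t25\t0x001\t
10.0.0.9\t10.0.0.10\t\t\t8
10.0.0.9\t10.0.0.11\t\t\t8
10.0.0.20\t10.0.0.10\t443\t0x002\t
"""

SYN, ACK, FIN = 0x002, 0x010, 0x001  # bit values used by tcp.flags

def tcp_flag_class(flags_hex):
    """Apply the two TCP Wireshark filters from the page to one tcp.flags value."""
    flags = int(flags_hex, 16)
    if flags & SYN and not flags & ACK:          # tcp.flags.syn==1 && tcp.flags.ack==0
        return "syn"
    if flags & FIN and not flags & (SYN | ACK):  # fin==1 && syn==0 && ack==0
        return "fin"
    return None                                  # e.g. SYN/ACK replies, plain ACKs

def scan_indicators(text, syn_ports=5, fin_ports=3, ping_hosts=2):
    """Count distinct probed ports (or hosts) per source; thresholds are assumed."""
    syn, fin, ping = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        src, dst, dport, flags, icmp = line.split("\t")
        if flags:
            kind = tcp_flag_class(flags)
            if kind == "syn":
                syn[src].add(dport)
            elif kind == "fin":
                fin[src].add(dport)
        elif icmp == "8":                        # icmp.type==8 (echo request)
            ping[src].add(dst)
    over = lambda d, n: {s: len(v) for s, v in d.items() if len(v) >= n}
    return {"syn_scan": over(syn, syn_ports), "fin_scan": over(fin, fin_ports),
            "ping_sweep": over(ping, ping_hosts)}

if __name__ == "__main__":
    print(scan_indicators(SAMPLE))  # the lone SYN from 10.0.0.20 stays below threshold
```

The SYN/ACK reply from 10.0.0.10 is deliberately in the sample: it carries the SYN bit but is excluded by the `ack==0` test, which is why the page's filter needs both conditions.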
