Nmap Basic

I. What is Nmap?

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

II. Why Do We Use Nmap?

Nmap can be used for many different purposes such as system discovery, port scanning, service detection and even as a lightweight vulnerability assessment engine.

However, in this blog we’ll only focus on using Nmap in penetration testing, especially during the footprinting and enumeration phases.

III. TCP and UDP

Before getting into Nmap usage, let’s go over the difference between the TCP and UDP protocols. Both operate at layer 4 (the Transport Layer) of the OSI model.

TCP (Transmission Control Protocol) is a connection-oriented protocol: it requires a 3-way handshake before a connection is established.


As its name implies, it has the ability to re-transmit lost packets to make sure the target receives the data in full.

In contrast, UDP (User Datagram Protocol) is a connectionless protocol that does not go through a 3-way handshake as TCP does. It does not check whether the target received the packet, which makes it unreliable. However, UDP is used when speed matters more than reliability, such as in video streaming, …

IV. Nmap TCP Connect Scan

With a TCP Connect scan (-sT), Nmap goes through the full 3-way handshake to discover open ports: it sends a SYN packet, and if it receives a SYN-ACK back it knows the port being scanned is open; it then completes the handshake by sending an ACK packet to the target.

Syntax: nmap -sT -p 80 <Target-IP>
(Wireshark capture of the TCP Connect scan)

Based on the Wireshark packet capture, we can see that Nmap indeed goes through the 3-way handshake to discover the open port, here HTTP port 80.

VI. Nmap SYN Scan

A SYN scan, also called a half-open or stealth scan, does not complete the 3-way handshake: Nmap sends a RST packet as soon as it receives the SYN-ACK from the target.

However, a SYN scan requires the ability to craft raw packets, which needs Administrator (on Windows) or root (on Linux) privileges. If not run as admin/root, Nmap falls back to a TCP Connect scan instead.

Syntax: sudo nmap -sS -p 80 <Target-IP>
(Wireshark capture of the SYN scan)

Note: SYN scan is Nmap’s default scan type when it runs with admin/root privilege, so you don’t have to put -sS in the command.

VII. UDP Scan

As discussed earlier, unlike TCP, UDP has no handshake, so there is no reliable way to tell from the returned packets (if any) whether a port is open.

When scanning UDP ports, Nmap will usually mark them as open|filtered, which means the port could be open or could be filtered by a firewall (which we’ll discuss in the next part :D).

Syntax: sudo nmap -sU -p 161 <Target-IP>

Note: Nmap sends raw packets when scanning UDP, which requires admin/root privilege; that’s why we must put sudo in front of the command, followed by the -sU switch.
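The port-state rules from the TCP Connect, SYN and UDP scan sections above, as an added example that is not from the original post or from Nmap itself: it reads constructed packet-summary lines, groups them into flows, and reports per target port what Nmap would conclude, plus whether an open TCP port was probed with a full handshake (-sT) or a half-open SYN (-sS). All addresses, ports and the line format are made up for this example.

```python
# Constructed packet-summary lines (not a real capture): "<proto> <src-ip:port> -> <dst-ip:port> <flags>"
SAMPLE = """\
TCP 10.0.0.5:40001 -> 10.0.0.9:80 SYN
TCP 10.0.0.9:80 -> 10.0.0.5:40001 SYN-ACK
TCP 10.0.0.5:40001 -> 10.0.0.9:80 ACK
TCP 10.0.0.5:40002 -> 10.0.0.9:22 SYN
TCP 10.0.0.9:22 -> 10.0.0.5:40002 SYN-ACK
TCP 10.0.0.5:40002 -> 10.0.0.9:22 RST
TCP 10.0.0.5:40003 -> 10.0.0.9:23 SYN
TCP 10.0.0.9:23 -> 10.0.0.5:40003 RST-ACK
UDP 10.0.0.5:50001 -> 10.0.0.9:161 DATA
UDP 10.0.0.5:50002 -> 10.0.0.9:53 DATA
ICMP 10.0.0.9:53 -> 10.0.0.5:50002 PORT-UNREACH
"""

def parse(text):
    """Group packets into flows by endpoint pair; a flow's first packet is the scanner's probe."""
    flows = {}
    for line in text.splitlines():
        proto, src, _, dst, flag = line.split()
        key = tuple(sorted((src, dst)))  # same key for both directions (and the ICMP reply)
        flow = flows.setdefault(key, {"proto": proto, "initiator": src, "pkts": []})
        flow["pkts"].append((src == flow["initiator"], flag))
    return flows

def port_state(flow):
    """Nmap's verdict from the target's replies (UDP: ICMP unreachable = closed, silence = open|filtered)."""
    replies = [f for from_init, f in flow["pkts"] if not from_init]
    if flow["proto"] == "UDP":
        if "PORT-UNREACH" in replies:
            return "closed"
        return "open" if replies else "open|filtered"
    if "SYN-ACK" in replies:  # TCP: SYN-ACK = open, RST = closed, no reply = filtered
        return "open"
    return "closed" if any(f.startswith("RST") for f in replies) else "filtered"

def scan_type(flow):
    """Open TCP port: ACK after the SYN-ACK = connect scan, RST = half-open scan."""
    pkts = flow["pkts"]
    if flow["proto"] != "TCP" or (False, "SYN-ACK") not in pkts:
        return "n/a"
    after = [f for from_init, f in pkts[pkts.index((False, "SYN-ACK")) + 1:] if from_init]
    return "connect (-sT)" if "ACK" in after else "half-open (-sS)" if "RST" in after else "unknown"

def report(text):
    # Map each probed target endpoint to (proto, port state, scan type).
    result = {}
    for key, flow in parse(text).items():
        target = key[0] if key[1] == flow["initiator"] else key[1]
        result[target] = (flow["proto"], port_state(flow), scan_type(flow))
    return result
```

The same flow logic applied to real capture output lets a defender tell a connect scan, which leaves completed connections in service logs, from a SYN scan, which never finishes the handshake and so shows up only at the packet level.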

VIII. Conclusion

We’ve just gone through the basic usage of Nmap in penetration testing. In the next part, we’ll take a deep dive into Nmap topics such as AV evasion, performance tuning, …

Thank you for your time and I appreciate any feedback for improvement.

Source: https://nmap.org/
