General
This is just a little cheatsheet I created for myself about NMAP. It will be updated as I learn more about this tool.
1 Scan Types
1.1 TCP Connect Scans
Command: nmap -sT
- default scan type when nmap is not run as root (it only needs the normal connect() call, no raw sockets)
- performs the full three-way handshake with each target port -> the response determines the port state
- Responses are either
- RST: Port is closed
- SYN/ACK: Port is open (nmap completes the handshake with an ACK, then tears the connection down)
- No response: Port is filtered (a firewall silently drops the probe; a firewall configured to reject with a TCP RST instead makes filtered ports look closed, so the scan can no longer tell the two apart)
1.2 TCP SYN Scans
Command: sudo nmap -sS
- Similar to a connect scan, but after receiving SYN/ACK nmap answers with RST instead of ACK, so the handshake is never completed (half-open scan)
- aka. stealth scans
- default scan type when nmap runs as root
Advantages
- Can bypass older IDSs that only alert on a completed 3-way handshake
- Often not logged by applications listening on open ports (they usually log only fully established connections)
- faster than connect scans (no full handshake and teardown per port)
Disadvantages
- requires root / sudo (raw sockets are needed to craft the SYN and RST packets)
- half-open connections might crash unstable or poorly written services
1.3 UDP Scans
Command: sudo nmap -sU
- UDP is connectionless -> nmap sends a datagram (empty for most ports, a protocol-specific payload for well-known ones) and interprets whatever comes back:
- ICMP port unreachable: Port is closed
- UDP reply from the service: Port is open
- No response: Port is open|filtered (nmap cannot tell a silent service from a firewall drop)
- slow: many hosts rate-limit ICMP unreachable messages, so every closed port costs waiting time
1.4 Firewall Evasion
- Windows systems drop ICMP echo requests by default -> ping doesn't work, and nmap's host discovery may wrongly report the host as down
- Useful flags:
- -Pn: skip host discovery and treat every target as up -> inefficient if the host really is not alive, because every port is probed anyway
- -f: fragment the probe packets into small IP fragments -> less likely to be detected by a firewall or IDS that does not reassemble fragments (requires root)
- --scan-delay <time>: wait the given time between probes, e.g. --scan-delay 500ms -> slower, but stays under rate-based IDS thresholds
- --badsum: send probes with an invalid TCP/UDP checksum -> a real host silently drops them, so any reply must come from a firewall or IDS that answered without checking the checksum; used to detect the presence of such a device
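--badsum works because every real IP stack verifies the transport checksum before handing a segment to TCP, while many firewalls and IDS sensors answer on the host's behalf without doing so. The following is an added example for this cheatsheet, not nmap's code: it builds an IPv4/TCP SYN packet with a correct checksum and one with a deliberately broken TCP checksum (the IP header checksum stays valid, so routers still forward it), and verifies both the way a receiving host would. The TEST-NET addresses and port numbers are constructed sample input; nothing is sent, since raw-socket transmission needs root.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                   # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip, dst_ip, sport, dport, bad_checksum=False) -> bytes:
    """Build an IPv4 packet carrying a bare TCP SYN.

    bad_checksum=True corrupts the TCP checksum, which is what --badsum does:
    the end host's TCP stack will discard the segment, a middlebox that skips
    checksum validation may still answer.
    """
    # TCP header: sport, dport, seq, ack, data offset (5 words) << 4, flags (SYN),
    # window, checksum placeholder, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    csum = inet_checksum(pseudo + tcp)
    if bad_checksum:
        csum ^= 0x5A5A                   # never equals the real value, avoids 0/0xFFFF aliasing
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]

    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def ip_checksum_valid(packet: bytes) -> bool:
    """A correct header sums to zero when its own checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    return inet_checksum(packet[:ihl]) == 0


def tcp_checksum_valid(packet: bytes) -> bool:
    """Recompute the TCP checksum over pseudo-header + segment, as a receiving host does."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, packet[9], len(segment))
    return inet_checksum(pseudo + segment) == 0


if __name__ == "__main__":
    for bad in (False, True):
        pkt = build_tcp_syn("192.0.2.10", "192.0.2.20", 40000, 80, bad_checksum=bad)
        print("badsum" if bad else "normal",
              "ip_ok=%s tcp_ok=%s" % (ip_checksum_valid(pkt), tcp_checksum_valid(pkt)))
```

Reading the result of a real --badsum run follows from the same logic: a target that replies to the bad-checksum probe is not the host's own TCP stack, so an inline firewall or IDS is answering, and its port verdicts should be treated accordingly.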