Time to tackle the third part of the Nmap Tutorial Series. After covering Nmap Basics and Nmap Host Discovery, we are going to look at some more advanced Nmap commands. Sometimes it is necessary to perform scans that will do something else than the TCP scan that Nmap is doing by default. Those more advanced commands are used to detect exotic services or to evade firewalls.
Almost all of those commands have to be run with the sudo prefix.
First, let’s have an overview of all the advanced Nmap commands.
Advanced Nmap Commands Overview
|-sS||TCP SYN Scan|
|-sT||TCP Connect Scan|
|-sN||TCP NULL Scan|
|-sF||TCP FIN Scan|
|-sA||TCP ACK Scan|
|-sO||IP Protocol Scan|
|-sZ||SCTP COOKIE ECHO Scan|
That’s a lot of Nmap commands to go through again, let’s get started.
TCP SYN Scan (-sS)
sudo nmap -sS 192.168.56.101
This scan scans for the 1000 most used TCP ports by sending SYN packages to a target and awaiting a response. This Nmap command is more on the stealthy side of things because it doesn’t try to connect to the target, you might be able to avoid being detected when using this command. I say might because it highly depends if the network has an IDS (Intrusion Detection System) in place or not.
TCP Connect Scan (-sT)
nmap -sT 192.168.56.101
The TCP Connect scan can be run without sudo, it attempts to establish a plain connection to the target host. This command is noisy, so use with caution.
UDP Scan (-sU)
sudo nmap -sU 192.168.56.101
The UDP Scan is a valuable asset for scanning services that use UDP like DNS and DHCP. I always run a UDP scan to find all the services that don’t use TCP.
TCP NULL Scan (-sN)
sudo nmap -sN 192.168.56.101
The TCP NULL Scan sends packets without TCP flags. This method is used to get the firewall to respond to the scan.
TCP FIN Scan (-sF)
sudo nmap -sF 192.168.56.101
The TCP FIN Scan is used to get a TCP ACK response from the target. This is just another way to get around a firewall and trigger a response from the target host.
Xmas Scan (-sX)
sudo nmap -sX 192.168.56.101
This funny sounding scan, a quote from Nmap’s official documentation, “Sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.” describes this scan pretty well. This is used to provoke a response from a target host behind a firewall. It’s obvious that this is a noisy approach.
TCP ACK Scan (-sA)
sudo nmap -sA 192.168.56.101
The TCP ACK scan is used to check if a system is protected by a firewall or not. If no RST response is given from the target system, Nmap assumes that the target system is filtered. If the target system returns an RST response, it will be set as unfiltered. Ports being filtered is an indication that the system is behind a firewall. Unfiltered ports are most likely allowed through the firewall through specific rules.
IP protocol Scan (-sO)
sudo nmap -sO 192.168.56.101
The IP protocol scan shows all protocols that are supported by the target. This option is mostly used to determine what kind of scans you will run against the target system based on its protocols. You can find a list of all protocols here.
SCTP Cookie Echo Scan (-sZ)
sudo nmap -sZ 192.168.56.101
This scan is a more advanced SCTP scan. It’s a pretty silent way of scanning because it drops packets containing Cookie Echo chunks on open ports, but it does send an Abort response if the port is closed. This scan is pretty silent, although it still can be detected by a well-configured IDS.
Idle Scan (-sI)
sudo nmap -sI 192.168.56.103(<--Zombie Host) 192.168.56.101
This scanning method runs a completely blind TCP port scan against the target. There are no packets sent from your own IP address. This technique uses a so-called Zombie Host to gather information about the target. You basically specify a Zombie Host on the network that will send the packets for you, making it hard for IDS to detect your scan.
I really like this method and use it quite often as it is really stealthy. Note that this scan does not work all the time, as you can see in my example.
This should give you a good of some Advanced Nmap Commands. How often you use those Nmap Commands in the real world highly depends on the scenario. Sometimes simple Nmap scans are enough to detect open ports on most systems.