In this NMAP tutorial, we are going to take a look at the 11 most used NMAP commands for advanced scanning, how and when to use them. I’ll be using Nmap on Kali Linux 2021. If you don’t have Kali installed you can follow this guide on virtually any other OS as long as you have NMAP installed on your system.
If you don’t have Nmap installed on your system yet, here is a step-by-step guide for installing Nmap on Windows, macOS, Linux, and FreeBSD. It takes less than 5 minutes.
You might also want to read:
10 Basic NMAP Commands And How To Use Them
NMAP Host Discovery Flags And How To Use Them
Without further ado, let’s get to work.
Quick Overview
Nmap offers a variety of scan types that can be customized further. By default, Nmap runs a TCP SYN scan of the 1000 most common ports when it has root/Administrator privileges, and falls back to a TCP connect scan otherwise.
However, more specialised TCP or UDP scans are often needed to find services on less common ports, to enumerate UDP services at all, or to map and work around firewall rules that make the default scan uninformative.
Here is a summary of Nmap flags that we will cover in this tutorial.
NMAP Advanced Scan Method | NMAP Advanced Scan Flag |
TCP SYN Scan | -sS |
TCP Connect Scan | -sT |
TCP FIN Scan | -sF |
TCP NULL Scan | -sN |
TCP ACK Scan | -sA |
Custom TCP Scan | --scanflags |
UDP Scan | -sU |
Xmas Scan | -sX |
IP Protocol Scan | -sO |
Scan Using IP Packets | --send-ip |
Scan Using Raw Ethernet Packets | --send-eth |
TIP: It is highly recommended to run Nmap as root/Administrator. Most of the scan types below send raw packets, which requires elevated privileges; without them Nmap either refuses to run the scan or silently substitutes a less capable one with less detailed output.
NMAP TCP SYN Scan
Flag: -sS
Syntax: nmap -sS [Target]
Description: Performs a half-open ("stealth") scan of the 1000 most commonly used ports. This scan type requires root/Administrator privileges because it sends raw packets.
The Nmap TCP SYN scan sends a SYN packet to each of the 1000 most commonly used ports on the target and waits for the response: a SYN/ACK means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable error) means it is filtered.
Because the SYN scan never completes the three-way handshake (Nmap answers a SYN/ACK with a RST instead of an ACK), the application listening on the port never sees a connection and so never logs one; this is why the method is called stealthy. Keep in mind that the stealth is limited: the SYN packets still cross the wire, and any firewall, IDS, or host-level packet logging will record them.
The command output for the -sS flag output for scanme.nmap.org is shown in Figure 1.1.
NMAP TCP Connect Scan
Flag: -sT
Syntax: nmap -sT [Target]
Description: Completes a full TCP connection to each port through the operating system's connect() call, so it is not stealthy. This scan type does not require root/Administrator privileges.
The TCP connect scan is the fallback when a SYN scan is not possible, typically because the user lacks the privileges needed to send raw packets. (Older Nmap releases also needed it for IPv6 targets; current releases can run raw-packet scans over IPv6 as well.)
Instead of raw packets, the connect scan asks the operating system to establish each connection with the connect() system call, so the handshake completes and the target service sees (and can log) a connection from your address. If running Nmap with elevated privileges is not an issue, the TCP SYN scan explained above is the better option.
The command output for the -sT flag output for scanme.nmap.org is shown in Figure 1.2.
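To make the difference concrete, here is an added example (not code from the original tutorial or from the Nmap project) of what a connect scan does under the hood: one full connect() per port, classified the way Nmap reports it, plus a loopback listener to play the lab target. It also accepts the connection on the target side to show that the service learns the scanner's address, which is exactly what a SYN scan avoids. The target 127.0.0.1, the ephemeral ports, and the function names are this example's own.

```python
"""Minimal TCP connect scan (what `nmap -sT` does) against a loopback lab target.

Added example: not part of the original tutorial or of Nmap itself.
Only scan hosts you are authorized to test; here the target is 127.0.0.1.
"""
import socket


def connect_scan(host, ports, timeout=0.5):
    """Classify each port by attempting a full three-way handshake.

    connect() succeeds  -> "open"     (SYN, SYN/ACK, ACK all completed)
    ECONNREFUSED        -> "closed"   (the target answered our SYN with a RST)
    timeout/other error -> "filtered" (no usable answer, e.g. dropped by a firewall)
    """
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:  # includes socket.timeout
            results[port] = "filtered"
        finally:
            sock.close()  # sends FIN; the handshake itself already completed
    return results


def start_listener(host="127.0.0.1"):
    """Bind a listening TCP socket on an ephemeral port to play the target service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def find_closed_port(host="127.0.0.1"):
    """Bind and immediately release an ephemeral port so we know it is closed right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def target_saw_connection(srv, timeout=1.0):
    """Target side: accept() the queued connection and return the scanner's address.

    A real service would log this address. With a SYN scan there is nothing to
    accept, because the handshake is never completed.
    """
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    conn.close()
    return peer[0]


def demo():
    """Scan one open and one closed loopback port, then check what the target saw."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = find_closed_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port])
    seen_by_target = target_saw_connection(srv)
    srv.close()
    return results, open_port, closed_port, seen_by_target


if __name__ == "__main__":
    results, open_port, closed_port, seen = demo()
    for port in (open_port, closed_port):
        print(f"127.0.0.1:{port} {results[port]}")
    print(f"target accepted a connection from {seen}")
```

Run it as a normal user: no raw sockets are involved, which is exactly why `-sT` works without root, and why the target's accept queue (and its logs) end up holding your address.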
NMAP TCP FIN Scan
Flag: -sF
Syntax: nmap -sF [Target]
Description: Sends TCP segments with only the FIN bit set and looks for RST replies, which only closed ports should send. Requires root/Administrator privileges. Some systems ignore the RFC and answer every such probe with a RST regardless of port state, so on them all ports appear closed.
Nmap uses the TCP FIN scan to separate closed ports from ports that are open or filtered. The probe is a TCP segment with only the FIN flag set, which is "out of state" because no connection exists for it to belong to.
According to RFC 793, a segment that arrives at an open (listening) port without the SYN, RST, or ACK bits set is silently discarded, while the same segment arriving at a closed port must be answered with a RST. Nmap therefore reports ports that answer with a RST as closed and ports that stay silent as open|filtered; an ICMP unreachable error marks the port filtered.
TIP: A RST [TCP reset] segment tells the peer that no connection exists (or that the sender is aborting it) and that it will neither accept nor send any further data on it.
Because firewalls and packet filters are often configured to block SYN packets but let other TCP segments through, the FIN scan can sometimes probe targets that a SYN scan cannot [Figure 1.3].
NMAP TCP NULL Scan
Flag: -sN
Syntax: nmap -sN [Target]
Description: Sends TCP segments with no flags set at all [the flags byte is 0], an out-of-state probe meant to draw RST replies from closed ports through non-stateful firewalls. Requires root/Administrator privileges. Systems that answer every out-of-state segment with a RST show all ports as closed.
Nmap uses the TCP NULL scan to find closed ports by sending segments with the flags byte set to 0, a combination that RFC 793 never produces during a legitimate connection.
The RFC 793 expected behaviour is for an open port to discard any out-of-state segment, while a closed port answers it with a RST. This is how Nmap finds which ports are closed with this method.
The TCP NULL scan therefore detects closed ports from RST responses; ports that stay silent are reported as open|filtered, since a dropped probe and an open port look the same. An example of a TCP NULL scan is shown in Figure 1.5.
NMAP TCP ACK Scan
Flag: -sA
Syntax: nmap -sA [Target]
Description: Sends segments with only the ACK bit set and looks for RST replies in order to map firewall rulesets: it reports which ports are filtered and which are unfiltered, and so reveals whether a stateful firewall is in the way. It does not tell open ports from closed ones. Requires root/Administrator privileges.
You can enable TCP ACK probing with the -sA flag. When a port is unfiltered, both open and closed ports answer an unsolicited ACK with a RST.
Because open and closed ports react identically, Nmap can only label such ports unfiltered; it cannot say which of them are open. Ports that answer with an ICMP error or do not respond at all are labelled filtered. A stateful firewall drops ACKs that belong to no tracked connection, so a target behind one shows every port as filtered, whereas a stateless packet filter that only blocks SYNs lets the probes through.
An example of a TCP ACK Scan where all the ports on the target machine are unfiltered is shown in Figure 1.5.
NMAP Custom TCP Scan
Flag: --scanflags
Syntax: nmap --scanflags [flag(s)] [Target]
Description: Lets you build your own scan by choosing any combination of TCP header flags. Requires root/Administrator privileges.
Instead of running several scans that each set a single flag, you can combine flags into one custom probe; this is useful for testing how a particular firewall or IDS handles unusual flag combinations, and saves a great deal of time and frustration.
Table 1.2 below lists the flag names accepted by the --scanflags option, which can be combined in any order.
Flag | Flag Description |
ACK | Acknowledge |
SYN | Synchronize |
URG | Urgent |
PSH | Push |
RST | Reset |
FIN | Finish |
For instance, nmap --scanflags PSHURGSYN [Target] sets the PSH, URG, and SYN TCP header flags in every probe. The order in which the flag names are given is irrelevant [Figure 1.6]. Note that Nmap interprets the replies as it would for a SYN scan unless you also give a base scan type such as -sA or -sF, in which case the replies are interpreted as for an ACK or FIN scan.
TIP: The flag names are run together without any spaces in between, as in PSHURGSYN.
Nmap UDP Scan
Flag: -sU
Syntax: nmap -sU [Target]
Description: Sends a UDP packet to each targeted port (an empty one by default, or a protocol-specific payload for well-known ports such as 53 and 161 to coax a reply). This scan type requires root/Administrator privileges.
Even though most popular services on the Internet run over TCP, some services such as DNS [port 53], DHCP [ports 67/68], and SNMP [ports 161/162] still use UDP.
A common mistake is to harden only the TCP services and overlook the UDP ports a system or network exposes, which leaves those services reachable by attackers. Reading UDP results also takes care: a UDP reply means open, an ICMP port unreachable means closed, and silence is reported as open|filtered because a dropped probe and a silent service look exactly the same. This ambiguity, together with ICMP rate limiting on most targets, is why UDP scans are slow.
The UDP Scan -sU can be used in tandem with the SYN Scan -sS to check both protocols in the same scan, as seen in Figure 1.7.
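The three outcomes described above (a reply, an ICMP port unreachable, silence) are easy to reproduce on loopback. The following is an added example of that UDP probe logic, not code from the original tutorial or from Nmap, and it simplifies one thing: instead of sniffing for the ICMP error the way Nmap does, it relies on the kernel delivering that error as ECONNREFUSED on a connected UDP socket, which Linux and the BSDs do. The lab services, their ephemeral ports, and the function names are this example's own.

```python
"""UDP port probing classified the way `nmap -sU` reports it, run against loopback.

Added example: not part of the original tutorial or of Nmap itself.
Assumes a Linux/BSD kernel that reports ICMP port unreachable as ECONNREFUSED on a
*connected* UDP socket; Nmap sniffs the ICMP packet instead of relying on this.
"""
import socket
import threading


def udp_probe(host, port, payload=b"", timeout=0.5):
    """Send one datagram and classify the port.

    datagram comes back    -> "open"          (a service answered)
    ICMP port unreachable  -> "closed"        (surfaces here as ECONNREFUSED)
    nothing at all         -> "open|filtered" (silent service or firewall drop; these
                                              are indistinguishable, hence the ambiguity)
    other socket error     -> "filtered"      (Nmap maps other ICMP unreachable codes,
                                              e.g. admin prohibited, to filtered)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))  # connect() so ICMP errors get reported to us
        sock.send(payload)          # Nmap's default probe is an empty datagram
        sock.recv(2048)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    except OSError:
        return "filtered"
    finally:
        sock.close()


def start_udp_service(host="127.0.0.1", reply=True):
    """Bind a UDP socket on an ephemeral port to act as the lab target.

    reply=True  echoes every datagram (think of DNS answering a query).
    reply=False stays silent, like a service that ignores an empty probe, which is
                why Nmap sends protocol-specific payloads to well-known ports.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    if reply:
        srv.settimeout(2.0)  # lets the thread exit on its own once the demo is done

        def serve():
            try:
                while True:
                    data, addr = srv.recvfrom(2048)
                    srv.sendto(data or b"pong", addr)
            except OSError:
                pass  # timed out or closed by the caller

        threading.Thread(target=serve, daemon=True).start()
    return srv


def find_closed_udp_port(host="127.0.0.1"):
    """Bind and release an ephemeral UDP port so we know nothing listens on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe one answering, one silent, and one closed UDP port on loopback."""
    talker = start_udp_service(reply=True)
    silent = start_udp_service(reply=False)
    ports = {
        "answering": talker.getsockname()[1],
        "silent": silent.getsockname()[1],
        "closed": find_closed_udp_port(),
    }
    results = {name: udp_probe("127.0.0.1", port) for name, port in ports.items()}
    talker.close()
    silent.close()
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:>9} port -> {state}")
```

The "silent" case is the one to remember: a bound socket that never replies produces the same open|filtered result as a firewall that drops the probe, so a UDP scan can only prove a port closed (ICMP) or open (a reply), never silently open.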
NMAP Xmas Scan
Flag: -sX
Syntax: nmap -sX [Target]
Description: Sets the PSH, URG, and FIN flags of the TCP header together and uses RST replies to find closed ports. Requires root/Administrator privileges.
The Nmap Xmas scan refers to the collection of flags that are lit up inside one packet: FIN, PSH, and URG at the same time. No legitimate connection ever produces this combination, so the packets are out of state under RFC 793.
As with the FIN and NULL scans, RFC 793 makes an open port discard the probe and a closed port answer with a RST, so a RST means closed and silence means open|filtered.
In the Wireshark capture below [Figure 1.9], the set bits in the flags byte are spread out like lights blinking on a Christmas tree, which is where the name comes from. Isn't this the type of humor we techs love? 🙂
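The FIN, NULL, Xmas, ACK, and --scanflags scans all differ only in which bits are set in the flags byte of the TCP header and in how the reply is read. The following is an added example, not code from the original tutorial or from Nmap's source, that turns an Nmap-style --scanflags string into that byte, builds a complete TCP header with a valid checksum around it, and classifies responses the way Nmap reports them for each of those scan types. The 192.0.2.x addresses are RFC 5737 documentation placeholders and the function names are this example's own; ECE and CWR appear in the flag table because they are valid TCP flag bits, although the tutorial's Table 1.2 lists only the six RFC 793 flags.

```python
"""Crafting and interpreting out-of-state TCP probes (FIN, NULL, Xmas, ACK, --scanflags).

Added example: not part of the original tutorial or of Nmap's source.
192.0.2.x addresses are RFC 5737 documentation placeholders.
"""
import socket
import struct

# Bit positions in the TCP flags byte (RFC 793; ECE/CWR added by RFC 3168).
TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
# The named scans are nothing more than fixed flag combinations.
SCAN_FLAGS = {"NULL": 0x00, "FIN": 0x01, "XMAS": 0x29, "ACK": 0x10, "SYN": 0x02}


def parse_scanflags(spec):
    """nmap-style --scanflags argument -> flags byte.

    Accepts run-together three-letter names in any order ('PSHURGSYN'), an empty
    string (no flags, i.e. a NULL probe), or a decimal value ('9' == PSH+FIN).
    """
    if spec.isdigit():
        value = int(spec)
        if value > 0xFF:
            raise ValueError(f"flag value out of range: {spec}")
        return value
    spec = spec.upper()
    if len(spec) % 3:
        raise ValueError(f"flag names are three letters each, got {spec!r}")
    value = 0
    for i in range(0, len(spec), 3):
        name = spec[i:i + 3]
        if name not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        value |= TCP_FLAG_BITS[name]
    return value


def flag_names(flags):
    """Readable form of a flags byte, e.g. 0x29 -> 'FIN PSH URG'."""
    return " ".join(n for n, b in TCP_FLAG_BITS.items() if flags & b) or "(none)"


def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header covered by the TCP checksum (RFC 793 section 3.1)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header (no options, no payload) with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4,               # data offset 5 words, reserved bits zero
                         flags, window, 0, 0)  # checksum placeholder, urgent pointer
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_checksum_ok(src_ip, dst_ip, segment):
    """A segment verifies if pseudo-header + segment (checksum included) sums to zero."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def segment_flags(segment):
    """Flags byte of a raw TCP segment: byte 13, the one the Xmas scan lights up."""
    return segment[13]


def classify(scan, response):
    """Port state Nmap would print for a probe's outcome.

    response: None (silence), "RST", "SYN/ACK", or "ICMP" (destination unreachable,
    which Nmap treats as filtered for every scan type).
    """
    if scan == "ACK":                                # -sA only asks: did it get through?
        return "unfiltered" if response == "RST" else "filtered"
    if scan in ("FIN", "NULL", "XMAS", "CUSTOM"):    # out-of-state probes, RFC 793 rules
        if response == "RST":
            return "closed"
        return "open|filtered" if response is None else "filtered"
    if scan == "SYN":                                # for comparison: -sS gets a definite answer
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    raise ValueError(f"unknown scan type {scan!r}")


if __name__ == "__main__":
    for spec in ("", "FIN", "FINPSHURG", "PSHURGSYN", "9"):
        f = parse_scanflags(spec)
        print(f"--scanflags {spec or '(none)':<10} -> 0x{f:02x} {f:08b} {flag_names(f)}")
    seg = build_tcp_segment("192.0.2.1", "192.0.2.2", 40000, 80, SCAN_FLAGS["XMAS"])
    print("Xmas segment:", seg.hex(), "checksum ok:", tcp_checksum_ok("192.0.2.1", "192.0.2.2", seg))
    print("FIN + RST ->", classify("FIN", "RST"), "| FIN + silence ->", classify("FIN", None))
```

Putting such a segment on the wire needs a raw socket (root/CAP_NET_RAW), and reading the RST that comes back needs a packet capture, which is what Nmap does with libpcap; that is the part this example deliberately leaves to Nmap. The binary printout of 0x29 (00101001) is the "blinking lights" pattern the Xmas scan is named after.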
NMAP IP Protocol Scan
Flag: -sO
Syntax: nmap -sO [Target]
Description: Lists the IP protocols (TCP, UDP, ICMP, and so on) that a target responds to. Requires root/Administrator privileges. Nmap sends raw IP packets cycling through the protocol number in the IP header: any reply in that protocol means open, an ICMP protocol unreachable error means closed, other ICMP unreachable errors mean filtered, and silence means open|filtered.
It is useful to identify which protocols a target supports before performing more in-depth Nmap scans that depend on those protocols.
TCP, ICMP, and UDP are the protocols most commonly found open on modern computers, as seen in Figure 1.9 below.
NMAP Scan Using IP Packets
Flag: --send-ip
Syntax: nmap --send-ip [Target]
Description: Forces Nmap to send its probes through the operating system's raw IP sockets instead of crafting Ethernet frames itself.
Nmap chooses the sending method automatically (raw IP sockets are usually the most efficient choice on Unix-like systems), so this argument is rarely given on the command line; it exists to override that choice when the automatic pick misbehaves.
NMAP Scan Using Raw Ethernet Packets
Flag: --send-eth
Syntax: nmap --send-eth [Target]
Description: Sends raw Ethernet frames at the data link layer, bypassing the IP layer of your system. Nmap has to use this on Windows, where raw IP sockets are not available.
This option is rarely needed manually, because Nmap picks the best method for the platform (Ethernet frames on Windows, raw IP sockets on most Unix-like systems) and still falls back to raw IP on links that are not Ethernet, where frames cannot be sent at all.
Before You Leave…
Congratulations on reaching the end of this Nmap tutorial! Take some time to read and practice the above Nmap commands for advanced scanning in your own lab. If you don't have a lab set up yet, you can practice against scanme.nmap.org, which the Nmap project runs for exactly that purpose (scan only that host, and don't hammer it).
But most importantly, whatever you do, stay out of trouble!
