Port/Service/OS Enumeration
Port scanning helps identify which services are running and accessible on a network.
open: This indicates that the connection to the scanned port has been established. These connections can be TCP connections, UDP datagrams as well as SCTP associations.closed: When the port is shown as closed, the TCP protocol indicates that the packet we received back contains an RST flag. This scanning method can also be used to determine if our target is alive or not.filtered: Nmap cannot correctly identify whether the scanned port is open or closed because either no response is returned from the target for the port or we get an error code from the target.unfiltered: This state of a port only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined whether it is open or closed.open|filtered: If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.closed|filtered: This state only occurs in the IP ID idle scans and indicates that it was impossible to determine if the scanned port is closed or filtered by a firewall.
Specifying ports (-p) narrows the scope of the scan, saving time and avoiding unnecessary noise. You can target multiple ports by separating them with a comma (80,443), or even port ranges with a hyphen (0-65535).
You can even target ALL ports when you supply just as hyphen as a parameter (-p-)
-Pn disables host discovery prior to executing a port scan - all targeted addresses are mark as up and scan time will be slower. This technique is good for targeting hosts that may be blocking pings, as nmap will not scan a host marked as down.
The --open option can be used to display only open ports in the scan results.
Port Scansβ
Default TCP Port Scanβ
nmap 192.168.1.1
- Use Case: Standard for most initial assessments, especially when the targetβs network topology and service configuration are unknown.
- Why: This is a basic SYN scan that targets the top 1000 most common ports (excluding
5985/TCP- WinRM), giving a quick overview of common services.
TCP Connect Scan (Full Connect)β
nmap -sT 192.168.1.1
- Use Case: Use when performing scans without root privileges or when a full TCP connection is required.
- Why:
-sTperforms a full TCP handshake, which is slower and more detectable but does not require elevated privileges, making it suitable for limited access environments.
TCP SYN Scanβ
nmap -sS 192.168.1.1
- Use Case: Ideal for stealthier scans, commonly used during penetration tests.
- Why:
-sSis a half-open scan where only a SYN packet is sent, and a reset is returned instead of completing the handshake, making it less likely to be logged by the target.
UDP Port Scanβ
nmap -sU 192.168.1.1
- Use Case: When you need to discover UDP services like DNS, SNMP, or DHCP.
- Why:
-sUprobes that targets the top 1000 most common UDP ports, which can be slower but necessary for a complete enumeration since many critical services use UDP.
Aggressive Port Scan (Service Version, OS Detection, etc.)β
nmap -A 192.168.1.1
- Use Case: Use when you need more detailed information about open ports, including OS and service versions.
- Why:
-Acombines several detection features, useful in situations where detail is critical and stealth is not a concern.
Fast Scan (Fewer Ports)β
nmap -F 192.168.1.1
- Use Case: Useful for a quick survey of potentially open services.
- Why:
-Fscans only the top 100 most common ports, allowing a rapid assessment.
TCP Null, FIN, and Xmas Scan (Firewall Evasion)β
nmap -sN -sF -sX 192.168.1.1
- Use Case: Effective when attempting to evade IDS/IPS, as some devices ignore these packets.
- Why: These scans (
-sN,-sF,-sX) work by sending unusual TCP flags and are sometimes able to bypass firewalls or network security devices configured to allow such packets through.
Service and OS Enumerationβ
Service enumeration helps determine the services running on open ports and gather further information about them.
Service Version Detectionβ
nmap -sV 192.168.1.1
- Use Case: Ideal for identifying versions of services to look for vulnerabilities.
- Why:
-sVqueries open ports with specific protocols, and helps identify specific version numbers for targeted vulnerability research.
Intense Version Detectionβ
nmap -sV --version-intensity 5 192.168.1.1
- Use Case: Use when preliminary scans fail to detect versions; higher intensity may be needed.
- Why:
--version-intensity(0-9scale) adjusts how aggressively Nmap interrogates ports, with5representing a thorough but still somewhat balanced scan.
Service Enumeration with OS Detectionβ
nmap -sV -O 192.168.1.1
- Use Case: Use for detailed reconnaissance when identifying running services as well as the operating system is necessary.
- Why:
-Oprovides OS detection while-sVdetects services, giving a comprehensive picture of the host.