NMAP - A Stealth Port Scanner

Andrew J. Bennieston
http://www.nmap-tutorial.com
 

Contents
1 Intro duction 4

2 Disclaimer 4

3 Basic Scan Types [-sT, -sS] 4

3.1 TCP connect() Scan [-sT] . . . . . . . . . . . . . . . . . . . . . . 4
3.2 SYN Stealth Scan [-sS] . . . . . . . . . . . . . . . . . . . . . . . . 5

4 FI
FIN, Null and Xmas Tree Scans [-sF, -sN, -sX] 6

5 Ping Scan [-sP] 7

6 UDP Scan [-sU] 8

7 IP Proto col Scans [-sO] 8

8 Idle Scanning [-sI] 9

9 Version Detection [-sV] 10

10 ACK Scan [-sA] 10

11 Window Scan, RPC Scan, List Scan [-sW, -sR, -sL] 11

12 Timing and Hiding Scans 11

12.1 T
Tiiming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
12.2 D
Deecoys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
12.3 F TTPP Bounce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
12.4 T
Tuurning Off Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
12.5 F
Frragmenting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
12.6 I d
dlle Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

13 OS Fingerprinting 13

14 Outputting Logs 13

15 Other Nmap Options 13

15.1 IIP
Pv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
15.2 V
Veerbose Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
15.3 RReesuming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
15.4 Reading Targets From A File . . . . . . . . . . . . . . . . . . . . 14
15.5 F
Faast Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
15.6 T iim
me-To-Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2
 

16 Typical Scanning Session 14

17 Frequently Asked Questions 18

17.11 I tried a sca
17. scann and it appeare
appeared d in firew
firewallall log
logss or ale
alerts.
rts. What els elsee
can I do to help hide my scan? . . . . . . . . . . . . . . . . . . . . 18
17.22 NMA
17. NMAP P seem
seemss to hav
havee stop
stopped,
ped, or my scan is taking a ve very
ry long
while. WWh hy is this? . . . . . . . . . . . . . . . . . . . . . . . . . . 19
17.3 Will -s-sN
N -sX and -sF w work
ork agains
againstt any host, or jus justt Windo
Windows ws hosts? 20
17
17.4
.4 Ho
Howwd doo I fin
findd a du
dumm
mmy yhhos
ostt ffor
or th
thee IIdl
dlee S
Sca
cann ((-s
-sI)
I)?? . . . . . . . . 20
17.55 What does ”Ho
17. ”Hostst seems do
down.
wn. If it is really up, but bloc blockin
kingg our
ping probebess, try -P0” mean? . . . . . . . . . . . . . . . . . . . . . 20
17.6 Where can I find NmapFE? . . . . . . . . . . . . . . . . . . . . . 20

18 Ab out This Do cument 20

3
 

1 In
Intr
trod
oduc
ucti
tio
on
Nmap is a free, open-source port scanner available for both UNIX and Windows.
It has an optional graphical front-end, NmapFE, and supports a wide variety of 
scan types, each one with different benefits and drawbacks.
This article describes some of these scan types, explaining their relative ben-
efits and just how they actually
actually wo
work.
rk. It also offers tips about whic
which
h ty
types
pes of 
scan would be best against which types of host.
The article assumes you have Nmap installed (or that you know how to install
it. Instructions are available on the Nmap website,   http://www.ins
http://www.insecure.org/
ecure.org/
nmap/install/inst-source.html ), and that you have the required privileges
to run the scans detailed (many scans require root or Administrator privileges).
A frequently asked questions section has been added since the first version of 
this article, and this is included as the last section in this version. This is a fully
revised and updated version of this tutorial, re-typed and converted to a TeX
format, allowing more output formats to be utilised. At the time of writing, the
latest Nmap version was 4.11.

2 Disclaimer
This information is provided to assist users of Nmap in scanning their own net-
works, or networks for which they have been given permission to scan, in order
to determine the security of such networks. it is not intended to assist with scan-
ning remote sites with the intention of breaking into or exploiting services on
those sites, or for imformation gathering purposes beyond those allowed by law.
I hereby disclaim any responsibility for actions taken based upon the information
in this article, and urge all who seek information towards a destructive end to
reconsider their life, and do something constructive instead.

3 Ba
Basi
sicc S
Sca
can
n Type
Typess [-s
[-sT,
T, -s
-sS]
S]
The two basic scan types used most in Nmap are TCP connect() scanning [-sT]
and SYN scanning (also known as half-open, or stealth scanning) [-sS].
These two types are explained in detail below.

3.1
3.1 TCP
TCP con
conne
nect
ct()
() Scan
Scan [-sT
[-sT]]
These scans are so called because UNIX sockets programming uses a system call
named  connect()   to begin
begin a TC
TCPP con
connec
necti
tion
on to a rem
remote
ote sit
site.
e. If   connect()
succeeds
succeeds,, a conn
connecti
ection
on was made. If it fai
fails,
ls, the connect
connection
ion could not be made
(the remote system is offline, the port is closed, or some other error occurred
along the way). This allows a basic type of port scan, which attempts to connect

4
 

to every port in turn, and note

notess whet
whether
her or not the conn
connecti
ection
on succeed
succeeded.
ed. Once
the scan is completed, ports to which a connection could be established are listed
as  open , the rest are said to be closed.
This method of scanning is very effective, and provides a clear picture of the
portss you
port you can
can and
and can
cannot
not acce
access
ss.. If a con
connec
nect()
t() sca
scan
n lists
lists a por
portt as open, you
can definitely connect to it - that is what the scanning computer just did! There
is, however, a major drawback to this kind of scan; it is very easy to detect on
the system being scanned.
scanned. If a firew
firewall
all or in
intrus
trusion
ion detect
detection
ion syste
system m is runnin
runningg
on the victim, attempts to connect() to every port on the system will almost
always
alwa ys trigger a warning. Indeed, with modern firewallfirewalls,
s, an attempt to connect
to a single port which has been blocked or has not been specifically ”opened” will
usually
usuall y result in the connection attempt being logged. AdditiAdditionally
onally,, most serve
servers
rs
will log connections and their source IP, so it would be easy to detect the source
of a TCP connect() scan.
For this reason, the TCP Stealth Scan was developed.

3.2
3.2 SYN
SYN Ste
Steal
alth
th Scan
Scan [-sS
[-sS]]
I’ll
I’ll begin this secti
section
on with an over
overvie
view
w of the TCP connec
connection
tion proces
process.
s. Thos
Thosee
familiar with TCP/IP can skip the first few paragraphs.
When a TCP connection is made between two systems, a process known as a
”three way handshake” occurs. This involves the exchange of three packets, and
synchronises the systems with each other (necessary for the error correction built
into TCP. Refer to a good TCP/IP book for more details.
The system initiating the connection sends a packet to the system it wants
to connect
connect to. TCP pac packe
kets
ts hav
havee a hea
header
der secti
section
on with a  flags   field.
field. Fla
Flags
gs tell
the receiving end something about the type of packet, and thus what the correct
response is.
Here,, I wil
Here willl talk about only four of the possi
possible
ble flags
flags.. Thes
Thesee are SYN (Syn
(Syn--
chronise),
chron ise), ACK (Ackno
(Acknowledge),
wledge), FIN (Finished
(Finished)) and RST (Reset). SYN packe packets
ts
include a TCP sequence number, which lets the remote system know what se-
quence numbers to expect in subsequent communication. ACK acknowledges re-
ceipt of a packet or set of packets, FIN is sent when a communication is finished,
requesting that the connection be closed, and RST is sent when the connection
is to be reset (closed immediately).
To initiate a TCP connection, the initiating system sends a SYN packet to
the destination, whichwhich will respond with a SYN of its own, and an ACKACK,, acknow
acknowl-l-
edging the receipt of the first packet (these are combined into a single SYN/ACK
packe
pac ket).
t). The first sys system
tem then send
sendss an AC
ACK K pac
packe
kett to ac
ackno
knowle
wledge
dge receip
receiptt of 
the SYN/ACK, and data transfer can then begin.
SYN or Stealth scanning makes use of this procedure by sending a SYN packet
and looking at the response. If SYN/ACK is sent back, the port is open and the
remote end is trying to open a TCP connection. The scanner then sends an RST

5
 

to tear down the connection before it can be established fully; often preventing
the connectio
connection
n atte
attempt
mpt appeari
appearing
ng in appl
applica
ication
tion logs
logs.. If the port is clos
closed,
ed, an
RST will be sent. If it is filter
filtered,
ed, the SYN pack
packetet will hav
havee been drop
dropped
ped and
no response will be sent. In this way, Nmap can detect three port states - open,
closed
closed and filtere
filtered.
d. Fil
Filtere
tered
d ports may requir
requiree further
further probin
probingg sin
since
ce they could
be subject to firewall rules which render them open to some IPs or conditions,
and closed to others.
Modern firewalls and Intrusion Detection Systems can detect SYN scans, but
in combination with other features of Nmap, it is possible to create a virtually
undetectable SYN scan by altering timing and other options (explained later).

4 FIN
FIN,, Null
Null and Xm
Xmas
as Tree Scans
Scans [-sF,
[-sF, -sN
-sN,, --sX]
sX]
With the multitude of modern firewalls and IDS’ now looking out for SYN scans,
thesee thre
thes threee scan type
typess ma
may
y be use
useful
ful to varyi
arying
ng degrees
degrees.. Eac
Eachh scan type refers
to the flags set in the TCP header. The idea behi behind
nd these ty
type
pe of scan
scanss is that
a closed port should respond with an RST upon receiving packets, whereas an
open port shoshould
uld just drop them (it’
(it’ss lis
listeni
tening
ng for pac
packe
kets
ts with SYN set). Thi
Thiss
way, you never make even part of a connection, and never send a SYN packet;
which is what most IDS’ look out for.
The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan
sets the FIN, URG and PUSH flags (see a good TCP/IP book for more details)
and the Null scan sends a packet with no flags switched on.
These scan types will work against any system where the TCP/IP implemen-
tation
tation fol
follo
lows
ws RF
RFC C 793
793.. Micr
Microsof
osoftt Win
Windo dows
ws does not follo
follow
w the RFC, and wilwilll
ignore these packets even on closed ports. This technicality allows you to detect
an MS WinWindodows
ws syste
system
m by runn
running
ing SYN alon alongg wit
with
h one of these scans
scans.. If the
SYN scan shows open ports, and the FIN/NUL/XMAS does not, chances are
you’re looking at a Windows box (though OS Fingerprinting is a much more
reliable way of determining the OS running on a target!)
The sample below shows a SYN scan and a FIN scan, performed against a
Linux
Lin ux system
system.. The resul
results
ts are, pred
predicta
ictably
bly,, the same, but the FIN scan is less
likely to show up in a logging system.

1   [chaos
[chaos]#
]# nmap
nmap -sS 127.0.0
127.0.0.1
.1
2
3   Starti
Starting
ng Nmap 4.01
4.01 at 2006-0
2006-07-0
7-06
6 17:23 BST
4   Interesti
Interesting
ng ports on chaos
chaos (127.0.0.1
(127.0.0.1):
):
5   (T
(The
he 1668 ports
ports scann
scanned
ed but no
not
t sh
show
own
n be
belo
low
w ar
are
e in state:
state:
6   closed)
7   PO
PORT STATE SERVICE
8   21/tcp open ftp

6
 

9   22/tcp open ssh

10   631/
631/tc
tcp
p ope
open ipp
ipp
11   60
6000
00/t
/tcp
cp op
open
en X1
X11
1
12
13   Nm
Nmap
ap finish
finished
ed:
: 1 IP addres
address
s (1 host up) scann
scanned
ed in 0.
0.20
207
7
14   seconds
15   [chaos
[chaos]#
]# nmap
nmap -sF 127.0.0
127.0.0.1
.1
16
17   Starti
Starting
ng Nmap 4.01
4.01 at 2006-0
2006-07-0
7-06
6 17:23 BST
18   Interesti
Interesting
ng ports on chaos
chaos (127.0.0.1
(127.0.0.1):
):
19   (T
(The
he 1668 ports
ports scann
scanned
ed but no
not
t sh
show
own
n be
belo
low
w ar
are
e in state:
state:
20   closed)
21   PORT STATE SERVICE
22   21
21/t
/tcp
cp op
open
en|f
|fil
ilte
tere
red
d ft
ftp
p
23   22
22/t
/tcp
cp op
open
en|f
|fil
ilte
tere
red
d ss
ssh
h
24   631/tc
631/tcpp open|f
open|filt
iltere
ered
d ipp
25   6000/tcp
6000/tcp open|
open|filte
filtered
red X11
X11
26
27   Nm
Nmap
ap finish
finished
ed:
: 1 IP addres
address
s (1 host up) scann
scanned
ed in 1.
1.28
284
4
28   seconds

5 Ping Scan [-sP]

This scan type lists the hosts within the specified range that responded to a ping.
It allows you to detect which computers are online, rather than which ports are
open. Four methods exist within Nmap for ping sweeping.
The first method sends an ICMP ECHO REQUEST (ping request) packet to
the destination system. If an ICMP ECHO REPLY is received, the system is up,
and ICMP packets
packets are not bloc
blocke
ked.
d. If there is no respo
response
nse to the ICMP ping,
Nmap will try a ”TCP Ping”, to determine whether ICMP is blocked, or if the
host is really not online.
A TCP Ping sends either a SYN or an ACK packet to any port (80 is the
default)
defa ult) on the rem
remote
ote syste
system.
m. If RST, or a SYN/A
SYN/ACK,
CK, is return
returned,
ed, then the
remote system is online.
online. If the remote system does not respond, either it is offline,
or the chosen port is filtered, and thus not responding to anything.
When you run an Nmap ping scan as root, the default is to use the ICMP and
ACK methods. Non-root users will use the connect() method, which attempts to
connect to a machine, waiting for a response, and tearing down the connection as
soon as it has been established (similar to the SYN/ACK method for root users,
but this one establishes a full TCP connection!)
The ICMP scan type can be disabled by setting -P0 (that is, zero, not upper-
case o).

7
 

6 UDP Scan [-sU]

Scanning for open UDP ports is done with the -sU option. With this scan type,
Nmap
Nma p sen
sends
ds 0-byt
0-bytee UDP pack
packets
ets to eac
each
h targ
target
et p
port
ort on the victi
victim.
m. Rece
Receipt
ipt of 
an ICMP Port Unreachable message signifies the port is closed, otherwise it is
assumed open.
One major problem with this technique is that, when a firewall blocks out-
going ICMP Port Unreachable messages, the port will appear open. These false-
positives are hard to distinguish from real open ports.
Another disadvantage with UDP scanning is the speed at which it can be
performed. Most operating systems limit the number of ICMP Port Unreachable
messages which can be generated in a certain time period, thus slowing the speed
of a UD
UDPP sc
scan.
an. Nm
Nmap ap adju
adjust
stss it
itss scan
scan spe
speed
ed acco
accordi
rding
ngly
ly to avoi
avoid
d flood
floodin
ingg a
network with useless packets. An interesting point to note here is that Microsoft
do not limit the Port Unreachable error generation frequency, and thus it is easy
to scan a Windows machine’s 65,535 UDP Ports in very little time!!
UDP Scanning is not usually useful for most types of attack, but it can reveal
information about services or trojans which rely on UDP, for example SNMP,
NFS, the Back Orifice trojan backdoor and many other exploitable services.
Most modern services utilise TCP, and thus UDP scanning is not usually
included in a pre-attack information gathering exercise unless a TCP scan or
other sources indicate that it would be worth the time taken to perform a UDP
scan.

7 IP Pr
Prot
otoc
ocol
ol Sc
Scan
anss [-
[-sO
sO]]
The IP Protocol Scans attempt to determine the IP protocols supported on a
target. Nmap sends a raw IP packet without any additional protocol header (see
a good TCP/IP book for information about IP packets), to each protocol on the
target machine. Receipt of an ICMP Protocol Unreachable message tells us the
protocol is not in use, otherw
protocol otherwise
ise it is assu
assumed
med open. Not all hosts send ICMP
Protocol Unreachable
Unreachable messages. These may include firewafirewalls,
lls, AIX, HP-UX and
Digital UNIX). These machines will report all protocols open.
This scan type also falls victim to the ICMP limiting rate described in the
UDP scans section, however since only 256 protocols are possible (8-bit field for
IP protocol in the IP header) it should not take too long.
Results of an -sO on my Linux workstation are included below.

1   [chaos
[chaos]#
]# nmap
nmap -sO 127.0.0
127.0.0.1
.1
2
3   Starti
Starting
ng Nmap 4.01
4.01 at 2006-0
2006-07-1
7-14
4 12:56 BST
4   Interesti
Interesting
ng protocols
protocols on chaos(127.
chaos(127.0.0.1
0.0.1):
):

8
 

5   (T
(The
he 25
251
1 pr
prot
otoc
ocol
ols
s sc
scan
anne
ned
d bu
but
t no
not
t sh
show
own
n be
belo
low
w ar
are
e
6   in state:
state: closed
closed)
)
7   PROTOCOL STATE SERVICE
8   1 open icmp
9   2 open|filtered igmp
10   6 open tcp
11   17 open udp
12   255 open|filtered unknown
13
14   Nm
Nmap
ap finis
finishe
hed:
d: 1 IP addre
address
ss (1 ho
host
st up) scann
scanned
ed in
15   1.259
1.259 seconds
seconds

8 Id
Idle
le Sc
Scan
anni
ning
ng [-
[-sI
sI]]
Idle scanning is an advanced, highly stealthed technique, where no packets are
sent to the target which can be identified to originate from the scanning machine.
A zombie
zombie host (and option
optionall
ally
y port) mu
must
st be speci
specified
fied for this scan type. The
zombie host must satisfy certain criteria essential to the workings of this scan.
This scan type works by exploiting ”predictable IP fragmentation ID” se-
quence generation on the zombie host, to determine open ports on the target.
The scan checks the IPID on the zombie, then spoofs a connection request to the
target
target machi
machine,
ne, maki
making
ng it appea
appearr to come from the zombi
zombie.
e. If the targ
target
et port is
open, a SYN/ACK session acknowledgement will be sent from the target machine
back to the zombie, which will RST the connection since it has no record of hav-
ing opened such
such a conn
connecti
ection.
on. If the port on the target is closed
closed,, an RST wilwilll be
sent to the zombie, and no further packets will be sent. The attacker then checks
the IPID on the zomzombie
bie agai
again.n. If it has incr
incremen
emented
ted by 2 (or chan
changed
ged by twtwoo
steps in its sequence), this corresponds to the packet received from the target,
plus the RST from the zombie, which equates to an open port on the target. If 
the IPID has changed by one step, an RST was received from the target and no
further packets were sent.
Using this mechanism, it is possible to scan every port on a target, whilst
making
mak ing it appear that the zomzombie
bie was the one doidoing
ng the scan
scannin
ning.
g. Of cours
course,e,
the spoofed connection attempts will likely be logged, so the target system will
have the zombie IP address, and the zombie system’s logs are likely to contain
the attacker’s IP address, so it is still possible, after acquiring logs through legal
channels, to determine the attacker, but this method makes it much more difficult
to do so than if the pac
packe
kets
ts were sent direc
directly
tly from the atta
attack
cker.
er. In additi
addition,
on,
some IDS and firewall software makes attempts to detect spoofed packets based
on the net
netwo
work
rk they arriv
arrivee from
from.. As long as the zomb
zombie
ie host and the attac
attackekerr
are both ”out on the Internet”, or on the same network as each other, relative to
the target, techniques to identify spoofed packets are not likely to succeed.

9
 

This sca
This scan
n ty
type
pe req
requi
uires
res cert
certai
ainn thi
thing
ngss of th
thee zom
zombi
bie.
e. Th
Thee IP
IPID
ID seque
sequence
nce
generation
generati on must be predicta
predictable
ble (single-s
(single-step
tep incremen
increments,
ts, for exampl
example).
e). The host
must also have low traffic so that it is unlikely for other packets to hit the zombie
whilst Nmap is carrying out its scan (as these will artificially inflate the IPID
number!). Cheap routers or MS Windows boxes make good zombie hosts. Most
operating systems use randomised sequence numbers (see the OS Fingerprinting
section for details on how to check a target’s sequence generation type).
The idle scan can also be used to determine IP trust based relationships
between hosts (e.g. a firewall may allow a certain host to connect to port x, but
not other hosts).
hosts). Thi
Thiss scan type can help to dete
determi
rmine
ne which hosts hav
havee acce
access
ss
to such a system.
For more informa
information
tion about this scan type, read  http://www.ins
http://www.insecure.org/
ecure.org/
nmap/idlescan.html

9 Ver
ersi
sion
on De
Dete
tect
ctio
ion
n [-
[-sV
sV]]
Version Detection collects information about the specific service running on an
open port,
p ort, includin
includingg the product name and version num
number.
ber. This inform
information
ation can
be cri
critica
ticall in determ
determini
ining
ng an entry
entry point for an attack
attack.. The -sV option enabl
enables
es
version detection, and the -A option enables both OS fingerprinting and version
detection, as well as any other advanced features which may be added in future
releases.
Version detection is based on a complex series of probes, detailed in the Ver-
sion Detection paper at   http://www.insecure.org/nmap/v
http://www.insecure.org/nmap/vscan/ scan/

10 ACK Sc
Sca
an [-
[-sA
sA]]
Usually used to map firewall rulesets and distinguish between stateful and state-
less firewalls, this scan type sends ACK packets to a host. If an RST comes back,
the port
whate
wh verisfire
atev classified
firewa
wall ”unfiltered”
ll was in pl
place). (that
ace). is,hing
If not
nothi it
ngwas
comallowed
comes back,to
es back send
, th
the its RST
e port through
is sai
said
d to be
”filtere
”filtered”.
d”. That is, the firew
firewall
all prev
preven
ented
ted the RST comin
comingg bac
back
k from the port.
This scan type can help determine if a firewall is stateless (just blocks incoming
SYN packets) or stateful (tracks connections and also blocks unsolicited ACK
packets).
Note that an ACK scan will never show ports in the ”open” state, and so it
should be used in conjunction with another scan type to gain more information
about firewalls or packet filters between yourself and the victim.

10
 

11 Windo
indoww Sc
Sca
an, RP
RPC
C Sc
Sca
an, Lis
istt Scan
can [-s
-sW,
W,
-sR, -sL]
The TCP Window scan is similar to the ACK scan but can sometimes detect
open ports as well as filtered
filtered/unfi
/unfilte
ltered
red ports. Thi
Thiss is due to anomal
anomalies
ies in TCP
Window size reporting by some operating systems (see the Nmap manual for a
list, or the nmap-hackers mailing list for the full list of susceptible OS’).
RPC Scans can be used in conjunction with other scan types to try to deter-
mine if an open TCP or UDP port is an RPC service, and if so, which program,
and versi
version
on num
umbers
bers are run
runni
ning
ng on it. De
Deco
coys
ys are not suppo
supportrted
ed with
with RP
RPCC
scans (see section on Timing and Hiding Scans, below).
List scanning simply prints a list of IPs and names (DNS resolution will be
used unless the -n option is passed to Nmap) without actuall
actually
y pinging or scannin
scanningg
the hosts.

12 Ti
Timi
ming
ng an
and
d H
Hid
idin
ing
g S
Sca
cans
ns
12.1
2.1 Timin
iming
g
Nmap adjusts its timings automatically depending on network speed and response
times of the victim. However, you may want more control over the timing in order
to create a more stealthy scan, or to get the scan over and done with quicker.
The main timing
timing option is set through
through the -T para
paramet
meter.
er. Ther
Theree are six pre-
defined timing policies which can be specified by name or number (starting with
0, corresponding to Paranoid timing). The timings are Paranoid, Sneaky, Polite,
Normal, Aggressive and Insane.
A -T Paranoid (or -T0) scan will wait (generally) at least 5 minutes between
each packet sent. This makes it almost impossible for a firewall to detect a port
scan in progress (since the scan takes so long it would most likely be attributed
to random network traffic). Such a scan will still show up in logs, but it will be
so spread out that most analysis tools or humans will miss it completely.
A -T Insane (or -T5) scan will map a host in very little time, provided you
are on a very fast network or don’t mind losing some information along the way.
Timingss for individu
Timing individual
al aspects of a scan can also be set using the –host timeout,
–max rtt timeout, –min rtt timeout, –initial rtt timeout, –max parallelism, –min parallelism,
and –scan delay options. See the Nmap manual for details.

12.2
2.2 Dec
Decoys
The -D option allows you to specify Decoys. This option makes it look like those
decoys
decoys are scanni
scanning
ng the targ
target
et netw
network.
ork. It does not hide you
yourr own IP
IP,, but it
makes your IP one of a torrent of others supposedly scanning the victim at the

11
 

same time. This not only makes the scan look more scary
scary,, but reduces the chance
of you being traced from your scan (difficult to tell which system is the ”real”
source).

12.3
2.3 FTP
FTP Bou
ounc
nce
e
The FTP protocol (RFC 959) specified support for a ”proxy” ftp, which allowed
a conn
connecti
ection
on to an FTP servserver
er to send data to an
anywh
ywhere
ere on the int
interne
ernet.
t. Thi
Thiss
tends not to work with modern ftpds, in which it is an option usually disabled in
the configurat
configuration
ion.. If a ser
serve
verr wit
with
h this feature is used by Nmap, it can be used
to try to connect to ports on your victim, thus determining their state.
This scan method allows for some degree of anonymity, although the FTP
server may log connections and commands sent to it.

12.4
12.4 Turni
urning
ng Off Ping
Ping
The -P0 (that’s
(that’s a zero
zero)) opti
option
on allo
allows
ws you to swi
switc
tchh off ICMP pings
pings.. The -PT
option switches on TCP Pings, you can specify a port after the -PT option to be
the port to use for the TCP ping.
Disabli
Disabling
ng pin
pings
gs has two advadvan
antage
tages:
s: Fir
First,
st, it adds extra stealt
stealth
h if yo
you’r
u’ree
running one of the more stealthy attacks, and secondly it allows Nmap to scan
hosts which don’t reply to pings (ordinarily, Nmap would report those hosts as
being ”down” and not scan them).
In conjunction with -PT, you can use -PS to send SYN packets instead of 
ACK packets for your TCP Ping.
The -PU option (with optional port list after) sends UDP packets for your
”ping”.
”ping”. Thi
Thiss may be best to sensend
d to sus
suspecte
pected-cl
d-closed
osed ports rath
rather
er than open
ones, since open UDP ports tend not to respond to zero-length UDP packets.
Other ping types are -PE (Standard ICMP Echo Request), -PP (ICMP Times-
tamp Request), -PM (Netmask Request) and -PB (defaul(default,
t, uses both ICMP Echo
Request and TCP ping, with ACK packets)

12.5
12.5 Fragmen
ragmentin
ting
g
The -f option splits the IP packet into tiny fragments when used with -sS, -sF,
-sX or -sN. This makes it more difficult for a firewall or packet filter to determine
the packet type. Note that many modern pack packet
et filters and firewa
firewalls
lls (includi
(including
ng
iptables) feature optional defragmenters for such fragmented packets, and will
thus reassemble
reassemble the packet to check its type before sending it on. Less complex
firewalls
firewa lls will not b
bee able to cope with fragmen
fragmented
ted packe
packetsts this small and will most
likely let the OS reassemble them and send them to the port they were intended
to reac
reach.
h. Usi
Using
ng thi
thiss opti
option
on coul
could
d cras
crashh som
somee les
lesss stab
stable
le soft
softwa
ware
re and hardw
hardware
are
since packet sizes get pretty small with this option!

12
 

12.6
12.6 Idle
Idle Scan
Scanni
ning
ng
See the section on -sI for information about idle scans.

13 OS Fing
Finger
erpr
prin
inti
ting
ng
The -O opti
option
on turns on Nmap’s
Nmap’s OS fingefingerpri
rprinti
nting
ng system.
system. Use
Used
d alo
alongsi
ngside
de the
-v verbosity options, you can gain information about the remote operating sys-
tem and about its TCP Sequenmce Number generation (useful for planning Idle
scans).
An article on OS detection is available at   http://www.insecure.org/nmap/
http://www.insecure.org/nmap/
nmap-fingerprinting-article.html

14 Ou
Outp
tput
utti
ting
ng Lo
Logs
gs
Logging
Loggi ng in Nm
Nmapap can be prov
provid
ided
ed by the
the -o
-oN,
N, -oX or -oG
-oG opt
optio
ions.
ns. Eac
Eachh one
is followe
followedd by the name of the logfil
logfile.
e. -oN outpu
outputs
ts a hu
human
man reada
readable
ble log, -oX
outputs an XML log and -oG outputs a grepable log. The -oA option outputs in
all 3 formats, and -oS outputs in a format I’m sure none of you would ever want
to use (try it; you’ll see what I mean!)
The –append-output option appends scan results to the output files you spec-
ified instead of overwriting their contents.

15 Ot
Othe
herr Nm
Nmap
ap Op
Opti
tion
onss
15.1 IPv6
The -6 option enables IPv6 in Nmap (provided your OS has IPv6 support). Cur-
rently
rently only TCP conn
connect,
ect, and TCP connec
connectt pin
pingg scan are suppo
supported
rted.. For other

scantypes, see   http://nmap6.sourceforge.net

http://nmap6.sourceforge.net

15.2
15.2 Verbos
erbose
e Mode
Mode
Highly recommended, -v
Usee -v twi
Us twice
ce for mo
more
re verbosi
verbosity
ty.. Th
Thee opti
option
on -d can also
also be used
used (once or
twice) to generate more verbose output.

15.3
15.3 Resu
Resumi
ming
ng
Scans cancelled with Ctrl+C can be resumed with the –resume ¡logfilename¿
option.
option. The logfil
logfilee mu
must
st b
bee a Norm
Normal
al or Gre
Grepabl
pablee log
logfile
file (-oN or -oG
-oG).
).

13
 

15.4
15.4 Readin
Reading
g Targ
Targets
ets From A File
File
-iL ¡inputfilename¿ reads targets from inputfilename rather than from the command-
line.
The file should contain a hostlist or list of network expressions separated by
spaces,
spaces, tabs or newlin
newlines.
es. Usi
Using
ng a hyphen
hyphen as inp
inputfil
utfilee mak
makes
es Nmap read fro
from
m
standard input.

15.5
15.5 Fast
ast Scan
Scan
The -F option scans only those ports listed in the nmap services file (or the
protocols file if the scan type is -sO). This is far faster than scanning all 65,535
ports!!

15.6
15.6 Time-T
Time-To-L
o-Liv
ive
e
The -ttl ¡value¿ option sets the IPv4 packets time-to-live. The usefulness of this is
in mapping paths through networks and determining ACL’s on firewalls (setting
the ttl to one past the packet filter can help to determine information about the
filtering rules themselves). Repeated Nmap scans to a single port using differing
ttl values will emulate a traceroute style network path map (Try it, its great
fun for a while, until you get bored and realise traceroute does it all for you
automatically!).

16 Typ
ypic
ical
al Scan
Scanni
ning
ng Se
Sess
ssio
ion
n
First, we’ll sweep the network with a simple Ping scan to determine which hosts
are online.

1   [chaos]#
[chaos]# nmap
nmap -sP 10.0.0
10.0.0.0/2
.0/24
4
2
3   Starti
Starting
ng Nmap
Nmap 4.01
4.01 ( http:/
http://ww
/www.i
w.inse
nsecur
cure.o
e.org/
rg/nma
nmap/
p/ ) at
4   2006-07-1
2006-07-14
4 14:19 BST
5   Ho
Host
st 10.0.
10.0.0.
0.1
1 ap
appe
pear
ars
s to be up
up.
.
6   MAC Address:
Address: 00:09:5B:
00:09:5B:29:FD
29:FD:96
:96 (Netgear)
(Netgear)
7   Ho
Host
st 10.0.
10.0.0.
0.2
2 ap
appe
pear
ars
s to be up
up.
.
8   MAC Address:
Address: 00:0F:B5:
00:0F:B5:96:38
96:38:5D
:5D (Netgear)
(Netgear)
9   Ho
Host
st 10.0.
10.0.0.
0.4
4 ap
appe
pear
ars
s to be up
up.
.
10   Ho
Host
st 10.0.
10.0.0.
0.5
5 ap
appe
pear
ars
s to be up
up.
.
11   MAC Address:
Address: 00:14:2A:B1:
00:14:2A:B1:1E:2E
1E:2E (Elitegro
(Elitegroup
up Computer
Computer System
System Co.)
12   Nm
Nmap
ap fi
fini
nish
shed
ed:
: 25
256
6 IP ad
addr
dres
esse
ses
s (4 ho
host
sts
s up
up)
) sc
scan
anne
ned
d in 5.
5.39
399
9 se
seco
cond
nds
s

14
 

Now we’re going to take a look at 10.0.0.1 and 10.0.0.2, both listed as Netgear
in the ping sweep.
sweep. Thes
Thesee IPs are good criter
criteria
ia for router
routerss (in fact I kno
know
w that
10.0.0.1 is a router and 10.0.0.2 is a wireless access point, since it’s my network,
but lets see what Nmap makes of it...)
We’ll scan 10.0.0.1 using a SYN scan [-sS] and -A to enable OS fingerprinting
and version detection.

1   [chaos
[chaos]#
]# nmap
nmap -sS -A 10.0.0.
10.0.0.1
1
2
3   Starti
Startingng Nmap
Nmap 4.01
4.01 ( http:/
http://ww
/www.i
w.inse
nsecur
cure.o
e.org/
rg/nma
nmap/
p/ ) at
4   2006-07-1
2006-07-144 14:23 BST
5   Insuffici
Insufficient
ent responses
responses for TCP sequencin
sequencing
g (0),
6   OS detect
detection
ion may be less
less accura
accurate
te
7   Interesti
Interestingng ports
ports on 10.0.0.1:
10.0.0.1:
8   (T
(The
he 1671 ports
ports scann
scanned
ed but no
not
t sh
show
own
n be
belo
low
w ar
are
e in state:
state:
9   closed)
10   PORT STATE SERVICE VERSION
11   80/tcp
80/tcp open
open tcpwra
tcpwrappe
ppedd
12   MAC Address:
Address: 00:09:5B:
00:09:5B:29:FD
29:FD:96
:96 (Netgear)
(Netgear)
13   Device
Device type:
type: WAP
WAP
14   Running:
Running: Compaq
Compaq embedded,
embedded, Netgear
Netgear embedded
embedded
15   OS details
details:
: WAP:
WAP: Compaq
Compaq iPAQ
iPAQ Connec
Connectio
tion
n Point
Point or
16   Netgear
Netgear MR814
MR814
17
18   Nm
Nmap
ap finis
finishe
hed:
d: 1 IP addre
address
ss (1 ho
host
st up) scann
scanned
ed in
19   3.533
3.533 seconds
seconds

The only open port is 80/tcp - in this case, the web admin interface for the
router. OS fingerprin
fingerprinting
ting guessed it was a Netgear Wireless Access Point
Point - in fact
this is a Netgear (wired) ADSL router. As it said, though, there were insufficient
responses for TCP sequencing to accurately detect the OS.
Now we’ll do the same for 10.0.0.2...

1   [chaos
[chaos]#
]# nmap
nmap -sS -A 10.0.0.
10.0.0.2
2
2
3   Starting
Starting Nmap 4.01 ( http://www.i
http://www.insec
nsecure.o
ure.org/nm
rg/nmap/
ap/ )
4   at 2006-0
2006-07-1
7-14
4 14:26
14:26 BST
5   Interesti
Interesting
ng ports
ports on 10.0.0.2:
10.0.0.2:
6   (T
(The
he 1671 ports
ports scann
scanned
ed but no
not
t sh
show
own
n be
belo
low
w ar
are
e in state:
state:
7   closed)
8   PORT
PORT STAT
STATE
E SERV
SERVIC
ICE
E VERS
VERSIO
ION
N
9   80/tcp open http Boa HTTPd 0.94.11
10   MAC Address:
Address: 00:0F:B5:
00:0F:B5:96:38
96:38:5D
:5D (Netgear)
(Netgear)

15
 

11   Device
Device type:
type: general
general purpos
purpose
e
12   Running:
Running: Linux
Linux 2.4.X
2.4.X|2.5.
|2.5.X
X
13   OS detail
details:
s: Linux
Linux 2.4.0
2.4.0 - 2.5.20
2.5.20
14   Uptime
Uptime 14.141
14.141 days
days (since
(since Fri Jun 30 11:03:
11:03:05
05 2006)
2006)
15
16   Nm
Nmap
ap finish
finished
ed:
: 1 IP addres
address
s (1 host up) scann
scanned
ed in 9.
9.63
636
6
17   seconds

Interestingly, the OS detection here listed Linux, and the version detection
wass able
wa able to det
detect
ect the httpd
httpd run
runni
ning.
ng. Th
Thee acc
accura
uracy
cy of th
this
is is unce
uncerta
rtain
in,, thi
thiss
is a Netgear home wireless access point, so it could be running some embedded
Linux!
Now we’ll move on to 10.0.0.4 and 10.0.0.5, these are likely to be normal
computers running on the network...

1   [c
[cha
haos
os]#
]# nmap
nmap -s
-sS
S -P
-P0
0 -A -v 10
10.0
.0.0
.0.4
.4
2
3   Starti
Startingng Nmap
Nmap 4.01
4.01 ( http:/
http://ww
/www.i
w.inse
nsecur
cure.o
e.org/
rg/nma
nmap/
p/ ) at
4   2006-07-1
2006-07-144 14:31 BST
5   DN
DNSS re
reso
solu
luti
tion
on of 1 IP
IPss to
took
ok 0.10s
0.10s.
. Mo
Mode
de::
6   Asyn
sync [#:
[#: 2, OK:
OK: 0, NX:
NX: 1, DR:
DR: 0,
0, SF:
SF: 0, TR: 1, CN:
CN: 0]
7   Initia
Initiatin
tingg SYN Stealth
Stealth Scan against
against 10.0.0
10.0.0.4
.4 [1672
[1672 ports]
ports] at 14:31
14:31
8   Discov
Discovere
eredd open
open port
port 21/tcp
21/tcp on 10.0.0.4
10.0.0.4
9   Discov
Discovere
eredd open
open port
port 22/tcp
22/tcp on 10.0.0.4
10.0.0.4
10   Discov
Discovere
eredd open
open port
port 631/tc
631/tcpp on 10.0.0.
10.0.0.4
4
11   Discov
Discovere
eredd open
open port
port 6000/t
6000/tcp
cp on 10.0.0
10.0.0.4
.4
12   Th
Thee SY
SYN
N St
Stea
ealt
lthh Sc
Scan
an took 0.16s
0.16s to sc
scan
an 1672 total
total ports.
ports.
13   Initia
Initiatin
tingg servic
servicee scan
scan agains
against
t 4 servic
services
es on 10.0.0
10.0.0.4
.4 at 14:31
14:31
14   Th
Thee se
serv
rvic
ice
e sc
scan
an took
took 6.
6.01
01s
s to scan
scan 4 se
serv
rvic
ices
es on 1 ho
host
st.
.
15   Fo
Forr OS
OSSc
Scan
an assum
assumin
ing
g po
port
rt 21 is open,
open, 1 is close
closed,
d, and ne
neit
ithe
her
r ar
are
e
16   firewalled
17   Ho
Host
st 10.0.
10.0.0.
0.4
4 ap
appe
pear
ars
s to be up ... good.
good.
18   Interesti
Interesting ng ports
ports on 10.0.0.4:
10.0.0.4:
19   (T
(The
he 16
1668
68 po
port
rtss sc
scan
anne
nedd bu
but
t no
not
t sh
show
own
n be
belo
low
w ar
are
e in st
stat
ate:
e: cl
clos
osed
ed)
)
20   PORT STATE SERVICE VERSION
21   21
2 1/tcp open ftp vsftpd 2.0.3
22   22/tcp open ssh OpenSSH 4.2 (protocol 1.99)
23   631/tcp open ipp CUPS 1.1
24   6000/tcp open X11 (access denied)
25   Device
Device type:
type: general
general purpos
purpose
e
26   Running:
Running: Linux
Linux 2.4.X|2.5.
2.4.X|2.5.X|2.6
X|2.6.X
.X
27   OS detail
details:
s: Linux
Linux 2.
2.4.
4.00 - 2.
2.5.
5.20
20,
, Li
Linu
nux
x 2.
2.5.
5.25
25 - 2.
2.6.
6.8
8 or
28   Gentoo
Gentoo 1.2 Linux
Linux 2.4.19
2.4.19 rc1-rc
rc1-rc7
7

16
 

29   TCP Sequence
Sequence Prediction:
Prediction: Class=rand
Class=random
om positive
positive incremen
increments
ts
30   Difficulty
Difficulty=4732
=4732564
564 (Good
(Good luck!)
luck!)
31   IPID
IPID Sequen
Sequence
ce Generat
Generation
ion:
: All zeros
zeros
32   Servic
Service
e Info:
Info: OS:
OS: Unix
Unix
33
34   Nm
Nmap
ap fi
fini
nish
shed
ed:
: 1 IP ad
addr
dres
ess
s (1 ho
host
st up
up)
) sc
scan
anne
ned
d in 8.
8.33
333
3 se
seco
cond
nds
s
35   Raw packet
packets
s sent:
sent: 1687
1687 (74.7K
(74.7KB)
B) | Rcvd:
Rcvd: 3382
3382 (143KB
(143KB)
)

From this, we can deduce that 10.0.0.4 is a Linux system (in fact, the one I’m
typing
typing this tutorial on!) running a 2.4 to 2.6 kernel (Actuall
(Actually
y, Slackwa
Slackware
re Linux
10.2 on a 2.6.19.9 kernel) with open ports 21/tcp, 22/tcp, 631/tcp and 6000/tcp.
All but 6000 have version information listed. The scan found the IPID sequence
to be all zeros, which makes it useless for idle scanning, and the TCP Sequence
prediction as random positive integers. The -v option is needed to get Nmap to
print the IPID information out!
Now, onto 10.0.0.5...

1   [c
[cha
haos
os]#
]# nmap
nmap -s
-sS
S -P
-P0
0 -A -v 10
10.0
.0.0
.0.5
.5
2
3   Starting
Starting Nmap 4.01 ( http://www.i
http://www.insec
nsecure.o
ure.org/nm
rg/nmap/
ap/ )
4   at 2006-0
2006-07-1
7-14
4 14:35
14:35 BST
5   Initia
Initiatin
ting
g ARP Ping
Ping Scan
Scan agains
against
t 10.0.0
10.0.0.5
.5 [1 port]
port] at 14:35
14:35
6   Th
The
e AR
ARP
P Pi
Ping
ng Scan
Scan to
took
ok 0.01s
0.01s to scan 1 to
tota
tal
l ho
host
sts.
s.
7   DN
DNS
S re
reso
solu
luti
tion
on of 1 IP
IPs
s to
took
ok 0.02s
0.02s.
. Mo
Mode
de:
: As
Asyn
ync
c
8   [#: 2, OK:
OK: 0, NX:
NX: 1, DR: 0, SF: 0, TR:
TR: 1, CN:
CN: 0]
9   Initia
Initiatin
ting
g SYN Stealth
Stealth Scan against
against 10.0.0
10.0.0.5
.5 [1672
[1672 ports]
ports] at 14:35
14:35
10   Th
The
e SY
SYN
N St
Stea
ealt
lth
h Sc
Scan
an took 35.72
35.72s
s to scan 1672
1672 to
tota
tal
l po
port
rts.
s.
11   Wa
Warn
rnin
ing:
g: OS detec
detecti
tion
on will
will be MUCH
MUCH le
less
ss relia
reliabl
ble
e be
beca
caus
use
e we did
12   not
not find
find at leas
least
t 1 open
open and
and 1 clos
closed
ed TCP
TCP port
port
13   Ho
Host
st 10.0.
10.0.0.
0.5
5 ap
appe
pear
ars
s to be up ... good.
good.
14   All 1672
1672 scanne
scanned
d ports
ports on 10.0.0
10.0.0.5
.5 are: filtere
filtered
d
15   MAC Address:
Address: 00:14:2A:B1:
00:14:2A:B1:1E:2E
1E:2E (Elitegro
(Elitegroup
up Computer
Computer System
System Co.)
16   Too many fingerp
fingerprin
rints
ts match this host to give
give specif
specific
ic OS detail
details
s
17   TCP/IP fingerprint:
18   SInfo(V=4.01%P=i686-pc-linux-gnu%D=7/14%Tm=44B79DC6%O=-1%C=-1%M=00142A)
19   T5(Resp=N)
20   T6(Resp=N)
21   T7(Resp=N)
22   PU(Resp=N)
23
24   Nm
Nmap
ap fi
fini
nish
shed
ed:
: 1 IP ad
addr
dres
ess
s (1 ho
host
st up
up)
) sc
scan
anne
ned
d in 43
43.8
.855
55 se
seco
cond
nds
s
25   Ra
Raw
w pa
pack
cket
ets
s se
sent
nt:
: 33
3369
69 (1
(150
50KB
KB)
) | Rc
Rcvd
vd:
: 1 (4
(42B
2B)
)

17
 

No open ports, and Nmap couldn’t detect the OS. This suggests that it is
a firewalled or otherwise protected system, with no services running (and yet it
responded to ping sweeps).
We now have rather more information about this network than we did when
we started,
started, and can guess at sev
several
eral other thin
things
gs based on thes
thesee resu
results
lts.. Usi
Using
ng
that information,
information, and the more advanced Nmap scans, we can obtain further scan
results which will help to plan an attack, or to fix weaknesses, in this network.

17 Frequen
requently
tly Ask
Asked
ed Que
Questi
stions
ons
This section was added as an extra to the original tutorial as it became popular
and some questions were asked about particular aspects of an nmap scan. I’ll use
this part of the tutorial to merge some of those into the main tutorial itself.

17.1 I tried a scan and it appea

peared in firewall logs or
alerts. What else can I do to help hide my scan?
This question assumes you used a scan command along the lines of:

1   nm
nmap
ap -sS -P
-P0
0 -p 1-140
1-140 -O -D xxx.xx
xxx.xxx.
x.xx
xxx.
x.xx
xxx,
x,
2   xxx.xxx.x
xxx.xxx.xxx.xx
xx.xxx,
x, xxx.xxx.xx
xxx.xxx.xxx.xxx
x.xxx -sV xxx.xx.xxx
xxx.xx.xxx.xxx
.xxx

Note: Each xxx corresponds to an octet of the IP address/addresses. This is

instructing NMAP to run a Stealth scan (-sS) without pinging (-P0) on ports 1
to 140 (-p 1-140), to use OS Detection (-O) and to use Decoys (-D). The three
comma-s
comm a-separ
eparated
ated IPs are the deco
decoyy IPs to use
use.. It also specifie
specifiess to use ve
versi
rsion
on
scanning (-sV) which attempts to determine precisely which program is running
on a port.
Now, heres the analysis of this command: A stealth scan (-sS) is often picked
up by mosmostt firew
firewall
allss and IDS sys
systems
tems now
nowdadays.
ys. It was origin
originall
ally
y desi
designed
gned to
prevent logging of a scan in the logs for whatever server is running on the port
the scanner
scanner connec
connectsts to. In other wor
words,
ds, if the scan connec
connects
ts to port 80 to test
if its open, Apache (or whatever other webserver they may be using) will log the
connection in its logfiles.
The -sS scan option doesn’t make a full TCP connect (which can be achieved
with the -sT option, or by not running as root) but resets the connection before
it can be fully established. As such, most servers will not log the connection, but
an IDS or firewall will recognise this behaviour (in repeated cases) as typical of 
a port
p ort scan. Thi
Thiss will mean that the scan show
showss up in firew
firewall
all or IDS logs and
alerts. There are few ways around this, to be honest. Most firewall/IDS software
nowdays is quite good at detecting these things; particularly if its running on the
same host as the victim (the system you are scanning).

18
 

Note also, that decoys will not prevent your IP showing entirely; it just lists
the others as we
well.
ll. A part
particu
icularl
larly
y we
well
ll design
designed
ed IDS ma
may y ev
even
en b
bee able to figu
figure
re
out which is the real source of the scans.
Where
Whe re speed of scan
scan isn’
isn’tt essen
essenti
tial
al,, the -P0 opti
option
on is a good idea
idea.. Nm
Nmap
ap
gains timing information from pinging the host, and can often complete its scans
faster with this information, but the ping packets will be sent to the victim from
your IP, and any IDS worth its CPU cycles will pick up on the pattern of a
few pings followed by connects to a variety of ports. -P0 also allows scanning of 
hosts which do not respond to pings (i.e. if ICMP is blocked by a firewall or by
in-kernel settings).
I mentioned timing
timing in the abov
abovee paragraph. You can use the -T timing option
to slow the scan down. The slower a scan is, the less likely it is to be detected by
an IDS. There are bound to be ooccasiona
ccasionall random connects occurring, people type
an IP in wrong or try to connect and their computer crashes half way through
the connect.
connect. Thes
Thesee thi
things
ngs happen, and unlesunlesss an IDS is configur
configured
ed extrem
extremely
ely
strictly, they generally aren’t reported (at least, not in the main alert logs, they
may be logged if logging of all traffic is enabled, but typically these kind of logs

are
-T 0only checked
or -T if theres
1 (Paranoid or evidence of something
Sneaky) should goingdetection.
help avoid on). Setting the timing to
As mentioned in
my main tutorial, you can also set timing options for each aspect of a scan,

Timings for individual aspects of a scan can also be set using the –
host timeout, –max rtt timeout, –min rtt timeout, –initial rtt timeout,
–max parallelism, –min parallelism, and –scan delay options. See the
Nmap manual for details.

The final note I will add to this answer is that use of the Idle scan method
(-sI) means that not a single packet is sent to the victim from your IP (provided
you also use the -P0 option to turn off pings). This is the ultimate in stealth as
there is absolutely no way the victim can determine that your IP is responsible
for the scan (short of obtaining log information from the host you used as part
of your idle scan).

17.2
17.2 NMAP
NMAP seems
seems to have
have stop
stopped,
ped, or my
my scan
scan is taki
taking
ng
a very long while. Why is this?
The timing options can make it take a very long time. I believe the -T Paranoid
( -T 0 )opt
)option
ion wai
waits
ts up to 5 min
minutes
utes betw
between
een pack
packets.
ets...
.. no
now,
w, for 6500
650000 ports
ports,,
thats 65000 x 5 = 325000 minutes = 225 days!!
-T Sneaky ( -T 1 ) waits up to 15 seconds between scans, and is therefore
more useful;
useful; but scans will sti
still
ll tak
takee a long while
while!! You can use -v to get more
verbose output, which
which will alert you as to the progress of the scan. Using -v twice
makes the output even more verbose.

19
 

17.3
17.3 Will
Will -sN
-sN -sX and -s
-sF
F wo
work
rk agai
agains
nstt any
any host,
host, or just
just
Windows hosts?
-sN -sX and -sF scans will work against any host, but Windows computers do
not respond correctly to them, so scanning a Windows machine with these scans
results in all ports appearing closed. Scanning a *nix or other system should work
 just fine, though. As I said in the main tutorial, -sX -sF and -sN are commonly
used to determine if you’re scanning a Windows host or not, without using the
-O fingerprinting option.
The Nmap manual page should help to determine which scans work alongside
which options, and on which target systems they are most effective.

17.4
17.4 How
How do I find a dum
dumm
my hos
hostt for the
the Idle
Idle Scan
Scan (-sI)
(-sI)?
?
You simply have to scan for hosts using sequential IPID sequences, these are
(often) suitable for use as a dummy host for the -sI Idle Scan.

17.5
17.5 What
What does
doeour
blocking s ”Hos
”Hostt seem
ping seemss down
probes,dotry
wn..-P0”
If itmean?
is
is reall
really
y up, but
but
When Nmap starts, it tries to ping the host to check that it is online. Nmap also
gains
gains timin
timingg inf
inform
ormatio
ation
n from this pin
ping.
g. If the remo
remote
te host, or a sys
system
tem on the
path between you and the remote host, is blocking pings, this ping will not be
replied to, and Nmap will not start scanning. Using the -P0 option, you can turn
off ping-on-start and have Nmap try to scan anyway.

17.6
17.6 Wher
Where
e can
can I find
find Nmap
NmapFE
FE?
?
NmapFE is a graphical front-end for Nmap.
NmapFE for UNIX/Linux is included in the Nmap source. NmapFE for OSX
is available at   http://faktory.org/m/software/
http://faktory.org/m/software/nmap/ nmap/  NmapFE for Windows
is under development as part of NmapFE++, a new frontend for Linux, OSX
and Window
Windows. s. InfInforma
ormation
tion is av
avail
ailabl
ablee at  http://www.insecure.org/nmap/
SoC/NmapFE.html

18 Abou
boutt Th
This
is Docum
Documen
entt
This document is copy right  
copyright c 2003-2006, Andrew J. Bennieston. This document
is provided in several formats, including LaTeX source, and it may be freely
redistri
redistribut
buted
ed in any form, provi
providin
dingg no chang
changes
es are made to the cont
content
ent.. The
latest version can always be found at   http://www.nmap-tutorial.com
http://www.nmap-tutorial.com

20