HakTip 97 – NMap 101: Advanced Scanning Techniques

Shannon Morse shows off several advanced scanning techniques you can use while working within NMap.


We already know there are numerous ways to scan a target in NMap, from the discovery options we learned last week to the default scanning we’ve used since the beginning. There are other options I wanted to cover for user-selectable scan types, instead of the basic TCP scan NMap usually does. These advanced options are good to know if you’re scanning an uncommon target or you need to use a specific service. Similar to last week, sudo is required for a lot of these options.

The first option we have is -sS. This performs a TCP SYN scan. This option will send a SYN packet (short for synchronize) to the target and wait for a response. Some servers won’t be able to detect a SYN probe, but don’t count on it. This command looks like: nmap -sS [target]. If required, use sudo to gain root privileges.

Next is the -sT option, to perform a TCP connect scan. This is the default for non-root users (so you’re probably already running this kind of scan). It will attempt to connect to the target without any stealthy modes. To do this one, type: nmap -sT [target]. You’ll notice when running this that our first option, -sS for SYN packets, is sometimes much faster.

Another option is -sU, for scanning with UDP (user datagram protocol). Type: sudo nmap -sU [target] for this one.

There is also the TCP NULL scan, with the -sN option. TCP NULL is used to trick a target into thinking nothing is probing it with TCP, so it still generates a response. Before we take a break, the last option I wanted to share is -sF, for a TCP FIN scan. This is used to solicit a TCP ACK (for acknowledge) packet from a target. It can also be used on a target protected by a firewall.

Let’s take a quick break, but we’ll be right back.

We’re back with some more advanced scanning options, and we have just a few more to share. First off is the -sX option, which looks like this: sudo nmap -sX [target]. It’ll “light up the packet like a Christmas tree”, hence the name. Nmap sends packets with URG (urgent), FIN (closes a connection), and PSH (push) active. Next we have a fun one called --scanflags. This will let you run a custom scan with your own choice of flags. You can use SYN, ACK, PSH, URG, RST (for reset), and FIN. It would look like this: nmap --scanflags ACKPSH [target]

TCP ACK scans are simply used by adding -sA to your command (and this is useful to find out if the target is protected by a firewall). If you see a line in your output that says [number] filtered ports, chances are those ports are protected by a firewall.
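As an added example (not from the episode or from the Nmap project), here is a small Python script that decodes a --scanflags string into the TCP flag byte, labels a probe packet by which of the scan types described above it matches, and reports a source that sends the same unusual probe to several ports, which is the pattern a defender would alert on. The packet records, IP addresses and scan labels are constructed for the example.

```python
# Added example: decode --scanflags strings and classify probe packets by TCP flags.
from collections import defaultdict

# The six flag bits named in the episode, at their positions in the TCP flag byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag byte each scan type from the episode puts on its probe (labels are ours).
SCAN_PROBES = {0x02: "SYN/connect (-sS/-sT)", 0x00: "NULL (-sN)", 0x01: "FIN (-sF)",
               0x29: "Xmas (-sX)", 0x10: "ACK (-sA)"}

def parse_scanflags(spec: str) -> int:
    """Convert a --scanflags argument such as 'ACKPSH' or 'URG,FIN' to a flag byte.
    Nmap also accepts a plain number; that form is passed through here too."""
    spec = spec.strip()
    if spec.isdigit() or spec.lower().startswith("0x"):
        return int(spec, 0) & 0x3F
    rest, value = spec.upper().replace(",", ""), 0
    while rest:
        for name, bit in TCP_FLAGS.items():
            if rest.startswith(name):
                value, rest = value | bit, rest[len(name):]
                break
        else:
            raise ValueError(f"unknown TCP flag in {spec!r}")
    return value

def flag_names(flags: int) -> list[str]:
    return [n for n, b in TCP_FLAGS.items() if flags & b]

def classify_probe(flags: int) -> str:
    """Name the scan type a single probe packet looks like."""
    return SCAN_PROBES.get(flags & 0x3F, "custom (--scanflags %s)" % "".join(flag_names(flags)))

def find_scanners(packets, min_ports=3):
    """packets: (src, dst_port, flag_byte). Report sources that hit at least
    min_ports distinct ports with the same probe pattern; that fan-out, not one
    odd packet, is what separates a port scan from ordinary traffic."""
    seen = defaultdict(set)
    for src, port, flags in packets:
        seen[(src, classify_probe(flags))].add(port)
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= min_ports}

# Constructed sample traffic (not a real capture): one Xmas-scanning host, one normal client.
SAMPLE = [("10.0.0.5", p, 0x29) for p in (22, 80, 443, 8080)] + \
         [("10.0.0.9", 443, 0x02), ("10.0.0.9", 443, 0x10)]

if __name__ == "__main__":
    for key, count in find_scanners(SAMPLE).items():
        print(key, count)
```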

Unsure which scan to use? Start with an IP protocol scan, to show you what protocols are available on the target. Type nmap -sO [target] and your target will show the protocol, state, and service it’s running. Remember that handy table we linked to last week that shows all the popular protocols and their most common associated numbers.

There is a way to send raw ethernet packets too, if you’re interested. These are sent with nmap --send-eth, which is naturally implied. Lastly, you can also send raw IP packets with nmap --send-ip, which is also automatically implied, so it’s rare you’d actually have to write it out.

What would you like to see next about NMAP? Send me a comment below or email us at [email protected] If you like NMap, perhaps you’ll enjoy our new show, Metasploit Minute with Mubix, airing every Monday at hak5.wpengine.com. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.


  • Ben

    Hey Shannon,

    Thanks a lot for your nmap videos. However, I wanted to add that if you forgot to add sudo, you don’t have to retype the whole command. Entering sudo !! will simply add sudo to the last command you typed.

    Cheers, Ben

  • Moe

    I’m looking to scan a WiFi network that has Cisco’s client-side isolation, but nmap isn’t giving me any results and I’m not sure what to do. I can see the server and the SonicWall (firewall) but nothing else. There are about 180 people connected, but it’s all isolated, and I’m looking to see all their info if possible through nmap or something similar.

    Thanks, Moe.

