NMAP

3 years ago



TL;DR: It's a tool used for portscanning and this post will explore some of the common and useful flags that can be used while scanning to pick up useful information about targets.

What Is NMAP?

Nmap, or Network Mapper, is an open source tool for network discovery and security analysis. It is used by many people in different job roles, from system administrators to penetration testers to developers and everyone in between. The primary uses are network discovery and analysis.

Nmap uses raw IP packets to determine what hosts are available on a network; it can also be used to identify what services (application name and version) are running, operating system versions, what filters/firewalls are in use, and dozens of other characteristics.

Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. Typically nmap is used on the command line by calling nmap; however, there is also a GUI available in the form of Zenmap.

In addition to the core tooling, the nmap suite also includes a netcat-like tool on steroids (Ncat), a scan results comparison tool (Ndiff), and a packet generation and response analysis tool (Nping).

Port Scanning?

Port scanning is the act of systematically scanning a computer's ports/services. Since a port is a place where information goes in and out of a computer, port scanning identifies openings into a computer. Port scanning has legitimate uses in managing networks, system administration and other network-based tasks. However, it can also be malicious in nature if someone is looking for a weakened access point to break into a system.

Typically it is one of the first techniques used to identify weaknesses or footholds into a network. One thing to note, though, is that port scanning falls under active recon: it sends traffic to the target, as opposed to passive reconnaissance using things like OSINT.

Port States

Before we dive into the different flags, it is worth understanding that when scanning, a port can have one of three states, and the reason a given state is returned depends on the scan type. The main three are open, closed and filtered.

Nmap reports other state combinations such as open|filtered and closed|filtered when it cannot determine which of the two states describe a port.

Some Common Commands

Nmap is one of the most used tools when carrying out infrastructure engagements. As such there are many different flags and command combinations that can be used to identify weaknesses and interesting information about hosts. The following sets of commands can be used to scan different types of hosts; each flag is explained and has been tuned for maximum performance.

Basic Scanning Options

There are three fairly common scan types used in nmap: TCP connect scans, SYN scans and UDP scans. The probe responses each one sees, and the port state nmap assigns to each response, are shown below:

TCP SYN scan (-sS) responses (TCP connect scans, -sT, report the same states):

Probe Response                                     Assigned State
TCP SYN/ACK response                               open
TCP RST response                                   closed
No response received or ICMP unreachable errors    filtered

UDP scan (-sU) responses:

Probe Response                                                    Assigned State
Any UDP response from target port                                 open
No response received after retransmission                         open|filtered
ICMP port unreachable error (type 3, code 3)                      closed
Other ICMP unreachable errors (type 3, code 1, 2, 9, 10, or 13)   filtered

Probing (-P<x>)

There are many different options when it comes to probing a service; here are some of the specifics.

Default Timing Options (-Tx)

Sometimes when tuning a scan you might want to have certain options set to speed up or slow down scanning depending on if you want to be noisy or stealthy!

In addition to these options you can fine tune a scan even further with the particular settings below. Most people use these options to speed nmap up, but they can also be useful for slowing nmap down, often to evade IDS systems, reduce network load, or even improve accuracy if network conditions are so bad that even nmap's conservative default is too aggressive. These flags are detailed in the following table:

Function                                                                    Flags
Size of the group of hosts to be scanned concurrently                       --min-hostgroup, --max-hostgroup
Number of scanning probes to be launched in parallel                        --min-parallelism, --max-parallelism
Timeout values for probes                                                   --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout
Maximum number of probe retransmissions allowed                             --max-retries
Maximum time before giving up on an entire host                             --host-timeout
Control the delay inserted between each probe against an individual host    --scan-delay, --max-scan-delay
Rate of probe packets sent per second                                       --min-rate, --max-rate
Defeat RST packet response rate by target hosts                             --defeat-rst-ratelimit


Viewing the output in realtime can be useful however parsing the information afterwards and feeding it into other tools is 10x more useful. Enter the different output options from nmap, saving to a file of one sort or another.

There are a few output formats, but the main ones are XML, grepable (gnmap) and normal (nmap), with the flags -oX, -oG and -oN respectively. There is also an easter egg output in 1337 speak, which is -oS.

Another useful output option is to view stats on the running scan. An example would be nmap --stats-every 25s, which shows the statistical information every 25 seconds during a scan. You can use s for seconds, m for minutes, or h for hours. This can be done to reduce the amount of info filling up a screen.
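Since XML output is the format other tools consume most easily, here is a small parser for nmap's -oX format as an added example (not code from the original post): it walks the host/ports/port elements nmap emits and keeps only the port states you ask for. The sample document is constructed and trimmed to the elements used.

```python
# Added example (not from the post): parse nmap -oX output into rows that
# other tools can consume. SAMPLE_XML is a constructed, trimmed -oX document
# (real output has more attributes; the elements used here are nmap's own).
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sSV --reason -oX out.xml 10.0.0.5">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text, states=("open",)):
    """Rows (addr, proto, port, state, reason, service) for ports whose state is
    in `states`; service drops missing parts, so -sS and -sSV output both parse."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        # Pick the IP address; nmap also emits a MAC <address> on local LANs.
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") not in states:
                continue
            svc = port.find("service")
            parts = [] if svc is None else [
                svc.get(k) for k in ("name", "product", "version") if svc.get(k)]
            rows.append((addr, port.get("protocol"), int(port.get("portid")),
                         state.get("state"), state.get("reason"), " ".join(parts)))
    return rows

if __name__ == "__main__":
    for row in parse_nmap_xml(SAMPLE_XML):  # prints the two open ports
        print(*row, sep="\t")
```

Pass states=("open", "filtered") to also keep ports a firewall is hiding, which is usually what you want when comparing scans taken from different vantage points.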

Scanning a single host for top 1000 open ports

nmap -sT <host> --top-ports 1000 -oA TCP-Top-1k

This command essentially does the following:


if you're interested.

Some Options I Use

nmap -sSV -p- --min-parallelism 64 --min-hostgroup 16 --max-hostgroup 64 --max-retries 3 -Pn -n -iL input_hosts.txt -oA output --version-all --reason

The different flags in this command do the following:

Probing a specific service for more information and looking for known issues:

sudo nmap -sSV --version-all -p 11211 --min-parallelism 64 --script=vuln -Pn -n <host>

The addition of --script=vuln and a specific port tells nmap to only probe port 11211 and report any vulnerable services it knows about running on that port. Additionally, -sC can be used to scan a target and probe with the default set of scripts. More information on the scripting engine can be found below.

One final one-liner I use a lot expands a subnet into its individual host addresses, something like:

nmap -sL -n <range> | grep report | cut -d " " -f 5 >> ips.txt

This will simply print all of the hosts in the range given as individual IP addresses (-sL only lists targets and sends no probes, and -n skips reverse DNS), which is very useful when you don't have a subnet calculator on hand or want unique IPs to feed into other tools!

Going Further

So going beyond normal scans, nmap does a lot more. It is capable of scanning IPv6 networks, has an inbuilt vulnerability scanning engine and can even be tuned to evade filtering. The next few subsections explain the different flags and features that can be leveraged to do these things.

Scanning IPv6

I've covered scanning IPv6 before in my post about pwning IPv6 things, which you can read here. However, as a quick introduction, the -6 or --ipv6 flag will instruct nmap that you're scanning an IPv6 address. Typically using something like:

sudo nmap -6 -sSV -p- -iL targets.txt -oA example_IPv6 --version-all --max-retries 3 -T4 -Pn -n --reason -vvv

will work without any problems; the breakdown of this command is as follows:

Of course, you must use IPv6 syntax if you specify an address rather than a hostname. An address might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are recommended.

NSE - Nmap Scripting Engine

Most people reading this will have heard of the Metasploit Framework (MSF); however, a few may not realise that nmap has its own vuln scanning ability built in. It's not a replacement for MSF, but it has got some great features.

The NSE is a framework that runs code written in the programming language Lua with specific flags that the engine can parse. Lua is a lightweight, fast, and interpreted programming language.

I could write a whole article on its own covering the NSE side of nmap, as it is so vast and includes a great many different options. Here are a few basic ones to get you started:

A full list of the main NSE scripts built into nmap can be found on the nmap site here.

Evading Filtering

Here are some options that you might not know about that will help you in evading firewall blockages:

nmap -D RND:10 (Generates a random number of decoys)
nmap -D decoy1,decoy2,decoy3 etc. (Manually specify the IP addresses of the decoys)

It's also worth noting that the hosts being used as decoys must be online in order for this technique to work. Also, using many decoys can cause network congestion.

There are of course more options that can be leveraged to evade and bypass IDS/IPS/Firewalls however the above should be a good starter.

Other Tooling with NMAP

Port scanning is great but nmap also has a suite of other tools that can be used, here's a quick overview on how to use them and some common options to try.

Statically Compiling

Here is a short explanation on how to compile nmap statically.

Version of nmap used:

First set up the environment (-fPIC is needed for static compilation):

    export CFLAGS="-march=core2 -O2 -fomit-frame-pointer -pipe -fPIC"
    export CXXFLAGS="-march=core2 -O2 -fomit-frame-pointer -pipe -fPIC"

Then run ./configure with minimal options:

    ./configure --without-subversion --without-liblua --without-zenmap --with-pcre=/usr --with-libpcap=included --with-libdnet=included --without-ndiff --without-nmap-update --without-ncat --without-liblua --without-nping --without-openssl

And compile - this will mostly work:

    make -j4 static

The final compilation step fails - the actual error is:

/usr/lib/gcc/x86_64-unknown-linux-gnu/4.8.4/../../../../x86_64-unknown-linux-gnu/bin/ld: dynamic STT_GNU_IFUNC symbol `strcmp' with pointer equality in /usr/lib/gcc/x86_64-unknown-linux-gnu/4.8.4/../../../../lib/libc.a(strcmp.o)' can not be used when making an executable; recompile with -fPIE and relink with -pie

Making it Work

Hacking the Makefile to make the compilation mostly static:

  1. Change the LIBS = -lnsock -lnbase -lpcre line (line 54) to:
    LIBS =  -lnsock -lnbase $(LIBPCAPDIR)/libpcap.a $(OPENSSL_LIBS) libnetutil/libnetutil.a $(top_srcdir)/libdnet-stripped/src/.libs/libdnet.a  $(top_srcdir)/liblinear/liblinear.a -ldl
  2. Change the $(CXX) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) line (line 122, under "Compiling nmap") to:

    $(CXX) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) /usr/lib/libpcre.a

And re-run the final compilation step:


This succeeds, and we have:

    $ ldd nmap | cut -d '(' -f1 => /usr/lib/ => /usr/lib/ => /usr/lib/ => /usr/lib/ => /usr/lib/ 

This is as static as the executable can be made with glibc; those remaining entries are all links to glibc's libraries.

Andy Gill
