PT0-002 | Chapter 15 of 104 | Objective 2.2

Nmap Scanning Techniques

This chapter covers Nmap scanning techniques, a core skill for the Reconnaissance and Enumeration domain of the PT0-002 exam. Nmap is the de facto tool for port scanning and service discovery, and questions about its various scan types, options, and output interpretation appear in approximately 15-20% of exam questions. Mastering Nmap is essential for any penetration tester, as it directly impacts your ability to enumerate targets effectively and efficiently. This chapter provides a deep dive into how Nmap works, the mechanics behind each scan type, and the specific details the exam expects you to know.

25 min read
Intermediate
Updated May 31, 2026

Nmap Scanning as a Locked Building Recon

Imagine you are a security consultant hired to assess the security of a large office building. You cannot enter yet, but you can observe from outside. The building has many doors and windows, each potentially representing a network port. You start by knocking on the main entrance (TCP port 80) to see if someone answers. If you hear a reply, you know the door is open and someone is home. But you also want to know if the door is actually unlocked or just cracked open—so you knock softly (SYN scan) and see if they respond without completing the handshake. If they do, the door is open. If you knock and get no response, the door might be closed or blocked by a guard (firewall). To differentiate, you might knock in a way that mimics a regular visitor (connect scan) and see if the guard lets you through. Sometimes you try sending a knock that is not part of the normal protocol, like a loud bang (FIN scan), and see if the guard ignores you (open) or yells back (closed). You also want to map the building's layout (OS detection) by observing how the doors open and close—different building styles have different door mechanisms. By methodically testing each door and window with different knock patterns, you can build a map of all accessible entry points without ever stepping inside. This is exactly what Nmap does: it sends specially crafted packets to target ports and analyzes the responses to determine port states, services, and operating systems.

How It Actually Works

What is Nmap and Why Does It Exist?

Nmap (Network Mapper) is an open-source tool used for network discovery and security auditing. It was created by Gordon Lyon (Fyodor) and has become the industry standard for port scanning. Its primary purpose is to identify live hosts on a network, open ports, running services, operating systems, and other attributes. For penetration testers, Nmap is usually the first tool run once they have network reach to the target scope, because it produces the map of potential attack surface that every later step depends on.

How Nmap Scanning Works Internally

Nmap operates by sending raw IP packets and analyzing the responses. The core mechanism involves crafting packets with specific TCP flags, IP headers, and timing options, then listening for replies. Each scan type manipulates the TCP three-way handshake or other protocol behaviors to infer port state without completing a full connection.

#### TCP SYN Scan (-sS)

This is the default scan when Nmap runs with raw-packet privileges, and the one most penetration testers use. It sends a SYN packet (the first step of a handshake) to each target port.
- If the port is open, the target responds with a SYN-ACK. Nmap then sends a RST to tear down the half-open connection, never completing the handshake. Because no full TCP connection is ever established, most applications never see it and do not log it.
- If the port is closed, the target responds with a RST.
- If the port is filtered (by a firewall), Nmap receives no response after retransmission, or an ICMP unreachable error.

#### TCP Connect Scan (-sT)

This scan uses the operating system's connect() system call to complete the full three-way handshake. It is less stealthy because the connection is fully established and logged, but it works when the user lacks raw packet privileges (e.g., non-root on Linux). The response interpretation is the same as SYN scan, but the handshake is completed.

#### UDP Scan (-sU)

UDP is connectionless, so there is no handshake to probe. Nmap sends a UDP packet (empty, or a protocol-specific payload for well-known ports such as 53 and 161) to each port.
- If the port is open, the service may answer with a UDP packet, but many services stay silent when handed an unexpected payload. Nmap cannot then tell an open port from a filtered one and reports it as open|filtered.
- If the port is closed, the target typically responds with an ICMP Port Unreachable (type 3, code 3).
- If filtered, there is no response, or a different ICMP unreachable error (for example type 3, code 13, administratively prohibited).
UDP scanning is slow because silent ports must time out and be retried, and because many stacks rate-limit ICMP errors (Linux sends roughly one per second), so closed ports can only be confirmed at that rate. Its results are also less certain than those of a TCP scan.

#### TCP FIN, NULL, and Xmas Scans (-sF, -sN, -sX)

These scans exploit RFC 793 behavior: a closed port that receives a packet with none of the SYN, ACK, or RST flags set should respond with a RST, while an open port should silently drop it.
- FIN scan sends a packet with only the FIN flag.
- NULL scan sends a packet with no flags.
- Xmas scan sends a packet with the FIN, PSH, and URG flags set (lit up like a Christmas tree).
- If a RST is received, the port is closed. If nothing comes back, Nmap reports open|filtered, because an open port and a firewall that dropped the probe look identical. An ICMP unreachable error means filtered.
Microsoft Windows, many Cisco devices, and some other stacks do not follow RFC 793 here: they send a RST regardless of whether the port is open or closed, so against them every port appears closed and these scans are useless. Their advantage is that they can slip through stateless packet filters that only block incoming SYNs.

#### TCP ACK Scan (-sA)

This scan sends a packet with only the ACK flag set. It is used to map firewall rulesets, not to determine whether a port is open.
- If a RST is received, the port is unfiltered: the probe reached the host, which answered as RFC 793 requires for an unsolicited ACK.
- If there is no response or an ICMP unreachable error, the port is filtered.
Because both open and closed ports answer an unsolicited ACK with a RST, ACK scan cannot tell them apart. What it reveals is whether a stateful firewall sits in the path: a stateless filter that only blocks SYNs lets the ACK through (ports show as unfiltered), while a stateful firewall drops packets that belong to no tracked connection (ports show as filtered).

#### TCP Window Scan (-sW)

Similar to ACK scan, but it examines the TCP window field of the RST response. On a minority of systems the RST carries a positive window size for open ports and a zero window for closed ports, so Nmap can report open or closed where ACK scan would only say unfiltered. Most systems put a zero window in every RST, in which case window scan reports every port as closed, so treat its output with care.

#### TCP Maimon Scan (-sM)

Sends a packet with the FIN and ACK flags set. RFC 793 says a RST should come back whether the port is open or closed, but Uriel Maimon observed that many BSD-derived stacks silently drop the probe when the port is open. On those systems a RST means closed and no response means open|filtered; elsewhere every port reports as closed. This scan is rarely used in practice but appears on some exams.
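To make the decision rules above concrete, here is a small Python model, added for this chapter and not Nmap's own code, that simulates the probe each scan type sends, how a target stack answers it, and what a packet filter in between does to it. The three stack behaviours ("rfc", "windows", "bsd") and the two firewall policies ("stateless" passes everything except new SYNs to blocked ports; "stateful" drops anything that is not the start of an allowed connection) are deliberate simplifications chosen to reproduce the cases the text describes, and no packets are sent.

```python
"""Toy model of how Nmap infers TCP port state from a target's reply.

Added example, not Nmap source code. It models the probe each scan type
sends, how an RFC 793 stack (versus a Windows-style or BSD-derived stack)
answers it, and a packet filter in the path. All behaviour is simulated.
"""

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags carried by the probe each Nmap scan type sends
PROBES = {
    "-sS": SYN,              # SYN scan
    "-sT": SYN,              # connect scan: same first packet, full handshake after
    "-sA": ACK,              # ACK scan
    "-sF": FIN,              # FIN scan
    "-sN": 0,                # NULL scan
    "-sX": FIN | PSH | URG,  # Xmas scan
    "-sM": FIN | ACK,        # Maimon scan
}


def firewall_passes(probe_flags, port, policy, allowed):
    """Return True if a filter with the given policy forwards the probe.

    policy: None (no filter), "stateless" (blocks only new connections, i.e.
    bare SYNs, to ports outside `allowed`), or "stateful" (drops any packet
    to a non-allowed port and any packet that does not open a session it can
    track, so an unsolicited ACK or FIN is dropped everywhere).
    """
    if policy is None:
        return True
    is_new_connection = bool(probe_flags & SYN) and not probe_flags & ACK
    if policy == "stateless":
        return port in allowed or not is_new_connection
    if policy == "stateful":
        return port in allowed and is_new_connection
    raise ValueError(policy)


def stack_reply(probe_flags, is_open, stack):
    """Reply flags from the target's TCP stack, or None if it stays silent.

    stack: "rfc" (follows RFC 793), "windows" (RSTs every non-SYN probe
    regardless of state), "bsd" (RFC 793, except it drops FIN/ACK to open ports).
    """
    if probe_flags & SYN and not probe_flags & ACK:
        return SYN | ACK if is_open else RST           # normal handshake start
    if stack == "windows":
        return RST                                     # state-independent RST
    if probe_flags & ACK:
        # RFC 793: an unsolicited ACK gets a RST whether open or closed ...
        if stack == "bsd" and is_open and probe_flags & FIN:
            return None                                # ... except Maimon on BSD
        return RST
    # No SYN/ACK/RST in the probe: closed ports RST, open ports drop it
    return None if is_open else RST


def interpret(scan, reply):
    """Map a reply (or silence) to the state Nmap would report."""
    if scan in ("-sS", "-sT"):
        if reply is None:
            return "filtered"
        return "open" if reply & SYN and reply & ACK else "closed"
    if scan == "-sA":
        return "unfiltered" if reply == RST else "filtered"
    # FIN / NULL / Xmas / Maimon: silence is ambiguous
    return "closed" if reply == RST else "open|filtered"


def scan(scan_type, ports, open_ports, stack="rfc", firewall=None, allowed=()):
    """Scan `ports` on a simulated host; return {port: state}."""
    probe = PROBES[scan_type]
    results = {}
    for port in ports:
        if not firewall_passes(probe, port, firewall, set(allowed)):
            reply = None                               # dropped in transit
        else:
            reply = stack_reply(probe, port in open_ports, stack)
        results[port] = interpret(scan_type, reply)
    return results


if __name__ == "__main__":
    ports, open_ports = (22, 80, 443), {80, 443}
    for st in ("-sS", "-sF", "-sA", "-sM"):
        print(st, "rfc      ", scan(st, ports, open_ports))
        print(st, "windows  ", scan(st, ports, open_ports, stack="windows"))
        print(st, "stateless", scan(st, ports, open_ports, firewall="stateless", allowed={80, 443}))
        print(st, "stateful ", scan(st, ports, open_ports, firewall="stateful", allowed={80, 443}))
```

Running it shows the four outcomes the chapter keeps returning to: a FIN scan reports open|filtered/closed on an RFC stack but all-closed against the Windows model; it passes straight through the stateless filter, where a SYN scan sees port 22 as filtered; an ACK scan reports every port unfiltered behind the stateless filter and filtered behind the stateful one; and the Maimon probe only separates open from closed on the BSD model.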

Key Components, Values, and Defaults

Timing Templates (-T0 to -T5): Control scan speed and stealth. T0 is paranoid (very slow, waits 5 minutes between probes), T3 is normal (default), T5 is insane (fast, may drop packets).

Port Specification: -p flag. Default scans the top 1000 ports. -p- scans all 65535 ports, which is time-consuming.

Service Version Detection (-sV): Enables version detection by connecting to open ports and interacting with the service to determine the exact software and version.

OS Detection (-O): Uses TCP/IP fingerprinting to guess the operating system. Requires at least one open and one closed port for accuracy.

Aggressive Scan (-A): Enables OS detection, version detection, script scanning, and traceroute.

Script Scanning (-sC): Runs the default set of NSE scripts (equivalent to --script=default) for common service enumeration and vulnerability checks.

Output Formats: -oN (normal), -oX (XML), -oG (grepable), -oA (all formats).

Configuration and Verification Commands

Basic SYN scan on a target:

nmap -sS 192.168.1.1

Scan with version detection and OS detection:

nmap -sV -O 192.168.1.1

Stealth scan with timing T1 (sneaky):

nmap -sS -T1 192.168.1.1

UDP scan of top 50 ports:

nmap -sU --top-ports 50 192.168.1.1

How Nmap Interacts with Related Technologies

Firewalls: Stateful firewalls track TCP connections. SYN scans bypass some logging because the connection is never fully established. However, modern firewalls can detect and block SYN scans. ACK scans help map firewall rules by seeing which ports elicit RST.

IDS/IPS: Intrusion detection systems can detect port scans based on patterns of multiple connection attempts. Nmap's timing templates help evade detection by slowing down the scan.

Network Segmentation: Nmap can be used to map network segments, identify live hosts, and find open ports across VLANs or subnets.

Common Pitfalls and Exam Traps

Assuming FIN scan works on Windows: It does not; Windows responds with RST to a FIN probe on every port, open or closed, so every port looks closed and the scan tells you nothing.

Thinking UDP scan is fast: UDP scanning is slow because of timeouts for open ports.

Confusing ACK scan with SYN scan: ACK scan maps firewall rules, not open ports.

Believing SYN scan is completely undetectable: While stealthy, modern systems can log incomplete handshakes.

Summary of Scan Types and Use Cases

| Scan Type | Flag | Purpose | Stealth |
|-----------|------|---------|---------|
| SYN | -sS | Default when privileged; half-open, fast | High |
| Connect | -sT | Full handshake; works without raw-packet privileges | Low |
| UDP | -sU | UDP services (DNS, SNMP, DHCP) | Low |
| FIN | -sF | Slip past stateless filters that only block SYNs | Medium |
| NULL | -sN | Same as FIN, with no flags set | Medium |
| Xmas | -sX | Same as FIN, with FIN/PSH/URG set | Medium |
| ACK | -sA | Map firewall rules (filtered vs unfiltered) | High |
| Window | -sW | ACK scan plus window-size heuristic for open/closed | High |
| Maimon | -sM | FIN/ACK probe; separates open/closed on BSD-derived stacks | Medium |

Walk-Through

1. Target Selection and Host Discovery

Before scanning ports, you must identify live hosts. Nmap's host discovery (`-sn` runs it without a port scan) sends, when privileged, an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request; on a local Ethernet segment it uses ARP requests instead, and an unprivileged user gets TCP connect attempts to ports 80 and 443. If any response is received, the host is considered up. By default, Nmap runs host discovery before port scanning and skips hosts that look down. You can disable it with `-Pn` when you know the host is alive, which is common in penetration tests where firewalls block ping.

2. Port Selection and Scan Type

Choose which ports to scan. Default is top 1000 ports. Use `-p` for specific ports or ranges, `-p-` for all 65535. Then select scan type: SYN (`-sS`) for stealth, Connect (`-sT`) for full TCP, UDP (`-sU`) for UDP services. The decision affects speed, stealth, and accuracy. SYN is faster and stealthier but requires root privileges. Connect works without root but is logged.

3. Packet Crafting and Transmission

Nmap constructs raw IP packets with the appropriate TCP or UDP headers. For a SYN scan it sets the SYN flag and chooses the source port and sequence number itself. It sends probes in parallel, with the degree of parallelism and the retransmission timeouts governed by the timing template. On Unix-like systems it uses raw sockets, which is why root is needed. On Windows it sends raw frames through the Npcap packet-capture driver; without Npcap or administrator rights, raw-packet scans are unavailable and the default scan becomes a connect scan.

4. Response Analysis and State Determination

Nmap listens for responses. For TCP, a SYN-ACK indicates open, RST indicates closed, no response indicates filtered. For UDP, any UDP response indicates open, ICMP Port Unreachable indicates closed, no response indicates open/filtered. Nmap uses timeouts to decide when to give up. Default timeout is based on round-trip time estimation. If no response after retransmissions, the port is marked as filtered.

5. Output and Post-Processing

Results are displayed in real-time and saved to files. Nmap can output normal, XML, grepable, or all formats. Post-processing includes service version detection (`-sV`) which sends probes to open ports to grab banners, and OS detection (`-O`) which analyzes TCP/IP stack fingerprints. Script scanning (`-sC`) runs NSE scripts for vulnerability checks. The final output lists open ports, services, and OS guesses.
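Post-processing usually means turning the saved scan into something you can query. The following Python parser is an added example, not part of Nmap: it reads the grepable -oG format, in which each listed port is written as port/state/protocol/owner/service/rpc/version/ (Nmap substitutes any slash inside a field so the layout stays parseable), and answers the questions a tester asks next: which hosts are up, what is open on a given host, and which hosts expose a given port. The scan text, addresses, hostnames, and version strings are constructed for the example.

```python
"""Parse Nmap grepable (-oG) output into records you can query.

Added example, not part of Nmap. SAMPLE_GNMAP is constructed to match the
-oG layout: one 'Host:' line per host and per result type, a 'Ports:' field
whose entries are port/state/proto/owner/service/rpc/version/, and an
'Ignored State' summary for the ports Nmap did not list individually.
"""
import re
from collections import Counter

# Constructed sample of what `nmap -sS -sU -sV -oG scan.gnmap 192.0.2.0/29`
# might write; hosts, services and versions are hypothetical.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sU -sV -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 8080/open/tcp//http//Apache Tomcat 8.5.5/\tIgnored State: closed (997)
Host: 192.0.2.11 (db.example.test)\tStatus: Up
Host: 192.0.2.11 (db.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 3306/filtered/tcp//mysql///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 12:00:12 2024 -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# 'Host: <ip> (<hostname>)<TAB><tab-separated "Key: value" fields>'
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
# Seven slash-terminated fields per port entry; fields never contain '/'
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return (hosts_up, records); records holds one dict per listed port."""
    hosts_up, records = set(), []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and anything else
        ip, hostname, rest = m.groups()
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        if fields.get("Status") == "Up":
            hosts_up.add(ip)
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(fields.get("Ports", "")):
            records.append({"host": ip, "hostname": hostname, "port": int(port), "state": state,
                            "proto": proto, "service": service, "version": version})
    return hosts_up, records


def open_ports(records, host):
    """Ports reported open on one host, as sorted (port, proto) pairs."""
    return sorted((r["port"], r["proto"]) for r in records if r["host"] == host and r["state"] == "open")


def hosts_exposing(records, port, proto="tcp", states=("open",)):
    """Hosts on which `port`/`proto` is in one of `states` (open|filtered counts for UDP)."""
    return sorted({r["host"] for r in records
                   if r["port"] == port and r["proto"] == proto and r["state"] in states})


def state_summary(records):
    """How many listed ports fell into each state."""
    return Counter(r["state"] for r in records)


if __name__ == "__main__":
    up, recs = parse_gnmap(SAMPLE_GNMAP)
    print("hosts up:", sorted(up))
    print("state summary:", dict(state_summary(recs)))
    for host in sorted(up):
        print(host, "open:", open_ports(recs, host))
    print("hosts with SNMP reachable:", hosts_exposing(recs, 161, "udp", ("open", "open|filtered")))
    print("versions on 8080:", [r["version"] for r in recs if r["port"] == 8080])
```

Because UDP results are mostly open|filtered, the `hosts_exposing` helper takes the set of states to count, so a query for SNMP includes the ambiguous state instead of silently dropping every UDP service.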

What This Looks Like on the Job

Enterprise Scenario 1: Internal Network Penetration Test

A pentester is hired to assess the internal network of a large corporation. They are given a workstation on the internal LAN with no special network privileges. The first step is to discover live hosts and open ports. Using Nmap with -sn for a ping sweep, they find 500 live hosts across multiple subnets. They then perform a targeted SYN scan (-sS -T4 -p 1-10000) on critical servers; -sS needs root or administrator rights on the scanning workstation, otherwise Nmap refuses to run it and -sT must be used instead. The scan reveals a web server with port 8080 open, which is not in the allowed list per policy. This becomes an entry point: -sV identifies it as Apache Tomcat 8.5.5, a version with publicly known vulnerabilities. The scan also reveals SSH open on a database server, and follow-up credential testing outside Nmap finds weak passwords on it. The pentester documents all findings and recommends firewall rule adjustments and patching.

Enterprise Scenario 2: External Perimeter Assessment

A company wants to test its external firewall rules. The pentester runs an ACK scan (-sA) from the internet to map which ports are allowed through the firewall. The scan shows that ports 80, 443, and 22 return RST (unfiltered), while others time out (filtered). This confirms the firewall allows HTTP, HTTPS, and SSH. Next, a SYN scan on those ports shows they are open. The pentester then runs a UDP scan (-sU --top-ports 50) to find DNS and SNMP services. The scan reveals an open UDP port 161 (SNMP) with a default community string 'public'. This is a critical finding as SNMP can leak system information. The pentester recommends disabling SNMP or changing community strings and restricting access.

Common Misconfigurations and Failures

Scanning too aggressively: Using -T5 may cause packet loss or trigger IDS alerts. In production, slower scans (-T2 or -T3) are safer.

Mishandling host discovery: Using -Pn against address space that is mostly dead wastes time, because every port probe to every dead address must time out. Conversely, relying on default host discovery against a host that is up but blocks ping probes makes Nmap mark it down and skip it entirely; there, -Pn is required.

Not using version detection: Simply knowing a port is open is insufficient; version detection (-sV) identifies exact software versions for vulnerability matching.

Overlooking UDP: Many pentesters focus only on TCP, but critical services like DNS, SNMP, and DHCP run over UDP. A comprehensive assessment includes UDP scanning.

Performance Considerations

Scanning large networks (e.g., /16 subnet) with full port scan can take hours. Use --min-rate and --max-rate to control packet rate. For large scans, use -T4 and --open to only show open ports, reducing output. Use -oA to save results for later analysis. For cloud environments, be aware of rate limits and potential account suspension if scanning too fast.

How PT0-002 Actually Tests This

What PT0-002 Tests on Nmap Scanning Techniques

The PT0-002 exam objectives (2.2, active reconnaissance) require you to discover hosts and services with the appropriate tools and techniques. Nmap is the primary tool. The exam tests:

Knowledge of different scan types and their flags: -sS, -sT, -sU, -sF, -sN, -sX, -sA, -sW, -sM.

Understanding of when to use each scan type based on stealth requirements and firewall presence.

Interpretation of scan results: open, closed, filtered, unfiltered, open|filtered.

Ability to identify the correct command for a given scenario.

Knowledge of timing templates and their impact.

Understanding of OS detection and version detection options.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing Connect scan (-sT) when SYN scan (-sS) is more appropriate: Candidates often think Connect scan is the default or more reliable. However, SYN scan is the default when privileges allow it and is stealthier. The exam expects you to know that SYN scan is preferred unless you lack raw packet privileges.

2. Selecting FIN scan for Windows targets: Many candidates assume FIN scan works universally. Windows does not follow RFC 793 here and responds with RST whether the port is open or closed, so every port reports as closed and the scan is ineffective. The exam may present a scenario with a Windows target and ask for the best scan type.

3. Confusing ACK scan with SYN scan: ACK scan is for firewall rule mapping, not port state determination. Candidates may incorrectly use ACK scan to check if a port is open. The exam will test this distinction.

4. Misusing -Pn: Candidates forget that Nmap performs host discovery by default and that -Pn turns it off. Use -Pn when a host is known to be up but blocks ping probes (otherwise Nmap skips it); avoid it against large ranges of mostly dead addresses, where it forces a full port scan of every address. The exam may ask which flag skips host discovery.

Specific Numbers and Terms to Memorize

Timing templates: -T0 (paranoid) to -T5 (insane). T3 is default.

Default ports: Top 1000 ports.

Flags for scan types: -sS (SYN), -sT (Connect), -sU (UDP), -sF (FIN), -sN (NULL), -sX (Xmas), -sA (ACK), -sW (Window), -sM (Maimon).

OS detection flag: -O

Version detection flag: -sV

Aggressive scan flag: -A

Script scan flag: -sC

Output flags: -oN, -oX, -oG, -oA

Edge Cases and Exceptions

FIN scan on Windows: Not reliable; Windows always sends RST.

UDP scan reliability: High false negatives because many services don't respond to empty probes.

SYN scan on Windows: Requires administrator rights and the Npcap driver for raw packets; without them, the default scan becomes a connect scan and an explicit -sS fails.

IPv6 scanning: Use -6 flag. Not all scan types work with IPv6.

Idle scan (-sI): A stealth scan using a zombie host. Rarely tested but may appear.

How to Eliminate Wrong Answers

If the scenario mentions "stealth" or "avoid logging", eliminate Connect scan.

If the target is Windows, eliminate FIN, NULL, Xmas scans.

If the goal is to map firewall rules, choose ACK scan.

If the question asks for OS detection, look for -O.

If the question asks for service version, look for -sV.

If the question asks for a quick scan of top ports, default is fine; if all ports, use -p-.

Key Takeaways

SYN scan (-sS) is the default and most stealthy TCP scan; it sends a SYN and then RST upon receiving SYN-ACK.

Connect scan (-sT) completes the full TCP handshake and is used when raw socket privileges are unavailable.

UDP scan (-sU) is slow and unreliable; closed ports return ICMP Port Unreachable, open ports often give no response.

FIN, NULL, and Xmas scans (-sF, -sN, -sX) exploit RFC 793 but fail on Windows (which always sends RST).

ACK scan (-sA) maps firewall rules; it cannot determine if a port is open or closed.

Timing templates range from -T0 (paranoid) to -T5 (insane); default is -T3.

OS detection (-O) requires at least one open and one closed port for accuracy.

Version detection (-sV) probes open ports to identify service versions.

Aggressive scan (-A) combines OS detection, version detection, script scanning, and traceroute.

Use -Pn to skip host discovery if you know the host is alive.

Default port scan covers top 1000 ports; use -p- for all 65535 ports.

Output formats: -oN (normal), -oX (XML), -oG (grepable), -oA (all).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SYN Scan (-sS)

Sends SYN packet, never completes handshake (sends RST after SYN-ACK).

Requires root/administrator privileges for raw sockets.

Stealthier; less likely to be logged by applications.

Faster because it does not wait for full handshake completion.

Default scan type for Nmap when run with sufficient privileges.

Connect Scan (-sT)

Completes full TCP three-way handshake using connect() system call.

Works without root privileges; uses OS network stack.

More detectable; full connections are logged by services.

Slower because it completes the handshake and then closes gracefully.

Used as fallback when raw sockets are not available (e.g., some Windows environments).

FIN Scan (-sF)

Sends packet with only FIN flag set.

Used to determine port state (open/closed) on RFC-compliant systems.

Closed ports respond with RST; open ports ignore the packet.

Can bypass some stateless firewalls that only filter SYN packets.

Not reliable on Windows or other non-compliant systems.

ACK Scan (-sA)

Sends packet with only ACK flag set.

Used to map firewall rules (filtered vs unfiltered), not port state.

Both open and closed ports respond with RST if unfiltered.

Cannot distinguish open from closed; only reveals firewall filtering.

Works on all systems because ACK packets are part of normal TCP traffic.

Watch Out for These

Mistake

SYN scan is completely undetectable.

Correct

While SYN scan never completes the TCP handshake, a firewall, IDS/IPS, or host-based monitor can still see both the SYN and the RST that Nmap sends after the SYN-ACK, and a burst of half-open connections across many ports is a classic scan signature. SYN scan is stealthier than Connect scan because the application never accepts the connection and so rarely logs it, but it is not invisible.

Mistake

FIN scan works the same on all operating systems.

Correct

FIN scan relies on RFC 793 behavior where closed ports respond with RST. However, Microsoft Windows and some other systems do not follow this; they send RST for both open and closed ports, making FIN scans unreliable on those platforms.

Mistake

UDP scanning is just as fast as TCP scanning.

Correct

UDP scanning is much slower because there is no handshake to confirm state. Open or filtered ports usually stay silent, so Nmap must wait for a timeout and retransmit, and many stacks rate-limit ICMP Port Unreachable messages (Linux sends roughly one per second), which caps how fast closed ports can be identified. A full 65,535-port UDP scan can take hours, compared with minutes for TCP.

Mistake

ACK scan can determine if a port is open or closed.

Correct

ACK scan only determines if a port is filtered or unfiltered by the firewall. It cannot distinguish between open and closed because both elicit a RST if unfiltered. Use SYN or Connect scan for open/closed determination.

Mistake

Nmap always requires root privileges.

Correct

SYN scan and other raw packet scans require root (or administrator) privileges. Connect scan (-sT) works without them because it uses the operating system's connect() system call. On Windows, raw packet scans additionally depend on the Npcap driver; without it Nmap cannot send raw frames even as administrator, so the default scan becomes a connect scan and an explicit -sS fails.


Frequently Asked Questions

What is the difference between SYN scan and Connect scan in Nmap?

SYN scan (-sS) sends a SYN packet and upon receiving a SYN-ACK, it sends a RST to tear down the connection, never completing the handshake. Connect scan (-sT) uses the operating system's connect() system call to complete the full three-way handshake. SYN scan is stealthier and faster, but requires root privileges. Connect scan works without root but is logged by target services. The exam expects you to choose SYN scan for stealth and Connect scan when you lack privileges.

Why does FIN scan not work on Windows?

FIN scan relies on RFC 793 behavior where a closed port sends a RST in response to a FIN packet, while an open port ignores it. However, Microsoft Windows does not comply with this; it sends a RST for both open and closed ports when receiving a FIN packet. Therefore, FIN scan cannot distinguish between open and closed on Windows systems. The exam may present a Windows target and ask why FIN scan is ineffective.

How can I scan all 65535 ports with Nmap?

Use the `-p-` flag to scan all 65535 ports. For example: `nmap -sS -p- target`. This is time-consuming, especially on large networks. You can speed it up with timing templates like `-T4` or `-T5`. Alternatively, scan only top ports with `--top-ports 1000` (default) or specify a range like `-p 1-10000`.

What does the -sA flag do in Nmap?

The -sA flag performs a TCP ACK scan. It sends packets with only the ACK flag set. This scan is used to map firewall rulesets: if a RST is received, the port is considered unfiltered (firewall allowed the packet through). If no response or an ICMP unreachable is received, the port is filtered. ACK scan cannot distinguish open from closed ports; it only reveals whether a firewall is stateful or stateless.

When should I use -Pn in Nmap?

Use -Pn to skip host discovery. By default, Nmap performs a ping sweep to determine if hosts are alive before scanning ports. If you already know the host is up (e.g., from previous scans or documentation), using -Pn saves time. It is also useful when firewalls block ping probes, as Nmap might otherwise think the host is down and skip it. However, using -Pn on a dead host wastes time scanning a non-existent target.

What is the difference between -sV and -O in Nmap?

-sV enables service version detection: Nmap connects to open ports and interacts with the service to determine the exact software and version (e.g., Apache 2.4.41). -O enables OS detection: Nmap analyzes TCP/IP stack fingerprints to guess the operating system (e.g., Linux 4.x). Both can be combined with -A for aggressive scanning. The exam expects you to know which flag to use for version vs. OS detection.

How does Nmap determine if a port is filtered?

Nmap considers a port filtered if it receives no response to its probe after retransmissions, or if it receives an ICMP unreachable error (e.g., type 3 code 13 - administratively prohibited). For TCP scans, if a SYN-ACK is received, the port is open; if RST, closed. No response or specific ICMP errors indicate filtering. The exact behavior depends on the scan type and firewall configuration.
