Active Data Gathering: How to Use Nmap

After passive data gathering, comes active data gathering in pentesting. In this step the goal is to actively contact the target and collect data. Since you’ll be actively contacting your target, there’s a high chance that you’ll be on the firewall logs. In this article, I’ll talk about Nmap and how to use it.


You can check our article on how to setup Nmap on Windows.

For Linux:

sudo apt-get install nmap

Some Parameters

  • -iL <file_name> : Takes information from the file that contains information of hosts and networks and scans according to the information in the file.
  • -p : To indicate ports or port gaps. ( -p 21, -p 1-65535, -p U:53, -p T:21-25)
  • -F : Fast mode. Searches the most used 100 ports.
  • -top-ports 50 : Searches the most used 50 ports.
  • -R : If there’s a requirement for IP-Host matching.
  • -n : This used if there’s no requirement for IP-Host matching.

Discovering Machines On The Network Using Nmap

ICMP Scan (-sn or -sP)

In this scan, if you’re scanning the local network, Nmap does ARP query to all of the IP addresses connected to the network. If the ARP query gets an answer, related IP address will be indicated. If you’re scanning other networks, Nmap sends ICMP packets to the target and if the target replies to the packets, this shows that your target machine is active.

Now that you’ve found active machines on the network, next step is port scanning.

Discovering Port Data Using Nmap

Nmap searches, from TCP and UDP ports, 1000 ports in total by default when the user doesn’t enter a port gap.

TCP Connect Scan (-sT)

In this type of scanning, Nmap sends SYN packets to the related ports of the target machine. If RST+ACK packets return from the target machine, then this means the related port is closed. If SYN+ACK packets return instead of RST+ACK packets, this means the related port is open. After the returned SYN+ACK packets, an ACK packet will be sent and the triple handshake will be done. Connect scan is slow because it does triple handshake.

SYN Scan (-sS)

SYN Scan is a lot faster than Connect Scan. Nmap sends SYN packets to the target machine. If the target port sends SYN+ACK packets back, it means the port is open, then Nmap sends a RST packet and does not finish the triple handshake. If RST+ACK packets return, the port is closed. And if ICMP PORT UNREACHABLE packets return, the port is filtered.

UDP Scan (-sU)

This scan is slower and less reliable than the others. Nmap sends UDP packets to the target machine. If it gets UDP packets in return, then the port is open. If ICMP PORT UNREACHABLE packets return, this either means the port is closed or there’s a firewall. Or if nothing returns, this may either mean that there’s a firewall or the port is open.

XMASS Scan (-sX)

Sends packets with fin,urg,push flags to the target. If RST+ACK packets return, this means the target port isn’t open. If nothing returns, there’s a possibility that the port is open.

FIN Scan (-sF)

Sends packets with Fin flags to the target. RST+ACK packets in return means the port isn’t open. If there’s nothing returning, this means the port is open.

NULL Scan (-sN)

This type of scan, which contains no flags at all, is uncommon. Just like the FIN Scan, RST+ACK packets in return means the port isn’t open. No packets in return means the port is open.

ACK Scan (-sA)

Sends packets with ACK flags to the target machine. Getting ICMP DESTINATION UNREACHABLE packet returns or no packets return at all, this means the port is “filtered”. If the target machine returns packets with RST flags, the port is “unfiltered”.

Window Scan (-sW)

The RST Frame (that returns from an off/closed port) size in window is zero. If the RST Frame size in window is more than one, the port is open.

Version Scanning Using Nmap

Version Scan (-sV)

In this scan, Nmap indicates the versions of the services running on active ports. Version knowledge is crucial for choosing exploits to use during the attack process. At the same time, as example, HTTP’s default port is 80. But if the network administrator makes it so that this service runs from TCP 5432 port, we can only tell whether the HTTP service works on the computer or not using the version scan.

Operating System Discovery Using Nmap

OS Scan (-O)

  • -osscan-limit : Indicates the OS’ that have at least one open and one closed ports.
  • -osscan-guess : Indicates the OS more aggressively.
  • -max-retries <number> : Retries indicating the OS in the amount of numbers the user puts in.

Nmap Script

Nmap script version contains features like version scanning, whois query, dns query, vulnerability scanning and so on. Scans specific vulnerabilities and gives data about the exploits suitable to use. To scan scripts, the -sC parameter is used. And to use a specific script, -script=script_name.nse parameter would be suitable.

For a full list of scripts:

ls usr/share/nmap/script/

If you want to scan all of the machines for vulnerabilites in the network:

nmap -sS --script=Vuln

See? One of the machines have SMB vulnerability. 😀 I’ll quickly search the vulnerability ID on Metasploit.

The exploit I used is below.


And the results! 😀

Good Luck!

Leave a Reply

Your email address will not be published. Required fields are marked *