Nmap Overview by flw/Dan

This is intended to help you understand a very flexible tool used in security today, and what some people will be using against you. It is not intended to help you cause trouble for others.


This overview covers three basic Nmap functions: port/service scanning, OS detection, and altering the source IP address that Nmap sends from.

nmap -sS 192.168.1.1   half-open (SYN) port/service scan

This sends a SYN packet and looks at what comes back: a SYN|ACK means the port is open, a RST means it is closed, and no reply at all (or an ICMP unreachable) is reported as filtered. On an open port Nmap answers the SYN|ACK with a RST instead of the ACK that would normally finish the TCP 3-way handshake, so the connection is torn down before it is ever fully established. Because Nmap crafts these packets itself rather than calling connect(), the scan needs raw-socket privileges (root on Unix), but it does not depend on the characteristics of the target's TCP stack and will work anywhere a connect() scan would have worked. It is also harder to detect: since the handshake never completes, TCP wrappers or anything else running outside the kernel shouldn't be able to pick up these scans, but packet filters, firewalls and IDS that watch for SYNs with no following handshake will, so be aware.
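The exchange described above, as an added example that is not part of the original overview and not Nmap's own code: a stdlib-only Python simulation of one SYN probe, the target's reply, and the open/closed/filtered decision, followed by the RST teardown for an open port. The addresses (192.0.2.x), ports, sequence numbers and the stand-in target stack are constructed for the example; nothing is sent on the wire.

```python
"""Simulated TCP SYN ("half-open") scan: one probe, the target's reply, and
the classification that the scan makes from that reply.  Stdlib only; all
segments are built in memory, nothing touches the network."""
import socket
import struct

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_PROTO = 6


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the TCP checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers (both addresses needed)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, TCP_PROTO, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header (no options, no payload) with a valid checksum."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, then flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         offset_flags, 1024, 0, 0)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_tcp_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    """A correct checksum makes the sum over pseudo-header + segment come out 0."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp_header(segment: bytes) -> dict:
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x1FF}


def classify_reply(reply):
    """The -sS decision: SYN|ACK => open, RST => closed, silence => filtered."""
    if reply is None:
        return "filtered"
    flags = parse_tcp_header(reply)["flags"]
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        return "closed"
    return "unexpected"


def syn_scan_port(scanner_ip, target_ip, sport, dport, target, isn=1000):
    """Send one SYN probe to `target` (a callable standing in for the remote
    stack), classify the reply, and for an open port return the RST that tears
    the half-open connection down instead of the ACK that would complete it."""
    probe = build_tcp_segment(scanner_ip, target_ip, sport, dport, SYN, seq=isn)
    reply = target(probe)
    state = classify_reply(reply)
    teardown = None
    if state == "open":
        ack_num = parse_tcp_header(reply)["ack"]   # target now expects isn+1
        teardown = build_tcp_segment(scanner_ip, target_ip, sport, dport,
                                     RST, seq=ack_num)
    return state, teardown


def make_target(target_ip, scanner_ip, open_ports, filtered_ports=()):
    """Constructed stand-in for the target's TCP stack: SYN|ACK on open ports,
    RST|ACK on closed ones, and no answer at all behind a dropping filter."""
    def respond(probe):
        p = parse_tcp_header(probe)
        if p["dport"] in filtered_ports:
            return None
        flags = SYN | ACK if p["dport"] in open_ports else RST | ACK
        return build_tcp_segment(target_ip, scanner_ip, p["dport"], p["sport"],
                                 flags, seq=5000, ack=p["seq"] + 1)
    return respond


if __name__ == "__main__":
    # Constructed scenario: ssh open, http closed, msrpc silently dropped.
    stack = make_target("192.0.2.10", "192.0.2.1", open_ports={22},
                        filtered_ports={135})
    for port in (22, 80, 135):
        state, rst = syn_scan_port("192.0.2.1", "192.0.2.10", 40000, port, stack)
        extra = " (RST sent, handshake never completed)" if rst else ""
        print("%d/tcp %s%s" % (port, state, extra))
```

The point to notice is the last step for an open port: the scanner never sends the ACK, so the target's listening application never gets a completed connection to log, which is exactly why TCP wrappers do not see a SYN scan while a packet filter still can.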

nmap -O 192.168.1.1   OS detection scan
To work, OS detection needs one open and one closed TCP port on the target, so run it together with a port scan (e.g. -sS) that lets Nmap find them. The closed port is picked at random from the high-numbered range, so machines that filter packets to high-numbered ports will cause problems (many sites filter packets to high ports that don't have the ACK bit set). Heavy packet loss will also cause problems with OS detection. If you run into trouble, make sure the scan includes an open port that isn't served by inetd (e.g. ssh/22 or portmap/rpcbind/111).

Note: OS detection is the least reliable of the three functions covered here, so treat its output as a best guess to be confirmed, not as a fact.

Source IP
The last option is altering the source IP address of the packets Nmap sends. I will not go into any real detail other than to say it works because Nmap crafts its own packets, so you control the source address field. The simplest way to do this is with -S <ip>, usually together with -e <interface> so Nmap knows which interface to send on, and -Pn since ping replies will not come back to you either. Be aware that the target's replies go to the address you spoofed, not to you, so Nmap cannot see them and will not report port states (unless you can sniff traffic to the spoofed address); the spoofed host may also get the blame for your scan.