How does nmap discover ports
If not, Nmap reports that fact and exits. I could have specified -Pn to skip this test. This query can be skipped with the -n option to improve speed and stealthiness.
Launches a TCP port scan of the most popular 1,000 ports listed in nmap-services. A SYN stealth scan is usually used, but a connect scan is substituted for non-root Unix users, who lack the privileges necessary to send raw packets.
Prints the results to standard output in the normal human-readable format, and exits. Other output formats and locations (files) can be specified, as described in Chapter 13, Nmap Output Formats. The first output line in Example 4 normally also carries the time Nmap started and the version number, though these were generally removed from this book for consistency and to avoid line wrapping. The ports considered most interesting, because they are open or in a rarely-seen state for that host, are itemized individually.
When many ports are in a single non-open state, they are treated as the default state and aggregated onto a single line to avoid diluting the results with thousands of uninteresting entries. In this case, Nmap notes that the remaining ports are filtered.
The interesting ports table comes next, and provides the key scan results. The columns vary depending on options used, but in this case provide the port number and protocol, state, and service protocol for each port. The service here is just a guess made by looking up the port in nmap-services. The service would be listed as unknown if any of the ports had no name registered in that file. Three of these ports are open and three are closed.
Finally, Nmap reports some basic timing stats before it exits. These stats are the number of targets specified, the number of those that the ping scan found to be up, and the total time taken. The port list takes the same format as with the previously discussed -PS and -PA options.
If no ports are specified, a highly uncommon port is used by default, because sending to open ports is often undesirable for this particular scan type. An ICMP port unreachable reply signifies to Nmap that the machine is up and available. A lack of response is also interpreted this way. If an open port is reached, most services simply ignore the empty packet and fail to return any response.
This is why the default probe port is one that is highly unlikely to be in use. A few services, such as the Character Generator (chargen) protocol, will respond to an empty UDP packet, and thus disclose to Nmap that the machine is available.
The primary advantage of this scan type is that it bypasses firewalls and filters that only screen TCP. The external interface of this device filtered all TCP ports by default, but UDP probes would still elicit port unreachable messages and thus give away the device. The syntax is the same as for the -p option, except that port type specifiers like S: are not allowed.
Examples are -PY22 and -PY22,80, (note that there can be no space between -PY and the port list). The INIT chunk suggests to the remote system that you are attempting to establish an association. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts. Unfortunately for network explorers, many hosts and firewalls now block these packets rather than responding as the relevant RFC requires. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet.
But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the -PE option to enable this echo request behavior. While the ostensible purpose for these queries is to learn information such as address masks and current times, they can easily be used for host discovery.
A system that replies is up and available. Nmap does not currently implement information request packets, as they are not widely supported. Timestamp and address mask queries can be sent with the -PP and -PM options, respectively.
A timestamp reply (ICMP code 14) or address mask reply (code 18) discloses that the host is available. These two queries can be valuable when administrators specifically block echo request packets while forgetting that other ICMP queries can be used for the same purpose. One of the newer host discovery options is the IP protocol ping (-PO), which sends IP packets with the specified protocol number set in their IP header.
This host discovery method looks for either responses using the same protocol as a probe, or ICMP protocol unreachable messages which signify that the given protocol isn't supported on the destination host.
Either type of response signifies that the target host is alive. To disable this implicit behavior, use the --disable-arp-ping option. The default behavior is normally faster, but this option is useful on networks using proxy ARP, in which a router speculatively replies to all ARP requests, making every target appear to be up according to ARP scan. Since Nmap ordinarily considers RST replies to be proof that the target is up, this can lead to wasted time scanning targets that aren't there.
Using the --discovery-ignore-rst option will prevent Nmap from considering these replies during host discovery. You may need to select extra host discovery options to ensure you don't miss targets in this case. Traceroutes are performed post-scan, using information from the scan results to determine the port and protocol most likely to reach the target.
It works with all scan types except connect scans (-sT) and idle scans (-sI). All traces use Nmap's dynamic timing model and are performed in parallel. Traceroute works by sending packets with a low TTL (time-to-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host.
Standard traceroute implementations start with a TTL of 1 and increment the TTL until the destination host is reached. Nmap does it backwards, starting with a high TTL and decreasing it, which lets it employ clever caching algorithms to speed up traces over multiple hosts.
On average Nmap sends 5 to 10 fewer packets per host, depending on network conditions. If a single subnet is being scanned i. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
Normally reverse DNS is only performed against responsive online hosts. If a hostname target resolves to more than one address, scan all of them. The default behavior is to scan only the first resolved address. This command will initiate a default scan against the target host and look for ports in a specified range. This command will initiate a fast scan against the target host, looking only for the top common TCP ports.
This command will initiate a scan against the target host looking for ports associated with the specified service names. If it receives a SYN/ACK packet back, this indicates the port is open. If an RST packet is received, this indicates the port is closed. If no response is received after multiple transmissions, the port is considered filtered (a device or application between the source and the target is filtering the packets). This command will initiate a TCP connect scan against the target host.
This command will initiate a UDP port scan against the target host. If a response is received, the port is classified as Open.
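As an added example (not from the original text or the Nmap project), the following Python script reads Nmap's XML output (produced with -oX) and applies the host discovery and port-state rules described above: it records the reason each host was marked up, flags hosts whose only evidence of being up was a TCP RST (the proxy-ARP false positive that --discovery-ignore-rst addresses), and lists UDP ports that Nmap reports as open|filtered because no response came back. The XML document is a constructed sample, not output from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of "nmap -oX" output; addresses are documentation ranges.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
    </ports>
  </host>
  <host><status state="up" reason="reset"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="1000"/></ports>
  </host>
  <runstats><finished elapsed="4.2"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>"""


def summarize(xml_text):
    """Return per-host state/reason/ports plus two review lists:
    hosts marked up only because of an RST, and UDP ports left ambiguous."""
    root = ET.fromstring(xml_text)
    report = {"hosts": {}, "rst_only_up": [], "udp_ambiguous": []}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        status = host.find("status")
        state, reason = status.get("state"), status.get("reason")
        ports = {}
        for port in host.iter("port"):
            st = port.find("state")
            key = f"{port.get('protocol')}/{port.get('portid')}"
            ports[key] = (st.get("state"), st.get("reason"))
            # No UDP reply means Nmap cannot tell open from filtered.
            if port.get("protocol") == "udp" and st.get("state") == "open|filtered":
                report["udp_ambiguous"].append((addr, key))
        report["hosts"][addr] = {"state": state, "reason": reason, "ports": ports}
        # An RST is normally proof of life, but proxy ARP or a middlebox can forge it.
        if state == "up" and reason == "reset":
            report["rst_only_up"].append(addr)
    stats = root.find("runstats/hosts")
    report["up"], report["total"] = int(stats.get("up")), int(stats.get("total"))
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_XML)
    print(f"{r['up']}/{r['total']} hosts up; rescan with extra probes: {r['rst_only_up']}")
```

Hosts listed under rst_only_up are candidates for a rescan with --discovery-ignore-rst plus additional probe types such as -PE or -PU.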
An INIT chunk is sent to the target port(s). If no response is received after multiple transmissions, the port is classified as filtered. The Nmap installation package comes with a front-end GUI for Nmap called Zenmap, used to control Nmap from a user interface rather than the command line.
One of the key benefits of using the GUI front-end version is the ability to save scanning profiles. You can configure a profile to include customized scanning options, scan targets, ping options, scripts, and performance options.