Nmap is one of the most powerful tools for scanning open ports, identifying services, and diagnosing a network. It is used both by system administrators for auditing and by attackers for reconnaissance. In this guide we will look at the basic commands, as well as the non-standard and suspicious scanning methods that monitoring tools can detect.
Installing Nmap
Debian/Ubuntu:
CentOS/RHEL:
macOS (Homebrew):
Windows:
Download the installer from the website nmap.org/download.html
Basic TCP scan
Scanning TCP ports (by default the 1000 most common ports):
To scan the entire range of TCP ports (0-65535):
Subnet scan
To scan the entire subnet /24:
With the speed-up option:
UDP port scanning
UDP ports attract less attention, but they are harder to scan:
To speed things up, you can limit the port range:
Aggressive and detailed scanning
To obtain service versions, the operating system, and script results:
This combination includes:
- OS detection
- Version detection
- Script scanning
- Traceroute
To save the results:
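Saved results are only useful if you can work with them afterwards. The parser below is an added example, not code from the page or from the Nmap project: it reads a report saved in Nmap's XML format (the -oX output option) and lists the open ports per host. The report embedded in it is constructed for the example and uses RFC 5737 documentation addresses, not data from a real scan.

```python
"""Parse an Nmap XML report (nmap -oX) and list open ports per host.

Added example; the sample report below is constructed and uses
documentation addresses (RFC 5737), not data from a real scan.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of the nmap -oX format, trimmed to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class PortRecord:
    host: str
    proto: str
    port: int
    state: str
    service: str
    product: str


def parse_nmap_xml(xml_text):
    """Return one PortRecord per <port> element of every host reported as up."""
    # For reports received from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            svc = port.find("service")
            records.append(PortRecord(
                host=addr,
                proto=port.get("protocol"),
                port=int(port.get("portid")),
                state=state_el.get("state") if state_el is not None else "unknown",
                service=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
            ))
    return records


def open_ports(records):
    """Keep the states Nmap treats as possibly open: 'open' and 'open|filtered'."""
    return [r for r in records if r.state.startswith("open")]


def summarize(records):
    """Map host -> sorted list of 'port/proto service' labels for open ports."""
    summary = {}
    for r in open_ports(records):
        label = f"{r.port}/{r.proto} {r.service}".rstrip()
        summary.setdefault(r.host, []).append(label)
    return {h: sorted(v) for h, v in summary.items()}


if __name__ == "__main__":
    for host, ports in summarize(parse_nmap_xml(SAMPLE_XML)).items():
        print(host, ", ".join(ports))
```

Note that UDP results usually come back as open|filtered, because a silent port and a filtered one look the same to the scanner; the summary keeps those rather than discarding them, which is why the SNMP port on the second host is listed.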
Stealthy and evasive scanning methods
Some scan types are designed to evade intrusion detection systems (IDS) or firewalls. The key techniques are:
SYN scan ("half-open")
A fast and frequently used method:
It normally requires root privileges, and many IDS solutions flag such half-open connections.
TCP Null Scan
Sends TCP packets with no flags set, which can slip past some filters:
Many systems treat such packets as an anomaly.
FIN Scan
Sends a FIN as if closing a connection that was never established; works against some operating systems:
Xmas Scan
Sets the FIN, PSH and URG flags together (the packet is "lit up" like a Christmas tree):
It is often used by attackers. Such packets can be detected with tools like iptables or Snort.
Scanning with source spoofing
To disguise the origin of the scan or bypass filters:
Combined with the -D (decoy) option, the scan is mixed with packets that appear to come from other addresses:
ICMP Ping Sweep
To check the availability of hosts:
For multiple ICMP types:
- -PE: Echo request
- -PP: Timestamp
- -PM: Netmask
A large number of such requests may be flagged by a monitoring system as suspicious activity.
Packet fragmentation
To bypass filters and firewalls:
Splits probe packets into small IP fragments, which can confuse the reassembly logic of some IDS.
How to detect such scans
- Use Snort or Suricata to detect unusual TCP flag combinations.
- iptables or firewalld logs let you track SYN floods and unusual connection attempts.
- For UDP, it is better to rely on system counters, since responses are rare.
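The flag combinations described in the stealth-scan section above map directly onto detection logic. The script below is an added example, not code from the page or from any of the tools it names: it parses iptables LOG lines (where the TCP flags appear as tokens such as SYN, FIN, PSH and URG after the RES= field), classifies each packet as null, FIN, Xmas or SYN, and reports sources that send the flagless combinations or that send SYNs to many distinct ports. The log lines embedded in it are constructed for the example and use RFC 5737 documentation addresses; the sweep threshold is an assumed value.

```python
"""Classify TCP flag combinations in iptables LOG lines and flag scan-like sources.

Added example: the log lines below are constructed in the iptables LOG format
(flags such as SYN, FIN, PSH, URG appear as separate tokens after RES=...),
using RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# SRC/DST/PROTO/SPT/DPT are fixed fields; everything after DPT is scanned for flags.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)"
)

# Constructed sample: an Xmas scan, a Null scan, a FIN scan, a SYN sweep,
# one ordinary connection attempt, and one UDP packet (no flags, but not a Null scan).
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=40 TTL=50 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=40 TTL=50 ID=2 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
kernel: IN=eth0 OUT= SRC=192.0.2.51 DST=192.0.2.10 LEN=40 TTL=50 ID=3 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 URGP=0
kernel: IN=eth0 OUT= SRC=192.0.2.52 DST=192.0.2.10 LEN=40 TTL=50 ID=4 PROTO=TCP SPT=40003 DPT=443 WINDOW=1024 RES=0x00 FIN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=50 ID=5 PROTO=TCP SPT=50000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=50 ID=6 PROTO=TCP SPT=50000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=50 ID=7 PROTO=TCP SPT=50000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=50 ID=8 PROTO=TCP SPT=50000 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=50 ID=9 PROTO=TCP SPT=50000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TTL=50 ID=10 PROTO=TCP SPT=50000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=57 ID=11 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=36 TTL=57 ID=12 PROTO=UDP SPT=5000 DPT=161 LEN=16
"""


def parse_line(line):
    """Extract addresses, protocol, ports and the set of TCP flags from one LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    flags = frozenset(tok for tok in m.group("rest").split() if tok in TCP_FLAGS)
    return {
        "src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
        "spt": int(m.group("spt")), "dpt": int(m.group("dpt")), "flags": flags,
    }


def classify_flags(flags):
    """Name the flag combination: the three stealth probes, a plain SYN, or other."""
    if not flags:
        return "null"                      # Null scan: no flags at all
    if flags == {"FIN"}:
        return "fin"                       # FIN scan: FIN on an unestablished connection
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"                      # Xmas scan: FIN+PSH+URG together
    if flags == {"SYN"}:
        return "syn"                       # normal connection start or SYN (half-open) scan
    return "other"


def analyze(lines, sweep_threshold=5):
    """Return {(src, kind): sorted destination ports} for suspicious sources.

    kind is 'null', 'fin' or 'xmas' for any packet carrying those flag sets (a
    single such packet is already anomalous), and 'syn-sweep' when one source
    sends SYNs to at least sweep_threshold distinct ports (assumed threshold).
    """
    stealth = defaultdict(set)
    syn_ports = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["proto"] != "TCP":
            continue  # UDP and unparsable lines carry no TCP flags to judge
        kind = classify_flags(pkt["flags"])
        if kind in ("null", "fin", "xmas"):
            stealth[(pkt["src"], kind)].add(pkt["dpt"])
        elif kind == "syn":
            syn_ports[pkt["src"]].add(pkt["dpt"])
    alerts = {key: sorted(ports) for key, ports in stealth.items()}
    for src, ports in syn_ports.items():
        if len(ports) >= sweep_threshold:
            alerts[(src, "syn-sweep")] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for (src, kind), ports in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{src:15} {kind:10} ports={ports}")
```

The single SYN from 203.0.113.5 is not reported: one SYN to one port is what every legitimate client sends, so the sweep rule keys on the number of distinct destination ports per source rather than on the flag alone. For the same reason the UDP line produces nothing, since "no flags" is only meaningful for TCP.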
Nmap is a powerful tool for testing network security, but its capabilities can be used for good or for harm. If you are defending a network, it is important not only to know how to scan, but also to recognize reconnaissance coming from outside.