Zenmap is a graphical user interface for Nmap, the widely used free port scanner. Here we take a closer look at the ten predefined scan profiles that ship with it. Some of them are self-explanatory, but others are easy to overlook.
Initiated in 1997 by Fyodor (Gordon Lyon), Nmap has been continuously improved upon since then. Fyodor, you’ve done an incredible job developing and supporting this fantastic program.
I. The Presets Profiles
Before we dive into the individual options, I’ll give a quick rundown of the preset profiles that Zenmap provides.
A. Intense scan
Command: nmap -T4 -A -v
This scans the most common TCP ports and should be reasonably quick. It will try to identify the OS, the running services and their versions.
That comes from using the -A option, which attempts to determine services, versions and OS, together with a fast timing template (-T4). The verbose output option (-v) gives plenty of feedback as the scan progresses.
B. Intense scan plus UDP
Command: nmap -sS -sU -T4 -A -v
The only difference from a standard Intense scan is that UDP ports will additionally be probed (-sU).
The -sS option instructs Nmap to scan TCP ports using SYN packets as well. Because this scan includes UDP ports, -sS must be explicitly defined.
C. Intense scan, all TCP ports
Command: nmap -p 1-65535 -T4 -A -v
Leave no TCP port unchecked.
Normally Nmap scans the 1000 most common ports, but this profile scans every port from 1 to 65535 (the maximum). The list of the 1000 most common ports comes from the nmap-services file.
D. Intense scan, no ping
Command: nmap -T4 -A -v -Pn
Similar to other intense scans, with the assumption that the host is online. Useful if the target is blocking ping requests, but you already know it is online.
E. Ping scan
Command: nmap -sn
Ping only the target; do not perform a port scan.
F. Quick scan
Command: nmap -T4 -F
Scans faster than the Intense scan by limiting the TCP ports probed to the 100 most common ones.
G. Quick scan plus
Command: nmap -sV -T4 -O -F --version-light
Add some version and operating system detection and you have Quick scan plus.
H. Quick traceroute
Command: nmap -sn --traceroute
Use this option to identify hosts and routers during a network scan. It will traceroute and ping every host in the target.
I. Regular scan
Command: nmap
Default everything. This indicates that a TCP SYN scan will be performed on the 1,000 most frequent TCP ports utilizing ICMP Echo request (ping) for host detection.
J. Slow comprehensive scan
Command: nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)"
This scan carries a large number of options and may look daunting at first, but once you go through the options one by one it is not that complicated. It is essentially “Intense scan plus UDP” with some extra features.
It puts considerable effort into host detection and does not give up if the initial ping attempt fails. It uses three different protocols to detect hosts: TCP, UDP and SCTP.
If a host is detected, Nmap will try to determine its OS, services and versions based on the most common TCP and UDP ports. The scan also camouflages itself by using source port 53 (DNS).
II. The Options
-T4
This is the timing template option. Values range from 0 to 5, with 0 the slowest and 5 the fastest.
So what is a timing template? Nmap’s developers essentially give the user a simple way of tuning how fast Nmap runs. The Nmap manual names the levels as follows:
0: paranoid, 1: sneaky, 2: polite, 3: normal, 4: aggressive, 5: insane
In practice this means that 1 and 2 are used for IDS evasion, 3 is the default, and 4 and 5 are very fast scans. As an example, a regular scan of a single host with -T2 took 400 seconds, while the same scan with -T5 took 0.07 seconds. See the Timing and Performance section of the manual for more details.
-A
This option makes Nmap try to identify the target’s operating system, services and versions. It also runs traceroute and NSE scripts to gather extra information. The scan is fairly noisy because it combines several scan types. The NSE scripts run are the ones in the default category.
The -A option is equivalent to applying the following options to your scan: -sC -sV -O --traceroute
-v
Increased verbosity. This gives you extra information in Nmap’s output.
-sS
TCP SYN scan. Nmap sends a TCP SYN packet just as any application opening a connection would. If the port is open the service must respond with SYN/ACK; Nmap then sends a RST instead of completing the handshake, so no connection is left half-open on the target.
-sU
Run a UDP scan. Because UDP is connectionless, it is harder to establish whether a port is open than with TCP. The UDP scan sends an empty UDP packet (no payload) to the target port. If the port is closed, the operating system should respond with an ICMP port unreachable error. If the port is open, the service may or may not respond.
-sN
TCP Null scan. This option sends TCP packets with none of the TCP flags set. If a RST packet comes back, the port is closed. If nothing comes back, the port is either filtered or open.
-sV
Actively probe open ports to determine the service and version being used. This scan against my webserver resulted in the transmission of 14 packets between the client and server, as opposed to just 2 packets during a standard SYN scan.
-p
Comma-separated list of ports or port ranges to scan. An easy way to restrict the scan to a few ports, or to widen it to e.g. every available TCP port.
-F
Fast mode. Instead of scanning as many ports as the default scan, fast mode probes only the 100 most common ports. In comparison, when I scanned in fast mode, 202 packets were transferred, whereas with the default scan (no settings), 2002 packets were transmitted. Both scans revealed that ports 80 and 22 are accessible on the target host.
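To make the port-list options concrete, here is an added example (not code from the original article or from Nmap) that reads a constructed excerpt in the nmap-services file format, ranks ports by open-frequency the way the default list (top 1000) and -F (top 100) are built, and expands a numeric -p specification such as 80,443 or 1-65535 into explicit ports. The frequency values and the port-spec grammar covered are assumptions; T:/U: prefixes and service names are not handled.

```python
import re

# Constructed excerpt in nmap-services format ("service  port/proto  open-frequency");
# the real file has thousands of lines, so these are sample values only.
NMAP_SERVICES = """\
# Fields: service name, portnum/protocol, open-frequency
http\t80/tcp\t0.484143
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669
ftp\t21/tcp\t0.197667
ssh\t22/tcp\t0.182286
smtp\t25/tcp\t0.131314
ms-wbt-server\t3389/tcp\t0.083904
snmp\t161/udp\t0.433467
domain\t53/udp\t0.213496
unknown\t40125/udp\t0.000000
"""

def top_ports(services_text, proto="tcp", n=1000):
    """Ports with the highest open-frequency for one protocol, most frequent first.
    Nmap builds its default list this way (n=1000) and the -F list (n=100)."""
    freq = {}
    for line in services_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        _name, portproto, f = line.split()[:3]
        port, p = portproto.split("/")
        if p == proto:
            freq[int(port)] = max(freq.get(int(port), 0.0), float(f))
    ranked = sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))
    return [port for port, _ in ranked][:n]

def parse_port_spec(spec):
    """Expand a numeric -p specification such as "80,443" or "1-65535" into a
    sorted list of ports (T:/U: prefixes and service names are not handled)."""
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)
```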
-O
Make Nmap attempt to determine the OS type. OS detection ranges from simple to complex and depends on many factors that cannot all be listed here. One straightforward indicator is the TTL (time to live) field of packets the OS sends: Unix systems default to 64 while Windows defaults to 128, which already separates the two families.
--traceroute
Perform a traceroute to the target.
--version-light
Limits the number of probes sent to a service during service detection (-sV and -A) to those most likely to get a successful response. If you are curious about the probes Nmap sends, the --version-trace option prints comprehensive scan information.
-PE
This option tells Nmap to use ICMP echo requests to determine whether a host is online. It is the same as pinging the target host to see whether it is up.
-PP
This specifies that instead of a conventional ICMP echo request, Nmap should send an ICMP Timestamp request when assessing if a host is up or not. This unique sort of ICMP request was once used to synchronize timestamps between connecting nodes, but has since been supplanted by the more widespread network time protocol.
-PS
Also used for host detection. It sends an empty TCP SYN packet to a port (default 80) and relies on the target answering, as the TCP standard requires. Often the simplest approach is the best one. In the predefined scans this option receives the argument 80,443, the common webserver port numbers that are often reachable on targets.
-PA
Similar to the -PS option, but this one sends a TCP packet with the ACK flag set. This should prompt the host to answer with a RST, since it is not expecting any data to be acknowledged. Firewall administrators sometimes configure the firewall to drop inbound SYN packets to block incoming connections while still letting ACK packets through.
In the predefined scans, the input 3389 is passed to this option. This is the port for the remote desktop service, which is commonly enabled on servers. When other methods of host detection fail, this may enhance the likelihood of success.
-PU
This option sends a UDP packet to the target port (default: 40125) in an attempt to elicit an “ICMP port unreachable” response from the host. Occasionally, firewalls drop only TCP packets and let UDP packets through. Some setups also permit any kind of packet when only TCP should be allowed. A sneaky technique would be to disguise your host discovery as a UDP packet on port 53 (DNS).
-PY
Very much like a TCP SYN scan, this just utilizes the SCTP (Stream Control Transmission Protocol) instead.
-g
Specify the source port to be used. Note that this is distinct from the destination port that is being scanned. The primary application for this is evading IDS or blending in with other regular data.
--script
Through NSE (the Nmap Scripting Engine), anyone can write custom scripts for Nmap. This option accepts a comma-separated list of script files, categories and directories. Because NSE also supports boolean expressions, you can tell Nmap which scripts to load in many different ways.
With the "default or (discovery and safe)" argument, Nmap loads every script in the default category, plus any script that is in both the discovery and the safe category.
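The following added example (my own illustration, not code from the article or from Nmap) evaluates the boolean part of a --script expression against a constructed catalogue of scripts and their categories, so you can see exactly which scripts "default or (discovery and safe)" selects. The script names are modelled on real NSE scripts, but the category sets, the catalogue itself and the grammar shown are assumptions; file and directory arguments of --script are not modelled.

```python
import re

# Constructed catalogue of NSE scripts and their categories: names are modelled on
# real NSE scripts, but the category sets are sample data, not read from Nmap.
SCRIPT_CATALOG = {
    "http-title": {"default", "discovery", "safe"},
    "banner":     {"discovery", "safe"},
    "http-enum":  {"discovery", "intrusive", "vuln"},
    "ssh-brute":  {"brute", "intrusive"},
    "ssl-cert":   {"default", "safe"},
}

def script_selected(expr, script, cats):
    """Evaluate a --script boolean expression for one script.  Grammar (assumed):
    or := and ("or" and)*;  and := not ("and" not)*;
    not := "not" not | "(" or ")" | name, where name is a script or category."""
    tokens = re.findall(r"\(|\)|[A-Za-z0-9_.-]+", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("invalid characters in script expression")
    def peek():
        return tokens[0] if tokens else None
    def parse_or():
        val = parse_and()
        while peek() == "or":
            tokens.pop(0); rhs = parse_and(); val = val or rhs   # parse rhs fully
        return val
    def parse_and():
        val = parse_not()
        while peek() == "and":
            tokens.pop(0); rhs = parse_not(); val = val and rhs
        return val
    def parse_not():
        tok = tokens.pop(0) if tokens else None
        if tok == "not":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if (tokens.pop(0) if tokens else None) != ")":
                raise ValueError("missing ')' in script expression")
            return val
        if tok in (None, ")", "and", "or"):
            raise ValueError(f"expected a script or category name, got {tok!r}")
        return tok == "all" or tok == script or tok in cats
    val = parse_or()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return val

def select_scripts(expr, catalog=SCRIPT_CATALOG):
    return sorted(n for n, cats in catalog.items() if script_selected(expr, n, cats))
```

Note that the `default` clause is what pulls in ssl-cert in this sample catalogue; "discovery and safe" alone would not select it.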
-Pn
Assume the host is up thus skipping the host discovery phase.
-sn
Send only ping packets to the target; do not perform port scanning. This is useful if you need to determine which hosts are nearby, but do not wish to scan them at this time. Not to be confused with the TCP Null scan (-sN) option; Nmap is case sensitive.