← Back to home
Nmap Reconocimiento Pentesting TCP/IP NSE
Advanced

Nmap: Network Reconnaissance & Scanning

Mar 1, 2022

Nmap (Network Mapper) is the industry standard for network discovery and security auditing. It's not just a port scanner; it's a complex tool capable of evading firewalls, interacting directly with the TCP/IP stack for OS fingerprinting, and executing exploit scripts.

1. The Foundation: TCP 3-Way Handshake

To understand Nmap, you must understand TCP. A normal connection follows three steps: SYN (Request), SYN-ACK (Acknowledge), and ACK (Confirm).

TCP Connect Scan (-sT) vs SYN Stealth Scan (-sS)

The Connect (-sT) scan completes all 3 steps, logging your IP on the target server. The SYN Scan (-sS) (default for root) sends the SYN, receives the SYN-ACK, but immediately sends an RST (Reset) instead of an ACK. The connection is aborted before it's established, effectively bypassing older firewalls and application logs.

2. Advanced Host Discovery

Modern firewalls block standard ICMP Pings. Nmap offers alternative ways to check if a host is alive:

# Basic Ping sweep (Disable port scan):
nmap -sn 192.168.1.0/24

# TCP ACK ping on port 80 (Bypass ICMP blocks):
nmap -sn -PA80 192.168.1.0/24

# Assume host is up (Crucial if firewall blocks all ping sweeps):
nmap -Pn 192.168.1.10

3. Advanced Firewall & IDS Evasion

Intrusion Detection Systems (IDS) catch Nmap patterns easily. Here is your stealth arsenal:

# 1. Packet Fragmentation (Splits TCP headers into 8-byte chunks):
nmap -f 192.168.1.10

# 2. Decoys (Hide your IP among fake IPs like Google and random ones):
nmap -D 8.8.8.8,10.0.0.1,RND:5,ME 192.168.1.10

# 3. MAC Spoofing (Bypass Layer 2 NACs):
nmap --spoof-mac Apple 192.168.1.10

# 4. Source Port Manipulation (Firewalls often trust DNS/HTTP ports blindly):
nmap --source-port 53 192.168.1.10

πŸ”΄ Scan Forensics Analysis

Scanning is only 10% of the job; interpreting the data is the other 90%. I've captured the output of a noisy Nmap scan against a corporate server. Analyze the log and find the three critical security breaches to get the flag.

>_ START CTF 10 CHALLENGE

4. Performance & Timing Tuning

# Timing templates (T0 to T5):
nmap -T4 192.168.1.10  # Fast, recommended for reliable LANs.

# Deep granular control:
# Force Nmap to send at least 1000 packets per second:
nmap --min-rate 1000 192.168.1.10

# Limit retries for dropped packets to speed up scans:
nmap --max-retries 1 192.168.1.10

5. Nmap Scripting Engine (NSE)

Nmap includes over 600 Lua scripts divided into categories like vuln, exploit, brute.

# Check known vulnerabilities on specific services:
nmap --script vuln -p 443 192.168.1.10

# Web directory fuzzing built into Nmap:
nmap --script http-enum -p 80 192.168.1.10