So what exactly is Nmap? Nmap is a Linux-based (though now available on Windows as well) terminal/command-line application used for port scanning, as well as vulnerability scanning. Nmap can also detect operating systems and OS versions, as well as MAC addresses (and by using the "Organizationally Unique Identifier" within the MAC address it can in turn tell you the device type as well). Focusing in on the scanning aspect, Nmap comes with a plethora of different options for the types of scans it can do and the settings associated with those scans.
-sS stealth scan - The key difference between a stealth scan and a regular scan is that it does not complete the 3-way TCP handshake. A completed 3-way TCP handshake is what would normally occur as the result of a normal (non-stealth) port scan, but the problem with that is that it gets saved in network monitoring logs, triggering alerts and giving the defensive/blue team the upper hand in spotting you as the pentester. The goal of the stealth scan is just that: to go in unnoticed as you compile information about the target system and sneak out without ever having been detected.
The stealth scan begins with the sending of a SYN packet to the victim/target machine, with the victim/target machine then responding with a SYN/ACK packet, at which point the attacking machine returns an RST (reset) packet, a packet which signifies that it will not accept or receive any more data. This is in contrast to our attacking machine returning an ACK packet to the victim/target, which would instead mark the completion of the data/packet transfer process as part of the normal non-stealth scan. When we talk about SYN, SYN/ACK, ACK and RST packets, we are referring to data that can be viewed in a packet sniffer/network traffic analyzer such as the very common Wireshark (shown in the screenshot below).
In essence, because the data transfer was never fully completed in the scenario we are referring to, it's not easily detectable, even by the defense. An even better breakdown of how Nmap's popular stealth scan works can be found on the official Nmap site: https://nmap.org/book/synscan.html

For a listing and explanation of all the types of scans Nmap can run, this link is a great resource: https://nmap.org/book/port-scanning-options.html

But I would be remiss if I failed to mention that the manual built into Nmap is a highly detailed and very helpful resource as well. Just be ready to do some reading, because it is stacked with details. The command is man nmap. Here is a screenshot from the built-in man nmap manual discussing port statuses in Nmap's output after a scan:

A handy cheat sheet of all the different types of Nmap options (beyond just scans) can be found here:
https://www.tutorialspoint.com/nmap-cheat-sheet
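To show what the SYN / SYN-ACK / RST exchange above looks like from the defender's side, here is an added example (not from the original post or the Nmap project) that groups a constructed packet capture into flows, labels each flow the way Nmap's open/closed/filtered statuses would, and flags clients that repeatedly open connections and reset them without ever sending the final ACK. The sample packets, addresses and the two-port threshold are all made up for the demonstration.

```python
from collections import defaultdict

# Constructed sample capture: (src_ip, src_port, dst_ip, dst_port, flags).
# Flags are the TCP control bits written the way Wireshark labels them.
SAMPLE_PACKETS = [
    # 10.0.0.5 probes four ports on 10.0.0.9 the way a -sS scan does
    ("10.0.0.5", 40001, "10.0.0.9", 22, "SYN"),
    ("10.0.0.9", 22, "10.0.0.5", 40001, "SYN/ACK"),
    ("10.0.0.5", 40001, "10.0.0.9", 22, "RST"),       # open port, torn down
    ("10.0.0.5", 40002, "10.0.0.9", 80, "SYN"),
    ("10.0.0.9", 80, "10.0.0.5", 40002, "SYN/ACK"),
    ("10.0.0.5", 40002, "10.0.0.9", 80, "RST"),       # open port, torn down
    ("10.0.0.5", 40003, "10.0.0.9", 443, "SYN"),
    ("10.0.0.9", 443, "10.0.0.5", 40003, "RST/ACK"),  # closed port
    ("10.0.0.5", 40004, "10.0.0.9", 8080, "SYN"),     # no reply: filtered
    # 10.0.0.7 is an ordinary client completing the handshake to port 80
    ("10.0.0.7", 50001, "10.0.0.9", 80, "SYN"),
    ("10.0.0.9", 80, "10.0.0.7", 50001, "SYN/ACK"),
    ("10.0.0.7", 50001, "10.0.0.9", 80, "ACK"),
]

def group_flows(packets):
    """Return {(client, cport, server, sport): [flags, ...]} for each SYN-initiated flow."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        if (src, sport, dst, dport) in flows:        # client -> server packet
            flows[(src, sport, dst, dport)].append(flags)
        elif (dst, dport, src, sport) in flows:      # server -> client packet
            flows[(dst, dport, src, sport)].append(flags)
        elif flags == "SYN":                         # new connection attempt
            flows[(src, sport, dst, dport)] = [flags]
    return flows

def classify(flags):
    """Label one flow from its flag sequence (the first entry is always SYN)."""
    if len(flags) == 1:
        return "no-response"          # Nmap would report the port as filtered
    if flags[1] == "RST/ACK":
        return "closed"               # server refused the connection
    if flags[1] == "SYN/ACK" and len(flags) > 2:
        if flags[2] == "ACK":
            return "open-completed"   # normal client handshake
        if flags[2] == "RST":
            return "open-half-open"   # the stealth-scan signature
    return "other"

def suspected_scanners(packets, min_probes=2):
    """Clients that reset at least `min_probes` distinct open ports on one server."""
    half_open = defaultdict(set)
    for (client, _cp, server, port), flags in group_flows(packets).items():
        if classify(flags) == "open-half-open":
            half_open[(client, server)].add(port)
    return sorted(c for (c, _s), ports in half_open.items() if len(ports) >= min_probes)
```

A single half-open connection is normal (clients abort all the time), which is why the detection counts distinct ports per client/server pair rather than alerting on one reset.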