Tactical Briefing: Mapping the Digital Terrain
Nmap (Network Mapper) is the definitive reconnaissance engine for infrastructure auditing. It operates by sending raw, crafted IP packets to a target network to extract three fundamental truths: Host Presence (Who is alive?), Service Status (What ports are open?), and Asset Attributes (What OS or software version is running?).
In a tactical environment, Nmap is used to baseline the network. By comparing current scans against known "Gold Images" of the infrastructure, analysts can instantly spot rogue assets, unauthorized changes, or misconfigured services that create an attack surface.
Mission Parameters
- Scope: Layer 3 (IP) and Layer 4 (TCP/UDP)
- Mode: Active (Sends probes)
- Subnet Pivot: Automatic ARP discovery on L2
- Scalability: Single IP to Class A Subnets
Asset Enumeration
Building a complete inventory of every device on a subnet, including "invisible" infrastructure like printers, IoT cameras, and management controllers.
Vuln Correlation
Matching service versions (e.g., Apache 2.4.41) against CVE databases to determine exploitability without running a destructive payload.
Compliance Auditing
Automated checking for unauthorized services (like FTP or Telnet) and verifying that administrative ports are restricted to internal VPN ranges.
Operational Lifecycle
Discovery (Is it there?) -> Enumeration (What does it do?) -> Verification (Is it vulnerable or misconfigured?).
CLI vs. GUI (Zenmap)
CLI: Native terminal version used for raw speed and scriptability. Zenmap: Official GUI for topology mapping and profile management.
Defenders vs Attackers: Operation Context
Understanding how both sides leverage packet analysis is key to identifying hostile intent within a capture.
Blue Team / Defenders
Discovering rogue devices, unauthorized IoT hubs, or "personal" routers plugged into the enterprise network.
Verifying that firewall rules are correctly blocking ports (e.g., verifying port 3389 is closed to the internet).
Running aggressive internal scans to verify that monitoring sensors correctly fire alerts and that the SIEM is ingesting high-volume events.
Red Team / Attackers
Utilizing decoys (-D) or packet fragmentation (-f) to hide the attacker's true IP address among a flood of fake scan packets.
Using the Nmap Scripting Engine (NSE) to find CVEs and misconfigured services during active recon.
Scanning the public internet from inside the victim's network to identify which outbound ports (like 53 or 443) are allowed for C2 tunneling.
Strategic Mechanics: The Wire Reality
The Local Subnet Exception
When Nmap scans a host on the same Ethernet segment, it skips ICMP/TCP pings and uses ARP. Why? ARP is Layer 2, faster, and much harder for local firewalls to block than Layer 3 probes.
The "Filtered" Paradox
A "Filtered" port means Nmap received no response. This could be a sophisticated firewall dropping packets silently, or it could be a transient network failure. To an attacker, Filtered is often more interesting than Closed.
Privilege Logic: The Sudo Advantage
Running Nmap as Root/Sudo allows the tool to use Raw Sockets. This enables it to craft the specific, non-standard TCP/UDP packets required for SYN Stealth scans and OS Fingerprinting.
Environmental Noise & Reliability
As the target moves further away (higher hop count), the accuracy of OS fingerprinting drops. Tactical scans must account for network congestion to avoid "false-closed" results.
Timing & Stealth Calibration
Nmap uses Timing Templates ($T0$-$T5$) to control scan speed and probe frequency.
Stealth Path (T0 - T2)
Serial scanning with multi-minute delays. Used for bypassing threshold-based IDS alerts and avoiding network saturation.
Operational Path (T3 - T4)
Standard parallel scanning. Optimized for speed and reliability. Most common path for technical audits.
Hostile Path (T5)
"Insane" speed. Sends probes as fast as the stack allows. Extremely noisy; guaranteed to trigger most IDS systems.
Advanced Tactical Features
Nmap's engine extends beyond simple port scanning into automated vulnerability research and deep packet manipulation.
Nmap Scripting Engine (NSE)
Automates network tasks: vulnerability detection, backdoor discovery, and advanced exploitation via Lua scripts.
Usage: --script [category]
Case: Running --script vuln to automatically find MS17-010 (EternalBlue) signatures.
OS Fingerprinting
Analyzes TCP/IP stack responses (window size, options, TTL) to determine the host's operating system.
Usage: -O
Case: Identifying a legacy Windows XP machine acting as an insecure industrial controller.
Idle Scan (-sI)
The ultimate stealth scan. Uses a "zombie" host to probe the target, making the scan appear to originate from a third party.
Usage: -sI [zombie_ip] [target]
Case: Scanning a target while hiding the attacker's IP entirely behind a silent network printer.
Timing Templates
Controls scan speed. T0 (Paranoid) is used for IDS evasion; T5 (Insane) is used for maximum internal speed.
Usage: -T[0-5]
Case: Using T1 (Sneaky) to stay under the threshold of a basic threshold-based IDS alert.
Decoy Scanning (-D)
Sends probes from multiple spoofed IP addresses alongside your own, flooding the target's logs with false positives.
Usage: -D RND:10 [target]
Case: Obscuring a real scan by surrounding it with 10 random "phantom" scanners.
Packet Fragmentation
Splits TCP headers into tiny fragments to bypass simple signature-based firewalls that lack reassembly logic.
Usage: -f --mtu 8
Case: Bypassing a stateless firewall that doesn't inspect fragmented packet streams.
Version Intensity
Controls the depth of version probing. Higher levels send more complex probes to verify elusive services.
Usage: --version-intensity [0-9]
Case: Digging deep to identify a heavily customized SSH banner on a hardened server.
Format Export
Outputs results into Normal (-oN), XML (-oX), or "Grepable" (-oG) formats for tool-chain integration.
Usage: -oA [filename]
Case: Exporting XML to automatically import scan results into a Metasploit database.
Scan Mechanics & Packet Logic
Mastery requires understanding the bit-level expectations of each probe type and interpreting the "inverted" logic of response packets.
| Scan Type | Flag | Probe Logic (The Packet) | Interpretation (The Response) |
|---|---|---|---|
| SYN Stealth | -sS | Sends SYN. Waits for SYN/ACK. | Sends RST immediately to kill socket before OS-level logging. |
| Connect Scan | -sT | Full 3-way handshake (SYN+ACK+ACK). | Completes connection. Logged by almost all application services. |
| NULL Scan | -sN | Sends packet with ZERO bits set. | Open: No response. Closed: RST returned. (RFC 793 Paradox) |
| FIN Scan | -sF | Sets only the FIN bit. | Open: No response. Closed: RST returned. (Bypasses simple firewalls) |
| XMAS Scan | -sX | Sets FIN, PSH, and URG bits. | Open: No response. Closed: RST returned. (Highly visible to IDS) |
| ACK Scan | -sA | Sets only the ACK bit. | Maps Firewall Rules. RST = Unfiltered; No Response = Filtered. |
| Window Scan | -sW | Analyzes TCP Window field of RST. | Exploits OS stack implementation quirks to identify Open/Closed states. |
| Maimon Scan | -sM | Sets FIN and ACK bits. | Specialized probe to bypass legacy BSD-based stateful firewalls. |
| Custom Scan | --scanflags | User-defined bit combinations. | Used for custom protocol state exploration and advanced bypass research. |
| UDP Scan | -sU | Sends raw UDP packet (Empty/DNS). | Open: Response. Closed: ICMP Port Unreachable. |
Port State: Analysis
- OPEN: Received SYN/ACK or Application Response.
- CLOSED: Received RST (Reset).
- FILTERED: No response (Drop) OR ICMP Admin Prohibited.
- UNFILTERED: (ACK scan only) RST received, port is reachable.
The RFC 793 Paradox
NULL, FIN, and XMAS scans exploit a rule: any packet not containing SYN, RST, or ACK should be ignored if the port is open and responded to with RST if closed. Highly effective against simple firewalls.
Adaptive Re-transmission
Nmap automatically adjusts timing based on network performance. If it detects drops, it will slow down and retry probes (--max-retries) to distinguish between a firewall and congestion.
Custom Packet Crafting
Using --data-length adds random bytes to the payload. This changes the "signature" of the packet, often bypassing legacy signature-based IDS that only look for default sizes.
Terminal Recon Simulator
Execute tactical Nmap commands to see actual stdout output behavior and analytical breakdowns.
Select a tactical scenario below to initialize recon.
Tactical Command Library
A comprehensive mission-ready library for professional field operations. Use the icon to copy to clipboard.
1. Discovery & Enumeration
Ping Sweep: Discover live hosts without port scanning.
No-Ping: Force scan targets that block ICMP Echo.
SYN Ping: Probe specific TCP ports for host vitality.
ACK Ping: Attempt to bypass stateless firewalls via ACK.
UDP Ping: Find live hosts by probing UDP ports (like DNS).
2. Advanced Target Selection
Input List: Scan file targets but skip specific sensitive IPs.
Random Recon: Scan 100 random internet hosts for port 80.
Bulk Exclusion: Reference a file of prohibited targets.
Manual Range: Scan a specific range and a single host.
Domain CIDR: Resolve domain and scan its entire subnet.
3. Surface Mapping
Common Ground: Scan the 1000 most common ports.
Mixed Protocol: Probe specific UDP and TCP ports simultaneously.
Fast Mode: Quick scan of the top 100 ports only.
Legacy Range: Scan all well-known ports.
Critical Scan: Only probe the 20 most statistical 'entry points'.
4. Version & OS Intelligence
Light Versioning: Fast identification of common service banners.
Restricted OS: Fingerprint only if one open port exists.
Heavy Versioning: Max probes to identify obscure services.
The Kitchen Sink: Aggressive OS, version, and script recon.
Balanced Versioning: Medium intensity (default level).
5. Evasion & Stealth
Stack Obfuscation: Fragment headers and add random payload data.
Proxy Pivot: Bounce the scan through a legitimate gateway.
IP Spoof: Fake your source address to frame another host.
Checksum Attack: Use invalid packets to test WAF/IDS logic.
DNS Masquerade: Impersonate DNS traffic to bypass ACLs.
6. NSE Script Workflows
Script Intel: Show help for all SSL related scripts.
Web Audit: Fetch page titles and common directories.
Non-Destructive: Only run scripts that won't crash services.
Recon script: Passive discovery scripts for the target.
High Risk: Use only if you have permission to crash services.
7. Service-Specific Auditing
SMB Check: Specifically probe for EternalBlue exploit.
DB Recon: Extract MySQL server info and status.
VHost Enum: Find hidden subdomains sharing an IP.
Mail Recon: List all SMTP commands supported by server.
SNMP Attack: Brute force common community strings.
8. Performance & Timing
Host Timeout: Give up on a host if it takes over 30m.
Concurrency: Control the number of parallel probes.
Efficiency Tuning: Fast scan, low retry overhead.
Force Speed: Ensure at least 10 probes are always active.
Aggressive Stealth: Enforce a 5s delay between probes.
9. Forensic Debugging
Packet Trace: Watch every raw ethernet frame being sent.
Debug Level: Increase verbosity to see port logic.
High Verbosity: Double the logging detail in terminal.
Interface List: Show local network interfaces and routing.
Persistence: Resume an aborted scan from a log file.