Tools

T1046

Nmap

How Nmap maps networks, what scan types produce which results, and the flags analysts actually use --- plus how to detect Nmap scans on your own network.

View on Graph

What It Is and How It Maps Networks

  • Nmap (Network Mapper) is an open-source tool for network discovery and security auditing.
  • It sends crafted packets to targets and analyzes the responses to determine which hosts are alive, which ports are open, what services are running, and what operating system the host uses.
  • MITRE ATT&CK maps network service scanning to T1046 (Network Service Discovery) — attackers run Nmap to build a map of the internal network before moving laterally.
  • The tool has been in active development since 1997 and remains the standard for TCP/IP stack fingerprinting.

Scan Types — The Flags Analysts Actually Use

Scan TypeCommandWhat It DoesHow FastDetectable?
SYN scan (half-open)nmap -sS <target>Sends SYN, receives SYN-ACK (open) or RST (closed). Never completes the handshake. Does not touch the application layer.Fastest (stealth)Yes — SYN packets to multiple ports with no ACK follow-up
TCP connect scannmap -sT <target>Completes the TCP handshake. Touches the application layer.FastYes — full connections to closed ports
Ping sweepnmap -sn <subnet>Sends ICMP echo, TCP SYN to port 443, TCP ACK to port 80, ICMP timestamp.Very fastYes — ICMP + TCP probes to multiple hosts in short time
UDP scannmap -sU <target>Sends UDP packets to ports. Open = no response or protocol-specific response.Slow (timeouts)Yes — UDP packets to multiple ports, ICMP Port Unreachable responses
Version detectionnmap -sV <target>After finding open ports, probes each service to identify version (banner grabbing, probe responses).SlowYes — banner probes to open ports
OS detectionnmap -O <target>Uses TCP/IP fingerprinting (TTL, window size, DF bit, initial sequence number) to identify the OS.SlowYes — distinctive TCP packet characteristics
Script scannmap -sC <target>Runs NSE scripts against discovered services (default scripts: http-title, ssl-cert, smb-os-discovery, etc.).SlowestYes — many script-specific probes

Analysts’ Most-Used Nmap Commands

# Quick network sweep — find all live hosts on a subnet
nmap -sn 192.168.1.0/24

# Fast scan of top 1000 ports
nmap -sS -T4 192.168.1.100

# Full port range scan (1-65535)
nmap -sS -p- -T4 192.168.1.100

# Service and version detection
nmap -sV -sC 192.168.1.100

# OS detection + version + scripts + all ports
nmap -sS -sV -O -sC -p- -T4 192.168.1.100

# Output to all formats
nmap -sS -sV -oA network_scan 192.168.1.0/24

Detection — How to Spot Nmap Scans on Your Network

Detection via Network Flow / Zeek / NetFlow

Nmap scans produce a distinctive pattern in network telemetry. Whether you detect them depends on which level you can observe:

SPL query — detect SYN scan (many SYN packets without ACK responses):

index=network sourcetype=conn
| search proto=tcp
| eval conn_state = if(conn_state == "S0", "SYN_sent_no_reply", "other")
| where conn_state == "SYN_sent_no_reply"
| stats count as SynOnly by src_ip, dst_ip
| where count > 20
| eval alert = "HIGH — possible SYN scan from " . src_ip . " to " . dst_ip . " (" . count . " connections)"

SPL query — detect ping sweep (connections to multiple IPs in short window):

index=network sourcetype=conn
| timechart span=1m dc(dst_ip) as UniqueHosts by src_ip
| where UniqueHosts > 10
| eval alert = "MEDIUM — possible ping sweep from " . src_ip . " — contacted " . UniqueHosts . " hosts in 1 minute"

Detection via IDS/IPS Rules

Snort and Suricata have built-in rules for Nmap scans:

Rule TypeWhat It Detects
SID 1:469 (community rules)Nmap SYN scan — distinctive ratio of SYN-only to established connections
SID 1:468Nmap NULL scan (-sN) — TCP packets with no flags set (extremely rare in legitimate traffic)
SID 1:467Nmap FIN scan (-sF) — TCP FIN packets without prior connection (legitimate apps never do this)
SID 1:470Nmap Xmas scan (-sX) — TCP FIN+PSH+URG flags (normal traffic never sends this combination)
SID 1:471Nmap OS fingerprinting — distinctive combination of probe packets

Detection via Zeek conn.log

Zeek’s conn.log captures TCP connection state. Nmap scans produce specific states:

Zeek conn_stateWhat It MeansNmap Scan Type
S0SYN sent, no SYN/ACK or RST receivedSYN scan — target port is filtered or scan rate exceeded
REJSYN sent, RST receivedSYN scan — target port is closed
RSTOConnection reset by originatorSYN scan — Nmap sent RST after receiving SYN/ACK
SFNormal established, clean closeTCP connect scan — full handshake completed

Understanding Detection Limitations

Scan TypeDetectable from…Notes
SYN scan (-sS)Network tap, firewall, IDSDistinctive SYN→SYN-ACK→RST pattern. Most detectable common scan.
TCP connect (-sT)Application logs (HTTP 200 on port 80)Appears in web server logs if ports have services.
Ping sweep (-sn)Network monitoring (many quick connections)Easy to spot from network flow data.
Slow scan (-T1)Harder — 5 minutes between probesDefeats timing-based detectors. Only detectable over long observation periods.
Decoy scan (-D)Cannot determine real sourceHides the real scanner IP among decoy IPs. Very hard to detect.
Fragmented scan (-f)IDS may reassemble fragmentsEvades signature-based IDS rules that look for exact patterns. Analyze with Wireshark to see fragmented probe packets.

Analyst Reference — What Each Port Result Means

Nmap Port StateWhat It MeansWhat the Attacker Can Do
openApplication is accepting connectionsDirect attack surface — banner grab, version detection, exploit targeting
filteredFirewall is blocking probes (no response)Cannot reach the port — need to find alternate path or wait for firewall rule change
closedNo application, but host is reachableNo direct value — but confirms the host is alive
unfilteredFirewall is not blocking but port state is unknown (ACK scan only)Further investigation needed
open|filteredNmap cannot distinguish open from filtered (UDP scan)Useless — need a different scan type

Prevention

ControlWhat It StopsLimitations
Block ICMP at firewallBasic ping sweepsNot enough — Nmap has 6+ discovery methods besides ICMP echo
Rate limitingFast scans (SYN floods per second limited)Does not stop slow scans
Stateful firewall with connection trackingSYN scans (no ACK follow-up)Can be evaded with TCP connect scan
Port knocking / hide servicesExternal scans cannot find servicesInternal scans remain a problem
Network segmentationLimits blast radius of scan — attacker in VLAN 1 cannot scan VLAN 2Does not prevent lateral scanning within the segment

Sources