Tools
T1046Nmap
How Nmap maps networks, what scan types produce which results, and the flags analysts actually use --- plus how to detect Nmap scans on your own network.
View on Graph
What It Is and How It Maps Networks
Nmap(Network Mapper) is an open-source tool for network discovery and security auditing.- It sends crafted packets to targets and analyzes the responses to determine which hosts are alive, which ports are open, what services are running, and what operating system the host uses.
- MITRE ATT&CK maps network service scanning to
T1046(Network Service Discovery) — attackers run Nmap to build a map of the internal network before moving laterally. - The tool has been in active development since 1997 and remains the standard for TCP/IP stack fingerprinting.
Scan Types — The Flags Analysts Actually Use
| Scan Type | Command | What It Does | How Fast | Detectable? |
|---|---|---|---|---|
| SYN scan (half-open) | nmap -sS <target> | Sends SYN, receives SYN-ACK (open) or RST (closed). Never completes the handshake. Does not touch the application layer. | Fastest (stealth) | Yes — SYN packets to multiple ports with no ACK follow-up |
| TCP connect scan | nmap -sT <target> | Completes the TCP handshake. Touches the application layer. | Fast | Yes — full connections to closed ports |
| Ping sweep | nmap -sn <subnet> | Sends ICMP echo, TCP SYN to port 443, TCP ACK to port 80, ICMP timestamp. | Very fast | Yes — ICMP + TCP probes to multiple hosts in short time |
| UDP scan | nmap -sU <target> | Sends UDP packets to ports. Open = no response or protocol-specific response. | Slow (timeouts) | Yes — UDP packets to multiple ports, ICMP Port Unreachable responses |
| Version detection | nmap -sV <target> | After finding open ports, probes each service to identify version (banner grabbing, probe responses). | Slow | Yes — banner probes to open ports |
| OS detection | nmap -O <target> | Uses TCP/IP fingerprinting (TTL, window size, DF bit, initial sequence number) to identify the OS. | Slow | Yes — distinctive TCP packet characteristics |
| Script scan | nmap -sC <target> | Runs NSE scripts against discovered services (default scripts: http-title, ssl-cert, smb-os-discovery, etc.). | Slowest | Yes — many script-specific probes |
Analysts’ Most-Used Nmap Commands
# Quick network sweep — find all live hosts on a subnet
nmap -sn 192.168.1.0/24
# Fast scan of top 1000 ports
nmap -sS -T4 192.168.1.100
# Full port range scan (1-65535)
nmap -sS -p- -T4 192.168.1.100
# Service and version detection
nmap -sV -sC 192.168.1.100
# OS detection + version + scripts + all ports
nmap -sS -sV -O -sC -p- -T4 192.168.1.100
# Output to all formats
nmap -sS -sV -oA network_scan 192.168.1.0/24
Detection — How to Spot Nmap Scans on Your Network
Detection via Network Flow / Zeek / NetFlow
Nmap scans produce a distinctive pattern in network telemetry. Whether you detect them depends on which level you can observe:
SPL query — detect SYN scan (many SYN packets without ACK responses):
index=network sourcetype=conn
| search proto=tcp
| eval conn_state = if(conn_state == "S0", "SYN_sent_no_reply", "other")
| where conn_state == "SYN_sent_no_reply"
| stats count as SynOnly by src_ip, dst_ip
| where count > 20
| eval alert = "HIGH — possible SYN scan from " . src_ip . " to " . dst_ip . " (" . count . " connections)"
SPL query — detect ping sweep (connections to multiple IPs in short window):
index=network sourcetype=conn
| timechart span=1m dc(dst_ip) as UniqueHosts by src_ip
| where UniqueHosts > 10
| eval alert = "MEDIUM — possible ping sweep from " . src_ip . " — contacted " . UniqueHosts . " hosts in 1 minute"
Detection via IDS/IPS Rules
Snort and Suricata have built-in rules for Nmap scans:
| Rule Type | What It Detects |
|---|---|
| SID 1:469 (community rules) | Nmap SYN scan — distinctive ratio of SYN-only to established connections |
| SID 1:468 | Nmap NULL scan (-sN) — TCP packets with no flags set (extremely rare in legitimate traffic) |
| SID 1:467 | Nmap FIN scan (-sF) — TCP FIN packets without prior connection (legitimate apps never do this) |
| SID 1:470 | Nmap Xmas scan (-sX) — TCP FIN+PSH+URG flags (normal traffic never sends this combination) |
| SID 1:471 | Nmap OS fingerprinting — distinctive combination of probe packets |
Detection via Zeek conn.log
Zeek’s conn.log captures TCP connection state. Nmap scans produce specific states:
| Zeek conn_state | What It Means | Nmap Scan Type |
|---|---|---|
S0 | SYN sent, no SYN/ACK or RST received | SYN scan — target port is filtered or scan rate exceeded |
REJ | SYN sent, RST received | SYN scan — target port is closed |
RSTO | Connection reset by originator | SYN scan — Nmap sent RST after receiving SYN/ACK |
SF | Normal established, clean close | TCP connect scan — full handshake completed |
Understanding Detection Limitations
| Scan Type | Detectable from… | Notes |
|---|---|---|
| SYN scan (-sS) | Network tap, firewall, IDS | Distinctive SYN→SYN-ACK→RST pattern. Most detectable common scan. |
| TCP connect (-sT) | Application logs (HTTP 200 on port 80) | Appears in web server logs if ports have services. |
| Ping sweep (-sn) | Network monitoring (many quick connections) | Easy to spot from network flow data. |
| Slow scan (-T1) | Harder — 5 minutes between probes | Defeats timing-based detectors. Only detectable over long observation periods. |
| Decoy scan (-D) | Cannot determine real source | Hides the real scanner IP among decoy IPs. Very hard to detect. |
| Fragmented scan (-f) | IDS may reassemble fragments | Evades signature-based IDS rules that look for exact patterns. Analyze with Wireshark to see fragmented probe packets. |
Analyst Reference — What Each Port Result Means
| Nmap Port State | What It Means | What the Attacker Can Do |
|---|---|---|
| open | Application is accepting connections | Direct attack surface — banner grab, version detection, exploit targeting |
| filtered | Firewall is blocking probes (no response) | Cannot reach the port — need to find alternate path or wait for firewall rule change |
| closed | No application, but host is reachable | No direct value — but confirms the host is alive |
| unfiltered | Firewall is not blocking but port state is unknown (ACK scan only) | Further investigation needed |
| open|filtered | Nmap cannot distinguish open from filtered (UDP scan) | Useless — need a different scan type |
Prevention
| Control | What It Stops | Limitations |
|---|---|---|
| Block ICMP at firewall | Basic ping sweeps | Not enough — Nmap has 6+ discovery methods besides ICMP echo |
| Rate limiting | Fast scans (SYN floods per second limited) | Does not stop slow scans |
| Stateful firewall with connection tracking | SYN scans (no ACK follow-up) | Can be evaded with TCP connect scan |
| Port knocking / hide services | External scans cannot find services | Internal scans remain a problem |
| Network segmentation | Limits blast radius of scan — attacker in VLAN 1 cannot scan VLAN 2 | Does not prevent lateral scanning within the segment |
Related
- Metasploit — detection and response for T1203 techniques
- RITA — detection and response for T1071 techniques
- Common Ports and Protocols — covers the common ports and protocols concepts
- Log Sources Overview — covers the log sources overview concepts
- Network Security Basics — detection and response for T1040, T1046 techniques
