Port scanning with nmap


If you're not familiar with TCP/IP, read my other tutorial, All about IP.



  1. Download eEye's NT port of nmap from here
  2. Unzip the package, and add the packet driver: In W2K, right-click on My Network Places | Properties, double-click on Local Area Network; In LAN Status, click on Properties, followed by Install... . Select Protocol | Add... , and aim at where the package was unzipped, eg. c:\Download\Nmap NT\DRIVERS\Packet2K\Packet_2k.inf. A new protocol is displayed: "Packet driver capture v 2.02". Reboot.



Checking for open ports

-sT is scanning with the standard, three way TCP handshake (SYN, SYN/ACK, ACK), and thus, is just too obvious if you don't want admins on the remote host to know that you're scanning their host.

-sS is a more discrete way to scan for open ports; It uses half open SYN segments: SYNC > SYN/ACK > RESET if the remote port is open, and SYNC > RESET if the remote port is closed.

-sF, -sX, -sN all take advantage of the fact that a standard IP stack should answer RESET when a closed port is probed with a FIN packet, but not return anything if a process is listening on the port. Windows is said not to respond correctly due to a non-standard behavior of its IP stack.

Specifying an interface

In case your host has more than one interface, use -e to specify through which interface nmap should probe the remote host