NMAP Flag Guide: What They Are, When to Use Them
| certifications | security - Graeme Messina

Nmap is one of the most used and well-known networking tools in information security. In fact, CompTIA's PenTest+ exam specifically tests users on their Nmap knowledge. And if you want to understand Nmap well, you need to know what flags are and how you use them.

Quite simply, Nmap flags are the parameters that Nmap uses to accomplish certain objectives. What isn't so simple is how to use them. There are many variations of Nmap commands, and the parameters or flags help you tell Nmap exactly what you are trying to do.

Nmap is not only a powerful and versatile tool, but it runs directly from the command line in Windows, Linux, and even macOS. Nmap is used far and wide, and can even be seen on screen being used by TV and movie hackers. Nmap has made appearances in movies like The Matrix, Ocean's 8, and The Bourne Ultimatum. Movie consultants obviously know the power of Nmap.

Let's look at some of the most common flags that you should know, especially if you plan to tackle the PenTest+.

Nmap: An Essential Penetration Testing Tool

Exam Objective 4.0 of the CompTIA PenTest+ requires that candidates have Nmap knowledge to be successful. The bare requirements outlined by this exam objective must be understood if the candidate hopes to pass the exam. We will look at all of these and dive into some other popular Nmap flags.

So, what can you do with Nmap anyway? Many of Nmap's features are hinted at in its name, which is short for Network Mapper. Nmap functions as a network discovery and security auditing tool all rolled up into one. It can detect open ports, running services as well as their versions, operating system type and version, and packet routing and host monitoring. It's a tool aspiring pentesters need to be familiar with.

Command Analysis with Flags

Let's take a look at an example Nmap command and then break it down into its basic components. Here's an example:

nmap -sT -sV -Pn -p 1-60000 -T2 -oA testscan scanme.nmap.org

That is quite a command. Each of the hyphenated parameters is an Nmap flag, and each one has its own special purpose. Below is an explanation of what each one does in our sample command above.

The first flag (-sT) invokes a TCP connect scan.

The next flag (-sV) tries to find out which services, and which versions of them, are running on the target.

The third flag (-Pn) disables the ping (host discovery) step, so Nmap treats the target as online and goes straight to scanning ports.

The fourth flag (-p 1-60000) runs a port scan from port 1 to port 60000.

The fifth flag (-T2) selects Nmap's "polite" timing template, which slows the scan down in the hope of getting past intrusion detection software unnoticed.

The sixth and final flag (-oA) specifies all output file types, and 'testscan' is the filename variable for the output files from your scan. The scan will generate 3 different files called:

  • testscan.nmap
  • testscan.xml
  • testscan.gnmap

At the very end of the command is our target that will be scanned. scanme.nmap.org is a test site that allows you to scan it with Nmap as a practical example of how Nmap works. There are a few exceptions though, as noted on the page itself:

"Hello, and welcome to Scanme.Nmap.Org, a service provided by the Nmap Security Scanner Project and Insecure.Org.

We set up this machine to help folks learn about Nmap and also to test and make sure that their Nmap installation (or Internet connection) is working properly. You are authorized to scan this machine with Nmap or other port scanners. Try not to hammer on the server too hard. A few scans in a day is fine, but don't scan 100 times a day or use this site to test your ssh brute-force password cracking tool."

Be mindful of this request when testing out the commands for yourself.

5 Nmap Flag Variations: Scanning, Discovery, Ports, Services, Output

Part of the reason that Nmap has been so widely adopted is the fact that it is very customizable from scan to scan. You can plan your scans out and pinpoint a lot of different parameters, giving you a flexible platform to study your target systems from. If you want a full breakdown of the flags, read more in the Nmap Reference Guide on the Nmap website.

Scanning Flags: What You Should Know

These flags all start with a hyphen, followed by a lowercase 's', then an uppercase letter.

What Do Nmap Scanning Flags Do?

These flags are used for scanning port-related information about target hosts. If you know which ports are open, then you have a potential opening to get into the system, so pentesters rely heavily on this kind of Nmap query.

Why are Nmap Scanning Flags Important?

These are important because they not only reveal information about which ports are open, but also about port states on a target machine. The more information a pentester has about a target, the better.

When Would You Use Nmap Scanning Flags?

The flags would be used at any stage of a pentest as the results that they generate are vast. Learning about scanning flags is essential for any type of penetration testing. Here are some examples of scanning flags:


-sS

The TCP SYN port scan allows you to determine the state of the port without connecting fully to the target system. This comes in handy when you are scanning a target for open ports without revealing yourself to your test subject.


-sT

The TCP connect port scan lets you detect open TCP ports. This scan method allows for a more granular approach to detecting open ports. A pentester might want to start with a TCP scan, and then move onto a UDP scan afterward.


-sU

The UDP port scan sends a UDP packet to determine what state the UDP port is in. Much like a TCP scan, the UDP scan reveals open ports that are able to accept UDP requests. This could be a security risk if open UDP ports are present, but not known to the owner of the computer.


-sA

A TCP ACK port scan determines if a port is stateful and/or filtered. What does that mean? Well, it relates to firewalls and can give a skilled attacker deeper insight into the security appliances that are protecting a target network.
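
The difference between a SYN scan and a connect scan is visible to anyone watching the target's traffic. The following added example (not part of the original article) labels TCP exchanges the way a network sensor could, and lists clients that abandon the handshake on several ports. The packet records, addresses, label names and the min_ports threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summaries as a sensor might record them:
# (client, server, server_port, sender, tcp_flags). Addresses are documentation ranges.
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 22, "client", "S"),
    ("198.51.100.7", "192.0.2.10", 22, "server", "SA"),
    ("198.51.100.7", "192.0.2.10", 22, "client", "R"),    # handshake abandoned
    ("198.51.100.7", "192.0.2.10", 80, "client", "S"),
    ("198.51.100.7", "192.0.2.10", 80, "server", "SA"),
    ("198.51.100.7", "192.0.2.10", 80, "client", "R"),
    ("198.51.100.7", "192.0.2.10", 23, "client", "S"),
    ("198.51.100.7", "192.0.2.10", 23, "server", "RA"),   # closed port answers RST/ACK
    ("198.51.100.7", "192.0.2.10", 25, "client", "S"),    # no reply at all
    ("203.0.113.5", "192.0.2.10", 443, "client", "S"),
    ("203.0.113.5", "192.0.2.10", 443, "server", "SA"),
    ("203.0.113.5", "192.0.2.10", 443, "client", "A"),    # handshake completed
]

def classify_flows(packets):
    """Group packets per (client, server, port) and label each exchange."""
    flows = defaultdict(list)
    for client, server, port, sender, flags in packets:
        flows[(client, server, port)].append((sender, flags))
    labels = {}
    for key, seq in flows.items():
        if seq[:2] == [("client", "S"), ("server", "SA")]:
            third = seq[2] if len(seq) > 2 else None
            if third == ("client", "R"):
                labels[key] = "open, half-open probe"      # pattern left by -sS
            elif third == ("client", "A"):
                labels[key] = "open, full connection"      # -sT or an ordinary client
            else:
                labels[key] = "open, handshake incomplete"
        elif seq[:2] == [("client", "S"), ("server", "RA")]:
            labels[key] = "closed"
        elif seq == [("client", "S")]:
            labels[key] = "filtered or dropped"
        else:
            labels[key] = "other"
    return labels

def half_open_sources(labels, min_ports=2):
    """Return clients that left half-open probes on at least min_ports ports."""
    ports = defaultdict(set)
    for (client, _server, port), label in labels.items():
        if label == "open, half-open probe":
            ports[client].add(port)
    return {c: sorted(p) for c, p in ports.items() if len(p) >= min_ports}
```

A full connection on a single port is indistinguishable from normal use, so a connect scan has to be recognised by how many ports one client touches rather than by the handshake itself.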

Host Discovery Flags: What You Should Know

These flags help specify more particular options when scanning target machines.

What Do Host Discovery Flags Do?

These flags reveal information about the target machine. A pentester can establish the machine state without using the ping command, run quick scans of ports, and even run ARP-based scans that reveal hardware addresses.

Why Are Host Discovery Flags Important?

These scans are important when trying to reveal information about the test environment. It is important to be able to check the state of a target without using the ping command for a few reasons. The main reasons are that ICMP is sometimes disabled on a host machine, and sometimes mitigation is put in place to alert security teams about suspicious ping behavior.

When Would You Use Host Discovery Flags?

Use them any time that you want to learn more about the target environment without arousing the suspicions of the security teams that are looking after the system. As a pentester it is good to find as many ways around a system's mitigation measures as possible so that the network can be made that much more secure afterwards. Some examples are:


-Pn

As we saw in our first command example, -Pn disables ping and only scans for open ports. If the attacker/pentester suspects that there is some mitigation in place to alert when the target system is pinged, then the -Pn switch is a way to avoid detection while still gaining reconnaissance about the target.


-sn

This flag performs host discovery but does not scan any ports. You would use this switch for a quick scan to see if a host is online without taking up too much time looking at the state of the open ports on that computer.


-PR

This flag performs ARP discoveries on local networks. ARP helps to link a physical MAC address to an IPv4 address on a network. This is useful in cases where you would like to identify the vendor of the network card that is communicating, which can easily be looked up from the hardware MAC address.


-n

This flag tells Nmap not to resolve DNS entries. This saves time if you only want to perform a quick check without waiting to resolve DNS entries in your scan.

Port Specification Flags: What You Should Know

These flags refer to port-specific parameters, which are useful when trying to see which ports are exposed to your scans.

What Do Port Specification Flags Do?

These are generally quick scans that target a particular port or a series that are of interest to the pentester.

Why Are Port Specification Flags Important?

Your time is valuable, and if you can accomplish the same quality of work without needing to wait for lengthy scans then more power to you.

When Would You Use Port Specification Flags?

These scans would be used for checking a few individual ports, or targeted attack vectors that the pentester wants to quickly check without waiting for an entire port scan to finish.


-p

If you want to specify a port, or a range of ports, then this is the flag for you. You might have a specific port in mind, so targeting it specifically is more efficient and saves a lot of time.


-p-

If time is on your side, and you need to be thorough, then this flag scans all of the ports on a system. It may take a while depending on a few factors such as network speed and the total number of ports that are open.


-F

This flag performs a fast port scan. It is much quicker than doing a full port scan.

Service Versions and Service Flags: What You Should Know

If you are aware of specific vulnerabilities in certain versions of services or operating systems then these flags will help you to identify such systems so that you can determine which steps you need to take next.

What Do Service/Service Version Flags Do?

These help a pentester establish what versions of services and operating systems are running on a target. Most cybersecurity experts have cultivated collections of tools during their time in the field. Knowing which ones to use against specific operating systems and service versions is essential.

Why Are Service/Service Version Flags Important?

These flags are important as they help a pentester get started with their investigation. In order to test vulnerabilities you need to know what you are testing against. Sometimes a blind test will reveal very little about an environment, so the tester has to learn as much as possible with the flags at their disposal.

When Would You Use Service/Service Version Flags?

These flags are generally used during the information gathering and reconnaissance stages of a penetration test.


-A

This flag is called 'Aggressive Detection Mode' and it runs several operations at once (which are additional flags, incidentally). These include:


-O

This flag tells you which operating system the target is running.


-sV

This flag determines what versions of services are running on the target host. This is important information to know, especially if you have different tools for different versions of services that you discover are running on your target.

The whole idea of using the -A flag is that it saves you typing out these extra flags, which is a handy shortcut.

Output Format Flags: What You Should Know

You will need to save your results when performing an investigation, so knowing how to output your findings is important. Here are some of the most common options for outputting data in Nmap.

What Do Output Format Flags Do?

One of the least spoken about aspects of penetration testing is the paperwork. If you are generating a report about your findings, then you will want to output the information that you have gathered in the most clear and objective manner possible. Output flags let you choose your document format and information layout. From there, further refinement can take place when generating the actual reports and executive summaries.

Why Are Output Format Flags Important?

If you cannot present your findings in a professional way, then your findings are not going to have the impact that you want. Even worse, your findings might be ignored, and you might not get paid for all that hard work.

When Would You Use Output Format Flags?

You would use these flags when the output of an Nmap query needs to be captured for later analysis or reporting.


-oN

This command flag specifies normal output using the given filename. You should use this when you want to save your results in a normal output.


-oX

This command flag outputs data in XML. Some reporting tools are able to import the XML format so this option helps to fill that need.


-oG

This command flag outputs the data in a greppable format. If you use a Linux or Unix system (and now even WSL).


-oA

This command flag does all three data output types at once. You might want to cover all of your bases when generating data for a report, and this is a great way to do it.
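
To show what importing the XML output into a report looks like, here is an added example (not part of the original article) that turns -oX style output into one row per open port. The sample document is constructed: it follows the element layout of Nmap's XML output, but the host, product names and versions are made up, and open_services is a name chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's -oX output (trimmed to the
# elements used here). Host, products and versions are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -sV -Pn -p 1-60000 -T2 -oA testscan target.example">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="ExampleHTTPd" version="2.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="ExampleSSH" version="1.0"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered" reason="no-response"/>
        <service name="smtp"/>
      </port>
    </ports>
  </host>
</nmaprun>"""

def open_services(xml_text):
    """Return sorted rows (address, proto, port, service, version) for open ports."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:          # fall back to any address element (IPv6, MAC)
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue             # closed and filtered ports stay out of the table
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            rows.append((addr, port.get("protocol"), int(port.get("portid")),
                         name, f"{product} {version}".strip()))
    return sorted(rows)

if __name__ == "__main__":
    for row in open_services(SAMPLE_XML):
        print(*row, sep="\t")
```

Service banners in scan output come from the scanned hosts, so treat the parsed strings as untrusted input when they are written into a report or a database.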

Final Thoughts

We can say with great confidence that the flags that we have briefly looked at today are just scratching the surface of what Nmap is capable of. Becoming familiar with what Nmap can and can't do in different scenarios is very helpful for cybersecurity professionals, so play around with Nmap as much as you can.


