Jarret W. Buse


Before getting too far into Network Mapping (NMAP), everyone should have an understanding of the Transmission Control Protocol/Internet Protocol (TCP/IP). By knowing the basics of TCP/IP, you will have a better understanding of what NMAP is doing. To help show the underlying workings, I will try to include packet captures from Wireshark, which can be found at www.wireshark.org.

NOTE: For more information on TCP/IP, try the TCP/IP Reading Guide at Linux.Org.

NMAP uses four parts of the TCP/IP suite. These four items are:

  1. Internet Protocol (IP) – connectionless protocol to handle the sending of Datagrams from one network to another
  2. Transmission Control Protocol (TCP) – manages reliable transmission of data from Source to Target system (connection oriented)
  3. User Datagram Protocol (UDP) – manages transmission of data from Source to Target system (connectionless)
  4. Internet Control Message Protocol (ICMP) – protocol used by IP to send messages between systems about network traffic, lost packets, etc.

The most common NMAP scan is a TCP SYN Scan (-sS). There are six general TCP Control Bits, with SYN being one of them. The Control Bits are:

  1. SYN – used to Synchronize communications between two systems
  2. ACK – Acknowledges receipt of request
  3. RST – Restarts communications
  4. FIN – Finishes communications from one system, but still listens for further requests
  5. PSH – Push data to the application since no more data is being sent
  6. URG – Urgent data is contained in the packet (some or all) and should be managed accordingly by the requesting application

Keep in mind that usually only the first four will be seen in NMAP traffic, but we will focus on the first three. The SYN, ACK and RST Control Bits are used during the NMAP TCP Three-Way Handshake. The Three-Way Handshake is used when initializing communications between two systems. NMAP first finds which Hosts are on-line and then, when specified, performs a Port Scan.

To find remote systems online, NMAP performs a four-step process. The steps are as follows:

  1. Performs a Domain Name System (DNS) Lookup
  2. Pings IP Address(es) specified in command-line
  3. Performs a Reverse DNS Lookup, which can provide extra information about the system being scanned
  4. Performs the Port scan

To find local systems online, NMAP performs a two-step process. The steps are as follows:

  1. Performs an ARP Request for the IP Address
  2. Performs the Port scan

Two items in the previous processes need to be covered: the ARP Request and the Port scan.

An Address Resolution Protocol (ARP) Request is used to determine the MAC Address, on a local subnet, for a given IP Address. When two systems need to communicate on a local subnet, they need each other's MAC Address. The Source system broadcasts an ARP Request containing the known IP Address of the system it wants to reach; the broadcast also includes the Source's own IP and MAC Addresses. When the system with the matching IP Address receives the request, it sends back a reply containing its MAC Address to the Source system.

A Port Scan is performed by starting a Three-Way Handshake with each Target system. The Handshake is used to open communications between two systems. NMAP does not complete the Handshake, but obtains enough information to know which Ports are open. The Handshake is managed as follows:

  1. SYN – sent from Source to Target to begin communications
  2. SYN/ACK – Target sends SYN and ACK to Source to accept communications between the two systems
  3. RST – Source sends an RST to Target to stop the Handshake process

NOTE: A normal Three-Way Handshake will have an ACK for step three. The ACK allows communications to commence between the Source and Target systems.

When a Handshake is started, the Source system uses the IP, MAC and Port Addresses of the Target to send the request to the Target system. If the Target is accepting requests on the specified Port number, it will respond with the SYN and ACK Control Bits. At this point, the Source system running NMAP knows that the Target System has the specified Port open.
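As an added illustration (not code from the article), here is a Python sketch of what a defender reading the same Wireshark capture would look for: it follows each handshake, infers the Port state the way the Source learns it, and flags clients whose step three is an RST instead of the ACK of a normal handshake. The packet summaries, addresses and ports are constructed; the "closed" and "filtered" labels follow nmap's standard reading of an RST reply and of no reply.

```python
from collections import namedtuple, defaultdict

Packet = namedtuple("Packet", "src dst sport dport flags")

# Constructed packet summaries standing in for Wireshark's flag column (not from the
# article). 10.0.0.5 is the host running the scan; 10.0.0.9 is the Target.
CAPTURE = [
    Packet("10.0.0.5", "10.0.0.9", 40001, 22, {"SYN"}),
    Packet("10.0.0.9", "10.0.0.5", 22, 40001, {"SYN", "ACK"}),
    Packet("10.0.0.5", "10.0.0.9", 40001, 22, {"RST"}),        # step 3 is RST, not ACK
    Packet("10.0.0.5", "10.0.0.9", 40002, 80, {"SYN"}),
    Packet("10.0.0.9", "10.0.0.5", 80, 40002, {"SYN", "ACK"}),
    Packet("10.0.0.5", "10.0.0.9", 40002, 80, {"ACK"}),        # normal Three-Way Handshake
    Packet("10.0.0.5", "10.0.0.9", 40003, 23, {"SYN"}),
    Packet("10.0.0.9", "10.0.0.5", 23, 40003, {"RST", "ACK"}),  # closed Port answers with RST
    Packet("10.0.0.5", "10.0.0.9", 40004, 443, {"SYN"}),       # never answered
]

def follow_handshakes(packets):
    """Group packets by (client, server, server_port), starting at the client's SYN."""
    convs = {}
    for p in packets:
        if p.flags == {"SYN"}:                      # step 1: client opens
            convs[(p.src, p.dst, p.dport)] = [("client", p.flags)]
        elif (p.dst, p.src, p.sport) in convs:      # reply from the server side
            convs[(p.dst, p.src, p.sport)].append(("server", p.flags))
        elif (p.src, p.dst, p.dport) in convs:      # client's follow-up (ACK or RST)
            convs[(p.src, p.dst, p.dport)].append(("client", p.flags))
    return convs

def port_state(steps):
    """SYN/ACK means open (as in the article); RST means closed, no reply means filtered."""
    replies = [flags for who, flags in steps if who == "server"]
    if not replies:
        return "filtered"
    first = replies[0]
    return "open" if {"SYN", "ACK"} <= first else "closed" if "RST" in first else "unknown"

def is_half_open(steps):
    """True when the client met SYN/ACK with RST instead of the ACK of a normal handshake."""
    return (len(steps) >= 3 and steps[1][0] == "server" and {"SYN", "ACK"} <= steps[1][1]
            and steps[2][0] == "client" and "RST" in steps[2][1])

def summarize(packets):
    """Return per-Port states and how many half-open handshakes each client produced."""
    states, half_open = {}, defaultdict(int)
    for (client, server, port), steps in follow_handshakes(packets).items():
        states[(server, port)] = port_state(steps)
        half_open[client] += is_half_open(steps)    # bool counts as 0 or 1
    return states, dict(half_open)
```

A client that racks up many half-open handshakes across different Ports in a short window is the pattern a SYN scan leaves in the capture; a single one can be an ordinary aborted connection.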

When scanning using UDP, no Handshake is used since UDP is connectionless. A connectionless protocol does not open communications between the systems; it sends the data to the Target without knowing whether the data is received. UDP is usually used for streaming data, like video and audio casts.

Keep in mind that the Ports being used and scanned are not the same between TCP and UDP. Port 80 is used for HTTP for both TCP and UDP, but for a Port number like 520, TCP uses it for the Extended File Name Server (EFS), while UDP uses it for the Routing Information Protocol (RIP).

When dealing with NMAP, be aware of how the underlying network is behaving. You can watch these steps using Wireshark, as mentioned previously.
