Nmap and Zenmap are popular tools for scanning network ports, services, and IP ranges – but what’s the difference? Why would you use one instead of the other? What are some of the benefits and drawbacks of each?
In this article, we’ll answer these questions and provide an in-depth look at both tools. Some of the major points we’ll discuss are:
- What Zenmap and Nmap are, their features, and uses
- Which operating systems they’re available for, and how to install them
- Pros and Cons of Zenmap vs Nmap
- Frequently asked questions
In short, everything you might want to know about both products to determine when you might select one over the other and why.
What Are Zenmap and Nmap?
Nmap security scanner is a command-line-based multi-platform (Windows, Mac OS X, Linux etc.) network scanning application designed to detect hosts and services on a computer network.
Who Uses Zenmap and Nmap?
Regardless of the use case, Nmap and Zenmap should never be used to scan networks and systems you don’t own without explicit permission!
What Are the Capabilities of Zenmap and Nmap?
Both Nmap and Zenmap can be used to provide extensive information about a target network. Some of the commonly-used Nmap features include:
- Host Discovery: Generate a list of hosts (i.e., computers or other devices that communicate on a network, such as PCs, printers, and servers) and their IP addresses.
- Port Scanning: Scan specific ports (or ranges of ports) to determine if they’re open on a given target or set of targets.
- Operating System Detection: Attempts to guess details about the target’s operating system, such as vendor (e.g., Microsoft), underlying OS (e.g., Windows), and OS generation (e.g., 10).
- Firewall/Intrusion Detection System (IDS) Evasion: Provides several options for advanced users to prevent scanning activities from being detected (and subsequently dropped) by a firewall or IDS system. E.g., Hiding (or spoofing) your IP address, source port, MAC address, etc.

Zenmap can also provide (and save) topology map graphics to help you visualize reachable hosts and their ports:

Zenmap also allows you to save scan results, which can be compared with one another to determine what’s changed (e.g., hosts or services that were added or removed).
The infographic below provides a side-by-side comparison:

How to Download and Install Zenmap and Nmap
Both Nmap and Zenmap are available for download at nmap.org/download.html. At the top of the page, you can select your operating system by clicking on the corresponding anchor link:

Supported Operating Systems
Some of the operating systems Nmap and Zenmap are available for are:
You can find support for other operating systems at the bottom of this page.
How to Install Zenmap and Nmap on Windows
1. Browse to https://nmap.org/download.html#windows, then click on the link to download the latest stable release (version 7.93 at the time of writing):

2. Locate and run the installer, e.g., nmap-7.93-setup.exe. The first step of the installation is to accept the license agreement. Select I Agree to continue:

3. Next, choose the components you want to install. The setup program installs both Nmap and Zenmap. Untick Zenmap if you wish to forgo the GUI. Click Next to continue:


5. The setup program will validate the installation to let you know it was completed successfully. Click Next to continue:

6. By default, the Nmap setup application will create shortcuts in your Windows Start Menu and on the Desktop. Click Next to continue:

7. At the end of the installation process, click Finish to close the Nmap Setup application:

How to Install Zenmap on Kali Linux
Nmap comes bundled with Kali Linux (along with hundreds of other useful tools), so there’s no need to install it separately. Kali Linux version 2019.4 (and later) removed Zenmap from its package bundle, but you can still install it manually. Here’s how:
1. Begin by updating Kali Linux’s package index list. To do this, open a terminal window (CTRL+ALT+T), then enter sudo apt update:

2. To upgrade all packages, run sudo apt full-upgrade -y:
3. Since Zenmap requires dependencies that are no longer supported in Kali Linux, we’ll need to use “Kaboxer” (Kali Applications Boxer) to install it as a packaged app in a Docker container. Run sudo apt install zenmap-kbx -y:

4. Zenmap will now be available from the application list:

NMAP vs Zenmap Pros and Cons
Nmap Pros
- Free and open source.
- Smaller and more portable than Zenmap.
- You can run multiple and concurrent scans.
- It can be used in environments that lack a GUI (e.g., SSH).
Nmap Cons
- The CLI creates a steeper learning curve than GUI-based tools.
- Lack of options to export information in a human-readable format suitable for presentation to non-technical stakeholders.
Zenmap Pros
- Free and open source.
- Displays scan results in text and graphical formats.
- Allows you to save and compare previously-run scans.
Zenmap Cons
- Larger footprint compared to Nmap and other CLI-based tools.
- Requires dependencies not needed for Nmap, which may or may not be available for your chosen operating system.
Conclusion
For those who need a lightweight but powerful network scanning utility and don’t have access to a GUI (e.g., running scans while connected via SSH), Nmap is the way to go.
In conclusion, these are two sides of the same coin, and both are a welcome addition to your cyber security arsenal. You can master Nmap with our Complete Nmap Ethical Hacking Course, or practice using both in your own virtual hacking lab.
Frequently Asked Questions
What are some of the uses of Zenmap?
Zenmap (and Nmap) are used to discover useful information about target endpoints on a network, including:
• Hostnames
• IP Addresses
• Open ports
• Possible operating systems
• Possible services and service versions
How is Zenmap related to Nmap?
What are some alternatives to Nmap?
Advanced Port Scanner (Windows Only): A freeware utility for Windows that can quickly find open ports on network endpoints and retrieve information about programs running on those ports. The application can be installed on your computer or run as a portable executable.
Masscan (Multiplatform): Masscan is a free, open-source internet-scale port scanner. While Linux (including Kali Linux) is the primary target platform, its source code can be compiled to run on other systems such as Windows or macOS.
Level Up in Cyber Security: Join Our Membership Today!
My name is Yousef, I solve problems. I’m a hands-on IT management and information security professional with over a decade of experience supporting and securing IT enterprises both in the US and abroad. You can also find me on LinkedIn.
Are you overwhelmed by the countless Nmap commands and their descriptions in the official documentation? We hear you, and we’ve got you covered. The good news is no one needs to master every element of Nmap to start using it effectively day-to-day.
No longer will Nmap’s complex ins and outs burden you. Let’s scroll down and start scanning our targets for vulnerabilities now.
What Is Nmap?
Network Mapper (Nmap) is a command-line-based multi-platform (Windows, Mac OS X, Linux, etc.) network scanning application designed to detect hosts and services on a computer network.
Nmap is a vital tool for any student or professional in cyber security. This free and open-source utility helps you gather network information and assess the security posture of devices in the networks you scan with it. Nmap can identify a host’s operating system, running applications, open ports, firewall information, and more.
If you don’t have it yet, install Nmap here.
How To Use Nmap
nmap <flag(s)> <target/file>
All flags begin with one (-) or two (--) hyphens, and a single Nmap command may contain multiple flags. A target is typically an IPv4/IPv6 address or address range.
Some flags apply to files instead of targets; those are for Nmap commands that read from a file or write Nmap scan results to files.
Now that you know how to operate Nmap, we’re showing you 20 Nmap commands that’ll come in handy.
All 20 Commands at a Glance

Nmap Command Generator
Say goodbye to the hassle of trying to remember the exact syntax for your Nmap commands! With our Nmap Command Generator, you can simply say what you need Nmap to do and we will generate the command for you.
1. List all hosts on a network
nmap -sL <target>
This type of scan (list scan) is a version of host discovery that only lists each host on the selected network(s) and doesn’t send any packets to the target hosts. By default, Nmap does a reverse DNS lookup to get host names.

2. Disable port scanning and only discover active hosts
nmap -sn <target>
nmap -sP <target>
With this option, Nmap will only print the names of hosts that have responded to the host discovery probes without any port scan. By default, this option is slightly more intrusive than the list scan. Use this option as a “ping sweep” to count available machines on a network or monitor server availability.


3. Discover the network path to a host
nmap --traceroute <target>
A packet may traverse several hosts before reaching its destination. This option allows you to trace this packet’s journey from host to host.

4. Scan for open ports and version information of services
nmap -sV <target>
When preparing for and doing pentesting, the command above helps you find open ports and determine the versions of running processes. Having accurate version numbers enables you to assess a device’s vulnerabilities.

5. Scan the ports specified
nmap -p <port number or numbers> <target>
Use this option to tell Nmap which ports you want to scan. It accepts individual port numbers and ranges separated by a hyphen (e.g., 1-1023). Nmap can also scan port zero, but you must specify it explicitly.
When scanning a combination of protocols (e.g., TCP and UDP), you can specify a particular protocol by preceding the port numbers with a single-letter qualifier: T: for TCP, U: for UDP, S: for SCTP, and P: for IP protocol.
The qualifier lasts until you specify another qualifier. For example, the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, and the listed TCP ports.
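The port-specification rules just described (comma-separated ports, hyphenated ranges, qualifiers that persist until the next one, port 0 only when written out), implemented as a parser. This is an added example, not Nmap’s own code; the function name parse_port_spec is this example’s own.

```python
"""Parse an Nmap -p port specification into per-protocol port sets.

Added example, not Nmap's own code: it implements the rules described in the
text above (comma-separated ports, hyphenated ranges, the T:/U:/S:/P:
qualifiers that stay in effect until another qualifier appears, and port 0
only when written explicitly). The function name parse_port_spec is this
example's own.
"""
from typing import Dict, Set

_QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {"tcp": {...}, "udp": {...}, "sctp": {...}, "ip": {...}} for a -p argument."""
    result: Dict[str, Set[int]] = {proto: set() for proto in _QUALIFIERS.values()}
    proto = "tcp"                        # Nmap scans TCP until a qualifier says otherwise
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise ValueError(f"empty port token in {spec!r}")
        # A qualifier prefix such as "U:" switches protocol for this and all later tokens.
        if len(token) >= 2 and token[1] == ":" and token[0] in _QUALIFIERS:
            proto = _QUALIFIERS[token[0]]
            token = token[2:]
            if not token:                # a bare "U:" only changes the protocol
                continue
        if token == "-":                 # "-p-": every port 1-65535, port 0 excluded
            low, high = 1, 65535
        elif "-" in token:               # "1-1023", "-100" (1-100) or "1000-" (1000-65535)
            lo_s, hi_s = token.split("-", 1)
            low = int(lo_s) if lo_s else 1
            high = int(hi_s) if hi_s else 65535
        else:                            # a single port, which may be 0 when written out
            low = high = int(token)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port range out of bounds: {raw!r}")
        if proto == "ip" and high > 255:  # P: selects IP protocol numbers, which stop at 255
            raise ValueError(f"IP protocol number out of bounds: {raw!r}")
        result[proto].update(range(low, high + 1))
    return result


def describe(spec: str) -> str:
    """One-line summary of how many ports per protocol a spec covers."""
    counts = {p: len(s) for p, s in parse_port_spec(spec).items() if s}
    return ", ".join(f"{n} {p}" for p, n in counts.items())


if __name__ == "__main__":
    print(describe("U:53,111,137,T:21-25,80,139,8080"))   # 8 tcp, 3 udp
```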

6. Scan all ports on a target
nmap -p- <target>
This command will scan ports numbered 1 through 65535.

7. Scan for open ports on the target
nmap --open <target>

8. Scan for the specified number of most common ports
nmap --top-ports <number> <target>
Specify an arbitrary number of the most commonly open ports for Nmap to scan. Nmap scans the <number> highest-ratio ports found in the nmap-services file after excluding all ports specified by --exclude-ports. <number> must be at least 1.

9. Perform a TCP connect scan
nmap -sT <target>
A TCP connect scan is where Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the “connect” system call. The “connect” system call is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.

10. Scan for UDP ports
nmap -sU <target>
In a UDP scan, Nmap sends a UDP packet to every targeted port, usually without extra data, except for ports where a payload would increase the response rate, such as 53 and 161. If Nmap receives an error message, the port is unavailable. Avoid rushing UDP scans, as operating systems such as Linux and Solaris impose strict rate limits.

11. Enable OS detection, version detection, script scanning, and traceroute
nmap -A <target>
This option turns on operating system detection and the advanced and aggressive functions mentioned above.

12. Scan for remote operating system
nmap -O <target>
Perform remote operating system detection using TCP/IP stack fingerprinting: Nmap sends a series of TCP and UDP packets to the remote host, examines every bit in the responses, compares them against its nmap-os-db database of more than 2,600 known operating system fingerprints, and prints out the operating system details if there is a match.

13. Scan a target with a specific timing template
nmap -T<timing template: 0-5> <target>

14. Increase the verbosity of the output (second level)
nmap -vv <target>
A single -v flag increases the verbosity level, causing Nmap to print more information about the scan in progress, such as open ports found in real time and completion time estimates for scans that may take considerable time. Use it twice or more for even greater verbosity (-vv), or give a verbosity level directly, for example -v3.

15. Scan for commonly used ports and services
nmap -sC <target>
This command is equivalent to nmap --script=default <target>. It uses Nmap’s default Nmap Scripting Engine (NSE) scripts to scan individual ports and protocols, including HTTP and POP3. The scripts are mostly safe, but some are intrusive. For example, the default script jdwp-info tries to exploit Java’s remote debugging port.

16. Run a script on the target
nmap --script <script type> <target>
Nmap runs a script scan using the comma-separated list of filenames, script categories, and directories.

17. Run all vulnerability scans on the target
nmap --script vuln <target>
The vuln scripts check for specific known vulnerabilities, and Nmap generally only reports results when it finds any. Examples include realvnc-auth-bypass and afp-path-vuln.

18. Read targets from a text file
nmap -iL <file>
Nmap reads a list of targets from a file as input. Entries can be in any format Nmap accepts on the command line (IP address, hostname, CIDR, IPv6, or octet ranges) and are separated by spaces, tabs, or newlines. The input file may contain comments that start with # and extend to the end of the line.

19. Save scan results in normal, XML, and grepable formats at once
nmap -oA <file>
Store Nmap scan results as three separate files, with <file> as the base file name and file extensions .nmap (normal), .xml (XML), and .gnmap (grepable). Like most programs, <file> may include a directory path, such as ~/folder1/foo/ on Unix or c:\folder2\bar on Windows.

20. Save the scan results to a normal format
nmap -oN <file>
Write the Nmap scan results to the given file name. Only use this command together with a valid Nmap scan command containing some <target>, as shown in the example below (nmap --top-ports 10 192.168.1.1-10 -oN tenports.txt):
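Items 19 and 20 save results to disk, and the Zenmap section earlier noted that saved scans can be compared to see what changed. The script below does that comparison on two XML reports (the .xml file written by -oA, or -oX). It is an added example, not code from the article or from Nmap/Zenmap; the two reports are constructed by hand in Nmap’s XML layout and the function names are this example’s own.

```python
"""Diff two Nmap XML reports and list the open ports that were added, removed or changed.

Added example, not code from the article or from Nmap/Zenmap: it reproduces the
"compare saved scans" check that Zenmap offers as a script you can run on two
reports saved from the CLI. Both reports below are constructed by hand in
Nmap's XML layout (nmaprun > host > status/address/ports > port > state/service).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed baseline report: one host with SSH and HTTP open.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA baseline 192.0.2.0/28" start="1700000000">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed follow-up report: HTTP is now closed, RDP appeared on the same host,
# the SSH version string changed, and a second host with Telnet open showed up.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA current 192.0.2.0/28" start="1700086400">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""

PortKey = Tuple[str, str, int]   # (host address, protocol, port number)


def parse_open_ports(xml_text: str) -> Dict[PortKey, str]:
    """Map every open (host, proto, port) in an Nmap XML report to its service string."""
    root = ET.fromstring(xml_text)
    found: Dict[PortKey, str] = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                  # skip hosts that were down
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                           # fall back to whatever address is present
            addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                              # only open ports matter here
            svc = port.find("service")
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            desc = " ".join(p for p in parts if p) or "unknown"
            found[(addr, port.get("protocol", "tcp"), int(port.get("portid", "0")))] = desc
    return found


def diff_scans(old_xml: str, new_xml: str) -> Dict[str, List[PortKey]]:
    """Return open ports that were added, removed, or whose service string changed."""
    old, new = parse_open_ports(old_xml), parse_open_ports(new_xml)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


if __name__ == "__main__":
    new_ports = parse_open_ports(CURRENT_XML)
    for kind, keys in diff_scans(BASELINE_XML, CURRENT_XML).items():
        for addr, proto, port in keys:
            print(f"{kind:8} {addr} {port}/{proto} {new_ports.get((addr, proto, port), '')}")
```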

Frequently Asked Questions
How do I do a fast scan in Nmap?
Is it okay to Nmap scan a website?
You must have explicit permission from the website owner (for example, you own the website) to avoid violating the law. Check out our article “Is Port Scanning Legal?” for details.
How do I scan all ports with Nmap?
How do I fully scan a target with Nmap?
Cassandra is a writer, artist, musician, and technologist who makes connections across disciplines: cyber security, writing/journalism, art/design, music, mathematics, technology, education, psychology, and more. She’s been a vocal advocate for girls and women in STEM since the 2010s, having written for Huffington Post, International Mathematical Olympiad 2016, and Ada Lovelace Day, and she’s honored to join StationX. You can find Cassandra on LinkedIn and Linktree.
This guide goes through the prerequisites for installing Nmap on Windows and then walks through the different installation methods in depth.
Prerequisites
- Windows 7 or Later: Nmap officially supports Windows 7 and newer operating systems, including Windows Server versions. If you’re using an older version, there are alternative methods, but these are not officially supported and may have security risks.
- Administrator Privileges: The installation process requires administrator access to modify system files and configurations.
Setting Nmap on Windows
Nmap comes pre-installed in the Kali operating system. If you have installed Kali Linux then Nmap is installed by default. If you are using Ubuntu you can refer to our guide on how to install Nmap on Ubuntu. This article will help you with Nmap download for the Windows system which will handle essential tasks:
- Network discovery: Identifying devices, hosts, and services on a network.
- Port scanning: Determining open ports and the running applications or services on those ports.
- Operating system detection: Guessing the operating system running on a host based on its responses.
- Vulnerability scanning: Identifying potential security vulnerabilities in detected services.
Let’s discuss the steps on how to install Nmap for Windows.
Step 1: Downloading Nmap for Windows
The first step is to download the official version. To do so, navigate to the Nmap download page for Windows by opening your web browser. Scroll down to the section titled ‘Microsoft Windows binaries’. Click on the latest stable release link to download the self-installer.

Step 2: Running the Installer
1. Locate the downloaded file, typically in your Downloads folder. Double-click the Nmap installer, for example nmap-x-x-setup.exe.


Step 3: Choosing Components
The installer will then ask which components of Nmap should be installed. It includes:
- Nmap core files (mandatory)
- Npcap (required for packet capturing functionality)
- Zenmap GUI (optional but recommended for easy use)
- Ncat, Ndiff and Nping
Select all the components as per your requirement and click ‘Next’.

Step 4: Selecting Installation Location
You can stick with the default directory or click ‘Browse’ to select a custom location. After selecting your preferred directory, click ‘Next’.

Step 5: Configuring Additional Tasks (Optional)
Add Nmap to the Windows system PATH (recommended) so it can be run from any command line. Search for System Properties in the Start menu. In the System Properties window, click on Environment Variables. Under System Variables, find and select the Path variable, then click on Edit.

Click on New and add the path to your Nmap installation.

Step 6: Finalizing and Verifying the Installation
Review your choices and click ‘Install’ to begin copying files onto your computer. A completion screen will appear indicating a successful installation. Click ‘Finish’.

nmap --version
If the installation was successful, this command displays Nmap’s version information.

Ethical considerations
Always adhere to network privacy and security boundaries. Only scan networks where you have explicit permission. Nmap’s potential extends far beyond this guide. Refer to our Nmap cheat sheet of essential commands and options for an in-depth exploration of:
- Advanced scan types: Delve into SYN scans, UDP scans, and more, for specific testing needs.
- Flags and filters: Explore these modifiers to fine-tune your scans and gather precise information.
- Scripting: Use custom scripts to automate tasks and extend Nmap’s capabilities.
Conclusion
Nmap is commonly used for scanning networks, and you can install Nmap on our server. Ultahost VPS hosting offers you an easy-to-manage, reliable, and economical hosting plan for businesses of all sizes. Get started today and enjoy the freedom and flexibility of a VPS!
FAQ
What is Nmap and why should I install it on Windows?
Nmap is a powerful network scanning tool used for security auditing and network exploration. Installing it on Windows enables you to assess your network’s security and discover connected devices.
How do I install Nmap on Windows?
Are there any prerequisites for installing Nmap on Windows?
No, there are no specific prerequisites for installing Nmap on Windows. You just need to ensure that your Windows system meets the minimum requirements specified by the Nmap installer.
Can I use Nmap on Windows Command Prompt or PowerShell?
Yes, once installed, you can use Nmap commands directly from the Command Prompt or PowerShell.
Introduction
First, we need to have an idea of what Nmap is.
Nmap, or Network Mapper, is a free and open-source tool used for network discovery and security auditing. Nmap is completely free, and it is able to scan networks, servers and applications.
Nmap can easily detect open services on a specific host, whether it’s a switch, router, firewall, printer, server or an application.
It can be used by hackers, or we can use it in network troubleshooting; it makes life much easier and gives visibility, answering multiple questions when troubleshooting new networks that we’re not used to working on!
How can I use Nmap? What are the Nmap commands?
We can use NMAP in different ways and for different goals.
The first example is in ethical hacking:
Nmap is used in hacking and pentesting: hackers can detect the operating system of a host, for example, then search the internet for its vulnerabilities and try to penetrate a network using the details and elements provided by nmap.
The second example is troubleshooting networks.
Here are 20 commonly used nmap commands with explanations:
Basic TCP Scan
This command performs a basic TCP scan on the specified target. It scans the most common 1000 TCP ports by default.
Scan Specific Ports
nmap -p <port(s)> <target>
This command scans only the specified port(s) on the target.
Scan All TCP Ports
nmap -p- <target>
This command scans all 65535 TCP ports on the target.
Scan UDP Ports
nmap -sU <target>
This command performs a UDP scan on the target.
Scan Both TCP and UDP Ports
nmap -sS -sU <target>
This command performs a TCP and UDP scan on the target.
Service Version Detection
nmap -sV <target>
This command attempts to determine the version of the services running on the target.
OS Detection
nmap -O <target>
This command attempts to determine the operating system running on the target.
Scan multiple targets
nmap <target1> <target2> <target3>
This command scans multiple targets in a single command.
Scan a Range of IPs
nmap <ip-range>
This command scans a range of IP addresses. Nmap takes the range as an octet range (e.g., 192.168.1.1-254) or in CIDR notation (e.g., 192.168.1.0/24).
Verbose Output
nmap -v <target>
This command produces verbose output, providing more detailed information during the scan.
Aggressive Scan
nmap -A <target>
This command enables aggressive scanning options including OS detection, version detection, script scanning, and traceroute.
Scan for Vulnerabilities
nmap --script vuln <target>
This command runs Nmap scripts to check for known vulnerabilities on the target.
Save Output to a File
nmap -oN output.txt <target>
This command saves the scan results to a file named output.txt.
Output in XML Format
nmap -oX output.xml <target>
This command saves the scan results in XML format.
Output in grepable Format
nmap -oG output.grep <target>
This command saves the scan results in grepable format.
Ping Scan
nmap -sn <target>
This command performs a ping scan to determine which hosts are online.
Reverse DNS Resolution
nmap -R <target>
This command performs reverse DNS resolution on the IP addresses discovered during the scan.
Aggressive Timing
nmap -T4 <target>
This command sets the timing template to ‘Aggressive’ to speed up the scan.
Scan IPv6 Addresses
nmap -6 <target>
This command scans IPv6 addresses.
Scan for Common Vulnerabilities and Exposures (CVE)
nmap --script vulners <target>
This command runs Nmap scripts to check for vulnerabilities using the Vulners database (https://vulners.com/, a vulnerability database and search engine).
I hope you enjoyed the list of NMAP COMMANDS that I have chosen for you.
That was my selection for the moment; there are other nmap commands that I will be covering in this article, so keep reading till the end.
Important
Always make sure you have authorization before you start working with these commands and launching scans on the network, especially if you are scanning hosts or networks that you don’t manage yourself.
Install NMAP on different Operating Systems
The 20 commands mentioned above can be used on different operating systems and in different ways.
The first thing we need to do is install nmap on the operating system.
Installing Nmap on Windows
Jump directly to this section: “Installing the Nmap zip binaries”
Nmap download on Linux
Link: https://nmap.org/book/inst-linux.html
Through this link you will find the installation process for these Linux distributions: Red Hat, Mandrake, SUSE, Fedora, Debian Linux and derivatives such as Ubuntu, all on the same page.
Nmap download on macOS
Link: https://nmap.org/book/inst-macosx.html
You will find all the requirements for installing Nmap on macOS through this link.
After downloading nmap on your operating system now you need to start using it of course!
How to use Nmap from the command line interface (CLI)?
It’s really easy even if you don’t memorize nmap commands. You can use the list of commands that I showed you in the first section of this article 😎 (1. How can I use Nmap? What are the Nmap commands?).
How to use Nmap from the graphical user interface (GUI): Zenmap
Official website: https://nmap.org
On this page you can see the tab “Zenmap GUI”, where you have a short description of the free multi-platform interface.
Zenmap download
Here is the link to download Zenmap: https://nmap.org/download
Other free tools that look like Nmap and Zenmap
Here are some scanners that you can easily download on a Windows or Linux machine; they will start doing the work for you right away!
Best Network Scanners That I Found Useful and Have Tested Personally
1. Angry IP Scanner
An amazing tool that works just fine and easily gives you the ability to export your results into an Excel file and filter as you want.
Angry IP Scanner can be installed on Windows, Mac or Linux.
Download Link: https://angryip.org/download/#windows
2. Advanced IP Scanner download
This one only has a Windows version.
I use it all the time; sometimes the same network scan could be run in three scanners because of a small detail that we find in one particular scanner’s result and not in another network scanner.
Download Link: https://www.advanced-ip-scanner.com/fr/
3. Nmap download
I use it all the time too, and it’s basically my first step in scanning hosts.
Download Link: https://nmap.org/download
Conclusion
Nmap commands make it easier to analyse and troubleshoot networks; they also let you discover open and closed network ports and services in your infrastructure, and they will be your tool for starting to pentest your networks.
I hope this network reminder helps you in the future; network scanners make life easier for network engineers, in my opinion.
Maybe the next update of this article will include some use cases for the tools and my approach to using them.
Don’t forget to leave a comment if you like what you read!

Nmap is used to actively probe a target network for live hosts (host discovery), to scan ports, and to detect the OS, version information, and active services running on the hosts that are up. In this article we look at three port scanning methods and the port state types.
Port scanning is one of Nmap’s functions: the tool determines the state of the ports on the active hosts in a network. A port’s status can be open, filtered, or closed. So, launch Nmap and add the switches appropriate to the scan type to start the scan.
Example: nmap -sS 192.168.0.1-52
Port state types
Open: an open status means the port is open and a service is actively running on it.
Filtered: a filtered status means the port may be hidden behind a firewall, and its state remains unknown.
Closed: a closed state means the port is closed on the host machine.
Different port scanning methods in Nmap
Below are the widely used scan methods in Nmap:
1. TCP Connect scan: the TCP Connect scan uses the full three-way handshake to determine whether a given port is open, filtered, or closed, according to the response received. Nmap sends a TCP request packet to each specified port and determines the port’s status from the reply. RFC 793 states:
If the connection does not exist (CLOSED) then a reset is sent in response to any incoming segment except another reset. In particular, SYNs addressed to a non-existent connection are rejected by this means.
In essence, this means that if Nmap sends a TCP request with the SYN flag set to a closed port, it receives a TCP packet with the RST flag set from the target server. This tells Nmap that the port is “closed”.
Otherwise, if the port is indeed “open”, Nmap receives a reply with the SYN/ACK flags set in response to the packet it sent with the SYN flag set.
The third possibility is that the port is filtered: most server firewalls are configured to simply drop incoming packets, so Nmap receives no reply at all. In essence, this means the port is behind a firewall (i.e., “filtered”).

2. TCP SYN scan (-sS): the SYN scan is often called a “half-open” or “stealth” scan. It works the same way as the TCP Connect scan for closed and filtered ports, i.e., it receives an RST packet for a closed port and no reply for filtered ports. The only difference is how open ports are handled. After receiving the SYN/ACK from the target server, the SYN scan sends back a packet with the RST flag set (rather than the ACK that would normally complete the three-way handshake). This is done so that the server does not keep trying to establish the connection, which shortens the scan time.
This scan type is called a stealth scan because of the following advantages:
It is faster, because it does not need to complete the full three-way handshake.
Some applications only log connections that are fully established. Applications listening on open ports therefore do not log these connections, which makes the SYN scan “stealthy”.

3. UDP scan (-sU): unlike TCP, UDP performs no handshake to establish a connection before sending data packets to the target port; it simply sends the packets in the hope that the target port receives them. This is why UDP connections are often called “stateless”. This type of connection is more effective when speed matters more than quality, for example in video sharing. Because the target port does not acknowledge whether it received the packet, UDP scanning is harder and much slower.
When there is no reply from the target port after a UDP packet is sent, it often means the port is either “open” or behind a firewall, i.e., “filtered”, in which case the server simply drops the packet without replying.
UDP scanning can effectively identify closed ports, because a closed UDP port on the target replies with an ICMP packet reporting that the port is unreachable.

The scan methods below are less likely to be used in practice, but the principle behind them is worth learning. They are said to be even more stealthy than the “SYN stealth” scan.
For the scan types below, when a packet is sent to an “open” port there is no reply from the target port, much like in a UDP scan. When these scan types receive no reply, they mark the port as open|filtered. According to RFC 793, for such malformed packets closed ports on the server are required to reply with an RST TCP packet, while open ports do not reply at all.
TCP NULL scan (-sN): a NULL scan, as the name suggests, sends a TCP packet with no flags set. If the port is closed, the host replies with an RST.
TCP FIN scan (-sF): instead of sending completely empty packets, the FIN scan sends a packet with the FIN flag set. If the port is closed, the host replies with an RST.
TCP XMAS scan (-sX): the XMAS scan sends a packet with the URG, PSH and FIN flags set. It got its name because it looks like a lit-up Christmas tree when viewed in a Wireshark packet capture. If the port is closed, the host replies with an RST.
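The probe patterns described in this section (the half-open SYN-then-RST exchange, NULL, FIN and XMAS flag combinations) turned into detection logic a defender can run over packet records. This is an added example, not part of the article; the records are constructed using documentation IP ranges, and their layout (src, dst, dport, comma-separated flags) is this example’s own, not any sensor’s export format.

```python
"""Spot the scan patterns described above in TCP packet records.

Added example, not part of the article: it turns the described probe types
into detection logic a defender can run over packet records. The records are
constructed (documentation IP ranges), and the record layout
(src, dst, dport, comma-separated TCP flags sent by the client) is this
example's own, not a particular sensor's export format.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

Record = Tuple[str, str, int, str]      # client src, server dst, server port, client flags


def classify_probe(flags: FrozenSet[str]) -> str:
    """Name the probe type a client packet with these flags matches."""
    if not flags:
        return "null"                               # -sN: no flags at all
    if flags == {"FIN"}:
        return "fin"                                # -sF: FIN only
    if flags == {"URG", "PSH", "FIN"}:
        return "xmas"                               # -sX: URG+PSH+FIN
    if flags == {"SYN"}:
        return "syn"                                # opening packet of -sS or -sT
    return "other"                                  # ACK, RST, data: not a probe by itself


def handshake_outcomes(records: List[Record]) -> Dict[Tuple[str, str, int], str]:
    """Per (src, dst, port): did a SYN lead to a connection, a half-open RST, or nothing?"""
    seqs: Dict[Tuple[str, str, int], List[FrozenSet[str]]] = defaultdict(list)
    for src, dst, dport, flag_str in records:
        seqs[(src, dst, dport)].append(frozenset(f for f in flag_str.split(",") if f))
    outcomes: Dict[Tuple[str, str, int], str] = {}
    for key, seq in seqs.items():
        if seq[0] != {"SYN"}:
            continue                                # not the start of a handshake
        later = seq[1:]
        if any("ACK" in f for f in later):
            outcomes[key] = "connected"             # -sT or a normal client: handshake completed
        elif any(f == {"RST"} for f in later):
            outcomes[key] = "half_open"             # -sS: SYN/ACK answered with RST, never ACK
        else:
            outcomes[key] = "unanswered"            # closed/filtered target, or still pending
    return outcomes


def detect_scans(records: List[Record], min_ports: int = 10) -> Dict[str, Dict[str, object]]:
    """Report sources that probed at least min_ports distinct (host, port) pairs."""
    ports_by_src: Dict[str, set] = defaultdict(set)
    kinds_by_src: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flag_str in records:
        kind = classify_probe(frozenset(f for f in flag_str.split(",") if f))
        if kind == "other":
            continue
        ports_by_src[src].add((dst, dport))
        kinds_by_src[src][kind] += 1
    half_open: Dict[str, int] = defaultdict(int)
    for (src, _dst, _port), outcome in handshake_outcomes(records).items():
        if outcome == "half_open":
            half_open[src] += 1
    alerts: Dict[str, Dict[str, object]] = {}
    for src, pairs in ports_by_src.items():
        if len(pairs) >= min_ports:
            alerts[src] = {"distinct_ports": len(pairs),
                           "probe_types": dict(kinds_by_src[src]),
                           "half_open": half_open[src]}
    return alerts


# Constructed traffic: a SYN scanner, an XMAS scanner, and one ordinary client.
SAMPLE_RECORDS: List[Record] = []
for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389):
    SAMPLE_RECORDS.append(("198.51.100.7", "192.0.2.10", p, "SYN"))
for p in (22, 80, 443):                              # ports that answered SYN/ACK get an RST back
    SAMPLE_RECORDS.append(("198.51.100.7", "192.0.2.10", p, "RST"))
for p in range(1, 13):
    SAMPLE_RECORDS.append(("198.51.100.8", "192.0.2.10", p, "URG,PSH,FIN"))
SAMPLE_RECORDS.append(("203.0.113.5", "192.0.2.10", 443, "SYN"))
SAMPLE_RECORDS.append(("203.0.113.5", "192.0.2.10", 443, "ACK"))

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_RECORDS).items():
        print(src, info)
```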