Back when I was first learning about Information Technology (IT in a general sense, not infosec), and had absolutely no idea what I was doing (as if I do now) is when I first discovered Nmap. Pretty cool utility, but I actually had no idea what it was doing or what any of the output meant. I just kind of pointed it at whatever and looked at results. Well, that's probably not the best way to do it.

Little by little, I started reading up on what the output meant. I started understanding ports and protocols. It took some time, but I started learning little by little and making more sense of it.

One of the best resources for learning Nmap is the official website here, or the official book, which you can read more about here. Outside of that, there are quite a few resources we can use as we start to understand more of Nmap's output.

It's also worth understanding some of the basics of TCP/IP and networking. These are things that you will need to have a grasp on before anything on Nmap really starts to make sense. I think reading the Network+ and some of the Security+ material really got me started here. Exam or not, the material was very useful in getting me started. I had to understand some networking and I had to understand a bit about ports and protocols.

We talked a bit about TCP vs UDP a short while back. It's pretty essential knowledge if you really want to know what's going on when you're running your portscans (also, I'm a fan of combining words when I think it looks better that way.)

As you may already know, the TCP three-way-handshake is a way for a client and host to set up comms between each other. We went into more detail in the blog post I linked above. It describes how a client and server connect using a connection-oriented protocol like TCP.

TCP SYN Scan

That's where Nmap's most basic scan comes in. It's the default scan if you don't use a flag. You can specify it with -sS, and it's called the TCP SYN scan or the half-open scan.

The way it works is, looking  back at the TCP three-way handshake. Typically it goes something like this:

  1. Client sends a packet with a SYN (synchronize) flag set to a server.
  2. Server responds with SYN-ACK to acknowledge the request to connect.
  3. Client sends back its own ACK and the connection is established.

With the basic Nmap scan, it goes something like this:

  1. Client sends a packet with a SYN flag.
  2. If the port is open/listening for a connection, it responds with SYN-ACK. If it's closed, it responds with a RST.
  3. If the client gets the SYN-ACK, it responds with a RST (reset) saying, "Never mind. Don't wanna talk." Regardless, it's clear at this point whether the port is open or closed.

We will look at some other scans later. This is the simplest of scans. It's an admittedly basic explanation, but that's how it works.