Ozgur's Blog

Random ramblings of personal nature

Staged Scanning with Nmap


Port scanning is one of the first steps of penetration testing. With this technique our tools enumerate the ports one by one and check whether they are communicating with the outside world or not. This check will also give us a rough idea on the server, which programs does it run and so on.

For example if port 80 is open we can follow this up with Nikto to get more data. The more data we have, the better we can report our findings to the client.

We can do this check in two ways. From TCP or UDP.


Cisco says that

TCP is a connection-oriented transport protocol that sends data as an unstructured stream of bytes. By using sequence numbers and acknowledgment messages, TCP can provide a sending node with delivery information about packets transmitted to a destination node. Where data has been lost in transit from source to destination, TCP can retransmit the data until either a timeout condition is reached or until successful delivery has been achieved.

TCP uses a three way handshake to ensure both ends can initiate and negotiate separate TCP socket connections at the same time. This involves these steps:

  1. SYN: "Hi! I want to connect to you"
  2. SYN+ACK: "Hey I see you and please do connect to me"
  3. ACK: "Okay I also acknowledge you."

But if we are using a stealth scan the last step becomes a RES, meaning "HAHA just kidding, bro!".


UDP on the other hand doesn't have this validation and this handshake, making it faster. But because we don't have this verification UDP can lose packets on the way to the other machine. This protocol is used when the connection is more important than the data integrity - e.g. Live Streaming, MMOs etc. This is like

We often scan TCP side of the servers but it is also useful to check the UDP side of the things - but although it is faster to communicate, UDP scanning takes a lot of time to accomplish so CAVEAT EMPTOR!

Scanning with Nmap

I know we have a lot of scanners in the wild but Nmap is a classic we return to time and again. Sure it doesn't provide a nice interface like Nessus but I find Nmap's output more enlightening.

Who's up? Scanning the Network

Generally we don't have an idea who is going to be our target. We are going to run our penetration tests against a metasploitable or kloptrix - specially designed machines with vulnerabilities to hone our skills. To scan our network from head to toe we use this command

nmap -T4 -sn

This runs the fastest (-T4) pingscan (-sn) on to, which is my local network as you can see from the first three octets.

Do me a portscan baby! In stages!

When we want to scan a machine for all its ports we can use this line:

nmap -T4 -A -p- <ip address>

But this is SSSLLLLOOWWWWW. To make it faster we can divide it into two stages. First we scan the whole portrange without any resolution:

nmap -T4 -p- <ip address>

Then when we get the open ports we run the -A switch on those ports ONLY

nmap -T4 -p80,443,10020 <ip address>

This makes it much faster than the first alternative. The information we'll get is as same as the full portscan but with this way we are targeting the open ports only and don't spend time on closed ports.

Thanks for reading!