paint-brush
How to Map Your Home Networks Using NMAPby@aditibhatnagar
14,650 reads
14,650 reads

How to Map Your Home Networks Using NMAP

by OffgridDecember 23rd, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

How to Map Your Home Networks Using NMAP is an easy way to learn the basics of the network network. The network layer manages flow control and handles re-transmission of dropped or garbled packets, and acknowledges all packets that arrive. This is how a connection is established and maintained until the application programs at each end have finished exchanging messages. The first ACK (4 bits) is the size of the header and the maximum number of the data and the name of the sender of the packet is set to the start of the next segment.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail

Coin Mentioned

Mention Thumbnail
featured image - How to Map Your Home Networks Using NMAP
Offgrid HackerNoon profile picture

Here's to learning basics of networking and an awesome tool called NMAP!

Hi there!

How are you doing? More so, how is your internet doing? What about LAN? Are you exchanging traffic with domains you'd not want to? Are there any open ports on your network that can be attacked? Most importantly (and somewhat not related to the post) have you changed your router's default credentials?

If you are not sure about the majority of the questions asked above, congrats, you have landed on the correct post! Please follow along.

Networks is a very broad concept to understand and explore. There are just way too many exciting things in this single concept! So, let's begin with the basics: The initial things that'll get you started with learning more about the networks and getting hang of the awesome tool: NMAP

Sneak peek into (somewhat applicable history):

OSI Layer:

Even if you have bunked the Computer Networks lectures in your school/college, if you are remotely associated with engineering, there are high chances you'd have heard of this term. Let me throw a diagram out here:

Presenting OSI Seven Layers:

Source: https://community.fs.com/blog/tcpip-vs-osi-whats-the-difference-between-the-two-models.html

These layers are responsible for handling everything that happens behind the scenes when you make that new network connection (say, open a new tab on your browser and go to https://www.aditi.fyi/home ), and in here are a bunch of protocols.

In the attempt to keep this post away from surpassing its limits to be called a post, let's discuss briefly one of these layers, L4 => Transport layer

One of the most prominent protocols in this layer is TCP [Transmission Control Protocol].

If you want to learn the philosophy behind TCP && need a book to read on weekends check out this masterpiece dated September 1981! And that's what is fascinating about networks, the protocols we are using today are exactly the same as were defined decades ago with very few alterations, if at all.

TCP is a connection-oriented protocol, which means a connection is established and maintained until the application programs at each end have finished exchanging messages. It determines how to break application data into packets that networks can deliver, sends packets to and accepts packets from the network layer, manages flow control and handles re-transmission of dropped or garbled packets, and acknowledges all packets that arrive.

The connection is established, using the well-known THREE-WAY HANDSHAKE


This is how a TCP connection is established and data starts to get across, but wait what is SYN, ACK ?

These are "flags", just bits that are set to 1 while crafting the corresponding TCP packet.

A TCP packet is made up of header and data. Where Header has a fixed set of fields:

[Source: WikiPedia]

A TCP segment consists of a segment header and a data section. The segment header contains 10 mandatory fields, and an optional extension field (Options, pink background in table).

Source port (16 bits): Identifies the sending port.

Destination port (16 bits): Identifies the receiving port.

Sequence number (32 bits): The accumulated sequence number of the first data byte of this segment for the current session.

Acknowledgment number (32 bits): If the ACK flag is set then the value of this field is the next sequence number that the sender of the ACK is expecting. This acknowledges receipt of all prior bytes (if any). The first ACK sent by each end acknowledges the other end's initial sequence number itself, but no data.

Data offset (4 bits): Specifies the size of the TCP header in 32-bit words. The minimum size header is 5 words and the maximum is 15 words thus giving the minimum size of 20 bytes and a maximum of 60 bytes, allowing for up to 40 bytes of options in the header. This field gets its name from the fact that it is also the offset from the start of the TCP segment to the actual data.

Reserved (3 bits): For future use and should be set to zero.

Flags (9 bits)Contains 9 1-bit flags (control bits) as follows:

  • NS (1 bit): ECN-nonce - concealment protection
  • CWR (1 bit): Congestion window reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set and had responded in congestion control mechanism.
  • ECE (1 bit): ECN-Echo has a dual role, depending on the value of the SYN flag. It indicates:
  • URG (1 bit): Indicates that the Urgent pointer field is significant
  • ACK (1 bit): Indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set.
  • PSH (1 bit): Push function. Asks to push the buffered data to the receiving application.
  • RST (1 bit): Reset the connection
  • SYN (1 bit): Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags and fields change meaning based on this flag, and some are only valid when it is set, and others when it is clear.
  • FIN (1 bit): Last packet from sender

Window size (16 bits): The size of the receive window, which specifies the number of window size units that the sender of this segment is currently willing to receive.

Checksum (16 bits): The 16-bit field is used for error-checking of the TCP header, the payload, and an IP pseudo-header.

Urgent pointer (16 bits): If the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte.

So, SYN and ACK are the segments that have the respective flags turned on i.e. set to 1.

Now, let's jump to NMAP and see how the information we learned above comes in handy while exploring this tool.

Want to see some live captures and scans, checkout this video:
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics

Source: https://nmap.org/book/man.html

You can setup nmap by downloading it from here: https://nmap.org/download.html

Once you have set NMAP, we can use it to find available hosts, open ports, OS versions etc. All you need is an IP Address and it's best to try it out on your own IP (unless you have the required permissions to do so on any other IP).

So, how to begin, very simple just refer to the manual above and try out the different types of scans! There are a plethora of flags that one can use while typing nmap.

I'm documenting some popular commands here, let's understand how these work:

> sudo nmap <IP Address> : Does basic scan of router
[If] you get a Mac address back on using sudo, you can have some idea on type of device it’ll be. Note that only the popular ports will be scanned, you can specify specific ports using -p 
E.g: -p 443,80
To scan all ports use -p-


> sudo nmap -v <IPAddress> 192.168.1.0/24 
(class C:: 24)
-v verbose (what’s happening)
Scans all IPs in the subnet.


> sudo nmap 192.168.1.0/24 -oN /home/scanresults.txt
Captures the scan results and outputs them in the specified file.
-oN => basic text output
-oX => XML file output
-oG => Output in grepable format
-oA => Outputs in all three format


> sudo nmap -F 192.168.1.0/24 -oN /home/scanresults.txt
Does a fast scan
-F : speeds up the scan by restricting the ports scanning to most popular ports

> sudo nmap —script vuln <target IP>
Use all scripts in vuln category to scan for all possible vulnerabilities on the target IP

> sudo nmap —script vuln <target IP>
Use all scripts in vuln category to scan for all possible vulnerabilities on the target IP

> sudo nmap -sS -D <some IP> <target IP>
To do a Stealth Scan and use Decoys. Decoys craft the traffic to appear from multiple IPs thus causing confusion in narrowing down the exact attacker's IP 

Wait, you just saw -sS in the above command, what is that?

That stands for Stealth scan.

When port scanning with Nmap, there are three basic scan types. These are:

  • SYN "Half-open" Scans (-sS) (aka Stealth scan)
  • TCP Connect Scans (-sT)
  • UDP Scans (-sU)

Additionally, there are several less common port scan types, such as:

  • TCP Null Scans (-sN)
  • TCP FIN Scans (-sF)
  • TCP Xmas Scans (-sX)

Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on Unix systems.

Here are the details on some of them, right from nmap book:

-sS (TCP SYN scan)

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. It also allows clear, reliable differentiation between the open, closed, and filtered states.

You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered.


-sT (TCP connect scan)

TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API.

-sF (FIN Scan), -sX (XMas Scan), -sN (Null Scan):

These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports.

Any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK.

Nmap exploits this with three scan types:

  • Null scan (-sN) : Does not set any bits (TCP flag header is 0)
  • FIN scan (-sF): Sets just the TCP FIN bit.
  • Xmas scan (-sX): Sets the FIN, PSH, and URG flags

Most firewalls work by preventing incoming TCP connections (while allowing outbound connections). This is accomplished by blocking any TCP packets with SYN bit set and ACK bit cleared. The above scans clear the SYN bit and are hence able to bypass the firewall rules. However, note that not all systems follow the RFC 793 as properly and end up sending RST to probes regardless of whether the port is open or not. Examples include Microsoft Windows, many Cisco devices, and IBM OS/400

And there are SO MANY other scans that we have not covered here. So you see, the FLAGS are crucial in indicating in which stage the communication is. Crafting packets skillfully by setting the right flags can thus help us in triggering the required response from the host, be it to just check the general availability or gather more details about the system.

So, I'll leave you to it now, the post has almost reached its full length.

Check out NMAP, explore the networking basics! I'll be writing and covering more details around the same in coming blog posts or live learning sessions!

To stay updated subscribe aditi.fyi, the YouTube Channel, and join our free open Discord Community!

Keep Hacking! xoxo

Previously published at https://www.aditi.fyi/post/basics-of-network-nmap