Intrusion Detection FAQ: What is nmap and what can it do?

(This was taken from a report done by the Shadow Intrusion Detection team and released to the public domain by NSWC Dahlgren - Author John Green)


Nmap was the source of strange new scan patterns started being detected by the SHADOW ID Systems located throughout the Internet.

The reported traffic varies from incident to incident. However, it can generally be categorized into two distinct groups.

The first group is denoted as the "random scan" category. This scan’s signature is characterized by SYN packets sent to apparently random destination (or service) ports over some discreet range of values. At the end of these scans we typically see several packets to high numbered tcp and udp ports, followed by a small number of packets to a common destination port. (See Figure 1)

The second class of traffic is called (for the lack of a better term) "exploits plus". Although the signature of these probes can vary with respect to the service ports accessed, the basic characteristics closely resemble the random scan discussed above. The primary difference is the exclusion of random destination ports in favor of well-known (and highly exploited) service ports. (See Figure 4)

Details, Details… The "Random Scan"

Let’s take a closer look at a real-life example from the "random scan" category. This sanitized excerpt was taken from an actual incident report that was filed by the Army Research Laboratory - Adelphi Md.

Timestamp Source >
Destination Flag Sequence Numbers Window size

18:42:25.241999 > S 3596953827:3596953827(0) win 4096
18:42:25.251999 > S 3596953827:3596953827(0) win 4096
18:42:25.481999 > S 3596953827:3596953827(0) win 4096
18:42:25.491999 > S 3596953827:3596953827(0) win 4096
18:42:25.651999 > S 3596953827:3596953827(0) win 4096
18:42:25.661999 > S 3596953827:3596953827(0) win 4096
18:42:25.681999 > S 3596953827:3596953827(0) win 4096
18:42:25.681999 > S 3596953827:3596953827(0) win 4096
18:42:25.731999 > S 3596953827:3596953827(0) win 4096
18:42:25.731999 > S 3596953827:3596953827(0) win 4096
18:42:25.731999 > S 3596953827:3596953827(0) win 4096
18:42:25.741999 > S 3596953827:3596953827(0) win 4096
18:42:25.741999 > S 3596953827:3596953827(0) win 4096
18:42:25.751999 > S 3596953827:3596953827(0) win 4096
18:42:25.751999 > S 3596953827:3596953827(0) win 4096
18:42:25.761999 > S 3596953827:3596953827(0) win 4096
18:42:25.771999 > S 3596953827:3596953827(0) win 4096
18:42:25.791999 > S 3596953827:3596953827(0) win 4096
18:42:25.951999 > S 3596953827:3596953827(0) win 4096
18:42:25.951999 > S 3596953827:3596953827(0) win 4096
18:42:25.951999 > S 3596953827:3596953827(0) win 4096
18:42:25.881999 > S 3596953827:3596953827(0) win 4096
18:42:26.151999 > S 3596953827:3596953827(0) win 4096
18:42:26.151999 > S 3596953827:3596953827(0) win 4096
18:42:26.151999 > SFP 1769772146:1769772146(0) win 4096 urg 0
18:42:26.151999 > udp 300
18:42:26.151999 > udp 300
18:42:26.171999 > S 1884246333:1884246333(0) win 4096
18:42:26.171999 > S 1884246332:1884246332(0) win 4096
18:42:26.171999 > S 1884246331:1884246331(0) win 4096
18:42:26.221999 > S 1884246330:1884246330(0) win 4096
18:42:26.221999 > S 1884246329:1884246329(0) win 4096

(Figure 1. Example "Random Scan")

Author’s note: The traffic examples throughout this paper have been beautified in an attempt to isolate the signatures created by nmap. Therefore, the packets sent by nmap have been retained, while responses from the victim hosts have been removed. In addition, responses from the hostile system (i.e. RSTs sent in response to SYN/ACKs from the victim) have also been removed for the sake of signature clarity.

A quick analysis of the traffic can yield some important clues that can helpful in determining what might have caused it. For example, the timestamp fields of this scan reveal that it was automated. This also indicates that the host "" was not part of a larger parallel scan by "". A review of the ports used in this scan show a fixed source port of 42558 with some minor deviations at the end. The destination ports that were accessed seem to have a random distribution, again, showing some variation at the end of the activity. The variation is comprised of a packet with the SYN/FIN/PUSH flags set, followed by udp datagrams destined for high-numbered ports. The scan concludes by sending several more SYN packets to a fixed destination port (in this case, port 13).

A New Version of Nmap

The prominent features of the scan discussed in the previous section indicate an automated process for constructing packets and scanning a target host with them. We can infer from the widespread incident reporting that the agent is a tool that is readily available to the hacker community.

The obvious way to begin testing this theory is by looking for scan tools that produce a similar signature. The question is "What is the tool and what exactly is it doing?" A search of the exploit archives reveals a release of "Nmap V2.02" in late December of 1998. The next step in the discovery process is to use nmap to perform a test on a limited number of ports for a particular machine. Given the appropriate set of arguments, the resulting pattern (Figure 2, below) correlates beautifully with the real scan seen in Figure 1.

Timestamp Source
Destination Flag Sequence Numbers Window size

01:41:25.180240 > S 1301162276:1301162276(0) win 1024
01:41:25.180274 > S 1301162276:1301162276(0) win 1024
01:41:25.180305 > S 1301162276:1301162276(0) win 1024
01:41:25.180336 > S 1301162276:1301162276(0) win 1024
01:41:25.180380 > S 1301162276:1301162276(0) win 1024
01:41:25.180411 > S 1301162276:1301162276(0) win 1024
01:41:25.180455 > S 1301162276:1301162276(0) win 1024
01:41:25.180499 > S 1301162276:1301162276(0) win 1024
01:41:25.180942 > S 1301162276:1301162276(0) win 1024
01:41:25.180977 > S 1301162276:1301162276(0) win 1024
01:41:25.181007 > S 1301162276:1301162276(0) win 1024
01:41:25.183345 > S 1301162276:1301162276(0) win 1024
01:41:25.183375 > S 1301162276:1301162276(0) win 1024
01:41:25.183420 > S 1301162276:1301162276(0) win 1024
01:41:25.183461 > S 1301162276:1301162276(0) win 1024
01:41:25.183834 > S 1301162276:1301162276(0) win 1024
01:41:25.183867 > S 1301162276:1301162276(0) win 1024
01:41:25.184060 > S 1301162276:1301162276(0) win 1024
01:41:25.184091 > S 1301162276:1301162276(0) win 1024
01:41:25.184122 > S 1301162276:1301162276(0) win 1024
01:41:25.184165 > S 1301162276:1301162276(0) win 1024
01:41:25.184195 > S 1301162276:1301162276(0) win 1024
01:41:25.184239 > S 1301162276:1301162276(0) win 1024
01:41:25.184281 > S 1301162276:1301162276(0) win 1024
01:41:25.184324 > S 1301162276:1301162276(0) win 1024
01:41:25.187237 > S 1815095948:1815095948(0) win 1024
01:41:25.187310 > SFP 1815095948:1815095948(0) win 1024
01:41:25.187388 > S 1815095948:1815095948(0) win 1024
01:41:25.188223 > udp 300
01:41:25.402977 > S 1815095949:1815095949(0) win 1024
01:41:25.413377 > S 1815095950:1815095950(0) win 1024
01:41:25.433429 > S 1815095951:1815095951(0) win 1024
01:41:25.453555 > S 1815095952:1815095952(0) win 1024
01:41:25.473427 > S 1815095953:1815095953(0) win 1024
01:41:25.493411 > S 1815095954:1815095954(0) win 1024

(Figure 2. Tcpdump output of nmap test run)

As indicated above, only the correct set of arguments produces this signature. In an effort to answer the question "What’s going on here?", I will explain the pertinent arguments used to generate this signature. Of course, other command line arguments will produce varied, and in some cases, completely different signatures.

commandline_prompt> ./nmap -v -sS -P0 -O -p1-25

The -sS argument tells nmap to use a SYN half-open stealth scan. The -P0 argument tells nmap not to ping the destination host. Perhaps the most crucial argument in this example is the -O option. This activates the TCP/IP fingerprinting routines that try to guess what operating system and version the victim host is running. This operating system identification is responsible for the strange (even by nmap standards) signature at the end of the scan. Finally the -p1-25 tells nmap to use destination ports one though twenty-five.

Nmap provides a surprising amount of information (using -v for verbose) about the targeted host. Below are the results from the test run of nmap seen in figure 2.

tarting nmap V. 2.02 by Fyodor (,
Initiating SYN half-open stealth scan against (
Adding TCP port 9 (state Open).
Adding TCP port 1 (state Open).
Adding TCP port 7 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 22 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 19 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 23 (state Open).
The SYN scan took 0 seconds to scan 25 ports.
For OSScan assuming that port 1 is open and port 35401
is closed and neither are firewalled

Interesting ports on (
Port State Protocol Service
1    open   tcp     tcpmux
7    open   tcp     echo
9    open   tcp     discard
13   open   tcp     daytime
19   open   tcp     chargen
21   open   tcp     ftp
22   open   tcp     unknown
23   open   tcp     telnet
25   open   tcp     smtp

TCP Sequence Prediction: Class=64K rule
Difficulty=1 (Trivial joke)
Sequence numbers: 584D7800 584E7200 584F6C00 58506600
58516000 58525A00
Remote operating system guess: IRIX 6.2 - 6.5
OS Fingerprint:
Nmap run completed -- 1 IP address (1 host up)
scanned in 0 seconds

(Figure 3. Nmap output)

The output of a Nmap scan provides crucial information to the hacker. First, it provides a list of services that are active on the remote host. Second, by sending invalid tcp packets, nmap performs a TCP stack analysis of the remote system. Since these anomalous packets are not covered by the RFCs, each operating system handles them differently. Nmap compares the responses to these packets against an internal database and provides a ‘best guess’ as to the operating system and version number running there. This combination allows the hacker to target the specific vulnerabilities on a given host, providing a higher success rate and a much lower attack signature. Finally, Nmap tells the user how difficult tcp sequence number prediction is for the remote host. This information can be used to target hosts that have a high potential for session hijacking. Such measures might be employed when a remote system has no vulnerable services running, or when it is shielded behind a firewall.

Details, Details... The “Exploits Plus Scan”

As mentioned earlier SHADOW sensors have detected another scan that appears to be a variation of the random scan detailed above. This scan probes commonly exploited service ports and concludes with the signature of the fingerprinting process. Figure 4 is also a sanitized excerpt from a real incident reported by the SHADOW Team at NSWC, Dahlgren.

Timestamp Source >
Destination Flag Sequence Numbers Window size

01:07:37.870000 > S 2443641632:2443641632(0) win 512
01:07:37.870000 > S 1849709624:1849709624(0) win 512
01:07:37.870000 > S 1979681472:1979681472(0) win 512
01:07:37.880000 > S 2831594802:2831594802(0) win 512
01:07:37.880000 > S 200714632:200714632(0) win 512
01:07:38.160000 > S 4224441585:4224441585(0) win 512
01:07:38.160000 > S 3131164300:3131164300(0) win 512
01:07:38.160000 > S 27440843:27440843(0) win 512
01:07:38.460000 > S 2018442450:2018442450(0) win 512
01:07:38.460000 > S 3598088389:3598088389(0) win 512
01:07:38.460000 > S 3603076159:3603076159(0) win 512
01:07:38.790000 > S 942548711:942548711(0) win 512
01:07:38.790000 > S 1558966803:1558966803(0) win 512
01:07:38.800000 > S 1627652454:1627652454(0) win 512
01:07:39.090000 > S 2308481275:2308481275(0) win 512
01:07:39.090000 > S 375730554:375730554(0) win 512
01:07:39.090000 > S 2363444754:2363444754(0) win 512
01:07:39.390000 > S 2983142263:2983142263(0) win 512
01:07:39.390000 > S 2931404189:2931404189(0) win 512
01:07:39.390000 > S 30889188:30889188(0) win 512
01:07:39.720000 > S 2995015889:2995015889(0) win 4096
01:07:39.730000 > FP 2995015889:2995015889(0) win 4096 urg 0
01:07:39.730000 > udp 300
01:07:40.150000 > udp 300
01:07:42.590000 > S 495516404:495516404(0) win 4096
01:07:42.590000 > FP 495516404:495516404(0) win 4096 urg 0
01:07:42.600000 > udp 300
01:07:43.060000 > udp 300
01:07:45.340000 > S 1550032560:1550032560(0) win 4096
01:07:45.340000 > FP 1550032560:1550032560(0) win 4096 urg 0
01:07:45.350000 > udp 300
01:07:45.910000 > udp 300

(Figure 4. Example "Exploits Plus" Scan)

At first glance, this attack bears only a minor semblance to the random scan activity. Examining the pertinent features of this probe, one might notice several distinctions. First, exploits plus employs random (within a range) source ports. Second, as its name implies, this scan focuses on service ports with well-known vulnerabilities. Third, the sequence numbers appear more realistic, as compared to those in the random scan. Finally, the end of the scan appears to be three separate OS fingerprinting attempts.

One might be inclined to think that this is the result of a second tool. However, by coding a simple shell script with multiple calls to nmap, this signature can be easily duplicated as shown in the following script:

nmap –v -sS -P0 -p12345 & # SYN half-open stealth probe for netbus
nmap –v -sS -P0 -p143 & # SYN half-open stealth probe for imap
nmap –v -sS -P0 -p635 & # SYN half-open stealth probe for linux mountd
nmap –v -sS -P0 -p53 & # SYN half-open stealth probe for domain
nmap –v -sS -P0 -p31337 & # SYN half-open stealth probe for back orifice
nmap –v -sS -P0 -p143 &
nmap –v -sS -P0 -p635 &
nmap –v -sS -P0 -p53 &
nmap –v -sS -P0 -p143 &
nmap –v -sS -P0 -p635 &
nmap –v -sS -P0 -p53 &
nmap –v -sS -P0 -p53 &
nmap –v -sS -P0 -p635 &
nmap –v -sS -P0 -p143 &
nmap –v -sS -P0 -p53 &
nmap –v -sS -P0 -p635 &
nmap –v -sS -P0 -O -p143 & # S h-o probe for imap PLUS OS fingerprinting

When this script is run, tcpdump shows the resulting network traffic. This matches the detected probe.

Timestamp Source 
Destination Flag Sequence Numbers Window size

03:50:28.255696 > S 3529719230:3529719230(0) win 4096
03:50:28.255696 > S 1289452862:1289452862(0) win 4096
03:50:28.255696 > S 1053163340:1053163340(0) win 4096
03:50:28.265696 > S 2174813682:2174813682(0) win 4096
03:50:28.285696 > S 1208327640:1208327640(0) win 4096
03:50:28.295696 > S 2484113855:2484113855(0) win 4096
03:50:28.295696 > S 3316743593:3316743593(0) win 4096
03:50:28.305696 > S 2743618682:2743618682(0) win 4096
03:50:28.315696 > S 2564506522:2564506522(0) win 4096
03:50:28.335696 > S 2522641932:2522641932(0) win 4096
03:50:28.345696 > S 2127702081:2127702081(0) win 4096
03:50:28.375696 > S 3126700193:3126700193(0) win 4096
03:50:28.375696 > S 3932342401:3932342401(0) win 4096
03:50:28.395696 > S 1863130126:1863130126(0) win 4096
03:50:28.415696 > S 3665870250:3665870250(0) win 4096
03:50:28.425696 > S 1882012961:1882012961(0) win 4096
03:50:28.465696 > S 2634475111:2634475111(0) win 4096
03:50:28.465696 > S 3872554032:3872554032(0) win 4096
03:50:28.465696 > FP 3872554032:3872554032(0) win 4096
urg 0 03:50:28.465696 > udp 300
03:50:30.685696 > S 229752757:229752757(0) win 4096
03:50:30.685696 > FP 229752757:229752757(0) win 4096
urg 0 03:50:30.685696 > udp 300
03:50:32.905696 > S 1585272933:1585272933(0) win 4096
03:50:32.905696 > FP 1585272933:1585272933(0) win 4096
urg 0 03:50:32.905696 > udp 300

(Figure 5. Tcpdump output of the scripted nmap run)

A quick look at the output from the nmap script reveals some interesting tidbits that help us to understand the resulting network traffic. In the script, each call to nmap (except the last one) generates a block of output as shown below:

Starting nmap V. 2.02 by Fyodor (,
Initiating SYN half-open stealth scan against (
The SYN scan took 0 seconds to scan 1 ports.
No ports open for host (
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

This tells us that none of the services that we are looking for are running on this machine. In contrast, the output from the last call to nmap produces the following output.

Starting nmap V. 2.02 by Fyodor (,
Initiating SYN half-open stealth scan against (
The SYN scan took 0 seconds to scan 1 ports.
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
Warning: No ports found open on this machine,
OS detection will be MUCH less reliable
No ports open for host (
No OS matches for this host. TCP fingerprints:
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

What we discover is that nmap is unable to find the specified port open. It tries three times to find an open tcp/udp port for the purposes of fingerprinting the operating system. This is the activity responsible for the three fingerprinting signatures at the end of the scan. Finally the fingerprinting attempt fails, reporting that it was unable to identify the operating system.

If the host had been running the imap service on port 143, the signature of the scan would have been slightly different, as shown below. For the sake of brevity, we will only show the output for a successful fingerprint attempt.

04:49:24.845696 > S 1746270164:1746270164(0) win 4096
04:49:24.845696 > S 904899788:904899788(0) win 4096
04:49:24.845696 > SFP 904899788:904899788(0) win 4096 urg 0
04:49:24.845696 > S 904899788:904899788(0) win 4096
04:49:24.845696 > FP 904899788:904899788(0) win 4096 urg 0
04:49:24.845696 > udp 300
04:49:25.095696 > S 904899789:904899789(0) win 4096
04:49:25.115696 > S 904899790:904899790(0) win 4096
04:49:25.135696 > S 904899791:904899791(0) win 4096
04:49:25.155696 > S 904899792:904899792(0) win 4096
04:49:25.175696 > S 904899793:904899793(0) win 4096
04:49:25.195696 > S 904899794:904899794(0) win 4096

In this case, the final output of the nmap script shows the following:

Starting nmap V. 2.02 by Fyodor (,
Initiating SYN half-open stealth scan against (
Adding TCP port 143 (state Open).
The SYN scan took 0 seconds to scan 1 ports.
For OSScan assuming that port 143 is open and
port 32159 is closed and neither are firewalled
Interesting ports (

Port State Protocol Service
143  open   tcp      imap

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Sequence numbers: 8EE8EDC6 6A9E9A8B DA6DB46D 5D9366 CFE64AAB 4822733B
Remote operating system guess: Linux 2.0.35-36
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds


Nmap is a powerful tool that is capable of generating a multitude of signatures depending on how it is used. However, if we understand the operation of the tool in general, it is easier to recognize its overall signature in network traffic. Dissecting the signature into sub-patterns one can differentiate between fingerprinting attempts that were successful and those that were not. It is important to understand that we have examined only one of the scan types that nmap can perform, the SYN half-open stealth scan. Several other scans are supported by Nmap: Tcp connect, FIN, Xmas, NULL, udp, ping, and even ftp-bounce. Expect to see these in the near future!

The intelligence that can be garnered by using nmap is extensive. It provides all the information that is needed for a well-informed, full-fledged, precisely targeted assault on a network. Such an attack would have a high probability of success, and would likely go unnoticed by organizations that lack intrusion detection capabilities.


Now that we understand what is causing the recently detected traffic patterns, we should avoid becoming complacent. I’ve often heard "That’s just a reset scan" or "It’s only a icmp mapping attempt, what’s the harm?". Psychological operations, subterfuge, and decoy mechanisms are both prevalent and effective modern warfare methods. Information warfare is no different. The network analyst should always assume that there is more to an incident than meets the eye.

SHADOW has some evidence that this might indeed be the case in this latest round of scans. There are known overt organized efforts underway to create a detailed database of all Internet hosts. Why shouldn’t there be underground ones? Nmap provides many of the tools to make this possible and fairly easy.

In the past the cost of storing such a map was prohibitive, this is no longer an issue. Even moderately funded groups could undertake such a venture, given the arrival of 40-gigabyte disk drives that cost less than $2000.

In figure 4, I showed just a minute fraction of the scan reported by the NSWC SHADOW team. The structure of the actual scan indicates concurrent, cooperating processes. "Process 1" used the ping scan mode of nmap to create a map of hosts that responded to the query from our class B network. About half way through the ping mapping, another process started scanning only the hosts that replied to the icmp query. This implies that process 1 (the mapping process) was writing a file that process 2 (the scanning process) was reading, simultaneously. This falls under the category of "slick time saving" techniques. So, in a matter of less than ten minutes every machine that would respond to an icmp echo request or tcp ping had been mapped and its operating system fingerprinted.

Many of the responding systems were infrastructure computers. Since this class of computer is fairly static on any given network, hackers are willing to sacrifice an ISP account in order to construct maps that will likely be valid for a long time. These scans should be taken seriously, and should be considered a strong indication and warning of future attacks.

There may still be skeptics who think that cost or storage required to create such a map is insurmountable. Please take a moment to consider the worst case scenario and "work through the numbers".

Let’s begin by determining how much disk space might be required to store such a map using a non-optimal, brute force method. Ignoring the fact that IANA has set aside "reserved address blocks", there are 2554 or 4,228,250,625 possible addresses. Each address is a 32-bit representation that can be stored as an integer. So, storing every possible Internet address would require 4 bytes (the integer representation) times the 4,228,250,625 possible addresses. This multiplication yields 16,913,002,500 bytes.

Assume that each of these hosts has an average of 10 tcp and 10 udp services running and can be mapped. If we store these 20 services as short integers (2 bytes each), then the amount of space required would be 16,913,002,500 bytes times 20 services times 2 bytes or 676,520,100,000 bytes or 645.18 gigabytes. At 40 gigabytes per disk, it would take 645.18 gigabytes divided by 40 gigabytes per disk, or 17 disk drives. Seventeen disk drives times $2000 dollars yields a final cost of $34,000. Presupposing we had a $40,000 budget, this leaves $6000 dollars to buy 4 PCs to house the hard disks.

John Green - Shadow Team Leader NSWC Dahlgren

Track 3: The Most Advanced Intrusion Detection Immersion Training Avilable
< Previous Question | Back to Intrusion Detection FAQ Home | Next Question >