In this tutorial I'll teach you some basic Nmap scans.
Before learning about the scan methods you should have a basic understanding of TCP and UDP. So I'll also cover these topics very briefly.
UDP
UDP stands for User Datagram Protocol. UDP is a connectionless protocol, i.e. packets (datagrams) are sent from one party to another without any prior connection establishment between the two. This method of transmission doesn't guarantee that the data will reach its destination: packets may be delayed, arrive out of sequence, be duplicated or be lost.
Thus we can say that UDP isn't a reliable protocol; any reliability has to be added by the application on top of it.
TCP
TCP stands for Transmission Control Protocol. TCP is a connection-oriented protocol, i.e. data exchange occurs between the sender and the receiver only after a connection is established between the two.
The connection is established using a three-way handshake. To understand the three-way handshake you have to know about the flags field in a TCP header.
The flags field, or control bits field, was a 6-bit field in the original TCP specification (RFC 793) and is used to relay control information between TCP peers. (Later RFCs added the ECE and CWR bits, which sit in the same byte of the header, but the six below are the ones that matter for the scans in this tutorial.)
The various types of flags are:
A: SYN or synchronize flag is used to synchronize the sequence numbers; it is set on the first packet of a new connection.
B: FIN or finish flag tells the remote machine that the sender has no more data to send and wants to terminate the connection.
C: ACK or acknowledgment flag indicates that the acknowledgment number field is significant, i.e. the packet acknowledges data received from the other side.
D: PSH or push flag is a notification from the sender to the receiver to pass all the buffered data to the receiving application immediately instead of waiting for more.
E: URG or urgent flag signifies that the packet contains urgent data and that the urgent pointer field is significant.
F: RST or reset flag is used to abort (reset) the connection; it is also the reply a host sends when a packet arrives for a port with nothing listening on it.
With the knowledge of flags under our belt we can proceed to learn the three-way handshake.
Three-way handshake
Suppose computer A wants to establish a connection with computer B.
1: Firstly, computer A sends a packet with the SYN flag set to computer B.
2: Computer B, after receiving the SYN packet, sends a packet with both the SYN and ACK flags set (SYN-ACK) to computer A.
3: When computer A receives the SYN-ACK packet it sends a packet with the ACK flag set to computer B.
4: Finally, when computer B receives the ACK packet the connection is established.
Computer A --------------------->SYN------------------->Computer B
Computer A<-------------------SYN-ACK<-------------------Computer B
Computer A --------------------->ACK------------------->Computer B
Let's now discuss the Nmap scan methods.
The first scan we'll be talking about is the SYN scan, sometimes called the half-open scan.
A: SYN Scan
SYN scan or half-open scan is almost like the three-way handshake except for one step.
1: Firstly Nmap sends a SYN packet to the destination port.
2: The destination port -if open- replies with a SYN-ACK packet.
3: Now Nmap doesn't want to establish a connection, so instead of sending an ACK response it sends a packet with the RST flag set, and this is where it deviates from the normal three-way handshake. Because the handshake is never completed, the application listening on that port never sees a connection (a firewall or IDS watching the network still can see the probe).
The steps explained above were for open ports. In case of closed ports:
1: Firstly Nmap sends a SYN packet to the destination port.
2: The remote port -since it's closed- sends an RST response.
Nmap ------------------>SYN------------------->Remote port
Nmap<----------------SYN-ACK<----------------Remote port
Nmap------------------->RST------------------->Remote port
OPEN PORT
Nmap ------------------>SYN---------------->Remote port
Nmap<-------------------RST<----------------Remote port
CLOSED PORT
Sometimes it happens that Nmap sends a SYN packet to the remote port and gets no response, even after retransmitting the probe. Usually this means that a firewall (on the host itself or somewhere on the path) is dropping the packet or the reply. Nmap reports the same state when an ICMP unreachable error comes back instead of a TCP reply. Nmap declares these ports as filtered.
Nmap ------------------>SYN---------------->Remote port
Nmap---------------NO RESPONSE-------------Remote port
FILTERED PORT
SYN scan is the default scan if you are running as a privileged user, because it hand-crafts raw packets instead of going through the operating system's normal socket API (on Linux that means root or the CAP_NET_RAW capability).
The syntax to run this scan in CLI is:
nmap -sS <remote IP>
Here -sS is the SYN scan option and <remote IP> is the IP address that you want to scan. So for a host at 192.168.1.10 (an example address) the command looks like this:
nmap -sS 192.168.1.10
You might be asking: if SYN scan is already the default for privileged users, why specify -sS at all? Strictly, you don't have to; the scan will work just the same with:
nmap <remote IP>
But it's good practice to specify -sS explicitly, because if you aren't running privileged, Nmap silently falls back to the TCP connect() scan (-sT) as its default. That scan completes the full three-way handshake through the operating system's connect() call, so every open port you probe sees a real connection and the application behind it may log it. Asking for -sS explicitly makes Nmap stop with an error instead of quietly running a different kind of scan.
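To make the flags field, the three-way handshake and the half-open trick concrete, here is a small Python simulation. This is an added example, not code from the original post or from the Nmap project: it packs 20-byte TCP headers with struct, reads the control bits from byte 13 of the header, and models a remote host (SimulatedHost, a constructed toy with made-up open, closed and firewalled ports) that answers probes the way the diagrams above describe. syn_scan() answers SYN-ACK with RST the way -sS does, while connect_scan() answers with ACK like -sT, so you can see that only the latter leaves an established connection on the target.

```python
import struct

# TCP control bits as they sit in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))


def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Pack a minimal 20-byte TCP header: ports, seq/ack numbers, data offset (5 words,
    no options), flags byte, window, checksum (left zero in this toy) and urgent pointer."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp_header(header):
    """Unpack the fields we care about; the flags byte is at offset 13."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, _offset, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", header[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags}


def flag_names(flags):
    """Human-readable list of the set control bits, e.g. SYN|ACK -> ['SYN', 'ACK']."""
    return [name for name, bit in FLAG_NAMES if flags & bit]


class SimulatedHost:
    """Toy target (constructed for this example): open ports answer SYN with SYN-ACK,
    closed ports answer with RST, and ports behind a dropping firewall never answer."""

    def __init__(self, open_ports, dropped_ports, isn=1000):
        self.open_ports = set(open_ports)
        self.dropped_ports = set(dropped_ports)
        self.isn = isn
        self.established = set()  # (client port, server port) pairs that completed the handshake
        self.seen = []            # every packet that reached the host, as (port, flag names)

    def receive(self, packet):
        """Process one packet from the scanner and return the reply, or None for silence."""
        p = parse_tcp_header(packet)
        self.seen.append((p["dst"], flag_names(p["flags"])))
        if p["dst"] in self.dropped_ports:
            return None  # firewall drops it: the scanner gets nothing back at all
        if p["flags"] == SYN:
            if p["dst"] in self.open_ports:
                return build_tcp_header(p["dst"], p["src"], self.isn, p["seq"] + 1, SYN | ACK)
            # RFC 793: a SYN to a closed port is answered with RST (the ACK bit is set too, seq 0)
            return build_tcp_header(p["dst"], p["src"], 0, p["seq"] + 1, RST | ACK)
        if p["flags"] == ACK and p["dst"] in self.open_ports:
            self.established.add((p["src"], p["dst"]))  # third step of the handshake completed
        return None  # an RST from the scanner, or anything else, gets no reply


def _probe(host, port, src_port, isn, third_packet_flags):
    """Shared SYN probe; third_packet_flags decides what we send back to an open port."""
    reply = host.receive(build_tcp_header(src_port, port, isn, 0, SYN))
    if reply is None:
        return "filtered"  # no answer (Nmap would retry first): dropped somewhere on the path
    r = parse_tcp_header(reply)
    if r["flags"] & SYN and r["flags"] & ACK:
        host.receive(build_tcp_header(src_port, port, isn + 1, r["seq"] + 1, third_packet_flags))
        return "open"
    if r["flags"] & RST:
        return "closed"
    return "unexpected"


def syn_scan(host, port, src_port=40000, isn=500):
    """-sS: answer SYN-ACK with RST, so the handshake is never completed (half-open)."""
    return _probe(host, port, src_port, isn, RST)


def connect_scan(host, port, src_port=40001, isn=500):
    """-sT: answer SYN-ACK with ACK, completing the handshake like a normal client."""
    return _probe(host, port, src_port, isn, ACK)


def run_demo():
    """Scan a constructed target both ways; returns (port states, connections the target
    saw after the SYN scan, connections after the connect scan, packets the target saw)."""
    target = SimulatedHost(open_ports={22, 80}, dropped_ports={443})
    results = {port: syn_scan(target, port) for port in (22, 25, 443)}
    after_syn = set(target.established)
    results["connect:80"] = connect_scan(target, 80)
    return results, after_syn, set(target.established), list(target.seen)


if __name__ == "__main__":
    states, after_syn, after_connect, seen = run_demo()
    print("port states:", states)
    print("connections the target saw after the SYN scan:", after_syn)
    print("connections the target saw after the connect scan:", after_connect)
    print("packets the target saw:", seen)
```

The packet log shows the whole difference between the two scan types: for port 22 the target sees SYN then RST and nothing ever reaches the established set, while for port 80 the connect scan's final ACK puts (40001, 80) there, which is exactly the connection a listening daemon would log.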
That's it for this part. I'll be taking more scans in the other parts of this tutorial.