Network Enumeration Using Nmap
Nmap is one of the most powerful and widely used tools for network scanning. In this section, we will explore its most important commands and scripts, along with techniques for evading IDS/IPS detection.
Host Discovery
Before we begin scanning the entire network (all IP addresses and ports), we first need to discover live hosts.
For example, the 10.0.0.0/8 network contains 16 million IP addresses. The company may only use 3,000 IP addresses. Scanning the entire network would be a waste of time.
Scan Network Range
root@kakarot$ sudo nmap 172.10.10.0/24 -sn
-sn: No port scan (host discovery only).
172.10.10.0/24: Target network range.
The default host discovery done with -sn consists of an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target.
So, if the network is protected by a firewall or IDS, the -sn option may fail to detect live hosts, as the firewall could drop these discovery requests.
Scan IP List
root@kakarot$ sudo nmap -sn -iL hosts.lst
-sn: No port scan.
-iL: Read the targets from the given input list file.
Scan Multiple IPs
root@kakarot$ sudo nmap -sn 10.10.5.7 10.10.5.100 10.10.5.60
root@kakarot$ sudo nmap -sn 10.10.5.20-150
Scan Single IP
root@kakarot$ sudo nmap -sn <IP>
Like this, we can check whether the host is up before starting a port and service scan.
root@kakarot$ sudo nmap <IP> -sn -PE --packet-trace
Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-10 00:20 CEST
SENT (0.0074s) ARP who-has <IP> tell 10.10.12.7
RCVD (0.0309s) ARP reply <IP> is-at <MAC>
Nmap scan report for <IP>
Host is up (0.023s latency).
MAC Address: <MAC>
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
-PE: Performs the ping scan using ICMP echo requests against the target.
--packet-trace: Shows all packets sent and received.
On LANs, Nmap prioritizes ARP request/reply host discovery over ICMP echo requests, even when the -PE option is specified, because ARP is more reliable and faster within a LAN. The --packet-trace output above shows exactly this: an ARP who-has/is-at exchange and no ICMP echo request at all.
root@kakarot$ sudo nmap <IP> -sn -PE --reason
Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-10 00:30 CEST
SENT (0.0074s) ARP who-has <IP> tell 10.10.12.7
RCVD (0.0309s) ARP reply <IP> is-at <MAC>
Nmap scan report for <IP>
Host is up, received arp-response (0.028s latency). ⬅
MAC Address: <MAC>
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
--reason: Displays the reason for a specific result (here arp-response).
root@kakarot$ sudo nmap <IP> -sn -PE --packet-trace --disable-arp-ping
Starting Nmap 7.80 ( https://nmap.org ) at 2025-08-12 00:24 CEST
SENT (0.0107s) ICMP [10.10.12.7 > <IP> Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [<IP> > 10.10.12.7 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
Nmap scan report for <IP>
Host is up (0.086s latency).
MAC Address: <MAC>
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
--disable-arp-ping: Disables ARP pings.
Learn more about Host Discovery Strategies!
Host and Port Scanning
After we have found out that our target is alive, we want to get a more accurate picture of the system. The information we need includes:
- Open ports and their services
- Service versions
- Information that the services provide
- Operating system
There are a total of 6 different states that Nmap can report for a scanned port!
Discovering Open TCP Ports
If we do not specify any option, Nmap automatically scans the top 1000 TCP ports, using the -sS option (SYN scan) if we have root privileges and the -sT option (connect scan) if we have normal privileges.
root@kakarot$ sudo nmap <IP> --top-ports=10
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-02 14:20 CEST
Nmap scan report for <IP>
Host is up (0.021s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3
139/tcp filtered netbios-ssn
443/tcp closed https
445/tcp filtered microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds
--top-ports=10: Scans the given number of top ports, those defined as the most frequently open.
So, how did Nmap know that port 21 was closed? 🤔
First, we disable the ARP ping, host discovery and DNS resolution, so that only the SYN scan interacts with the target, using these options:
--disable-arp-ping: Disables ARP pings.
-Pn: Treats all hosts as online and skips host discovery (no ICMP echo, TCP or ARP discovery probes are sent).
-n: Never does DNS resolution.
root@kakarot$ sudo nmap <IP> -p 21 --disable-arp-ping -n -Pn --packet-trace
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-13 15:20 CEST
SENT (0.0429s) TCP 10.10.12.7:63090 > <IP>:21 S ⬅ ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP <IP>:21 > 10.10.12.7:63090 RA ⬅ ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for <IP>
Host is up (0.014s latency).
PORT STATE SERVICE
21/tcp closed ftp
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
We sent a TCP packet with the SYN flag, and the target responded with a TCP packet carrying the RST + ACK flags, which means the port is closed.
root@kakarot$ sudo nmap <IP> -p 443 --disable-arp-ping -n -Pn --packet-trace --reason -sT
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-12 16:32 CET
CONN (0.0385s) TCP localhost > <IP>:443 => Operation now in progress
CONN (0.0396s) TCP localhost > <IP>:443 => Connected
Nmap scan report for <IP>
Host is up, received user-set (0.013s latency).
PORT STATE SERVICE REASON
443/tcp open https syn-ack
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
So, why was port 443 reported as closed by the SYN scan (in the --top-ports output above) but as open by the connect scan? 🤨
Because some firewalls are configured to block or drop incomplete handshakes. In a SYN scan (-sS), Nmap sends only the first step of the handshake, the SYN. The firewall may drop this packet or reply with a forged RST, so Nmap interprets the port as closed. In a connect scan (-sT), Nmap performs the full TCP three-way handshake. Since the firewall allows the responses of a completed handshake through, the connection succeeds and Nmap correctly identifies the port as open.
Learn more about SYN Scan and Connect Scan!
Filtered Ports
root@kakarot$ sudo nmap <IP> -p 139 --packet-trace -n --disable-arp-ping -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-20 15:23 CEST
SENT (0.0381s) TCP 10.10.12.7:60277 > <IP>:139 S ttl=47 id=14523 iplen=44 seq=4175236769 win=1024 <mss 1460>
SENT (1.0411s) TCP 10.10.12.7:60278 > <IP>:139 S ttl=45 id=7372 iplen=44 seq=4175171232 win=1024 <mss 1460>
Nmap scan report for <IP>
Host is up.
PORT STATE SERVICE
139/tcp filtered netbios-ssn
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds
When Nmap sends a TCP packet with the SYN flag and receives no response from the target, it automatically retransmits SYN packets up to 10 times, since the --max-retries option is set to 10 by default.
Question: why is port 139 shown as filtered? 🧐
In output we see :
SENT (0.0381s) TCP 10.10.12.7:60277 > <IP>:139 S ttl=47 id=14523 iplen=44 seq=4175236769 win=1024 <mss 1460>
This indicates that Nmap sent a TCP packet with the SYN flag. Since there was no response, Nmap sent another SYN packet:
SENT (1.0411s) TCP 10.10.12.7:60278 > <IP>:139 S ttl=45 id=7372 iplen=44 seq=4175171232 win=1024 <mss 1460>
If the target or firewall continues dropping the packets, Nmap marks the port as filtered.
Dropped: the firewall ignores the packets as if they never arrived. The target does not respond, Nmap receives no reply, and the port is marked as filtered.
Rejected: the firewall blocks the connection but sends an explicit response, such as a TCP RST, so the port is marked as closed.
root@kakarot$ sudo nmap <IP> -p 445 --packet-trace -n --disable-arp-ping -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:55 CEST
SENT (0.0388s) TCP <IP>:52472 > <IP>:445 S ttl=49 id=21763 iplen=44 seq=1418633433 win=1024 <mss 1460>
RCVD (0.0487s) ICMP [<IP> > <IP> Port 445 unreachable (type=3/code=3) ] IP [ttl=64 id=20998 iplen=72 ]
Nmap scan report for <IP>
Host is up (0.0099s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
In this output, Nmap marks port 445 as filtered because it received an ICMP reply of type 3 and code 3, indicating that the port is unreachable.
We also notice the difference in scan duration between the two commands:
- The first scan took 2.06 seconds because Nmap sent 10 TCP packets without any response.
- The second scan took only 0.05 seconds because the target responded immediately with an ICMP unreachable message, so the scan stopped after the first TCP packet.
Discovering Open UDP Ports
root@kakarot$ sudo nmap <IP> -F -sU
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-7 13:21 CEST
Nmap scan report for <IP>
Host is up (0.059s latency).
Not shown: 95 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered ipp
5353/udp open zeroconf
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 98.07 seconds
-F: Scans the top 100 ports.
-sU: Performs a UDP scan.
root@kakarot$ sudo nmap <IP> -sU -Pn -n --disable-arp-ping --packet-trace -p 137 --reason
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-07 12:11 CEST
SENT (0.0367s) UDP 10.10.12.7:55478 > <IP>:137 ttl=57 id=9122 iplen=78
RCVD (0.0398s) UDP <IP>:137 > 10.10.12.7:55478 ttl=64 id=13222 iplen=257
Nmap scan report for <IP>
Host is up, received user-set (0.0031s latency).
PORT STATE SERVICE REASON
137/udp open netbios-ns udp-response ttl 64
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
If the UDP port is open, we only get a response if the application is configured to answer, because Nmap sends empty datagrams to the scanned UDP ports and most services simply do not reply to them, so we receive no response.
root@kakarot$ sudo nmap <IP> -sU -Pn -n --disable-arp-ping --packet-trace -p 100 --reason
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-07 17:25 CEST
SENT (0.0445s) UDP 10.10.12.7:63825 > <IP>:100 ttl=57 id=29925 iplen=28
RCVD (0.1498s) ICMP [<IP> > 10.10.12.7 Port unreachable (type=3/code=3) ] IP [ttl=64 id=11903 iplen=56 ]
Nmap scan report for <IP>
Host is up, received user-set (0.11s latency).
PORT STATE SERVICE REASON
100/udp closed unknown port-unreach ttl 64
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
If we get an ICMP response of type 3 with error code 3 (port unreachable), we know that the port is indeed closed.
root@kakarot$ sudo nmap <IP> -sU -Pn -n --disable-arp-ping --packet-trace -p 138 --reason
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-06 14:22 CEST
SENT (0.0380s) UDP 10.10.12.7:52341 > <IP>:138 ttl=50 id=65159 iplen=28
SENT (1.0392s) UDP 10.10.12.7:52342 > <IP>:138 ttl=40 id=24444 iplen=28
Nmap scan report for <IP>
Host is up, received user-set.
PORT STATE SERVICE REASON
138/udp open|filtered netbios-dgm no-response
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds
When no response comes back at all (the no-response case shown above), and for all other ICMP responses, the scanned ports are marked as open|filtered.
root@kakarot$ sudo nmap <IP> -Pn -n --disable-arp-ping --packet-trace -p 445 --reason -sV
<SNIP>
PORT STATE SERVICE REASON VERSION
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: Ubuntu
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.55 seconds
-sV: Performs a service scan.
-p: Scans only the specified port.
Saving the Results
Formats
We should always save the nmap results for later use. Nmap can save the results in 3 different formats.
- Normal output (-oN) with the .nmap file extension
- Grepable output (-oG) with the .gnmap file extension
- XML output (-oX) with the .xml file extension
root@kakarot$ sudo nmap <IP> -p- -oA scan
-oA: Save the results in all three formats at once.
root@kakarot$ ls
scan.gnmap scan.xml scan.nmap
Style sheets
We can use the xsltproc tool to convert the .xml file to an .html file.
root@kakarot$ sudo xsltproc scan.xml -o scan.html
If we now open the HTML file in our browser, we get a clear and structured presentation of our results!
Learn more about the Nmap Output Formats!
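As an added example (not part of the article or of Nmap itself), the following Python script parses the XML file that -oA writes. Its sample document is constructed to mirror the scans above, with placeholder addresses, and the parser lists, per host that is up, each confirmed-open port with the reason Nmap recorded and the product/version that -sV detected.

```python
"""Parse the XML that nmap -oX / -oA writes into a per-host list of open ports
(added example for this page, not part of the article or of Nmap; the sample
document is constructed to mirror the scans above, with placeholder addresses).
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA scan 10.10.12.0/24" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.12.50" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Intel Corporate"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="7.6p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack" reason_ttl="63"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" method="probed" conf="10"/>
      </port>
      <port protocol="udp" portid="138">
        <state state="open|filtered" reason="no-response" reason_ttl="0"/>
        <service name="netbios-dgm" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.12.51" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return {ipv4: [(proto, port, reason, service), ...]} for hosts that are up."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                              # Nmap never reached this host
        # On a LAN Nmap records a MAC <address> too; keep the IPv4 one as the key.
        ip = next(a.get("addr") for a in host.findall("address")
                  if a.get("addrtype") == "ipv4")
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                          # open|filtered is not confirmed open
            svc = port.find("service")
            # -sV sets product/version only when a probe matched (method="probed");
            # otherwise only the port-table name (method="table") is available.
            service = svc.get("name", "?") if svc is not None else "?"
            if svc is not None and svc.get("product"):
                service = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            entries.append((port.get("protocol"), int(port.get("portid")),
                            state.get("reason"), service))
        result[ip] = entries
    return result


def summary_lines(xml_text):
    """Flatten open_ports() into greppable 'ip port/proto reason service' lines."""
    return [f"{ip} {port}/{proto} {reason} {service}"
            for ip, ports in open_ports(xml_text).items()
            for proto, port, reason, service in ports]


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_XML)))
```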
Service Enumeration
It is important to scan the services running on the ports, and their versions, to accurately identify potential vulnerabilities.
Service Version Detection
First, let's scan all ports to find the open ones.
root@kakarot$ sudo nmap <IP> -p-
-p-: Scans all 65535 ports.
Then, we run version detection only against the open ports we found, with the -sV option.
root@kakarot$ sudo nmap <IP> -p <Open-Ports> -sV --stats-every=5s -v
-sV: Performs service version detection on the specified ports.
--stats-every=5s: Shows the progress of the scan every 5 seconds.
-v: Increases the verbosity level (use -vv or more for greater effect).
Banner Grabbing
Nmap with the -sV option relies on banner grabbing and signature matching, but it may sometimes miss details. Tools like nc or tcpdump can be used to gather additional information.
root@kakarot$ sudo tcpdump -i eth0 host <IP1> and <IP2>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:28:07.128564 IP <IP1>.59618 > <IP2>.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP <IP2>.smtp > <IP1>.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP <IP1>.59618 > <IP2>.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP <IP2>.smtp > <IP1>.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP <IP1>.59618 > <IP2>.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0
root@kakarot$ sudo nc -nv <IP> 25
Connection to <IP> port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)
Nmap Scripting Engine
Nmap Scripting Engine (NSE) is another handy feature of Nmap. It provides us with the possibility to create scripts in Lua for interaction with certain services. There are a total of 14 categories into which these scripts can be divided.
root@kakarot$ sudo nmap <target> -sC
-sC: Equivalent to --script=default.
root@kakarot$ sudo nmap <target> --script <category> #Specific Scripts Category
root@kakarot$ sudo nmap <target> --script <script-name>,<script-name>,... #Defined Scripts
root@kakarot$ sudo nmap <IP> -p 25 --script banner,smtp-commands #Specifying Scripts
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 23:21 CEST
Nmap scan report for <IP>
Host is up (0.050s latency).
PORT STATE SERVICE
25/tcp open smtp
|_banner: 220 inlane ESMTP Postfix (Ubuntu)
|_smtp-commands: inlane, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
MAC Address: <MAC> (Intel Corporate)
root@kakarot$ sudo nmap <target> -p22 -A #Aggressive Scan
-A: Performs service detection, OS detection and traceroute, and runs the default scripts against the target.
root@kakarot$ sudo nmap <IP> -p 80 -sV --script vuln #Vulnerability Assessment
Nmap scan report for <IP>
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-enum:
| /wp-login.php: Possible admin folder
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.3.4
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners:
| cpe:/a:apache:http_server:2.4.29:
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
<SNIP>
--script vuln: Runs all scripts of the specified category.
Learn more about NSE Scripts!
Performance
Timeouts
Scanning performance plays a significant role when we need to scan an extensive network or deal with low network bandwidth. So we need to build an Nmap syntax to scan faster.
root@kakarot$ sudo nmap 10.10.12.0/24 -F #Default Scan
<SNIP>
Nmap done: 256 IP addresses (10 hosts up) scanned in 39.44 seconds
In Nmap, RTT (Round-Trip Time) is the time it takes for a probe packet to travel from the Nmap scanner to a target and for the response to come back.
root@kakarot$ sudo nmap 10.10.12.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms
<SNIP>
Nmap done: 256 IP addresses (8 hosts up) scanned in 12.29 seconds
--initial-rtt-timeout: Sets the specified time value as the initial RTT timeout.
--max-rtt-timeout: Sets the specified time value as the maximum RTT timeout.
If the --initial-rtt-timeout value is too small, some hosts may not be reported as up (8 hosts up above instead of 10).
Max Retries
root@kakarot$ sudo nmap 10.10.12.0/24 -F | grep "/tcp" | wc -l #Default Scan
23 #23 ports
root@kakarot$ sudo nmap 10.10.12.0/24 -F --max-retries 0 | grep "/tcp" | wc -l #Reduced Retries
21 #21 ports
--max-retries 0: Sets the number of retries performed during the scan (here none).
Reducing the number of retries may result in some open ports going undetected.
Rates
root@kakarot$ sudo nmap 10.10.12.0/24 -F #Default Scan
<SNIP>
Nmap done: 256 IP addresses (10 hosts up) scanned in 29.83 seconds
root@kakarot$ sudo nmap 10.10.12.0/24 -F --min-rate 300 #Optimized Scan
<SNIP>
Nmap done: 256 IP addresses (10 hosts up) scanned in 8.67 seconds
--min-rate 300: Sets the minimum number of packets to be sent per second.
Using the --min-rate option can speed up Nmap scans by increasing the number of packets sent per second. However, setting this value too high may lead to packet loss, incomplete results, or even trigger IDS/IPS alerts. It can also overload the target system or the network.
Timing
Learn more about Timing Templates!
- -T 0 / -T paranoid
- -T 1 / -T sneaky
- -T 2 / -T polite
- -T 3 / -T normal
- -T 4 / -T aggressive
- -T 5 / -T insane
root@kakarot$ sudo nmap 10.10.12.0/24 -F #Default Scan
<SNIP>
Nmap done: 256 IP addresses (10 hosts up) scanned in 32.44 seconds
root@kakarot$ sudo nmap 10.10.12.0/24 -F -T 5 #Insane Scan
<SNIP>
Nmap done: 256 IP addresses (10 hosts up) scanned in 18.07 seconds
Learn more about Timing and Performance!
Firewall and IDS/IPS Evasion
Nmap provides various techniques to evade firewall rules and IDS/IPS, including packet fragmentation, employing decoys, and other methods that will be covered in this section.
ACK-Scan
Packets with the ACK flag are often passed by the firewall, because the firewall cannot determine whether the connection was first established from the external network or from the internal network.
root@kakarot$ sudo nmap <IP> -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace
<SNIP>
-sA: Performs an ACK scan on the specified ports.
Decoys
The -D option causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5–10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys. Another critical point is that the decoys must be alive.
root@kakarot$ sudo nmap <IP> -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
<SNIP>
Nmap scan report for <IP>
Host is up (0.099s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
-D RND:5: Generates five random IP addresses that appear as the source IPs the connections come from.
The spoofed packets are often filtered out by ISPs and routers, even though they come from the same network range. Therefore, we can also specify our VPS servers' IP addresses and use them in combination with IP ID manipulation in the IP headers to scan the target.
Spoof source address
Another scenario would be that only individual subnets do not have access to the server's specific services. So we can also manually specify the source IP address with -S to test whether we get better results with it.
root@kakarot$ sudo nmap <IP> -n -Pn -p445 -O
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-02 02:03 CEST
Nmap scan report for <IP>
Host is up (0.032s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds ⬅
MAC Address: <MAC> (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds
root@kakarot$ sudo nmap <IP> -n -Pn -p 445 -O -S <Source-IP> -e tun1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 01:16 CEST
Nmap scan report for <IP>
Host is up (0.010s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds ⬅
MAC Address: <MAC> (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 3.4 - 3.10 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Synology DiskStation Manager 5.2-5644 (94%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.5 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
-S: Scans the target using a different (spoofed) source IP address.
-e tun1: Sends all requests through the specified interface.
-O: Performs operating system detection.
DNS Proxying
By default, Nmap performs reverse DNS lookups to gather information about a target. These DNS queries usually go through, as the web server is expected to respond. Nmap can also use custom DNS servers or set the source port to TCP 53, which can help bypass some firewalls and IDS/IPS protections.
root@kakarot$ sudo nmap <IP> -p50000 -sS -Pn -n --disable-arp-ping --packet-trace #SYN-Scan of a Filtered Port
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-21 22:50 CEST
<SNIP>
PORT STATE SERVICE
50000/tcp filtered ibm-db2 ⬅
Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds
root@kakarot$ sudo nmap <IP> -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 #SYN-Scan From DNS Port
<SNIP>
PORT STATE SERVICE
50000/tcp open ibm-db2 ⬅
MAC Address: <MAC> (Intel Corporate)
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
--source-port / -g: Performs the scan from the specified source port (spoofs the source port number).
root@kakarot$ ncat -nv --source-port 53 <IP> 50000 #Connect To The Filtered Port With Ncat
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to <IP>:50000.
220 ProFTPd
Learn more about Firewall/IDS Evasion and Spoofing!
If you find any mistakes in our article, please contact us here:
kakarot@powerscrews.com