Getting started with Nmap - Part 5

In part 4, we looked at the various scanning techniques that are available in Nmap. In this post, we'll look at the various port-scan specific options that Nmap provides.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks in general is a cybercrime and may even lead to jail. Please get permission before scanning random networks.

Scan specific ports


So far, we've been looking at options where, by default, the top 1000 ports were scanned. There will be situations where you need to scan a port that is not among those 1000. The -p option is what you use in that situation.

nikhilh@ubuntu:~$ nmap -d -p80,443 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 12:25 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
...
...
PORT    STATE    SERVICE REASON
80/tcp  open     http    syn-ack
443/tcp filtered https   no-response
Final times for host: srtt: 81264 rttvar: 61024  to: 325360

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds

Scan ports by name


If you have forgotten the port number for a particular service, that is not a problem. Instead of the port number, you can give -p the name of the service that runs on that port.

nikhilh@ubuntu:~$ nmap -d -pimap,smtp scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:23 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.082s latency).
Scanned at 2018-08-22 13:23:47 PDT for 2s

PORT    STATE    SERVICE REASON
25/tcp  filtered smtp    no-response
143/tcp filtered imap    no-response
Final times for host: srtt: 81738 rttvar: 81738  to: 408690

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

Scan ports by protocol


If you want to scan port x with TCP and port y with UDP, this option makes that possible. It is important to use both -sS (or any other TCP scanning technique) and -sU for this to work, since the T: ports are only probed by the TCP scan and the U: ports only by the UDP scan.

nikhilh@ubuntu:~$ sudo nmap -d -sU -sS -p T:80,U:67 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 15:21 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Scanned at 2018-08-22 15:21:07 PDT for 0s

PORT   STATE         SERVICE REASON
80/tcp open          http    syn-ack ttl 128
67/udp open|filtered dhcps   no-response
Final times for host: srtt: 10394 rttvar: 24115  to: 106854

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
           Raw packets sent: 7 (252B) | Rcvd: 3 (112B)

Scanning all ports


If you need to scan ALL 65535 ports, this option will be helpful. Keep in mind that it will take a while to execute. I have never had the need to use this option so far. The command is as below:

nikhilh@ubuntu:~$ nmap -d -p- scanme.nmap.org
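The four sections above all feed the same -p argument, so as an added example (my own code, not Nmap's) here is a small parser for that port-list syntax: single ports, ranges, a bare "-" for every port, service names, and the T:/U: protocol prefixes. The service table is a constructed subset of the nmap-services file that the output above shows Nmap reading; a real run resolves names against the whole file.

```python
"""Parse the port list given to Nmap's -p option into per-protocol port lists.

Added example, not Nmap's own code. Grammar covered: single ports (80),
ranges (1-1024), a bare '-' for all 65535 ports, service names (imap),
and protocol prefixes (T:80,U:67). SERVICE_PORTS is a constructed subset
of nmap-services; real runs consult that file.
"""
from typing import Dict, List, Set, Tuple

# Constructed subset of nmap-services, keyed by (name, protocol).
SERVICE_PORTS: Dict[Tuple[str, str], int] = {
    ("http", "tcp"): 80, ("https", "tcp"): 443, ("smtp", "tcp"): 25,
    ("imap", "tcp"): 143, ("ssh", "tcp"): 22,
    ("dhcps", "udp"): 67, ("dhcpc", "udp"): 68, ("domain", "udp"): 53,
}
PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}


def _expand_item(item: str, proto: str) -> Set[int]:
    """Expand one comma-separated element into a set of port numbers."""
    if item == "-":                       # bare '-' means every port
        return set(range(1, 65536))
    if "-" in item:                       # numeric range, either bound optional
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1
        hi = int(hi_s) if hi_s else 65535
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad range {item!r}")
        return set(range(lo, hi + 1))
    if item.isdigit():
        port = int(item)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return {port}
    # Service name: resolve against the table for the current protocol.
    try:
        return {SERVICE_PORTS[(item, proto)]}
    except KeyError:
        raise ValueError(f"unknown service {item!r} for {proto}") from None


def parse_port_spec(spec: str, default_proto: str = "tcp") -> Dict[str, List[int]]:
    """Return {'tcp': [...], 'udp': [...], 'sctp': [...]} for a -p argument.

    A 'T:' / 'U:' / 'S:' prefix switches the protocol for all following
    items until the next prefix, which is how Nmap reads 'T:80,U:67'.
    """
    result: Dict[str, Set[int]] = {"tcp": set(), "udp": set(), "sctp": set()}
    proto = default_proto
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty element in port spec")
        if len(item) > 2 and item[1] == ":" and item[0].upper() in PROTO_PREFIX:
            proto = PROTO_PREFIX[item[0].upper()]
            item = item[2:]
        result[proto] |= _expand_item(item, proto)
    return {p: sorted(ports) for p, ports in result.items()}


if __name__ == "__main__":
    for spec in ("80,443", "imap,smtp", "T:80,U:67", "20-25,U:53,67-68"):
        print(spec, "->", parse_port_spec(spec))
```

Note that a service name is looked up for the protocol currently in effect, so "imap" under a U: prefix is rejected rather than silently mapped to the TCP port; unknown names raise instead of being dropped, which is the failure mode you want when a typo would otherwise shrink the scan.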

Scan top ports


Previously, we have seen the top 1000 ports being scanned. With the -F option, Nmap scans the top 100 ports. But what if you need to scan the top 10 ports? Or top 200 ports? Then this option would be helpful.

nikhilh@ubuntu:~$ nmap -d --top-ports 10 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:34 PDT
PORTS: Using top 10 ports found open (TCP:10, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
PORT     STATE    SERVICE       REASON
21/tcp   filtered ftp           no-response
22/tcp   open     ssh           syn-ack
23/tcp   filtered telnet        no-response
25/tcp   filtered smtp          no-response
80/tcp   open     http          syn-ack
110/tcp  filtered pop3          no-response
139/tcp  filtered netbios-ssn   no-response
443/tcp  filtered https         no-response
445/tcp  filtered microsoft-ds  no-response
3389/tcp filtered ms-wbt-server no-response
Final times for host: srtt: 82117 rttvar: 35374  to: 223613

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds

Scanning ports sequentially


By default Nmap randomizes the order in which it probes ports; the -r option turns that off and scans them in ascending order. Scanning ports sequentially is usually not recommended because it makes it very obvious that an entity is trying to scan the system. But if there is a requirement, then this is the option to use.

nikhilh@ubuntu:~$ nmap -d -r scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 13:40 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
9929/tcp open  nping-echo syn-ack
Final times for host: srtt: 82645 rttvar: 15487  to: 144593

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds
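To show why a sequential sweep stands out to whoever is watching the logs, here is an added example (my own code, not part of the original post) that runs a simple sweep detector over a few constructed firewall log lines, loosely in the shape of iptables LOG output. One source hits ports in ascending order, another hits the same ports shuffled, and a third is a normal client; the detector flags both sweeps and labels the port order of each.

```python
"""Flag sources that hit many distinct ports on one host in a short window,
and note whether the ports arrived in strictly ascending order (the
signature of a -r run) or shuffled (Nmap's default).

Added example, not part of the original post. The log format is a
constructed simplification of iptables LOG output.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: one host sweeping 22..27 in order, another hitting
# the same ports shuffled, and a benign client talking to port 443 only.
SAMPLE_LOG = """\
2018-08-22T13:40:01 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2018-08-22T13:40:01 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
2018-08-22T13:40:02 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=24 SYN
2018-08-22T13:40:02 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2018-08-22T13:40:03 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=26 SYN
2018-08-22T13:40:03 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=27 SYN
2018-08-22T13:41:10 DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2018-08-22T13:41:10 DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2018-08-22T13:41:11 DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=27 SYN
2018-08-22T13:41:11 DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
2018-08-22T13:41:12 DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=26 SYN
2018-08-22T13:41:12 DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=24 SYN
2018-08-22T13:42:00 ACCEPT SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2018-08-22T13:42:05 ACCEPT SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse_log(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    return events


def detect_sweeps(events, min_ports: int = 5, window_s: int = 60) -> Dict[Tuple[str, str], dict]:
    """Group events by (src, dst); report pairs touching >= min_ports distinct
    ports within window_s seconds, tagging the port order as 'sequential'
    when every port is larger than the previous one, else 'randomized'."""
    by_pair = defaultdict(list)
    # Stable sort on timestamp only, so same-second hits keep their log order.
    for ts, src, dst, dpt in sorted(events, key=lambda e: e[0]):
        by_pair[(src, dst)].append((ts, dpt))
    findings = {}
    for pair, hits in by_pair.items():
        ports = [p for _, p in hits]
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(set(ports)) >= min_ports and span <= window_s:
            ordered = all(a < b for a, b in zip(ports, ports[1:]))
            findings[pair] = {"ports": len(set(ports)), "span_s": span,
                              "order": "sequential" if ordered else "randomized"}
    return findings


if __name__ == "__main__":
    for (src, dst), info in detect_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info}")
```

The threshold on distinct ports is what catches a sweep regardless of order; the ascending-order tag is extra context for the analyst, not the trigger, because a randomized scan is just as much a scan.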

Scan and show only open ports


When this option is used, Nmap displays only open ports. All other states (closed, filtered, unfiltered, open|filtered and closed|filtered) are not displayed.

nikhilh@ubuntu:~$ nmap -d --open scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 14:55 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Reason: 997 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
80/tcp   open  http       syn-ack
9929/tcp open  nping-echo syn-ack
Final times for host: srtt: 83157 rttvar: 12869  to: 134633

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
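When you already have a saved report rather than a live scan, the same filtering can be done after the fact. Here is an added example (my own code, not Nmap's) that parses the PORT/STATE/SERVICE/REASON table and the "Not shown:" summary line from Nmap's normal output and filters rows by state; the sample report is constructed to match the layout of the outputs in this post, including a "ttl" suffix in the REASON column and an open|filtered UDP row.

```python
"""Parse the port table from Nmap's normal output and filter it by state.

Added example, not Nmap's own code. SAMPLE_REPORT is constructed to
match the layout shown in the posts above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE_REPORT = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.082s latency).
Not shown: 994 filtered ports
Reason: 994 no-responses
PORT     STATE         SERVICE       REASON
22/tcp   open          ssh           syn-ack ttl 52
25/tcp   filtered      smtp          no-response
80/tcp   open          http          syn-ack ttl 52
67/udp   open|filtered dhcps         no-response
113/tcp  closed        ident         reset ttl 52
9929/tcp open          nping-echo    syn-ack ttl 52
"""

# Compound states are listed first so 'open' does not swallow 'open|filtered'.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<reason>.*))?$"
)
NOT_SHOWN = re.compile(r"^Not shown: (?P<n>\d+) (?P<state>[\w|]+) ports?")


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    reason: str


def parse_report(text: str) -> Tuple[List[PortResult], Dict[str, int]]:
    """Return the parsed port rows plus the aggregate 'Not shown' counts.

    Header, timing and 'Read from' lines simply do not match and are skipped.
    """
    rows: List[PortResult] = []
    not_shown: Dict[str, int] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append(PortResult(int(m["port"]), m["proto"], m["state"],
                                   m["service"], (m["reason"] or "").strip()))
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown[m["state"]] = int(m["n"])
    return rows, not_shown


def filter_states(rows: List[PortResult], states: Set[str]) -> List[PortResult]:
    """Keep only rows whose state is in the given set, preserving report order."""
    return [r for r in rows if r.state in states]


if __name__ == "__main__":
    rows, hidden = parse_report(SAMPLE_REPORT)
    print("not shown:", hidden)
    for r in filter_states(rows, {"open"}):
        print(f"{r.port}/{r.proto} {r.service} ({r.reason})")
```

Keeping the state set explicit lets you decide per report whether an unanswered UDP probe (open|filtered) belongs in an exposure list; the "Not shown" counts are kept because a review that only sees the open rows loses the fact that 994 other ports were probed and dropped.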

That's it for part 5! Like part 4, I believe this post's content was straightforward as well. I hope everything was simple to understand. If there are any questions, please leave them in the comments below and I'll get back to you as soon as I can!

In the next part, we'll be looking at OS and service version detection along with timing options that Nmap offers.

Getting started with Nmap - Part 4

In part 3 of this tutorial series, we looked at the various host discovery options that Nmap provides. Nmap first pings the target to check its status and proceeds to scan it only if the host is alive (unless the -Pn option is used). In this part, we'll look at the various scanning techniques that Nmap provides.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks in general is a cybercrime and may even lead to jail. Please get permission before scanning random networks.


Fast Scan


When the fast scan option is used, Nmap only scans the top 100 most commonly used ports rather than the top 1000.

nikhilh@ubuntu:~$ nmap -F -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 05:43 PDT
PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 05:43
...
...
22/tcp    open  ssh        syn-ack
80/tcp    open  http       syn-ack
Final times for host: srtt: 81393 rttvar: 34707  to: 220221

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 3.01 seconds

TCP SYN Scan


In part 2, I mentioned the TCP Stealth scan. TCP SYN scan is the official name for it. It requires root access to execute, and it is also the default scanning technique when Nmap is run as root.

nikhilh@ubuntu:~$ sudo nmap -sS -d scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 05:53 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
...
...
Initiating SYN Stealth Scan at 05:53
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed SYN Stealth Scan at 05:53, 31.55s elapsed (1000 total ports)
...
...
Nmap done: 1 IP address (1 host up) scanned in 31.61 seconds
           Raw packets sent: 2018 (88.700KB) | Rcvd: 1032 (41.280KB)

TCP Connect Scan


We already know that TCP Connect scan is the default scanning technique when Nmap is run with regular user privileges.

nikhilh@ubuntu:~$ nmap -d -sT scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:02 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating Connect Scan at 06:02
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 50.72 seconds

TCP Connect scan is less reliable than TCP SYN scan because Connect scan uses the local host's TCP/IP stack to complete the connection; it does not generate its own raw packets.

TCP ACK Scan


In this type of scan, Nmap generates TCP ACK packets and sends them to the target host. This type of scan is useful when you want to check whether a system is protected by a firewall.
  1. If the system is protected, Nmap receives no responses and the ports are marked filtered.
  2. If unprotected, Nmap receives RST packets and marks the ports as unfiltered, as in the case below.

nikhilh@ubuntu:~$ sudo nmap -d -sA scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:15 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating ACK Scan at 06:15
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed ACK Scan at 06:15, 0.03s elapsed (1000 total ports)
Overall sending rates: 34491.08 packets / s, 1379643.36 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.000025s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are unfiltered because of 1000 resets
Final times for host: srtt: 25 rttvar: 7  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
           Raw packets sent: 1004 (40.152KB) | Rcvd: 1001 (40.040KB)

TCP Null Scan


Null scan is a type of scan in which none of the TCP flags (SYN, ACK, FIN, RST, URG, PSH, ECE and CWR) are set. Many systems do not respond to such packets, but a badly configured one will.
  1. If a port is open, the stack does not know what to do with such a packet and discards it.
  2. If a port is closed, Nmap receives a RST response.

nikhilh@ubuntu:~$ sudo nmap -d -sN scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 06:40 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
...
...
Initiating NULL Scan at 06:40
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed NULL Scan at 06:40, 4.03s elapsed (1000 total ports)
Overall sending rates: 496.45 packets / s, 19858.06 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00039s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 389 rttvar: 2213  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)

TCP FIN Scan


Like the TCP NULL scan, not all systems respond to the TCP FIN scan. In this type of scan, only the FIN flag in the TCP header is set.
  1. If a port is open, the packet is discarded silently and there is no response.
  2. If a port is closed, it generates an error message.

nikhilh@ubuntu:~$ sudo nmap -d -sF scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 08:48 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating FIN Scan at 08:48
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed FIN Scan at 08:48, 4.03s elapsed (1000 total ports)
Overall sending rates: 497.08 packets / s, 19883.05 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00044s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 444 rttvar: 2246  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)

XMAS Scan


In this type of scan, the URG, FIN and PSH TCP flags are set. It is called the XMAS scan because so many TCP flags are set that the header looks like it is "lit up like a Christmas tree". Not all systems respond to this type of scan.

Systems that conform to RFC 793 are especially at risk.
  1. Ports that do not respond to such packets are deemed open.
  2. If the port replies with a RST, it is deemed closed.

nikhilh@ubuntu:~$ sudo nmap -d -sX scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 08:56 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating XMAS Scan at 08:56
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed XMAS Scan at 08:56, 4.04s elapsed (1000 total ports)
Overall sending rates: 495.34 packets / s, 19813.80 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00029s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 290 rttvar: 2164  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
           Raw packets sent: 2007 (80.272KB) | Rcvd: 5 (188B)
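The ACK, NULL, FIN and XMAS sections above all reduce to one question: what does an RFC 793 stack send back for a given flag combination, and what does Nmap conclude from it? As an added example (my own code, not Nmap's), the following small simulation encodes the probe flags for each scan type and the stack's reply rules, then maps the reply to the state Nmap reports. It makes the "open|filtered" result in the outputs above explicit: for NULL, FIN and XMAS an open port and a firewall that drops the probe are indistinguishable, because both answer with silence. ICMP error responses are left out of the model for brevity.

```python
"""Model how an RFC 793 TCP stack answers Nmap's flag-based probes and how
Nmap turns the answer into a port state.

Added example, not Nmap's own code. It encodes the rules given in the
ACK, NULL, FIN and XMAS sections as an explicit simulation so the
'open|filtered' ambiguity is visible. ICMP unreachables are not modelled.
"""
from enum import IntFlag
from typing import Optional


class TCPFlags(IntFlag):
    """Flag bits in the TCP header (low 8 bits of the flags field)."""
    FIN = 0x01
    SYN = 0x02
    RST = 0x04
    PSH = 0x08
    ACK = 0x10
    URG = 0x20
    ECE = 0x40
    CWR = 0x80


# Probe flags Nmap sends for -sS, -sA, -sN, -sF and -sX respectively.
SCAN_PROBE = {
    "SYN": TCPFlags.SYN,
    "ACK": TCPFlags.ACK,
    "NULL": TCPFlags(0),
    "FIN": TCPFlags.FIN,
    "XMAS": TCPFlags.FIN | TCPFlags.PSH | TCPFlags.URG,
}


def rfc793_reply(probe: TCPFlags, port_open: bool, filtered: bool) -> Optional[TCPFlags]:
    """What an RFC 793-compliant stack sends back, or None for silence.

    filtered=True models a firewall dropping the probe before the stack
    sees it (the usual cause of the 'no-response' reason above).
    """
    if filtered:
        return None
    if probe & TCPFlags.RST:
        return None                                  # a RST is never answered
    if probe & TCPFlags.ACK:
        return TCPFlags.RST                          # stray ACK: RST whether open or closed
    if not port_open:
        return TCPFlags.RST | TCPFlags.ACK           # closed port: RST to anything else
    if probe & TCPFlags.SYN:
        return TCPFlags.SYN | TCPFlags.ACK           # open port: handshake step 2
    return None                                      # open port drops NULL/FIN/XMAS


def nmap_state(scan: str, reply: Optional[TCPFlags]) -> str:
    """Map a probe reply to the state Nmap reports for that scan type."""
    if scan == "SYN":
        if reply is None:
            return "filtered"
        return "open" if reply & TCPFlags.SYN else "closed"
    if scan == "ACK":
        return "unfiltered" if reply is not None else "filtered"
    # NULL / FIN / XMAS: silence is ambiguous by design.
    return "closed" if reply is not None else "open|filtered"


def simulate(scan: str, port_open: bool, filtered: bool = False) -> str:
    """Run one probe against a modelled port and return Nmap's verdict."""
    return nmap_state(scan, rfc793_reply(SCAN_PROBE[scan], port_open, filtered))


if __name__ == "__main__":
    for scan in SCAN_PROBE:
        print(f"{scan:4} probe=0x{int(SCAN_PROBE[scan]):02x}  open->{simulate(scan, True)}  "
              f"closed->{simulate(scan, False)}  firewalled->{simulate(scan, True, True)}")
```

The table the script prints is the defender's summary of these scan types: a SYN probe separates all three cases, an ACK probe only tells you whether a stateless filter is in the path, and the three "stealth" probes can only ever prove that a port is closed.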

UDP Scan


Some ports (the DHCP ports 67 and 68, for example) use UDP rather than TCP. The state of such ports will be missed if you use only TCP scanning techniques.
  1. If a port is open/filtered/allocated, Nmap receives no response.
  2. If a port is closed, Nmap receives an ICMP Type 3 response (Port Unreachable). Many systems rate-limit these messages, which increases the time required to solicit a response from the target.

nikhilh@ubuntu:~$ sudo nmap -sU -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 09:04 PDT
PORTS: Using top 1000 ports found open (TCP:0, UDP:1000, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating UDP Scan at 09:04
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed UDP Scan at 09:04, 4.04s elapsed (1000 total ports)
Overall sending rates: 496.33 packets / s, 14365.54 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.00036s latency).
All 1000 scanned ports on scanme.nmap.org (45.33.32.156) are open|filtered because of 1000 no-responses
Final times for host: srtt: 360 rttvar: 2245  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 4.09 seconds
           Raw packets sent: 2007 (58.126KB) | Rcvd: 5 (188B)

IP Protocol Scan


This type of scan is useful in determining what protocols are supported on the target system. You can use this information to decide which types of scan to use (UDP scan, TCP SYN scan, etc).

nikhilh@ubuntu:~$ sudo nmap -sO -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 09:14 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
...
...
Initiating IPProto Scan at 09:14
Scanning scanme.nmap.org (45.33.32.156) [256 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or (src host 45.33.32.156))
Discovered open port 6/ip on 45.33.32.156
Discovered open port 1/ip on 45.33.32.156
Completed IPProto Scan at 09:14, 1.21s elapsed (256 total ports)
Overall sending rates: 212.82 packets / s, 4325.74 bytes / s.
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received reset ttl 128 (0.010s latency).
Scanned at 2018-08-22 09:14:47 PDT for 1s
Not shown: 252 filtered protocols
Reason: 252 proto-unreaches
PROTOCOL STATE         SERVICE REASON
1        open          icmp    echo-reply ttl 128
6        open          tcp     proto-response ttl 128
17       open|filtered udp     no-response
47       open|filtered gre     no-response
Final times for host: srtt: 10311 rttvar: 20137  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-protocols.
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
           Raw packets sent: 262 (5.396KB) | Rcvd: 256 (12.272KB)

That's it for part 4! This post, I feel, had fairly straightforward content and probably wouldn't have caused a lot of stress while learning. If you have any questions, leave them in the comments below and I'll get back to you as soon as I can!

In the next post, we'll look specifically at port scanning options. For example: which ports to scan, which protocols to use while scanning said ports and more.

Getting started with Nmap - Part 3

In part 2, we looked at the basic scanning workflow. We also understood that Nmap pings the host before scanning it. Choosing the correct ping type is important, because if Nmap doesn't receive a reply from the target, it will not scan it. In this post, we'll look at a variety of options that will help in discovering the state of the host.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by the Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks in general is a cybercrime and may even lead to jail. Please get permission before scanning random networks.

Traceroute


This option requires sudo access. It shows the route, i.e. the devices through which our packets travel on the Internet on their way to the target system.

nikhilh@ubuntu:~$ sudo nmap -d --traceroute scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 17:45 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 17:46
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
We got a TCP ping packet back from 45.33.32.156 port 80 (trynum = 0)
Completed Ping Scan at 17:46, 0.00s elapsed (1 total hosts)
Overall sending rates: 1679.97 packets / s, 63838.72 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 17:46
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 17:46, 0.00s elapsed
..
...
Initiating SYN Stealth Scan at 17:46
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
...
...
Initiating Traceroute at 17:46
Completed Traceroute at 17:46, 0.02s elapsed
...
...
Not shown: 996 filtered ports
Reason: 996 no-responses
...
...
TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.15 ms 192.168.182.2
2   0.21 ms scanme.nmap.org (45.33.32.156)
Final times for host: srtt: 12335 rttvar: 22769  to: 103411

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 30.15 seconds
           Raw packets sent: 2021 (88.816KB) | Rcvd: 658 (26.352KB)

From this output we understand that the target host is just 2 hops away. The first address is the private address of my access point (a router) and the second is the target system's public address.

Disable Reverse DNS


As you must have observed in the previous output(s), Nmap always performs reverse DNS resolution in parallel with the initial ping. A user does not always need the DNS information. DNS resolution slows Nmap down, and it is sometimes necessary to disable it to avoid detection.

nikhilh@ubuntu:~$ sudo nmap -d -n scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 17:48 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 17:48
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
We got a TCP ping packet back from 45.33.32.156 port 80 (trynum = 0)
Completed Ping Scan at 17:48, 0.00s elapsed (1 total hosts)
Overall sending rates: 1536.69 packets / s, 58394.16 bytes / s.
Initiating SYN Stealth Scan at 17:48
...
...
Scanned at 2018-08-20 17:48:49 PDT for 7s
Not shown: 996 filtered ports
...
...

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds
           Raw packets sent: 2003 (88.096KB) | Rcvd: 9 (364B)

If you look closely at the log, you'll observe there is no DNS resolution in parallel with the initial ping.

Ping Only


This option allows only the host discovery part of the process to occur. Port scanning is skipped. By default, this uses an ICMP echo, TCP SYN to port 443, TCP ACK to port 80 and an ICMP Timestamp request.

nikhilh@ubuntu:~$ nmap -sn -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-22 05:37 PDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 05:37
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Completed Ping Scan at 05:37, 0.08s elapsed (1 total hosts)
Overall sending rates: 24.31 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 05:37
mass_rdns: 0.12s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 05:37, 0.12s elapsed
DNS resolution of 1 IPs took 0.12s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.082s latency).
Final times for host: srtt: 81927 rttvar: 81927  to: 409635
Read from /usr/local/bin/../share/nmap: nmap-payloads.
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Don't Ping


In part 2, we saw that Nmap first pings the host to confirm it is alive before scanning it. When the "Don't Ping" option (-Pn) is used, Nmap skips this initial ping.

nikhilh@ubuntu:~$ sudo nmap -Pn -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-21 13:14 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 13:14
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 13:14, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:14
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
...
...
22/tcp    open  ssh     syn-ack ttl 128
80/tcp    open  http    syn-ack ttl 128
31337/tcp open  Elite   syn-ack ttl 128
Final times for host: srtt: 81291 rttvar: 15399  to: 142887

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 30.89 seconds
           Raw packets sent: 2007 (88.308KB) | Rcvd: 866 (34.704KB)

TCP SYN or UDP Ping


By default, when Nmap is run with user privileges it uses ICMP echo when pinging hosts. In cases where ICMP ping does not help, you can use TCP SYN or UDP ping.

nikhilh@ubuntu:~$ nmap -PS -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 07:21 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 07:21
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Completed Ping Scan at 07:21, 0.08s elapsed (1 total hosts)
Overall sending rates: 11.88 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 07:21
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 07:21, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 07:21
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.38 seconds

  1. When using TCP SYN ping, nmap sends a SYN packet to the target system. If it replies with a SYN-ACK, nmap considers the host to be alive and proceeds to scan it.
  2. If there is no response, nmap will not scan the target system.
  3. The default port used by TCP SYN ping is 80.
Let's try pinging using UDP now.

nikhilh@ubuntu:~$ sudo nmap -PU -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 07:28 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 07:28
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed Ping Scan at 07:28, 2.01s elapsed (1 total hosts)
Overall sending rates: 1.00 packets / s, 27.87 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.09 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
nikhilh@ubuntu:~$ 

By default, UDP ping uses port 40125. From the above output, we can see that:
  1. UDP ping requires sudo privileges. This is because nmap accesses raw sockets when pinging using UDP.
  2. If the port were unallocated, the host would have replied with an ICMP type 3 message (Port Unreachable), which means that the target host is alive on the network.
  3. If the port were open and in use, Nmap would receive no response.

TCP ACK Ping


nikhilh@ubuntu:~$ nmap -PA -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 07:41 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 07:41
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Completed Ping Scan at 07:41, 0.10s elapsed (1 total hosts)
Overall sending rates: 9.85 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 07:41
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 07:41, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 07:41
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 23.79 seconds

TCP ACK ping (-PA) sends a bare ACK segment that belongs to no connection. It is useful when a stateless firewall drops incoming SYN and ICMP packets but lets through segments that look like part of an established session. A stateful firewall knows there is no such session and drops the ACK, so silence does not mean the host is down.
  1. If the host is alive and the port is unfiltered, it replies with a RST, whether the port is open or closed, because no TCP connection exists between your system and the target. Nmap reports the reason as reset.
  2. If not, Nmap receives no response.
-PA probes port 80 by default; a port list such as -PA22,80,443 tries others.
Note that the run above was unprivileged (the debug output shows a Connect Scan for the port-scan phase). Crafting an ACK segment requires raw sockets, so without sudo Nmap falls back to the connect() workaround, which actually sends a SYN rather than an ACK; run it with sudo to get a real ACK probe.
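To make concrete what -PA puts on the wire and how Nmap reads the answer, here is an added example (not Nmap's code and not part of the original tutorial) that builds the bare ACK segment with a correct TCP checksum over the IPv4 pseudo-header, fabricates the RST a live host would send back, and classifies the reply the way the list above describes. The addresses 192.168.182.136 and 45.33.32.156 are taken from the debug output above; nothing is sent, and the reply bytes are constructed in memory.

```python
"""TCP ACK ping (-PA): build the probe, interpret the reply.
Added example for this tutorial, not Nmap's own code. Nothing is sent;
the 'reply' in the demo is constructed to look like a target's RST."""
import random
import struct
from ipaddress import IPv4Address

TH_RST, TH_ACK = 0x04, 0x10
TCP_PROTO = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                       IPv4Address(dst_ip).packed, 0, TCP_PROTO, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags) -> bytes:
    """20-byte TCP header, no options, no payload (the shape of Nmap's probes)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,       # data offset: 5 x 32-bit words
                      flags, 1024,  # flags, window
                      0, 0)         # checksum placeholder, urgent pointer
    csum = inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A correct segment (checksum included) sums to zero."""
    return inet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, _off, flags, _win, csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "csum": csum}


def build_ack_probe(src_ip, dst_ip, dport=80, sport=None):
    """What -PA sends: an ACK that belongs to no connection, to port 80 by
    default. Sequence/ack numbers are random; the target has no state for them."""
    if sport is None:
        sport = random.randint(32768, 61000)
    seg = build_tcp_segment(src_ip, dst_ip, sport, dport,
                            random.getrandbits(32), random.getrandbits(32), TH_ACK)
    return seg, sport


def classify_ack_ping_reply(probe_sport, probe_dport, reply):
    """(state, reason) the way Nmap --reason would report it. An unfiltered
    host answers an unsolicited ACK with RST whether the port is open or
    closed, so RST == alive. Silence means dropped (stateful firewall) or
    dead, and we cannot tell which."""
    if reply is None:
        return "down", "no-response"
    t = parse_tcp(reply)
    if t["sport"] != probe_dport or t["dport"] != probe_sport:
        return "down", "no-response"  # some other flow, not an answer to our probe
    if t["flags"] & TH_RST:
        return "up", "reset"
    return "down", "no-response"


if __name__ == "__main__":
    scanner, target = "192.168.182.136", "45.33.32.156"
    probe, sport = build_ack_probe(scanner, target)
    # Constructed: the RST a live, unfiltered target sends back to our source port.
    rst = build_tcp_segment(target, scanner, 80, sport, parse_tcp(probe)["ack"], 0, TH_RST)
    print(classify_ack_ping_reply(sport, 80, rst))   # ('up', 'reset')
    print(classify_ack_ping_reply(sport, 80, None))  # ('down', 'no-response')
```

The classifier deliberately ignores anything that is not aimed back at the probe's own ports; on a busy capture, unrelated traffic from the target must not be mistaken for an answer.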

ICMP Timestamp Ping


ICMP Timestamp requests (ICMP type 13; the reply is type 14) were designed for synchronizing system clocks on a network. They are rarely seen nowadays, so many hosts and firewalls simply drop them, and a large number of them on a network is abnormal and worth investigating. Nmap sends them with -PP.

nikhilh@ubuntu:~$ sudo nmap -PP -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 13:57 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:57
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed Ping Scan at 13:57, 2.01s elapsed (1 total hosts)
Overall sending rates: 1.00 packets / s, 39.84 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.09 seconds
           Raw packets sent: 2 (80B) | Rcvd: 0 (0B)
  1. I expected the target to block ICMP Timestamp requests at the firewall, and the output (no response, 0 bytes received) shows that it does.
  2. If they were not blocked, we would have received an ICMP Timestamp reply (type 14) and Nmap would report the host up with reason timestamp-reply.
  3. Like the other ICMP probes, -PP requires sudo; without root Nmap cannot send raw ICMP and falls back to a TCP ping instead.

ICMP Address Mask Ping


ICMP Address Mask requests (ICMP type 17; the reply is type 18) ask a host for the subnet mask of its interface. Again, these are uncommon nowadays and are routinely dropped, but a host that does answer is certainly alive. Nmap sends them with -PM.

nikhilh@ubuntu:~$ sudo nmap -PM -d scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 14:18 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 14:18
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 45.33.32.156)))
Completed Ping Scan at 14:18, 2.01s elapsed (1 total hosts)
Overall sending rates: 1.00 packets / s, 31.87 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received no-response]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.10 seconds
           Raw packets sent: 2 (64B) | Rcvd: 0 (0B)
  1. Again, ICMP Address Mask ping requires sudo access, and the probe is blocked by the target system (or something in front of it): two requests sent, nothing received.
  2. If ICMP Address Mask requests were not blocked, we would have received an ICMP Address Mask reply (type 18) and Nmap would report the host up with reason addr-mask-reply.

IP Protocol Ping


In the IPv4 header there is a field called Protocol that identifies the protocol carried in the payload (1 for ICMP, 6 for TCP, 17 for UDP, and so on). An IP protocol ping (-PO) sends packets with the given protocol numbers to the target; for ICMP, IGMP, TCP, UDP and SCTP Nmap fills in a proper header, for any other number it sends the bare IP header. Either a response in the same protocol or an ICMP Protocol Unreachable error from the target shows that the host is alive. By default, protocol numbers 1 (ICMP), 2 (IGMP) and 4 (IP-in-IP encapsulation) are used.

nikhilh@ubuntu:~$ sudo nmap -d -PO1,17 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-19 15:55 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 15:55
Scanning scanme.nmap.org (45.33.32.156) [2 ports]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or (src host 45.33.32.156))
Completed Ping Scan at 15:55, 0.16s elapsed (1 total hosts)
Overall sending rates: 12.34 packets / s, 345.44 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Initiating Parallel DNS resolution of 1 host. at 15:55
mass_rdns: 0.01s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 15:55, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 27.54 seconds
           Raw packets sent: 2007 (88.276KB) | Rcvd: 559 (22.400KB)
  1. In the above usage, I used protocol numbers 1 (ICMP) and 17 (UDP) for communicating with the target host; Nmap counts each protocol as one probe, hence "[2 ports]" in the debug output.
  2. This again requires sudo privileges.
  3. If the target does not support a protocol, it answers with an ICMP Protocol Unreachable (type 3, code 2; Nmap's reason string is proto-unreach, see the run below), and that error is as good a proof of life as a real reply. The catch is who sends it: in the run below the error arrived within 0.00s, far too quickly to have come back from scanme.nmap.org, so it was generated by a device next to the scanner (most likely the VM's NAT gateway refusing protocol 88) rather than by the target. Nmap only counts errors sent by the target itself, which is why the host is reported down even though the reason says proto-unreach. When that happens, retry with a different protocol number.
  4. For a list of all protocol numbers, please refer to https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
nikhilh@ubuntu:~$ sudo nmap -d -PO88 scanme.nmap.org
[sudo] password for nikhilh: 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 14:31 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 14:31
Scanning scanme.nmap.org (45.33.32.156) [1 port]
Packet capture filter (device eth0): dst host 192.168.182.136 and (icmp or icmp6 or (src host 45.33.32.156))
Got destination unreachable for 45.33.32.156
Completed Ping Scan at 14:31, 0.00s elapsed (1 total hosts)
Overall sending rates: 296.30 packets / s, 5925.93 bytes / s.
mass_rdns: Using DNS server 127.0.1.1
Nmap scan report for scanme.nmap.org (45.33.32.156) [host down, received proto-unreach]
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.23 seconds
           Raw packets sent: 1 (20B) | Rcvd: 1 (48B)
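The UDP ping, ICMP Timestamp, ICMP Address Mask and IP Protocol ping sections above all come down to two things: the exact bytes of the probe, and how an ICMP reply or error is read. The following added example (my own code, not Nmap's and not part of the original tutorial) builds the -PP, -PM and -PU probes with correct checksums, and classifies replies the way the discussion above describes, including the "who sent the unreachable" rule behind the proto-unreach run. All packets are constructed in memory; the scanner and target addresses are the ones from the output above, and 192.168.182.2 as the NAT gateway is an assumption. A sanity check: the timestamp request built here is 20 bytes and the mask request 12 bytes, which with a 20-byte IP header gives the 40 and 32 bytes per packet (80B and 64B for two probes) reported in the -PP and -PM runs.

```python
"""ICMP side of host discovery: the probes behind -PP, -PM and -PU, and how
the ICMP replies/errors that -PU and -PO depend on are interpreted.
Added example for this tutorial, not Nmap's code; every packet is built here."""
import struct
import time
from ipaddress import IPv4Address

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH = 0, 3
ICMP_TS_REQUEST, ICMP_TS_REPLY = 13, 14
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18
CODE_PROTO_UNREACH, CODE_PORT_UNREACH = 2, 3
# Reason names follow Nmap's --reason vocabulary for the common codes.
UNREACH_REASONS = {0: "net-unreach", 1: "host-unreach", 2: "proto-unreach",
                   3: "port-unreach", 13: "admin-prohibited"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length data is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    msg = struct.pack("!BBH", icmp_type, code, 0) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def timestamp_request(ident: int, seq: int, originate_ms=None) -> bytes:
    """-PP probe: type 13 with id, seq and the originate timestamp
    (milliseconds since UTC midnight); receive/transmit fields are zero."""
    if originate_ms is None:
        t = time.gmtime()
        originate_ms = ((t.tm_hour * 60 + t.tm_min) * 60 + t.tm_sec) * 1000
    return build_icmp(ICMP_TS_REQUEST, 0, struct.pack("!HHIII", ident, seq, originate_ms, 0, 0))


def mask_request(ident: int, seq: int) -> bytes:
    """-PM probe: type 17 with id, seq and an all-zero mask field."""
    return build_icmp(ICMP_MASK_REQUEST, 0, struct.pack("!HHI", ident, seq, 0))


def udp_ping_probe(sport: int, dport: int = 40125) -> bytes:
    """-PU probe: an empty UDP datagram (8-byte header, length 8), port 40125
    by default. A zero UDP checksum means 'not computed', which IPv4 allows."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options); used here to fabricate what arrives."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """-> (src, dst, protocol, payload), or None if too short to be IPv4."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])


def classify_reply(target: str, packet: bytes):
    """(state, reason) for one packet captured after probing `target`.
    The rule that matters for -PO and -PU: an ICMP unreachable proves the host
    is alive only when the TARGET sent it; a router or NAT gateway rejecting
    the packet on its behalf says nothing about the target."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return "down", "no-response"
    src, _dst, proto, payload = parsed
    if proto != PROTO_ICMP:
        # -PO: any packet in the probed protocol coming back from the target counts.
        return ("up", "proto-response") if src == target else ("down", "no-response")
    if len(payload) < 8:
        return "down", "no-response"
    icmp_type, code = payload[0], payload[1]
    direct = {ICMP_ECHO_REPLY: "echo-reply", ICMP_TS_REPLY: "timestamp-reply",
              ICMP_MASK_REPLY: "addr-mask-reply"}
    if icmp_type in direct:
        return ("up", direct[icmp_type]) if src == target else ("down", "no-response")
    if icmp_type == ICMP_DEST_UNREACH:
        # The error quotes the IP header (+8 bytes) of the packet it complains
        # about; only act on it if that packet was our probe to the target.
        quoted = parse_ipv4(payload[8:])
        if quoted is None or quoted[1] != target:
            return "down", "no-response"
        reason = UNREACH_REASONS.get(code, "unreach-code-%d" % code)  # fallback label is ours
        alive = src == target and code in (CODE_PORT_UNREACH, CODE_PROTO_UNREACH)
        return ("up" if alive else "down"), reason
    return "down", "no-response"
```

Run against a capture, the classifier turns the -PO88 run above into ("down", "proto-unreach") when the error comes from the gateway and into ("up", "proto-unreach") only when scanme itself sends it; the -PU case becomes ("up", "port-unreach") for a closed port on a live host.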

ARP ping


Address Resolution Protocol (ARP) maps IPv4 addresses to MAC addresses on a local Ethernet segment.
  1. This ping is based on the assumption that a live host must answer an ARP request for its own address; otherwise nothing on the segment could deliver IP packets to it.
  2. ARP requests are not filtered by host firewalls because every IPv4 host on the segment depends on them to find its neighbours' MAC addresses. This makes ARP ping the most reliable discovery method on a LAN and the one that still finds hosts that drop every IP probe.
  3. It is important to note the following:
    1. ARP ping requires sudo access, because the request is a raw Ethernet frame.
    2. The target system must be on your LAN: ARP is not routed, so it never leaves the local broadcast domain.
    3. When scanning a target on the local Ethernet segment, Nmap automatically uses ARP ping as the discovery method, even if other -P options are given (for IPv6 targets it uses ICMPv6 Neighbor Discovery in the same way).
    4. To disable automatic ARP ping, use the --disable-arp-ping option; -PR selects it explicitly.
When not as the sudo user (no probe can be sent, hence "[0 ports]", and the host is reported down):

nikhilh@ubuntu:~$ nmap -d -PR 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 17:30 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 17:30
Scanning 127.0.0.1 [0 ports]
Completed Ping Scan at 17:30, 0.00s elapsed (1 total hosts)
Overall sending rates: 0.00 packets / s.
mass_rdns: Using DNS server 127.0.1.1
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.04 seconds

As a sudo user (note that 127.0.0.1 is the loopback interface, so Nmap skips host discovery entirely, reports the reason as localhost-response and sends no ARP request; against a real LAN neighbour the debug output would instead show an ARP Ping Scan):

nikhilh@ubuntu:~$ sudo nmap -d -PR 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-20 17:30 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 127.0.1.1
Initiating SYN Stealth Scan at 17:30
Scanning localhost (127.0.0.1) [1000 ports]
Packet capture filter (device lo): dst host 127.0.0.1 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 127.0.0.1)))
Discovered open port 631/tcp on 127.0.0.1
Completed SYN Stealth Scan at 17:30, 0.01s elapsed (1000 total ports)
Overall sending rates: 131908.72 packets / s, 5803983.64 bytes / s.
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.0000020s latency).
Scanned at 2018-08-20 17:30:30 PDT for 0s
Not shown: 999 closed ports
Reason: 999 resets
PORT    STATE SERVICE REASON
631/tcp open  ipp     syn-ack ttl 64
Final times for host: srtt: 2 rttvar: 0  to: 100000

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2001 (84.044KB)
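Because the loopback runs above never put an ARP request on the wire, here is an added example (my own code, not Nmap's and not part of the original tutorial) of what -PR, or Nmap's automatic LAN discovery, actually sends and what it needs to see back: a broadcast "who has" request, the unicast reply from the neighbour, and the check that the reply really answers our question. The MAC addresses and the neighbour 192.168.182.2 are constructed for a lab segment; 192.168.182.136 is the scanner address from the runs above. Nothing is transmitted.

```python
"""ARP ping (-PR): build the request frame, validate the reply.
Added example for this tutorial, not Nmap's own code; MACs and the neighbour
IP are constructed, and no frame is actually sent."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None) -> bytes:
    """Ethernet II frame (14 bytes) carrying an RFC 826 ARP packet (28 bytes)."""
    dst = mac_bytes(dst_mac) if dst_mac else BROADCAST
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,            # Ethernet, IPv4, MAC len, IP len
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def build_arp_request(my_mac: str, my_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell my_ip', broadcast; the target MAC is unknown."""
    return build_arp_frame(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)


def parse_arp_frame(frame: bytes):
    """-> dict of ARP fields, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}


def classify_arp_reply(my_ip: str, target_ip: str, frame):
    """(state, reason, mac). The host is up only if an ARP reply arrives whose
    sender is the IP we asked about and which is addressed to us; any other
    ARP traffic on the segment (or silence) proves nothing."""
    if frame is None:
        return "down", "no-response", None
    arp = parse_arp_frame(frame)
    if (arp and arp["op"] == ARP_REPLY and arp["sender_ip"] == target_ip
            and arp["target_ip"] == my_ip):
        return "up", "arp-response", arp["sender_mac"]
    return "down", "no-response", None


if __name__ == "__main__":
    me, me_mac = "192.168.182.136", "02:00:00:00:00:01"
    neighbour, neighbour_mac = "192.168.182.2", "02:00:00:00:00:02"   # constructed
    request = build_arp_request(me_mac, me, neighbour)
    # Constructed: the unicast reply the neighbour would send.
    reply = build_arp_frame(ARP_REPLY, neighbour_mac, neighbour, me_mac, me, dst_mac=me_mac)
    print(classify_arp_reply(me, neighbour, reply))  # ('up', 'arp-response', '02:00:00:00:00:02')
```

Nmap reports a host found this way with reason arp-response and prints the MAC address it learned, which is also why an ARP-discovered host shows a vendor name in the scan report.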

This concludes part 3 of this tutorial series! If you have any questions, leave them in the comments below and I'll get back to you as soon as I can.

In the next part, we'll look at various scanning options that Nmap provides. 
