Nmap Basic Port Scans TryHackMe

Overview

After discovering live hosts, the next step is finding which services are listening. This room covers the three core Nmap scan types you will use most often at the start of an assessment: TCP connect scan, TCP SYN scan, and UDP scan.

Core idea: live host discovery tells you a system exists; port scanning tells you where it is listening and where to focus next.

1) Port States

Nmap does more than say “open” or “closed.” In practice, firewalls and filters introduce additional states.

Open: a service is listening.
Closed: no service is listening, but the port is reachable.
Filtered: Nmap cannot tell because a firewall or filter blocks access.
Unfiltered: reachable, but Nmap still cannot tell open vs closed in that scan context.
Open|Filtered: no conclusive distinction between those two states.
Closed|Filtered: no conclusive distinction between those two states.

Key exam point: filtered does not mean open. It means the scan cannot decide because traffic is being blocked or obscured.

2) TCP Flags You Need to Know

You do not need the full TCP header memorized, but you do need to understand the flags Nmap relies on.

SYN: starts a TCP connection.
ACK: acknowledges received TCP data.
RST: resets or tears down a connection.
FIN: indicates no more data will be sent.
PSH: pushes data quickly to the application.
URG: marks urgent data.

For scanning: SYN, ACK, and RST matter the most because they determine how the target responds during port checks.

3) TCP Connect Scan

TCP connect scan completes the full TCP 3-way handshake. It is the scan type available to unprivileged users and is selected with -sT.

nmap -sT MACHINE_IP

If a port is open, Nmap completes the handshake.
If a port is closed, the host usually answers with RST/ACK.
After confirmation, Nmap tears the connection down.

Tradeoff: reliable, but noisier than SYN scan because a real TCP connection is fully established on open ports.

4) TCP SYN Scan

SYN scan is the default for privileged users and is selected with -sS. It sends SYN packets but does not complete the full handshake when a port is open.

sudo nmap -sS MACHINE_IP

Open port: replies with SYN/ACK, then Nmap sends RST.
Closed port: replies with RST.
Advantage: faster and less obvious than a full connect scan.

Practical default: if you can run Nmap with sudo, SYN scan is usually the right baseline choice for TCP scanning.

5) UDP Scan

UDP is connectionless, so there is no handshake to observe. This makes UDP scanning slower and less definitive than TCP scanning.

sudo nmap -sU MACHINE_IP

Closed UDP port: often triggers ICMP destination unreachable, port unreachable.
Open UDP port: may stay silent.
Result: many UDP ports show as open|filtered because silence is ambiguous.

Reality: UDP scans are valuable, but they are often slow and less clean than TCP scans. Use them when UDP services matter, such as DNS, SNMP, DHCP, or TFTP.

6) Scope Control

You do not need to accept the default 1000-port scan every time. Nmap gives several ways to tighten or broaden the scope.

-p22,80,443
-p1-1023
-p-
-F
--top-ports 10

-p22,80,443: specific list
-p1-1023: range
-p-: all 65535 ports
-F: fast mode, 100 most common ports
--top-ports 10: scan the N most common ports

Good habit: start narrow when you already have clues, and expand only if needed.

7) Order and Timing

Nmap lets you influence how quickly and in what order it scans.

-r
-T0
-T1
-T3
-T4
-T5

-r: scan ports in consecutive order instead of randomized order.
-T0 to -T5: timing templates from paranoid to insane.
-T3: default normal timing.
-T4: common for labs and CTF-style environments.
-T0 or -T1: slower, quieter options for stealth-sensitive situations.

Tradeoff: faster is not always better. Aggressive timing increases the chance of packet loss and misleading results.

8) Rate and Parallelism

For more precise control, you can limit packet rate and probe parallelism directly.

--max-rate 50
--min-rate 15
--min-parallelism 100

--max-rate: cap packets per second.
--min-rate: force a minimum send rate.
--min-parallelism: maintain a minimum number of simultaneous probes.

Why it matters: these controls help you balance speed, stealth, and reliability depending on the environment.

9) Choosing the Right Scan

Use -sT: when you are unprivileged or want the simplest TCP scan.
Use -sS: when you have privileges and want the standard fast TCP scan.
Use -sU: when UDP services are relevant, but expect slower results and more ambiguity.

PT1 baseline: host discovery first, then TCP SYN for the main TCP surface, then UDP selectively where it makes sense.

Nmap Basic Port Scan Cheat Sheet

nmap -sT MACHINE_IP
sudo nmap -sS MACHINE_IP
sudo nmap -sU MACHINE_IP
nmap -sT -p22,80,443 MACHINE_IP
sudo nmap -sS -F MACHINE_IP
sudo nmap -sS -p- MACHINE_IP

Exam Notes (PT1)

-sT completes the full TCP handshake and works for unprivileged users.
-sS is the usual privileged TCP scan and avoids completing the handshake on open ports.
-sU is slower and often returns open|filtered because silence is ambiguous.
Use -p, -F, or --top-ports to control scan scope.
Timing and rate options affect both stealth and scan accuracy, not just speed.