Nmap

Details

https://nmap.org/

Port scanning tool

nmap

Usage

nmap <IP subnet / address> [switches]

Run with no switches, as above, Nmap's default behaviour is to ping the host and send a TCP ACK packet to ports 80 and 443 to determine whether it is present.

If you want to perform only host discovery, you can use nmap -sn (or -sP in earlier versions) to suppress the port scan.

Port scanning

  • TCP SYN (-sS)
    • This is a fast technique (also referred to as half-open scanning) because the scanning host requests a connection without completing the handshake.
    • The target's response to the scan's SYN packet identifies the port state.
  • TCP connect (-sT)
    • A half-open scan requires Nmap to have privileged access to the network driver so that it can craft raw packets.
    • Without that access, Nmap must ask the OS to attempt a full TCP connection.
    • This type of scan is less stealthy.
  • UDP scans (-sU)
    • Scan UDP ports.
    • Because UDP has no handshake, Nmap must wait for a response or a timeout to determine each port's state, so UDP scanning can take a long time.
    • A UDP scan can be combined with a TCP scan in the same run.
  • Port range (-p)
    • By default, Nmap scans 1,000 commonly used ports.
    • Use the -p argument to specify a port or port range.
    • You can also use --top-ports n, where n is the number of commonly used ports to scan.
    • The frequency statistics that rank how commonly each port is used are stored in the nmap-services file.
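As an added example (not from nmap.org or the Nmap project), the POSIX shell helper below assembles the command lines described in the Usage and Port scanning sections above (-sn for discovery, -sS or -sT chosen by whether raw-packet privileges are available, -sU for UDP, and -p or --top-ports for the port set) and parses Nmap's grepable (-oG) output for open ports. The target 192.0.2.0/24 is the RFC 5737 documentation range used here as a constructed lab address, NMAP_EUID is a hypothetical override so the privilege check can be exercised without running as root, and the grepable output is a constructed sample, so nothing is sent on the network.

```shell
#!/bin/sh
# Added example: build Nmap command lines from the switches above and parse
# grepable (-oG) output. Target 192.0.2.0/24 and the sample output are
# constructed; NMAP_EUID is a hypothetical override for the root check.

# SYN scan (-sS) needs raw-packet privileges, so fall back to a full
# connect scan (-sT) when not running as root.
tcp_scan_flag() {
    euid="${NMAP_EUID:-$(id -u)}"
    if [ "$euid" -eq 0 ]; then
        echo "-sS"
    else
        echo "-sT"
    fi
}

# Turn a port specification into Nmap arguments: "22", "1-1024" or
# "53,161" become -p ...; "top:N" becomes --top-ports N. Anything else
# fails, so a typo never silently turns into the 1,000-port default scan.
port_args() {
    spec="$1"
    case "$spec" in
        top:*)
            n="${spec#top:}"
            case "$n" in
                ''|*[!0-9]*) return 1 ;;
            esac
            echo "--top-ports $n" ;;
        ''|*[!0-9,-]*)
            return 1 ;;
        *)
            echo "-p $spec" ;;
    esac
}

# Assemble the full command. mode: discover | tcp | udp | both
nmap_cmd() {
    mode="$1"; target="$2"; spec="$3"
    case "$mode" in
        discover)
            echo "nmap -sn $target" ;;
        tcp|udp|both)
            ports=$(port_args "$spec") || return 1
            case "$mode" in
                tcp)  echo "nmap $(tcp_scan_flag) $ports $target" ;;
                udp)  echo "nmap -sU $ports $target" ;;
                both) echo "nmap $(tcp_scan_flag) -sU $ports $target" ;;
            esac ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample in grepable format: tab-separated fields, each port
# entry is port/state/protocol/owner/service/rpc/version/.
sample_grepable() {
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: filtered (996)\n'
    printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)\n'
}

# Print "host port/proto" for every port whose state is exactly "open".
# UDP ports reported as open|filtered (no reply before the timeout) are
# deliberately left out, since that state is ambiguous.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " ")
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), e, ", ")
                for (j = 1; j <= n; j++) {
                    split(e[j], f, "/")
                    if (f[2] == "open") printf "%s %s/%s\n", h[2], f[1], f[3]
                }
            }
        }'
}

# Demonstration on the constructed lab target.
nmap_cmd discover 192.0.2.0/24
nmap_cmd tcp 192.0.2.0/24 top:100
sample_grepable | open_ports
```

Run the real scan only where you are authorised to, then feed `nmap -oG - ...` into `open_ports` instead of `sample_grepable`; the parser keys on the literal "open" state, so open|filtered UDP results need a separate decision rather than being treated as open.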