syntax: nmap -options -IP/Range

Port Status

• Open: port accessible, application listening on port
• Closed: port accessible, no application listening
• Filtered: Cannot determine whether or not a port is open due to either packet filtering. Probes may not be able to reach target

TCP Connect Scan (-sT)

• Attempts to make a connection by completing a 3-way handshake
• Simple TCP connection
• Learns if port is open or closed by a complete connection or refusal

TCP Null Scan (-sN)

• Sends TCP packets with no flags set
• Identifies host by response or lack of
• RST is returned if port is closed

TCP FIN Scan (-sF)

• Sends packets with only the FIN flag set
• RST is returned when port is closed
• No packet returned when port is opened

Half-Open Scanning (SYN Scan) (-sS)

• A connection that does not complete 3-way handshake
• Only SYN flag is sent from scanner, NO ACK
• If SYN/ACK is returned, port is open
• If RST packet is returned, port is closed
• If no packet is returned, port is probably filtered

UDP Scan (-sU:)

• Simply scans UDP ports

Spoofing

• (-D) Scans with a decoy or spoofed IP address
• We can also change the MTU of the packets sent

Other Flags

• -T0, T1, T2, T3, T4
  • Determines how fast probe packets are sent to target
  • Slowest = 0; Fastest = 4
• -Pn
  • Disables ping sweep, only scans ports no ARP
• -mtu x
  • Changes the MTU of each packet sent out
• -p, -p-
  • -p ; Scans assigned ports
  • -p- ; Scans all ports
• -sV
  • Attempts to scan service version
• -O
  • Attempts to detect OS via TCP/IP fingerprinting
• -sP
  • Ping scan