Related Topics
- Normal Scan Techniques
- Firewall Detection & Evasion
- Scan Timing and Performance
- Nmap Scripting Engine (NSE)
The verbosity of the scan output by be increased by using -v, -vv & -vvv
When command is prefixed with “sudo” Nmap uses -sS (Stealth Scan) automatically
-F: Fast Scan (Scan Top 100 ports)
If ports are not specified Nmap scans the Top 1000 ports
nmap -sS -A -T4 -p- -oN <filename> <ip-address>
# Scan and find Vulnerabilities in the services
nmap -sS -sV -T4 -p- --script vuln -oN <filename> <ip-address> Port scanning uses specially crafted TCP packets to probe the target to collect relevant information
TCP Header without any options is 20 bytes in size
Nmap Stealth Scans only sets a single option by default and so the header size will be 24 bytes in addition the window size will be set to 1024 which does not match actual traffic and hence can be detected
Full TCP Scan SYN packets are generated by the OS Network stack and hence will be closer to a real packet
Full Scan: Complete 3-Way Handshake
Stealth Scan: SYN, SYN-ACK is followed by RST
Port States
Open: Service is running on the port and accepting new connections
Closed: Not accepting new connections but there is an service running on the port
Filtered: No conclusion. There could be an firewall setup to filter packets
Getting started with nmap | ITTavern.com
Angry IP Scanner - the original IP scanner for Windows, Mac and Linux