
Stealth Scan, TCP SYN

nmap -v -sS 192.168.0.0/24

UDP Scan
nmap -v -sU 192.168.0.0/24

Stealth Scan, No Ping


nmap -v -sS -P0 192.168.0.0/24

Fingerprint
nmap -v -O 192.168.0.0/24 # OS fingerprint from the TCP/IP stack

Performing Zone Transfers Using the host Command


To attempt a zone transfer for a particular organization, a DNS server IP address is required. If this information is not available, a whois query of the target domain can be attempted, and this will provide the relevant DNS IP addresses. Once a DNS server IP address is obtained, a zone transfer can be attempted using the host command:
host -l domain DNSIP

For example:
[bash]$ host -l somecompanyasanexample.com 10.0.0.1
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53
Aliases:

somecompanyasanexample.net SOA ns1.someexampleserver.net.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.net name server ns1.someexampleserver.net.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.net name server ns2.someexampleserver.net.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.com has address 192.168.1.10
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.com mail is handled by 10 mail.somecompanyasanexample.com
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

mail.somecompanyasanexample.com has address 192.168.1.10
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

firewall.somecompanyasanexample.com is an alias for vpn.somecompanyasanexample.com
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

vpn.somecompanyasanexample.com has address 192.168.1.9
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

payroll.somecompanyasanexample.com has address 192.168.1.33
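The output above shows what a name server that permits zone transfers hands to anyone who asks: the whole zone, including hosts (a payroll server, a VPN gateway) that were never meant to be advertised. The following is an added example, not part of the original text, that turns `host -l` output into a structured inventory so an administrator can review exactly what their own zone exposes before deciding whether to restrict AXFR. It assumes the record phrasings that the `host` tool prints ("has address", "mail is handled by", "is an alias for", "name server"); the sample text is constructed from the page's output.

```python
import re
from collections import defaultdict

# Constructed sample: the `host -l` output shown on this page, with the
# "Using domain server" banners that host(1) interleaves between records.
SAMPLE_AXFR_OUTPUT = """\
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53
Aliases:

somecompanyasanexample.net SOA ns1.someexampleserver.net.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.net name server ns1.someexampleserver.net.
somecompanyasanexample.net name server ns2.someexampleserver.net.
somecompanyasanexample.com has address 192.168.1.10
somecompanyasanexample.com mail is handled by 10 mail.somecompanyasanexample.com
mail.somecompanyasanexample.com has address 192.168.1.10
firewall.somecompanyasanexample.com is an alias for vpn.somecompanyasanexample.com
vpn.somecompanyasanexample.com has address 192.168.1.9
payroll.somecompanyasanexample.com has address 192.168.1.33
"""

# One regex per record phrasing that host(1) uses in its human-readable output.
RECORD_PATTERNS = [
    ("A",     re.compile(r"^(\S+) has address (\S+)$")),
    ("AAAA",  re.compile(r"^(\S+) has IPv6 address (\S+)$")),
    ("MX",    re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$")),
    ("CNAME", re.compile(r"^(\S+) is an alias for (\S+)$")),
    ("NS",    re.compile(r"^(\S+) name server (\S+)$")),
    ("SOA",   re.compile(r"^(\S+) SOA (\S+)")),
]
# Lines printed by the tool itself rather than data from the zone.
BANNER_PREFIXES = ("Using domain server", "Name:", "Address:", "Aliases:")


def parse_host_l(text):
    """Turn `host -l` output into (owner, rtype, value) tuples, dropping banners."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(BANNER_PREFIXES):
            continue
        for rtype, pat in RECORD_PATTERNS:
            m = pat.match(line)
            if m:
                groups = m.groups()
                # MX keeps its preference so the value reads "10 mail.example"
                value = f"{groups[1]} {groups[2]}" if rtype == "MX" else groups[-1]
                records.append((groups[0].lower().rstrip("."), rtype, value.rstrip(".")))
                break
    return records


def exposure_summary(records):
    """Inventory of what the transfer disclosed: record counts, names, addresses."""
    by_type = defaultdict(int)
    names, addresses = set(), set()
    for owner, rtype, value in records:
        by_type[rtype] += 1
        names.add(owner)
        if rtype in ("A", "AAAA"):
            addresses.add(value)
        elif rtype == "CNAME":
            names.add(value)   # the alias target is a hostname too
    return {
        "record_counts": dict(by_type),
        "hostnames": sorted(names),
        "addresses": sorted(addresses),
    }


if __name__ == "__main__":
    summary = exposure_summary(parse_host_l(SAMPLE_AXFR_OUTPUT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a transfer of your own zone, the hostnames list is the review item: anything in it that should not be public is a reason to limit AXFR to the secondary servers' addresses.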

PING SWEEPING
Ping sweeping is the process of pinging numerous hosts. In the case of a large set of target IP addresses, one must perform a ping sweep to determine alive hosts that respond to ICMP echo requests.

Using nmap to Perform Ping Sweeps

Using the -sP option in nmap will perform a ping sweep:


[bash]# nmap -sP 192.168.1.*
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.1.1) appears to be up.
Host (192.168.1.100) appears to be up.
Host (192.168.1.150) appears to be up.
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 33 seconds

TCP PINGING
If a TCP ACK packet is sent to a host that is alive, a RST packet will be sent back. This method can be used to scan machines that block ICMP echo requests.

Using nmap to Perform TCP Pings


Using the -PT option of nmap will perform a TCP ping. By default, nmap sends an ACK packet to port 80 of the destination host. Use the following syntax to instruct nmap to use another port:
nmap -PT[port_number] host

For example:
nmap -PT6000 192.168.1.1

If a host responds with a RST packet, nmap will consider the host alive and will perform a port scan immediately.
[bash]# nmap -PT 192.168.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
113/tcp    open        auth
6000/tcp   open        X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
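Both discovery methods above leave a distinctive trace: one source touching many hosts in a short time, either with ICMP echo requests or with TCP ACK segments that no SYN from that source ever preceded (a real client only sends an ACK after its own SYN). The following is an added example, not from the original document, of detection logic a defender could run over flow or packet records to spot such sweeps. The `Packet` record layout, the sample traffic, and the threshold of ten distinct hosts per minute are all constructed assumptions.

```python
from collections import defaultdict, deque, namedtuple

# Constructed record layout (not a real capture format): one packet per record.
# flags is "echo-request"/"echo-reply" for ICMP or a TCP flag string ("S", "A", ...).
Packet = namedtuple("Packet", "ts src dst proto flags dport")


def build_sample_packets():
    """Constructed traffic: one ICMP sweeper, one ACK-ping sweeper, one normal client."""
    pkts, t = [], 0
    for i in range(1, 13):                       # 10.0.0.5 pings twelve hosts
        t += 1
        pkts.append(Packet(t, "10.0.0.5", f"192.168.1.{i}", "icmp", "echo-request", None))
    for i in range(1, 13):                       # 10.0.0.9 sends ACK to port 80 with no SYN first
        t += 1
        pkts.append(Packet(t, "10.0.0.9", f"192.168.1.{i}", "tcp", "A", 80))
    t += 1                                        # 10.0.0.7 completes a real handshake ...
    pkts.append(Packet(t, "10.0.0.7", "192.168.1.1", "tcp", "S", 80))
    t += 1
    pkts.append(Packet(t, "10.0.0.7", "192.168.1.1", "tcp", "A", 80))
    for i in (1, 2):                              # ... and pings two hosts, well under threshold
        t += 1
        pkts.append(Packet(t, "10.0.0.7", f"192.168.1.{i}", "icmp", "echo-request", None))
    return pkts


def detect_sweeps(packets, threshold=10, window=60):
    """Flag sources that reach >= threshold distinct hosts within `window` seconds
    using ICMP echo requests or unsolicited TCP ACKs (no SYN seen from src to dst:port)."""
    recent = defaultdict(deque)   # (src, kind) -> deque of (ts, dst) inside the window
    syn_seen = set()              # (src, dst, dport) tuples for which a SYN was observed
    alerts = {}
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto == "tcp" and "S" in p.flags:
            syn_seen.add((p.src, p.dst, p.dport))
            continue
        if p.proto == "icmp" and p.flags == "echo-request":
            kind = "icmp-echo-sweep"
        elif p.proto == "tcp" and p.flags == "A" and (p.src, p.dst, p.dport) not in syn_seen:
            kind = "tcp-ack-ping-sweep"
        else:
            continue
        q = recent[(p.src, kind)]
        q.append((p.ts, p.dst))
        while q and p.ts - q[0][0] > window:     # evict packets older than the window
            q.popleft()
        if len({dst for _, dst in q}) >= threshold:
            alerts.setdefault(p.src, kind)       # report each source once
    return alerts


if __name__ == "__main__":
    for src, kind in detect_sweeps(build_sample_packets()).items():
        print(f"{src}: {kind}")
```

The SYN bookkeeping is what keeps the normal client out of the alert list: its ACK to 192.168.1.1:80 follows its own SYN, so it is not counted, while the sweeper's twelve bare ACKs are.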

TCP and UDP port numbers range from 1 to 65535. By default, nmap scans for commonly known ports. Scanning all 65,535 ports is time consuming but can be performed with nmap using the -p flag:
nmap -sT 192.168.1.1 -p 1-65535

TCP SYN/Half-Open
This type of scanning causes the scanner to send out a SYN packet to the target host. If the target host is listening on a particular port, it will respond with a SYN+ACK. If the target host is alive but not listening on a particular port, a RST packet will be received. As this method of scanning does not complete the TCP three-way handshake, it is stealthy, since it is often not logged by the target host.

SYN Scanning
Using the -sS flag in nmap will perform a SYN scan:
[bash]# nmap -sS 192.168.1.150
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.150):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

Source Port Scanning


Due to the design of the FTP protocol, when an FTP client requests data transfer using active mode, the FTP server must initiate a connection back to a port on the FTP client. In order to facilitate this, many firewalls are configured to allow all incoming IP packets whose source port is set to 20. In addition, IP packets from DNS servers have their source port set to 53, and therefore, many firewalls allow all incoming packets whose source port is 53. It is possible to instruct nmap to set the source port of its packets to a constant by using the -g switch:
nmap -sS -g 20 192.168.1.1

FIN
In this method, a FIN packet is sent to a target host. If the target host is alive but not listening on a particular port, it will respond with a RST packet. However, if the target host is listening on that port, it will not respond. Note that Microsoft Windows hosts will send RST packets in all cases. This is of interest because it helps identify the target hosts as Microsoft Windows hosts. FIN packets are normally used to tear down established TCP connections.

FIN Scanning
Using the -sF flag in nmap will perform a FIN scan:
[bash]# nmap -sF 192.168.1.100
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.100):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    open        auth
Nmap run completed -- 1 IP address (1 host up) scanned in 43 seconds

Reverse Ident
Ident (Identification Protocol) servers listen for connections on port 113. If a TCP connection is established to a port listening on the host running the ident server, the ident server may be queried for the privilege level of the process associated with the connection.

Reverse Ident Scans


Using the -I flag in nmap will perform a TCP reverse ident scan:
[bash]# nmap -I -sT -p 80 192.168.1.100
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.100):
Port       State       Service     Owner
80/tcp     open        http        nobody
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

XMAS
This method of scanning involves sending out a TCP packet with the FIN, URG, and PUSH flags set. If the target host is listening on the particular port, it sends a RST packet back. If the target host is not listening on that port, it does not respond. FIN packets are normally used to tear down an established TCP connection. URG packets signify that information needing immediate attention is present within the IP packet, such as a ^C sent during a telnet session. A PUSH packet signifies that the sender requests the receiver to immediately pass all buffered data to the applications.

XMAS Scanning
Using the -sX flag in nmap will perform an XMAS scan:
[bash]# nmap -sX 192.168.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
113/tcp    open        auth
6000/tcp   open        X11
Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds

NULL Scanning
Using the -sN flag in nmap will perform a TCP NULL scan:
[bash]# nmap -sN 192.168.1.100
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.100):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    open        auth
Nmap run completed -- 1 IP address (1 host up) scanned in 41 seconds
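The SYN, FIN, XMAS and NULL sections above each describe a probe by its flag combination, and that is exactly what a defender can key on: a segment with no flags, FIN alone, or FIN+URG+PUSH is never the opening segment of a real connection, so every one of them is a probe on its own, whereas a bare SYN is normal and only becomes suspicious when one source sends them to many ports and almost never completes the handshake (the half-open pattern). The following is an added example, not part of the original document, of classification and detection logic for these four scan types run over constructed segment records; the `Segment` layout, the sample traffic, and the fan-out threshold of ten ports are assumptions made here.

```python
from collections import defaultdict, namedtuple

# Constructed record layout: flags is a string drawn from "SAFRPU"
# (SYN, ACK, FIN, RST, PUSH, URG); "" means no flags set.
Segment = namedtuple("Segment", "ts src dst dport flags")

# Flag sets no RFC 793 peer uses to open a connection; each is a probe by itself.
MALFORMED_OPENERS = {
    frozenset(): "null-scan",
    frozenset("F"): "fin-scan",
    frozenset("FPU"): "xmas-scan",
}


def classify_segment(seg):
    """Label one segment: odd flag mixes are probes, a bare SYN is 'syn', anything else 'other'."""
    return MALFORMED_OPENERS.get(frozenset(seg.flags), "syn" if seg.flags == "S" else "other")


def detect_port_scans(segments, syn_threshold=10):
    """Per (src, dst) pair: count malformed probes by type, and report SYN fan-out
    across distinct ports when the source completes fewer than half its handshakes."""
    probes = defaultdict(lambda: defaultdict(set))   # (src, dst) -> kind -> {ports}
    syn_ports = defaultdict(set)                     # (src, dst) -> ports that got a SYN
    completed = defaultdict(set)                     # (src, dst) -> ports where src sent the 3rd-step ACK
    for seg in segments:
        key = (seg.src, seg.dst)
        kind = classify_segment(seg)
        if kind in MALFORMED_OPENERS.values():
            probes[key][kind].add(seg.dport)
        elif kind == "syn":
            syn_ports[key].add(seg.dport)
        elif seg.flags == "A" and seg.dport in syn_ports[key]:
            completed[key].add(seg.dport)
    findings = {}
    for key in set(probes) | set(syn_ports):
        kinds = {k: len(ports) for k, ports in probes[key].items()}
        n_syn, n_done = len(syn_ports[key]), len(completed[key])
        if n_syn >= syn_threshold and n_done * 2 < n_syn:   # many SYNs, few completions
            kinds["syn-scan"] = n_syn
        if kinds:
            findings[key] = kinds
    return findings


def build_sample_segments():
    """Constructed traffic: one scanner trying four techniques, one ordinary SSH client."""
    segs, t, target = [], 0, "192.168.1.150"
    for port in (21, 22, 23, 25, 53, 80, 110, 111, 113, 139, 143, 443, 445, 3306, 6000):
        t += 1
        segs.append(Segment(t, "10.0.0.5", target, port, "S"))   # half-open: SYN ...
        t += 1
        segs.append(Segment(t, "10.0.0.5", target, port, "R"))   # ... then RST, never an ACK
    for port, flags in ((22, ""), (80, ""), (113, ""), (22, "F"), (80, "F"), (22, "FPU"), (80, "FPU")):
        t += 1
        segs.append(Segment(t, "10.0.0.5", target, port, flags))
    t += 1
    segs.append(Segment(t, "10.0.0.7", target, 22, "S"))          # normal client: SYN then ACK
    t += 1
    segs.append(Segment(t, "10.0.0.7", target, 22, "A"))
    return segs


if __name__ == "__main__":
    for (src, dst), kinds in detect_port_scans(build_sample_segments()).items():
        print(f"{src} -> {dst}: {kinds}")
```

The classifier deliberately says nothing about how the target answers (RST or silence), since that is where the page notes operating systems differ; it keys only on what arrived, which is available in any packet capture or firewall log that records TCP flags.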

RPC
This type of scan is used to send NULL commands to open ports in order to determine if they are RPC (remote procedure call) ports. Once an open port is determined to be an RPC port, information about the application that is bound to the port is queried for and obtained.

RPC Scanning
Using the -sR option in nmap will perform an RPC scan:
[bash]# nmap -sR 10.0.0.10
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.10):
(The 1584 ports scanned but not shown below are in state: closed)
Port       State       Service (RPC)
7/tcp      open        echo
21/tcp     open        ftp
22/tcp     open        ssh
37/tcp     open        time
53/tcp     open        domain
111/tcp    open        sunrpc (rpcbind V2-4)
113/tcp    open        auth
512/tcp    open        exec
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
587/tcp    open        submission
2049/tcp   open        nfs (nfs V2-3)
4045/tcp   open        lockd (nfs V2-3)
7100/tcp   open        font-service
32771/tcp  open        sometimes-rpc5 (ypserv V1-2)
32772/tcp  open        sometimes-rpc7
Nmap run completed -- 1 IP address (1 host up) scanned in 40 seconds

IP Protocol Scanning
Using the -sO flag in nmap will perform an IP protocol scan:
[bash]# nmap -sO 192.168.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting protocols on (192.168.1.1):
(The 251 protocols scanned but not shown below are in state: closed)
Protocol   State       Name
1          open        icmp
2          open        igmp
6          open        tcp
17         open        udp

ACK Scanning
ACK scans can be performed by using nmap with the -sA flag:
nmap -sA target_address

Window
This type of scan, while similar to the ACK scan, sometimes helps detect open, filtered, and unfiltered ports on some systems due to an anomaly in the way TCP window sizes are reported.

Window Scanning
Window scans can be performed by potential intruders using nmap with the -sW flag:
nmap -sW target_address

UDP
In order to determine if a host is listening on a particular UDP port, a UDP packet is sent to the port. If the target host is not listening on that port, an ICMP port unreachable packet is received. However, if the target host is listening on the port, no such packet is received. Since UDP is not a connection-oriented protocol, the absence of a reply is ambiguous: a listening service that ignores the probe, a dropped probe, a filtering device, and a host that rate-limits its ICMP errors all look the same, which makes UDP scanning unreliable.

UDP Port Scanning


Using the -sU option in nmap will perform UDP scanning:
[bash]# nmap -sU 192.168.1.100
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.100):
(The 1454 ports scanned but not shown below are in state: closed)
Port       State       Service
53/udp     open        domain
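The reason the UDP section calls this method unreliable is easiest to see by modelling the host side. The following is an added example, not part of the original text, that simulates a host which answers ICMP port unreachable for closed ports but, like a Linux host with its default ICMP rate limit, emits at most one such error per second. The probes are then interpreted the way the text describes (port unreachable means closed, silence means the port may be listening); the response encoding, the rate-limit interval, and the port list are constructed assumptions. It goes slightly beyond the text by also mapping the other ICMP unreachable codes to "filtered", which is how the open/filtered distinction is usually reported.

```python
from collections import namedtuple

Probe = namedtuple("Probe", "ts port")

# ICMP type 3 codes other than 3 (port unreachable) indicate a filter or routing
# problem rather than a closed port: net/host unreachable, admin prohibited, etc.
ICMP_UNREACH_CODES_FILTERED = {1, 2, 9, 10, 13}


class RateLimitedHost:
    """Constructed model of a target: listens on `open_ports`, answers other ports
    with ICMP port unreachable, but sends at most one such error per `interval` seconds."""

    def __init__(self, open_ports, interval=1.0):
        self.open_ports = set(open_ports)
        self.interval = interval
        self.last_icmp = -float("inf")

    def respond(self, probe):
        if probe.port in self.open_ports:
            return None                        # a typical service ignores an empty/unknown datagram
        if probe.ts - self.last_icmp >= self.interval:
            self.last_icmp = probe.ts
            return ("icmp", 3, 3)              # type 3, code 3: port unreachable
        return None                            # rate limit hit: closed port stays silent


def interpret(response):
    """Map what came back (or did not) to the port state a scanner would report."""
    if response is None:
        return "open|filtered"                 # silence: listening, dropped or rate-limited
    if response[0] == "udp":
        return "open"                          # the service actually answered
    if response == ("icmp", 3, 3):
        return "closed"
    if response[0] == "icmp" and response[1] == 3 and response[2] in ICMP_UNREACH_CODES_FILTERED:
        return "filtered"
    return "open|filtered"


def scan_states(host, ports, spacing):
    """Probe each port `spacing` seconds apart and collect the interpreted states."""
    states = {}
    for i, port in enumerate(ports):
        states[port] = interpret(host.respond(Probe(i * spacing, port)))
    return states


if __name__ == "__main__":
    ports = [53, 67, 68, 69, 123]
    fast = scan_states(RateLimitedHost(open_ports={53}), ports, spacing=0.1)
    slow = scan_states(RateLimitedHost(open_ports={53}), ports, spacing=1.0)
    print("10 probes/s:", fast)
    print("1 probe/s:  ", slow)
```

At ten probes per second only the first closed port is reported as closed; the rest are indistinguishable from the genuinely listening port 53. Slowing to one probe per second recovers the closed verdicts, which is why a careful UDP scan is so much slower than the TCP scans on this page.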

Using nmap to Perform Operating System Fingerprinting


The nmap program can also be used by an intruder to perform an OS fingerprint, using the -O flag:
[bash]# nmap -O 192.168.1.1
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
113/tcp    open        auth
6000/tcp   open        X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 6.584 days (since Sun Oct 27 10:23:37 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
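Every nmap run on this page ends in the same "Port State Service" table, and the useful defensive follow-up is to compare that table against what a host is supposed to expose. The following is an added example, not part of the original document, that parses the normal-format output of this nmap version into a structured inventory and lists open ports missing from an approved baseline (the page's own 192.168.1.1 output is the constructed sample; the baseline of ssh and http only is an assumption made here). Newer nmap releases print "PORT STATE SERVICE" and "Nmap scan report for" instead, so the regular expressions below target the format shown on this page.

```python
import re

# Constructed sample: the nmap 3.00 -O output from this page, one line per row.
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
113/tcp    open        auth
6000/tcp   open        X11
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 6.584 days (since Sun Oct 27 10:23:37 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
"""

HOST_RE = re.compile(r"^Interesting (?:ports|protocols) on (?:\S+ )?\((\S+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
OS_RE = re.compile(r"^Remote operating system guess: (.+)$")


def parse_nmap_output(text):
    """Return one dict per scanned host: address, port rows, and OS guess if printed."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1), "ports": [], "os_guess": None}
            hosts.append(current)
            continue
        if current is None:
            continue                      # banner lines before the first host block
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "extra": (m.group(5) or "").strip(),   # e.g. "(rpcbind V2-4)" from -sR
            })
            continue
        m = OS_RE.match(line)
        if m:
            current["os_guess"] = m.group(1).strip()
    return hosts


def unexpected_open_ports(hosts, baseline):
    """baseline maps host -> {(port, proto), ...} that are approved to be open.
    Returns the open ports per host that are not in its baseline."""
    findings = {}
    for h in hosts:
        allowed = baseline.get(h["host"], set())
        extra = sorted(
            (p["port"], p["proto"]) for p in h["ports"]
            if p["state"] == "open" and (p["port"], p["proto"]) not in allowed
        )
        if extra:
            findings[h["host"]] = extra
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    baseline = {"192.168.1.1": {(22, "tcp"), (80, "tcp")}}   # assumed approved services
    print(unexpected_open_ports(inventory, baseline))
```

For the sample host the result is the ident service on 113/tcp and X11 on 6000/tcp, both of which the baseline does not approve and which a periodic scan of one's own network would keep surfacing until they are closed or firewalled.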
