Performing Scans Using Nmap

Nmap is one of the most important and versatile tools in any hacker's toolbox. It's powerful engine along with it's ease of use allows people who have no prior command line experience to pick it up fairly quickly. Personally, I have used nmap to help exploit systems but also to tell me what ports are open on a printer so I can access the web portal. Overall it is an extremely useful tool and below I am going to explain the 10 most useful Nmap commands you should learn.

At number 10: Traditional Scan (mostly checks to see if host is alive)
# nmap [IP address]

Example 9: A ping scan of the network:
# nmap -sP [network ID/subnet CIDR] 

Number 8: SYN TCP port scan from ports 1 to 65535
# nmap -sS -p1-65535 [IP address]
 
Number 7: UDP port scan from ports 1 to 65535
# nmap -sU -p1-65535 [IP address]

Number 6: Skip the ping, scan specific ports for activity
# nmap -sn -p22,80,443 [IP address]
 
Number 5: OS detection with an aggressive scan
# nmap -O -A [IP address]

Number 4: Conducts an ACK TCP scan and attempts to find the versions of what is running on the ports
# nmap -sV -sA -p22,80,8080 [IP address]

Number 3: Spoofs the IP address on interface eth0, while fragmenting the packets, and conducting an ACK scan
# nmap -S [Spoof source IP address] -e eth0 -f -p20,21,22,2380,143,443,589,8080 -sA [IP address]

Number 2: Incorporating Nikto into your Nmap Scan
# nmap -p80,443 [IP address] -oG - | nikto -h -

Number 1: Nmap Scripting engine
# nmap --script-help=
Example script: http-brute, sshv1, smb-vuln-ms10-054,...

The nmap scripting engine is an incredibly useful tool, that I recommend everyone to learn.