
The network mapper (Nmap)

Nmap is the top dog in port scanning and enumeration. Covering all of Nmap's options and modules is outside the scope of this book; instead, we will cover the scans that I mostly use when testing. But first, here's some info on port states:

  • Open: An application on the target machine is listening for connections/packets on that port
  • Closed: Ports have no application listening on them, though they could open up at any time
  • Filtered: A firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed
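
The three states matter when reviewing scan results for your own hosts. The following added example (not from the book) reads a report in the XML format Nmap writes with its `-oX` option, which this section does not cover, and compares it to an approved-ports baseline; the sample XML, the addresses, the `BASELINE` table and the `audit` function are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap's XML report (nmap -oX); the host
# uses a documentation address (RFC 5737), not a real scan result.
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical baseline: the ports each host is approved to expose.
BASELINE = {"192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)}}


def audit(xml_text, baseline):
    """Group each host's ports by what their state means for exposure."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        allowed = baseline.get(addr, set())
        result = {"unexpected_open": [], "approved_down": [], "undetermined": []}
        for port in host.iter("port"):
            key = (port.get("protocol"), int(port.get("portid")))
            state = port.find("state").get("state")
            if state == "open" and key not in allowed:
                result["unexpected_open"].append(key)  # listening, not approved
            elif state == "closed" and key in allowed:
                result["approved_down"].append(key)    # approved, nothing listening
            elif state == "filtered":
                result["undetermined"].append(key)     # blocked: open or closed unknown
        report[addr] = result
    return report


if __name__ == "__main__":
    for addr, result in audit(SAMPLE_XML, BASELINE).items():
        print(addr, result)
```

Filtered ports are reported separately because the scan cannot say whether anything is listening behind the filter.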


The following are the Nmap options available:

  • -O: OS detection
  • -p: Port scan
  • -p-: Scan all ports (1-65535)
  • -p 80,443: Scan ports 80 and 443
  • -p 22-1024: Scan ports 22 through 1024
  • --top-ports X: X is a number and it will scan X number of the top popular ports; I usually use 100 for a quick scan
  • -sV: Service detection
  • -Tx: Set scan speed
  • -T1: Really slow port scan
  • -T5: Really fast port scan (really noisy)
  • -sS: Stealth scan
  • -sU: UDP scan
  • -A: OS detection, version detection, script scanning, and traceroute