LINUXMAKER, OpenSource, Tutorials

The main Nmap scans

The Nmap scan options presented below contain some Nmap commands that can be helpful in many situations and that should be tried at least once.

  • Since rights are often required for the normal user, the Nmap commands should always be executed as "root".

  • The "-oG -" option provides a clearer overview in the case of a network scan.

  • If a scan takes longer, Nmap provides statistical feedback every 60 seconds with the "--stats-every 60s" option.

  • The scan destination (IP address or host name) must be selected correctly.

Classic ping scan (Network scan)

nmap -PE -sn -oG -

The classic ping scan with ICMP echo requests (-PE), but without port scan (-sn).

Extended ping scan (Network-Scan)

nmap -sP -oG -

This TCP ping scan is actually not a scan of the ICMP protocol, but rather a useful extension to a classic ping.
The TCP ping scan combines the classic ping (ICMP echo) with the TCP SYN scan. The TCP ping scan sometimes works better than a classic ping or a simple ICMP echo request.

SYN-TOP100-Port-Scan (Host-Fast-Scan)

nmap -sS -F

This TCP SYN port scan is limited to a few default ports (-F) and is therefore faster.
This port scan is suitable for examining a specific host that has been determined by host discovery (e.g. by ping scan) somewhat more intensively.

SYN/Version-All-Port-without-Ping-Scan (Host-Main-Scan)

nmap -sV -Pn -p0- --reason --stats-every 60s

This TCP SYN port scan would be the next step if the previous fast scan did not provide sufficient information, but weak points are still suspected.
This TCP-SYN port scan checks all ports (-p0-) and determines for listening ports, applications and their version (-sV) for the ports recognized as open. If a port has no defined status, the reason for this is given (--reason).

Aggressive all-host all-port scan (Network-Main-Scan)

nmap -sV -Pn -p0- -T4 -A -oG - --reason --stats-every 60s

This port scan represents a typical use case for a pentest in a network (if possible, this should only be done in your own network and not in external networks or without approval). One should be aware of the fact that this scan creates a high network load (all hosts, all ports).

This port scan checks all hosts and all ports (-p0-) and determines listening applications, services and their version (-sV) for the ports recognized as open. The "aggressive mode" (-A) is activated, in which OS detection, version detection, script scanning and traceroute are activated. If a port has no defined status, the reason for this is given (--reason).
At the same time, no host is checked for accessibility (-Pn). This means that the port scan is carried out for every address.
In general, this means that this Nmap scan will take a very long time.

TCP-ACK-Scan (Host-Fast-Scan)

nmap -sA -F

The TCP-ACK scan is relatively nifty. Because it recognizes a host as reachable, although it was recognized as unreachable with a conventional TCP-SYN scan.
However, the result should be treated with caution, because using the TCP-ACK scan only makes sense if you suspect a packet filter that you want to bypass.

TCP-FIN-Scan (Host-Fast-Scan)

nmap -sF -F

The TCP FIN scan is suitable for bypassing packet filters and shows whether open ports are being filtered.

UDP-Port-Scan (Host-Fast-Scan)

nmap -sU -F

The port scan often neglects that there are also UDP ports in addition to TCP. The same applies to network administrators who protect themselves against attacks on TCP ports but not on UDP ports. This command helps here if you just want to get a rough overview of the default ports quickly and without fuss.

UDP-All-Port-Scan (Host-Main-Scan)

nmap -sU -p0- --reason --stats-every 60s --max-rtt-timeout 100ms --max-retrie 1

This UDP port scan can take a very long time on just one host. You should therefore avoid applying it to an entire subnet. If necessary, the time parameters have to be adapted to the respective local network.

List­-Scan (Network-Main-Scan)

nmap -sL

This simply knitted command simply lists all IP addresses with their host names. For this purpose, a name resolution is carried out for each IP address. It must be taken into account here that this scan is not very reliable because the host name cannot be determined from all IP addresses.
So there are good reasons to start this scan. Because the host name often provides information about the function of a host. In this way, worthwhile goals can be identified more quickly. In addition, it can be checked whether the correct IP range is scanned at all. It is much more important that a name or address resolution in the network is inconspicuous. Because the name resolution is decentralized, the host in question is not aware of the scan.