Nmap

Nmap is a network scanning tool with a ton of options and many different ways to scan a network. Initially it was simply a port scanner, but it was later extended with an extensive set of features, for example: different scanning techniques, service, OS and version detection, firewall and IDS evasion and much more. All of this can also be automated with Nmap scripts.

The syntax of Nmap might seem weird at first but it’s actually quite easy to understand. This is the basic structure that you will refer to all the time:

nmap [Scan Type...] [Options] {target specification}

Host Discovery

This is one of the first steps Nmap performs: when provided with a range of IP addresses it will try to discover which hosts in that range are actually up, and it will continue scanning only the ones that respond to its ping probes. This can be a problem if, for example, a firewall is blocking all the pings sent by Nmap. Here are a few options that might be useful:

-Pn

This will basically just skip host discovery and immediately begin port scanning. All IPs are assumed to be 'up'. This way you can scan IPs even if the Firewall blocks all Pings (or ICMP messages in general).

-sL

The list scan will simply display all the IPs in the provided IP range without sending them any packets. However it will still perform reverse-DNS resolution to find out the names of the hosts. This is a very non-intrusive scan.

-sn

This will just do the host discovery without the port scanning. This is an easy way to see which hosts are up on the network.

Port Scanning States

There are a few port scanning techniques that Nmap uses, which are explained later. All of them work differently and some of them can find ports others can't, so it is possible that some scans will give different results than others. Here are the port states that Nmap recognizes:

State             Description
open              A port that accepts TCP, UDP or SCTP connections.
closed            A port that responds but has no application listening on it.
filtered          Packets to the port are being filtered by a firewall.
unfiltered        Accessible, but unsure whether open or closed. See ACK scan.
open|filtered     The port gave no response. See the scans that classify ports this way.
closed|filtered   Unable to determine whether it is closed or filtered. See IP ID idle scan.
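
The records Nmap produces for host discovery (-sn, -sL) and for port states are easier to work with once they are parsed. The following parser is an added example, not code from the original page or from the Nmap project; it reads Nmap's normal text output (the "Nmap scan report for ..." / "Host is up" / "22/tcp open ssh" lines) from constructed sample output embedded below, validates each port state against the six states in the table above, and flags the ambiguous open|filtered and closed|filtered results that usually deserve a second look with a different scan type.

```python
"""Parse Nmap's normal (human-readable) output into structured records.

Added example; the sample output below is constructed, not real scan data.
"""
import re
from collections import Counter

# The six port states Nmap reports (see the port states table).
PORT_STATES = frozenset({
    "open", "closed", "filtered", "unfiltered",
    "open|filtered", "closed|filtered",
})

# "Nmap scan report for name (ip)" or, without reverse DNS, "... for ip"
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# "22/tcp  open  ssh"; the service column may be empty
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s*(\S*)$")


def parse_nmap_output(text):
    """Return a list of host records: {"host", "ip", "up", "ports"}.

    Works for -sn output (each host has a "Host is up" line) and for -sL
    output (hosts are listed but never probed, so "up" stays False).
    """
    hosts = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = REPORT_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            current = {"host": name if ip else None,  # None: no reverse-DNS name
                       "ip": ip or name, "up": False, "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue  # banner / "Nmap done" lines before any report
        if line.startswith("Host is up"):
            current["up"] = True
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            if state not in PORT_STATES:
                raise ValueError(f"unknown port state {state!r}")
            current["ports"].append({"port": int(port), "proto": proto,
                                     "state": state, "service": service or None})
    return hosts


def up_hosts(hosts):
    """Addresses that answered host discovery."""
    return [h["ip"] for h in hosts if h["up"]]


def state_counts(hosts):
    """Ports per state across all hosts, e.g. to spot a filtering firewall."""
    return Counter(p["state"] for h in hosts for p in h["ports"])


def ambiguous_ports(hosts):
    """Ports whose state could not be decided by this scan type."""
    return [(h["ip"], p["port"], p["state"])
            for h in hosts for p in h["ports"] if "|" in p["state"]]


# Constructed sample of a SYN scan over a small range (-sS on 192.168.1.0/24).
SAMPLE_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for gateway.lan (192.168.1.1)
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE         SERVICE
22/tcp  open          ssh
53/tcp  open|filtered domain
80/tcp  filtered      http
Nmap scan report for 192.168.1.7
Host is up (0.0030s latency).
All 1000 scanned ports on 192.168.1.7 are in ignored states.
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.21 seconds
"""

# Constructed sample of a list scan (-sL): names resolved, nothing probed.
SAMPLE_LIST = """\
Nmap scan report for gateway.lan (192.168.1.1)
Nmap scan report for printer.lan (192.168.1.20)
Nmap done: 2 IP addresses (0 hosts up) scanned in 0.02 seconds
"""

if __name__ == "__main__":
    scan = parse_nmap_output(SAMPLE_SCAN)
    print("up:", up_hosts(scan))
    print("states:", dict(state_counts(scan)))
    print("recheck:", ambiguous_ports(scan))
    print("listed:", [(h["host"], h["ip"]) for h in parse_nmap_output(SAMPLE_LIST)])
```

Feeding real output (`nmap -sn 192.168.1.0/24 > sweep.txt`, then `parse_nmap_output(open("sweep.txt").read())`) gives an inventory of responding hosts; the -oG and -oX output formats are more stable to parse for production tooling, but the normal output is what most people have in a terminal buffer.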

Scanning Techniques