Nmap notes
For other network related things, see:
(These notes assume use on your own home LAN. For security work, learn the tool properly.)
Nmap port states
- open:
  - the host is listen()ing on the port and will accept() connections
- closed:
  - the host responds with an ICMP 'Port Unreachable' message
  - probably because nothing is listen()ing on the port
  - those ICMP packets can also be generated by firewall rules, meaning the port may be closed to you but open to others
- filtered can mean a few things:
  - some ICMP unreachable error other than Port Unreachable was received (net unreachable, host unreachable, etc.) (verify)
  - OR no response arrived within the timeout, e.g. because the packets were dropped (at the host, or by a router on the way)
- unfiltered:
  - most other ports were filtered, but this one is closed (verify)
Note that different ICMP rejections in iptables can lead to either 'closed' or 'filtered', so ports may still be open from other places (or under other conditions).
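As an added example (not from these notes and not nmap's own code): a small parser for nmap's grepable output (-oG) that tallies the states above per host, counts the unlisted "Ignored State" ports too, and flags hosts that are almost entirely filtered, which on a home LAN usually just means a host firewall that drops probes instead of rejecting them. The sample scan output is constructed; the field layout it assumes is nmap's documented -oG format (tab-separated "Host:", "Ports:", "Ignored State:" fields, each port written as port/state/protocol/owner/service/rpc/version/).

```python
"""Parse nmap grepable output (-oG) and summarise port states per host.

Added example for these notes, not nmap code. Assumes the standard -oG line
layout described in the lead-in.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of `nmap -oG - 192.168.2.0/24` output; not a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -oG - 192.168.2.0/24\n"
    "Host: 192.168.2.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.2.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.168.2.20 ()\tStatus: Up\n"
    "Host: 192.168.2.20 ()\tPorts: 631/open/tcp//ipp///\tIgnored State: filtered (999)\n"
    "Host: 192.168.2.30 (nas.lan)\tStatus: Up\n"
    "Host: 192.168.2.30 (nas.lan)\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, "
    "443/open|filtered/tcp//https///, 548/open/tcp//afp///\tIgnored State: closed (996)\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
IGNORED_RE = re.compile(r"^(\S+)\s+\((\d+)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname", "up", "ports": {(port, proto): state}, "ignored": (state, count) or None}}."""
    hosts = defaultdict(lambda: {"hostname": "", "up": False, "ports": {}, "ignored": None})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment lines and anything else
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        rec = hosts[ip]
        if name:
            rec["hostname"] = name
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["up"] = value.strip() == "Up"
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 3 or not parts[0].isdigit():
                        continue  # malformed entry: skip rather than crash
                    rec["ports"][(int(parts[0]), parts[2])] = parts[1]
            elif key == "Ignored State":
                im = IGNORED_RE.match(value.strip())
                if im:
                    rec["ignored"] = (im.group(1), int(im.group(2)))
    return dict(hosts)


def state_counts(hosts, ip):
    """Number of scanned ports in each state for one host, including the unlisted ('ignored') ones."""
    counts = Counter(hosts[ip]["ports"].values())
    if hosts[ip]["ignored"]:
        state, n = hosts[ip]["ignored"]
        counts[state] += n
    return dict(counts)


def open_ports(hosts, ip, proto="tcp"):
    """Sorted port numbers reported as definitely open for one host."""
    return sorted(p for (p, pr), st in hosts[ip]["ports"].items() if pr == proto and st == "open")


def mostly_filtered(hosts, threshold=0.9):
    """Hosts where at least `threshold` of the scanned ports were filtered, i.e. nmap got
    no answer at all: on a home LAN this is usually a host firewall dropping probes."""
    result = []
    for ip in hosts:
        counts = state_counts(hosts, ip)
        total = sum(counts.values())
        if total and counts.get("filtered", 0) / total >= threshold:
            result.append(ip)
    return sorted(result)


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip, rec in parsed.items():
        print(ip, rec["hostname"] or "-", "open:", open_ports(parsed, ip), state_counts(parsed, ip))
    print("mostly filtered:", mostly_filtered(parsed))
```

Feed it real output with `nmap -oG - 192.168.2.0/24 > scan.gnmap` and `parse_gnmap(open("scan.gnmap").read())`. The "Ignored State" count matters: a host showing one open port and 999 filtered is a very different animal from one showing one open port and 999 closed, even though both print a single open port.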
Some arguments
- -Tn: aggressiveness/speed. See [1]
  - -T0 and -T1 will avoid most intrusion detection, but also take very long
  - Default is -T3
  - -T4 and -T5 are often acceptable on a LAN
  - -T4 may affect your internet access; -T5 is a bit antisocial and may affect accuracy. Both are likely to be blocked if there is any intrusion detection
Quick (and approximate) host discovery:
- -sP (called -sn in later versions)
  - Ping only, no port scan afterwards
  - won't report hosts that don't respond to ping
nmap -sP 192.168.1.0/24
Interesting arguments:
- -p: port(s) to scan.
  - By default it scans the 1000 most commonly used ports
  - with -F it scans the 100 most commonly used ports
  - If you want a faster scan and only care about a single service, e.g. -p 22
  - ...or finding hosts with a bunch of services, e.g. -p 1-200
  - ...or a few specific things, say -p 80,22,5353,445,139,631,123,3689,548,7,5900,5000
  - ...or really everything, with -p 0-65535
  - Note that scans on the same subnet are a lot faster than scans of hosts elsewhere
Target spec
I commonly use the 192.168.2.0/24 style.
Other options:
- example.org/24 - the mask is applied after resolving the name to an IP
- lists and ranges like 1,20-200,250-254, usually but not necessarily in the last octet:
  - 192.168.2.20-200
  - 192.168.0-255.1
  - 192.168.0,1,2,100.1,20-200,254
There are more tricks, see http://nmap.org/book/man-target-specification.html
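As an added example covering both the -p port spec above and the target spec forms (not from these notes, not nmap's own code): a small expander that turns an nmap-style IPv4 target spec and a -p port spec into concrete lists, plus a hosts-times-ports count that gives a feel for how big a scan you are about to run. It goes slightly beyond the examples on the page by allowing lists and ranges in every octet at once. It assumes the forms shown on the page (a.b.c.d, a.b.c.0/24, comma lists and dash ranges); hostnames are not resolved (that needs DNS), so a spec like example.org/24 raises ValueError here.

```python
"""Expand nmap-style IPv4 target specs and -p port specs into concrete lists.

Added example for these notes, not nmap's own code. Handles dotted quads,
CIDR suffixes, and comma lists / dash ranges in any octet. Hostnames are
not resolved.
"""
import ipaddress


def _expand_octet(spec):
    """'7' / '0-255' / '1,20-200,254' -> sorted list of ints in 0..255 (ranges inclusive)."""
    values = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = 0 if lo == "" else int(lo)   # open-ended '-200' means 0-200
            hi = 255 if hi == "" else int(hi)  # open-ended '20-' means 20-255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet spec: {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_targets(spec):
    """Return every IPv4 address (as str) covered by one nmap target spec."""
    spec = spec.strip()
    base, _, prefix = spec.partition("/")
    if prefix:
        # CIDR: the mask is applied to the address given and the whole network,
        # including the .0 and .255 addresses, is scanned.
        net = ipaddress.IPv4Network(f"{base}/{prefix}", strict=False)
        return [str(a) for a in net]
    octets = base.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec (hostnames are not resolved here): {spec!r}")
    a, b, c, d = (_expand_octet(o) for o in octets)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def expand_ports(spec):
    """Sorted port numbers for an nmap -p spec: '22', '80,22,5353', '1-200', '0-65535',
    or '-' meaning 1-65535. Protocol prefixes such as 'T:' / 'U:' are stripped."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if ":" in part:
            part = part.split(":", 1)[1]
        if part == "-":
            lo, hi = 1, 65535
        elif "-" in part:
            lo, hi = part.split("-", 1)
            lo = 1 if lo == "" else int(lo)
            hi = 65535 if hi == "" else int(hi)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def probe_count(target_spec, port_spec):
    """Hosts x ports: a rough size of the scan, useful for guessing how long it will take."""
    return len(expand_targets(target_spec)) * len(expand_ports(port_spec))


if __name__ == "__main__":
    for t in ("192.168.2.0/24", "192.168.2.20-200", "192.168.0-255.1", "192.168.0,1,2,100.1,20-200,254"):
        ips = expand_targets(t)
        print(f"{t:34} {len(ips):5} addresses, first {ips[0]}, last {ips[-1]}")
    print("ports:", expand_ports("80,22,5353,445,139,631,123,3689,548,7,5900,5000"))
    print("probes for a /24 with -p 1-200:", probe_count("192.168.2.0/24", "1-200"))
```

The probe count is what makes the "-p 0-65535 on the whole subnet" option expensive: a /24 at 65536 ports is nearly 17 million probes, versus 256 for a single-port sweep, which is why the notes above suggest narrowing either the port list or the target list when you want a fast answer.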