| nmap flag | Description |
| -sV | Attempts to determine the version of the services running |
| -p or -p- | Port scan for port or scan all ports |
| -Pn | Disable host discovery and just scan for open ports |
| -A | Enables OS and version detection, executes in-build scripts for further enumeration |
| -sC | Scan with the default nmap scripts |
| -v | Verbose mode |
| -sU | UDP port scan |
| -sS | TCP SYN port scan |
A Null Scan is a series of TCP packets which hold a sequence number of “zeros” (0000000) and since there are none flags set, the destination will not know how to reply the request. It will discard the packet and no reply will be sent, which indicate that the port is open.
Null Scan is only workable in Linux machines and does not work on latest version of windows
nmap_null_scan.txt
nmap TCP Ack Scan: This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
ACK scan is enabled by specifying the -sA option. Its probe packet has only the ACK flag set (unless you use –scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don’t respond, or send certain ICMP error messages back, are labeled filtered. Table 5.5 provides the full details.
sudo nmap -sA 10.10.114.110
This does the default scan with versions and verbose
-v: Increase verbosity level (use -vv or more for greater effect)
nmap -sC -sV -vv 10.10.162.13
-oN/-oX/-oS/-oG : Output scan in normal, XML, s|
and Grepable format, respectively, to the given filename.
Nmap vuln
The way NSE scripts are defined is based on a list of predefined categories where each script belongs. These categories include: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.
Nmap script vuln is the one we’ll be using to launch our next scan against vulnerable subdomains. The syntax is the same as that of the previous NSE scripts, with ‘vuln’ added after ‘–script’, as you can see here:
nmap -sV -sC –script vuln -oN blue.nmap 10.10.230.244
nmap -sT 10.10.121.96
Starting Nmap 7.60 ( https://nmap.org ) at 2021-10-29 18:12 BST
Nmap scan report for ip-10-10-121-96.eu-west-1.compute.internal (10.10.121.96)
Host is up (0.0030s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
MAC Address: 02:10:87:26:F1:E7 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds