nmap flag    Description
-sV          Attempts to determine the version of the services running
-p / -p-     Scan the given port(s) (-p) or scan all 65535 ports (-p-)
-Pn          Disable host discovery and just scan for open ports
-A           Enables OS and version detection and runs the built-in scripts for further enumeration
-sC          Scan with the default nmap scripts
-v           Verbose mode
-sU          UDP port scan
-sS          TCP SYN port scan

A Null Scan (-sN) is a series of TCP packets with no flags set at all (the flag bits are all zeros, 0000000). Since no flags are set, the destination does not know how to reply to the request: it discards the packet and sends no reply, which nmap takes to indicate that the port is open.

A Null Scan only works against Linux machines and does not work against the latest versions of Windows.

nmap_null_scan.txt

Nmap TCP ACK scan: This scan differs from the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

ACK scan is enabled by specifying the -sA option. Its probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back, are labeled filtered. Table 5.5 provides the full details.

sudo nmap -sA 10.10.114.110

nmap_tcp_ack.txt

This runs the default scripts (-sC) together with version detection (-sV) and verbose output:
-v: Increase verbosity level (use -vv or more for greater effect)

nmap -sC -sV -vv 10.10.162.13

nmap_default_version.txt

Disable host discovery and just scan open ports

nmap -Pn 10.10.230.244

nmap_open_ports_only.txt

-oN/-oX/-oS/-oG: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.

Nmap vuln

The way NSE scripts are defined is based on a list of predefined categories where each script belongs. These categories include: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

The Nmap 'vuln' script category is the one we'll be using to launch our next scan against the vulnerable subdomains. The syntax is the same as that of the previous NSE scripts, with 'vuln' added after '--script', as you can see here:

nmap -sV -sC --script vuln -oN blue.nmap 10.10.230.244

nmap_vulns.txt

nmap -sT 10.10.121.96

Starting Nmap 7.60 ( https://nmap.org ) at 2021-10-29 18:12 BST
Nmap scan report for ip-10-10-121-96.eu-west-1.compute.internal (10.10.121.96)
Host is up (0.0030s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
MAC Address: 02:10:87:26:F1:E7 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
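The -oN normal output format shown above is easy to post-process. As an added example (not part of the original notes), the following Python parses the -sT scan report quoted above (embedded here as constructed sample input) into structured port entries and then compares the open ports against an assumed allowlist baseline, so that an unexpected exposed service stands out; the baseline contents and the PortEntry/parse_normal_output/unexpected_open_ports names are this example's own assumptions.

```python
"""Parse nmap normal (-oN) output and diff open ports against an expected baseline."""
import re
from dataclasses import dataclass

# Constructed sample: the -sT scan report quoted in the notes above.
SAMPLE_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2021-10-29 18:12 BST
Nmap scan report for ip-10-10-121-96.eu-west-1.compute.internal (10.10.121.96)
Host is up (0.0030s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
MAC Address: 02:10:87:26:F1:E7 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
"""

# "22/tcp open ssh" -> port, protocol, state (may be "open|filtered"), service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "Nmap scan report for host (1.2.3.4)" or "Nmap scan report for 1.2.3.4"
HOST_LINE = re.compile(r"^Nmap scan report for (?:.*\()?(\d{1,3}(?:\.\d{1,3}){3})\)?")

@dataclass(frozen=True)
class PortEntry:
    host: str
    port: int
    proto: str
    state: str
    service: str

def parse_normal_output(text):
    """Return a PortEntry for every port line, tagged with the host it belongs to."""
    entries, host = [], None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)  # a new "scan report" block starts: switch host
            continue
        m = PORT_LINE.match(line)
        if m and host:
            port, proto, state, service = m.groups()
            entries.append(PortEntry(host, int(port), proto, state, service))
    return entries

def unexpected_open_ports(entries, baseline):
    """List (host, 'port/proto', service) for open ports absent from the baseline.
    baseline maps host -> set of 'port/proto' strings that are expected to be open."""
    return [(e.host, f"{e.port}/{e.proto}", e.service) for e in entries
            if e.state.startswith("open")
            and f"{e.port}/{e.proto}" not in baseline.get(e.host, set())]

if __name__ == "__main__":
    # Assumed baseline: only SSH and HTTP are supposed to be exposed on this host.
    for finding in unexpected_open_ports(parse_normal_output(SAMPLE_OUTPUT),
                                         {"10.10.121.96": {"22/tcp", "80/tcp"}}):
        print("unexpected open port:", finding)
```

Feeding the script a saved -oN file from a scheduled scan instead of SAMPLE_OUTPUT turns it into a simple exposure-drift check.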