## NMAP

<https://nmap.org/>

Port scanning tool

![[2022-01-10-22-18-19.png]]

### Usage

```
nmap <IP subnet / address> [switches]
```

With no switches, the default behaviour of nmap is to `ping` the target and send a [[TCP]] `ack` packet to ports `80` and `443` to determine whether a host is present. If you want to perform only host discovery, use `nmap -sn` (or `-sP` in earlier versions) to suppress the port scan.

### Port scanning

- [[TCP]] `syn` (`-sS`)
  - This is a fast technique (also referred to as half-open scanning): the scanning host requests a connection but never completes the handshake.
  - The target's response to the scan's `syn` packet identifies the port state.
- [[TCP]] connect (`-sT`)
  - A half-open scan requires nmap to have privileged access to the network driver so that it can craft packets.
  - If privileged access is not available, nmap must use the OS to attempt a full [[TCP]] connection.
  - This type of scan is less stealthy.
- UDP scans (`-sU`)
  - Scan UDP ports.
  - As UDP does not use `ack`s, nmap has to wait for a response or a timeout to determine the port state, so UDP scanning can take a long time.
  - A UDP scan can be combined with a [[TCP]] scan.
- Port range (`-p`)
  - By default, nmap scans 1,000 commonly used ports.
  - Use the `-p` argument to specify a port range.
  - You can also use `--top-ports n`, where `n` is the number of commonly used ports to scan.
  - The frequency statistics that determine how commonly a port is used are stored in the `nmap-services` configuration file.
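To make the last two bullets concrete, here is an added example (not nmap's own code) that does two things: it parses text in the `nmap-services` layout (service name, `port/proto`, open-frequency, optional `#` comment) and ranks ports by frequency the way `--top-ports n` does, and it expands the plain `-p` list syntax (`22,80,443,8000-8010`, `-` for every port) into a set of port numbers. The excerpt of `nmap-services` below is constructed for illustration; its frequency values are made up and are not the real file's numbers. The `-p` parser handles only the comma/range form, not nmap's `T:`/`U:` protocol prefixes.

```python
"""Added example: parse nmap-services frequencies and -p port specs.
Not part of nmap; sample data is constructed."""
import re
from typing import List, Set, Tuple

# Constructed excerpt in the nmap-services layout. Frequencies are made up.
SAMPLE_NMAP_SERVICES = """\
# Fields: service name, portnum/protocol, open-frequency, optional comments
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669\t# secure http (SSL)
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
smtp\t25/tcp\t0.131314\t# Simple Mail Transfer
domain\t53/udp\t0.213496\t# Domain Name Server
snmp\t161/udp\t0.433467\t# Simple Net Mgmt Proto
ntp\t123/udp\t0.330879\t# Network Time Protocol
unknown\t8000/tcp\t0.009710
"""

# name, port/proto, frequency; anything after that (a comment) is ignored.
_SERVICE_LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+([0-9.]+)")


def parse_nmap_services(text: str) -> List[Tuple[str, int, str, float]]:
    """Return (name, port, proto, frequency) tuples, skipping blank,
    comment-only and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SERVICE_LINE.match(line)
        if not match:
            continue  # tolerate a malformed line rather than abort the parse
        name, port, proto, freq = match.groups()
        entries.append((name, int(port), proto, float(freq)))
    return entries


def top_ports(text: str, n: int, proto: str = "tcp") -> List[int]:
    """Ports of the given protocol ordered by descending open-frequency,
    ties broken by port number; this mirrors what --top-ports n selects."""
    entries = [e for e in parse_nmap_services(text) if e[2] == proto]
    entries.sort(key=lambda e: (-e[3], e[1]))
    return [port for _, port, _, _ in entries[:n]]


def parse_port_spec(spec: str) -> Set[int]:
    """Expand a -p style list such as '22,80,443,8000-8010'.
    An open-ended range uses 1 and 65535 as defaults, so '-' means all ports."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else 65535
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


if __name__ == "__main__":
    print("top 3 tcp:", top_ports(SAMPLE_NMAP_SERVICES, 3))
    print("top 2 udp:", top_ports(SAMPLE_NMAP_SERVICES, 2, "udp"))
    print("-p 22,80,443,8000-8002 ->", sorted(parse_port_spec("22,80,443,8000-8002")))
```

Pointing `parse_nmap_services` at the real file (on most installs `/usr/share/nmap/nmap-services`) shows exactly why a default scan covers the ports it does; comparing `top_ports(..., 1000)` against an allow-list of ports a host is expected to expose is a quick way to see which of your services fall inside the default scan window.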