nmap - security

Advised Actions (as per THM)

1. Increase verbosity (2 times) with -vv
2. Always save output of scans so we only have to run the scan once; save with -oA filename
    # This will save filename.nmap, filename.xml, and filename.gnmap files
3. If you are not getting good results and don't care how loud the scan is, enable aggressive mode with -A
    # This enables service detection, OS detection, a traceroute and common script scanning
4. Increase the speed of your scan (at the expense of increasing our noise) with -T<0-5>
    # 5 levels; higher is faster
5. "A very useful option that should not be ignored". Scan all ports with -p-
6. When using the slow UDP scan, use nmap -sU --top-ports 20 <target> to get a much more acceptable scan time

Summary:
    sudo nmap <host> -vv -oA nmap-scan -A -T5 -p-
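
The .gnmap file written by -oA (step 2) is the one worth parsing once the scan has been saved. Below is an added example, not part of the THM notes, that reads greppable output and lists what Nmap reported as open; the scan lines in SAMPLE_GNMAP are constructed, and the hosts, services and versions in them are made up.

```python
import re
from collections import defaultdict

# Constructed sample of a .gnmap file (the "greppable" output that -oA writes
# alongside the .nmap and .xml files). Hosts, ports and versions are invented.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV -p- -oA nmap-scan 192.168.0.0/24
Host: 192.168.0.10 ()\tStatus: Up
Host: 192.168.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)
Host: 192.168.0.11 (printer.lan)\tStatus: Up
Host: 192.168.0.11 (printer.lan)\tPorts: 53/open|filtered/udp//domain///, 9100/open/tcp//jetdirect///\tIgnored State: closed (65533)
# Nmap done at Mon Jan  1 00:05:00 2024 -- 256 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [dict, ...]}} from greppable output."""
    hosts = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        if line.startswith("#"):          # header / footer lines
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.groups()
        hosts[ip]["hostname"] = hostname
        # Fields after the host are tab separated: "Ports: ...", "Ignored State: ..."
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Each entry is port/state/proto/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue
                hosts[ip]["ports"].append({
                    "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                    "service": parts[4], "version": parts[6],
                })
    return dict(hosts)


def open_ports(hosts, proto="tcp"):
    """Flatten to (ip, port, service, version) for ports reported as "open".
    UDP ports usually come back "open|filtered" and so are not listed here."""
    return [(ip, p["port"], p["service"], p["version"])
            for ip, info in sorted(hosts.items())
            for p in info["ports"]
            if p["proto"] == proto and p["state"] == "open"]


if __name__ == "__main__":
    for row in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(row)
```

Replace SAMPLE_GNMAP with the contents of nmap-scan.gnmap from the summary command above to use it on a real run.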

Scan Types

When port scanning with Nmap, there are three basic scan types. These are:

    TCP Connect Scans (-sT)
    SYN "Half-open" or "Stealth" Scans (-sS)
    UDP Scans (-sU)

Additionally there are several less common port scan types. These are:

    TCP Null Scans (-sN)
    TCP FIN Scans (-sF)
    TCP Xmas Scans (-sX)

SYN Scans

Advantages:
    1. Often not logged because standard practice for applications is to only log a connection that is fully established
    2. Faster than a TCP Connect scan because it doesn't have to complete the handshake and then disconnect
Disadvantages:
    1. Requires sudo permissions (needs the ability to create raw packets)
    2. Unstable services can potentially be brought down by SYN scans

This is the default scan type used by Nmap if run with sudo permissions.

UDP Scans

When using the [slower] UDP scan, use nmap -sU --top-ports 20 <target> to get a much more acceptable scan time

ICMP Network Scanning (Ping Sweep)

# Used to scan networks for hosts and not open ports
nmap -sn 192.168.0.1-254
or
nmap -sn 192.168.0.0/24