03. Port Scanning with Nmap

1. Basic Scan: nmap <IP Address>

Command:

nmap <IP Address>

Explanation:

  • Performs a basic scan of the specified IP address.
  • Detects open ports and determines if the host is up (using ICMP ping).
  • Uses the default 1,000 commonly used TCP ports.

Example:

nmap 192.168.1.1

Output:

Lists open ports, their states (open/closed), and their default services.

2. Disable Host Discovery: nmap -Pn <IP Address>

Command:

nmap -Pn <IP Address>

Explanation:

  • Treats the target as online without sending ICMP ping requests.
  • Useful when ICMP ping is blocked by a firewall.

Example:

nmap -Pn 192.168.1.1

3. Full Port Scan: nmap -Pn -p- or Specific Port: nmap -Pn -p <port>

Commands:

  1. Scan all 65,535 ports:

    nmap -Pn -p- <IP Address>
    
  2. Scan specific port:

    nmap -Pn -p 80 <IP Address>
    

Explanation:

  • -p-: Scans all TCP ports (1–65535).
  • -p <port>: Scans a specific port.

Example:

nmap -Pn -p- 192.168.1.1

4. Fast Scan: nmap -Pn -F <IP Address>

Command:

nmap -Pn -F <IP Address>

Explanation:

  • Scans only the top 100 most commonly used ports.
  • Faster than the default scan.

Example:

nmap -Pn -F 192.168.1.1

5. UDP Scan: nmap -Pn -sU <IP Address>

Command:

nmap -Pn -sU <IP Address>

Explanation:

  • Scans UDP ports instead of TCP.
  • Useful for finding open UDP services like DNS (port 53) or NTP (port 123).
  • Expect it to be much slower than a TCP scan: Nmap infers closed UDP ports from ICMP port-unreachable replies, which most hosts rate-limit.

Example:

nmap -Pn -sU 192.168.1.1

6. Verbose Output: nmap -Pn <IP Address> -v

Command:

nmap -Pn <IP Address> -v

Explanation:

  • Provides detailed and real-time output during the scan.
  • Useful for troubleshooting or monitoring scan progress.

Example:

nmap -Pn 192.168.1.1 -v

7. Service Version Detection: nmap -sV <IP Address>

Command:

nmap -sV <IP Address>

Explanation:

  • Identifies the version of services running on open ports.
  • Provides more detailed information about the services.

Example:

nmap -sV 192.168.1.1

Output:

Displays open ports, services, and their versions (e.g., Apache 2.4.48).

8. OS Detection: nmap -O <IP Address>

Command:

nmap -O <IP Address>

Explanation:

  • Attempts to detect the operating system running on the target device.
  • Uses TCP/IP stack fingerprinting.

Example:

nmap -O 192.168.1.1

9. Default Script Scan: nmap -sC <IP Address>

Command:

nmap -sC <IP Address>

Explanation:

  • Runs the default set of Nmap Scripting Engine (NSE) scripts against the target.
  • Detects common vulnerabilities, services, and misconfigurations.

Example:

nmap -sC 192.168.1.1

10. Save Output in Normal Format: nmap -Pn <IP Address> -oN <file>

Command:

nmap -Pn <IP Address> -oN <file>

Explanation:

  • Saves the scan result in a human-readable text file.

Example:

nmap -Pn 192.168.1.1 -oN test.txt

11. Save Output in XML Format: nmap -Pn <IP Address> -oX <file>

Command:

nmap -Pn <IP Address> -oX <file>

Explanation:

  • Saves the scan result in XML format for automation or further processing.

Example:

nmap -Pn 192.168.1.1 -oX test.xml

Practical Scenarios

  1. Identify All Open Ports on a Host:

    nmap -Pn -p- 192.168.1.1
    
  2. Detect Operating System and Services:

    nmap -O -sV 192.168.1.1
    
  3. Perform a UDP Scan:

    nmap -Pn -sU 192.168.1.1
    
  4. Save Results for Later Analysis:

    nmap -Pn 192.168.1.1 -oN scan_results.txt
    nmap -Pn 192.168.1.1 -oX scan_results.xml
    
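As an added example (not part of this page and not Nmap's own code), the following Python script shows what "further processing" of the XML written by -oX (section 11 and scenario 4 above) can look like: it parses the scan, collects every port reported as open, and flags any that are not on an expected-port baseline, which is how a defender turns a saved scan into an alert on newly exposed services. The embedded XML is constructed to mirror the <nmaprun>/<host>/<ports>/<port> layout Nmap produces and is not real scan output; the BASELINE allow-list is an assumed example.

```python
"""Parse nmap -oX output and report open ports that are not on a baseline."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the file `nmap -Pn -sV 192.168.1.1 -oX scan_results.xml`
# would write, trimmed to the elements used below. Not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV 192.168.1.1 -oX scan_results.xml">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.48"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open" reason="udp-response"/>
        <service name="domain"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed allow-list: the (protocol, port) pairs each host is expected to expose.
BASELINE = {"192.168.1.1": {("tcp", 22), ("tcp", 80), ("udp", 53)}}


def parse_open_ports(xml_text):
    """Return {host_ip: {(protocol, port): service_label}} for ports in state 'open'."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        # Prefer the IPv4 address element; fall back to the first address of any type.
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered ports
            key = (port.get("protocol"), int(port.get("portid")))
            svc = port.find("service")
            if svc is None:
                label = "unknown"
            else:
                # Join name/product/version (from -sV) into one readable label.
                parts = [svc.get("name", ""), svc.get("product", ""), svc.get("version", "")]
                label = " ".join(p for p in parts if p)
            open_ports[key] = label
        results[addr_el.get("addr")] = open_ports
    return results


def unexpected_ports(scan, baseline):
    """Open ports per host that are absent from that host's baseline allow-list."""
    findings = {}
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        extra = {k: v for k, v in ports.items() if k not in allowed}
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_XML)
    for host, extra in unexpected_ports(scan, BASELINE).items():
        for (proto, port), label in sorted(extra.items()):
            print(f"{host}: unexpected open {proto}/{port} ({label})")
```

Run against a real file by replacing SAMPLE_XML with the contents of the -oX output; closed and filtered ports are ignored, so only services actually reachable at scan time are compared with the baseline.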

Key Points

  • -Pn: Ignores ICMP ping checks; useful for firewalled hosts.
  • -sV: Provides service versions, crucial for vulnerability analysis.
  • -O: Helps identify the target's operating system.
  • Output Options: Use -oN or -oX to save results for documentation or automated processing.