Nmap and Network Scanning

  1. Core Port Scanning Techniques
    1. TCP SYN Scan (-sS)
      1. Half-Open Scanning
        1. SYN Packet Transmission
        2. Response Analysis
      2. Stealth Characteristics
        1. Connection Avoidance
        2. Log Evasion
      3. Privileges Required
        1. Raw Socket Access
        2. Root/Administrator Rights
      4. Typical Use Cases
        1. Default Scan Method
        2. Stealth Requirements
    2. TCP Connect Scan (-sT)
      1. Full Connection Establishment
        1. Complete TCP Handshake
        2. System Call Usage
      2. Detectability
        1. Connection Logging
        2. Service Impact
      3. When to Use
        1. Non-Privileged Scanning
        2. Compatibility Requirements
    3. UDP Scan (-sU)
      1. Connectionless Protocol Challenges
        1. No Connection State
        2. Response Variability
      2. Interpreting Responses
        1. Open Ports
        2. Closed Ports
        3. Filtered Ports
      3. False Positives and Negatives
        1. ICMP Unreachable Messages
        2. Timeout Interpretation
      4. UDP Scan Optimization
        1. Rate Limiting
        2. Payload Customization
    4. TCP FIN Scan (-sF)
      1. FIN Flag Scanning
        1. RFC 793 Compliance
        2. Closed Port Responses
        3. Firewall Evasion
    5. TCP Null Scan (-sN)
      1. No Flags Set
        1. System Response Patterns
        2. Stealth Characteristics
    6. TCP Xmas Scan (-sX)
      1. FIN, PSH, and URG Flags
        1. Christmas Tree Analogy
        2. Detection Signatures
    7. TCP ACK Scan (-sA)
      1. Firewall Rule Probing
        1. Differentiating Stateful vs Stateless Firewalls
        2. RST Response Analysis
        3. Filtered vs Unfiltered
      2. Network Topology Mapping
    8. TCP Window Scan (-sW)
      1. Window Size Analysis
        1. System-Specific Responses
        2. Limited Applicability
    9. TCP Maimon Scan (-sM)
      1. FIN/ACK Flag Combination
        1. BSD System Targeting
        2. Unique Response Patterns
    10. Custom TCP Scans
      1. --scanflags Option
        1. Custom Flag Combinations
        2. Manual Flag Setting
        3. Advanced Evasion Techniques
    11. SCTP INIT Scan (-sY)
      1. SCTP Protocol Overview
        1. Stream Control Transmission Protocol
        2. Multi-Homing Support
      2. INIT Chunk Scanning
        1. Specialized Applications
    12. IP Protocol Scan (-sO)
      1. Protocol-Level Scanning
        1. Supported IP Protocols
        2. Raw IP Packet Analysis
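The response-analysis items above (SYN/connect, UDP, FIN/Null/Xmas/Maimon, ACK, Window, SCTP INIT and IP protocol scans) all reduce to one table: which reply to a probe yields which port state. The following is an added example written for this outline, not code from Nmap itself; it encodes the state rules as Nmap's reference documentation describes them. The `Response` record, the scan-option strings used as keys, and the constructed sample responses at the bottom are this example's own assumptions.

```python
"""Port-state inference for the Nmap scan types listed in the outline.

Added example, not Nmap's own code. Each branch encodes the documented
response-to-state rule for that scan type. Response and the sample data
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# ICMP destination-unreachable codes that Nmap reports as "filtered":
# net (1), host (2), port (3), net-prohib (9), host-prohib (10), admin-prohib (13)
ICMP_FILTER_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    """One reply (or the absence of one, after retransmissions) to a probe.

    kind: 'none', 'tcp', 'udp', 'sctp', 'icmp-unreach', or 'proto' (any
    IP-layer answer, which is all -sO needs to see).
    """
    kind: str
    tcp_flags: str = ""            # e.g. "SA", "R", "RA"
    tcp_window: int = 0            # only meaningful for -sW
    icmp_code: Optional[int] = None
    sctp_chunk: str = ""           # "INIT-ACK" or "ABORT"


def _icmp_unreachable(r: Response) -> bool:
    return r.kind == "icmp-unreach" and r.icmp_code in ICMP_FILTER_CODES


def _tcp_has(r: Response, flag: str) -> bool:
    return r.kind == "tcp" and flag in r.tcp_flags


def classify(scan: str, r: Response) -> str:
    """Return the Nmap port state for one response under the given scan type."""
    if scan in ("-sS", "-sT"):
        if _tcp_has(r, "S") and _tcp_has(r, "A"):
            return "open"                      # SYN/ACK (or connect() succeeded)
        if _tcp_has(r, "R"):
            return "closed"                    # RST
        return "filtered"                      # silence or ICMP unreachable
    if scan == "-sU":
        if r.kind == "udp":
            return "open"                      # any UDP answer proves a listener
        if r.kind == "icmp-unreach" and r.icmp_code == 3:
            return "closed"                    # port unreachable
        if _icmp_unreachable(r):
            return "filtered"
        return "open|filtered"                 # silence is ambiguous over UDP
    if scan in ("-sF", "-sN", "-sX", "-sM"):
        if _tcp_has(r, "R"):
            return "closed"
        if _icmp_unreachable(r):
            return "filtered"
        return "open|filtered"                 # RFC 793 hosts drop the probe
    if scan == "-sA":
        if _tcp_has(r, "R"):
            return "unfiltered"                # the probe reached the host
        return "filtered"                      # dropped, or ICMP unreachable
    if scan == "-sW":
        if _tcp_has(r, "R"):                   # some stacks leak state in the
            return "open" if r.tcp_window > 0 else "closed"   # RST's window
        return "filtered"
    if scan == "-sY":
        if r.kind == "sctp" and r.sctp_chunk == "INIT-ACK":
            return "open"
        if r.kind == "sctp" and r.sctp_chunk == "ABORT":
            return "closed"
        return "filtered"
    if scan == "-sO":
        if r.kind == "proto":
            return "open"                      # any response in that protocol
        if r.kind == "icmp-unreach" and r.icmp_code == 2:
            return "closed"                    # protocol unreachable
        if r.kind == "icmp-unreach" and r.icmp_code in {1, 3, 9, 10, 13}:
            return "filtered"
        return "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def summarize(scan: str, responses: Dict[int, Response]) -> Dict[int, str]:
    """Map every probed port (or protocol number for -sO) to its state."""
    return {port: classify(scan, r) for port, r in responses.items()}


# Constructed sample: what a SYN scan of four ports might see.
SAMPLE_SYN = {
    22: Response("tcp", "SA"),
    23: Response("tcp", "RA"),
    80: Response("none"),
    443: Response("icmp-unreach", icmp_code=13),
}

if __name__ == "__main__":
    for port, state in summarize("-sS", SAMPLE_SYN).items():
        print(f"{port}/tcp {state}")
```

The branch order matters in the UDP case: ICMP code 3 must be tested before the generic unreachable set, because port-unreachable is the one ICMP reply that proves the port is closed rather than filtered.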
    13. Idle Scan (-sI)
      1. Zombie Host Concept
        1. IP ID Sequence Analysis
      2. Identifying Suitable Zombie Hosts
        1. Idle Host Requirements
        2. IP ID Predictability
      3. Scan Process
        1. Baseline Establishment
        2. Target Probing
        3. Result Interpretation
      4. Advantages and Limitations
        1. Ultimate Stealth
        2. Complexity Requirements
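The three scan-process steps above (baseline, spoofed probe, result interpretation) and the zombie-suitability check can be exercised end to end without touching a network. The block below is an added simulation written for this outline, not Nmap's implementation: `Zombie` and `Target` are constructed stand-ins for real hosts, and the only protocol behaviour they model is that a host with a global incremental IP ID counter consumes one ID per packet it sends, answers an unsolicited SYN/ACK with a RST, and stays silent on an unsolicited RST. The `busy` flag is this example's way of modelling a zombie that is talking to someone else.

```python
"""Idle scan (-sI) IP ID inference, simulated.

Added example, not Nmap's own code. Zombie and Target are constructed
models; a real scan sends these packets on the wire.
"""
from typing import Dict, Iterable


class Zombie:
    """Host with a single global, incremental IP ID counter."""

    def __init__(self, start_ipid: int = 31337, busy: bool = False):
        self.ipid = start_ipid
        self.busy = busy   # assumption: a busy zombie sends one unrelated packet per reply

    def _send(self) -> int:
        step = 2 if self.busy else 1
        self.ipid = (self.ipid + step) & 0xFFFF   # 16-bit field wraps around
        return self.ipid

    def on_syn_ack(self) -> int:
        """Unsolicited SYN/ACK -> RST; one packet sent, one IP ID consumed."""
        return self._send()

    def on_rst(self) -> None:
        """Unsolicited RST -> no reply, counter untouched."""
        return None


class Target:
    def __init__(self, open_ports: Iterable[int], filtered_ports: Iterable[int] = ()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def on_spoofed_syn(self, port: int, zombie: Zombie) -> None:
        """The SYN carries the zombie's source address, so the reply goes to it."""
        if port in self.filtered_ports:
            return                   # firewall drops the SYN: nothing reaches the zombie
        if port in self.open_ports:
            zombie.on_syn_ack()      # SYN/ACK to zombie -> zombie emits a RST
        else:
            zombie.on_rst()          # RST to zombie -> zombie stays quiet


def probe_zombie(zombie: Zombie) -> int:
    """Scanner sends its own SYN/ACK to the zombie and reads the RST's IP ID."""
    return zombie.on_syn_ack()


def zombie_is_usable(zombie: Zombie, probes: int = 6) -> bool:
    """Baseline: the IP ID must advance by exactly 1 per probe while only we talk to it."""
    ids = [probe_zombie(zombie) for _ in range(probes)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(zombie: Zombie, target: Target, port: int) -> str:
    before = probe_zombie(zombie)            # step 1: baseline IP ID
    target.on_spoofed_syn(port, zombie)      # step 2: spoofed SYN from the zombie's address
    after = probe_zombie(zombie)             # step 3: re-read the IP ID
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"                        # zombie sent a RST in between
    if delta == 1:
        return "closed|filtered"             # zombie sent nothing in between
    return "unknown"                         # zombie was not idle: retry or replace it


def idle_scan(zombie: Zombie, target: Target, ports: Iterable[int]) -> Dict[int, str]:
    return {p: idle_scan_port(zombie, target, p) for p in ports}


if __name__ == "__main__":
    z = Zombie(start_ipid=100)
    print("zombie usable:", zombie_is_usable(z))
    t = Target(open_ports={22, 80}, filtered_ports={443})   # constructed target
    print(idle_scan(z, t, [22, 80, 443, 8080]))
```

Note that the scan cannot tell closed from filtered: in both cases the zombie sends nothing, so the delta is 1. Real Nmap also sends several probes per port and tolerates some noise; this simulation treats any delta other than 1 or 2 as a signal that the zombie must be retried or replaced.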
  2. Specifying Ports and Scan Order
    1. Port Range Specification (-p)
      1. Individual Ports
      2. Port Ranges
      3. Protocol-Specific Ports
    2. Fast Scan (-F)
      1. Top 100 Ports
      2. Speed Optimization
    3. Don't Randomize Ports (-r)
      1. Sequential Port Scanning
      2. Predictable Order
    4. Top Ports (--top-ports)
      1. Most Common Ports
      2. Customizable Count
    5. Port Exclusion (--exclude-ports)
      1. Avoiding Specific Ports
      2. Service Disruption Prevention
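The port-specification items above (individual ports, ranges, protocol prefixes, exclusion and scan order) share one syntax, and `--exclude-ports` takes the same form as `-p`. The block below is an added example written for this outline, not Nmap's own parser: it handles comma-separated ports and ranges, a range with an omitted start (meaning 1) or end (meaning the maximum, so `-` alone is every port), and the `T:`, `U:`, `S:` and `P:` prefixes that apply to everything after them. Service names and `[bracket]` wildcards are left out, and the upper bound of 255 for `P:` is this example's assumption; `--top-ports` and `-F` need Nmap's frequency database and are not modelled.

```python
"""Nmap-style port specification (-p / --exclude-ports) and scan order (-r).

Added example, not Nmap's own code. Service names and [bracket] wildcards
are not supported; the 0-255 bound for P: is an assumption.
"""
import random
from typing import Dict, Iterable, List, Optional, Set

PROTOS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
MAX_PORT = {"tcp": 65535, "udp": 65535, "sctp": 65535, "ip": 255}


def parse_port_spec(spec: str, default_proto: str = "tcp") -> Dict[str, Set[int]]:
    """Expand a -p style string into one port set per protocol.

    "22,80-85"              -> tcp {22, 80..85}
    "U:53,111,T:21-25,80"   -> udp {53, 111}, tcp {21..25, 80}
    "-"                     -> every port 1..65535 of the current protocol
    """
    result: Dict[str, Set[int]] = {p: set() for p in PROTOS.values()}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTOS:
            proto = PROTOS[item[0].upper()]       # prefix sticks until the next one
            item = item[2:]
        limit = MAX_PORT[proto]
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1         # "-100" means 1-100
            hi = int(hi_s) if hi_s else limit     # "1000-" means 1000-65535
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= limit):
            raise ValueError(f"range {item!r} out of bounds for {proto}")
        result[proto].update(range(lo, hi + 1))
    return result


def exclude_ports(selected: Dict[str, Set[int]], exclude_spec: str) -> Dict[str, Set[int]]:
    """--exclude-ports: drop ports the scan must never touch (fragile services)."""
    excluded = parse_port_spec(exclude_spec)
    return {proto: ports - excluded[proto] for proto, ports in selected.items()}


def scan_order(ports: Iterable[int], randomize: bool = True,
               seed: Optional[int] = None) -> List[int]:
    """Default order is shuffled; -r (don't randomize) scans sequentially."""
    ordered = sorted(ports)
    if randomize:
        random.Random(seed).shuffle(ordered)
    return ordered


if __name__ == "__main__":
    chosen = exclude_ports(parse_port_spec("U:53,111,T:1-1024,S:9"), "22,80,443")
    for proto, ports in chosen.items():
        if ports:
            print(proto, scan_order(ports, randomize=False)[:10], "...", len(ports), "ports")
```

Randomizing the order is the default because a sequential sweep is easy to fingerprint; `-r` is for cases where a predictable order is wanted, such as diffing two scans or debugging a filter.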