nmap

From RaySoft

The output from nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the 'interesting ports table'. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to nmap's probes, but nmap cannot determine whether they are open or closed. nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describes a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), nmap provides information on supported IP protocols rather than listening ports.[1]

Documentation

Parameters

Host discovery

--traceroute
Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target.

Scan technique

-sF, -sN, -sX
These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports.
When scanning systems compliant with this RFC text, any packet not containing the SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. Nmap exploits this with three scan types:
FIN scan (-sF)
Sets just the TCP FIN bit.
Null scan (-sN)
Does not set any bits (TCP flag header is 0).
Xmas scan (-sX)
Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
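The flag combinations described above are also what a defender looks for in flow or packet records: a TCP segment carrying none of SYN, RST or ACK is not part of any normal connection. The following is an added example (not nmap code) that classifies a TCP flags byte as a FIN, NULL or Xmas probe and flags sources that send such packets to several distinct ports; the flow records are constructed, and the threshold of three ports is an assumption.

```python
from collections import defaultdict

# TCP flag bits as they appear in the low byte of the flags field.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Name the probe type for a TCP flags byte (ECE/CWR bits are ignored)."""
    flags &= 0x3F
    if flags & (TCP_SYN | TCP_RST | TCP_ACK):
        return "normal"            # carries SYN, RST or ACK: ordinary traffic
    if flags == 0:
        return "null"              # no bits at all (-sN)
    if flags == TCP_FIN:
        return "fin"               # FIN alone (-sF)
    if flags == TCP_FIN | TCP_PSH | TCP_URG:
        return "xmas"              # FIN+PSH+URG (-sX)
    return "other-anomalous"       # some other SYN/RST/ACK-less combination


# Constructed sample flow records: (source IP, destination port, TCP flags byte).
SAMPLE_RECORDS = [
    ("10.0.0.5", 22, TCP_SYN),                        # normal connection attempt
    ("10.0.0.5", 80, TCP_ACK | TCP_PSH),              # normal data segment
    ("10.0.0.9", 22, 0x00),                           # NULL probe
    ("10.0.0.9", 80, TCP_FIN),                        # FIN probe
    ("10.0.0.9", 443, TCP_FIN | TCP_PSH | TCP_URG),   # Xmas probe
    ("10.0.0.9", 8080, TCP_FIN),                      # FIN probe
]


def find_stealth_scanners(records, min_ports: int = 3) -> dict:
    """Return {source: {probe_type: count}} for sources that sent SYN/RST/ACK-less
    segments to at least min_ports distinct destination ports."""
    counts = defaultdict(lambda: defaultdict(int))
    ports_seen = defaultdict(set)
    for src, dport, flags in records:
        kind = classify_flags(flags)
        if kind == "normal":
            continue
        counts[src][kind] += 1
        ports_seen[src].add(dport)
    return {src: dict(c) for src, c in counts.items() if len(ports_seen[src]) >= min_ports}


if __name__ == "__main__":
    for src, kinds in find_stealth_scanners(SAMPLE_RECORDS).items():
        print(f"{src}: {kinds}")
```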
-sS
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.
-sT
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call.
-sU
While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP are three of the most common.

Port Specification & Scan Order

-F
Specifies that you wish to scan fewer ports than the default. Normally nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.
-p PORT
This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a range may be omitted, causing nmap to use 1 and 65535, respectively. So you can specify -p- to scan ports from 1 through 65535.
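The -p syntax described above (comma lists, hyphen ranges, omitted range ends, and a bare -p-) is easy to get wrong when passing port lists around in scripts. The following is an added example (not part of nmap) that expands such a specification into the set of ports it selects; it assumes plain numeric specifications only and does not handle nmap's T:/U: protocol qualifiers or service-name lookups.

```python
# Defaults used when a range end is omitted, as the -p description states.
DEFAULT_LOW, DEFAULT_HIGH = 1, 65535
MAX_PORT = 65535


def _parse_bound(text: str, default: int) -> int:
    """Return an integer port bound, or the default when the text is empty."""
    if text == "":
        return default
    if not text.isdigit():
        raise ValueError(f"invalid port value: {text!r}")
    value = int(text)
    if value > MAX_PORT:
        raise ValueError(f"port out of range: {value}")
    return value


def expand_port_spec(spec: str) -> set:
    """Expand an nmap -p style specification into a set of port numbers.

    Accepts "22,80,443", "1-1023", "-1023" (1..1023), "1024-" (1024..65535)
    and "-" alone (1..65535).
    """
    ports = set()
    for element in spec.split(","):
        element = element.strip()
        if element == "":
            raise ValueError("empty element in port specification")
        if "-" in element:
            low_text, high_text = element.split("-", 1)
            low = _parse_bound(low_text, DEFAULT_LOW)
            high = _parse_bound(high_text, DEFAULT_HIGH)
            if low > high:
                raise ValueError(f"range start exceeds end: {element!r}")
            ports.update(range(low, high + 1))
        else:
            ports.add(_parse_bound(element, DEFAULT_LOW))
    return ports


if __name__ == "__main__":
    for spec in ("22,80,443", "1-1023", "-", "-100", "65530-"):
        print(f"{spec:>10} -> {len(expand_port_spec(spec))} ports")
```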

Service & version detection

-sV
Enables version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things.

Script scan

-sC
Performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.
--script FILENAME|CATEGORY|DIRECTORY
Runs a script scan using the comma-separated list of FILENAMEs, script CATEGORYs, and DIRECTORYs. Each element in the list may also be a Boolean expression describing a more complex set of scripts.

Operating System detection

-O
Enables OS detection. Alternatively, you can use -A to enable OS detection along with other things.

Timing & Performance

-T paranoid|sneaky|polite|normal|aggressive|insane
While nmap's fine-grained timing controls are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize. So nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0-5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5).

Verbosity and debugging

-v
Increases the verbosity level, causing nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when nmap thinks a scan will take more than a few minutes. Use it twice or more for even greater verbosity: -vv, or give a verbosity level directly, for example -v3.

Misc

-6
Enable IPv6 scanning.
-A
This option enables additional advanced and aggressive options. I haven't decided exactly which it stands for yet. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute).

Examples

Try to find the application behind the ports
nmap -sV 'xeon.raysoft.loc'

Output:

...
22/tcp  open  ssh      OpenSSH 5.3 (protocol 2.0)
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
...
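The port table lines above follow the fixed layout described at the top of this page: port/protocol, state, service and an optional version column. The following is an added example (not nmap's own code) that parses such lines from nmap's normal output, including the combined open|filtered and closed|filtered states; the sample output extends the lines above with constructed entries for a UDP port, a filtered port and a closed port.

```python
import re

# One row of the 'interesting ports table'. Longer state names are listed
# first so that "open|filtered" is not matched as "open" followed by junk.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|unfiltered|open|closed|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)

# Constructed sample of nmap normal output (first three rows match the example above).
SAMPLE_OUTPUT = """\
Nmap scan report for xeon.raysoft.loc
PORT     STATE         SERVICE  VERSION
22/tcp   open          ssh      OpenSSH 5.3 (protocol 2.0)
80/tcp   open          http     Apache httpd
443/tcp  open          ssl/http Apache httpd
53/udp   open|filtered domain
25/tcp   filtered      smtp
3306/tcp closed        mysql
Nmap done: 1 IP address (1 host up)
"""


def parse_port_table(text: str) -> list:
    """Return one dict per port-table row; banner, header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = PORT_LINE.match(line)
        if not match:
            continue
        row = match.groupdict()
        row["port"] = int(row["port"])
        # "open|filtered" means nmap could not decide between the two states.
        row["possible_states"] = row["state"].split("|")
        rows.append(row)
    return rows


def ports_needing_review(rows: list) -> list:
    """Rows that are open, or whose state nmap could not pin down."""
    return [r for r in rows if r["state"] == "open" or "|" in r["state"]]


if __name__ == "__main__":
    for row in parse_port_table(SAMPLE_OUTPUT):
        print(f'{row["port"]}/{row["proto"]:<4} {row["state"]:<14} {row["service"]:<9} {row["version"] or ""}')
```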

References

  1. man 1 'nmap'