SYNOPSIS
nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>
There are a number of options and scan types that can be used. Consult the man page for a full treatment, but some of the key ones are as follows:
-s*
The -s* flag directs nmap to use scan technique *. Use -sT for a standard TCP connect scan; it will be detected easily by any service that logs connections. The -sS flag does a SYN or half-open scan, which can be detected only by some firewall software but not by ordinary services. The Courtney and PortSentry Intrusion Detection Systems will detect these. Any of -sF, -sX, or -sN will do a very stealthy scan. However, they will not work against the Windows, BSDI, HP/UX, MVS, IRIX, and Cisco platforms. It is not clear whether this is due to bugs in them or to deliberate decisions in these platforms to ignore the TCP specifications in order to block detection.
The following scans will map out Pentacorp, a class-C network, reasonably thoroughly, using pings, stealth TCP packets, and UDP packets:
The -sP option simply pings the listed systems to see which IP addresses have systems on them. Normally, this ping test is done first, before the other tests, so this flag is useful if you want to do only the ping scan:
nmap -sP -T Aggressive network/mask
To suppress this initial test for pingability before doing other tests, include -P0.
The -sU flag will scan all UDP ports for services. Because UDP addresses can be spoofed easily and many well-known UDP services have security problems, this can be useful for finding vulnerabilities in your network. Note that recent Linux kernels and some UNIX platforms implement a limit to the rate of ICMP error messages, in order to slow this detection down to scanning two ports per second.
The -b ftp_relay_host scan will test FTP servers for a serious vulnerability. This vulnerability is the FTP server's willingness to relay FTP requests to another system. Crackers can use this vulnerability as a means for two attacks. One is to send email, postings, and other data anonymously. The other attack is to communicate with other systems behind a firewall that the FTP server is allowed to access.
The -I flag will determine which user each TCP service is running as. This helps detect those services set up as root or some other privileged user. The -v flag will make this output even more verbose, possibly exposing port redirects and other things.
The -p port_range flag is used to specify a port range to scan. A dash specifies a range, and a comma specifies a list; a trailing dash with no upper bound means through the highest port. For example, to scan privileged ports, NFS, X, and ports starting at 60000, use
-p 0-1023,2049,6000-6100,60000-
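A parser for the -p syntax just described (comma lists, dash ranges, and an open-ended trailing dash), as an added example that is not part of the original text or of nmap's own code; the missing_from_spec check and the sample must-cover list are assumptions used here to verify that a scan specification covers every port an audit is supposed to probe.

```python
"""Expand and compact nmap-style -p port specifications (added example)."""
from typing import List, Set, Tuple

MAX_PORT = 65535


def expand_port_spec(spec: str) -> Set[int]:
    """Return the set of ports selected by an nmap-style -p specification."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            if lo_s == "":
                raise ValueError(f"range needs a lower bound: {item!r}")
            lo = int(lo_s)
            hi = MAX_PORT if hi_s == "" else int(hi_s)  # "60000-" means 60000..65535
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def compact_port_spec(ports: Set[int]) -> str:
    """Render a set of ports back as the shortest comma/dash specification."""
    ranges: List[Tuple[int, int]] = []
    for p in sorted(ports):
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)  # extend the current run
        else:
            ranges.append((p, p))
    return ",".join(f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def missing_from_spec(spec: str, must_cover: Set[int]) -> Set[int]:
    """Ports an audit expects to probe that the given spec would skip (assumed check)."""
    return must_cover - expand_port_spec(spec)


if __name__ == "__main__":
    # Constructed sample: the page's own example spec and an assumed must-cover list
    spec = "0-1023,2049,6000-6100,60000-"
    selected = expand_port_spec(spec)
    print(len(selected), "ports selected")  # 6662 ports selected
    print(compact_port_spec(selected))  # 0-1023,2049,6000-6100,60000-65535
    print(sorted(missing_from_spec(spec, {22, 2049, 3306, 8080})))  # [3306, 8080]
```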
Commonly, you may want to scan just a few ports that host common servers of a certain type. For example, you can see who is running a Web server, and on what version of what operating system each is running, in the 192.168.0.0 class-B network with: