Different types of scans

Default scan – if we just run nmap, we get basic top level common ports that are open. Not sending and UDP, OS enumeration, etc

-sN – Ping scan. Sends ARP packets across local network to see whats online

-sN (run as root)- If you want to use ICMP pings to scan. This doesnt have it defaulted as sometimes things dont respond to pings

-sV – looks for service information and version numbers

-sC – Custom scripts built into Nmap

-O  – Gives operating system information

-A – Think ALL. Gives OS and other information

-sS – Stealth scan. Doesnt complete the handshake. Sends Syn, receives a ACK. Then drops it. 1024 bytes

-sT – This sends SYN, it sends SYN-ACK back, Then we send a reset. This size is much larger than the 1024 bytes. Risk means this may be logged on the other side

-sX – Christmas scan.


Blue Team

If you locate any Receiving connections for 1024 bytes, it is most likely Nmap



/usr/nmap/share/nmap/scripts – default location for scripts

Updating scripts – nmap –script-updatedb

-sC – this is for custom default scripts

To specify specific script – –script “script name”