NMAP Flags
# nmap -sS -F -O -Pn 21.1.2.0/24
-sS runs a SYN (stealth) TCP scan that determines whether a specific TCP-based port is open.
-sU runs a UDP scan. While most popular services on the internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP and DHCP (53, 161/162, 67/68) are three of the most common. Because UDP scans are generally slower and more difficult than TCP scans, some security auditors ignore these ports.
-Pn Tells nmap not to use ping to determine whether a system is running; instead it treats all hosts as alive.
If you are performing an internet-based penetration test you should use this flag, because most networks don't allow Internet Control Message Protocol (ICMP), the protocol that ping uses. If you are performing the nmap scan internally you can probably ignore this flag.
-F Fast mode: scans only the well-known (most common) ports
-O Operating system detection
-A Aggressive scan
NMAP scan Examples
1. NMAP
Nmap is by far the most popular port scanning tool. It integrates with Metasploit quite elegantly, storing scan output in a database backend for later use. Using nmap we interact directly with a system to learn more about it: we port scan the target for open ports, or run scans to determine which services are running. If you are doing red team work you need to be extra careful not to get nabbed by IDS and IPS.
ACTIVE INFORMATION GATHERING
Ping sweep to find out live machines
# nmap -sn 21.1.2.0/24
Nmap with -sV version scanning and -A aggressive scan on the default 1000 ports
# nmap -sV -A 21.1.2.5
Nmap scanning the top 25 ports, e.g. nmap -sT -A --top-ports=20 ip
# nmap --top-ports=25 -v --open --reason 21.1.2.5
Nmap TCP connect scan / Vanilla scan on all ports
# nmap -sT -A 21.1.2.5 -p-
Nmap TCP connect scan with -Pn, which treats all hosts as online and skips host discovery, on all ports
# nmap -sT -Pn 21.1.2.5 -p-
Nmap with -sV version scanning and -A aggressive scan
# nmap -sV -sT -A 21.1.2.5 -p 1-1000
Nmap with OS discovery
# nmap -O 21.1.2.5
# nmap -sS -F -O -Pn 21.1.2.0/24
# nmap -A 21.1.2.0/24
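The commands above print to the terminal; for auditing a range like 21.1.2.0/24 you want the results in a form you can diff against an allow-list. The following is an added example, not part of these notes: it parses the XML that nmap writes with -oX and pulls out the open ports with the --reason value, the -sV service/version, and the -O match. The XML is a hand-constructed sample in nmap's format, not real output, and the parse_nmap_xml and unexpected_open_ports function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes with -oX; not real scan output.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -Pn --reason -oX - 21.1.2.5">
  <host>
    <address addr="21.1.2.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="mysql"/>
      </port>
    </ports>
    <os><osmatch name="Linux 5.4 - 5.15" accuracy="95"/></os>
  </host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {addr: {"os": name-or-None, "ports": [port dicts]}} for each host."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        osmatch = host.find("os/osmatch")  # best -O guess, if nmap made one
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),  # the value --reason prints
                "service": svc.get("name") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts[addr] = {"os": osmatch.get("name") if osmatch is not None else None, "ports": ports}
    return hosts

def unexpected_open_ports(hosts, allowed):
    """Open ports missing from the allow-list {addr: {port, ...}}: the defender's diff."""
    return [(addr, p["port"], p["service"]) for addr, h in hosts.items()
            for p in h["ports"]
            if p["state"] == "open" and p["port"] not in allowed.get(addr, set())]
```

Run it on real output with `nmap ... -oX scan.xml` and pass the file contents to parse_nmap_xml; any tuple returned by unexpected_open_ports is a listening service nobody approved.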