## Nmap
The standard network scanner — discover hosts, find open ports, fingerprint services and OS. Most scans need root for raw packets.
// scan types

| Flag | Meaning |
|------|---------|
| -sS | SYN "half-open" scan — fast, stealthy (default, needs root) |
| -sT | Full TCP connect — no root needed |
| -sU | UDP scan — slow, finds DNS/SNMP/DHCP |
| -sn | Ping sweep — host discovery, no port scan |
| -sV | Service / version detection |
| -O | OS fingerprinting |
| -A | Aggressive: -sV -O + scripts + traceroute |
// common flags

| Flag | Meaning |
|------|---------|
| -p 22,80,443 | Specific ports (-p- = all 65535) |
| -F | Fast — top 100 ports |
| -Pn | Skip host discovery (assume up) |
| -T0…T5 | Timing — paranoid → insane |
| -oN / -oX / -oG | Output: normal / XML / greppable (-oA = all three) |
| --script <nse> | Run NSE scripts (e.g. vuln, default) |
| -v / -vv | Verbosity |
// port states

| State | Meaning |
|-------|---------|
| open | A service is accepting connections |
| closed | Reachable but nothing listening |
| filtered | A firewall is dropping probes |
| unfiltered | Reachable but state unknown (ACK scan) |
| open\|filtered | No response — cannot tell (common for UDP) |
recipes · copy & run

```bash
# quick host discovery on a subnet
nmap -sn 192.168.1.0/24

# top ports + service/version + OS, save all formats (scan.nmap / scan.xml / scan.gnmap)
nmap -sS -sV -O -T4 -oA scan 10.0.0.5

# full TCP port range, no ping
nmap -p- -Pn 10.0.0.5

# UDP scan of common services
nmap -sU -p 53,123,161 10.0.0.5

# NSE: default scripts + vuln category (not every vuln script is in the "safe" category)
nmap -sV --script "default,vuln" 10.0.0.5
```
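The -oX / -oA output above is what you feed into tooling afterwards. As an added example (not part of this cheat sheet or of the Nmap project), the script below parses Nmap's XML format with the standard library, distinguishes a real `open` state from `open|filtered`, and reports open ports that are not on a per-host allowlist, which is the usual way to turn a scan into an exposure check. The embedded XML is a constructed sample in the real -oX schema; `parse_nmap_xml`, `open_ports` and `unexpected_open` are names chosen here.

```python
# Added example: parse Nmap -oX output and flag open ports not on an allowlist.
# Not part of the cheat sheet or of Nmap; SAMPLE_XML is a constructed sample.
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 10.0.0.5" start="0">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {addr: [(proto, port, state, service_name), ...]} for hosts that are up."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr")
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            entries.append((port.get("protocol"), int(port.get("portid")), state, name))
        results[addr] = entries
    return results


def open_ports(results, addr):
    """Ports whose state is exactly 'open'; 'open|filtered' (UDP, no reply) is not counted."""
    return sorted((proto, p) for proto, p, st, _ in results[addr] if st == "open")


def unexpected_open(results, allowlist):
    """Open ports not covered by allowlist {addr: {(proto, port), ...}}, as (addr, proto, port, service)."""
    findings = []
    for addr, entries in results.items():
        allowed = allowlist.get(addr, set())
        for proto, p, st, name in entries:
            if st == "open" and (proto, p) not in allowed:
                findings.append((addr, proto, p, name))
    return findings


if __name__ == "__main__":
    # Usage: python check_exposure.py scan.xml   (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    res = parse_nmap_xml(text)
    allow = {"10.0.0.5": {("tcp", 22), ("tcp", 80), ("tcp", 443)}}  # constructed baseline
    for addr, proto, p, name in unexpected_open(res, allow):
        print(f"UNEXPECTED {addr} {proto}/{p} {name}")
```

Run it against the `scan.xml` that `-oA scan` writes; an empty result means every open port was expected, and any line printed is a host whose exposure differs from the baseline. Note that `open|filtered` entries are deliberately excluded, since for UDP that state only means the probe got no answer.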
Only scan hosts you own or are authorized to test — port scanning third parties can be illegal.