Nmap has been proven to be a very useful command Below are some nice nmap commands i sometimes use. nmap –sT 192.168.0.1 TCP SYN Scan : This type of scanning is also called as half open scanning, as a full TCP connection is not made to the target port on target machine. In this type of Scan first a SYN packet is send to the port which indicates the port as if a real connection is going to be established and if the port is open and listening it sends back a SYN|ACK which is the indication that the port is open and if we get the RST back with means that the port is not listening and it is closed and if we get SYN|ACK back we immediately send a RST packet back which closes down the connection. This type of scanning has an advantage that only a few systems monitor and log this type pof scan attempts. And a Demerit of this scanning technique is that you need to be root to form SYN packets. nmap –sS 192.168.0.1 TCP FIN Xmus and Null scans : Sometimes when it is not just enough to use SYN scans as it can be detected by packet filters when SYN packets are send to unlikely ports. And that’s why FIN and Xmus and Null all these scans are able to by pass these type of filtering, in the technique when FIN packet is send to a open port the open port ignores the packet and a closed port immidiately send back a RST packet which tells nmap which port is open and which is close, But this type of scanning has its own merits and demerits as it is not effective against Microsoft Platform, and infact when ever a FIN packet is send to any port it replys with RST, but this can be used to discover that this system is Microsoft Based. On the other hand it works fine with *nix Boxes. An example of this is : #nmap –sF 192.168.0.1 <= This is FIN Scan #nmap –sX 192.168.0.1 <= This is Xmus Scan #nmap –sN 192.168.0.1 <= This is Null Scan. nmap -v -sn 192.168.1.0/24 Scan entire network nmap -A -T4 192.168.1.10 Spit out extensive info on specific host nmap -sS -O 192.168.1.0/24 Stealth SYN scan against each machine that is up out of the 256 IPs on the class C sized network nmap -sV -p 22,53,110,143,4564 192.168.1.0/24 Scans network and shows state of ports nmap -Pn -p80 -oX port80scan.xml -oG port80scan.gnmap 192.168.1.20/24 This scans network for any web servers (without pinging them) and saves the output in grepable and XML formats.