Goal: After finding live hosts, we need to identify open ports, running services, versions, and the OS.
Nmap categorizes ports into 6 states based on the response (or lack thereof).
| State | Description |
|---|---|
| Open | Connection established (TCP connection, UDP datagram, etc.). |
| Closed | Target replied with a TCP RST. The port is reachable, but no service is listening on it. |
| Filtered | No response (probe dropped) or an ICMP error received. A firewall or filter is likely blocking the probe. |
| Unfiltered | Port is accessible, but Nmap can't determine if open/closed (specific to ACK scans). |
| Open\|Filtered | Nmap cannot determine if open or filtered. |
| Closed\|Filtered | Nmap cannot determine if closed or filtered. |

| Flag | Function | Description |
|---|---|---|
| -sS | TCP SYN Scan | Default, stealthy, half-open scan. Requires root. |
| -sT | TCP Connect Scan | Full 3-way handshake. Accurate but noisy. Default if not root. |
| -sU | UDP Scan | Scans UDP ports. Slow and often returns open\|filtered. |
| -sV | Version Scan | Interacts with open ports to detect service versions. |
| -p <ports> | Port Selection | Selects ports (e.g., -p 22, -p 1-100, -p- for all). |
| -F | Fast Scan | Scans only the top 100 most common ports. |
| --top-ports X | Top Ports | Scans the top X most frequent ports (e.g., --top-ports=10). |
| --packet-trace | Trace Packets | Shows sent/received packets (great for debugging firewalls). |
| --reason | Show Reason | Explains why Nmap marked a port as open/closed/filtered. |
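To tie the state table to the scan types above, here is an added example (my own illustrative code, not part of the original notes and not Nmap's implementation) that models how a single probe's response is turned into a port state for SYN/Connect, ACK (-sA, which the Unfiltered row refers to) and UDP scans. The reason strings are modelled on what --reason prints; the (port, scan, reason) sample rows are constructed for the example.

```python
from typing import Dict, Optional, Tuple

# Reason labels modelled on Nmap's --reason output (assumption: naming only,
# the classification rules follow the state table in the notes above).
SYN_ACK, RESET, NO_RESPONSE = "syn-ack", "reset", "no-response"
UDP_RESPONSE, PORT_UNREACH, ADMIN_PROHIBITED = "udp-response", "port-unreach", "admin-prohibited"

def classify(scan: str, reason: str) -> str:
    """Map (scan type, probe reason) to one of Nmap's port states.

    -sS / -sT: SYN/ACK means open, RST means closed, anything else is filtered.
    -sA:       a RST only proves the port is reachable, so it is 'unfiltered';
               silence or an ICMP error is 'filtered'. Open vs closed is never known.
    -sU:       a UDP reply is open, ICMP port-unreachable is closed, other ICMP
               unreachable errors are filtered, and silence is 'open|filtered'
               because open UDP services frequently do not answer an empty probe.
    'closed|filtered' is not modelled: it only arises from the idle (-sI) scan.
    """
    if scan in ("-sS", "-sT"):
        if reason == SYN_ACK:
            return "open"
        if reason == RESET:
            return "closed"
        return "filtered"            # dropped probe or ICMP unreachable error
    if scan == "-sA":
        return "unfiltered" if reason == RESET else "filtered"
    if scan == "-sU":
        if reason == UDP_RESPONSE:
            return "open"
        if reason == PORT_UNREACH:
            return "closed"
        if reason == ADMIN_PROHIBITED:
            return "filtered"
        return "open|filtered"       # no answer: silent open service or dropped
    raise ValueError(f"unsupported scan type {scan!r}")

def summarize(rows: Tuple[Tuple[int, str, str], ...]) -> Dict[int, Tuple[str, str]]:
    """Return {port: (state, reason)}, the two columns --reason adds to a report."""
    return {port: (classify(scan, reason), reason) for port, scan, reason in rows}

# Constructed sample: what a scanner might record for a few ports on one host.
SAMPLE = ((22, "-sS", SYN_ACK), (23, "-sS", RESET), (80, "-sS", NO_RESPONSE),
          (443, "-sA", RESET), (53, "-sU", UDP_RESPONSE), (161, "-sU", NO_RESPONSE))

if __name__ == "__main__":
    for port, (state, reason) in sorted(summarize(SAMPLE).items()):
        print(f"{port:>5}  {state:<14} {reason}")
```

Reading the output next to the tables shows why a silent UDP port stays ambiguous while a silent TCP SYN probe is marked filtered, and why --reason is worth keeping on when interpreting a result.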