Published on January 17, 2025
The most popular scan, the SYN (half-open) scan, sends a SYN packet to each port but never completes the three-way handshake. Because no connection is established, the application listening on the port never sees it, which is why this scan is less likely to be logged than a full connect.
sudo nmap -sS <target-IP>
The connect scan performs a full TCP handshake, so the target application sees a real connection and is more likely to log it. It is used when raw sockets aren't available (for example, when Nmap is not run as root) or when scanning through proxies.
nmap -sT <target-IP>
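The defender's view of the SYN-versus-connect distinction above, as an added example that is not code from the original post: it reconstructs client-initiated TCP flows from a constructed packet summary (the (src, dst, sport, dport, flags) layout is an assumption, not any sensor's export format), labels each flow as a completed handshake, a half-open probe (SYN/ACK answered with RST) or a closed port, and then flags sources that touch many ports. The three-port threshold is sized for the sample.

```python
"""Detect half-open (SYN) probes from a packet summary.

Added example, not code from the original post. The records below are
constructed; their (src, dst, sport, dport, flags) layout is an assumption
and is not the export format of any particular sensor.
"""
from collections import defaultdict

# Constructed traffic: 10.0.0.5 SYN-scans four ports on 10.0.0.10 (22 and 80
# open, 443 and 8080 closed); 10.0.0.7 is an ordinary client talking to port 80.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.10", 40001, 22, "S"),     # SYN
    ("10.0.0.10", "10.0.0.5", 22, 40001, "SA"),    # SYN/ACK: port open
    ("10.0.0.5", "10.0.0.10", 40001, 22, "R"),     # scanner tears down, never ACKs
    ("10.0.0.5", "10.0.0.10", 40002, 80, "S"),
    ("10.0.0.10", "10.0.0.5", 80, 40002, "SA"),
    ("10.0.0.5", "10.0.0.10", 40002, 80, "R"),
    ("10.0.0.5", "10.0.0.10", 40003, 443, "S"),
    ("10.0.0.10", "10.0.0.5", 443, 40003, "RA"),   # RST/ACK: port closed
    ("10.0.0.5", "10.0.0.10", 40004, 8080, "S"),
    ("10.0.0.10", "10.0.0.5", 8080, 40004, "RA"),
    ("10.0.0.7", "10.0.0.10", 50001, 80, "S"),     # full handshake follows
    ("10.0.0.10", "10.0.0.7", 80, 50001, "SA"),
    ("10.0.0.7", "10.0.0.10", 50001, 80, "A"),
    ("10.0.0.7", "10.0.0.10", 50001, 80, "PA"),
]


def classify_flows(packets):
    """Group packets into client-initiated flows and label each one.

    Returns {(client, server, client_port, server_port): label} with label
    'full' (handshake completed), 'half_open' (SYN/ACK received but the client
    answered with RST instead of ACK), 'closed' (server sent RST) or 'no_reply'.
    Packets are expected in capture order, so the initial SYN is seen first.
    """
    flows = defaultdict(list)
    for src, dst, sport, dport, flags in packets:
        if "S" in flags and "A" not in flags:
            flows[(src, dst, sport, dport)].append(("client", flags))
        elif (dst, src, dport, sport) in flows:
            flows[(dst, src, dport, sport)].append(("server", flags))
        elif (src, dst, sport, dport) in flows:
            flows[(src, dst, sport, dport)].append(("client", flags))
    labels = {}
    for key, events in flows.items():
        server_synack = any(s == "server" and "S" in f and "A" in f for s, f in events)
        server_rst = any(s == "server" and "R" in f for s, f in events)
        client_ack = any(s == "client" and "A" in f and "S" not in f for s, f in events)
        if server_synack and client_ack:
            labels[key] = "full"
        elif server_synack:
            labels[key] = "half_open"
        elif server_rst:
            labels[key] = "closed"
        else:
            labels[key] = "no_reply"
    return labels


def summarize_sources(labels, min_ports=3):
    """Per client address: distinct (server, port) pairs touched and a count per
    label. A source is 'suspicious' once it touches min_ports or more ports; it
    is additionally a 'syn_scan' if none of those flows completed a handshake.
    min_ports=3 is an assumption sized for the sample, not a recommended value.
    """
    per_src = defaultdict(lambda: {"targets": set(), "full": 0, "half_open": 0,
                                   "closed": 0, "no_reply": 0})
    for (src, dst, _sport, dport), label in labels.items():
        per_src[src]["targets"].add((dst, dport))
        per_src[src][label] += 1
    report = {}
    for src, e in per_src.items():
        probed = len(e["targets"])
        report[src] = {
            "probed": probed, "full": e["full"], "half_open": e["half_open"],
            "closed": e["closed"], "no_reply": e["no_reply"],
            "suspicious": probed >= min_ports,
            "syn_scan": probed >= min_ports and e["full"] == 0,
        }
    return report


if __name__ == "__main__":
    for src, row in summarize_sources(classify_flows(SAMPLE_PACKETS)).items():
        print(src, row)
```

A connect scan (-sT) completes every handshake and therefore never produces half_open flows; the port-spread count still catches it, which is why the report keeps "suspicious" and "syn_scan" as separate fields.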
UDP scans send empty UDP datagrams to each port and infer state from the reply (or the lack of one). For well-known services such as SNMP (161), Nmap sends a protocol-specific payload instead, which makes a response from an open port more likely.
sudo nmap -sU <target-IP>
sudo nmap -sU -sS <target-IP> (combined with a SYN scan of the TCP ports)
Find live hosts in a range with the -sn option. It uses ICMP, TCP SYN (port 443), and TCP ACK (port 80) packets for host discovery.
nmap -sn <target-range>
nmap -sn <target-range> -oG ping-sweep.txt
grep Up ping-sweep.txt | cut -d " " -f 2
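A parser for the greppable (-oG) output produced by the ping sweep above, added as an example and not code from the original post. The sample file contents are constructed (a real file's header line differs). It keys on the Status field instead of matching the substring "Up", and includes the grep/cut pipeline's logic for comparison so the difference on a hostname such as backUp.lan is visible.

```python
"""Parse the greppable (-oG) output of an Nmap ping sweep.

Added example, not code from the original post. The text below is a
constructed stand-in for ping-sweep.txt; a real file has a different header.
"""
import re

SAMPLE_GREPPABLE = """\
# Nmap scan initiated (constructed sample) as: nmap -sn -oG ping-sweep.txt 10.0.0.0/29
Host: 10.0.0.1 (gateway.lan)\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.4 (backUp.lan)\tStatus: Down
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///
# Nmap done (constructed sample): 8 IP addresses (3 hosts up) scanned
"""

# Host lines look like: "Host: <ip> (<hostname>)<TAB><Field>: <value>[<TAB>...]"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_greppable(text):
    """Return (ip, hostname, status) for every Host line that carries a Status
    field. Ports: and OS: lines share the same "Host:" prefix, so the parser
    splits the tab-separated fields and looks at the field name."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, hostname, fields = m.groups()
        for field in fields.split("\t"):
            name, _, value = field.partition(": ")
            if name == "Status":
                hosts.append((ip, hostname, value.strip()))
    return hosts


def live_hosts(text):
    """IP addresses whose Status field is exactly 'Up'."""
    return [ip for ip, _hostname, status in parse_greppable(text) if status == "Up"]


def grep_cut_equivalent(text):
    """What `grep Up ping-sweep.txt | cut -d " " -f 2` yields: any line that
    contains the substring 'Up' anywhere, including inside a hostname."""
    return [line.split(" ")[1] for line in text.splitlines() if "Up" in line]


if __name__ == "__main__":
    print("status-field parse:", live_hosts(SAMPLE_GREPPABLE))
    print("grep/cut equivalent:", grep_cut_equivalent(SAMPLE_GREPPABLE))
```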
Identify the target’s operating system by analyzing TCP/IP stack variations.
sudo nmap -O <target-IP> --osscan-guess
Automate scanning tasks, such as vulnerability detection, with NSE scripts.
nmap --script http-headers <target-IP>
nmap --script-help <script-name>
Scan the most frequently open ports using the --top-ports option.
nmap --top-ports=20 <target-range>
When working in Windows environments, PowerShell can substitute for Nmap when third-party tools aren’t available.
Check if a specific port is open:
Test-NetConnection -Port 445 <target-IP>
Scan multiple ports with a PowerShell one-liner:
1..1024 | % {(New-Object Net.Sockets.TcpClient).Connect("<target-IP>", $_); "TCP port $_ is open"} 2>$null
With tools like Nmap and PowerShell, penetration testers can efficiently discover and map network vulnerabilities while minimizing their footprint. Whether you’re conducting a simple port scan or a full network sweep, these techniques will enhance your reconnaissance capabilities.