This is written for total newbies (like myself) and talks about
the hacker's favourite target discovery tool, "Nmap", coded by Fyodor.
Now, if you're like me, I like my programs to be quick, reliable and accurate,
and Nmap is just that. Also, if you're a programmer (like myself again) then
you'll get a kick out of viewing snippets of source code from these types of
programs (open source), and Nmap again is just that.
So what are you waiting for? DOWNLOAD IT NOW!!!
Get it from http://www.insecure.org
Let's take it the casual way…
I'm not going to bother explaining what Nmap is and what it does because
you should know that, otherwise you wouldn't have clicked on the link to
view these notes.
But I am a kind person, so as a quick description for those who can't think:
Nmap is a "port scanner" which has features such as "OS detection",
"banner grabbing" and a variety of different scans + LOADS MORE!!!!
I plan to keep this post short and simple because there are 100's of files
written on Nmap and they go into way more detail than I do, so
if you want to know everything about Nmap, Google about!
Download and install Nmap! (You can either download NmapWin or CL nmap.)
(By the way, I'm using *nix (Slackware, dual booted with XP) but
I believe the commands are exactly the same.)
HINT: IF YOU'RE USING WINDOWS I RECOMMEND YOU DOWNLOAD
THE CL VERSION (COMMAND LINE). YOU NEED TO RUN IT FROM
A DOS WINDOW.
I am going to presume you know how to
set up Nmap and you have installed the WinPcap drivers.
Ok, first things first. Let's say you just want to do a basic
scan on YOUR webserver, so let's just say you owned
www.michelle-trachtenberg.com
You would type the following command…
nmap -sT -v www.web-aneh.com
-v = Verbose. Its use is ALWAYS recommended.
If you ran the above command you would have performed a TCP scan.
Now let's do a bit of theory on what a TCP scan is. Ahhhh, stop
whining!!! If you're going to use other people's tools you should at least
learn how they work properly, otherwise I'll be forced to call you a
Script Kiddie!!!!
TCP Scanning – This is the most basic form of scanning. With this
method you attempt to open a full TCP connection to determine
if that port is active, that is, "listening". A TCP scan is usually
quite loud and gets noticed easily, so if you really are scanning a
site like www.microsoft.com you will probably get noticed and leave
entries in the logs (in theory).
You see, that wasn't so bad, was it?
Now let's look at a more advanced scanning technique:
"Stealth Scanning"
The command is this…
nmap -sS -v www.web-aneh.com
If you ran this command you would perform a Half-Open scan, also known
as a Stealth scan. Again, let's look at the logic behind the scan…
Stealth – This scanning technique is called a Half-Open scan because
you don't open a full TCP connection. You send a SYN packet, as if you
were going to open a full connection, and wait for a response. A SYN/ACK
indicates the port is listening. An RST response, on the other hand, indicates a
non-listener. If a SYN/ACK is received, you immediately send an RST to tear down
the connection. The primary advantage of this scanning technique is that fewer
sites will log it.
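As an added example (not from the original post, and not Nmap's own code), here is a small Python script that shows the two scans above from the logging side: it replays a constructed packet trace and labels each exchange as a completed connection (what the TCP scan leaves in a service's own logs), a half-open probe (what the stealth scan leaves, visible only to packet-level logging), closed, or unanswered. The addresses and packet records are made up for the demo.

```python
from collections import defaultdict

# Constructed packet records (not a real capture): (src, dst, server_port, flags).
# flags: S = SYN, SA = SYN/ACK, A = ACK, R = RST.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 80, "S"),    # -sT style: full handshake
    ("192.0.2.10", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "192.0.2.10", 80, "A"),
    ("10.0.0.7", "192.0.2.10", 22, "S"),    # -sS style: SYN, SYN/ACK, then RST
    ("192.0.2.10", "10.0.0.7", 22, "SA"),
    ("10.0.0.7", "192.0.2.10", 22, "R"),
    ("10.0.0.7", "192.0.2.10", 25, "S"),    # closed port: server answers RST
    ("192.0.2.10", "10.0.0.7", 25, "R"),
    ("10.0.0.7", "192.0.2.10", 443, "S"),
    ("192.0.2.10", "10.0.0.7", 443, "SA"),
    ("10.0.0.7", "192.0.2.10", 443, "R"),
    ("10.0.0.7", "192.0.2.10", 8080, "S"),  # no reply at all: filtered
]

def classify_handshakes(packets):
    """Return {(client, server, port): label} for every SYN-initiated exchange.

    'open-connected'  = full handshake, so the listening service sees it
    'open-half-open'  = SYN/ACK answered with RST; only packet logging sees it
    'closed'          = server replied RST
    'no-response'     = nothing came back"""
    flows = defaultdict(list)
    for src, dst, port, flags in packets:
        if flags == "S":
            key = (src, dst, port)            # the SYN defines client/server
        elif (src, dst, port) in flows:
            key = (src, dst, port)            # later packet from the client
        elif (dst, src, port) in flows:
            key = (dst, src, port)            # reply from the server
        else:
            continue                          # reply with no SYN seen; ignore
        flows[key].append((src, flags))
    labels = {}
    for (client, server, port), events in flows.items():
        server_reply = next((f for s, f in events if s == server), None)
        client_after = [f for s, f in events[1:] if s == client]
        if server_reply == "R":
            labels[(client, server, port)] = "closed"
        elif server_reply == "SA":
            labels[(client, server, port)] = (
                "open-connected" if "A" in client_after else "open-half-open")
        else:
            labels[(client, server, port)] = "no-response"
    return labels

def half_open_sources(packets, min_ports=3):
    """Clients that probed at least min_ports ports without ever completing
    a handshake: the footprint a half-open scan leaves in packet logs."""
    probes = defaultdict(set)
    for (client, _server, port), label in classify_handshakes(packets).items():
        if label != "open-connected":
            probes[client].add(port)
    return sorted(c for c, ports in probes.items() if len(ports) >= min_ports)
```

Run against the constructed trace, only 10.0.0.7 is reported, even though 10.0.0.5 also found an open port: the service on port 80 would have logged 10.0.0.5 itself, while the half-open probes never reach a service.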
Did you get any of that? Well, you probably don't know much about RST and SYN
packets because you have never programmed a port scanner, but I'm sure you will
eventually learn and understand how things REALLY work. Anyway, to wrap this
paper up, I'll just list some of the options of Nmap.
NOTE: Your Nmap may look different because it's always being developed
and new features are always being added. (Rumour has it Fyodor has coded in
a bomb scan.)
Nmap Usage – nmap [Scan Type(s)] [Options]
The most common scan types are… (Google them if you don't understand them)
-sT – TCP scan – Default
-sS – TCP SYN stealth port scan – Best all round
-sU – UDP scan – Scans for UDP ports
-sP – Ping scan – Find any reachable machines
-sF, -sX, -sN – Stealth FIN, Xmas or Null scan – Experts only!
Some options…
-O – OS detection!!!!!!! A MUST USE!!!!
nmap -sS -v -O YOUR SERVER
-p <range> – Ports to scan
-F – Only scans ports listed in nmap-services
-v – Verbose
-P0 – Don't ping target
-D decoy_host1,decoy2[,...] – Hide scan using decoys
-T<Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> – Timing policy
-n/-R – Never do DNS resolution/Always resolve
-oN/-oM <logfile> – Output results to logfile
So, that's all…
Anyway, thanks Fyodor and the book "Nmap". Ok, next time I'll write about something which
is actually more fun!
