Information Gathering tools on NullByte Notes https://jhagan-cyber-blog.pages.dev/tools/information-gathering--reconnaissance/ Recent content in Information Gathering tools on NullByte Notes Hugo en-us Fri, 05 Jun 2026 00:00:00 +0000 NMAP - Complete Network Mapping Guide https://jhagan-cyber-blog.pages.dev/tools/information-gathering--reconnaissance/nmap/ Fri, 05 Jun 2026 00:00:00 +0000 https://jhagan-cyber-blog.pages.dev/tools/information-gathering--reconnaissance/nmap/ <blockquote> <p><strong>Network Mapper: Discover hosts, ports, services, and vulnerabilities on your network</strong></p></blockquote> <hr> <h2 id="table-of-contents">Table of Contents</h2> <ol> <li><a href="#what-is-nmap">What is Nmap?</a></li> <li><a href="#installation">Installation</a></li> <li><a href="#basic-scans">Basic Scans</a></li> <li><a href="#scan-types">Scan Types</a></li> <li><a href="#advanced-options">Advanced Options</a></li> <li><a href="#real-world-examples">Real-World Examples</a></li> <li><a href="#interview-questions">Interview Questions</a></li> </ol> <hr> <h2 id="what-is-nmap">What is Nmap?</h2> <p>Nmap (Network Mapper) is a free, open-source tool for <strong>network discovery and security auditing</strong>. It answers questions like:</p> <ul> <li>What hosts are running on the network?</li> <li>What ports are open?</li> <li>What services are running?</li> <li>What OS is the target running?</li> <li>Are there vulnerabilities?</li> </ul> <hr> <h2 id="installation">Installation</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Ubuntu/Debian</span> </span></span><span style="display:flex;"><span>sudo apt-get update </span></span><span style="display:flex;"><span>sudo apt-get install nmap </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Kali Linux</span> </span></span><span style="display:flex;"><span>sudo apt-get install nmap </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># macOS</span> </span></span><span style="display:flex;"><span>brew install nmap </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Verify installation</span> </span></span><span style="display:flex;"><span>nmap --version </span></span></code></pre></div><hr> <h2 id="basic-scans">Basic Scans</h2> <h3 id="basic-syntax">Basic Syntax</h3> <pre tabindex="0"><code>nmap [Scan Type] [Options] [Target] </code></pre><h3 id="simple-ping-scan-host-discovery">Simple Ping Scan (Host Discovery)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Ping a single host</span> </span></span><span style="display:flex;"><span>nmap -sn 192.168.1.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Ping a range</span> </span></span><span style="display:flex;"><span>nmap -sn 192.168.1.0/24 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># What it does: Sends ICMP packets to see if hosts are alive</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output: Lists all responsive hosts (no port scanning)</span> </span></span></code></pre></div><h3 id="basic-port-scan">Basic Port Scan</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Scan default 1000 ports</span> </span></span><span style="display:flex;"><span>nmap 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan all 65535 ports (takes time)</span> </span></span><span style="display:flex;"><span>nmap -p- 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan specific ports</span> </span></span><span style="display:flex;"><span>nmap -p 80,443,22 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan port range</span> </span></span><span style="display:flex;"><span>nmap -p 1-1000 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scan top ports</span> </span></span><span style="display:flex;"><span>nmap --top-ports <span style="color:#ae81ff">100</span> 192.168.1.100 </span></span></code></pre></div><h3 id="service-detection">Service Detection</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Detect service versions</span> </span></span><span style="display:flex;"><span>nmap -sV 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Example output:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 80/tcp open http Apache httpd 2.4.41</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 443/tcp open https Apache httpd 2.4.41</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 22/tcp open ssh OpenSSH 7.6p1</span> </span></span></code></pre></div><h3 id="os-detection">OS Detection</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Aggressive OS detection</span> </span></span><span style="display:flex;"><span>nmap -O 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Running: Linux 4.x</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Aggressive OS guesses: Linux 4.15-4.19 (95%)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Note: Requires root/sudo privileges</span> </span></span></code></pre></div><hr> <h2 id="scan-types-very-important-for-interviews">Scan Types (Very Important for Interviews)</h2> <h3 id="tcp-scans">TCP Scans</h3> <h4 id="tcp-connect-scan--st">TCP Connect Scan (-sT)</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nmap -sT 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># What: Completes full TCP 3-way handshake</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Speed: Slow (establishes full connection)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Logging: Visible in server logs</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Permission: Works without root</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use: Stealth not required</span> </span></span></code></pre></div><h4 id="tcp-syn-scan--ss---stealth-scan">TCP SYN Scan (-sS) - STEALTH SCAN</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nmap -sS 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># What: Sends SYN packet, doesn&#39;t complete handshake</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Speed: Fast</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Logging: Less visible (not full connection)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Permission: Requires root</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use: Default scan, best balance</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Packet flow:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 1. Send SYN to port</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. If SYN-ACK received → port OPEN</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. If RST received → port CLOSED</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 4. If no response → port FILTERED</span> </span></span></code></pre></div><h4 id="tcp-ack-scan--sa">TCP ACK Scan (-sA)</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>nmap -sA 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># What: Doesn&#39;t determine if port is open</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Purpose: Map firewall rules (which ports are filtered)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output: filtered vs unfiltered</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use: Firewall reconnaissance</span> </span></span></code></pre></div><h4 id="tcp-null-fin-xmas-scans--sn--sf--sx">TCP NULL, FIN, Xmas Scans (-sN, -sF, -sX)</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># NULL Scan - sends packets with no flags</span> </span></span><span style="display:flex;"><span>nmap -sN 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># FIN Scan - sends packets with FIN flag</span> </span></span><span style="display:flex;"><span>nmap -sF 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Xmas Scan - sends packets with FIN, PSH, URG flags</span> </span></span><span style="display:flex;"><span>nmap -sX 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># All three work on RFC: closed ports send RST</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Open/filtered ports don&#39;t respond</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use: Evade basic firewalls</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Caveat: Only works on systems following RFC strictly</span> </span></span></code></pre></div><h3 id="udp-scans">UDP Scans</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># UDP scan (slow, but finds DNS, SNMP, etc.)</span> </span></span><span style="display:flex;"><span>nmap -sU 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># What: Sends UDP packets, waits for ICMP unreachable</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Speed: Very slow (needs timeout)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use: Services like DNS (53), SNMP (161), DHCP (67)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Combine TCP and UDP</span> </span></span><span style="display:flex;"><span>nmap -sS -sU 192.168.1.100 </span></span></code></pre></div><h3 id="ping-scan-only">PING Scan Only</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># -sn: Ping scan only (no port scanning)</span> </span></span><span style="display:flex;"><span>nmap -sn 192.168.1.0/24 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Output: Just lists alive hosts</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use: Network discovery without port scan</span> </span></span></code></pre></div><hr> <h2 id="timing-and-performance">Timing and Performance</h2> <h3 id="timing-templates-from-paranoid-to-insane">Timing Templates (from paranoid to insane)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># -T0 (Paranoid): Very slow, stealthy</span> </span></span><span style="display:flex;"><span>nmap -T0 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -T1 (Sneaky): Slow, stealthy</span> </span></span><span style="display:flex;"><span>nmap -T1 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -T2 (Polite): Slower, doesn&#39;t impact target</span> </span></span><span style="display:flex;"><span>nmap -T2 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -T3 (Normal): Default, balanced</span> </span></span><span style="display:flex;"><span>nmap -T3 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -T4 (Aggressive): Fast, modern networks</span> </span></span><span style="display:flex;"><span>nmap -T4 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -T5 (Insane): Very fast, may miss services</span> </span></span><span style="display:flex;"><span>nmap -T5 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Real-world tip:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use T4 for internal networks (fast)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use T1 for external targets (stealth)</span> </span></span></code></pre></div><hr> <h2 id="advanced-options">Advanced Options</h2> <h3 id="verbosity--debugging">Verbosity &amp; Debugging</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Increase verbosity (show more details)</span> </span></span><span style="display:flex;"><span>nmap -v 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Very verbose</span> </span></span><span style="display:flex;"><span>nmap -vv 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Debug mode</span> </span></span><span style="display:flex;"><span>nmap -d 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Very debug</span> </span></span><span style="display:flex;"><span>nmap -dd 192.168.1.100 </span></span></code></pre></div><h3 id="output-formats">Output Formats</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Normal output (default)</span> </span></span><span style="display:flex;"><span>nmap 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Save to file</span> </span></span><span style="display:flex;"><span>nmap 192.168.1.100 -oN output.txt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># XML format (for parsing)</span> </span></span><span style="display:flex;"><span>nmap 192.168.1.100 -oX output.xml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Greppable format (easy to grep)</span> </span></span><span style="display:flex;"><span>nmap 192.168.1.100 -oG output.grep </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># All formats at once</span> </span></span><span style="display:flex;"><span>nmap 192.168.1.100 -oA output </span></span><span style="display:flex;"><span><span style="color:#75715e"># Creates: output.nmap, output.xml, output.gnmap</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Append to file (don&#39;t overwrite)</span> </span></span><span style="display:flex;"><span>nmap 192.168.1.100 -oN output.txt --append-output </span></span></code></pre></div><h3 id="script-scanning-vulnerability-detection">Script Scanning (Vulnerability Detection)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Default scripts (safe)</span> </span></span><span style="display:flex;"><span>nmap -sC 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Specific script</span> </span></span><span style="display:flex;"><span>nmap --script http-title 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Multiple scripts</span> </span></span><span style="display:flex;"><span>nmap --script http-title,http-headers 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># All scripts in category</span> </span></span><span style="display:flex;"><span>nmap --script vuln 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Scripts with output</span> </span></span><span style="display:flex;"><span>nmap --script http-title --script-args script-args.cmd </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># List available scripts</span> </span></span><span style="display:flex;"><span>ls /usr/share/nmap/scripts/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Update scripts</span> </span></span><span style="display:flex;"><span>nmap --script-updatedb </span></span></code></pre></div><h3 id="common-script-categories">Common Script Categories</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Vulnerability detection</span> </span></span><span style="display:flex;"><span>nmap --script vuln 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># HTTP enumeration</span> </span></span><span style="display:flex;"><span>nmap --script http-* 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SSL/TLS detection</span> </span></span><span style="display:flex;"><span>nmap --script ssl-* 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SMB enumeration (Windows)</span> </span></span><span style="display:flex;"><span>nmap --script smb-* 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># DNS enumeration</span> </span></span><span style="display:flex;"><span>nmap --script dns-* 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Default credentials</span> </span></span><span style="display:flex;"><span>nmap --script default 192.168.1.100 </span></span></code></pre></div><hr> <h2 id="real-world-examples">Real-World Examples</h2> <h3 id="example-1-complete-network-reconnaissance">Example 1: Complete Network Reconnaissance</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Comprehensive scan</span> </span></span><span style="display:flex;"><span>nmap -sS -sV -sC -O -p- --script vuln 192.168.1.100 -oA recon </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># What this does:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -sS: SYN scan (fast, stealthy)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -sV: Detect service versions</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -sC: Run default scripts</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -O: Detect OS</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -p-: All ports</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># --script vuln: Vulnerability detection</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -oA recon: Save all formats</span> </span></span></code></pre></div><h3 id="example-2-quick-internal-network-scan">Example 2: Quick Internal Network Scan</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Fast scan of network</span> </span></span><span style="display:flex;"><span>nmap -T4 -F 192.168.1.0/24 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># What this does:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -T4: Aggressive timing</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -F: Fast mode (only top 100 ports)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># /24: Entire subnet</span> </span></span></code></pre></div><h3 id="example-3-stealth-scan-slow">Example 3: Stealth Scan (Slow)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Very stealthy (slow)</span> </span></span><span style="display:flex;"><span>nmap -sS -T1 -p1-10000 --script vuln 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># What this does:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -sS: SYN scan</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -T1: Sneaky timing</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -p1-10000: First 10k ports</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># --script vuln: Vulnerability checks</span> </span></span></code></pre></div><h3 id="example-4-firewall-evasion">Example 4: Firewall Evasion</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Fragment packets</span> </span></span><span style="display:flex;"><span>nmap -f 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Decoy scan (hide real IP among fake ones)</span> </span></span><span style="display:flex;"><span>nmap -D 192.168.1.50,192.168.1.51,ME 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Idle scan (use zombie host)</span> </span></span><span style="display:flex;"><span>nmap -sI 192.168.1.50 192.168.1.100 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Randomize ports</span> </span></span><span style="display:flex;"><span>nmap -p- --randomize-hosts 192.168.1.100 </span></span></code></pre></div><hr> <h2 id="output-interpretation">Output Interpretation</h2> <pre tabindex="0"><code>PORT STATE SERVICE VERSION ──────────────────────────────────────── 22/tcp open ssh OpenSSH 7.6p1 80/tcp open http Apache httpd 2.4.41 443/tcp open https nginx 3306/tcp closed mysql 8080/tcp filtered http-proxy # Meanings: # open: Service is listening and accepting connections # closed: Port is accessible but no service (unlikely) # filtered: Firewall blocking - can&#39;t determine state # open|filtered: Likely open but unclear </code></pre><hr> <h2 id="interview-questions--answers">Interview Questions &amp; Answers</h2> <h3 id="q1-whats-the-difference-between--ss-and--st-scans">Q1: What&rsquo;s the difference between -sS and -sT scans?</h3> <p><strong>A:</strong></p>