
General notes

  • On a local network, host discovery uses an ARP ping scan.
  • To check which scan type is actually being used, run with double verbosity: -vv
  • If run as root or administrator, the scan type is raw TCP packets, SYN only.
  • Without root or administrator privileges it uses high-level system calls and a full connect (slower, and detectable by firewalls).
  • Default discovery options (when nmap is run with no options):
    • ICMP echo request (ping)
    • TCP SYN to port 443
    • TCP ACK to port 80
    • ICMP timestamp request (ICMP's main purpose is error reporting; its second is network diagnostics, e.g. ping and traceroute. The ICMP echo-request and echo-reply messages are what a ping uses.)

Scan types

  • SYN stealth scan (privileged) – raw TCP packets (SYN and SYN+ACK) – faster – harder to detect.
  • TCP connect scan (unprivileged) – high-level connect() system call – slower – always detected by firewalls.
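The two scan types above leave different traces on the wire: a SYN scan never completes a handshake (it answers a SYN/ACK with RST), while a connect() scan goes through the OS socket layer and completes SYN, SYN/ACK, ACK on every open port. The following Python script is an added example, not part of the original notes: it reads constructed connection events (not real traffic) and, per source, counts how many distinct ports were probed and how many of the answered probes were followed by an ACK, which is enough to tell the two scan types apart and to separate both from an ordinary client. The event format, the 3-port threshold and the 50% completion ratio are assumptions chosen for the example.

```python
"""Separate half-open (SYN) scans from connect() scans in TCP events.

Per source address we track: ports it sent a SYN to, ports that answered
with SYN/ACK, and ports it then ACKed. A SYN scan has answered ports but
no completed handshakes; a connect() scan completes every answered one.
"""
from collections import defaultdict

# Constructed sample events (not captured traffic): "src dst dport flags",
# flags from the sender's side: S = SYN, SA = SYN/ACK, A = ACK, R = RST.
# 10.0.0.5 behaves like a SYN scanner, 10.0.0.7 like a connect() scanner,
# 10.0.0.8 like a normal client opening one connection; 10.0.0.9 is the server.
SAMPLE_EVENTS = """\
10.0.0.5 10.0.0.9 22 S
10.0.0.9 10.0.0.5 22 SA
10.0.0.5 10.0.0.9 22 R
10.0.0.5 10.0.0.9 80 S
10.0.0.9 10.0.0.5 80 SA
10.0.0.5 10.0.0.9 80 R
10.0.0.5 10.0.0.9 443 S
10.0.0.9 10.0.0.5 443 SA
10.0.0.5 10.0.0.9 443 R
10.0.0.5 10.0.0.9 8080 S
10.0.0.9 10.0.0.5 8080 R
10.0.0.7 10.0.0.9 22 S
10.0.0.9 10.0.0.7 22 SA
10.0.0.7 10.0.0.9 22 A
10.0.0.7 10.0.0.9 22 R
10.0.0.7 10.0.0.9 80 S
10.0.0.9 10.0.0.7 80 SA
10.0.0.7 10.0.0.9 80 A
10.0.0.7 10.0.0.9 80 R
10.0.0.7 10.0.0.9 443 S
10.0.0.9 10.0.0.7 443 SA
10.0.0.7 10.0.0.9 443 A
10.0.0.7 10.0.0.9 443 R
10.0.0.8 10.0.0.9 443 S
10.0.0.9 10.0.0.8 443 SA
10.0.0.8 10.0.0.9 443 A
"""


def classify_sources(events_text: str, min_ports: int = 3) -> dict:
    """Return {src: {"ports": n, "completed": n, "label": str}} for every
    address that initiated at least one SYN."""
    state = defaultdict(lambda: {"syn": set(), "synack": set(), "ack": set()})
    for line in events_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, flags = line.split()
        dport = int(dport)
        if flags == "S":
            state[src]["syn"].add(dport)
        elif flags == "SA":
            # A SYN/ACK travels server -> client; credit it to the client (dst).
            state[dst]["synack"].add(dport)
        elif flags == "A":
            state[src]["ack"].add(dport)
        # RSTs carry no extra signal for this heuristic and are ignored.

    verdicts = {}
    for src, s in state.items():
        if not s["syn"]:
            continue  # never initiated a connection (e.g. the server itself)
        answered = s["syn"] & s["synack"]      # open ports that replied
        completed = answered & s["ack"]        # handshakes actually finished
        if len(s["syn"]) < min_ports:
            label = "normal"                   # too few ports to call it a scan
        elif answered and len(completed) / len(answered) >= 0.5:
            label = "connect-scan"             # full three-way handshakes
        else:
            label = "syn-scan"                 # half-open: probes, no completion
        verdicts[src] = {"ports": len(s["syn"]),
                         "completed": len(completed), "label": label}
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {v['ports']} ports probed, "
              f"{v['completed']} handshakes completed -> {v['label']}")
```

In practice the same counters can be fed from firewall or flow logs over a time window; the ratio is what matters, since a SYN scan against a host whose ports are all filtered also shows zero completions and would be labelled the same way.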

Port states

Open: accepts packets and accepts connections.

Closed: accessible, but no application is running and listening on it – shows that the host is active and may run an application on the port later.

Filtered: packet filtering (e.g. a firewall) prevents the probes from reaching the port, so nmap cannot tell whether it is open – provides little info about the host – probes are dropped or answered with "Destination unreachable".

Unfiltered: the port is accessible but nmap cannot find out whether it is open or closed – only classified by the ACK scan.

Open|Filtered: nmap cannot tell whether the port is open or filtered. Closed|Filtered: nmap cannot tell whether the port is closed or filtered – only reported by the IP ID idle scan.
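When reviewing the results of an authorised scan, the port states above usually arrive as nmap's grepable output (-oG). The following Python parser is an added example, not part of the original notes or of nmap itself: it assumes the grepable format as nmap documents it (one tab-separated line per host made of "Name: value" fields, the Ports field holding comma-separated entries of the form port/state/protocol/owner/service/rpcinfo/version/) and groups ports by state, including the combined states Open|Filtered and Closed|Filtered. The sample output embedded below is constructed, not a real scan.

```python
"""Parse nmap grepable output (-oG) and group ports by state."""

# Constructed sample of grepable output (not a real scan). Fields within a
# host line are tab-separated; a host normally gets a "Status" line first
# and a "Ports" line afterwards.
SAMPLE_GREPABLE = "\n".join([
    "# constructed sample of nmap grepable output",
    "Host: 10.0.0.9 ()\tStatus: Up",
    "Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http///, "
    "443/filtered/tcp//https///, 8080/closed/tcp//http-proxy///, "
    "53/open|filtered/udp//domain///\tIgnored State: closed (995)",
])


def parse_grepable(text: str) -> dict:
    """Return {host: {"ports": [port records], "ignored": str or None}}.

    Each port record is a dict with port, state, proto, service and version.
    The "Ignored State" field tells how many ports nmap did not list
    individually (here: 995 closed ports)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ("# ...") and blanks
        fields = {}
        for part in line.split("\t"):
            name, _, value = part.partition(": ")
            fields[name] = value
        host = fields["Host"].split()[0]           # "10.0.0.9 ()" -> address
        entry = hosts.setdefault(host, {"ports": [], "ignored": None})
        if "Ignored State" in fields:
            entry["ignored"] = fields["Ignored State"]
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            # Seven slash-separated fields; the entry ends with a trailing "/".
            port, state, proto, _owner, service, _rpc, version = item.split("/", 6)
            entry["ports"].append({
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service,
                "version": version.rstrip("/"),
            })
    return hosts


def ports_by_state(hosts: dict) -> dict:
    """Return {host: {state: [port, ...]}}, keeping nmap's listing order."""
    summary = {}
    for host, info in hosts.items():
        grouped = summary.setdefault(host, {})
        for rec in info["ports"]:
            grouped.setdefault(rec["state"], []).append(rec["port"])
    return summary


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    for host, states in ports_by_state(parsed).items():
        print(host, "ignored:", parsed[host]["ignored"])
        for state, ports in states.items():
            print(f"  {state:16} {ports}")
```

Grouping by state is what makes the output actionable for a defender: "open" ports are the ones to reconcile against the asset's expected services, "filtered" and "open|filtered" entries show where a firewall is silently dropping probes, and a large "Ignored State: closed" count confirms the host is reachable and responding.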

-v, -d

-v: increase verbosity level, i.e. show more output (use -vv or more for greater effect)

-d: increase debugging level (use -dd or more for greater effect)
