Sunday 14 June 2015

Network Scanning using nmap


1) Identify live hosts (ping scan). If the target(s) are on the same subnet, this command will send an ARP request to the LAN broadcast address and will determine whether the host is alive, based on the response that is received. If the target(s) are not on the same subnet, then ICMP echo requests will be used to determine if the hosts are alive.
root@kali:~# nmap -sn  192.168.122.1-255
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:53 IST
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.00031s latency).
MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)
Nmap scan report for 192.168.122.73
Host is up (0.00066s latency).
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap scan report for 192.168.122.115
Host is up.
Nmap done: 255 IP addresses (3 hosts up) scanned in 2.53 seconds



2) UDP Port Scan. Nmap sends a UDP datagram to each port (empty, or with a protocol-specific payload for well-known services). A UDP reply marks the port open and an ICMP port unreachable marks it closed; no response at all is reported as open|filtered, because a silent open service and a firewall dropping the probe look identical to the scanner.
root@kali:~# nmap -sU 192.168.122.73

PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
111/udp  open          rpcbind
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
2049/udp open          nfs
MAC Address: 00:0C:29:FA:DD:2A (VMware)


3) TCP Connect Scan. Establishes a full TCP connection through the operating system's connect() call, so the three-way handshake completes. If a connection is established, the port is determined to be open. Because the connection completes, the service on the other end sees a real client and can log it.
root@kali:~# nmap -sT 192.168.122.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:33 IST
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.79s latency).
Not shown: 981 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http


4) TCP Stealth Scan (SYN Scan). A single SYN packet is sent to the destination port and the handshake is never completed. If SYN+ACK is received, the port is assumed to be open and the scanner tears the half-open connection down with a RST; if a RST comes back, the port is closed (88/tcp below); no response at all is reported as filtered. Logging solutions which only record established connections will not record any evidence of the scan.
root@kali:~# nmap -sS 192.168.122.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:35 IST
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.00038s latency).
Not shown: 981 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
88/tcp   closed kerberos-sec
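The last sentence of the section above is the defender's cue: log connection attempts, not only established sessions. The following Python script is an added example, not part of the original post. It reads a constructed, abbreviated Zeek-style conn.log excerpt (the column layout, the sample addresses and the choice of which conn_state values count as "handshake never completed" are assumptions made here) and flags any source that reaches many distinct ports without completing the handshake inside a short window. Restricting the same log to established (SF) connections finds nothing, which is exactly the blind spot the author describes.

```python
"""Spot SYN-scan style fan-out in connection-state logs (added example)."""
from collections import defaultdict, deque

# conn_state values meaning the TCP handshake never completed normally,
# in Zeek conn.log vocabulary. Which states to count is site-specific;
# including RSTO (originator aborted) is an assumption made here so that a
# SYN / SYN-ACK / RST probe of an open port is counted as well.
INCOMPLETE_STATES = {"S0", "REJ", "RSTOS0", "SH", "RSTO"}

# Constructed sample, whitespace-separated, abbreviated Zeek-style columns:
# ts  orig_h  orig_p  resp_h  resp_p  proto  conn_state
# 192.168.122.115 probes ten ports on 192.168.122.1 within about a second
# (open ports are answered and reset, 88 is rejected, the rest get nothing);
# 192.168.122.73 is an ordinary client with two good and two failed sessions.
SAMPLE_CONN_LOG = """
1434200100.00 192.168.122.73  51002 192.168.122.1 80   tcp SF
1434200100.20 192.168.122.115 40001 192.168.122.1 21   tcp RSTO
1434200100.21 192.168.122.115 40002 192.168.122.1 22   tcp RSTO
1434200100.22 192.168.122.115 40003 192.168.122.1 25   tcp RSTO
1434200100.23 192.168.122.115 40004 192.168.122.1 53   tcp RSTO
1434200100.24 192.168.122.115 40005 192.168.122.1 80   tcp RSTO
1434200100.25 192.168.122.115 40006 192.168.122.1 88   tcp REJ
1434200100.90 192.168.122.73  51003 192.168.122.1 22   tcp SF
1434200101.10 192.168.122.115 40007 192.168.122.1 443  tcp S0
1434200101.11 192.168.122.115 40008 192.168.122.1 445  tcp S0
1434200101.12 192.168.122.115 40009 192.168.122.1 3389 tcp S0
1434200101.13 192.168.122.115 40010 192.168.122.1 8080 tcp S0
1434200130.00 192.168.122.73  51004 192.168.122.1 8080 tcp REJ
1434200131.00 192.168.122.73  51005 192.168.122.1 443  tcp S0
"""


def parse_conn_log(text):
    """Return (ts, orig_h, resp_h, resp_p, proto, conn_state) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto, state = line.split()
        events.append((float(ts), orig_h, resp_h, int(resp_p), proto, state))
    events.sort()
    return events


def detect_fanout(text, window_s=60.0, threshold=8, states=INCOMPLETE_STATES):
    """Return {orig_h: sorted ports} for every source that, within any sliding
    window of window_s seconds, touched at least `threshold` distinct
    (resp_h, resp_p) targets with a conn_state in `states`."""
    recent = defaultdict(deque)   # orig_h -> deque of (ts, (resp_h, resp_p))
    flagged = defaultdict(set)    # orig_h -> ports seen in flagged windows
    for ts, orig_h, resp_h, resp_p, proto, state in parse_conn_log(text):
        if proto != "tcp" or state not in states:
            continue
        window = recent[orig_h]
        window.append((ts, (resp_h, resp_p)))
        while window and ts - window[0][0] > window_s:
            window.popleft()          # drop attempts older than the window
        targets = {target for _, target in window}
        if len(targets) >= threshold:
            flagged[orig_h].update(port for _, port in targets)
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    print("attempt-aware logging:  ", detect_fanout(SAMPLE_CONN_LOG))
    print("established-only logging:", detect_fanout(SAMPLE_CONN_LOG, states={"SF"}))
```

The threshold and window are deliberately conservative; a real deployment would tune them per network segment and would also want the connect scan from the previous section, which does complete the handshake, to show up through ordinary service logs instead.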



5) Banner Grabbing (with the Nmap NSE banner script). The script connects to the open port and prints whatever the service announces first, which often includes the exact product and version, as with OpenSSH_6.4 and vsFTPd 2.3.4 below.
root@kali:~# nmap -sT 192.168.122.1 -p 22 --script=banner
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:40 IST
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.00032s latency).
PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_6.4
MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)

root@kali:~# nmap -sT 192.168.122.73 -p 21 --script=banner

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:42 IST
Nmap scan report for 192.168.122.73
Host is up (0.00061s latency).
PORT   STATE SERVICE
21/tcp open  ftp
|_banner: 220 (vsFTPd 2.3.4)


6) Service Identification (using probe-response analysis). With -sV Nmap sends a series of protocol probes to each open port and matches the replies against its service fingerprint database, so it can name the product and version even for services that do not volunteer a banner.
root@kali:~# nmap -sV -p 80 192.168.122.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:44 IST
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.00059s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16)


7) OS identification. With -O Nmap sends a set of TCP, UDP and ICMP probes and compares the target stack's responses (TCP option ordering, window sizes and similar details) against its OS fingerprint database; the result below is a kernel range rather than an exact version.
root@kali:~# nmap -O  192.168.122.1
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop


8) Identify Filtering on ports (ACK scan). A filtered port means that the port is open but our access is being blocked by a firewall. The ACK scan sends a packet with only the ACK flag set: a port that answers with a RST is reported as unfiltered (our packets reach it, whether or not a service is listening), while a port that gives no response or an ICMP unreachable error is reported as filtered.
root@kali:~# nmap -sA 192.168.122.1 -p 22

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-14 10:30 IST
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.00038s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh


root@kali:~# nmap -sA 192.168.100.1 -p 22

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-14 10:37 IST
Nmap scan report for 192.168.100.1
Host is up (0.00092s latency).
PORT   STATE      SERVICE
22/tcp unfiltered ssh
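Taken together, the scans above produce a picture of what each host exposes and what software it announces. The following Python script is an added example, not from the original post: it parses Nmap's normal output (the constructed sample reuses the hosts and ports shown above, merged into one listing so that TCP, UDP, banner and version lines all appear) and compares the ports reported open or open|filtered against a baseline of the services each host is expected to run (the BASELINE dictionary is an assumption made here), listing unexpected exposure and every banner or version string the scan disclosed. The parser handles the "Nmap scan report", port-table, "|_banner" and "MAC Address" lines in the form Nmap 6.47 printed them above.

```python
"""Parse Nmap normal output and compare exposure with a baseline (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the hosts and ports from the scans above, merged into one listing.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.00038s latency).
PORT     STATE  SERVICE VERSION
21/tcp   open   ftp
22/tcp   open   ssh
|_banner: SSH-2.0-OpenSSH_6.4
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16)
88/tcp   closed kerberos-sec
MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)

Nmap scan report for 192.168.122.73
PORT     STATE         SERVICE
21/tcp   open          ftp
|_banner: 220 (vsFTPd 2.3.4)
53/udp   open          domain
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
111/udp  open          rpcbind
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
2049/udp open          nfs
MAC Address: 00:0C:29:FA:DD:2A (VMware)
"""

# Constructed baseline (an assumption for this example): the services each
# host is expected to expose, as "port/proto" strings.
BASELINE = {
    "192.168.122.1": {"22/tcp", "25/tcp", "53/tcp", "80/tcp"},
    "192.168.122.73": {"53/udp", "111/udp", "2049/udp"},
}

REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+(?:\.\d+){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
BANNER_RE = re.compile(r"^\|_banner:\s*(.+)$")
MAC_RE = re.compile(r"^MAC Address:\s*([0-9A-Fa-f:]{17})")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""  # VERSION column from -sV, when present
    banner: str = ""   # output of the NSE banner script, when present

    @property
    def key(self):
        return f"{self.number}/{self.proto}"


def parse_nmap_output(text):
    """Return {ip: host dict} from Nmap normal (-oN) output; other lines are ignored."""
    hosts, cur = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := REPORT_RE.match(line):
            cur = hosts.setdefault(m.group(2), {"hostname": m.group(1) or "", "mac": "", "ports": []})
        elif cur is None:
            continue
        elif m := PORT_RE.match(line):
            num, proto, state, service, version = m.groups()
            cur["ports"].append(Port(int(num), proto, state, service, (version or "").strip()))
        elif (m := BANNER_RE.match(line)) and cur["ports"]:
            cur["ports"][-1].banner = m.group(1)  # NSE output follows its port line
        elif m := MAC_RE.match(line):
            cur["mac"] = m.group(1)
    return hosts


def unexpected_exposure(hosts, baseline):
    """{ip: [port/proto]} for open or open|filtered ports the baseline does not list."""
    findings = {}
    for ip, host in hosts.items():
        allowed = baseline.get(ip, set())  # unknown host: everything is unexpected
        extra = [p.key for p in host["ports"]
                 if p.state.startswith("open") and p.key not in allowed]
        if extra:
            findings[ip] = extra
    return findings


def disclosed_versions(hosts):
    """(ip, port/proto, text) for every port that gave away a banner or version."""
    return [(ip, p.key, p.banner or p.version)
            for ip, host in hosts.items() for p in host["ports"] if p.banner or p.version]


if __name__ == "__main__":
    scan = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    print(unexpected_exposure(scan, BASELINE))
    print(disclosed_versions(scan))
```

Against a real scan, save the output with -oN and pass the file contents to parse_nmap_output; for anything beyond this illustration, Nmap's XML output (-oX) is the stable machine-readable format to parse instead. Note that open|filtered UDP ports are kept in the exposure list on purpose: the scan could not rule them out, so the baseline review has to.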
