nmap has a quite a few options, but you’ll use just a few of them for the most part.
One of our preferred nmap options is -sS. This runs a stealth TCP scan
that determines whether a specific TCP-based port is open. Another preferred option is -Pn, which tells nmap not to use ping to determine whether a system is running; instead, it considers all hosts “alive.” If you’re performing Internet based penetration tests, you should use this flag, because most networks don’t allow Internet Control Message Protocol (ICMP), which is the protocol that ping uses. If you’re performing this scan internally, you can probably ignore this flag.
Now let’s run a quick nmap scan against our target machine using
both the -sS and -Pn flags.
As you can see, nmap reports a list of open ports, along with a description
of the associated service for each.
For more detail, try using the -A flag. This option will attempt advanced
service enumeration and banner grabbing, which may give you even more
details about the target system. For example, here’s what we’d see if we were
to call nmap with the -sS and -A flags, using our same target system: