The idea with nmap is that you can perform a sophisticated scan of a system looking for open ports, just as an attacker would. Telling a legitimate audit apart from a hostile scan on the wire is apparently an open problem: the packets look the same. With nmap you can scan ports directly with ordinary TCP connections, or you can use the more devious scan methods a nefarious, good-for-nothing system cracker would use to avoid being noticed. Seeing what the attacker would see lets you tighten up your defenses before somebody else finds the hole. Using nmap well can be a complicated process, including a serious investigation of the different methods of extracting useful data for further treachery.
The nmap command line takes one or more scan types, then options, then the list of targets: nmap [Scan Type(s)] [Options] <host or net list>. The scan types are:
| Scan Type | Meaning |
|---|---|
| -sT | A TCP connect scan. nmap attempts to connect to each port with a full TCP connect, so it needs no special privileges. Easily detectable by the scanned host, since the connection completes and the service behind the port sees and can log it. |
| -sS | A SYN packet is sent and, if a SYN/ACK comes back, the half-open connection is immediately torn down with an RST, so the service never sees a completed connection. Harder to detect by the scanned host. Needs root, since it sends raw packets. |
| -sF -sX -sN | The Stealth FIN, Xmas Tree and Null scans. Each uses a different flag set (FIN alone; FIN, URG and PSH; no flags at all), but all rely on the same rule: by RFC 793 a closed port answers such a segment with an RST, while an open port silently drops it. Harder yet to detect by the scanned host, but they do not work against Microsoft Windows, whose stack did not follow the standard and sends an RST in either case, so every port looks closed. |
| -sP | A ping scan. Pings each address on the network given to determine which hosts are up; no ports are scanned. |
| -sU | Scan for open UDP ports on a host. An empty UDP datagram is sent to each port; an ICMP port unreachable reply means closed, silence means open or filtered. |
| -sO | Determine which IP protocols (TCP, UDP, ICMP, ...) are in use on a host. |
| -sA | An ACK scan to determine what firewall rulesets are being used. An ACK sent to a port is answered with an RST if the port is unfiltered; no reply means a filter dropped the probe. It does not tell open from closed. |
| -sW | Window scan: like the ACK scan, but examines the TCP window field of the returned RSTs. On some systems a non-zero window means the port is open and zero means it is closed. |
| -sR | Try to determine whether open ports are RPC ports and, if so, what program and version is running there. |
| -b ftp-relay-host | FTP bounce scan. Abuses the PORT command of an FTP server that allows proxying to make the server connect to the target's ports, so the scan appears to come from the FTP server. |
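The scan types above differ only in which TCP flag bits the probe carries and in how the target's reply, or its silence, is read. The Python below is an added example, not code from the original text or from nmap itself. It builds a raw 20-byte TCP header with the flag set of each scan type (with a valid checksum, so it could be handed to a raw socket) and classifies replies into the port states nmap reports. The two target models, rfc793_stack and windows_stack, are simulations written for this example: one behaves like a standards-following host, the other like the Windows stack that answers RST to everything, which is why FIN, Xmas and Null scans show every Windows port as closed. Actually sending the probe needs a raw socket and root, which this example deliberately does not do.

```python
import socket
import struct

# TCP flag bits from RFC 793.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag set each scan type puts in its probe segment.
PROBE_FLAGS = {
    "-sS": SYN,               # SYN scan
    "-sF": FIN,               # Stealth FIN scan
    "-sX": FIN | PSH | URG,   # Xmas Tree scan
    "-sN": 0,                 # Null scan: no flags at all
    "-sA": ACK,               # ACK scan
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_probe(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024) -> bytes:
    """A 20-byte TCP header carrying `flags`, with a valid checksum (ready for a raw socket)."""
    offset_flags = (5 << 12) | flags   # data offset 5 words, reserved bits 0, then the flag bits
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_flags(header: bytes) -> int:
    """The six classic flag bits of a TCP header."""
    return struct.unpack("!H", header[12:14])[0] & 0x3F


def checksum_ok(src_ip, dst_ip, header: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


# Simulated targets, constructed for this example; no real traffic is involved.
def rfc793_stack(open_ports, dport, probe):
    """Reply of a standards-following, unfiltered host to a probe matching no connection."""
    if probe & SYN and not probe & ACK:
        return SYN | ACK if dport in open_ports else RST | ACK
    if probe & ACK:
        return RST       # a stray ACK gets RST whether the port is open or not
    # FIN, Xmas and Null probes: a listening port drops the segment, a closed port answers RST
    return None if dport in open_ports else RST | ACK


def windows_stack(open_ports, dport, probe):
    """Microsoft's stack answers RST to any out-of-connection segment, open port or not."""
    if probe & SYN and not probe & ACK:
        return SYN | ACK if dport in open_ports else RST | ACK
    return RST | ACK


def classify(scan_type, reply):
    """Port state nmap reports, given the reply's flag bits (None when nothing came back)."""
    if scan_type == "-sS":
        if reply is None:
            return "filtered"
        if reply & SYN and reply & ACK:
            return "open"
        if reply & RST:
            return "closed"
    elif scan_type in ("-sF", "-sX", "-sN"):
        if reply is None:
            return "open|filtered"   # silence: open, or a firewall ate the probe
        if reply & RST:
            return "closed"
    elif scan_type == "-sA":
        if reply is None:
            return "filtered"
        if reply & RST:
            return "unfiltered"
    return "unknown"


def scan(stack, open_ports, scan_type, ports):
    """Run one scan type against a simulated stack and return {port: state}."""
    probe = PROBE_FLAGS[scan_type]
    return {p: classify(scan_type, stack(open_ports, p, probe)) for p in ports}


if __name__ == "__main__":
    listening = {22, 80}
    for name, stack in (("RFC 793 host", rfc793_stack), ("Windows host", windows_stack)):
        print(name, "-sF:", scan(stack, listening, "-sF", [22, 23, 80]))
    probe = build_tcp_probe("10.0.0.1", "10.0.0.2", 40000, 22, PROBE_FLAGS["-sX"])
    print("Xmas probe flags 0x%02x, checksum valid: %s"
          % (tcp_flags(probe), checksum_ok("10.0.0.1", "10.0.0.2", probe)))
```

Run it and the FIN scan reports ports 22 and 80 as open|filtered on the RFC 793 host but closed on the Windows model, which is the caveat in the table above; a SYN scan against either model gives the right answer, which is why -sS is the usual choice.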
nmap has a long list of options, so only a small portion will be listed here, generally just to give a flavor for the things allowed. The man page for nmap gives a complete description and is very well done.
| Option | Meaning |
|---|---|
| -P0 | Don't ping hosts before scanning them (needed when the target blocks ICMP). The character is a zero; later nmap releases spell this -Pn. |
| -O | Activate remote OS detection by TCP/IP stack fingerprinting. |
| -I | Do a reverse ident scan: ask the target's identd which user owns each open port. Later nmap releases dropped this option. |
| -o logfilename | Where to log the results of the scan (later releases use -oN for this). |
| -iL inputfilename | Where to read the list of targets for a scan. |
| -p port-ranges | Ports to be scanned, in the form -p N, -p N-P, or some combination such as -p 22,53,1-1024. |
Targets can be specified as host names, IP addresses or as network addresses (ip/mask), and several may be given on one command line.
nmap -v somehost.somenetwork.org
Scans all reserved TCP ports on the target with verbose mode on.
nmap -sS somehost.somenetwork.org/24
Initiates a stealth SYN scan against all hosts on the class C (/24) network
containing the host given.
nmap -sX -p 22,23,53 host1.net.org host2.net.org host3.net.org
Initiates a Christmas Tree scan for ports 22, 23 and 53 on the three
hosts shown.
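The plain -sT connect scan is the one anyone can run without root, and also the one the scanned host sees most clearly, because the three-way handshake completes and the service's accept() returns the scanner's address. The Python below is an added example, not from the original text or from nmap: it starts a listener on 127.0.0.1 to stand in for the target (on whatever port the kernel hands out), reserves and releases a second port so one is known to be closed, scans both with ordinary connect() calls, and then shows the listener's own record of who connected. The listener, the port choice and the result layout are constructed for this example.

```python
import socket
import threading
import time

HOST = "127.0.0.1"   # constructed target: a loopback listener stands in for the scanned host


def start_listener(host=HOST):
    """Listen on a kernel-chosen port and record the peer of every accepted connection.

    `seen` is the scanned host's view of the scan: a daemon behind tcpd, or any
    modern service, would write exactly this (source address and port) to its log.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.1)            # wake periodically so the thread can notice the stop flag
    seen, stop = [], threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            seen.append(peer)      # the target just logged us
            conn.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], seen, stop, thread


def reserve_closed_port(host=HOST):
    """Bind an ephemeral port and release it at once, so we know a port that is closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan (nmap -sT): attempt a full handshake with each port."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # SYN, SYN/ACK, ACK: the service's accept() now sees us
            states[port] = "open"
        except ConnectionRefusedError:   # the host answered our SYN with an RST
            states[port] = "closed"
        except OSError:                  # timeout or unreachable: a filter dropped the probe
            states[port] = "filtered"
        finally:
            s.close()
    return states


def demo():
    """Scan the constructed target and return both sides' view of what happened."""
    open_port, seen, stop, thread = start_listener()
    closed_port = reserve_closed_port()
    states = connect_scan(HOST, [open_port, closed_port])
    deadline = time.time() + 2.0      # let the listener thread accept() and log the visit
    while not seen and time.time() < deadline:
        time.sleep(0.01)
    stop.set()
    thread.join()
    return {"open_port": open_port, "closed_port": closed_port,
            "states": states, "seen": list(seen)}


if __name__ == "__main__":
    result = demo()
    for port, state in sorted(result["states"].items()):
        print(f"{port}/tcp {state}")
    print("target's log of who connected:", result["seen"])
```

The `seen` list is the whole point: after a connect scan the target holds your source address and port for every open port you touched, which is what the SYN and FIN-family scans in the table above are designed to avoid leaving behind.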