Last modified: Tuesday, 30-January-2001 04:13:05 PDT

Network Reconnaissance Techniques
(Latest version:
  1. Introduction

  2. Finding machines that are up on the network

  3. Determining the ports that are open

  4. Determining network architecture

  5. Locating Firewall Misconfigurations

  6. Optimizing your scan for speed

  7. Optimizing your scan for stealth

  8. Example scan

     To make this more concrete, here is an example TCP scan (hostname sanitized):
    amy~#nmap -p- -sR -I -O
    Starting nmap V. 2.52 by ( )
    Interesting ports on (
    (The 65514 ports scanned but not shown below are in state: closed)
    Port       State       Service (RPC)           Owner
    21/tcp     open        ftp                     root
    22/tcp     open        ssh                     root
    23/tcp     open        telnet                  root
    25/tcp     open        smtp                    mail
    80/tcp     open        http                    http
    110/tcp    open        pop-3                   root
    111/tcp    filtered    sunrpc                  
    113/tcp    open        auth                    root
    220/tcp    filtered    imap3                   
    443/tcp    open        https                   http
    512/tcp    filtered    exec                    
    513/tcp    filtered    login                   
    514/tcp    filtered    shell                   
    515/tcp    filtered    printer                 
    516/tcp    filtered    videotex                
    517/tcp    filtered    talk                    
    518/tcp    filtered    ntalk                   
    635/tcp    filtered    unknown                 
    939/tcp    open        (status V1)             root
    2049/tcp   filtered    nfs                     
    3600/tcp   open        unknown                 root
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=4797787 (Good luck!)
    Sequence numbers: 702A7726 70243971 7059255D 70F3C86B 710DC518 704EBFEE
    Remote operating system guess: Linux 2.1.122 - 2.2.14
    Nmap run completed -- 1 IP address (1 host up) scanned in 467 seconds
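
     A defender reading output like the above wants it grouped by state: open
     ports are the exposed services, and filtered ports show where a packet
     filter is dropping traffic (the firewall rules section 5 is about). The
     parser below is an added example, not code from the page or from nmap; it
     reads the classic nmap "normal" text format shown in the scan above, using
     that scan's own port table (with the sanitized hostname replaced by a
     placeholder) as its embedded sample input. Column names, the two-space
     column separator rule and the helper names are assumptions of this example.

```python
"""Parse the classic nmap "normal" text output (nmap 2.x era) into records,
then group ports by state. Added example; not part of the original page."""
import re
from collections import defaultdict

# Sample input: the port table and trailer from the page's example scan.
# The hostname is sanitized on the page, so "(sanitized)" stands in for it.
SAMPLE_OUTPUT = """\
Starting nmap V. 2.52 by ( )
Interesting ports on (sanitized):
(The 65514 ports scanned but not shown below are in state: closed)
Port       State       Service (RPC)           Owner
21/tcp     open        ftp                     root
22/tcp     open        ssh                     root
23/tcp     open        telnet                  root
25/tcp     open        smtp                    mail
80/tcp     open        http                    http
110/tcp    open        pop-3                   root
111/tcp    filtered    sunrpc
113/tcp    open        auth                    root
220/tcp    filtered    imap3
443/tcp    open        https                   http
512/tcp    filtered    exec
513/tcp    filtered    login
514/tcp    filtered    shell
515/tcp    filtered    printer
516/tcp    filtered    videotex
517/tcp    filtered    talk
518/tcp    filtered    ntalk
635/tcp    filtered    unknown
939/tcp    open        (status V1)             root
2049/tcp   filtered    nfs
3600/tcp   open        unknown                 root
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 467 seconds
"""

PORT_LINE = re.compile(r'^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered)\s*(.*)$')
OS_LINE = re.compile(r'^Remote operating system guess:\s*(.+)$')
DONE_LINE = re.compile(r'scanned in (\d+) seconds')


def parse_nmap_normal(text):
    """Return {'ports': [...], 'os_guess': str|None, 'seconds': int|None}."""
    report = {'ports': [], 'os_guess': None, 'seconds': None}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, rest = m.groups()
            # Service and Owner are fixed-width columns separated by two or
            # more spaces; the service itself may contain a single space,
            # e.g. "(status V1)" for an RPC program identified with -sR.
            cols = re.split(r'\s{2,}', rest.strip()) if rest.strip() else []
            report['ports'].append({
                'port': int(port), 'proto': proto, 'state': state,
                'service': cols[0] if cols else '',
                'owner': cols[1] if len(cols) > 1 else None,  # from -I (ident)
            })
            continue
        m = OS_LINE.match(line)
        if m:
            report['os_guess'] = m.group(1).strip()
            continue
        m = DONE_LINE.search(line)
        if m:
            report['seconds'] = int(m.group(1))
    return report


def ports_by_state(report):
    """Map each state to the sorted port numbers in that state."""
    grouped = defaultdict(list)
    for p in report['ports']:
        grouped[p['state']].append(p['port'])
    return {state: sorted(ports) for state, ports in grouped.items()}


def root_owned_open_ports(report):
    """Open ports whose ident owner is root: services worth a privilege review."""
    return sorted(p['port'] for p in report['ports']
                  if p['state'] == 'open' and p['owner'] == 'root')


if __name__ == '__main__':
    rep = parse_nmap_normal(SAMPLE_OUTPUT)
    for state, ports in ports_by_state(rep).items():
        print(f"{state:10} {ports}")
    print("open as root:", root_owned_open_ports(rep))
    print("OS guess:", rep['os_guess'], "| scan time:", rep['seconds'], "s")
```

     Run against the page's scan, the filtered group is exactly the RPC, NFS
     and r-service ports, which is the firewall policy made visible; the
     open-as-root list is what a host administrator would check against the
     intended privilege of each daemon.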

    What could be done better?

  9. Final Notes and Warnings