One of the first considerations when contemplating a port scan is deciding what techniques to use. Nmap offers about a dozen such methods and this section provides a brief summary of them. Full coverage comes in the next chapter. Only one scan method may be used at a time, except that UDP scan (-sU) may be combined with any one of the TCP scan types. As a memory aid, port scan type options are of the form -s<C>, where <C> is a prominent character in the scan name, usually the first. The one exception to this is the deprecated FTP bounce scan (-b). By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix) or if IPv6 targets were specified.

Nmap's port registration file (nmap-services) contains empirical data about how frequently each TCP or UDP port is found to be open. This data was collected by scanning tens of millions of Internet addresses, then combining those results with internal scan data contributed by large enterprises. By default, Nmap scans the 1,000 most popular ports of each protocol it is asked to scan. Alternatively, you can specify the -F (fast) option to scan only the 100 most common ports in each protocol or --top-ports to specify an arbitrary number of ports to scan.

When none of these canned port sets suit your needs, an arbitrary list of port numbers can be specified on the command-line with the -p option. The syntax of the -p option can be complex, and is best described with examples.

Port scanning is often the most time consuming part of an Nmap scan (which might also include OS detection, version detection, and NSE scripts). While Nmap tries to be quick and efficient by default, manual optimization often helps. Nmap offers dozens of options for tailoring scan intensity and speed to match your exact needs. This section lists the most important options for optimizing port scan times. Options which take an amount of time are in seconds by default, or you may append ms (milliseconds), s (seconds), m (minutes), or h (hours) to the value. For further details on any of these options, see the section called “Timing and Performance”. A much more thorough treatment, with examples and best-practices for improving Nmap performance is available in Chapter 6, Optimizing Nmap Performance.

Nmap offers the ability to write its reports in its standard format, a simple line-oriented “grepable” format, or XML. These reports are enabled with the -oN (normal), -oG (grepable), and -oX (XML) options. Each option takes a filename, and they may be combined to output in several formats at once. Several options are also available to increase output verbosity. This section lists the most important output-related options and how they apply to port scanning. For further details on any of these options, see the section called “Output”. A much more thorough treatment of output options and formats, with many examples, is available in Chapter 13, Nmap Output Formats.

Nmap offers many options for sneaking past IDSs undetected or evading firewall rules. For an overview, see the section called “Firewall/IDS Evasion and Spoofing”. For a comprehensive look at firewall and IDS evasion techniques, along with practical examples, see Chapter 10, Detecting and Subverting Firewalls and Intrusion Detection Systems.

To scan a single host (or a few of them), simply add their names or IP addresses to the end of your Nmap command line. Nmap also has a structured syntax to make scanning large networks easy. You can give Nmap a file listing targets, or even ask Nmap to generate them randomly. This is all described in the section called “Specifying Target Hosts and Networks”.

Here are some options that can be quite handy even though they don't fit into specific categories. The descriptions focus on how each option relates to port scanning. See the Chapter 15, Nmap Reference Guide for more comprehensive coverage of each option.