I am using Nmap to do basic port scans for customers that requested them. The Nmap GUI “Zenmap” offers some profiles to choose the appropriate options for the scan. But when using a mere ssh session, these profiles are not given.
On the Internet, there are many good and detailed examples on how to use Nmap, such as here or here. However, I mostly need a simple and standard Nmap command for my basic scans. Here I list the command that I am using by default as a short memo for myself:
nmap -Pn -sS -sU -A -oN FILENAME HOSTNAME
Options
I am using the following options:
- -Pn: to omit the ICMP echo request ping before scanning a host. Ports are often open while ping is blocked.
- -sS: for the default TCP SYN scan
- -sU: for an additional UDP scan
- -A: to enable several scan options at once, such as OS detection, host detection, etc.
- -oN FILENAME: save the output to FILENAME
- [optional] -T2: for a slower scan rate. This option can be omitted if a faster rate is necessary. When running Nmap over night, I use -T2 for IDS evasion. Or, alternatively:
- [optional] -T4: for a faster scan rate
- [optional] -p 1-65535: to scan all ports and not only "the 1000 most popular used ones"
- HOSTNAME: the name or IP address of the target
And don't forget to run Nmap a second time with the "-6" option for IPv6!
Finally, this is the link to the Nmap port states (open, closed, filtered, …).
Sample Output
This is an example output of such a scan (IPv4 only):
# Nmap 6.47 scan initiated Wed Dec 17 10:42:01 2014 as: nmap -Pn -sS -sU -A -oN testoutput lx.webernetz.net
Nmap scan report for lx.webernetz.net (80.154.108.239)
Host is up (0.054s latency).
Not shown: 995 closed ports, 994 filtered ports
PORT     STATE         SERVICE      VERSION
22/tcp   open          ssh          (protocol 2.0)
80/tcp   open          ssh          (protocol 2.0)
123/udp  open          ntp          NTP v4
| ntp-info:
|   version: 4
|   processor: unknown
|   system: UNIX
|   refid: 188.40.99.69
|_  stratum: 3
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open          snmp         Cisco SNMP service
|_snmp-hh3c-logins: TIMEOUT
|_snmp-win32-shares: TIMEOUT
162/udp  open|filtered snmptrap
445/udp  open|filtered microsoft-ds
1701/udp open|filtered L2TP
Network Distance: 10 hops

TRACEROUTE (using port 111/tcp)
HOP RTT      ADDRESS
1   9.01 ms  fritz.box (192.168.86.1)
2   74.30 ms rdsl-frnk-de80.nw.mediaways.net (213.20.56.15)
3   32.13 ms xmwc-frnk-de06-chan-20.nw.mediaways.net (213.20.251.73)
4   32.29 ms ae7-0.01.rmwc.99.fra.de.net.telefonica.de (62.53.0.109)
5   49.95 ms 213.140.50.124
6   50.15 ms 80.150.168.5
7   54.62 ms f-sa1-i.F.DE.NET.DTAG.DE (62.154.14.225)
8   50.48 ms f-eb1-i.F.DE.NET.DTAG.DE (62.154.16.234)
9   50.69 ms 0180506-1-1-gw.F.DE.NET.DTAG.DE (80.148.112.46)
10  50.94 ms 80.154.108.239

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Wed Dec 17 10:58:52 2014 -- 1 IP address (1 host up) scanned in 1020.86 seconds
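When a scan like the one above is saved with -oN, the resulting file is what you hand to the customer or feed into your own tooling, so it helps to turn it into something structured. The following parser is an added example written for this post, not code from the post or from the Nmap project. It reads the normal-output format shown above (the "Nmap scan report" line, the "Not shown" summary, the PORT/STATE/SERVICE/VERSION table and the indented NSE script lines) and separates ports that Nmap confirmed as "open" from UDP ports reported as "open|filtered", which only means Nmap got no answer and could not tell the two states apart. The embedded sample is a trimmed copy of the output shown in the post; the function and class names are my own.

```python
"""Parse Nmap normal output (-oN) into a structured per-host summary."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a trimmed copy of the -oN output shown in the post.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 6.47 scan initiated Wed Dec 17 10:42:01 2014 as: nmap -Pn -sS -sU -A -oN testoutput lx.webernetz.net
Nmap scan report for lx.webernetz.net (80.154.108.239)
Host is up (0.054s latency).
Not shown: 995 closed ports, 994 filtered ports
PORT     STATE         SERVICE      VERSION
22/tcp   open          ssh          (protocol 2.0)
80/tcp   open          ssh          (protocol 2.0)
123/udp  open          ntp          NTP v4
| ntp-info:
|   version: 4
|_  stratum: 3
135/udp  open|filtered msrpc
161/udp  open          snmp         Cisco SNMP service
|_snmp-win32-shares: TIMEOUT
1701/udp open|filtered L2TP
Network Distance: 10 hops
# Nmap done at Wed Dec 17 10:58:52 2014 -- 1 IP address (1 host up) scanned in 1020.86 seconds
"""

# Line patterns of the normal-output format (names below are mine).
CMD_RE = re.compile(r"^# Nmap .* as: (.*)$")
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([0-9a-fA-F.:]+)\))?")
NOT_SHOWN_RE = re.compile(r"(\d+) ([a-z|]+) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortResult:
    port: int
    proto: str
    state: str            # e.g. "open", "closed", "filtered", "open|filtered"
    service: str
    version: str = ""
    script_output: List[str] = field(default_factory=list)   # NSE lines ("| ...")


@dataclass
class HostReport:
    scan_command: str = ""
    host: str = ""
    address: str = ""
    up: bool = False
    not_shown: Dict[str, int] = field(default_factory=dict)  # state -> count
    ports: List[PortResult] = field(default_factory=list)


def parse_nmap_normal_output(text: str) -> HostReport:
    """Parse one host's -oN output. Unknown lines are ignored."""
    report = HostReport()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := CMD_RE.match(line):
            report.scan_command = m.group(1)
        elif m := REPORT_RE.match(line):
            report.host, report.address = m.group(1), m.group(2) or ""
        elif line.startswith("Host is up"):
            report.up = True
        elif line.startswith("Not shown:"):
            report.not_shown = {state: int(n) for n, state in NOT_SHOWN_RE.findall(line)}
        elif m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            report.ports.append(PortResult(int(port), proto, state, service, version or ""))
        elif line.startswith("|") and report.ports:
            # Script output belongs to the most recent port line.
            report.ports[-1].script_output.append(line.lstrip("|_ "))
    return report


def confirmed_open(report: HostReport) -> List[PortResult]:
    """Ports Nmap actually confirmed as open (state is exactly 'open')."""
    return [p for p in report.ports if p.state == "open"]


def indeterminate(report: HostReport) -> List[PortResult]:
    """Ports with a combined state such as 'open|filtered': no answer, so
    Nmap could not decide; these need a follow-up check, not a 'open' label."""
    return [p for p in report.ports if "|" in p.state]


def summarize(report: HostReport) -> Dict[str, int]:
    """Count listed ports per state, e.g. {'open': 4, 'open|filtered': 2}."""
    return dict(Counter(p.state for p in report.ports))


if __name__ == "__main__":
    r = parse_nmap_normal_output(SAMPLE_NMAP_OUTPUT)
    print(f"{r.host} ({r.address}) up={r.up} not_shown={r.not_shown}")
    for p in confirmed_open(r):
        print(f"  open  {p.port}/{p.proto} {p.service} {p.version}".rstrip())
    for p in indeterminate(r):
        print(f"  ???   {p.port}/{p.proto} {p.service} ({p.state})")
```

The split into confirmed_open and indeterminate is the point of the example: in a UDP scan most "open|filtered" entries are just ports that never answered, and reporting them to a customer as open would overstate the exposure. For a real -oN file with several hosts you would split the text on each "Nmap scan report for" line and call the parser per chunk.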
© Image Sketch by Mareike Weber – Kunst und so