Nmap is without a doubt the best free network security scanner. An nmap command that is very useful for mapping out all hosts on a subnet is displayed below:
nmap -sS -sV -O 192.168.0.0/24
The meaning of the options is:
- -sS. This tells nmap to use a SYN scan on host ports.
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections.
- -sV. This switch tells Nmap to attempt to find the service and version information of the ports it finds open.
After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS
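The scan above only becomes useful for defenders once its results are turned into an inventory that can be compared against what is supposed to be listening on the subnet. The following is an added example, not part of the original post or of the Nmap project: it assumes the same command was run with `-oG scan.gnmap` (Nmap's grepable output format) and parses the `Host:` lines, whose `Ports:` field lists each port as `port/state/protocol//service//version/`, into a per-host table of open services and OS guesses, then flags any open service that is not on an allow-list. The sample output embedded below is constructed for illustration; the hostnames, versions and OS guesses are not real scan results.

```python
"""Summarise Nmap grepable output (-oG) into a per-host service inventory.

Added example (not Nmap's own code). Assumption: the scan was saved with
`nmap -sS -sV -O -oG scan.gnmap 192.168.0.0/24`, and each Host line follows
the grepable layout `Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/
<owner>/<service>/<rpcinfo>/<version>/, ...\tOS: <guess>`.
"""
import re

# Constructed sample in grepable format; values are made up for illustration.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -sV -O -oG scan.gnmap 192.168.0.0/24
Host: 192.168.0.1 (gw.lan)\tStatus: Up
Host: 192.168.0.1 (gw.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18.0/\tOS: Linux 5.X
Host: 192.168.0.20 ()\tPorts: 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 23/filtered/tcp//telnet///\tOS: Microsoft Windows 10
Host: 192.168.0.31 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///\tOS: HP printer
# Nmap done: 256 IP addresses (3 hosts up) scanned
"""

# port/state/proto/owner/service/rpcinfo/version/  (owner and rpcinfo are
# usually empty, hence the doubled slashes). Nmap escapes "/" inside the
# version text as "|", so a version field never contains a slash.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {"name", "os", "ports": [ {port, state, proto, service, version} ]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and trailer lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        # The same host appears on a "Status:" line and a "Ports:" line; merge them.
        host = hosts.setdefault(ip, {"name": name, "os": None, "ports": []})
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for port, state, proto, service, version in PORT_RE.findall(field[7:]):
                    host["ports"].append({
                        "port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version,
                    })
            elif field.startswith("OS: "):
                host["os"] = field[4:]
    return hosts


def find_unexpected(hosts, allowed_services):
    """List (ip, port, service, version) for every OPEN port whose service is
    not in allowed_services. Filtered/closed ports are not reported, since
    -sS never saw a SYN/ACK for them."""
    findings = []
    for ip, host in hosts.items():
        for p in host["ports"]:
            if p["state"] == "open" and p["service"] not in allowed_services:
                findings.append((ip, p["port"], p["service"], p["version"]))
    return findings


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, host in inventory.items():
        open_ports = [f'{p["port"]}/{p["proto"]} {p["service"]}' for p in host["ports"] if p["state"] == "open"]
        print(f'{ip:15} {host["name"] or "-":12} OS={host["os"]!r} open={open_ports}')
    # Baseline for this (constructed) subnet: only SSH and HTTP are expected.
    for ip, port, service, version in find_unexpected(inventory, {"ssh", "http"}):
        print(f"UNEXPECTED {ip}:{port} {service} {version!r}")
```

The allow-list is deliberately a plain set so it can be replaced with a per-host baseline loaded from a CMDB or a previous scan; diffing two `parse_gnmap` results over time is the simplest way to spot a newly exposed service on the subnet.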