Nmap is a tool generally used for remote network discovery, but it can be used on the forensics side as well. Typical uses include determining which hosts are available on a network, finding open ports on a system, performing a traceroute, resolving DNS names, and detecting the operating system and services in use.
Nmap accepts many options; some common ones are:
- -sV : probe open ports to find service information
- -p : specify which ports to scan
- -sU : UDP scan
- -sN : TCP Null scan
- -sn : Ping scan, no ports
- -Pn : skip host discovery and treat every target as online
- -O : enable OS detection
- -v : verbose
- -A : OS detection, version detection, script scanning, and traceroute
- -T4 : scan with faster execution (aggressive timing template)
See the Nmap man page for the full list of options.
Nmap is a useful forensics tool in that it lets you determine which ports on a system are open and which services are listening on them.
Some useful Nmap flag combinations:
- nmap -A -T4 [ip_address] – service/OS detection with port scan
- nmap -sP [ip_address_range] – ping-only scan of a network range (-sP is the older name for -sn)
SANS has published a handy Nmap cheat sheet.
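For the forensics use described above, the scan output is usually more useful saved with -oX and compared against what a host is documented to run. The following is an added example, not code from the page or from the Nmap project: it parses Nmap's XML output (a constructed sample stands in for a real `nmap -sV -O -oX` result) and reports open ports that are missing from an assumed per-host baseline.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -O -oX -` output; not a real scan result.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 10.0.0.5">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https" conf="3"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/>
        <service name="krb524" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 5.4 - 5.15" accuracy="95"/></os>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {addr: {"os": name or None, "ports": [(port, proto, name, product, version)]}}
    for every host in the XML, keeping only ports Nmap reports as open."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        osmatch = host.find("os/osmatch")  # present only when -O / -A was used
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            open_ports.append((int(port.get("portid")), port.get("protocol"),
                               get("name"), get("product"), get("version")))
        hosts[addr_el.get("addr")] = {
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": sorted(open_ports)}
    return hosts


def unexpected_ports(hosts, baseline):
    """Open ports per host that are not in that host's documented baseline
    (baseline maps addr -> set of (port, proto) tuples; assumed format)."""
    return {addr: [p for p in info["ports"] if (p[0], p[1]) not in baseline.get(addr, set())]
            for addr, info in hosts.items()}


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_XML)
    for addr, extra in unexpected_ports(found, {"10.0.0.5": {(22, "tcp"), (80, "tcp")}}).items():
        for port, proto, name, product, version in extra:
            print(f"{addr}: {port}/{proto} ({name} {product or ''} {version or ''}) not in baseline")
```

Generate real input with `nmap -sV -O -oX scan.xml [ip_address]` and pass the file contents to `parse_nmap_xml`; a service reported with a low `conf` value (table lookup rather than a probe) is a hint to re-run with -sV against that port.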