Port scanning is not explicitly illegal but it may throw up some red flags depending on who you scan and how aggreessive you are.
Firewalls and IDS may end up with logs of the IP that initiated the scan so remember that.
I do not claim to be any type of network or Nmap expert.
None of this was tested for any kind of DNS or IP leaks so I recommend that you do not try this on any network that you do not own or have written permission to test.
If you do this to a machine or network that is not owned by you or have written permission to test and get into legal trouble it is not my problem.
I accept no responsibility for what you may do with this information.
Now that that is out of the way.
I can’t say that I know for sure but I would put money on it that any serious professional pentester or network security admin starts their assements with this tool.
There just isn’t anything I have found or heard of that can compare to the many options it has.
Nmap is a tool everyone should learn how to use.
Don’t just blow it off as a silly port scanner.
Here is an example scan that I did on a test machine that I have.(don’t get excited it can’t connect to the internet)
I needed the MAC for some settings in my router.
I figured I’ll just do a -A scan without thinking about how the machine is setup.
For reference I use this all the time because scrolling through man pages gets annoying,
-A: Enable OS detection, version detection, script scanning, and traceroute
nmap -A xxx.xxx.x.xxx
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-21 23:19 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 4.05 seconds
So I tweaked the options a bit
Some of them were just ridiculous and besides I could have got up and went in the other room to find the MAC but that’s no fun.
nmap -A -n -Pn -sS -f -r --host-timeout 2m --min-parallelism 10 xxx.xxx.x.xxx
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-21 23:23 EDT
Nmap scan report for xxx.xxx.x.xxx
Host is up (0.012s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
xxx/tcp open xxxxx xxxxxxxxxxxxxxxxxxxxx
xxx/tcp open xxxxx xxxxxxxxxxxxxxxxxx
xxxx/tcp open xxxxx xxxxxxxxxxxxxxxxxx
|_http-title: Service Unavailable
xxxxx/tcp open xxxxx xxxxxxxxxxxxxxxxxxxx
MAC Address: xx:xx:xx:xx:xx:xx (MAC vendor)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone(too funny it isn’t a phone)
Network Distance: 1 hop
Service Info: OS: xxxxxxx
Host script results:
|_smb2-security-mode: SMB: Couldn’t find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
HOP RTT ADDRESS
1 11.73 ms xxx.xxx.x.xxx
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.54 seconds
Less than 2 minutes.
You may notice that it found open ports yet told me it couldn’t find at least one open and one closed.
I don’t quote understand this but I may be because the open ports were from the version scan about the services that it found.
Going to have to research this more.
So now I know I have quite a but of information about this machine.
Now if this had been an actual target this is very good information to start with.
In my opinion this shows how important of a tool Nmap is to learn.
There is much much more and much more that I do not know yet about Nmap.
If you’re are curious about anything or don’t understand something in this post or about Nmap I encourage you to reply.
Although I may not know the answer I most likely can help point you to it.