There are some really good examples of stealth scanning in the man pages - there are various parameters you can apply to the scans. Check them all out to make your own scan, but this is the one I like to use:
nmap -sS -O 192.168.0.0-253
EXAMPLES
Here are some examples of using nmap, from simple and normal to a little more complex/esoteric. Note that actual numbers and some actual domain names are used to make things more concrete. In their place you should substitute addresses/names from your own network. I do not think portscanning other networks is illegal; nor should portscans be construed by others as an attack. I have scanned hundreds of thousands of machines and have received only one complaint. But I am not a lawyer and some (anal) people may be annoyed by nmap probes. Get permission first or use at your own risk.
nmap -v target.example.com
This option scans all reserved TCP ports on the machine target.example.com . The -v means turn on verbose mode.
nmap -sS -O target.example.com/24
Launches a stealth SYN scan against each machine that is up out of the 255 machines on class "C" where target.example.com resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and the OS detection.
nmap -sX -p 22,53,110,143,4564 198.116.*.1-127
Sends an Xmas tree scan to the first half of each of the 255 possible 8 bit subnets in the 198.116 class "B" address space. We are testing whether the systems run sshd, DNS, pop3d, imapd, or port 4564. Note that Xmas scan doesn't work on Microsoft boxes due to their deficient TCP stack. Same goes with CISCO, IRIX, HP/UX, and BSDI boxes.
nmap -v --randomize_hosts -p 80 *.*.2.3-5
Rather than focus on a specific IP range, it is sometimes interesting to slice up the entire Internet and scan a small sample from each slice. This command finds all web servers on machines with IP addresses ending in .2.3, .2.4, or .2.5. More interesting machines are found starting at 127, so you might want to use "127-222" instead of the first asterisks because that section has a greater density of interesting machines (IMHO).
host -l company.com | cut -d ' ' -f 4 | ./nmap -v -iL -
Do a DNS zone transfer to find the hosts in company.com and then feed the IP addresses to nmap. The above commands are for my GNU/Linux box. You may need different commands/options on other operating systems.
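The target notations used throughout these examples (an octet range like 0-253, a wildcard like *, and a /24 block) are easy to misjudge when estimating how many hosts a scan will touch, which matters when you are reviewing an authorised scan plan or sizing the traffic a sensor should expect. The following is an added example, not part of the original post or of nmap itself; it expands numeric IPv4 target specs the way the examples above describe them (hostnames such as target.example.com would need DNS resolution and are not handled), counts the resulting addresses, and checks whether a given address falls inside a spec. The function names are this example's own.

```python
import ipaddress
import itertools
from typing import Iterator, List


def _expand_octet(spec: str) -> List[int]:
    """Expand one dotted-quad field: '*' -> 0..255, 'a-b' -> a..b, 'a,b' -> both."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo_i = int(lo) if lo else 0      # nmap treats '-5' as 0-5
            hi_i = int(hi) if hi else 255    # and '250-' as 250-255
        else:
            lo_i = hi_i = int(part)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range {part!r} in {spec!r}")
        values.update(range(lo_i, hi_i + 1))
    return sorted(values)


def _octet_ranges(spec: str) -> List[List[int]]:
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted fields in {spec!r}")
    return [_expand_octet(o) for o in octets]


def expand_targets(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by a single numeric nmap-style spec."""
    if "/" in spec:
        # CIDR block: every address in it, network and broadcast included.
        net = ipaddress.ip_network(spec, strict=False)
        for addr in net:
            yield str(addr)
        return
    for combo in itertools.product(*_octet_ranges(spec)):
        yield ".".join(str(o) for o in combo)


def count_targets(spec: str) -> int:
    """Number of addresses a spec expands to, without materialising them."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    total = 1
    for values in _octet_ranges(spec):
        total *= len(values)
    return total


def matches(spec: str, addr: str) -> bool:
    """True if addr is one of the addresses the spec expands to."""
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {addr!r}")
    return all(p in set(values) for p, values in zip(parts, _octet_ranges(spec)))


def read_target_list(text: str) -> List[str]:
    """Split a target list as fed to 'nmap -iL -': whitespace-separated specs."""
    return text.split()


if __name__ == "__main__":
    # Specs taken from the examples above; the counts are what they expand to.
    for spec in ("192.168.0.0-253", "198.116.*.1-127", "*.*.2.3-5", "192.0.2.0/24"):
        print(f"{spec:18s} -> {count_targets(spec):7d} addresses")
```

Note that the wildcard and a full 0-255 range both cover 256 values, so 198.116.*.1-127 is 256 subnets times 127 hosts each, and *.*.2.3-5 reaches 196608 addresses even though it samples only three hosts per /24.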