One of the first steps to perform when we are pentesting is related to footprinting. In this phase what we typically do after having gathered information about the target is performing network scanning and enumeration. One of the most famous tool to perform network analysis and service discovery is nmap. In this document I will try to explain the basic concepts behind a network mapper and the varying types of analysis that can be performed. Although many pentesters out there are sticking to just a single (or a couple) of nmap commands, we will find out that depending on the situation, there may be various tunings that can be applied. These tunings can help us in order to:
- gather more information;
- be stealthier;
- bypass firewalls;
- devise advanced analysis techniques;