I’m a big fan of nmap‘s --top-ports option, which gives you the ability to leverage Fyodor’s latest Internet research on open ports on the Internet.
Basically, he scanned most of the Internet and determined which ports are usually open, and he built lists of the top ports for use within nmap. So now instead of saying:
nmap -p 1-10000 $target
…to hopefully get “most” of the ports you’re looking for, you can instead say:
nmap --top-ports 1000 $target
…which yields dramatically faster and more accurate results.
From the website:
93% in just 1,000 ports. Nice.
Anyway, the --top-ports option by default launches a TCP scan, and figuring out how to do both a TCP and a UDP scan at the same time isn’t intuitive for everyone. All you do is preceed your scan with the -s option, combined with the type of scans you want to do.
So, for both TCP and UDP, it’d be:
nmap -sTU --top-ports
That’s it. Here are the options I like to use for a basic scan:
nmap -vv -O -P0 -sTUV –top-ports 1000 -oA target $target
Which does all of the following:
get the operating system
tcp, udp, and version information
top 1,000 TCP and UDP ports
output in nmap, greppable, and XML format
As a special bonus for those wanting to use tcpdump to capture your scan traffic, you can just add --packet-trace to your scan to see the actual packets that leave and exit your box from right within nmap.