As with most scanning requirements, Nmap has an option that simplifies and streamlines the process of performing TCP stealth scans:

1. To perform TCP stealth scans with Nmap, the -sS option should be used with the IP address of the host that is to be scanned:

2. In the example provided, a SYN scan was performed on the TCP port 80 of the specified IP address. Similar to the technique explained with Scapy, Nmap listens for a response and identifies the open ports by analyzing the TCP flags that are activated in any responses received. We can also use Nmap to perform scans on multiple specified ports by passing a comma-delimited list of port numbers, as follows:

3. In the example provided, a SYN scan was performed on the ports 21, 80, and 443 of the specified target IP address. We can also use Nmap to scan a sequential series of hosts by indicating the first and last port numbers to be scanned, separated using dash notation:

4. In the example provided, a SYN scan was performed on the TCP ports 20 through 25. In addition to providing us with the ability to specify the ports to be scanned, Nmap also has a preconfigured list of 1,000 commonly used ports. We can perform a scan on these ports by running Nmap without supplying any port specifications:

5. In the example provided, the 1,000 common ports defined by Nmap were scanned to identify a large number of open ports on the Metasploitable2 system. Although this technique is effective in identifying most services, it might fail to identify obscure services or uncommon port associations.

6. If a scan is to be performed on all possible TCP ports, all of the possible port address values need to be scanned. The portions of the TCP header that define the source and destination port addresses are both 16 bits in length. Moreover, each bit can retain a value of 1 or 0. As such, there are 2¹⁶, or 65,536, possible TCP port addresses. For the total possible address space to be scanned, a port range of 0 to 65535 needs to be supplied, as follows:

7. In the example provided, all of the 65,536 possible TCP addresses were scanned on the Metasploitable2 system. Take note of the fact that more services were identified in this scan than were identified in the standard Nmap 1,000 scan. This is evidence of the fact that a full scan is always best practice when attempting to identify all of the possible attack surface on a target. Nmap can also be used to scan TCP ports on a sequential series of hosts, using dash notation:

8. In the example provided, a SYN scan of the TCP port 80 was performed on all of the hosts within the range of addresses specified. Although this particular scan was only performed on a single port, Nmap also has the ability to scan multiple ports and ranges of ports on multiple systems simultaneously. Additionally, Nmap can also be configured to scan hosts based on an input list of IP addresses. This can be done using the -iL option and then specifying either the filename, if the file exists in the execution directory, or the path of the file. Nmap then cycles through each address in the input list and performs the specified scan against that address: