nmap -v 95.111.13.111 -sU -p 1000-1200

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-09 07:24 CDT
Initiating Ping Scan at 07:24
Scanning 95.111.13.111 [4 ports]
Completed Ping Scan at 07:24, 0.03s elapsed (1 total hosts)
Initiating UDP Scan at 07:24
Scanning d1m0.com (95.111.13.111) [201 ports]
Discovered open port 1194/udp on 95.111.13.111
Not shown: 200 closed ports
PORT STATE SERVICE
1194/udp open openvpn

Spoofing & Decoy Scan

When we are scanning machines that are not ours, we often want to hide our IP (our identity). Obviously, every packet must contain our source address or else the response from the target system will not know where to return to. Nmap allows us to use decoy IP addresses so that it looks like many IP addresses are scanning the target.

We can do this by using the -D switch, such as:

nmap -sS 192.168.89.191 -D 10.0.0.1,10.0.0.2,10.0.0.4

Evading Firewalls

Many firewalls and routers block or drop the ICMP (echo request, echo reply) ping. This is meant to obscure the presence of the hosts behind the firewall and protect against a possible DoS using the ping packet.To get around firewalls and routers that block or drop the ping, we need to suppress nmap’s default behavior of sending out that initial ping and get past the firewall that is blocking us. We can do this by using the -P0 switch:

nmap -sS -P0 192.168.3.10

Reason

Note in the output from the UDP scan above that some ports are reported as open/filtered. This indicates that nmap cannot determine whether the port is open or it is filtered by a device such as a firewall.

nmap -sU --reason 192.168.3.10

Using a List

Many times we want to scan a list of IP addresses and not an entire subnet. We can use any text editor and create a list of IP addresses and “feed” it to nmap. Here, I am using Leafpad, which is built into Kali (any text editor will work), to put together a list of IP addresses I want to scan.

nmap -iL scanlist.txt