
I'm a cyber student, I'm working on nmap now and I didn't understand why I got a different answer on this scan type:


I'm studying nmap now on a website and I didn't understand something. When I'm trying to use nmap to scan ports with this command:

sudo nmap -sS x.x.x.x.

I get this:

    Nmap scan report for x.x.x.x
    Host is up (0.011s latency).
    Not shown: 992 closed ports
    PORT    STATE    SERVICE
    21/tcp  open     ftp
    22/tcp  open     ssh
    53/tcp  filtered domain
    80/tcp  open     http
    110/tcp open     pop3
    139/tcp open     netbios-ssn
    143/tcp open     imap
    445/tcp filtered microsoft-ds

But when I'm trying to use the -S command like this:

sudo nmap -sS x.x.x.x -S x.x.x.x -e eth0 -Pn

I get this:

Nmap done: 1 IP address (0 hosts up) scanned in 1.53 seconds

Why am I not getting open ports with the -S option but when I'm using the -sS/-sT option I'm getting the ports shown? When do you usually use the -S option?


Solution

  • This is a detailed explanation of those options; when you read them you will understand why you are getting no results on your scan. I hope you find this answer helpful.

    -S <IP_Address> (Spoof source address)

    In some circumstances, Nmap may not be able to determine your source address (Nmap will tell you if this is the case). In this situation, use -S with the IP address of the interface you wish to send packets through.
    
    Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! The -e option and -Pn are generally required for this sort of usage. Note that you usually won't receive reply packets back (they will be addressed to the IP you are spoofing), so Nmap won't produce useful reports.
    

    -e (Use specified interface)

    Tells Nmap what interface to send and receive packets on. Nmap should be able to detect this automatically, but it will tell you if it cannot.
    

    -Pn (No ping)

    This option skips the host discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning and to gauge the speed of the network. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. So if a /16 sized network is specified on the command line, all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target IP is active. Default timing parameters are used, which may result in slower scans. To skip host discovery and port scan, while still allowing NSE to run, use the two options -Pn -sn together.
    
    For machines on a local ethernet network, ARP scanning will still be performed (unless --disable-arp-ping or --send-ip is specified) because Nmap needs MAC addresses to further scan target hosts. In previous versions of Nmap, -Pn was -P0 and -PN.
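    The following is an added example, not part of the question, the answer, or Nmap itself. It models the packet exchange the answer describes: the target replies to whatever source address a SYN probe carries, and the scanner only ever receives replies addressed to its own interface. It also shows the -Pn difference from the text: without it, an unanswered host-discovery probe makes the host look down and the port scan never runs; with it, every port is probed and simply comes back "filtered". The IP addresses, port table and discovery port are constructed for the example, and the target keeps a log of the source addresses it saw, which is the defender's side of the same picture: a source address in a single SYN is unauthenticated, so a firewall or IDS entry alone does not prove who sent the probe.

```python
"""Model of why a spoofed-source SYN scan returns nothing to the scanner (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

SCANNER_IP = "10.0.0.5"    # constructed: address of the interface nmap sends from (-e eth0)
SPOOFED_IP = "10.0.0.99"   # constructed: address given to -S
TARGET_IP = "10.0.0.10"    # constructed: stands in for x.x.x.x in the question

# Constructed target: one port in each state the report in the question shows.
TARGET_PORTS = {21: "open", 22: "open", 53: "filtered", 80: "open", 8080: "closed"}
DISCOVERY_PORT = 80        # assumed: port the host-discovery probe is sent to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int
    flags: str  # "SYN" for probes, "SYN/ACK" or "RST" for replies


@dataclass
class Target:
    """Answers every probe to the address it claims as source, and logs that address."""
    seen_sources: list = field(default_factory=list)

    def handle(self, probe: Packet) -> Optional[Packet]:
        self.seen_sources.append(probe.src)
        state = TARGET_PORTS.get(probe.port, "closed")
        if state == "filtered":
            return None  # a firewall silently drops the probe
        flags = "SYN/ACK" if state == "open" else "RST"
        return Packet(src=TARGET_IP, dst=probe.src, port=probe.port, flags=flags)


def deliver(reply: Optional[Packet]) -> Optional[Packet]:
    """The network routes a reply to reply.dst; the scanner sees only packets for its own IP."""
    if reply is not None and reply.dst == SCANNER_IP:
        return reply
    return None


def syn_scan(target: Target, source_ip: str, ports, no_ping: bool = False):
    """Return (host_up, {port: state}) as the scanner perceives them.

    Without -Pn (no_ping=False) a host-discovery probe is sent first; if nothing
    comes back the host is reported down and no ports are scanned.  With -Pn
    every requested port is probed regardless.
    """
    if not no_ping:
        reply = deliver(target.handle(Packet(source_ip, TARGET_IP, DISCOVERY_PORT, "SYN")))
        if reply is None:
            return False, {}
    results = {}
    for port in ports:
        reply = deliver(target.handle(Packet(source_ip, TARGET_IP, port, "SYN")))
        if reply is None:
            results[port] = "filtered"        # no reply: dropped, or sent to someone else
        elif reply.flags == "SYN/ACK":
            results[port] = "open"
        else:
            results[port] = "closed"
    return True, results


if __name__ == "__main__":
    ports = sorted(TARGET_PORTS)
    print("own address, no -Pn:   ", syn_scan(Target(), SCANNER_IP, ports))
    print("spoofed, no -Pn:       ", syn_scan(Target(), SPOOFED_IP, ports))
    print("spoofed, -Pn:          ", syn_scan(Target(), SPOOFED_IP, ports, no_ping=True))
    logged = Target()
    syn_scan(logged, SPOOFED_IP, ports, no_ping=True)
    print("addresses the target logged:", set(logged.seen_sources))
```

    Run as a script it prints the three cases side by side: the normal scan recovers the port table, the spoofed scan without -Pn reports the host down, and the spoofed scan with -Pn reports every port as filtered because every reply was routed to the spoofed address. The last line shows the target's log containing only the spoofed address.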