So, now making notecards for the commands and tools mentioned in the last post. Tonight was iptables and some nmap. Funny thing: the SANS 401.3 book (p2-37) says that the default run for a sweep would be -sP (probe scan; newer nmap versions spell it -sn), and that this is an ICMP 'ping sweep'. Well, looking at the SANS nmap cheat sheet, it says the default probe is TCP 80,443 and ICMP. Guess what it actually is? [For nmap version 6.40, run as root] an ICMP type 8/code 0 (echo request), a TCP SYN to port 443, a TCP ACK to port 80, and finally an ICMP type 13/code 0 (timestamp request). (Without root, nmap can't send raw packets, so you get a plain TCP connect to 80 and 443 instead.) There is also a reverse (DNS PTR) lookup unless you use the -n switch. You get the same result for a single host or a range. The exception is when you scan a host (or a range) on your local subnet: in that case you get ARP requests only (well, you still get the reverse name lookup unless you use -n). Sometimes you need to just play with this stuff and figure it out for yourself... I was a bit surprised at the ACK to 80, but I'm sure Fyodor has a good reason for that.
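If you want to confirm this yourself, the quickest way is `tcpdump -n` in one terminal while `nmap -sn` runs in another, then look for the probe pattern above. Here is an added example (not from the post, and not nmap's own code) that parses `tcpdump -n` lines and reports, per scanner/target pair, whether the traffic looks like nmap's default host discovery, ARP-only local discovery, or something else, and whether a reverse lookup went out. The capture lines are constructed to mimic tcpdump's output format; they are not a real capture.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n lines (NOT a real capture), modelled on the behaviour the post describes:
# a remote target receives ICMP echo (type 8), TCP SYN/443, TCP ACK/80 and ICMP timestamp (type 13),
# a PTR lookup goes out because -n was not used, and a target on the local subnet only gets ARP.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 53421, seq 0, length 8
12:00:00.000200 IP 192.168.1.10.61000 > 10.0.0.5.443: Flags [S], seq 918273645, win 1024, length 0
12:00:00.000300 IP 192.168.1.10.61000 > 10.0.0.5.80: Flags [.], ack 918273645, win 1024, length 0
12:00:00.000400 IP 192.168.1.10 > 10.0.0.5: ICMP time stamp query id 53421 seq 0, length 20
12:00:00.000500 IP 192.168.1.10.40111 > 192.168.1.1.53: 4242+ PTR? 5.0.0.10.in-addr.arpa. (42)
12:00:01.000100 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
12:00:02.000100 IP 192.168.1.10.50000 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
"""

# The four probes nmap 6.40 sends (as root) to a target that is not on the local subnet.
NMAP_REMOTE_DISCOVERY = {"icmp_echo", "tcp_syn_443", "tcp_ack_80", "icmp_timestamp"}

TCP_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP (echo request|time stamp query)")
PTR_RE = re.compile(r"IP (\S+)\.\d+ > \S+\.53: \d+\+? PTR\? (\S+?)\.in-addr\.arpa")
ARP_RE = re.compile(r"ARP, Request who-has ([\d.]+) tell ([\d.]+)")


def classify(line):
    """Return (probe_kind, scanner, target) for one tcpdump -n line, or None if unrecognised."""
    m = TCP_RE.search(line)
    if m:
        src, _sport, dst, dport, flags = m.groups()
        if flags == "S" and dport == "443":
            return "tcp_syn_443", src, dst
        if flags == "." and dport == "80":      # "[.]" is tcpdump's rendering of a bare ACK
            return "tcp_ack_80", src, dst
        return "tcp_other", src, dst
    m = ICMP_RE.search(line)
    if m:
        src, dst, kind = m.groups()
        return ("icmp_echo" if kind == "echo request" else "icmp_timestamp"), src, dst
    m = PTR_RE.search(line)
    if m:
        # The PTR name holds the target's octets reversed; recover the target so the
        # lookup is attributed to the same scanner/target pair as the probes.
        src, reversed_octets = m.groups()
        target = ".".join(reversed(reversed_octets.split(".")))
        return "ptr_lookup", src, target
    m = ARP_RE.search(line)
    if m:
        target, src = m.groups()
        return "arp_request", src, target
    return None


def probes_by_target(capture_text):
    """Group the probe kinds seen for each (scanner, target) pair."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        hit = classify(line)
        if hit:
            kind, src, dst = hit
            seen[(src, dst)].add(kind)
    return seen


def verdicts(capture_text):
    """Describe, per (scanner, target), what discovery traffic was sent."""
    out = {}
    for pair, kinds in probes_by_target(capture_text).items():
        if NMAP_REMOTE_DISCOVERY <= kinds:
            v = "nmap default host discovery (ICMP 8, SYN/443, ACK/80, ICMP 13)"
        elif "arp_request" in kinds:
            v = "ARP-only discovery (target on local subnet)"
        else:
            others = sorted(k for k in kinds if k != "ptr_lookup")
            v = "other traffic: " + ", ".join(others) if others else "no discovery probes"
        if "ptr_lookup" in kinds:
            v += "; reverse DNS lookup seen (scanner not run with -n)"
        out[pair] = v
    return out


if __name__ == "__main__":
    for (scanner, target), verdict in verdicts(SAMPLE_CAPTURE).items():
        print(f"{scanner} -> {target}: {verdict}")
```

To use it against a real run, save `tcpdump -n -l` output to a file while `nmap -sn <target>` runs, then feed the file's contents to `verdicts()`. The regexes follow tcpdump's default text format; other capture tools print differently and would need their own patterns.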

[update] The nmap man page covers this in detail. I hadn't bothered to look. Note to self: keep those man pages handy!