red-team discovery at layer 4 (tcp & udp ports)

playing with nmap

top 10 vs full-range

nmap scans the top 1000 ports by default; to change that, use e.g.

--top-ports 10
-p0-65535

tcp window scan

by default, ports are checked through the SYN / SYN-ACK exchange

but to cope with open|filtered results, there’s the TCP Window Scan (-sW).

nmap -sW ...

assess email services

see what ports an MX or outbound MTA offers

nmap -Pn -p 25,465,587 SMTP_SERVER

see what ports an IMAP server offers

nmap -Pn -p 143,993 IMAP_SERVER
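
to turn the two mail checks above into a repeatable audit of your own servers, the scan can be saved in nmap's grepable format (-oG) and compared with the ports each host is meant to expose. this is an added example, not part of the original page; the sample output, hosts and the EXPECTED_OPEN baseline are constructed assumptions.

```python
import re

# Constructed sample of `nmap -Pn -p 25,143,465,587,993 -oG -` output
# (documentation addresses and hostnames, not real scan results).
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (mx.example.test)\tStatus: Up
Host: 192.0.2.10 (mx.example.test)\tPorts: 25/open/tcp//smtp///, 465/closed/tcp//smtps///, 587/filtered/tcp//submission///
Host: 192.0.2.20 (imap.example.test)\tPorts: 143/open/tcp//imap///, 993/open/tcp//imaps///
"""

# Hypothetical baseline: the ports each of our hosts is meant to expose.
EXPECTED_OPEN = {
    "192.0.2.10": {25, 587},
    "192.0.2.20": {993},
}

PORT_ENTRY = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/")

def parse_grepable(text):
    """Return {host: {port: state}} from nmap grepable (-oG) output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and Status-only lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        states = results.setdefault(host, {})
        for entry in ports_field.split(","):
            m = PORT_ENTRY.match(entry.strip())
            if m:
                states[int(m.group(1))] = m.group(2)
    return results

def exposure_drift(observed, expected):
    """List (host, port, state, finding) where the scan disagrees with the baseline."""
    findings = []
    for host, states in sorted(observed.items()):
        want = expected.get(host, set())
        for port, state in sorted(states.items()):
            if state == "open" and port not in want:
                findings.append((host, port, state, "unexpected open port"))
            elif state != "open" and port in want:
                findings.append((host, port, state, "expected port not reachable"))
    return findings

if __name__ == "__main__":
    for finding in exposure_drift(parse_grepable(SAMPLE_GREPABLE), EXPECTED_OPEN):
        print(*finding)
```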

Licensed under MIT