What computers are online? What services/ports in what versions are online/open?

over poorly or not so poorly documented LANs you can get an overview by using nmap.

yum install nmap; # centos/redhat
apt-get install nmap; # debian/ubuntu

# get a quick overview over the LAN-network (this is pretty fast, 2seconds even on wifi)

nmap -sP -PA21,22,25,3389 192.168.0.*

# this is the detailed scan

nmap -sS -p- -PE -PP -PS80,443 -PA3389 -PU40125 -A -T4 -oA networkscan-result-nmap-%D

# it takes a lot of time… so please be patient and come back later (3 cups coffee kind of later X-D)

also: the resulting xml is not well viewable inside a browser, you need to


xsltproc networkscan-result-nmap-030118.xml -o networkscan-result-nmap-030118.html

Results: for nmap detailed scan fritzbox 7170

nmap detailed scan fritzbox 7170

nmap detailed scan fritzbox 7170

These options are described in later chapters, but here is a quick summary of them.


Enables the efficient TCP port scanning technique known as SYN scan. Felix would have added a U at the end if he also wanted to do a UDP scan, but he is saving that for later. SYN scan is the default scan type, but stating it explicitly does not hurt.

Requests that Nmap scan every port from 1-65535. This is more comprehensive than the default, which is to scan only the 1,000 ports which we’ve found to be most commonly accessible in large-scale Internet testing. This option format is simply a short cut for -p1-65535. Felix could have specified -p0-65535 if he wanted to scan the rather illegitimate port zero as well. The -p option has a very flexible syntax, even allowing the specification of a differing set of UDP and TCP ports.
-PE -PP -PS80,443 -PA3389 -PU40125

These are all host discovery techniques (ping types) used in combination to determine which targets on a network really available and avoid wasting a lot of time scanning IP addresses that are not in use. This particular incantation sends ICMP echo request and timestamp request packets; TCP SYN packet to ports 80 and 443; TCP ACK packets to port 3389; and a UDP packet to port 40,125. If Nmap receives a response from a target host to any of these probes, it considers the host to be up and available for scanning. This is the most effective six-probe combination that we’ve found in large-scale empirical testing for host discovery against targets over the Internet. It is more extensive than the Nmap default, which is -PE -PS443 -PA80 -PP. In a pen-testing situation, you often want to scan every host even if they do not seem to be up. After all, they could just be heavily filtered in such a way that the probes you selected are ignored but some other obscure port may be available. To scan every IP whether it shows an available host or not, specify the -Pn option instead of all of the above. Felix starts such a scan in the background, though it may take many hours to complete.

This shortcut option turns on Advanced and Aggressive features such as OS and service detection. At the time of this writing it is equivalent to -sV -sC -O –traceroute (version detection, Nmap Scripting Engine with the default set of scripts, remote OS detection, and traceroute). More features may be added to -A later.

Adjusts timing to the aggressive level (#4 of 5). This is the same as specifying -T aggressive, but is easier to type and spell. In general, the -T4 option is recommended if the connection between you and the target networks id reasonably fast and reliable.
-oA avatartcpscan-%D

Outputs results in every format (normal, XML, grepable) to files named avatartcpscan-. where the extensions are .nmap, .xml, and .gnmap respectively. The gives the month, day, and year in a format like 073010. All of the output formats include the start date and time, but Felix likes to note the date explicitly in the filename. Normal output and errors are still sent to stdout[4] as well.

These are the Avatar Online netblocks discussed above. They are given in CIDR notation, but Nmap allows them to be specified in many other formats. For example, could instead be specified as

Since such a comprehensive scan against more than a thousand IP addresses could take a while, Felix simply starts it executing and resumes work on his Yagi antenna. An couple hours later he notices that it has finished and takes a peek at the results. Example 1.2 shows one of the machines discovered.