NMAP:

  • HOST DISCOVERY
  • TCP SCAN
  • UDP SCAN
  • PROTOCOL SCAN
  • PORT SCAN
  • SERVICE DETECTION
  • OS FINGERPRINTING

Host Discovery:

-------------------
Ping Scan [Active]:
-------------------

nmap -sP [IP_ADDRESS]                      | Ping scan (-sP is the legacy alias of -sn: host discovery only, no port scan)

nmap -PE -sn -n [NET_BLOCK]                | ICMP echo ping sweep, no DNS resolution | EX: nmap -PE -sn -n 10.50.96.0/23

nmap -sL -n [NET_BLOCK]                    | List scan: only enumerates the targets and sends no packets (it does NOT report live hosts)

nmap -sP -PP [IP_ADDRESS]                  | Ping with the ICMP timestamp request

nmap -sP -PM [IP_ADDRESS]                  | Ping with the ICMP netmask request

nmap -PS -sn --disable-arp-ping [IP_ADDRESS] | -PS: TCP SYN ping (port 80 by default) instead of the ARP ping


----------------------
No Ping Scan [Active]:
----------------------

nmap -Pn -n [IP_ADDRESS]                   | Skip host discovery, treat every host as up

nmap -P0 -n [IP_ADDRESS]                   | Same as above (-P0 is the deprecated spelling of -Pn)



-----------------------------------
Ping Scan [Slow timing templates]:
-----------------------------------

nmap -sP -T sneaky [IP_ADDRESS]                | [1] -T1 "sneaky": one probe at a time, 15 s between probes (still an active scan)

nmap -sP -T paranoid  [IP_ADDRESS]             | [0] -T0 "paranoid": one probe at a time, 5 min between probes (still an active scan)

Extra commands:

nmap --disable-arp-ping [IP_ADDRESS]       | skip the ARP ping on the local LAN so the ICMP/TCP ping probes are used instead

nmap --send-ip [IP_ADDRESS]                | send raw IP packets instead of Ethernet frames (also bypasses the ARP ping on the LAN)

nmap -PS[port] -sn --disable-arp-ping [IP_ADDRESS] | TCP SYN ping against a specific port, e.g. -PS443 (no space between -PS and the port)

nmap -sS -p- [IP_ADDRESS]                  | -p- scans all ports from 1 to 65535

nmap -sA -p [port] [IP_ADDRESS]            | ACK scan: maps firewall rule sets by reporting ports as filtered or unfiltered (it cannot tell open from closed)

nmap -iL hosts.list 192.168.90.8 -sS -p 80,21,23 --randomize-hosts      | read targets from hosts.list (plus one extra target) and scan them in random order

nmap -iL hosts.list 192.168.90.8 -sS -p 80,21,23 --randomize-hosts -T 2 | -T sets the timing template: lower number = slower scan with more delay between probes

Port Scanning:

TCP Scan:

----------------------------
TCP Connect [FULL] [Active]:
----------------------------

nmap -sT -n [IP_ADDRESS]            | Full three-way handshake through the OS socket API (no raw packets, no root needed)

-----------------------------
TCP SYN [Half Open] [Active]:
-----------------------------

nmap -sS -n [IP_ADDRESS]            | Half Open Scan: send SYN, read the reply, never complete the handshake

-------------------------------------
TCP Stealth Scan [Active, low-noise]:
-------------------------------------

nmap -sS -n [IP_ADDRESS]            | Half Open Scan

nmap -sF -n [IP_ADDRESS]            | FIN scan: only the FIN flag set

nmap -sX -n [IP_ADDRESS]            | Xmas scan: FIN, PSH and URG flags set

nmap -sN -n [IP_ADDRESS]            | Null scan: no flags set
                                    | (FIN/Xmas/Null rely on RFC 793 behaviour: closed ports answer RST, open ports stay silent; Windows targets answer RST on every port)

UDP Scan:
---------

nmap -n -sS -sU -p53 [IP_ADDRESS]   | UDP scan of port 53 (DNS), combined with a TCP SYN scan of the same port

Protocol Scan:
--------------

nmap -sO -n [IP_ADDRESS]            | IP protocol scan: lists which IP protocols (TCP, UDP, ICMP, ...) the target responds to

OS Fingerprint:
---------------

nmap -O -v [IP_ADDRESS]                           | OS fingerprinting; with -v it also prints the IP ID sequence class, which is how candidate [zombie hosts] for an idle scan are identified

nmap --script smb-os-discovery -p 445 192.168.2.3 | SMB OS discovery [OS Fingerprinting]

Service Detection:
------------------

nmap -sV [IP_ADDRESS]                              | probe the open ports to identify service names and versions

NMAP Scripts:

nmap --script-help "smb* and discovery"            | search for scripts by name/category expression | EX: smb-* scripts in the discovery category

nmap --script-updatedb                             | update the NSE script database after adding or editing scripts

nmap --script-help whois-domain                    | show what the script does and which arguments it takes

nmap --script whois-domain foocampus.com -sn       | General whois lookup for the recon phase (no port scan)

nmap --script smb-os-discovery -p 445 192.168.2.3  | SMB OS discovery

nmap --script smb-enum-shares -p 445 192.168.2.3   | Enumerate SMB shares

nmap --script auth 192.168.2.3                     | run every script in the "auth" category (authentication and credential checks)

nmap --script default 192.168.2.3                  | run the "default" category (what -sC runs); includes OS, workgroup and NetBIOS discovery scripts

nmap --script=smb-enum-shares 192.168.9.33         | lists the SMB shares and, where possible, the access each share allows

nmap --script=smb-enum-users 192.168.2.33          | enumerates the user accounts on the target over MSRPC (SAMR and LSA), not just current sessions

nmap --script=smb-brute 192.168.3.44               | brute-force SMB usernames and passwords

Firewall Evasion:

nmap -sS --mtu 8 [IP_ADDRESS]    | Fragment the probes with a custom MTU (must be a multiple of 8); only raw-packet scans such as -sS can be fragmented, -sT cannot

nmap -sV --mtu 16 [IP_ADDRESS]   | Fragmentation applies only to the port-scan phase; the -sV version probes use full OS connections and go out unfragmented

nmap -sS -T[0-5] [IP_ADDRESS]    | Timing template: 0 is paranoid, 1 is sneaky, 5 is insane

nmap -sS -D decoy1,decoy2,decoy3,ME [Target machine]                 | decoy scan: the target also sees probes from the decoy addresses; ME marks where the real source goes in the list (no spaces after the commas)

nmap -sS [IP_ADDRESS] -p port1,port2,port3,port4 --max-retries 1    | if a probe gets no response, retransmit it at most once (no spaces in the port list)

nmap -sS --source-port [portNumber] [IP_ADDRESS]                     | set the source port of the probes

nmap -sS -g [portNumber] [IP_ADDRESS]                                | -g is the short form of --source-port (they are the same option, passing both is redundant)

nmap -sS 192.168.2.1 -Pn -n -p 80 --disable-arp-ping                  | baseline SYN probe to one port: no ping, no DNS, no ARP ping

nmap 192.168.2.1 -f -Pn -n -p 80 --disable-arp-ping                   | -f: split the probes into 8-byte IP fragments

nmap 192.168.2.1 -f -Pn -n -p 80 --disable-arp-ping --data-length 100 | same, plus 100 bytes of random payload appended to each probe

nmap 192.168.2.1 -f -f -Pn -n -p 80 --disable-arp-ping                | -f -f: 16-byte fragments

nmap -D RND:10 -sS 192.168.2.1 -Pn -n -p 80 --disable-arp-ping        | RND:10 generates 10 random, non-reserved decoy addresses

nmap -sS --data-length 10 -p 21 192.168.50.3     | append 10 random bytes of payload to each probe (changes the packet size, not the header)

nmap --spoof-mac apple 192.168.90.8 -p 80 -Pn --disable-arp-ping -n   | MAC spoofing: random MAC with an Apple vendor prefix

nmap --spoof-mac 0 192.168.90.8 -p 80 -Pn --disable-arp-ping -n       | random MAC spoofing (0 = fully random MAC)

nmap --spoof-mac 00:11:22:33:44:55 192.168.90.8 -p 80 -Pn --disable-arp-ping -n | custom MAC address

Idle Scan:
----------

nmap --script ipidseq 192.169.8.3 -p 135          | classify the candidate zombie's IP ID sequence (it must be "Incremental" to be usable)

nmap -O -v 192.169.8.3 -p 135                      | -O -v also prints the IP ID sequence generation class

** Use an open port on the zombie to speed up the scan

nmap -sI 192.169.8.2:135 192.168.8.4 -p 23 -Pn --packet-trace | idle scan of 192.168.8.4 port 23 through zombie 192.169.8.2:135; --packet-trace shows every probe and reply

nmap -n -P0 -sI [IP_ADDRESS:PortNumber] [Target_IP]

NMAP & HPING [Idle Scan]:
-------------------------

hping3 -S -r -p [zombie port] [zombie IP]          | SYN-probe the zombie and print its IP ID as a relative increment (-r); hping3 takes a single host

nmap -S [zombie IP] [Target IP] -p [Target port] -Pn -n -e [Interface] --disable-arp-ping | probe the target with the zombie's address as source (-S), so the target's reply goes to the zombie; -e names the interface because the source address is not ours

** check the IP ID in the hping3 output: an increment of 2 between probes means the target port is open (the zombie answered the target's SYN/ACK with a RST), an increment of 1 means closed or filtered (the zombie received only a RST, or nothing, and sent nothing)

nmap -n -P0 -sI [Zombie_IP] [Target_IP]            | the same inference, automated by nmap
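To make the IP ID rule above concrete, here is an added Python example (not part of the original cheat sheet) that reproduces the inference nmap -sI automates: it parses constructed hping3 -r output, takes IP ID deltas modulo 2^16 so a counter wrap does not produce a bogus verdict, and discards rounds in which the zombie was busy with other traffic. The hping3 line format and the step threshold in is_incremental are assumptions.

```python
import re
from typing import List, Optional

IPID_WRAP = 1 << 16                           # IP ID is a 16-bit counter, so deltas wrap at 65536
HPING_ID_RE = re.compile(r"\bid=(\+?-?\d+)")  # hping3 -r prints the id as a relative step, e.g. id=+1

# Constructed sample of "hping3 -S -r" output from a zombie (not captured from a real host).
# The third reply is the one received right after the spoofed probe reached the target.
SAMPLE_HPING_OUTPUT = """\
len=46 ip=192.169.8.3 ttl=64 DF id=+1 sport=135 flags=RA seq=0 win=0 rtt=0.3 ms
len=46 ip=192.169.8.3 ttl=64 DF id=+1 sport=135 flags=RA seq=1 win=0 rtt=0.3 ms
len=46 ip=192.169.8.3 ttl=64 DF id=+2 sport=135 flags=RA seq=2 win=0 rtt=0.4 ms
len=46 ip=192.169.8.3 ttl=64 DF id=+1 sport=135 flags=RA seq=3 win=0 rtt=0.3 ms
"""

def parse_hping_relative_ids(output: str) -> List[int]:
    """Extract the per-reply IP ID increments that hping3 -r prints (id=+N)."""
    return [int(m.group(1)) for m in HPING_ID_RE.finditer(output)]

def ipid_delta(before: int, after: int) -> int:
    """Increment between two absolute IP IDs, modulo 2^16 (handles the counter wrapping)."""
    return (after - before) % IPID_WRAP

def is_incremental(ipids: List[int], max_step: int = 5) -> bool:
    """A zombie is usable only if its IP ID grows in small, steady steps (max_step is an assumed threshold)."""
    steps = [ipid_delta(a, b) for a, b in zip(ipids, ipids[1:])]
    return len(steps) >= 2 and all(1 <= s <= max_step for s in steps)

def infer_port_state(delta: int) -> str:
    """
    One idle-scan round, seen through the zombie's IP ID increment:
      1: only our own probe bumped the counter; the target sent the zombie a RST or nothing -> closed|filtered
      2: the zombie also answered the target's SYN/ACK with a RST -> open
      anything else: the zombie was talking to someone else, so this round is unreliable
    """
    return {1: "closed|filtered", 2: "open"}.get(delta, "unknown")

def infer_from_hping(output: str, reply_index: int) -> str:
    """Target port state, given the index of the hping3 reply received right after the spoofed probe."""
    rel = parse_hping_relative_ids(output)
    if reply_index >= len(rel):
        raise ValueError("no hping3 reply recorded after the spoofed probe")
    return infer_port_state(rel[reply_index])

def consensus(deltas: List[int]) -> Optional[str]:
    """Repeat rounds as nmap does and accept only a unanimous verdict; noisy rounds are dropped."""
    verdicts = {infer_port_state(d) for d in deltas} - {"unknown"}
    return verdicts.pop() if len(verdicts) == 1 else None
```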
