Scanning (Nmap)

Network scanning is where you identify active hosts, the open ports on those hosts, the services behind them, operating systems, system architecture and, with scripts, candidate vulnerabilities.

Nmap

Nmap is definitely the go-to option for network scanning whenever you can use it.

My default aggressive command for full coverage is:

nmap -A -p- -v -T4 -sU $ip | tee nmap.log

Sometimes with the -Pn flag as well (skips host discovery, for targets that drop ICMP and the TCP ping probes). Two caveats: -sU on its own makes this a UDP-only scan, so add -sS if TCP should be covered in the same run, and a full 65535-port UDP sweep is very slow because closed UDP ports answer with rate-limited ICMP errors or not at all.

Below are some cheat sheets.

Target Specification

SWITCH    | EXAMPLE                        | DESCRIPTION
          | nmap 192.168.1.1               | Scan a single IP
          | nmap 192.168.1.1 192.168.2.1   | Scan specific IPs
          | nmap 192.168.1.1-254           | Scan a range
          | nmap scanme.nmap.org           | Scan a domain
          | nmap 192.168.1.0/24            | Scan using CIDR notation
-iL       | nmap -iL targets.txt           | Scan targets from a file (one target per line)
-iR       | nmap -iR 100                   | Scan 100 random Internet hosts
--exclude | nmap --exclude 192.168.1.1     | Exclude the listed hosts (comma separated) from the scan

Host discovery

TECHNIQUE           | COMMAND                  | RESPONSE                                                                                                                       | DESCRIPTION
UDP Ping Scan       | nmap -sn -PU <TARGET IP> | UDP reply or ICMP port unreachable: host is up. Other ICMP errors (host/network unreachable, TTL exceeded) or no response: host is down | Reaches systems behind firewalls that filter TCP strictly. Default probe port is 40125; pick a likely closed port so the ICMP port unreachable comes back
ICMP ECHO Ping Scan | nmap -sn -PE <TARGET IP> | ICMP echo reply: host is up. No response: host is down                                                                          | Locates active devices and shows whether ICMP passes the firewall. Disadvantage: Windows Firewall blocks inbound echo requests by default, so Windows hosts commonly look down
TCP SYN Ping Scan   | nmap -sn -PS <TARGET IP> | SYN/ACK (port open) or RST (port closed): host is up. No response: host is down                                                 | Default probe port is 80; -PS22,443 adds others. No connection is completed, so the probe is usually not logged at the application level (firewalls and IDS can still see the SYN)
ARP Ping Scan       | nmap -sn -PR <TARGET IP> | ARP reply: host is up. No response: host is down                                                                                | ARP is a layer 2 protocol, so this only works on the local subnet. Very efficient; Nmap uses it automatically for targets on a local Ethernet network
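After a ping sweep the usual next step is to feed the live hosts into a port scan with -iL. The script below is an added example, not part of the original page: it extracts every host marked Status: Up from a greppable (-oG) sweep report and writes them to a targets file. The sweep output and the 10.0.0.0/29 addresses are constructed samples, and the -v flag is what makes Nmap list down hosts in -oG at all.

```shell
#!/bin/sh
# Host discovery hand-off: parse the hosts that answered a ping sweep out of
# nmap's greppable output and write them to a file for -iL.
# Added example, not from the original page.
set -eu

# Print one IP per line for every host reported "Status: Up" in a -oG file.
live_hosts_from_grepable() {
    awk '/^Host: / && /Status: Up/ {print $2}' "$1"
}

# Number of live hosts, for a quick sanity check of the sweep.
live_host_count() {
    live_hosts_from_grepable "$1" | wc -l | tr -d ' '
}

# Constructed sample output (not a real scan) of a sweep that combined
# ICMP echo, TCP SYN to 22/80/443, TCP ACK to 80 and UDP to 53:
#   nmap -sn -PE -PS22,80,443 -PA80 -PU53 -v -oG sweep.gnmap 10.0.0.0/29
sample_sweep() {
    cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sn -PE -PS22,80,443 -PA80 -PU53 -v -oG sweep.gnmap 10.0.0.0/29
Host: 10.0.0.1 (gw.lab)	Status: Up
Host: 10.0.0.2 ()	Status: Down
Host: 10.0.0.3 ()	Status: Up
Host: 10.0.0.4 ()	Status: Down
Host: 10.0.0.5 ()	Status: Up
# Nmap done
EOF
}

main() {
    gnmap="${1:-}"
    out="${2:-targets.txt}"
    if [ -z "$gnmap" ]; then
        # Real use: nmap -sn -PE -PS22,80,443 -PA80 -PU53 -v -oG sweep.gnmap <range>
        gnmap="$(mktemp)"
        sample_sweep > "$gnmap"
    fi
    live_hosts_from_grepable "$gnmap" > "$out"
    echo "$(live_host_count "$gnmap") live hosts written to $out"
    # Next stage: nmap -p- -T4 -iL "$out"
}

main "$@"
```

Combining several probe types in one -sn run is the point of the sample command: a host that drops ICMP will often still answer a SYN to 443 or a UDP probe to 53, so the union of the probes finds more of the live hosts than any single one.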

NSE Scripts

SWITCH        | EXAMPLE                                                                    | DESCRIPTION
-sC           | nmap 192.168.1.1 -sC                                                       | Scan with the default NSE scripts (the "default" category). Useful for discovery and generally considered safe
--script      | nmap 192.168.1.1 --script default                                          | Same as -sC
--script      | nmap 192.168.1.1 --script=banner                                           | Scan with a single script, here banner
--script      | nmap 192.168.1.1 --script "http-*"                                         | Scan with a wildcard: every script whose name starts with http-. Quote the pattern so the shell does not expand it
--script      | nmap 192.168.1.1 --script http-title,banner                                | Scan with two scripts, here http-title and banner
--script      | nmap 192.168.1.1 --script "default and not intrusive"                      | Default scripts minus those in the intrusive category. A plain "not intrusive" would select every non-intrusive script in the library, not just the default set
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1  | NSE script with arguments

Useful NSE Script Examples

COMMAND                                                                                                                               | DESCRIPTION
nmap -Pn --script=http-sitemap-generator scanme.nmap.org                                                                              | Spider a web site and generate a site map
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000                                                                 | Fast search for random web servers (-iR picks random Internet hosts, --open reports only hosts with port 80 open)
nmap -Pn --script=dns-brute domain.com                                                                                                | Brute-force hostnames to guess subdomains of domain.com
nmap -n -Pn -vv -O -sV --script "smb-enum-*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln-*,smb2-*" 192.168.1.1                 | SMB enumeration (older Nmap releases called the smb2-* scripts smbv2-enabled). Not entirely safe: the smb-vuln-* scripts are in the intrusive category and some in dos, so drop them when the target must not be disturbed
nmap --script whois* domain.com                                                                                                       | Whois query (whois-domain and whois-ip)
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org                                                                        | Spider the site and flag parameters whose values are reflected in the response without escaping, a common sign of cross-site scripting
nmap -p80 --script http-sql-injection scanme.nmap.org                                                                                 | Spider the site and test URL parameters and forms for error-based SQL injection

Firewall / IDS Evasion and Spoofing

Switch        | Example                                                                     | Description
-f            | nmap 192.168.1.1 -f                                                         | Send the scan (including ping probes) in tiny fragmented IP packets: 8 data bytes per fragment, or 16 with -ff. Harder for simple packet filters and IDS that do not reassemble
--mtu         | nmap 192.168.1.1 --mtu 32                                                   | Set your own fragment size; must be a multiple of 8
-D            | nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1  | Cloak the scan with decoy source addresses so the target sees probes from several hosts. -D RND:10 generates 10 random decoys. The decoys should be up, otherwise the target may effectively be SYN flooded
-D            | nmap -D decoy-ip1,decoy-ip2,ME,decoy-ip3,decoy-ip4 remote-host-ip           | Above example explained: ME marks the position of your own IP in the decoy order; without it Nmap places you at a random position
-S            | nmap -S www.microsoft.com www.facebook.com                                  | Spoof the source address (here scanning Facebook as if from Microsoft). Replies go back to the spoofed address, so you see no results unless you can sniff them; -e eth0 and -Pn are usually required
-g            | nmap -g 53 192.168.1.1                                                      | Use the given source port (same as --source-port). 53 or 20 sometimes slip past firewall rules that trust DNS or FTP-data traffic
--proxies     | nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1  | Relay connections through a chain of HTTP/SOCKS4 proxies (comma separated, no spaces). Only version detection and NSE scripts currently go through the proxies; host discovery, port scanning and OS detection do not
--data-length | nmap --data-length 200 192.168.1.1                                          | Append random data to sent packets so they do not carry Nmap's usual empty payload

Timing and Performance

SWITCH | EXAMPLE              | DESCRIPTION
-T0    | nmap 192.168.1.1 -T0 | Paranoid (0): intrusion detection system evasion; probes are serialized with 5 minutes between them
-T1    | nmap 192.168.1.1 -T1 | Sneaky (1): intrusion detection system evasion; probes are serialized with 15 seconds between them
-T2    | nmap 192.168.1.1 -T2 | Polite (2): slows the scan down to use less bandwidth and fewer target resources
-T3    | nmap 192.168.1.1 -T3 | Normal (3): the default speed
-T4    | nmap 192.168.1.1 -T4 | Aggressive (4): speeds the scan up; assumes you are on a reasonably fast and reliable network
-T5    | nmap 192.168.1.1 -T5 | Insane (5): fastest; assumes an extraordinarily fast network and may sacrifice accuracy for speed
