host enum
- host discovery
- scan network range: -sn does host discovery only (no port scan), -oA writes tnet.nmap / tnet.gnmap / tnet.xml, and the grep/cut pulls the address out of the "Nmap scan report for ..." lines
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
- caveat: if reverse DNS resolves, field 5 is the hostname, not the IP; add -n or read the IPs from tnet.gnmap instead
- official nmap guide https://nmap.org/book/host-discovery-strategies.html
- host and port scanning
- top 10 ports (default scan type is -sS SYN scan when run as root, -sT otherwise)
sudo nmap 10.129.2.28 --top-ports=10
- trace the packets: -Pn skips host discovery, -n skips DNS resolution, --disable-arp-ping sends no ARP ping on a local subnet
sudo nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping
- tcp connect: -sT completes the three-way handshake (noisier, logged by the service, but needs no raw sockets); --reason shows why each port got its state
sudo nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT
- open udp ports: -F is the top 100 ports; udp is slow and a probe with no answer is reported as open|filtered, so -sV helps confirm
sudo nmap 10.129.2.28 -F -sU
- saving the results
- save results in all formats (-oA: target.nmap normal, target.gnmap grepable, target.xml)
sudo nmap 10.129.2.28 -p- -oA target
- convert xml to html (needs xsltproc; it uses the stylesheet referenced inside the xml)
xsltproc target.xml -o target.html
- service enumeration
- service scan with stats updates (-sV probes open ports for banner/version; --stats-every prints progress at the given interval, useful on a full -p- scan)
sudo nmap 10.129.2.28 -p- -sV --stats-every=5s
- nmap scripting engine
- using scripts: comma-separated script names or categories; nmap --script-help <name> shows what a script does
nmap <target> --script <script-name>,<script-name>
like --script vuln (runs every script in the vuln category; some are intrusive, check before running against production)
- performance
bypass security measures
- firewall and ids/ips evasion
- decoy scan to evade IPS blocking subnet: -D RND:5 mixes 5 random source addresses with your own; put ME in the list to choose your own position, otherwise it is random
-D RND:5
- using a different address: -S spoofs the source IP, -e picks the interface; replies go to the spoofed address, so you only see results if they still pass your interface (sniff with tcpdump to check)
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
- dns proxy: only matters when names are resolved (i.e. without -n); lets a name server inside the network do the lookups when the firewall allows dns through
--dns-server <ns>,<ns>
- scan from another source port (flags only, run as sudo nmap <target> ...; --source-port needs raw sockets, so root)
-v -sV -p- -Pn -n --disable-arp-ping --source-port 53
- connect from a different source port too (binding a port below 1024 needs root, so sudo)
nc -nv -p 53 10.129.99.171 50000
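Added example, not from these notes and not nmap's own tooling: shell helpers that post-process the .gnmap file -oA writes. They cover the host discovery sweep (listing live hosts without the grep/cut pipeline breaking on hostnames), the -p- -sV port scan (open ports with service and version), and the firewall evasion check at the end (diff a default scan against a --source-port 53 scan to see what the firewall let through). The sample .gnmap contents, IPs, ports and versions are constructed for the example; the function names live_hosts, open_ports, new_ports and make_samples are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example for these notes (not nmap's own tooling): post-process the
# grepable output (.gnmap) that -oG/-oA writes, using only awk, sort and comm.
# All sample scan files below are constructed; nothing here touches the network.

# live_hosts FILE
# IPs that a host-discovery (-sn) scan reported as "Status: Up".
# Works even when reverse DNS filled in a hostname, unlike cut -f5 on stdout.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# open_ports FILE
# One "ip port/proto service version" line per open port. A .gnmap host line is
# tab-separated ("Host: ip (name)", "Ports: ...", "Ignored State: ...") and each
# port entry is port/state/proto/owner/service/rpc/version/ ; nmap does not put
# a literal "/" inside those fields, so splitting on "/" is safe.
open_ports() {
    awk -F'\t' '/^Host:/ {
        ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            entries = $i; sub(/^Ports: /, "", entries)
            n = split(entries, e, /, /)
            for (j = 1; j <= n; j++) {
                split(e[j], f, "/")
                if (f[2] != "open") continue
                printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
            }
        }
    }' "$1"
}

# new_ports BASE ALT
# ip/port pairs open in ALT but not in BASE: run the same port scan twice, once
# normally and once with --source-port 53 (or through decoys), and diff them to
# see what the firewall actually let through.
new_ports() {
    base=$(mktemp) alt=$(mktemp)
    open_ports "$1" | cut -d' ' -f1,2 | sort -u > "$base"
    open_ports "$2" | cut -d' ' -f1,2 | sort -u > "$alt"
    comm -13 "$base" "$alt"
    rm -f "$base" "$alt"
}

# make_samples
# Writes three constructed .gnmap files into a temp dir and prints the dir:
# tnet.gnmap (ping sweep), target.gnmap (default -p- -sV), target-sp53.gnmap
# (same scan with --source-port 53, where 445 went from filtered to open).
make_samples() {
    d=$(mktemp -d)
    printf '# Nmap 7.94 scan initiated as: nmap 10.129.2.0/24 -sn -oA tnet\n' > "$d/tnet.gnmap"
    printf 'Host: 10.129.2.%s ()\tStatus: Up\n' 4 10 28 >> "$d/tnet.gnmap"
    svc='22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/'
    printf 'Host: 10.129.2.28 ()\tStatus: Up\n' > "$d/target.gnmap"
    printf 'Host: 10.129.2.28 ()\tPorts: %s, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)\n' "$svc" >> "$d/target.gnmap"
    printf 'Host: 10.129.2.28 ()\tStatus: Up\n' > "$d/target-sp53.gnmap"
    printf 'Host: 10.129.2.28 ()\tPorts: %s, 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (65532)\n' "$svc" >> "$d/target-sp53.gnmap"
    printf '%s\n' "$d"
}

# Stand-alone run: show all three helpers on the constructed files.
dir=$(make_samples)
echo "live hosts:";                 live_hosts "$dir/tnet.gnmap"
echo "open ports (default scan):";  open_ports "$dir/target.gnmap"
echo "new with --source-port 53:";  new_ports "$dir/target.gnmap" "$dir/target-sp53.gnmap"
rm -rf "$dir"
```

On a real engagement point the functions at the files -oA produced (tnet.gnmap, target.gnmap) instead of make_samples; for the evasion check, keep the two scans otherwise identical (same -p, same -sV, same -Pn -n) so the only variable is the source port.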