Commands
Ping scans / Host discovery scans
ARP scan
TCP SYN scan
ICMP scan
UDP scan
TCP ACK scan
Some scanning techniques
Basic scan
Nmap uses the basic TCP SYN scan (-sS) by default.
Scan that only lists hosts
Ports scan
Specify port ranges
Specify the particular ports
Specify all ports
Specify the most popular ports
Detection scans
OS detection
Service and daemon version detection
All scan
(Performs overall OS detection, service detection, version detection, script scanning and traceroute)
Scans with timing templates
A timing template determines how aggressively or stealthily the scan is performed.
-T0 (Paranoid)
This template is the slowest and is designed to avoid triggering intrusion detection systems.
-T1 (Sneaky)
This template is slower than the default and is also intended to avoid detection, but it is not as cautious as -T0.
-T2 (Polite)
This timing template is more reliable in certain situations where network conditions are unstable.
-T3 (Normal)
This is the default timing template which is generally considered a good balance between speed and reliability.
-T4 (Aggressive)
This template speeds up the scan significantly compared to -T3, often scanning more aggressively and with fewer delays.
-T5 (Insane)
This is the fastest timing template and is designed for networks where you have permission to scan aggressively and quickly. It can overwhelm some networks and is less stealthy than slower templates.
Example usage:
Scanning from file
The file file.txt contains a list of targets:
Other scanning techniques
Spoofing the scan
Spoofing can be used to make the scan appear to come from another source IP address instead of your own.
Using decoys for scan
Decoys can be used to make the scan appear to come from multiple source IP addresses in addition to your own.
Example:
RND can be used to generate a random IP address.
Scanning with fragmented packets
Nmap's scan packets can be fragmented with the -f option to bypass detection by firewalls and IDS.
The -f option fragments the IP packets into multiples of 8 bytes.
The -ff (or -f -f) option fragments the IP packets into multiples of 16 bytes.
Eg. If the size of an IP packet is 24 bytes, using -f will divide it into 3 packets of 8 bytes each. Similarly, using -ff will divide that packet into 2 packets of 16 bytes and 8 bytes, where the second packet's size is the remaining size.
Further, if you prefer to increase the size of your packets to make them look innocuous, you can use the option --data-length NUM, where NUM is the number of bytes of random data to append to your packets. The random data does not affect the functionality of the scan but changes the packet's structure.
The --mtu option can also be used in Nmap to manually specify the Maximum Transmission Unit (MTU) for packets, which is the largest unfragmented size of a packet that can be transmitted over a network.
Example:
Idle/Zombie scan
To overcome the limitation that spoofing works only in specific network setups, an idle or zombie scan can be used, where the zombie is an idle system connected to the network that you can communicate with.
Eg.
Saving nmap outputs
In normal format
Save your scan in normal format by using -oN FILENAME, where N stands for normal.
Example:
The output file will be in the format MACHINE_IP_scan.nmap
In grepable format
Save your scan in grepable format by using -oG FILENAME, where G stands for grepable.
The normal output is 21 lines, while the grepable output is only 4 lines.
Example:
The output file will be in the format MACHINE_IP_scan.gnmap
In XML format
Save your scan in XML format by using -oX FILENAME, where X stands for XML.
The XML format is the most convenient for processing the output in other programs.
Example:
The output file will be in the format MACHINE_IP_scan.xml
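Processing the XML output in another program, as an added example that is not part of the original notes: it parses a constructed -oX snippet with Python's standard library, collects the open ports of each live host, and flags any open port that is not on an allowlist. The element and attribute names follow Nmap's XML output; the addresses, products and versions in the sample are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of -oX output, trimmed to the elements used below;
# the addresses, products and versions are made up for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX 192.0.2.10_scan.xml 192.0.2.0/30" start="0">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Map each live IPv4 host to a list of (port, proto, state, service) tuples."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip hosts that did not respond (or have no IPv4 address)
        ports = []
        for port in host.findall("./ports/port"):
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else "unknown"
            svc = port.find("service")
            service = ""
            if svc is not None:  # only present when -sV identified something
                service = " ".join(v for v in (svc.get("name"), svc.get("product"),
                                               svc.get("version")) if v)
            ports.append((int(port.get("portid")), port.get("protocol"), state, service))
        results[addr.get("addr")] = ports
    return results

def open_ports(results, ip):
    """Open (port, proto) pairs for one host."""
    return [(p, proto) for p, proto, state, _ in results.get(ip, []) if state == "open"]

def unexpected_open(results, allowed):
    """Hosts exposing open ports outside an allowlist of {ip: {(port, proto), ...}}."""
    flagged = {}
    for ip in results:
        extra = [pp for pp in open_ports(results, ip) if pp not in allowed.get(ip, set())]
        if extra:
            flagged[ip] = extra
    return flagged
```

With the sample above and an allowlist of only SSH on 192.0.2.10, unexpected_open reports port 80/tcp on that host; the down host is skipped entirely.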