Nmap works in two steps: first, host discovery (is the host up?); second, port scanning (what is the host running?).
nmap 192.168.1.1-10
If no host discovery options are given, Nmap sends:
- an ICMP echo request (ping)
- a TCP SYN packet to port 443
- a TCP ACK packet to port 80
- an ICMP timestamp request
Exception: for targets on the local Ethernet network, Nmap uses ARP requests (IPv4) or Neighbor Discovery (IPv6) instead.
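As an added example (not part of the original notes), a small Python detector that flags a source which has sent the complete default probe set above to the same target, run over constructed flow records. The `key=value` record format is an assumption made for the illustration.

```python
from collections import defaultdict

# The probe set Nmap sends by default to a non-local target (privileged user):
# ICMP echo (type 8), TCP SYN to 443, TCP ACK to 80, ICMP timestamp (type 13).
# Local-segment targets get ARP/ND instead, so this pattern only shows up for
# remote targets.
PROBE_SET = {"icmp_echo", "tcp_syn_443", "tcp_ack_80", "icmp_timestamp"}


def parse_record(line):
    """Parse one 'key=value key=value ...' flow line into a dict (assumed format)."""
    return dict(field.split("=", 1) for field in line.split())


def classify(rec):
    """Map a flow record to one of the four probe labels, or None if it is not one."""
    if rec.get("proto") == "icmp":
        return {"8": "icmp_echo", "13": "icmp_timestamp"}.get(rec.get("type"))
    if rec.get("proto") == "tcp":
        key = (rec.get("dport"), rec.get("flags"))
        return {("443", "S"): "tcp_syn_443", ("80", "A"): "tcp_ack_80"}.get(key)
    return None


def find_discovery_sweeps(lines, min_targets=1):
    """Return {src: sorted targets} for sources that sent the full probe set to a target."""
    seen = defaultdict(set)  # (src, dst) -> probe labels observed for that pair
    for line in lines:
        rec = parse_record(line)
        label = classify(rec)
        if label:
            seen[(rec["src"], rec["dst"])].add(label)
    hits = defaultdict(list)
    for (src, dst), labels in seen.items():
        if labels == PROBE_SET:  # all four probes seen: matches Nmap's default discovery
            hits[src].append(dst)
    return {src: sorted(dsts) for src, dsts in hits.items() if len(dsts) >= min_targets}


# Constructed sample flows: 10.0.0.5 sweeps two hosts; 10.0.0.9 is ordinary traffic.
SAMPLE_FLOWS = [
    "src=10.0.0.5 dst=10.0.0.20 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=443 flags=S",
    "src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=80 flags=A",
    "src=10.0.0.5 dst=10.0.0.20 proto=icmp type=13",
    "src=10.0.0.5 dst=10.0.0.21 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.21 proto=tcp dport=443 flags=S",
    "src=10.0.0.5 dst=10.0.0.21 proto=tcp dport=80 flags=A",
    "src=10.0.0.5 dst=10.0.0.21 proto=icmp type=13",
    "src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=443 flags=S",  # a normal HTTPS client
    "src=10.0.0.9 dst=10.0.0.20 proto=icmp type=8",  # a plain ping
]

if __name__ == "__main__":
    print(find_discovery_sweeps(SAMPLE_FLOWS))
```

A single ping or a lone SYN to 443 does not trigger the rule; only the full four-probe combination per target does, which is what distinguishes the default discovery from ordinary traffic.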
Default scan type when no scan type is given: SYN scan (when run with raw-packet privileges).
nmap [ip] -v
List scan (-sL): no scan at all. Nmap only does reverse DNS resolution of the targets to learn their names; a hostname alone can reveal interesting information.
nmap [ip] -sL
nmap -iR 300 -sL
nmap -iR 300 -sn
nmap -iR 10 -Pn -v
nmap [ip] -PS22-25,80,113,1050,35000 -v
nmap [ip] -PA22-25,80,113,1050,35000 -v
nmap [ip] -PU53 -v
nmap [ip] -PO1,2,4
nmap [ip] -PR
nmap [ip] -sL --dns-servers [ip1,ip2...]
nmap [ip] -sL --system-dns
nmap [ip] -sn --traceroute
Port scanning starts after the discovery stage. Use it when you need a port scan and want to know what kind of services are running. Most scan types are available only to privileged users.
SYN scan (-sS). Never completes TCP connections. Often referred to as a half-open scan because it does not open a full TCP connection. If no response is received after several retransmissions, the port is marked as filtered. Works against any compliant TCP stack.
nmap [ip] -sS -v
nmap [ip] -sT -v
UDP scan (-sU). Common UDP services: DNS 53, SNMP 161/162, DHCP 67/68. Generally slower and more difficult than TCP scanning. UDP scans work by sending a UDP packet to every targeted port.
nmap [ip] -sU -v
In combination with other scans:
nmap [ip] -sU -v -sS
nmap [ip] -sU -v -sV
nmap [ip] -sA -v
nmap [ip] -sW -v
NULL, FIN and Xmas scans (-sN, -sF, -sX). The advantage of these scan types is that they can sometimes sneak through certain non-stateful firewalls.
nmap [ip] -sN -v   # or -sF, -sX
nmap [ip] -sO -v
nmap [ip] -v -p 21-1000
nmap [ip] -p-65535 -v
nmap [ip] -p0- -v
nmap [ip] -v --top-ports 2000
nmap [ip] -v --top-ports 2000 --exclude-ports 80,21,5353,139-9000
nmap [ip] -v -p U:53,111,137,5353,T:21-25,80,139,8080 -sU -sS
nmap [ip] -v -p http,https,ftp
nmap [ip] -v -F