NMAP

After you discover open ports with Nmap, either check the Services section for manual exploits or try some automated NSE scripts.

Simple Scans:

My favorite CTF scan (a balance of information and speed for small IP sets). -A turns on OS detection, version detection, the default NSE scripts and traceroute, so -sC and -sV are redundant next to it; drop -A to speed the scan up:
nmap -sCVT -vv -A -p- 10.10.10.29

NSE vuln scripts:
nmap --script vuln 10.11.1.10

Quick TCP scan:
nmap -sC -sV -vv -oA quick 10.10.10.10

Quick UDP scans (the second combines a UDP scan with a SYN scan of the TCP ports in one run):
nmap -sU -sV -vv -oA quick_udp 10.10.10.10
nmap -sU -sS -vv 10.10.10.10

UDP scans send an empty UDP packet to each port (Nmap uses protocol-specific payloads for some well-known ports). An ICMP port unreachable reply means the port is closed, a UDP reply means it is open, and no reply at all is reported as open|filtered, because Nmap cannot tell an open port that ignored the probe from a firewall that dropped it. Firewalls, routers and Windows 10 hosts may drop ICMP as a security mechanism, so the scan will show nearly every UDP port as open|filtered. Linux also rate-limits ICMP unreachable replies to about one per second, which is why full-range UDP scans are so slow; adding -sV sends real protocol probes and gives a definite answer for the ports that matter.

Top 20 port scan:

--top-ports picks ports by the open-frequency column in /usr/share/nmap/nmap-services, which can be edited to fit your needs.

#nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt

Nmap live host sweep:
# nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt
# grep Up ping-sweep.txt | cut -d " " -f 2

DNS host sweep:
# nmap -sT -p53 172.16.5.1,5,6,10

Sweeping specified ports:
# nmap -p 80 10.11.1.1-254 -oG web-sweep.txt
# grep open web-sweep.txt | cut -d" " -f2
or
# nmap -A -p80 --open 10.11.1.0/24 -oG nmap-scan_10.11.1.1-254
# cat nmap-scan_10.11.1.1-254 | grep 80 | grep -v "Nmap" | awk '{print $2}'

Large CIDR Scans

#nmap -sn 172.16.64.0-255 -oG discovery.nmap

#cat discovery.nmap | grep Host | awk '{print $2}' > IPs.txt (grep for "Status: Up" instead if the sweep was run with -v, since verbose grepable output also lists hosts that are Down)

#nmap -sCVT -Pn -A -iL IPs.txt -oN portmaps.nmap

#nmap -sV -T4 -Pn --open -p- -iL IPs.txt -oN allports.nmap
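The grep/cut/awk one-liners in the sweeps above work on Nmap's grepable (-oG) format, and the UDP caveat above comes down to telling open from open|filtered in that same output. The following is an added example, not part of the original notes or of Nmap itself: two small sh functions that parse a -sn sweep and a port scan offline. The scan output embedded in it is constructed by hand (the addresses, hostnames and versions are made up) so the script runs without a target.

```shell
#!/bin/sh
# Offline parser for Nmap grepable (-oG) output: live hosts from a -sn sweep
# and open ports from a port scan, keeping UDP open|filtered separate.
# Example code added to these notes, not from Nmap; the sample output below is
# constructed by hand, not captured from a real network.

TAB="$(printf '\t')"   # -oG separates the fields of a host line with tabs

# Constructed -sn -oG output (run with -v, so Down hosts are listed too).
SWEEP_SAMPLE="# Nmap 7.94 scan initiated as: nmap -v -sn 172.16.64.0/24 -oG discovery.nmap
Host: 172.16.64.1 ()${TAB}Status: Up
Host: 172.16.64.2 (gw.lab.local)${TAB}Status: Down
Host: 172.16.64.10 ()${TAB}Status: Up
# Nmap done: 256 IP addresses (2 hosts up) scanned in 3.21 seconds"

# Constructed -oG output from a TCP+UDP port scan of the two live hosts.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/
PORTS_SAMPLE="# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -iL IPs.txt -oG allports.nmap
Host: 172.16.64.1 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///${TAB}Ignored State: filtered (997)
Host: 172.16.64.10 ()${TAB}Ports: 161/open|filtered/udp//snmp///, 53/closed/udp//domain///${TAB}Ignored State: open|filtered (998)
# Nmap done: 2 IP addresses (2 hosts up) scanned in 412.07 seconds"

# Live hosts only, read from stdin. A plain "grep Host" would also pick up the
# Status: Down lines that -oG writes when the sweep was run with -v.
up_hosts() {
  grep 'Status: Up' | awk '{print $2}'
}

# One "host port/proto state service" line per port reported open or
# open|filtered. Splits on tabs first so spaces inside version strings survive.
open_ports() {
  awk -F'\t' '
    /Ports:/ {
      split($1, h, " ")            # "Host: 172.16.64.1 ()" -> h[2] is the IP
      ports = ""
      for (i = 2; i <= NF; i++)
        if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")
        if (f[2] == "open" || f[2] == "open|filtered")
          printf "%s %s/%s %s %s\n", h[2], f[1], f[3], f[2], f[5]
      }
    }'
}

# Confirmed-open ports only: drops open|filtered, which for UDP just means
# "no reply" and is what a host that drops ICMP reports for every port.
confirmed_open() {
  open_ports | awk '$3 == "open"'
}

# Stand-alone demo: live hosts, then every open/open|filtered port.
printf '%s\n' "$SWEEP_SAMPLE" | up_hosts
printf '%s\n' "$PORTS_SAMPLE" | open_ports
```

To use it on real scans, feed the files instead of the samples: `up_hosts < discovery.nmap > IPs.txt` and `open_ports < allports.nmap`. The tab-first split is the part worth keeping: cutting on spaces breaks as soon as -sV puts a version string like "nginx 1.18" into the Ports field.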

Port knock example (knocks on 7000, 8000 and 9000 in order, one probe per port; --max-retries 0 stops Nmap retransmitting a probe, which would count as an extra knock, and the timeout is 201 ms, since a bare number is read as seconds):
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201ms --max-retries 0 -p $x 10.10.10.10; done

Port knocking is rare in corporate networks, and fuzzing for a knock sequence cannot be done quietly. Rather than hunting for it by hand, which is a waste of time, run an offline automated check for knock-like sequences over your network traffic dumps.
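The loop above sends the knocks but leaves checking whether anything opened to you. The script below is an added example, not part of the original notes or of Nmap or any knock daemon: it wraps the same Nmap calls in a function that knocks in order, waits, and then reports whether the protected port answers open. NMAP and KNOCK_SETTLE are names chosen here; NMAP lets a stub stand in for the real binary, KNOCK_SETTLE is the pause before the check.

```shell
#!/bin/sh
# Port-knock helper: send the knock sequence in order, then check whether the
# protected port opened. Example code added to these notes, not from Nmap or
# any knock daemon. NMAP and KNOCK_SETTLE are names chosen for this example.

NMAP="${NMAP:-nmap}"

# knock HOST KNOCK_PORT...  -- exactly one probe per knock port, in order.
# --max-retries 0 matters: a retransmitted probe would be an extra knock, and
# knockd-style daemons reset the sequence when they see an unexpected port.
knock() {
  host="$1"; shift
  for port in "$@"; do
    $NMAP -Pn --host-timeout 201ms --max-retries 0 -p "$port" "$host" >/dev/null 2>&1
  done
}

# knock_and_check HOST PROTECTED_PORT KNOCK_PORT...
# Returns 0 if PROTECTED_PORT reports open after the sequence, 1 otherwise.
knock_and_check() {
  host="$1"; protected="$2"; shift 2
  knock "$host" "$@"
  sleep "${KNOCK_SETTLE:-1}"   # give the daemon a moment to rewrite its firewall rule
  $NMAP -Pn -p "$protected" "$host" 2>/dev/null |
    grep -q "^$protected/tcp[[:space:]]*open"
}

# Stand-alone usage, matching the loop in the notes (needs a reachable target):
#   knock_and_check 10.10.10.10 22 7000 8000 9000 && echo "22/tcp opened after the knock"
```

Run as root the knocks go out as raw SYNs, which is all a knock daemon needs; as an unprivileged user Nmap falls back to a connect scan, and the short host timeout closes the socket before the kernel retransmits the SYN.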

Flags:

-O OS fingerprinting (compares TTL, TCP window sizes, TCP options, IP ID and ISN behaviour and other stack quirks against the nmap-os-db fingerprint database)

-sV banner grabbing/version detection. --version-intensity 0-9 (or --version-light / --version-all) controls how many probes are tried per port if you want to banner grab more aggressively; check the help screen for the rest of the -sV options.

-sT Connect scan

-sS SYN scan (the default when running as root; unprivileged users get a -sT connect scan instead)

-sU UDP scan

-sA ACK scan. Maps firewall behaviour (statefulness, filtering) rather than open ports. Ports where the host answers our ACK with a RST are reported unfiltered; those that get no answer (or an ICMP unreachable) are filtered. An unfiltered result means there is likely no firewall rule in place for that port, not that the port is open.

-sO IP protocol scan. This is not a port scan: instead of enumerating the port field it enumerates the 8-bit IP protocol field to see which protocols (TCP, UDP, ICMP, GRE, ...) the host supports. It looks for ICMP protocol unreachable messages rather than the port unreachable messages of a UDP port scan.

-sI <zombie host[:probe port]> idle (zombie) scan. Probes are spoofed from an idle zombie host on the network and the target's replies are inferred from changes in the zombie's IP ID (fragmentation identification) counter, so the target never sees a packet from your real address.

-A turns on OS detection, version detection, the default NSE script set and traceroute in one flag. It takes a long time and triggers alerts.

--open for sweeps to only return info on open ports

-sn host discovery only (ping sweep, no port scan)

-n no DNS resolution, faster and quieter for internals

-b <ftp relay host> FTP bounce scan. Hides the true scanning source by abusing the FTP PORT command on a misconfigured FTP server, making that server open the connections to ports on the target; it can also reach hosts the FTP server sees but you cannot.

-f turns on fragmentation (see "staying quiet"). Probes are split into 8-byte IP fragments, so each fragment of a SYN probe is 42 bytes on the wire (14 Ethernet + 20 IP + 8 bytes of TCP header); -ff uses 16-byte fragments.

--mtu like fragmentation but we specify the fragment size ourselves (must be a multiple of 8).

--source-port or -g sets the source port of our probes (e.g. 53 or 20) to slip past naive filters that trust traffic from those ports.

--max-retries if we get a time out how many times do we send the same packet

-oN normal output to file

-oG grepable output to file (one line per host, easy to grep/cut/awk as in the sweeps above)

-oA write all three formats (normal, grepable and XML) using the given basename, as in the quick scans above

RFC compliant scans:

These scans rely on hosts following RFC 793, which says what a TCP stack must do with odd packets: a closed port answers a packet carrying none of SYN, RST or ACK with a RST, while an open port silently drops it. So a RST reply means closed and no reply means open|filtered. This is NOT a stealth technique and will likely trigger IDS rules because of how odd the packets are, but it is a good last resort for finding live hosts/services and it can slip past simple stateless filters that only block SYN packets. Windows, many Cisco devices and IBM OS/400 do not follow the RFC and send a RST regardless, so every port shows as closed on them, and firewall rules can skew the results as well.

-sN TCP null scan. No flag bits are set in the header (all 0).

-sF FIN scan. Only sets the FIN bit.

-sX Xmas tree scan. Sets the FIN, PSH and URG flags.
