nmap

nmap -sL -n 10.10.12.13/29

nmap -sL -n 10.10.0-255.101-125

The -PR command will only scan for ARP scan.

(Remember to add -sn if you don’t want to follow that with a port scan.)

• Tryhackme nmap live host discovery

nmap -PR -sn $IP/24

The -PE command will only scan using ICMP echo request (ICMP Type 8)

(Remember to add -sn if you don’t want to follow that with a port scan.)

sudo nmap -PE -sn $IP/24

The -PP option tells Nmap to use ICMP timestamp requests. (ICMP Type 13)

sudo nmap -PP -sn 10.10.68.220/24

The -PM option tells Nmap to use address mask queries (ICMP Type 17)

sudo nmap -PM -sn $IP/24

The -PS option will use TCP SYN ping.

sudo nmap -PS -sn $IP/24

The -PA option will use ACK flag set

sudo nmap -PA -sn 10.10.68.220/24

The -PU option will use UDP packet to check if the host is online

sudo nmap -PU -sn $IP

The -sT option will establish the 3-way handshake of TCP

nmap -sT -oN nmap-connect 10.10.245.44

The -sS option will use the half-open or stealth scan

sudo nmap -sS -oN nmap-syn 10.10.202.54

The -sU will scan for the UDP ports and -F will enable fast mode it will scan fewer ports

sudo nmap -sU -F -oN nmap-udp 10.10.110.233

The -sN option will sent a TCP packet with all six flag bits are set to zero

sudo nmap -sN -oN nmap-null 10.10.97.213

The -sF option will only send the fin flag bit

sudo nmap -sF -oN nmap-fin 10.10.97.213

The -sX option or the xmas scan will use the fin/ack flag

sudo nmap -sX -oN nmap-xmass 10.10.97.213

The -sM option will also use fin/ack flag

• It exploits a vulnerability in some older Unix systems, causing them to respond with a RST (reset) packet if the port is closed, rather than ignoring the packet as expected.

sudo nmap -sM -oN nmap-maimon 10.10.97.213

The -sA option will use the ACK flag

sudo nmap -sA -oN nmap-ack 10.10.19.144

The -sW option or Window Scan uses the ACK flag

sudo nmap -sW -oN nmap-window 10.10.19.144

This will give you a spoof IP address

• where the third and fourth source IP addresses are assigned randomly, while the fifth source is going to be the attacker’s IP address.

sudo nmap -S SPOOFED_IP 10.10.13.210
nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME 10.10.243.16

The -sI will use the Idle scan or Zombie Scan

nmap -sI 10.10.5.5 $victimIP

Custom Scan

sudo nmap --scanflags URGACKPSHRSTSYNFIN 10.10.13.210

Decoy Scan

nmap -D DECOY_IP,ME 10.10.13.210

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

The -O option will detect the operating system of the system

sudo nmap -O -oN nmap-os 10.10.121.80

The -oN option will save the current nmap scan to a file

sudo nmap -oN nmap $IP

The -oX option will save the current nmap scan as a XML file

sudo nmap -oX nmap $IP

The -oS option will save the current nmap scan as a Script Kiddie file

sudo nmap -oS nmap $IP

The -oG option will save the current nmap scan to a grepable format

sudo nmap -oG nmap $IP

The -iL options will read the ips in the list provided

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

Just scanning multiple IP at a time

sudo nmap -sn -oA tnet 10.129.2.18 10.129.2.19 10.129.2.20| grep for | cut -d" " -f5

sudo nmap -sn -oA tnet 10.129.2.18-20| grep for | cut -d" " -f5

Just using the vuln script

nmap 10.129.223.9 -p 80 -sV --script vuln

Showing the time out

sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

• -T 0 / -T paranoid

• -T 1 / -T sneaky

• -T 2 / -T polite

• -T 3 / -T normal

• -T 4 / -T aggressive

• -T 5 / -T insane

sudo nmap 10.129.2.0/24 -F -oN tnet.T5 -T 5

The -S option will be using different IP

sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

Using DNS as source port

# This first one gonna show the port is filtered
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace

# This second one gonna show the port is open since we have the source IP as 53/DNS
sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

# Then we can verify this
ncat -nv --source-port 53 10.129.2.28 50000

Enumerating NFS protocol with nse

sudo nmap 10.129.14.128 -p111,2049 -sV -sC
sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049

Enumerating SMTP protocol with nse

sudo nmap 10.129.14.128 -p25 --script smtp-open-relay -v

Enumerating MySQL protocol with nse

sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

Will bruteforce for SID in Oracle TNS

sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute

Enumerating IPMI protocol with nse checking version

sudo nmap -sU --script ipmi-version -p 623 ilo.inlanfreight.local

Enumerating Rsync with nse

nmap -sV --script "rsync-list-modules" -p <PORT> <IP>

Enumerating RDP with nse

nmap -sV -sC 10.129.201.248 -p3389 --script rdp*