1. Basic Host Discovery
Scans the target host using default settings. Identifies open ports and basic service information.
Scans an entire subnet to discover live hosts and open ports.
Performs a ping scan only. Identifies which hosts are alive without scanning ports.
2. Port Scanning Techniques
Scans a specific port on the target.
Scans a range of ports.
Scans all 65,535 TCP ports. Useful for deep enumeration.
nmap 192.168.1.10
nmap 192.168.1.0/24
nmap -sn 192.168.1.0/24
nmap -p 80 192.168.1.10
nmap -p 1-1000 192.168.1.10
nmap -p- 192.168.1.10
Scans the top 100 most common ports.
3. TCP Scan Types
Performs a TCP SYN scan (half-open scan). Fast and stealthy. Requires root privileges.
Performs a full TCP connect scan. Used when SYN scan is not permitted.
ACK scan used to detect firewall rules and filtering behavior.
4. UDP Scanning
Scans UDP ports. Slower but necessary for services like DNS, SNMP, and DHCP.
Targets specific UDP services.
5. Service & Version Detection
Detects service versions running on open ports.
nmap --top-ports 100 192.168.1.10
nmap -sS 192.168.1.10
nmap -sT 192.168.1.10
nmap -sA 192.168.1.10
nmap -sU 192.168.1.10
nmap -sU -p 53,161 192.168.1.10
nmap -sV 192.168.1.10
Performs aggressive version detection for higher accuracy.
6. Operating System Detection
Attempts to identify the target operating system based on TCP/IP fingerprinting.
Forces Nmap to guess the OS even when detection is uncertain.
7. Aggressive Scan (All-in-One)
Runs OS detection, version detection, script scanning, and traceroute.
Useful for quick but noisy reconnaissance.
8. Nmap Scripting Engine (NSE)
Runs default safe scripts for enumeration.
Runs vulnerability detection scripts.
Enumerates directories and files on web servers.
nmap -sV --version-intensity 9 192.168.1.10
nmap -O 192.168.1.10
nmap -O --osscan-guess 192.168.1.10
nmap -A 192.168.1.10
nmap --script default 192.168.1.10
nmap --script vuln 192.168.1.10
nmap --script http-enum 192.168.1.10
Enumerates SMB shares on Windows systems.
9. Firewall & Evasion Techniques
Skips host discovery. Useful when ICMP is blocked.
Fragments packets to evade simple firewalls.
Adds random data to packets to bypass IDS detection.
Slows scan timing to reduce detection.
10. Output Formats (Very Important)
Saves output in normal text format.
Saves grepable output for scripting.
Saves output in XML format for tools and reporting.
nmap --script smb-enum-shares 192.168.1.10
nmap -Pn 192.168.1.10
nmap -f 192.168.1.10
nmap --data-length 50 192.168.1.10
nmap -T2 192.168.1.10
nmap -oN scan.txt 192.168.1.10
nmap -oG scan.gnmap 192.168.1.10
nmap -oX scan.xml 192.168.1.10
Saves output in all formats at once.
11. Timing Templates
Paranoid mode. Extremely slow and stealthy.
Aggressive and fast. Commonly used in labs and internal scans.
Very aggressive. Likely to trigger alerts.
nmap -oA fullscan 192.168.1.10
nmap -T0 192.168.1.10
nmap -T4 192.168.1.10
nmap -T5 192.168.1.10

Comentários
Postar um comentário