----------LIVE-HOST-DISCOVERY---------- 12:37 PM 11/3/2025 | ---------------------------------------

Enumerating targets
• nmap -sL == a SIMPLE LISTING of every IP it would scan
• nmap -sn == NO follow-on PORT SCAN
• nmap -F == Fast, decrease from the top 1000 ports to the top 100
• nmap -r == use a random order instead of numerical

ARP Enumeration
• {nmap -PR $IP/24} OR {arp-scan $IP/24} == ARP SCAN instead of a ping scan (the default)

ICMP Enumeration
• nmap -PE $IP/24 == uses ICMP ECHO requests
• nmap -PP $IP/24 == uses ICMP TIMESTAMP requests
• nmap -PM $IP/24 == uses ICMP ADDRESS MASK requests

TCP and UDP Enumeration
• nmap -PS$PORT $IP == TCP SYN Ping
• nmap -PA$PORT $IP == TCP ACK Ping
• nmap -PU $IP == UDP Ping
• masscan $IP -p == specifying a port/ports

Reverse-DNS Lookup
• nmap -n == NO DNS lookup (NEVER use DNS)
• nmap -R == query DNS even for offline hosts (ALWAYS use DNS)
• nmap --dns-servers == specifying which DNS server to use

----------Basic-Port-Scans---------- 1:34 PM 11/3/2025 | ------------------------------------

How many port states does Nmap consider? A: 6

NMAP Port states
• Open: a service is listening
• Closed: no service is listening, but the port is not blocked by a firewall
• Filtered: blocked by a firewall, unknown if the port is open or closed (BLOCKED)
• Unfiltered: undetermined, although the port is not blocked (encountered when using nmap -sA)
• Open|Filtered: cannot determine whether the port is open or filtered
• Closed|Filtered: cannot decide whether the port is closed or filtered
TCP Flags
• URG: Urgent flag
• ACK: Acknowledgment flag
• PSH: Push flag
• RST: Reset flag
• SYN: Sync flag
• FIN: Finished flag

TCP Connect Scan
• nmap -sT $IP == SYN, SYN/ACK, ACK, RST

TCP SYN Scan
• nmap -sS $IP == SYN, SYN/ACK, RST (default scan when running nmap as root)

UDP Scan
• nmap -sU $IP == OPEN = UDP packet, NO RESPONSE | CLOSED = UDP packet, ICMP Type 3, Code 3

Fine-Tuning Scope and Performance
• nmap -p == specifying a port/ports
• nmap -T<0-5> == scan timing, 0 = slowest, 5 = fastest
• nmap --top-ports <1-9999> == change how many of the top ports it checks
• nmap --max-rate 10 == will not send more than 10 packets per second (also --min-rate 10)
• nmap --min-parallelism 64 == will run at least 64 probes in parallel

----------Advanced-Port-Scans---------- 3:03 PM 11/3/2025 | --------------------------------------

TCP Null, FIN, Xmas
• nmap -sN == NULL scan, sends a packet with no flags (all six bits are set to 0). If no response, the port is open. If a RST/ACK is sent back, the port is closed.
• nmap -sF == FIN scan, sends a packet with the FIN flag. If no response, the port is open. If a RST/ACK is sent back, the port is closed.
• nmap -sX == XMAS scan, sends a packet with the FIN, PSH, URG flags. If no response, the port is open. If a RST/ACK is sent back, the port is closed.
These scans are used when scanning a target behind a STATELESS FIREWALL (non-stateful). Stateless firewalls only check packets for connection attempts with the SYN flag set.

TCP Maimon Scan
• nmap -sM == Maimon scan (rarely used; open and closed ports give the same response on modern systems)

TCP ACK, Window, and Custom Scan
• nmap -sA == ACK scan, sends a packet with the ACK flag (USEFUL WHEN THE HOST IS BEHIND A FIREWALL). This scan will show you which ports are/are not filtered.
• nmap -sW == Window scan, similar to but better than the ACK scan
• nmap --scanflags == Custom scan, you are able to set individual flags

Spoofing and Decoys
• nmap -e NET_INTERFACE -Pn -S SPOOFED_IP $IP == SPOOFING the source IP. -e specifies the interface, -Pn disables the ping scan (required), and -S sets the spoofed address. The attacker needs to monitor the network traffic to analyze the replies.
• nmap --spoof-mac SPOOFED_MAC $IP == MAC SPOOFING, only works when on the same subnet
• nmap -D DECOYIP1,DECOYIP2,RND,RND,ME $IP == Using decoys (DECOYIP1 = a specified IP, RND = generates a random IP, ME = you)

Fragmented Packets
• A traditional firewall inspects packets at least at the IP level and the transport-layer header.
• An intrusion detection system (IDS) inspects packets for behavioural patterns or content signatures. An IDS also looks at the data contents in the transport layer for malicious patterns. This is why you might use fragmented packets.
• nmap -f == fragmenting packets (-ff will split data into 16-byte fragments instead of 8)
• nmap --mtu # == another way to change the default fragment size

Idle/Zombie scan
• nmap -sI ZOMBIE_IP $IP == IDLE scan, the ZOMBIE_IP must be an "idle" host
Getting more Details
• nmap --reason == provides more details on how it reached its conclusions
• nmap <-v,-vv,-vvv> == the different levels of verbosity
• nmap <-d,-dd> == debugging details

EXTRA
• nmap --source-port PORT_NUM == specify the source port number
• nmap --data-length NUM == append random data to reach the given length

----------Post-Port-Scans---------- 4:38 PM 11/3/2025 | -----------------------------------

Service Detection
• nmap -sV == Service detection
• nmap -sV --version-intensity <0-9> == 0 = lightest, 9 = hardest (--version-light = 2, --version-all = 9)

OS Detection and Traceroute
• nmap -O == OS Detection
• nmap -O --osscan-guess == guess the OS more aggressively
• nmap --traceroute == traceroute (or tracert in Windows)

Nmap Scripting Engine (NSE)
• located in "/usr/share/nmap/scripts"
• also supports scripts written in Lua
• nmap --script=SCRIPT_NAME == choose a script from the *.nse location
• nmap --script "SCRIPT_NAME" == same as above
• nmap -sC == run the basic (default) scripts

Saving the Output
• Three main formats (.nmap, .gnmap, .xml)
• nmap -oN FILE_NAME == Normal = .nmap
• nmap -oG FILE_NAME == Grepable = .gnmap
• nmap -oX FILE_NAME == XML = .xml
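Added example, not part of these notes: a small Python parser for the grepable (-oG) format from "Saving the Output", which also pulls out the combined port states (Open|Filtered, Closed|Filtered) from the port-states list so they can be re-checked with another scan type. The .gnmap text, hosts and services below are constructed, not real scan results.

```python
"""Parse Nmap grepable output (-oG / .gnmap) into per-host port records."""
from collections import defaultdict

# Constructed sample of what `nmap -sS -sV -oG scan.gnmap` writes (hosts and services are made up).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Nov  3 16:38:00 2025 as: nmap -sS -sV -oG scan.gnmap 10.10.10.0/30
Host: 10.10.10.1 ()\tStatus: Up
Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.10.10.2 (web.lab)\tStatus: Up
Host: 10.10.10.2 (web.lab)\tPorts: 53/open|filtered/udp//domain///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done at Mon Nov  3 16:38:05 2025 -- 4 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

# The six port states Nmap reports.
PORT_STATES = {"open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered"}


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service, version), ...]}.

    Fields on a gnmap line are tab-separated; each port entry is
    port/state/proto/owner/service/rpc-info/version/ (seven fields, trailing '/').
    """
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) != 8 or parts[1] not in PORT_STATES:
                raise ValueError(f"malformed port entry {entry!r} for {ip}")
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            results[ip].append((int(port), proto, state, service, version))
    return dict(results)


def open_ports(results):
    """Ports Nmap confirmed open, per host, as 'port/proto' strings."""
    return {ip: [f"{p}/{proto}" for p, proto, state, _s, _v in entries if state == "open"]
            for ip, entries in results.items()}


def undetermined_ports(results):
    """Ports in a combined state (open|filtered, closed|filtered): the scan type
    used could not decide, so they need a follow-up scan before being trusted."""
    return {ip: [f"{p}/{proto} {state}" for p, proto, state, _s, _v in entries if "|" in state]
            for ip, entries in results.items() if any("|" in e[2] for e in entries)}
```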