Enumeration is key <3
The oaf scan (-A enables OS detection, version detection, default scripts and traceroute; --script vuln adds the vulnerability-check NSE category):
sudo nmap -A -p- <ip> --script vuln
Top 10 TCP ports scan:
sudo nmap <ip> --top-ports=10
Discover hosts with ICMP within an internal network (if the client machines ignore ICMP packets, this command will not find them):
sudo nmap 192.168.1.0/24 -sn -oA tnet --packet-trace --reason | grep for | cut -d" " -f5
ICMP with a list of IP addresses provided by the client (hosts.lst; the list replaces the target range on the command line):
sudo nmap -sn -oA tnet -iL hosts.lst --packet-trace --reason | grep for | cut -d" " -f5
TCP connect scan, if accuracy is your priority (e.g. for network mapping):
sudo nmap 192.168.1.0/24 --disable-arp-ping -Pn -n --reason -sT
Fast scan (the 100 most common ports):
sudo nmap 10.129.2.0/24 -F -oN tnet.default
TCP SYN scan (stealth scan, the default when run as root):
sudo nmap -sS 192.168.1.0/24 -n --disable-arp-ping --reason -Pn
UDP scan:
sudo nmap -sU 192.168.1.0/24 -n --disable-arp-ping --reason -Pn
Full port scan with service version and OS detection on a single host:
sudo nmap 192.168.1.10 -p- -sV -O -v
If you want to understand how a target's firewall blocks you (in the case of filtered ports):
sudo nmap 192.168.1.10 -p 21 --packet-trace -n --disable-arp-ping -Pn
Sometimes it may be convenient to create an HTML report of the network for the client:
sudo nmap 192.168.1.0/24 --disable-arp-ping -Pn -n --reason -sT -p- -v -oA target
xsltproc target.xml -o target.html
Default TTL seen in replies (rough OS fingerprint, minus one per router hop): Windows = 128, Linux = 64