-sS SYN ("stealth"/half-open) scan: faster and quieter than a full connect; needs root
-sT TCP connect scan (full three-way handshake); no root needed, the only TCP scan that works through proxychains
-sU UDP scan (can be combined with -sS in one run)
-sn host discovery / ping sweep only, no port scan (e.g. {ip}.1-254)
-p specify port(s) (-p- = all 65535)
-A aggressive: OS detection, version detection, default scripts and traceroute
--top-ports=# scan the # most common ports (e.g. --top-ports=20)
-O OS fingerprinting
-sV service/version detection (banner grab); pair with -sT or -sS, already included in -A
--open show open ports only
-sC run the default script set (same as --script=default)
-oG {file} save results in greppable format (-oA {base} writes normal, XML and greppable at once)
-Pn skip host discovery (treat host as up); scan without pinging first
Common step-up scans
Quick enumeration
sudo nmap -sS -p- {ip} -vv -Pn --open
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 63
proxychains nmap --top-ports=20 -sT -Pn 10.5.5.20
(through proxychains only -sT works: a SOCKS proxy cannot carry raw SYN packets or ICMP, so always add -sT -Pn)
Deep enumeration
sudo nmap -sV -sC -O -sT -Pn -vv -p{interested,port,#} {ip}
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.2.20 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.20 (Ubuntu)
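Added example, not part of the original notes: a small POSIX sh script that chains the quick and deep scans above. The quick -sS -p- sweep is saved with -oG, the open TCP ports are parsed out of that file, and only those ports are handed to the -sV/-sC/-O scan. It assumes nmap is in PATH and sudo is available; the function names and the quick_<ip>.gnmap / deep_<ip> file names are this script's own choices, and the -oG excerpt used for the offline check is constructed, not real scan output.

```shell
#!/bin/sh
# Added example (not from the original notes): automate the quick -> deep
# step-up. Assumptions: nmap in PATH, sudo for raw sockets, the output file
# names quick_<ip>.gnmap / deep_<ip> are this script's own choice.
set -u

# Print the open TCP ports from one or more -oG files as "22,80,443".
# Greppable lines are tab-separated fields, e.g.
#   Host: 10.5.5.20 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (998)
# Each Ports entry is port/state/proto/owner/service/rpc/version/.
open_ports_from_grepable() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
        n = split(substr($i, 8), entry, /, */)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open" && f[3] == "tcp") seen[f[1] + 0] = 1
        }
      }
    }
    END { for (p in seen) print p }' "$@" | sort -n | paste -sd, -
}

# Quick full-range sweep, then deep scan restricted to what was found.
stepup_scan() {
  ip="$1"
  quick="quick_$ip.gnmap"
  sudo nmap -sS -p- -Pn --open -vv "$ip" -oG "$quick" >/dev/null
  ports="$(open_ports_from_grepable "$quick")"
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $ip" >&2
    return 1
  fi
  echo "open ports on $ip: $ports"
  sudo nmap -sV -sC -O -sT -Pn -vv -p"$ports" "$ip" -oA "deep_$ip"
}

# Offline check on a constructed -oG excerpt (not real scan output):
# closed and UDP entries must be dropped, open TCP ports returned sorted.
demo_parse() {
  tmp="$(mktemp)"
  printf 'Host: 10.5.5.20 ()\tStatus: Up\n' > "$tmp"
  printf 'Host: 10.5.5.20 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.20/, 22/open/tcp//ssh//OpenSSH/, 23/closed/tcp//telnet///, 53/open/udp//domain///\tIgnored State: filtered (65532)\n' >> "$tmp"
  open_ports_from_grepable "$tmp"   # 22,80
  rm -f "$tmp"
}

if [ $# -ge 1 ]; then stepup_scan "$1"; else demo_parse; fi
```

Run as ./stepup.sh 10.5.5.20; with no argument it only parses the built-in sample. Against a pivoted target replace the -sS sweep with proxychains nmap -sT (the same parser works on that -oG file), since SOCKS cannot carry raw SYNs.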
Scripts
Location: /usr/share/nmap/scripts
Search: ls -l /usr/share/nmap/scripts/{searchterm}*
Use: add --script {scriptname}; a glob such as --script "{service}*" runs every script whose name matches (--script-help {scriptname} prints what a script does before you run it)
No Nmap approach
#Win
for /L %i in (1,1,255) do @ping -n 1 -w 200 10.5.5.%i > nul && echo 10.5.5.%i is up.
#Linux (-W 1: wait at most 1 s per host; Linux ping's -w/-W take seconds, not ms)
for i in {1..254}; do (ping -c 1 -W 1 10.2.2.$i | grep "bytes from" &); done
Enum from pivoting machine to next target machine
#!/bin/bash
#enumport.sh: TCP connect sweep with bash's /dev/tcp, no nmap needed on the pivot
#(2>/dev/null hides the "Connection refused" noise from closed ports)
host=10.5.5.11
for port in {1..65535}; do
  timeout .1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null && echo "port $port is open"
done
echo "Done"
Autorecon
sudo $(which autorecon) {ip} -v --dirbuster.threads 50
#through tunneling machine to recon subnet
sudo proxychains $(which autorecon) {subnet/ip} -v --proxychains