Nmap / Masscan / Autorecon
General
-sS SYN ("stealth") scan, faster and quieter than a full connect
-sT full three-way handshake connect scan
-sU UDP scan (can be combined with -sS)
-sn ping sweep, host discovery only, e.g. {ip}.1-254
-p specify port
-A version detection/script scan/traceroute
--top-ports=# (scan top # common ports)
-O OS fingerprinting
-sV service/version detection (commonly combined with -sT or -A)
--open show open ports only
-sC run the default script set
-oG {file} save scan results in greppable format
-Pn skip host discovery, scan the machine directly without pinging
--top-ports=20
Common step-up scans
Quick enumeration
sudo nmap -sS -p- {ip} -vv -Pn --open
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 63
Deep enumeration
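The quick-then-deep step-up as one script, added here as an example (not part of the original cheat sheet): the quick SYN sweep is saved with -oG, the open ports are pulled out of that greppable file with plain POSIX tools, and only those ports get the slower -sV -sC pass. The target and file names are assumptions; the sample gnmap line in the comments is constructed.

```shell
#!/bin/sh
# Step-up scan helper: quick -sS -p- sweep, then -sV -sC on the open ports only.

# Print open port numbers from an nmap -oG file, comma-separated and sorted.
# A gnmap "Host:" line looks like (constructed sample):
#   Host: 10.0.0.5 ()<TAB>Ports: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/open/tcp//http//nginx//<TAB>Ignored State: closed (998)
# Each entry is port/state/proto/owner/service/rpc/version/; we keep entries whose state is "open".
open_ports_from_gnmap() {
    grep '^Host: ' "$1" \
      | grep 'Ports: ' \
      | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | grep '^[0-9]*/open/' \
      | cut -d/ -f1 \
      | sort -n -u \
      | paste -s -d, -
}

# Quick enumeration of all TCP ports, then deep enumeration of just the open ones.
# $1 is the target IP; output files land in the current directory and /tmp (assumed paths).
step_up_scan() {
    target=$1
    quick="/tmp/quick_${target}.gnmap"
    sudo nmap -sS -p- -Pn --open -vv -oG "$quick" "$target" >/dev/null
    ports=$(open_ports_from_gnmap "$quick")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports on $target: $ports" >&2
    sudo nmap -sV -sC -Pn -p "$ports" -oN "deep_${target}.nmap" "$target"
}

# Usage (assumed target): step_up_scan 10.0.0.5
```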
Scripts
Location: /usr/share/nmap/scripts
Search: ls -l /usr/share/nmap/scripts/{searchterm}*
Use: add --script {scriptname}, or --script {service}* to run every script whose name matches
No Nmap approach
Enumerating the next target machine from a pivot host that has no nmap
Autorecon
