NMAP

Scanning The Network

nmap -sn 192.168.1.1-254 -vv -oA hosts
netdiscover -r 192.168.1.1/24

Scanning a Host

sudo nmap -sV -sT -A 10.11.1.7 -v

The above command scans the host's most commonly used ports rather than every port, so it is not a comprehensive scan. A few additions can be made to the above command:

--min-rate 10000 - This ensures that nmap sends at least 10K packets per second. This is useful when the scan is too slow

-oA output.txt - This writes the output to files named output.txt (with -oA, in all three Nmap output formats: normal, grepable and XML)

-T<number> - This controls the speed and covertness of the scan. -T0 is the slowest and stealthiest, while -T5 is the fastest and most obvious

-p- - This triggers a scan of all 65536 ports of the host

-p <port number> - This scans a specific port of a host. A range can be given as 1-1024, or a set of ports as 80,443,139,445

-Pn - This skips host discovery (no ping) and is useful against systems that have disabled ping responses so as not to show up in a scan; without it, nmap would treat such hosts as down and skip them

Scanning hosts for a certain service

nmap -p 53 192.168.1.1-254 -vv

This command scans the network for systems with DNS running
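To turn such a sweep into an inventory a defender can act on, the following added example (not part of the original cheat sheet) parses the grepable output that -oA / -oG write and lists only the hosts where a port is actually open, ignoring closed and filtered entries. The .gnmap lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap grepable (.gnmap) output, as written by -oA / -oG.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p 53,80,443 -oA hosts 192.168.1.1-254
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 80/closed/tcp//http///\tIgnored State: filtered (1)
Host: 192.168.1.20 (ns2.example.internal)\tPorts: 53/open/tcp//domain///, 443/open/tcp//https///
Host: 192.168.1.77 ()\tPorts: 53/filtered/tcp//domain///, 80/open/tcp//http///
# Nmap done: 254 IP addresses (3 hosts up) scanned
"""

# "Host: <ip> (<hostname>)<TAB><fields...>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
# Each port entry looks like "53/open/tcp//domain///"
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")

def parse_gnmap(text):
    """Return {ip: [(port, state, proto, service), ...]} from grepable output."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field[len("Ports:"):]):
                    hosts[ip].append((int(port), state, proto, service))
    return dict(hosts)

def hosts_with_open_port(text, port, proto="tcp"):
    """IPs that expose the given port in state 'open' (not closed/filtered)."""
    return sorted(ip for ip, ports in parse_gnmap(text).items()
                  if any(p == port and st == "open" and pr == proto
                         for p, st, pr, _ in ports))

if __name__ == "__main__":
    # Which hosts in the sweep really answer on TCP/53?
    for ip in hosts_with_open_port(SAMPLE_GNMAP, 53):
        print(ip)
```

Point the function at the hosts.gnmap file written by -oA hosts to get the same listing for a real sweep.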

Fast Scan of Network

Nmap can sometimes take a long time to sweep a network or scan a specific host. When you have to conduct a quick scan, one of the following tools can be used; however, the number of false positives and false negatives can be high.

rustscan -a 10.129.191.222 --ulimit 5000

Masscan is another tool for conducting a quick scan. It can be downloaded from GitHub and installed. The command to run the scan:

./masscan 198.134.112.244 -p443
