# NMAP

### Scanning The Network

```
nmap -sn 192.168.1.1-254 -vv -oA hosts
netdiscover -r 192.168.1.1/24
```

### Scanning a Host

```
sudo nmap -sV -sT -A 10.11.1.7 -v
```

The above command scans the system for the most important ports only; it is not a comprehensive scan. A few additions can be made to the above command:

- `--min-rate 10000` - Ensures that nmap sends more than 10K packets per second. This is useful when the scan is too slow.
- `-oA output.txt` - Redirects the output to a file named output.txt.
- `-T<number>` - Controls the speed and covertness of the scan. T0 is slow and stealthy, while T5 is fast and obvious.
- `-p-` - Triggers a scan of all 65536 ports of the host.
- `-p <port number>` - Scans a specific port of a host. This can be modified to scan a range (for example 1-1024) or a set of ports (for example 80,443,139,445).
- `-Pn` - Skips the ping (host discovery) step. This is useful against systems that have disabled ping so as not to be visible during a scan; without it, nmap would treat them as down and not scan them.

### Scanning hosts for a certain service

```
nmap -p 53 192.168.1.1-254 -vv
```

This command scans the network for systems with DNS (port 53) running.
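Once a sweep has been saved with `-oA`, the `.gnmap` (grepable) file it writes is the simplest one to post-process. The following is an added example, not code from the original page: it parses that grepable format and lists the hosts exposing a given service, which is the same question the `-p 53` sweep above answers. The scan output embedded below is constructed for the example, not a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable output (the .gnmap file that -oA writes); not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -p 22,53,80 -sV -oA hosts 192.168.1.1-254
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 53/open/tcp//domain//ISC BIND 9.16/, 80/closed/tcp//http///\tIgnored State: closed (0)
Host: 192.168.1.20 (dns2.lab)\tStatus: Up
Host: 192.168.1.20 (dns2.lab)\tPorts: 53/open/tcp//domain//dnsmasq 2.85/, 22/filtered/tcp//ssh///
Host: 192.168.1.30 ()\tStatus: Up
Host: 192.168.1.30 ()\tPorts: 80/open/tcp//http//nginx 1.18/
# Nmap done -- 254 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# One entry of the "Ports:" field has the layout port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for every port reported open.

    A host can appear on several lines (a Status line and a Ports line), so results
    are accumulated per IP. Comment lines and hosts with no open ports are skipped.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields are tab separated, each one "Name: value"
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                hosts[ip].append((int(port), proto, service, version))
    return dict(hosts)


def hosts_with_service(hosts, port, proto="tcp"):
    """Sorted list of IPs that have the given port open (filtered/closed do not count)."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(p == port and pr == proto for p, pr, _, _ in ports))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("DNS servers:", hosts_with_service(scan, 53))  # 192.168.1.10 and 192.168.1.20
```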

### Fast Scan of the Network

Nmap can sometimes take a long time to sweep through a network or scan a specific host. When you have to conduct a quick scan, one of the following tools can be used instead; however, the number of false positives and false negatives can be high.

```
rustscan -a 10.129.191.222 --ulimit 5000
```

Masscan is another tool for conducting a quick scan. It can be downloaded from GitHub and installed. The command to run the scan:

```
./masscan 198.134.112.244 -p443
```
