Nmap

Scan Network Range

--reason (host and port state reasons) shows why each port was placed in its reported state and why each host is reported as up or down.

ARP ping scan

Basic IP range scan

sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

Scanning IP list

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5
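The one-liners above grep the human-readable output; the -oA tnet option also writes tnet.gnmap, which is made for parsing. The following is an added example, not part of the original notes, that extracts live hosts and open ports from a .gnmap file; the sample file content is constructed here and the host and port values are assumptions.

```shell
#!/bin/sh
# Parse the grepable (.gnmap) file that -oA writes. Field layout per Host line:
#   Host: <ip> (<name>)<TAB>Status: Up                                   (from -sn scans)
#   Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...

# Print one live host per line.
live_hosts() {
    awk -F'\t' '/^Host:/ && /Status: Up/ { split($1, h, " "); print h[2] }' "$1"
}

# Print "host port/proto service" for every port whose state is "open".
open_ports() {
    awk -F'\t' '/^Host:/ && /Ports:/ {
        split($1, h, " ")
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            n = split(substr($i, 8), p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open") print h[2], f[1] "/" f[3], f[5]
            }
        }
    }' "$1"
}

# Constructed sample in the format nmap writes; not real scan output.
write_sample() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n' > "$1"
    printf 'Host: 10.129.2.4 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.129.2.28 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.129.2.28 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.2p1/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\n' >> "$1"
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n' >> "$1"
}

SAMPLE="${TMPDIR:-/tmp}/tnet-sample.gnmap"
write_sample "$SAMPLE"
echo "Live hosts:";  live_hosts "$SAMPLE"
echo "Open ports:";  open_ports "$SAMPLE"
```

Point the functions at tnet.gnmap from a real run to get the same listing without depending on the wording of the normal output.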

ICMP reply scan

sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping

Service discovery

By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). The SYN scan is the default only when Nmap runs as root, because creating raw TCP packets requires raw-socket permissions. Otherwise, the TCP connect scan (-sT) is performed by default.

In the following example we disable ICMP echo requests (-Pn), DNS resolution (-n), and the ARP ping (--disable-arp-ping), so that only the port probe itself is sent.

sudo nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping

Cheat sheet

Scanning Options

Nmap Option                  Description
10.10.10.0/24                Target network range.
-sn                          Disables port scanning (host discovery only).
-Pn                          Disables ICMP Echo Requests (skips host discovery).
-n                           Disables DNS resolution.
-PE                          Performs the ping scan using ICMP Echo Requests against the target.
--packet-trace               Shows all packets sent and received.
--reason                     Displays the reason for a specific result.
--disable-arp-ping           Disables ARP ping requests.
--top-ports=<num>            Scans the <num> ports that Nmap ranks as most frequently open.
-p-                          Scans all ports.
-p22-110                     Scans all ports between 22 and 110.
-p22,25                      Scans only the specified ports 22 and 25.
-F                           Scans the top 100 ports.
-sS                          Performs a TCP SYN scan.
-sA                          Performs a TCP ACK scan.
-sU                          Performs a UDP scan.
-sV                          Scans the discovered services for their versions.
-sC                          Performs a script scan with the scripts categorized as "default".
--script <script>            Performs a script scan using the specified scripts.
-O                           Performs an OS detection scan to determine the OS of the target.
-A                           Performs OS detection, service detection, and traceroute scans.
-D RND:5                     Sets the number of random decoys that will be used to scan the target.
-e                           Specifies the network interface that is used for the scan.
-S 10.10.10.200              Specifies the source IP address for the scan.
-g                           Specifies the source port for the scan.
--dns-server <ns>            Performs DNS resolution using the specified name server.

Output Options

Nmap Option                  Description
-oA filename                 Stores the results in all available formats, with file names starting with "filename".
-oN filename                 Stores the results in normal format in the file "filename".
-oG filename                 Stores the results in "grepable" format in the file "filename".
-oX filename                 Stores the results in XML format in the file "filename".

Performance Options

Nmap Option                  Description
--max-retries <num>          Sets the number of retries for probes of specific ports.
--stats-every=5s             Displays the scan's status every 5 seconds.
-v/-vv                       Displays verbose output during the scan.
--initial-rtt-timeout 50ms   Sets the specified time value as the initial RTT timeout.
--max-rtt-timeout 100ms      Sets the specified time value as the maximum RTT timeout.
--min-rate 300               Sets the minimum number of packets sent per second.
-T <0-5>                     Selects the timing template (0 slowest, 5 fastest).

Firewall and IDS/IPS Evasion

Decoys

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5

Scan by Using Different Source IP

sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

DNS Proxying

sudo nmap 10.129.2.28 -p 50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

Connect to the Filtered Port

ncat -nv --source-port 53 10.129.2.28 50000