Nmap Port Scanning
Scan for alive hosts
$ nmap -sn $ip/24
$ nmap -vvv -sn $ip/24If you want little faster
$ nmap -sn -n $ip/24 > ip-range.txtScan specific IP range
$ nmap -sP 10.0.0.0-100Auto Recon
autorecon 10.10.10.3Initial Scan TCP
nmap -sC -sV -O -oA initial 10.10.10.3Full Scan TCP Full Scan TCP
Comprehensive nmap scans in the background to make sure we cover all bases.
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.3Full Scan UDP
nmap -sU -O -p- -oA nmap/udp 10.10.10.3Normal Scan
nmap -A $ipScan specific machine
Scan common port
$ nmap -A -oA filename $ip/24The command:
Scan 1024 most common ports
Run OS detection
Run default nmap scripts
Save the result into
.nmap,.gnmapand.xmlFaster
Fast scanning
Scan 100 most common ports
nmap -F $ipQuick TCP Scan
nmap -sC -sV -vv -oA quick $ipQuick UDP Scan
nmap -sU -sV -vv -oA quick_udp $ipFull TCP Scan
nmap -sC -sV -p- -vv -oA full 10.10.10.10Port knock
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x $ip; doneScan deeply
Scanning more deeply:
$ nmap -v -p- -sT $ip
Example:
$ nmap -v -p- -sT 10.0.1.0/24This command:
Scan all 65535 ports with full connect scan
Take very long time
Print out straigt away instead of having to wait until end of the scan
Tips:
Scanning this takes a long time, suggest to leave the scan running overnight, when you're sleep or move on to different box in the meantime.
Maximum scan delay
The –max-scan-delay is used to specify the maximum amount of time Nmap should wait between probes.
nmap -sC -sV $ip -oN initial -v --max-scan-delay=10Maximum Retries
–max-retries specifies the number of times a packet is to be resent on a port to check if it is open or closed. If –max-retries is set to 0, the packets will be sent only once on a port and no retries will be done.
nmap -p21-25$ip --max-retries 0Scan for specific port
$ nmap -p T:80,443,8080 $ip/24Use -T: specifies TCP ports. Use -U: for UDP ports.
Scan for unused IP addresses and store in text file
$ nmap -v -sn $ip/24 | grep down | awk '{print $5}' > filename.txtOther option
nmap -sV -sC -v -oA output $ipUDP scan
Scanning this might slow and unreliadble
$ nmap $ip -sU
Example:
$ nmap 10.11.1.X -sUTop ports
To save time and network resources, we can also scan multiple IPs, probing for a short list of a an common ports. For example, let’s conduct a TCP connect scan for the top twenty TCP ports with kw Ma the --top-ports option and enable OS version detection, script scanning, and traceroute with -A:
nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txtScan targets from a text file
Create a text file contains of our targets machine (like in method Scan for unused IP addresses and store in text file):
192.168.1.144
192.168.1.179
192.168.1.182Run this nmap command with -iL
nmap -iL list-of-ips.txtOnetwopunch.sh
Grab the latest bash script
git clone https://github.com/superkojiman/onetwopunch.git
cd onetwopunchCreate a text file contains of our targets machine (like in method Scan for unused IP addresses and store in text file):
192.168.1.144
192.168.1.179
192.168.1.182Then, run the script and tell it to read our txt file and perform TCP scan against each target.
./onetwopunch.sh -t ip-range.txt -p tcpSo, the idea behind the script to generate a scan of 65,535 ports on the targets. The script use unicornscan to scan all ports, and make a list of those ports that are open. The script then take the open ports and pass them to nmap for service detection.
AutoRecon
Last updated