← notes


All things nmap - a network scanning tool.




• get your own ip address with ip addr show

All things NMAP

now, we have some ip addresses to play with! here are some general notes regarding nmap:
nmap -sn -> discover live hosts (other active things). ping sweep.
nmap -> scan the 1000 most common ports
nmap -p- -> scan all 65,535 ports
nmap -sv -sc -> get service versions
- nmap -sv -> get banner information for some service
nmap -O -> get os version of target
nmap -a -> aggressive scan. get os, version detection, script scanning, and traceroute
nmap -ss -> stealth syn scan
nmap -su -> scan for open udp ports (as opposed to tcp)
nmap -ox output.xml -> save scan result
-> spoof some address

timing templates

-t0 -> paranoid, super slow and stealthy
-t1 -> sneaky
-t2 -> polite, gives more prio to device limitations
-t3 -> normal
-t4 -> aggressive. generally recommended if you have a connection faster than dial up.
-t5 -> insane, fastest scan timing. you'll miss shit and you'll be caught.

going from domain to scanning

whois -h whois.arin.net n [service] -> gets a range of IPs to scan
• ping the web server for latency est.
dig @dns-nameserver webserver.com. any dig through DNS records

tricks and notes

-sL -> finds reverse DNS entries that resolve to some address
-sS -> SYN scan. this is the default, but it's ok to mention explicitly.
-p- -> requests Nmap scans every port from 1-65535
-PS22,80,113,33334 -PA80,113,21000 -PU19000 -PE -> sends TCP syn to 22,80,113,33334, TCP ack to 80,113,21000, UDP to 19000, and ICMP echo.
-A -> advanced and aggressive form. equivalent to -sV -sC -O --traceroute
oA -> output things
• could instead be specified as
• IANA specifies official ports, but this isn't always followed.
• some nmap tools: unspecific.com/nmap/
-p80 -> looking for web ports only
• host enumeration -> the process of identifying all hosts on a network
• running nmap -sS -PS80 -iR 0 -p 80 is kinda cute for locating random servers
host -t ns [domain.com] -> gets the name servers serving the domain
-sP -> only perform a ping scan. no further testing whatsoever.
-PS -> TCP SYN Ping (-PA is ack, -PU is UDP)
--source-port -> sets a constant source port. helps with rule checking shit.
oA,oN, oG, oX are output options.
host -t ns [domain.com] -> gets the name servers for
--reason -> indicates what exactly the probe responded to
• for UDP ports, you want to try to target 53 (DNS port) and some arbitrarily high numbered port (e.g., 34444) to target shit firewalls with bad range proofs.
• a set of ping options that'll catch the vaaast number of hosts: -PE -PA -PS21,23,23,25,80,113,31339 -PA80,113,443,10042, and adding in --source-port 53 migth also work.
• by default, nmap just scans and classifies the 1000 most commonly used TCP ports on the target
• ports are a software abstraction.
-6 - IPv6 scanning!
nmap -p80 -oG logs -> scan network for open web ports, and put that shit in a nice file, "logs," which is searchable by grep
• a faster version of the above which optimizes reverse DNS resolution: nmap -T4 -PN -p80 --max-rtt-timeout 200ms --initial-rtt-timeout 150ms --min-hostgroup 512ms -oGlogs
- in order to watch logs, we can run watch -n 5 "cat logs | grep -E 'open'"
-sO - determines which IP protocols are supported by target machines. not necessarily a port scan...
-sC -> run default scripts