Scanning
Nmap
What I do most of the time when scanning
Some of the most frequent nmap commands I use
| Command | Description |
| --- | --- |
| `nmap -sn 192.168.1.1/24 -oA initialScan` | Ping-sweep the subnet (no port scan) and write the results in all three output formats under the name initialScan |
| `grep "Up" initialScan.gnmap \| awk '{print $2}' >> hostsAlive.txt` | Take the hosts reported as Up in initialScan.gnmap and append just their IPs to hostsAlive.txt |
| `nmap -A -T4 -iL hostsAlive.txt` | Aggressive scan (OS and version detection, scripts, traceroute) of every host listed in hostsAlive.txt |
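The three-step workflow above, as an added example that is not part of the original page: it parses a constructed `initialScan.gnmap` (made-up IPs and hostnames) by matching the `Status: Up` field rather than a bare "Up", so a hostname such as "Uplink-fw" or a Down host never ends up in hostsAlive.txt, and it builds the follow-up nmap command without running it.

```shell
#!/bin/sh
# Added example: extract hosts reported "Status: Up" from an nmap .gnmap file.
set -eu

# Constructed sample of what `nmap -sn ... -oA initialScan` writes to
# initialScan.gnmap (a Down host only appears in real output with -v).
write_sample_gnmap() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oA initialScan 192.168.1.1/24
Host: 192.168.1.1 (gw.lan)	Status: Up
Host: 192.168.1.5 (Uplink-fw.lan)	Status: Down
Host: 192.168.1.10 ()	Status: Up
Host: 192.168.1.10 ()	Status: Up
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.02 seconds
EOF
}

# Print one IP per line for every "Host:" line whose Status field is exactly
# "Up". Field 2 is the IP; sort -u drops duplicates so each host is scanned
# once in the follow-up step.
extract_up_hosts() {
  awk '/^Host: / && /[[:space:]]Status: Up$/ { print $2 }' "$1" | sort -u
}

# Build (but do not run) the aggressive follow-up scan from the page's workflow.
follow_up_cmd() {
  printf 'nmap -A -T4 -iL %s -oA aggressiveScan\n' "$1"
}

workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT

write_sample_gnmap "$workdir/initialScan.gnmap"
extract_up_hosts "$workdir/initialScan.gnmap" > "$workdir/hostsAlive.txt"

echo "Hosts reported Up:"
cat "$workdir/hostsAlive.txt"
echo "Next step: $(follow_up_cmd "$workdir/hostsAlive.txt")"
```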

Common switches
Some common nmap switches
| Switch | Example | Description |
| --- | --- | --- |
| `-sS` | `nmap 192.168.1.1 -sS` | TCP SYN port scan (default when running as root) |
| `-sT` | `nmap 192.168.1.1 -sT` | TCP connect port scan (default without root privilege) |
| `-sU` | `nmap 192.168.1.1 -sU` | UDP port scan |
| `-sn` | `nmap 192.168.1.1/24 -sn` | Disable port scanning. Host discovery only. |
| `-Pn` | `nmap 192.168.1.1-5 -Pn` | Disable host discovery. Port scan only; every target is treated as online. |
Port Specification
Switches for scanning different ports
| Switch | Example | Description |
| --- | --- | --- |
| `-p` | `nmap 192.168.1.1 -p 21-100` | Port scan the given port or range (here ports 21 through 100) |
| `-p-` | `nmap 192.168.1.1 -p-` | Port scan all 65535 ports |
| `--top-ports` | `nmap 192.168.1.1 --top-ports 2000` | Port scan the 2000 most common ports |
Service and Version Detection
Switches for scanning for different services and version detection
| Switch | Example | Description |
| --- | --- | --- |
| `-sV` | `nmap 192.168.1.1 -sV` | Attempts to determine the version of the service running on each open port |
| `-A` | `nmap 192.168.1.1 -A` | Enables OS detection, version detection, script scanning, and traceroute |
| `-O` | `nmap 192.168.1.1 -O` | Remote OS detection using TCP/IP stack fingerprinting |
Enumeration
To be continued
fping
Ping-sweep a subnet and list only the hosts that respond: -a prints alive hosts, -q suppresses per-probe output, -g generates the target list from the CIDR range.

fping -a -q -g 172.16.33.108/24
Resources