Network DNS Sweeping
nmap -sL - List scan. Sends no packets to the target hosts; only attempts reverse DNS resolution of each address in the range.
Network Sweeping
nmap
-P<probe type>
N - Don't Ping
B - Default (ICMP Echo, SYN 443, ACK 80, ICMP Timestamp)
E - ICMP Echo Request (type 8)
S <ports> - TCP SYN <ports>
P - ICMP Timestamp Only
M - ICMP address mask request
R - ARP ping (used for targets on the local Ethernet segment)
ping6
ping6 -I <interface> ff02::1 - all-nodes link-local multicast (every IPv6 host on the local link answers)
ping6 -I <interface> ff02::2 - all-routers link-local multicast (IPv6 routers on the local link answer)
nmap -sn - host discovery only (ping sweep), no port scan
hping3
By default sends TCP packets to port 0 with no flags set. Can send
ICMP, TCP or UDP to any port with any combination of flags specified.
Operating System Fingerprinting
nmap -O
xprobe2
Service Version Scanning
THC amap
nmap -sV -sC --script=<scripts>
nmap -A (nmap -O -sV -sC --traceroute)
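The sweep and version-scan output above is only useful once it is compared against what should be on the network. The following is an added example, not part of the original notes: a parser for nmap's grepable output format (-oG) that collects each host's discovery status and the services reported by -sV, then flags open ports that are missing from an asset allow-list. The sample output, the addresses, the hostnames and the allow-list are all constructed for the example.

```python
"""Turn nmap -oG (grepable) output into a host/service inventory and
diff it against an allow-list of expected listeners.

The SAMPLE_OG text below is a constructed imitation of the -oG format
(tab-separated "Key: value" fields per host line); it is not real scan output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a -sn sweep followed by a -sV scan of the same range.
SAMPLE_OG = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.1 (gw.example.lan)\tStatus: Up\n"
    "Host: 192.0.2.1 (gw.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.0.2.20 ()\tStatus: Up\n"
    "Host: 192.0.2.20 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.x/"
    "\tIgnored State: closed (999)\n"
    "Host: 192.0.2.30 (printer.example.lan)\tStatus: Down\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class HostRecord:
    ip: str
    hostname: str = ""
    status: str = ""
    services: list = field(default_factory=list)


def parse_grepable(text):
    """Return {ip: HostRecord} from -oG text; comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, HostRecord(ip=ip, hostname=name))
        if name and not rec.hostname:
            rec.hostname = name
        for fld in fields[1:]:
            key, _, value = fld.partition(": ")
            if key == "Status":
                rec.status = value
            elif key == "Ports":
                # Each entry is port/state/proto/owner/service/rpc/version/
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 7:
                        continue
                    rec.services.append(
                        Service(int(parts[0]), parts[2], parts[1], parts[4], parts[6])
                    )
    return hosts


def unexpected_open_services(hosts, allowed):
    """List (ip, port, proto, name, version) for open ports not in the
    allow-list {ip: {(port, proto), ...}}; hosts absent from the allow-list
    have every open port reported."""
    findings = []
    for ip, rec in sorted(hosts.items()):
        permitted = allowed.get(ip, set())
        for svc in rec.services:
            if svc.state == "open" and (svc.port, svc.proto) not in permitted:
                findings.append((ip, svc.port, svc.proto, svc.name, svc.version))
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    # Constructed allow-list: only the gateway is expected to listen.
    expected = {"192.0.2.1": {(22, "tcp"), (80, "tcp"), (443, "tcp")}}
    for finding in unexpected_open_services(inventory, expected):
        print("unexpected listener:", finding)
```

Run the script as-is to see the one listener (Samba on 192.0.2.20) that the constructed allow-list does not account for; on real output, replace SAMPLE_OG with the contents of the -oG file and build the allow-list from the asset register. Filtered ports are deliberately left out of the findings so that firewalled hosts do not generate noise.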
Network Scanning
nmap
-sS SYN scan (stealth)
--packet-trace display packet summary
runtime interaction (keys pressed while a scan is running)
p - toggle packet trace
d - increase debugging level
v - increase verbosity
(Shift + key decreases the setting)
-T<0-5> timing template (0 = paranoid/slowest, 3 = normal default, 5 = insane/fastest)
--host_timeout time limit per host
--max_rtt_timeout probe timeout
--min_rtt_timeout min probe wait time
--initial_rtt_timeout starting timeout value
--max_parallelism simultaneous probes
--scan_delay min wait between probes
-P<X> Probe (Sweep) Type
N - Don't Ping
B - Default (ICMP Echo, SYN 443, ACK 80, ICMP Timestamp)
E - ICMP Echo Request (type 8)
S <ports> - TCP SYN <ports>
P - ICMP Timestamp Only
M - ICMP address mask request
R - ARP ping (used for targets on the local Ethernet segment)
--traceroute
--script=<scripts or script filter> e.g. "smb* and safe"