Lab2.2 NMAP Scans - adamcunningham9990/SEC335-Journal GitHub Wiki
Nmap
Nmap is an active recon tool used for host, port, OS, and service discovery
Usage
nmap [switches] <address/network>
example: sudo nmap -T4 -sS -p T:80 -iL /home/student/Desktop/Hosts
This example runs an nmap SYN scan at Aggressive (-T4) timing, checking only whether 80/tcp is open on each host listed in /home/student/Desktop/Hosts
Helpful Switches
-T(0-5): Changes the timing of the scan, with -T5 being the fastest
-sS, -sA, -sF: SYN, ACK, and FIN scans respectively
-Pn: Treats all hosts as online and skips host discovery; useful if ICMP is blocked
-p: Specifies the ports to scan. Can be used like -p80, -p T:80, -p1-10000, etc.
-sV: Probes open ports to identify the service (and version) running on the host
-O: Enables Operating System detection
--osscan-limit: Limits OS detection to promising hosts (those with at least one open and one closed TCP port), reducing the amount of OS probing
--max-os-tries: Specifies the number of times to try guessing the OS
-iL: Reads the target hosts from a file rather than typing them all out
Tips / Issues
Often you need to use sudo to run these commands
-T4 is a good scan speed for remote connections
The -Pn switch is a great way to find more hosts by bypassing host discovery
Make sure to set the --osscan-limit flag and --max-os-tries to 3 when doing OS discovery
Useful Links
fping
fping is a simple active recon tool used to discover hosts by ICMP ping
Usage
fping [options] [targets]
example: fping -g 192.168.4.240/28
This pings all hosts on the 192.168.4.240/28 network
Tips / Issues
This tool is very basic and may not discover all hosts, because it only does ICMP discovery and ICMP may be blocked
Remember to use the -g switch when providing a network to ping
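The two tools above are usually chained: fping finds the live hosts, and that list is fed to nmap with -iL, adding -Pn when ICMP is blocked. The script below is an added example (not part of the original journal) that does exactly that; the fping output it parses is constructed sample text, not a real capture, and the /tmp/hosts.txt path is an assumption.

```shell
#!/bin/sh
# Added example: turn fping host-discovery output into an nmap -iL target
# file and build the SYN scan command from the switches listed above.

# Constructed sample of "fping -g 192.168.4.240/28" output (one line per
# probed address); not captured from a real run.
SAMPLE_FPING_OUTPUT='192.168.4.241 is alive
192.168.4.242 is alive
192.168.4.243 is unreachable
ICMP Host Unreachable from 192.168.4.244 for ICMP Echo sent to 192.168.4.245
192.168.4.254 is alive'

# Keep only addresses fping reported alive, one per line, which is the
# format "nmap -iL" reads.  Unreachable and ICMP error lines are dropped.
alive_hosts() {
    printf '%s\n' "$1" | awk '$2 == "is" && $3 == "alive" { print $1 }'
}

# Build the scan command: SYN scan (-sS), timing template -T<n> (default 4),
# a single TCP port, hosts read from a file.  Passing "skip-discovery" as
# the fourth argument adds -Pn for networks where ICMP is blocked, so nmap
# still scans hosts that fping could not see.
build_nmap_cmd() {
    hostfile=$1; port=$2; timing=${3:-4}; mode=${4:-}
    pn=""
    if [ "$mode" = "skip-discovery" ]; then
        pn=" -Pn"
    fi
    printf 'sudo nmap -T%s -sS%s -p T:%s -iL %s' "$timing" "$pn" "$port" "$hostfile"
}

# Write the target list (assumed path) and print the command to run next.
HOSTFILE=${TMPDIR:-/tmp}/hosts.txt
alive_hosts "$SAMPLE_FPING_OUTPUT" > "$HOSTFILE"
echo "Live hosts written to $HOSTFILE:"
cat "$HOSTFILE"
echo "Scan command (ICMP-visible hosts only):"
build_nmap_cmd "$HOSTFILE" 80 4
echo
echo "Scan command when ICMP is blocked:"
build_nmap_cmd "$HOSTFILE" 80 4 skip-discovery
echo
```

The script only prints the nmap command so it can be reviewed before running it against the lab range.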