Lab2.2 NMAP Scans - adamcunningham9990/SEC335-Journal GitHub Wiki

Nmap

Nmap is an active recon tool used for host, port, OS, and service discovery.

Usage

nmap [switches] <address/network>

example: sudo nmap -T4 -sS -p T:80 -iL /home/student/Desktop/Hosts

This specific example runs an nmap SYN scan at Aggressive (-T4) speed, checking only whether port 80/tcp is open, against the list of hosts read from /home/student/Desktop/Hosts.
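As an added example (not part of this wiki page), a small Python parser for the grepable output nmap writes when you also pass -oG, so the result of a scan like the one above can be reduced to the hosts that actually have 80/tcp open. The sample output embedded below is constructed for the example, not captured from a real scan.

```python
import re

# Constructed sample of nmap grepable (-oG) output for a scan such as:
#   sudo nmap -T4 -sS -p T:80 -iL /home/student/Desktop/Hosts -oG scan.gnmap
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -T4 -sS -p T:80 -iL Hosts -oG scan.gnmap
Host: 192.168.4.241 ()\tStatus: Up
Host: 192.168.4.241 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (0)
Host: 192.168.4.242 ()\tStatus: Up
Host: 192.168.4.242 ()\tPorts: 80/filtered/tcp//http///
Host: 192.168.4.243 (web.lab)\tStatus: Up
Host: 192.168.4.243 (web.lab)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
# Nmap done at Mon Jan  1 12:00:05 2024 -- 16 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname or empty>)" opens every host line.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host: record
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        # Remaining fields on a Host: line are tab-separated "Key: value" pairs;
        # "Status: Up" and "Ignored State: ..." carry no port data, so skip them.
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue
            for spec in value.split(", "):
                # Each entry is port/state/protocol/owner/service/rpcinfo/version
                parts = spec.split("/")
                entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Sorted list of IPs where the given port is reported open (filtered does not count)."""
    return sorted(ip for ip, e in hosts.items()
                  if any(p == port and st == "open" and pr == proto
                         for p, st, pr, _ in e["ports"]))


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip in hosts_with_open_port(parsed, 80):
        print(ip, parsed[ip]["hostname"] or "-")
```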

Helpful Switches

-T(0-5): Changes the speed of the scan with T5 being the fastest

-sS, -sA, -sF: SYN, ACK, and FIN scans respectively

-Pn: Treats all hosts as online and skips host discovery, useful if ICMP is blocked

-p: Specifies the ports to scan. Can be used like -p80, -p T:80, -p1-10000, etc.

-sV: Probes open ports to identify the service and version running on the host

-O: Enables Operating System discovery

--osscan-limit: Limits OS detection to hosts that look promising (at least one open and one closed TCP port)

--max-os-tries: Specifies the number of times to retry OS fingerprinting against a host

-iL: Lets you specify a file to read hosts from rather than typing them all out

Tips / Issues

You often need to use sudo to run these commands (SYN scans and OS detection send raw packets, which requires root)

-T4 is a good scan speed for remote connection

The -Pn switch is a great way to find more hosts, since it skips host discovery and scans every address, including ones that don't answer ping

Make sure to set the --osscan-limit flag and --max-os-tries to 3 when doing OS discovery

Useful Links

Nmap Kali Page

Nmap Switches Cheatsheet

fping

fping is a simple active recon tool used to discover hosts by ICMP ping

Usage

fping [options] [targets]

example: fping -g 192.168.4.240/28

This pings all hosts on the 192.168.4.240/28 network

Tips / Issues

This tool is very basic and may not discover all hosts, because it relies only on ICMP, which may be blocked

Remember to use the -g switch when providing a network to ping

Useful Links

fping man page