{"id":530,"date":"2018-09-09T12:20:57","date_gmt":"2018-09-09T12:20:57","guid":{"rendered":"https:\/\/d1m0.com\/?p=530"},"modified":"2018-09-09T12:20:57","modified_gmt":"2018-09-09T12:20:57","slug":"nmap-scaning-basics-pt2","status":"publish","type":"post","link":"https:\/\/d1m0.com\/?p=530","title":{"rendered":"Nmap scaning basics pt2"},"content":{"rendered":"

TARGET SPECIFICATION:
\nCan pass hostnames, IP addresses, networks, etc.
\nEx: scanme.nmap.org, microsoft.com\/24, 192.168.0.1; 10.0.0-255.1-254
\n-iL : Input from list of hosts\/networks
\n-iR : Choose random targets
\n\u2013exclude : Exclude hosts\/networks
\n\u2013excludefile : Exclude list from file<\/p>\n

HOST DISCOVERY:
\n-sL: List Scan \u2013 simply list targets to scan
\n-sn: Ping Scan \u2013 disable port scan
\n-Pn: Treat all hosts as online \u2014 skip host discovery
\n-PS\/PA\/PU\/PY[portlist]: TCP SYN\/ACK, UDP or SCTP discovery to given ports
\n-PE\/PP\/PM: ICMP echo, timestamp, and netmask request discovery probes
\n-PO[protocol list]: IP Protocol Ping
\n-n\/-R: Never do DNS resolution\/Always resolve [default: sometimes]
\n\u2013dns-servers : Specify custom DNS servers
\n\u2013system-dns: Use OS\u2019s DNS resolver
\n\u2013traceroute: Trace hop path to each host<\/p>\n

SCAN TECHNIQUES:
\n-sS\/sT\/sA\/sW\/sM: TCP SYN\/Connect()\/ACK\/Window\/Maimon scans
\n-sU: UDP Scan
\n-sN\/sF\/sX: TCP Null, FIN, and Xmas scans
\n\u2013scanflags : Customize TCP scan flags
\n-sI : Idle scan
\n-sY\/sZ: SCTP INIT\/COOKIE-ECHO scans
\n-sO: IP protocol scan
\n-b : FTP bounce scan<\/p>\n

PORT SPECIFICATION AND SCAN ORDER:
\n-p : Only scan specified ports
\nEx: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
\n\u2013exclude-ports : Exclude the specified ports from scanning
\n-F: Fast mode \u2013 Scan fewer ports than the default scan
\n-r: Scan ports consecutively \u2013 don\u2019t randomize
\n\u2013top-ports : Scan most common ports
\n\u2013port-ratio : Scan ports more common than <\/p>\n

SERVICE\/VERSION DETECTION:
\n-sV: Probe open ports to determine service\/version info
\n\u2013version-intensity : Set from 0 (light) to 9 (try all probes)
\n\u2013version-light: Limit to most likely probes (intensity 2)
\n\u2013version-all: Try every single probe (intensity 9)
\n\u2013version-trace: Show detailed version scan activity (for debugging)<\/p>\n

SCRIPT SCAN:
\n-sC: equivalent to \u2013script=default
\n\u2013script=: is a comma separated list of
\ndirectories, script-files or script-categories
\n\u2013script-args=: provide arguments to scripts
\n\u2013script-args-file=filename: provide NSE script args in a file
\n\u2013script-trace: Show all data sent and received
\n\u2013script-updatedb: Update the script database.
\n\u2013script-help=: Show help about scripts.
\n is a comma-separated list of script-files or
\nscript-categories.<\/p>\n

OS DETECTION:
\n-O: Enable OS detection
\n\u2013osscan-limit: Limit OS detection to promising targets
\n\u2013osscan-guess: Guess OS more aggressively<\/p>\n

TIMING AND PERFORMANCE:
\nOptions which take

FIREWALL\/IDS EVASION AND SPOOFING:
\n-f; \u2013mtu : fragment packets (optionally w\/given MTU)
\n-D : Cloak a scan with decoys
\n-S : Spoof source address
\n-e : Use specified interface
\n-g\/\u2013source-port : Use given port number
\n\u2013proxies : Relay connections through HTTP\/SOCKS4 proxies
\n\u2013data : Append a custom payload to sent packets
\n\u2013data-string : Append a custom ASCII string to sent packets
\n\u2013data-length : Append random data to sent packets
\n\u2013ip-options: Send packets with specified ip options
\n\u2013ttl : Set IP time-to-live field
\n\u2013spoof-mac : Spoof your MAC address
\n\u2013badsum: Send packets with a bogus TCP\/UDP\/SCTP checksum<\/p>\n

OUTPUT:
\n-oN\/-oX\/-oS\/-oG : Output scan in normal, XML, s|: Output in the three major formats at once
\n-v: Increase verbosity level (use -vv or more for greater effect)
\n-d: Increase debugging level (use -dd or more for greater effect)
\n\u2013reason: Display the reason a port is in a particular state
\n\u2013open: Only show open (or possibly open) ports
\n\u2013packet-trace: Show all packets sent and received
\n\u2013iflist: Print host interfaces and routes (for debugging)
\n\u2013log-errors: Log errors\/warnings to the normal-format output file
\n\u2013append-output: Append to rather than clobber specified output files
\n\u2013resume : Resume an aborted scan
\n\u2013stylesheet : XSL stylesheet to transform XML output to HTML
\n\u2013webxml: Reference stylesheet from Nmap.Org for more portable XML
\n\u2013no-stylesheet: Prevent associating of XSL stylesheet w\/XML output<\/p>\n

MISC:
\n-6: Enable IPv6 scanning
\n-A: Enable OS detection, version detection, script scanning, and traceroute
\n\u2013datadir : Specify custom Nmap data file location
\n\u2013send-eth\/\u2013send-ip: Send using raw ethernet frames or IP packets
\n\u2013privileged: Assume that the user is fully privileged
\n\u2013unprivileged: Assume the user lacks raw socket privileges
\n-V: Print version number
\n-h: Print this help summary page<\/p>\n","protected":false},"excerpt":{"rendered":"

TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com\/24, 192.168.0.1; 10.0.0-255.1-254 -iL : Input from list of hosts\/networks -iR : Choose random targets \u2013exclude : Exclude hosts\/networks \u2013excludefile : Exclude list from file HOST DISCOVERY: -sL: List Scan \u2013 simply list targets to scan -sn: Ping Scan \u2013 disable port scan -Pn: …<\/p>\n

Continue reading ‘Nmap scaning basics pt2’ »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,4],"tags":[],"class_list":["post-530","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking"],"_links":{"self":[{"href":"https:\/\/d1m0.com\/index.php?rest_route=\/wp\/v2\/posts\/530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/d1m0.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/d1m0.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/d1m0.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/d1m0.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=530"}],"version-history":[{"count":1,"href":"https:\/\/d1m0.com\/index.php?rest_route=\/wp\/v2\/posts\/530\/revisions"}],"predecessor-version":[{"id":531,"href":"https:\/\/d1m0.com\/index.php?rest_route=\/wp\/v2\/posts\/530\/revisions\/531"}],"wp:attachment":[{"href":"https:\/\/d1m0.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/d1m0.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/d1m0.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}