- nmap --iflist
- nmap -F (fast scan)
- nmap -sn (ping scan)
- nmap -Pn (don't ping)
- nmap -T5 (super fast)
- nmap -p- (all ports)
- nmap -A (versions and extra)
- nmap -v (verbose)
- nmap -sV (service/version detection on open ports)
- nmap -sL (list scan: reverse DNS lookup only, no probes sent)
- nmap -oN output.txt, -oG (grep), -oX (XML)
- nmap 192.168.1.2-254 --exclude ip
- nmap --reason (shows why each port/host is in its state, including the TTL of the reply)
- nmap --open (only display open ports)
- nmap -p T:464 (scan only 464 via TCP)
- nmap --packet-trace
- nmap -v -sS -f -T5 IP: -f = tiny fragments, -T = timing template
- nmap --script vuln IP
- nmap --scan-delay <time> or nmap -T<0-5> (0 being slowest)
- nmap --randomize-hosts
- nmap -D decoy1,decoy2,ME (decoy scan; note that lowercase -d sets the debugging level)
- Can use wildcards in the IPs, and commas to separate last octets
- If ICMP is blocked by a firewall, you can use -sA IP: the ACK scan sends packets that belong to no existing connection, and an IPv4 host that answers (typically with RST) still tells us that a device exists at that address.
- -PS sends an empty TCP packet with the SYN flag set. This suggests to the remote system that you are attempting to connect; if the port is open it will respond with SYN/ACK to continue the three-way handshake. (nmap -PS80,21,443)
- -PA is similar to -PS but uses the ACK flag of the three-way handshake. The purpose is to acknowledge data over a supposed connection where none exists. Responding hosts then send back an RST, giving away their presence.
- nmap -sP -PU: ping scans determine whether a host is responding and can be considered online (-sP is the older spelling of -sn). UDP ping scans have the advantage of detecting systems behind firewalls with strict TCP filtering that leave UDP traffic unchecked. This command sends UDP pings, which get past firewalls and filters that only screen TCP traffic.
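The -oG (grepable) output mentioned above is the easiest format to post-process when checking a network against an expected-services baseline. The following is an added example, not part of the original notes or of nmap itself; it parses a constructed .gnmap sample and flags open ports that are not on a hypothetical per-host allowlist.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -sV --open -oG` output (not a real scan).
# Fields are tab-separated; each Ports entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_OG = """# Nmap 7.93 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV --open -oG inventory.gnmap 192.168.1.0/24
Host: 192.168.1.10 (fileserver.lan)\tStatus: Up
Host: 192.168.1.10 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 445/open/tcp//microsoft-ds//Samba smbd 4.x/, 80/closed/tcp//http///\tIgnored State: filtered (997)
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/
# Nmap done at Mon Jan  1 12:00:30 2024 -- 256 IP addresses (2 hosts up) scanned in 30.12 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines carry no host data
        ip = m.group(1)
        # Split the tab-separated "Name: value" fields of this line into a dict.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports_field = fields.get("Ports")
        if not ports_field:
            continue  # "Status: Up" lines have no Ports field
        for entry in ports_field.split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry, skip rather than crash
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state == "open":
                hosts[ip].append((int(port), proto, service, version))
    return dict(hosts)

# Hypothetical baseline: which ports each host is expected to expose.
EXPECTED = {"192.168.1.10": {22, 445}}

def unexpected_exposures(hosts, expected=EXPECTED):
    """List (ip, port, service) for open ports absent from the baseline."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        for port, _proto, service, _version in ports:
            if port not in expected.get(ip, set()):
                findings.append((ip, port, service))
    return findings

if __name__ == "__main__":
    for finding in unexpected_exposures(parse_gnmap(SAMPLE_OG)):
        print("unexpected open port: %s:%d (%s)" % finding)
```

Nmap writes `|` in place of `/` inside version strings, so splitting on `/` is safe; a version string containing ", " would still need a more careful split.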
Hping
hping3 -d 100 -S -p 21 --rand-source --flood IPaddr
PowerShell
(1..254) | % { $ip = "10.0.0.$_"; if (Test-Connection -ComputerName $ip -Quiet -Count 1) { $ip } }
Command Prompt
for /l %i in (1,1,254) do @ping -n 1 -w 100 10.0.0.%i | find "TTL=" (match "TTL=" rather than "reply": "Destination host unreachable" notices also begin with "Reply from")