Nmap

Nmap [1 - Target Specification] [2 - Host Discovery] [3 - Scan Technique] [4 - Port Specification] 
//Optional [5 - SERVICE/VERSION DETECTION] [6 - SCRIPT SCAN] [7 - OS DETECTION] [8 - TIMING AND PERFORMANCE] [ 9 - FIREWALL/IDS EVASION AND SPOOFING] [10 - OUTPUT]

EXAMPLE:-
--------------------
Save scan(place at end)
server_assets_pingsweep.nmap

Scan port 80 on the target system:
nmap 192.168.0.1 –p 80

Scan (Fast) the most common ports:
nmap –F 192.168.0.1

To scan all ports (1 – 65535):
nmap –p– 192.168.0.1

nmap -p- -sV -sS -T4 target
Full TCP port scan using with service version detection - usually my first scan, I find T4 more accurate than T5 and still "pretty quick".

nmap -v -sS -A -T4 target
Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services.

nmap -v -sS -A -T5 target
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services.

nmap -v -sV -O -sS -T5 target
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection.

nmap -v -p 1-65535 -sV -O -sS -T4 target
Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan.

nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep open 
Scan for web servers and grep to show which IPs are running web servers 

nmap -iR 10 -n -oX out.xml | grep "Nmap" | cut -d " " -f5 > live-hosts.txt 
Generate a list of the IPs of live hosts

nmap -iR 10 -n -oX out2.xml | grep "Nmap" | cut -d " " -f5 >> live-hosts.txt 
Append IP to the list of live hosts

ndiﬀ scanl.xml scan2.xml 
Compare output from nmap using the ndiﬀ 

xsltproc nmap.xml -o nmap.html 
Convert nmap xml files to html files 

grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less Reverse sorted list of how o en ports turn up
Reverse sorted list of how o en ports turn up

1 - Target Specification:-

Scan a single IP
--------------------
nmap 192.168.1.1

Scan specific IPs
--------------------
nmap 192.168.1.1 192.168.2.1 

Scan a range
--------------------
nmap 192.168.1.1-254 

Scan a domain
--------------------
nmap scanme.nmap.org

Scan using CIDR notation
--------------------
nmap 192.168.1.0/24 

Scan targets from a file
--------------------
nmap -iL targets.txt 

2 - Host Dicovery:-

-sL No Scan. List targets only
-sn Disable port scanning
-Pn Disable host discovery. Port scan only
-PS22-25,80 TCP SYN discovery on port x. Port 80 by default
-PA22-25,80 TCP ACK discovery on port x. Port 80 by default
-PU53 UDP discovery on port x. Port 40125 by default
-PR ARP discovery on local network
-n Never do DNS resolution

3 - Scan Technique:-

-sS TCP SYN port scan (Default
-sT TCP connect port scan (Default without root privilege
-sU UDP port scan
-sA TCP ACK port scan
-sW TCP Window port scan
-sM TCP Maimon port scan

4 - Port Specification:-

-p 21 Port scan for port x
-p 21-100 Port range
-p U:53,T:21-25,80 Port scan multiple TCP and UDP ports
-p- Port scan all ports
-p http,https Port scan from service name
-F Fast port scan (100 ports)
--top-ports 2000 Port scan the top x ports

5 - SERVICE/VERSION DETECTION:-

-sV --version-intensity// nmap 192.168.1.1 -sV --version-intensity "1-9" Intensity level 0 to 9. Higher number increases possibility of correctness
-sV --version-light nmap 192.168.1.1 -sV "BLANK/--version-light/--version-all"
-A nmap 192.168.1.1 -A Enables OS detection, version detection, script scanning, and traceroute

6 - SCRIPT SCAN:-

-sC Scan with default NSE scripts. Considered useful for discovery and safe
--script default Scan with default NSE scripts. Considered useful for discovery and safe
--script="banner" Scan with a single script. Example banner
--script="http","banner" Scan with two scripts. Example http and banner
--script=http* Scan with a wildcard. Example http
--script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 NSE script with arguments

7 - OS DETECTION:-

-O Remote OS detection using TCP/IP stack fingerprinting
-A Enables OS detection, version detection, script scanning, and traceroute

8 - TIMING AND PERFORMANCE:-

Switch Example Description
-T0 Paranoid (0) Intrusion Detection System evasion
-T1 Sneaky (1) Intrusion Detection System evasion
-T2 Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3 Normal (3) which is default speed
-T4 Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 Insane (5) speeds scan; assumes you are on an extraordinarily fast network

9 - FIREWALL/IDS EVASION AND SPOOFING:-

-f Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters
--mtu 32 Set your own oﬀset size
-D 192.168.1.101,decoy-ip1 Send scans from spoofed IPs
-S nmap -S www.microso .com www.facebook.com Scan Facebook from Microso  (-e eth0 -Pn may be required)
-g nmap -g 53 192.168.1.1 Use given source port number 
--proxies http://192.168.1.1:8080, http://192.168.1.2:8080 192.168.1.1 Relay connections through HTTP/SOCKS4 proxies 
-length 200 192.168.1.1 Appends random data to sent packets

10 - OUTPUT

-oN normal.file Normal output to the file normal.file
-oX xml.file XML output to the file xml.file
-oG grep.file Grepable output to the file grep.file
-oA results Output in the three major formats at once 
-oG - Grepable output to screen. -oN -, -oX - also usable
-oN file.file --append-output Append a scan to a previous scan file
-v Increase the verbosity level (use -vv or more for greater eﬀect) 
-d Increase debugging level (use -dd or more for greater eﬀect)
--reason Display the reason a port is in a particular state, same output as -vv 
--open Only show open (or possibly open) ports 
--packet-trace Show all packets sent and received 
--iflist Shows the host interfaces and routes
--resume results.file Resume a scan