Scanning

Scanning tools Cheatsheet

Nmap

Scan all ports

nmap 192.168.1.1 -p-
┌──(root㉿INE)-[~]
└─# nmap demo.ine.local -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 19:08 IST
Nmap scan report for demo.ine.local (192.233.140.3)
Host is up (0.000028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
6421/tcp  open  nim-wan
41288/tcp open  unknown
55413/tcp open  unknown
MAC Address: 02:42:C0:E9:8C:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds

Service detection

nmap 192.168.1.1 -sV
┌──(root㉿INE)-[~]
└─# nmap -Pn -sV -p 80 demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 11:02 IST
Nmap scan report for demo.ine.local (10.5.31.252)
Host is up (0.0021s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds

Faster scan: aggressive scan on all ports (best for CTFs)

nmap -T5 -A -p- --min-rate=500 10.129.187.71

Useful Flags

  • -v Verbose: prints results as the scan progresses

  • -A Enables OS detection, version detection, script scanning, and traceroute

  • -sV Probe open ports to determine service/version info

  • -sC Runs the default script set

  • --script vuln Runs the vuln script category to check for known vulnerabilities

  • -sU UDP scan

Scan if ping/ICMP is blocked

nmap -Pn demo.ine.local

UDP Scan

┌──(root㉿INE)-[~]
└─# nmap demo.ine.local -p 1-250 -sU
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 19:16 IST
Stats: 0:01:14 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 29.92% done; ETC: 19:20 (0:02:53 remaining)
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 30.32% done; ETC: 19:20 (0:02:52 remaining)
Nmap scan report for demo.ine.local (192.119.106.3)
Host is up (0.00011s latency).
Not shown: 247 closed udp ports (port-unreach)
PORT    STATE         SERVICE
134/udp open|filtered ingres-net
177/udp open|filtered xdmcp
234/udp open|filtered unknown
MAC Address: 02:42:C0:77:6A:03 (Unknown)
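Reading the port tables above by eye is fine for one host, but the same format is what you end up grepping after a -p- or UDP sweep of a subnet. The following is an added example, not part of the cheatsheet or of nmap: a small parser for nmap's normal output that turns port lines into records, attaches NSE script lines to the port they belong to, and separates confirmed open ports from the ambiguous UDP open|filtered state. The sample input is stitched together from the scan reports shown on this page; the PortResult class and helper names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the scan reports reproduced in this cheatsheet (TCP all-ports,
# service detection, UDP, and the port/script lines of the mysql* run),
# stitched together as one piece of nmap "normal" output.
SAMPLE_OUTPUT = """\
Nmap scan report for demo.ine.local (192.233.140.3)
Host is up (0.000028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
6421/tcp  open  nim-wan
41288/tcp open  unknown
55413/tcp open  unknown
MAC Address: 02:42:C0:E9:8C:03 (Unknown)

Nmap scan report for demo.ine.local (10.5.31.252)
Host is up (0.0021s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for demo.ine.local (192.119.106.3)
Host is up (0.00011s latency).
Not shown: 247 closed udp ports (port-unreach)
PORT    STATE         SERVICE
134/udp open|filtered ingres-net
177/udp open|filtered xdmcp
234/udp open|filtered unknown

Nmap scan report for 10.129.14.128
PORT     STATE SERVICE     VERSION
3306/tcp open  nagios-nsca Nagios NSCA
| mysql-info:
|   Protocol: 10
|_  Auth Plugin Name: caching_sha2_password
"""


@dataclass
class PortResult:
    host: str
    addr: Optional[str]
    port: int
    proto: str
    state: str
    service: str
    version: str = ""
    scripts: List[str] = field(default_factory=list)


HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*?)\s*$")


def parse_nmap_normal(text: str) -> List[PortResult]:
    """Walk nmap's normal (-oN / stdout) output and return one record per port
    line, attaching NSE script lines ('| ...' / '|_ ...') to the port they
    were printed under."""
    results: List[PortResult] = []
    host: Optional[str] = None
    addr: Optional[str] = None
    current: Optional[PortResult] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, addr = m.group(1), m.group(2)
            current = None  # host-level script output has no port to attach to
            continue
        m = PORT_RE.match(line)
        if m:
            current = PortResult(host=host or "?", addr=addr, port=int(m.group(1)),
                                 proto=m.group(2), state=m.group(3),
                                 service=m.group(4), version=m.group(5) or "")
            results.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current.scripts.append(m.group(1))
    return results


def confirmed_open(results: List[PortResult]) -> List[PortResult]:
    """Ports nmap positively saw a reply from."""
    return [r for r in results if r.state == "open"]


def needs_followup(results: List[PortResult]) -> List[PortResult]:
    """Ambiguous states such as UDP 'open|filtered': nothing came back, so the
    port is either open or the probe was dropped. Re-probe (e.g. -sUV) before
    treating these as findings."""
    return [r for r in results if "|" in r.state]
```

The two helpers make the UDP caveat explicit: open|filtered is not an open port, it is an absence of evidence, which is why the discovery example further down re-probes port 134 with -sUV instead of taking the first result at face value.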

Nmap scripts

Scripts can be found at the following location

ls -la /usr/share/nmap/scripts

Getting help about the scripts

Running a complete category of scripts

┌──(root㉿INE)-[~]
└─# nmap demo.ine.local -p 134 -sUV --script=discovery
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-04 19:23 IST
Pre-scan script results:
| broadcast-igmp-discovery: 
|   10.1.0.1
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.106
|     Description: All-Snoopers (rfc4286)
|   192.119.106.1
|     Interface: eth1
|     Version: 2
|     Group: 224.0.0.106
|     Description: All-Snoopers (rfc4286)
|_  Use the newtargets script-arg to add the results as targets
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter

Running all scripts whose name matches a pattern

mmartiger_1@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 00:53 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00021s latency).

PORT     STATE SERVICE     VERSION
3306/tcp open  nagios-nsca Nagios NSCA
| mysql-brute: 
|   Accounts: 
|     root:<empty> - Valid credentials
|_  Statistics: Performed 45010 guesses in 5 seconds, average tps: 9002.0
|_mysql-databases: ERROR: Script execution failed (use -d to debug)
|_mysql-dump-hashes: ERROR: Script execution failed (use -d to debug)
| mysql-empty-password: 
|_  root account has empty password
| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.26-0ubuntu0.20.04.1
|   Thread ID: 13
|   Capabilities flags: 65535
|   Some Capabilities: SupportsLoadDataLocal, SupportsTransactions, Speaks41ProtocolOld, LongPassword, DontAllowDatabaseTableColumn, Support41Auth, IgnoreSigpipes, SwitchToSSLAfterHandshake, FoundRows, InteractiveClient, Speaks41ProtocolNew, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsCompression, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: YTSgMfqvx\x0F\x7F\x16\&\x1EAeK>0
|_  Auth Plugin Name: caching_sha2_password
|_mysql-users: ERROR: Script execution failed (use -d to debug)
|_mysql-variables: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:00:00:00:00:00 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds

Enumerating OS details with an nmap script over SMB

sudo nmap --script smb-os-discovery.nse 192.168.18.110

Enumerate NetBIOS

nmap -sV -v --script nbstat.nse 192.168.18.110

DNS service discovery

nmap --script=broadcast-dns-service-discovery zonetransfer.me

DNS brute force

nmap -T5 -p 53 --script dns-brute zonetransfer.me

DNS SRV records for common services

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='zonetransfer.me'"

Avoiding firewalls

Fragmentation

nmap -Pn -sS -sV -p80,445,3389 -f 10.4.27.83
  • -Pn: (Firewall Bypass) Tells nmap to skip the ping test. It assumes the host is online. This is crucial for scanning hosts that are configured to block pings (which is very common).

  • -sS: (Stealth Scan) This is a "TCP SYN Scan." It's called "stealthy" because it doesn't complete the full TCP connection, which makes it less likely to be logged by applications. It's the default (and most popular) scan type when running nmap as root.

  • -sV: (Service & Version Scan) This is the enumeration part. Instead of just reporting a port as "open," it probes that port to determine the exact service and software version (e.g., Microsoft Windows RDP or Apache httpd 2.4.41).

  • -p80,445,3389: (Targeted Ports) This is what makes the scan focused. You are only checking these three specific ports, which are strong indicators of a Windows machine:

    • 80: Standard port for HTTP (Web Server).

    • 445: The modern port for SMB (Windows File Sharing).

    • 3389: The standard port for RDP (Remote Desktop Protocol).

  • -f: (Firewall Evasion) This tells nmap to fragment its packets. It splits the scan probes into smaller pieces, which can sometimes confuse or bypass simple firewalls and Intrusion Detection Systems (IDS).

MTU (Maximum Transmission Unit)

nmap -Pn -sS -sV -p80,445,3389 --mtu 24 10.4.27.83
  • nmap: The tool.

  • -Pn: Assumes the host is online (skips the ping test).

  • -sS: Uses a stealthy TCP SYN scan.

  • -sV: Performs a service and version scan.

  • -p80,445,3389: Scans only these three common Windows ports.

  • --mtu 24: This is the new flag.

    • It sets the Maximum Transmission Unit (MTU) for the packets to 24 bytes.

    • This forces nmap to break its scan probes (which are larger than 24 bytes) into multiple, tiny fragments.

    • Important: The value (like 24) must be a multiple of 8. So, 8, 16, 24, 32, etc., are all valid.

  • 10.4.27.83: Your target IP address.
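The multiple-of-8 rule in the -f and --mtu sections comes straight from the IP header: the Fragment Offset field counts in 8-byte units, so every fragment except the last must be a multiple of 8 bytes long. The following is an added example (not from the cheatsheet or from nmap's source) that does the fragmentation arithmetic on a constructed, option-less 20-byte TCP SYN header, reassembles the pieces the way a stateful firewall or IDS must, and shows which TCP fields a device that looks only at the first fragment can still see. A real nmap probe may carry TCP options and be longer than this constructed header; the constructed 20-byte header fits in a single 24-byte fragment, while anything longer than the chosen value splits exactly as the 8-byte case does. The Fragment class and function names are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Fragment:
    offset_units: int     # value of the IP Fragment Offset field (8-byte units)
    more_fragments: bool  # IP "MF" flag: True on every fragment but the last
    data: bytes           # slice of transport-layer data this fragment carries


def fragment_payload(payload: bytes, mtu: int) -> List[Fragment]:
    """Split the data that follows the IP header into pieces of at most `mtu`
    bytes. nmap -f uses 8-byte pieces; --mtu N uses N-byte pieces. Because the
    Fragment Offset field counts in 8-byte units, every piece but the last must
    be a multiple of 8, which is why nmap rejects --mtu values that are not."""
    if mtu <= 0 or mtu % 8 != 0:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags: List[Fragment] = []
    for start in range(0, len(payload), mtu):
        chunk = payload[start:start + mtu]
        frags.append(Fragment(start // 8, start + mtu < len(payload), chunk))
    return frags


def reassemble(frags: List[Fragment]) -> bytes:
    """What a stateful firewall or IDS has to do before it can match on the
    TCP header: order by offset, verify the pieces are contiguous, concatenate."""
    ordered = sorted(frags, key=lambda f: f.offset_units)
    out = bytearray()
    for f in ordered:
        if f.offset_units * 8 != len(out):
            raise ValueError(f"gap or overlap at offset {f.offset_units}")
        out += f.data
    if not ordered or ordered[-1].more_fragments:
        raise ValueError("final fragment missing")
    return bytes(out)


# Constructed 20-byte option-less TCP header for a SYN to port 445:
# src port 40000, dst 445, seq 1, ack 0, data offset 5 (<<4), flags 0x02 (SYN),
# window 1024, checksum 0 (not computed here), urgent pointer 0.
SYN_TO_445 = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, 5 << 4, 0x02, 1024, 0, 0)


def visible_in_first_fragment(payload: bytes, mtu: int) -> Dict[str, bool]:
    """Which TCP fields a device that inspects only the first fragment can see:
    the destination port occupies bytes 2-3, the flags byte sits at offset 13.
    With 8-byte fragments the ports are visible but the SYN flag is not, so a
    rule keyed on 'SYN to port 445' never fires unless the device reassembles."""
    first = fragment_payload(payload, mtu)[0].data
    return {"dst_port": len(first) >= 4, "flags": len(first) >= 14}
```

The defender's takeaway is in the last function: with -f the first fragment carries the ports and the second carries the flags, so a filter that matches on both without reassembling sees neither condition met. Reassembly before inspection (and dropping fragment sets that never complete) closes that gap.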

Example evasion

nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -D 10.10.23.1,10.10.23.2 10.4.27.83
  • -Pn -sS -sV -p445,3389 -f: This is the base of your previous scan: a fragmented stealth scan for Windows services (SMB and RDP) that bypasses ping-blocking firewalls.

The New Evasion Techniques:

  • --data-length 200: (Evade Packet Inspection)

    • This is a clever technique. It tells nmap to add 200 bytes of random data to the end of its scan packets.

    • Why? Simple firewalls and IDS often have "signatures" to detect scans. They might be looking for a default nmap SYN packet, which has a specific, small size. By adding 200 bytes of junk data, you make your packet a non-standard length, which can cause it to "slip by" simple filters that are not advanced enough to look deeper.

  • -D 10.10.23.1,10.10.23.2: (Evade Source IP-Blocking)

    • This is a Decoy Scan, one of nmap's most powerful evasion features.

    • It makes the target think it is being scanned by multiple IP addresses at once.

    • nmap will send scan packets where the "source" IP is spoofed to be 10.10.23.1 or 10.10.23.2. It also sends packets from your real IP (which is hidden in this "crowd" of decoys).

    • Why? If the target's security admin sees alerts, they will see scan traffic from 3 different IPs (the 2 decoys + you). This makes it much harder for them to determine which IP is the real attacker and which ones are just noise.

  • 10.4.27.83: This is your actual target.
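Seen from the target's side, the two techniques above leave their own marks: a SYN normally carries no data, so --data-length padding turns a size-based signature into a payload-present signature, and decoys multiply the apparent sources without changing the fact that one host received every probe. The following is an added example, not part of the cheatsheet: detection logic run over a constructed sensor log (format invented here) that models the decoy scan above as the target would record it. It flags SYNs that carry a payload and aggregates probes per destination rather than per source, so the -D dilution of per-source thresholds does not hide the scan. As the page notes, the log cannot say which of the sources is the real scanner; the alert reports the whole set. The SynRecord class and function names are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sensor log (format invented for this example):
# "<seconds> <src> -> <dst>:<dport> SYN len=<tcp payload bytes>".
# It models the scan above as the target sees it: SYNs from three apparent
# sources (decoys plus the real scanner), each padded with 200 bytes, and one
# unrelated SYN much later.
SAMPLE_LOG = """\
1000.00 10.10.23.1 -> 10.4.27.83:445 SYN len=200
1000.01 10.10.23.7 -> 10.4.27.83:445 SYN len=200
1000.02 10.10.23.2 -> 10.4.27.83:445 SYN len=200
1000.05 10.10.23.1 -> 10.4.27.83:3389 SYN len=200
1000.06 10.10.23.7 -> 10.4.27.83:3389 SYN len=200
1000.07 10.10.23.2 -> 10.4.27.83:3389 SYN len=200
1200.00 10.10.23.55 -> 10.4.27.83:443 SYN len=0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) SYN len=(\d+)$")


@dataclass
class SynRecord:
    ts: float
    src: str
    dst: str
    dport: int
    payload_len: int


def parse_log(text: str) -> List[SynRecord]:
    records: List[SynRecord] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(SynRecord(float(m.group(1)), m.group(2), m.group(3),
                                     int(m.group(4)), int(m.group(5))))
    return records


def padded_syns(records: List[SynRecord]) -> List[SynRecord]:
    """A SYN normally carries no data. --data-length defeats a size-based
    signature but leaves a different one: a SYN with a payload."""
    return [r for r in records if r.payload_len > 0]


def target_bursts(records: List[SynRecord], window: float = 2.0,
                  min_probes: int = 3) -> Dict[str, dict]:
    """Key the detection on the destination rather than the source. With -D the
    real scanner is one of N apparent sources, so a per-source threshold is
    diluted N-fold, but the target still receives every probe. Report the whole
    burst: sources, ports, and how many SYNs carried padding."""
    by_dst: Dict[str, List[SynRecord]] = defaultdict(list)
    for r in records:
        by_dst[r.dst].append(r)
    alerts: Dict[str, dict] = {}
    for dst, recs in by_dst.items():
        recs.sort(key=lambda r: r.ts)
        flagged = set()
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most `window` seconds
            while recs[end].ts - recs[start].ts > window:
                start += 1
            if end - start + 1 >= min_probes:
                flagged.update(range(start, end + 1))
        if flagged:
            burst = [recs[i] for i in sorted(flagged)]
            alerts[dst] = {
                "sources": sorted({r.src for r in burst}),
                "ports": sorted({r.dport for r in burst}),
                "probes": len(burst),
                "padded_syns": sum(1 for r in burst if r.payload_len > 0),
            }
    return alerts
```

On the sample log the six padded SYNs within 70 ms produce one alert for 10.4.27.83 listing all three sources and both ports, while the lone SYN to 443 twenty minutes later stays below the threshold. Attribution still needs other evidence (decoy hosts that are down will not complete handshakes, for instance); the point of the target-keyed alert is that the scan itself is not missed.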
