Network Enumeration

Ping Sweep

# Ping Sweep For Loop on Linux
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
# Ping Sweep For Loop Using CMD
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
# Ping Sweep Using PowerShell
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
# Scan network range for open port 445
for i in $(seq 1 254); do nc -zv -w 1 172.16.5.$i 445; done
# Ping Sweep metasploit
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23

Scan Network Range

sudo nmap 10.10.0.0/24 -sn -oA tnet | grep for | cut -d" " -f5
sudo nmap -v -sn 10.10.2.1-253 -oG sweep.txt ; grep Up sweep.txt | cut -d " " -f 2
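As an added example that is not part of the original notes, here is a small Python parser for the grepable (-oG) output the pipeline above filters with grep/cut. It reads constructed sample lines (the host addresses and version banner are made up), returns the hosts marked Up, and also pulls out open ports from a port-scan run, which the one-liner cannot do.

```python
import re

# Constructed sample of nmap grepable (-oG) output: the format consumed by the
# `grep Up sweep.txt | cut -d " " -f 2` pipeline above. Fields are tab-separated.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -v -sn -oG sweep.txt 10.10.2.1-253
Host: 10.10.2.1 ()\tStatus: Up
Host: 10.10.2.7 (fileserver.lab)\tStatus: Down
Host: 10.10.2.15 ()\tStatus: Up
Host: 10.10.2.15 ()\tPorts: 22/open/tcp//ssh///, 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 253 IP addresses (2 hosts up) scanned in 5.02 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")  # "Host: <ip> (<hostname>)"

def parse_grepable(text):
    """Return {ip: {"hostname": str, "status": str|None, "open_ports": [(port, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and footer lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": "", "status": None, "open_ports": []})
        if hostname:
            entry["hostname"] = hostname
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                # each spec is port/state/protocol/owner/service/rpc info/version/
                for spec in value.split(", "):
                    parts = spec.split("/")
                    port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                    if state == "open":
                        entry["open_ports"].append((int(port), proto, service))
    return hosts

def hosts_up(text):
    """IPs reported "Status: Up", i.e. what the grep/cut one-liner extracts."""
    return [ip for ip, h in parse_grepable(text).items() if h["status"] == "Up"]

def hosts_with_open_port(text, port):
    """IPs that have the given port open (e.g. 445), in scan order."""
    return [ip for ip, h in parse_grepable(text).items() if any(p == port for p, _, _ in h["open_ports"])]
```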

Convert nmap XML report to HTML

xsltproc target.xml -o target.html

ACK-Scan

sudo nmap 10.10.0.1 -p 21 -sA -Pn -n

Scan by Using Decoys

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n -D RND:5

Scan by Using Different Source IP

sudo nmap 10.10.0.1 -S 10.129.2.200 -e tun0 -Pn -n --disable-arp-ping --packet-trace

SYN-Scan From DNS Port

sudo nmap 10.10.0.1 -p22 -sS --source-port 53 -Pn -n --disable-arp-ping

Scanning Options

Nmap Option                  Description
10.10.10.0/24                Target network range.
-sn                          Disables port scanning.
-Pn                          Disables ICMP Echo Requests.
-n                           Disables DNS resolution.
-PE                          Performs the ping scan by using ICMP Echo Requests.
--packet-trace               Shows all packets sent and received.
--reason                     Displays the reason for a specific result.
--disable-arp-ping           Disables ARP ping requests.
--top-ports=1000             Scans the top ports that have been defined as most frequent.
-F                           Scans the top 100 ports.
-sS                          Performs a TCP SYN scan.
-sA                          Performs a TCP ACK scan.
-sU                          Performs a UDP scan.
-sV                          Scans the discovered services for their versions.
-sC                          Performs a script scan with the scripts categorized as "default".
--script <script>            Performs a script scan using the specified scripts.
-O                           Performs an OS detection scan to determine the OS of the target.
-A                           Performs OS detection, service detection, and traceroute scans.
-D RND:5                     Sets the number of random decoys used to scan the target.
-e eth0                      Specifies the network interface used for the scan.
-S 10.10.10.200              Specifies the source IP address for the scan.
-g 53                        Specifies the source port for the scan.
--dns-server <ns>            Performs DNS resolution using the specified name server.

Output Options

Nmap Option                  Description
-oA filename                 Stores the results in all available formats.
-oN filename                 Stores the results in normal format.
-oG filename                 Stores the results in "grepable" format.
-oX filename                 Stores the results in XML format.

Performance Options

Nmap Option                  Description
--max-retries <num>          Sets the number of retries for scans of specific ports.
--stats-every=5s             Displays the scan's status every 5 seconds.
-v/-vv                       Displays verbose output during the scan.
--initial-rtt-timeout 50ms   Sets the specified time value as the initial RTT timeout.
--max-rtt-timeout 100ms      Sets the specified time value as the maximum RTT timeout.
--min-rate 300               Sets the number of packets that will be sent simultaneously.
-T <0-5>                     Specifies the timing template to use.