NMAP Commands
Flags:
-p- = Scan all 65535 TCP ports (default is only the top 1000)
-A = Aggressive scan (enables OS detection, -sV, -sC and traceroute)
-sV = Version detection
-Pn = Do not ping target hosts (skip host discovery, treat every host as up)
-sC = Run the default NSE script set (Nmap Scripting Engine)
-T0 to -T5 = Timing template (0 = paranoid/slowest, 5 = insane/fastest)
-oN / -oX / -oA = Output to file (normal text, XML, or all formats at once)
-n = Never do DNS resolution
-R = Always do DNS resolution
NMAP HTTP Information:
Show HTTP response headers
nmap --script=http-headers <ip>
Gather page titles from HTTP services
nmap --script=http-title <ip>
Find web apps from known paths
nmap --script=http-enum <ip>
Scan types:
-sA ACK scan
-sF FIN scan
-sI IDLE scan (zombie host scan)
-sL List scan (only resolves names, sends no packets)
-sN NULL scan
-sO IP protocol scan
-sP Ping scan (deprecated spelling; modern Nmap uses -sn)
-sR RPC scan (legacy; folded into -sV in modern Nmap)
-sS SYN scan
-sT TCP connect scan
-sU UDP scan
-sW TCP window scan
-sX XMAS scan
-b <FTP relay host> FTP bounce scan
Host Discovery:
-PI ICMP echo ping (legacy spelling; modern Nmap uses -PE)
-P0 No ping (that is a zero, not the letter o; modern Nmap uses -Pn)
-PS TCP SYN ping
-PT TCP ping (legacy spelling; modern Nmap uses -PS / -PA)
Evading Firewalls:
-f = Fragment packets
--mtu <value> = Set the MTU (fragment size) of sent packets; must be a multiple of 8
-S <ip addr> = Spoof source address
--data-length <num> = Append random data to sent packets
--spoof-mac <mac> = Spoof MAC address
Masscan
Download: https://github.com/robertdavidgraham/masscan (credit to Robert David Graham)
Defaults:
- only does SYN scans
- does not ping hosts
- no DNS resolution
Syntax:
masscan <ip or range> -p<port>