My Notes Hub
  • 📍Introduction Page
  • ⭐Learning Process
    • 🧠Learning Mindset
    • 🖇️Learning Dependencies
    • 🧮Learning Process
  • 🔠Fundamentals
    • 🛜Networking Fundamentals
    • 🐧Linux Fundamentals
    • 🪟Windows Fundamentals
    • 🕵️Active Directory
    • 🕸️Introduction to Web Applications
    • 🗃️Other Useful Concepts
      • Regular Expressions (RegEx)
  • 🧰Tools
    • Nmap
    • Nessus
    • Ffuf
    • Hydra
    • John The Ripper
  • ✍️Write Ups
    • 🗃️Hack The Box Machines
      • Irked
      • Nibbles
      • Brainfuck
      • Lame (Check)
    • 🗃️Proving Grounds
      • 🐧Linux
        • Stapler
        • eLection
        • Loly
        • Blogger
        • Potato
        • Amaterasu
        • Exfiltrated
        • Pelican
        • Astronaut
        • Cockpit
        • Levram
        • Extplorer
        • LaVita
        • pc
        • Scrutiny
        • Zipper
        • Flu
      • 🪟Windows
        • Algernon
        • AuthBy
  • 📋Cheat Sheets
    • Penetration Testing Cheat Sheet (In Progress)
  • 🪪Certificates
    • Penetration Tester (HTB CPTS)
      • Penetration Testing Process
      • Reconnaissance, Enumeration & Attack Planning
        • Network Enumeration with Nmap (Continue Here)
        • Footprinting (Just Do Formatting)
        • Vulnerability Scanning (Check)
        • File Transfers (Continue Here)
        • Using the Metasploit Framework
        • Web Information Gathering
        • Shells & Payloads
      • Exploitation & Lateral Movement
        • Attacking Common Services (Just Do Formatting)
        • Password Attacks (TBC)
        • Active Directory Enumeration & Attacks (TBC)
      • Web Exploitation
        • Using Web Proxies (Check)
        • Attacking Web Applications With Ffuf (Check)
        • Login Bruteforcing
        • Cross-Site Scripting (XSS)
        • Command Injection
        • SQL Injection
        • File Upload Attacks
        • File Inclusion
        • Web Attacks (Check)
        • Attacking Common Applications
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation (TBC)
  • 🗄️Archive/Backup/Bin
    • Sysmon Usecases (IBM)
    • 🐧Linux Fundamentals (TryHackMe)
      • Introduction
      • Basic Commands
      • Wildcards & Operators
      • Permissions
      • Common Directories
      • Terminal Text Editors
      • General/Useful Utilities
    • 🪟Windows Fundamentals (TryHackMe)
      • Introduction
      • The File System
      • User Accounts
      • Settings & Control Panel & Task Manager
      • System Configuration
    • Active Directory (TryHackMe)
      • Breaching Active Directory
    • FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
      • Book 2 - Intrusion Analysis
        • Credential Theft
        • Event Log Analysis for Responders and Hunters
    • Certified Threat Hunting Professional (eCTHPv2)
      • Threat Hunting: Hunting the Endpoint & Endpoint Analysis
        • Event IDs, Logging, & SIEMs
    • OSCP
      • Report Writing
      • ✅Passive Information Gathering
      • ✅Active Information Gathering
      • ✅Vulnerability Scanning
      • Introduction to Web Application Attacks
      • Common Web Application Attacks
        • ✅Cross-Site Scripting (XSS)
        • ✅Directory Traversal
        • ✅File Inclusion
        • ✅File Upload Vulnerabilities
        • Command Injection
        • SQL Injection Attacks
        • Client Side Attacks
      • ✅Locating Public Exploits
      • ✅Exploiting Walkthrough
      • Fixing Exploits
      • ✅Antivirus Evasion
      • Password Attacks
      • Windows Privilege Escalation
      • Linux Privilege Escalation
      • Port Redirection and SSH Tunneling
      • Tunneling Through Deep Packet Inspection
      • The Metasploit Framework
      • Active Directory Introduction & Enumeration
      • Attacking Active Directory Authentication
      • Lateral Movement in Active Directory
      • Assembling the Pieces
      • Other General Information
    • ⚡Port Swigger (Web Penetration Testing)
      • ✅Information Disclosure
      • ✅Path Traversal (Directory Traversal)
      • ✅OS Command Injection
      • Business Logic Vulnerabilities
      • ✅Authentication
      • ✅Access Control
    • Certified Bug Bounty Hunter (CBBH)
      • Web Requests
        • HTTP Fundamentals
    • Getting Started
      • Introduction
      • Pentesting Basics
    • Certified Penetration Testing Specialist (CPTS)
      • Introduction
        • ✅Penetration Testing Process
          • Penetration Testing Overview
          • Laws & Regulations
          • Penetration Testing Process
          • Pre-Engagement
          • Information Gathering
          • Vulnerability Assessment
          • Exploitation
          • Post-Exploitation
          • Lateral Movement
          • Proof-of-Concept
          • Post-Engagement
          • Practice
          • Academy Module Layout
        • Getting Started with Hack The Box (HTB)
      • Reconnaissance, Enumeration & Attack Planning
        • ✅Network Enumeration with Nmap
          • Enumeration & Introduction to Nmap
          • Host Discovery
          • Host and Port Scanning
          • Saving The Results
          • Service Enumeration
          • Nmap Scripting Engine
          • Scanning Performance
          • Firewall and IDS/IPS Evasion
        • Footprinting
        • ✅Information Gathering - Web Edition
          • Introduction
          • Passive Information Gathering
          • Active Information Gathering
        • Vulnerability Assessment
        • File Transfers
        • Shells & Payloads
        • Using the Metasploit Framework
      • Exploitation & Lateral Movement
        • Password Attacks
        • Attacking Common Services
        • Pivoting, Tunneling, and Port Forwarding
        • Active Directory Enumeration & Attacks
      • Web Exploitation
        • Using Web Proxies
        • ✅Attacking Web Applications with Ffuf
        • ✅Login Brute Forcing
        • SQL Injection Fundamentals
        • SQLMap Essentials
        • Cross-Site Scripting (XSS)
        • File Inclusion
        • File Upload Attacks
        • Command Injections
        • Web Attacks
        • Attacking Common Applications
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • Reporting & Capstone
        • Documentation & Reporting
        • Attacking Enterprise Networks
    • Old Active Directory
Powered by GitBook
On this page
  • Introduction
  • Live Host Enumration
  • Port Scanning
  1. Tools

Nmap

Introduction

  • Nmap is an industry-standard tool for mapping networks, identifying live hosts, and discovering running services.

  • In Nmap, you can provide targets in four different ways:

    • List: For example, <IP Address 1> <IP Address 2> <IP Address 3>

    • Range: For example, <IP Address Range> (i.e., 192.168.1.0-255)

    • Subnet: For example, <IP Address/Subnet Mask> (i.e., 192.168.1.0/24)

    • File: For example, -iL <File Name>

  • The command -sL <Target> Shows you the list of targets without scanning them.

Live Host Enumration

  • Nmap can discover live hosts in three ways:

    • Local Network (Ethernet): When a privileged user scans targets on a local network, Nmap uses ARP requests.

    • Outside the Local Network (Privileged User): When a privileged user scans targets outside the local network, Nmap uses:

      • ICMP echo requests

      • TCP ACK (acknowledge) packets to port 80

      • TCP SYN (synchronize) packets to port 443

      • ICMP timestamp requests

    • Outside the Local Network (Unprivileged User): When an unprivileged user scans targets outside the local network, Nmap resorts to a TCP three-way handshake by sending SYN packets to ports 80 and 443.

  • The command nmap -sn <Targets> is used to scan for live hosts without performing port scans.

ARP scan is possible only if you are on the same subnet as the target systems.

Port Scanning

  • A server provides network services and adheres to specific network protocols. For simplicity, ports can be classified into two basic states:

    • Open: A service is listening on the port.

    • Closed: No service is listening on the port.

  • Nmap defines the following six port states:

    • Open: A service is actively listening on the specified port.

    • Closed: No service is listening on the specified port, although the port is accessible (i.e., it is reachable and not blocked by a firewall or other security appliances).

    • Filtered: Nmap cannot determine if the port is open or closed because the port is not accessible. This is usually due to a firewall preventing Nmap from reaching the port or blocking the responses.

    • Unfiltered: The port is accessible, but Nmap cannot determine if it is open or closed. This state is often encountered when using an ACK scan (-sA).

    • Open|Filtered: Nmap cannot determine whether the port is open or filtered.

    • Closed|Filtered: Nmap cannot decide whether the port is closed or filtered.

sudo nmap -sC -sV -O -oA <Output Directory> <IP Address> - Start with this command to enumerate the first few ports. (-sC for default scripts, -sV for version enum, -O for OS enum)

sudo nmap -sC -sV -O -p- -oA <Output Directory> <IP Address> - Scan all the ports, run this command after the initial scan because it takes a long time.

nmap --script vuln -oA <Output Directory> <IP Address> - Runs vulnerability scripts.

nmap -sU -oA <Output Directory> <IP Address> - Scan for the top UDP ports only.

PreviousToolsNextNessus

Last updated 1 month ago

🧰