Previously, I noted some basic scan techniques, which are useful for understanding Nmap and getting a basic overview.
These are some advanced scanning techniques for Nmap to run and try out. Nmap (by default) performs a basic TCP scan on each target system.
You must have sudo privileges to run these commands.
TCP SYN Scan
nmap -sS [target] | nmap -sS 10.10.1.48
The default TCP SYN scan probes the 1000 most commonly used TCP ports by sending a SYN packet to each one and listening for the response. This type of scan is said to be stealthy because it does not attempt to open a full-fledged connection to the remote host. This prevents many systems from logging a connection attempt from your scan.
TCP Connect Scan
nmap -sT [target] | nmap -sT 10.10.0.1
The TCP Connect Scan is a simple probe that attempts to directly connect to the remote system without using any stealth.
UDP Scan
nmap -sU [target] | nmap -sU 10.10.0.1
While TCP is the most commonly used protocol, many network services (like DNS, DHCP, and SNMP) still utilize UDP. When performing a network audit, it’s always a good idea to check for both TCP and UDP services to get a more complete picture of the target host/network.
TCP NULL Scan
nmap -sN [target] | nmap -sN 10.10.1.1
This scan causes Nmap to send packets with no TCP flags enabled. Sending NULL packets to a target is a method of tricking a firewalled system into generating a response, but not all systems respond.
TCP FIN Scan
nmap -sF [target] | nmap -sF 10.10.1.1
This is another method of sending unexpected packets to a target in an attempt to produce results from a system protected by a firewall.
TCP Xmas Scan
nmap -sX [target] | nmap -sX 10.10.1.1
This scan sends packets with the URG, PSH, and FIN flags activated. This has the effect of "lighting the packet up like a Christmas tree" and can occasionally solicit a response from a firewalled system.
Custom TCP Scan
nmap --scanflags [flag(s)] [target] | nmap --scanflags SYNURG 10.10.1.1 | nmap --scanflags FINACK 10.10.1.1
TCP ACK Scan
nmap -sA [target] | nmap -sA 10.10.1.1
The -sA option can be used to determine if the target system is protected by a firewall. When performing a TCP ACK scan, Nmap will probe a target and look for RST responses. If no response is received the system is considered to be filtered. If the system does return an RST packet, then it is labeled as unfiltered. (Its only purpose is to determine whether or not the system is filtering ports.)
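The scan types above differ only in which TCP flags the probe carries and in how Nmap reads the reply. The following is an added example (not code from the original post or from Nmap) that models those rules: it parses the --scanflags syntax into flag names and returns the port state Nmap would assign for each scan type given a reply. The reply labels ("syn-ack", "rst", "none", ...) are constructed for this example and are not Nmap output.

```python
# Added example: a model of the reply rules behind Nmap's port-state labels.
# It covers the six classic flags; Nmap's --scanflags also accepts ECE and CWR.
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Flags each scan type sets in its probe (custom sets come from parse_scanflags).
PROBE_FLAGS = {
    "-sS": {"SYN"}, "-sT": {"SYN"}, "-sN": set(), "-sF": {"FIN"},
    "-sX": {"FIN", "PSH", "URG"}, "-sA": {"ACK"},
}

def parse_scanflags(spec):
    """Split a --scanflags argument such as 'SYNURG' or 'FINACK' into flag names."""
    spec, found, i = spec.upper(), set(), 0
    while i < len(spec):
        for flag in TCP_FLAGS:
            if spec.startswith(flag, i):
                found.add(flag)
                i += len(flag)
                break
        else:
            raise ValueError(f"unknown TCP flag in {spec!r} at {spec[i:]!r}")
    return found

def classify(scan, reply):
    """Port state Nmap assigns when a probe of type `scan` receives `reply`.

    reply is a constructed label: "syn-ack", "rst", "udp-data",
    "icmp-port-unreach", "icmp-other-unreach" (admin prohibited etc.),
    or "none" (no answer after retransmission)."""
    if scan == "-sU":
        return {"udp-data": "open", "icmp-port-unreach": "closed",
                "icmp-other-unreach": "filtered", "none": "open|filtered"}[reply]
    if reply in ("icmp-port-unreach", "icmp-other-unreach"):
        return "filtered"            # a filtering device answered, the host did not
    if scan == "-sA":                # only asks whether a RST came back at all
        return "unfiltered" if reply == "rst" else "filtered"
    if scan in ("-sS", "-sT"):
        return {"syn-ack": "open", "rst": "closed", "none": "filtered"}[reply]
    if scan in ("-sN", "-sF", "-sX"):
        # RFC 793: a closed port answers an unexpected segment with RST, an open
        # port silently drops it, so silence cannot separate open from filtered.
        # Some stacks send RST regardless of state, which is why "not all systems respond".
        return {"rst": "closed", "none": "open|filtered"}[reply]
    raise ValueError(f"unknown scan type {scan!r}")
```

From the defender's side, the same table explains why NULL, FIN and Xmas probes are easy to flag in IDS rules: no legitimate connection setup ever sends those flag combinations.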
IP Protocol Scan
nmap -sO [target] | nmap -sO 10.10.1.1
The IP protocol scan displays the IP protocols that are supported on the target system.
Send Raw Ethernet Packets
nmap --send-eth [target] | nmap --send-eth 10.10.1.51
Enabling this option instructs Nmap to bypass the IP layer on your system and send raw Ethernet frames on the data link layer. This can be used to overcome problems with your system's IP stack.
Send IP Packets
nmap --send-ip [target] | nmap --send-ip 10.10.1.1
The --send-ip option instructs Nmap to use IP packets while scanning. Enabling this option forces Nmap to scan using the local system's IP stack instead of generating raw Ethernet frames.
Advanced scanning techniques for Nmap. I have referred heavily to the Nmap book for the explanations because they are the simplest.