Port Scanning

Prerequisites ==> Learn all the common flags in nmap :)

nmap -sn <IP> -vv     // Host Discovery

nmap -p 53 <IP>-254 -oN nmap.log     // DNS server discovery

nmap --top-ports 10 <IP>        // Checks the top 10 open ports, add | grep to get a filtered result.

nmap -p- --min-rate 10000 -T4 <IP>    // Mainly used in Port Knocking concept, reveals all hidden ports by sending packets in a min rate.

nmap -p <PORTS> -A -sCV -T4 <IP> -oN nmap.log    // The final script scan to get all necessary information inorder to enumerate.

Fragment Scan ==> IP fragmentation in networking is a method to present large data grams into chunks. It is mainly used to bypass or create difficulty to some IDS to detect what is happening.

nmap -sS <IP> -Pn --disable-arp-ping -n -p <PORTS>

If we observe this in Wireshark, we can notice a simple SYN packet was sent and in return we obtained SYN-ACK packets.

nmap -f <IP> -n -p <PORTS> -Pn --disable-arp-ping --data-length 48 -sS

If we watch this in Wireshark, Our SYN-TCP scan would be displayed in the end before that all our fragmented packets would be displayed (IPv4), Each packet is of 72 bytes and our nmap scan divides each packet data length into 8 bytes (Since we've used the -f flag), So applying basic mathematics we get to know only 9 packets would be shown (72 divided by 8) including the TCP packets.

Some reputed organization's IDS blocks all nmap scans, So it's very important to switch between the tools !

hping3 -S -f -p <PORTS> <IP> -c 1    // Even hping3 supports fragmentation scan.

Using Decoy scans to bypass Firewalls

nmap -D RND:10 <IP> -sS -p <PORTS> -Pn --disable-arp-ping -n    // Generates random number of decoys.

Scanning all 65535 ports

massscan -p1-65535,U:1-65535 --rate=1000 <IP> -e tun0 > ports

ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//'))

nmap -Pn -sV -sC -p$ports <IP>