Nmap

Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.

Scan Types

-sT: TCP
-sS: SYN
-sA: ACK
-sU: UDP
-sR: RPC
-sP: ICMP ping scan (legacy name for -sn)
-sn: Disable port scan, usually used for ping sweeps

I usually use these commands, but the downsides are that they are time consuming and generate a huge number of requests.

nmap -sS -sV -Pn -vv -p- -A -T4 -O <target>
nmap -sS -sC -sV -oA <NAME>.tcp <target> -v
nmap -sU -sS -sC -sV -oA <NAME>.udp <target> -v

Output

-oN <File>
-oX <XML File>
-oG <filespec>

Grep Reference
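The -oG (greppable) format is one line per host with tab-separated "Key: value" fields, and each port entry is port/state/proto/owner/service/rpcinfo/version/. The parser below is an added example, not Nmap's own code; the scan output it reads is a constructed sample for 192.0.2.0/29, and unexpected_open compares the open ports against a per-host allowlist so a defender can spot exposure drift between scans.

```python
from typing import Dict, List, Set

# Constructed sample of nmap greppable (-oG) output for 192.0.2.0/29; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -sV -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3306/open/tcp//mysql//MySQL 8.0.32/\tIgnored State: closed (999)
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

# Each port entry is port/state/proto/owner/service/rpcinfo/version/ (note the trailing slash).
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc_info", "version")

def parse_gnmap(text: str) -> List[Dict[str, str]]:
    """Return one record per port entry, tagged with its host address."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines
        # Fields are tab-separated "Key: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) != len(PORT_FIELDS) + 1:
                continue  # malformed entry
            rec = dict(zip(PORT_FIELDS, parts))
            rec["host"] = host
            records.append(rec)
    return records

def open_ports(text: str, proto: str = "tcp") -> Dict[str, List[int]]:
    """Map each host to its sorted open ports for one protocol."""
    result: Dict[str, List[int]] = {}
    for rec in parse_gnmap(text):
        if rec["state"] == "open" and rec["proto"] == proto:
            result.setdefault(rec["host"], []).append(int(rec["port"]))
    return {h: sorted(p) for h, p in result.items()}

def unexpected_open(text: str, allowlist: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open TCP ports not in the per-host allowlist: an exposure-drift check."""
    drift: Dict[str, List[int]] = {}
    for host, ports in open_ports(text).items():
        extra = [p for p in ports if p not in allowlist.get(host, set())]
        if extra:
            drift[host] = extra
    return drift
```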

-T Options

  • -T0: One port at a time.
  • -T1: 15 seconds RTT.
  • -T2: 0.4 seconds between each request. Compared with the default option, it uses less bandwidth and puts less pressure on the servers.
  • -T3: Default option; this includes parallel (threaded) scanning.
  • -T4: If the server can keep up, it increases the scanning speed accordingly.
  • -T5: Sacrifices accuracy in exchange for the maximum scanning speed.

Tips

  • --host-timeout: usually set to 18000
  • --scan-delay: usually set to 1000
  • -S: set the source address for obscurity
  • Output beautify (render the XML report as HTML):
    sudo apt install xsltproc
    xsltproc -o ip.htm beautiful.xsl ip.xml

nmapAutomator

./nmapAutomator <target> All

AutoRecon

autorecon <IP>/CIDR

Yujian

Yujian High Speed Port Scanner (Code: czne).

ATTENTION: default threading is too high.

Masscan

Features

  • The fastest scanner in the world. It is capable of scanning all the ports in 3 minutes.
  • Compared with Nmap, it is much faster. It uses asynchronous transmission and stateless scanning.
  • A complete TCP connection is not established. A RST packet is sent as soon as a SYN/ACK packet is received (except with the --banners option).
  • Nmap needs to record the state of each TCP/IP connection, and the number of TCP/IP connections the OS can handle at the same time is only up to about 1500.
  • It may be affected by interference from network devices, so that too many ports appear to be open.

masscan --ping 28.41.0.0/16 --rate 1000000 # Ping scan for probing
masscan -iL tmp_scanip_list.tmp -p1-65535 -Pn -v --randomize-hosts --banners -oX result.xml --rate 100000

Advanced Options

  • --adapter-ip: set the source IP address
  • --adapter-port: set the source port
  • --adapter-mac: set the source MAC address
  • --router-mac: set the gateway MAC address
  • --exclude: set IP blacklists to prevent from scanning
  • --excludefile: set IP blacklists from a file
  • --includefile, -iL: scan specific IPs from a file
  • --wait: set wait time after each packet sent, default 10 seconds.

Online Port Scanning