Pentest Nmap

The document outlines the significance of scanning in penetration testing, emphasizing its role in mapping attack surfaces, identifying misconfigurations, and prioritizing exploits. It details two main types of scanning: active scanning, which involves direct interaction with the target to gather detailed information, and passive scanning, which collects data without direct engagement, making it stealthier. Additionally, the document provides various Nmap commands and techniques for effective scanning and evasion strategies to avoid detection.

SCANNING

PENETRATION TESTING NOTES


#WH0AMI>
ABHISHEK KUMAR SINGH
C3RTIFI3D 3THICAL H4CK3R
NEW DELHI - INDIA
[email protected]
https://in.linkedin.com/in/abhishek-kumar-singh-142129241

Importance of Scanning in Penetration Testing

Scanning is an essential phase in penetration testing because it allows testers to:

Map the Attack Surface:
By identifying open ports, services, and versions, testers can understand the available attack
surface and the potential vulnerabilities that can be exploited.

Identify Misconfigurations:
Improper configurations, such as unnecessary open ports or outdated services, are identified
during scanning; each one is a candidate vulnerability that may be exploitable.

Prioritize Exploits:
Scanning shows which candidate vulnerabilities are present on the target system, allowing testers to
prioritize which ones to pursue based on risk or ease of exploitation.

Prepare for Exploitation:
Successful scanning provides the information needed to move to the exploitation phase, where
weaknesses discovered during scanning are actively targeted.
1/121
SCANNING TYPES
In the context of penetration testing, active scanning and passive scanning are two different
approaches used to gather information about a target system, network, or application. Each method
has its strengths and weaknesses, and they are often used together during the reconnaissance
phase of a penetration test.

1. Active Scanning
Active scanning involves directly interacting with the target system by sending probes or requests to
it. These interactions generate network traffic that can be detected by security mechanisms such as
firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS). The goal of active
scanning is to gather detailed information about the target, such as open ports, services, versions,
and other vulnerabilities.

Characteristics of Active Scanning:

Direct Interaction:
The tester actively communicates with the target system to gather information.
Can Be Detected:
Since it involves sending probes and requests to the target, active scanning generates
network traffic that can be monitored and detected.
Accurate Information:
Active scans tend to provide more accurate and comprehensive results because they directly query
the target system.
Examples of Active Scanning:
Port scanning, vulnerability scanning, OS fingerprinting, version detection.

Tools for Active Scanning:

Nmap: A popular tool for scanning open ports, detecting services, and performing OS fingerprinting.
Nessus: A vulnerability scanner that actively probes systems to detect known vulnerabilities.
OpenVAS: Another vulnerability scanner that actively scans systems for vulnerabilities.
Nikto: A web server scanner that actively checks for vulnerabilities in web applications.
Example of Active Scanning with Nmap:

nmap -p 1-65535 -sV -O <target_ip>

-p 1-65535: Scans all 65535 TCP ports on the target (equivalent to -p-).
-sV: Detects service versions by connecting to each open port and reading banners or sending probes.
-O: Performs OS detection (requires raw-packet privileges, i.e. root or an equivalent capability).
This scan sends tens of thousands of packets plus full TCP connections for the version probes, so it is
readily visible to the target's network monitoring systems.
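The output of a scan like the one above only becomes an attack surface once it is turned into a list of what to attack. The following is an added example, not code from the original notes or from Nmap: a small parser for Nmap's greppable output format (-oG), run over a constructed two-host result to build the per-host list of open services and to flag the ports -sV could not fingerprint. The sample scan text, hosts and addresses are made up for the example.

```python
"""Turn Nmap greppable output (-oG) into a per-host attack surface.

Added example for these notes, not Nmap code. Run the scan with -oG scan.gnmap
and feed the file's contents to parse_gnmap(); the SAMPLE below is a constructed
two-host result in that format (fields are tab-separated, port entries are
port/state/proto/owner/service/rpcinfo/version/).
"""
import re
from dataclasses import dataclass, field

# Constructed sample output in the shape -oG produces; not a real scan.
SAMPLE = (
    "# Nmap 7.94 scan initiated as: nmap -p 1-65535 -sV -O -oG scan.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.6/, 111/closed/tcp//rpcbind///"
    "\tIgnored State: filtered (65532)\tOS: Linux 3.10 - 4.11\tSeq Index: 258\tIP ID Seq: All zeros\n"
    "Host: 10.0.0.6 (printer.lab)\tStatus: Up\n"
    "Host: 10.0.0.6 (printer.lab)\tPorts: 9100/open/tcp//jetdirect///, 631/open/tcp//ipp//CUPS 2.2/"
    "\tIgnored State: closed (65533)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned in 552.10 seconds\n"
)

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str

@dataclass
class Host:
    ip: str
    hostname: str
    status: str = "unknown"
    os: str = ""
    ports: list = field(default_factory=list)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_gnmap(text):
    """Parse -oG text into {ip: Host}. Comment lines and unknown fields are ignored."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, Host(ip=ip, hostname=name))
        for fld in line.split("\t")[1:]:
            key, _, value = fld.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "OS":
                host.os = value
            elif key == "Ports":
                for entry in value.split(", "):
                    p = entry.split("/")
                    # p = [port, state, proto, owner, service, rpcinfo, version, '']
                    host.ports.append(Port(int(p[0]), p[2], p[1], p[4], p[6]))
    return hosts

def open_services(hosts):
    """Attack surface: every open port, sorted by host then port."""
    rows = []
    for host in hosts.values():
        for port in host.ports:
            if port.state == "open":
                rows.append((host.ip, port.number, port.proto, port.service, port.version))
    return sorted(rows)

def unversioned(hosts):
    """Open ports -sV could not fingerprint; these need manual banner grabbing first."""
    return [(ip, port) for ip, port, _proto, _svc, ver in open_services(hosts) if not ver]

if __name__ == "__main__":
    found = parse_gnmap(SAMPLE)
    for row in open_services(found):
        print("%-10s %5d/%s %-10s %s" % row)
    print("no version info:", unversioned(found))
```

Greppable output is the easiest of Nmap's formats to post-process with one-line tools, but for anything beyond a quick triage the XML output (-oX) is more robust, because version strings in -oG have their slashes rewritten and long fields can be truncated.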

Advantages of Active Scanning:


Detailed Results:
Active scanning typically gives more granular information about the target system.
Identification of Vulnerabilities:
Active scanning can identify weaknesses in the target system, such as unpatched software or open
ports that are vulnerable to exploitation.

Disadvantages of Active Scanning:

Detectability:
Because it generates traffic, active scanning can be detected by the target, potentially triggering
alarms or blocking further scans.
Risk of Disruption:
Active scans can sometimes interfere with the normal operation of the target system, especially if
they involve aggressive probing or vulnerability exploitation.

2. Passive Scanning
Passive scanning involves gathering information about the target without directly interacting with it.
Instead of sending requests or probes to the target, passive scanning relies on listening to and
observing traffic that is already present on the network, or on data that third parties have already
collected. This could include monitoring DNS queries, capturing network traffic, or querying public
data sources. Passive scanning is stealthier than active scanning because the target itself receives
no traffic from the tester; note that third parties (a DNS resolver, a search engine such as Shodan)
do see the tester's queries.

Characteristics of Passive Scanning:

No Direct Interaction:
Passive scanning does not involve actively sending requests to the target. It simply monitors
available network traffic or uses publicly accessible data.
Not Detectable by the Target:
Since no probe reaches the target, the target's IDS, firewall logs and application logs record
nothing; only the third-party services used (DNS resolvers, Shodan, certificate transparency logs)
see the activity.
Limited Information:
The information gathered via passive scanning is often less detailed than that obtained through
active scanning. It may only provide high-level details like the presence of a specific service or
subdomains, and it can be stale.

Examples of Passive Scanning:

DNS information gathering, traffic analysis, and observing network broadcasts.

Tools for Passive Scanning:

Wireshark: A network packet analyzer that captures and inspects traffic on a segment you already
have access to, without sending anything to the target.
Shodan: A search engine for internet-connected devices. Shodan itself scans the internet
continuously and indexes the banners it collects; querying that index reveals a target's exposed
services without the tester touching the target.
p0f: A passive OS fingerprinting tool that identifies the operating system of a host from the
TCP/IP characteristics of traffic it generates, without direct probing.
dnsrecon: A tool for gathering DNS information, including subdomains, by querying DNS servers and
public sources rather than the target host itself.
Example of Passive Scanning with Wireshark:
Using Wireshark, you can capture packets on the network to identify active systems, services, and
potential vulnerabilities without directly interacting with the target.

Start capturing packets on the network.
Look for specific protocols, such as HTTP, DNS, or SMB, to identify services running on devices.
Analyze the traffic for sensitive information, such as usernames, IP addresses, or application details.
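As an added example of the passive approach (not from the original notes, and not Wireshark's or p0f's code), here is a small service inventory built from a constructed trace of what a sniffer might see on a segment. Nothing is sent: listening services are inferred from SYN/ACKs and from UDP replies that match an earlier request, and a RST/ACK records a closed port. The addresses, ports and packets in the trace are made up for the example.

```python
"""Passive service inventory from observed traffic (added example, not from the notes).

Each line of the constructed TRACE is one observed packet in a compact
"src:sport > dst:dport proto [tcp-flags]" form; a real run would read the same
fields from a pcap (e.g. via tshark -T fields). Nothing is transmitted.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed trace of a few flows on 10.0.0.0/24; not real traffic.
TRACE = """
10.0.0.23:51234 > 10.0.0.5:22 tcp S
10.0.0.5:22 > 10.0.0.23:51234 tcp SA
10.0.0.23:51234 > 10.0.0.5:22 tcp A
10.0.0.23:51235 > 10.0.0.5:80 tcp S
10.0.0.5:80 > 10.0.0.23:51235 tcp SA
10.0.0.23:51236 > 10.0.0.5:445 tcp S
10.0.0.5:445 > 10.0.0.23:51236 tcp RA
10.0.0.23:40000 > 10.0.0.1:53 udp
10.0.0.1:53 > 10.0.0.23:40000 udp
10.0.0.9 > 10.0.0.255 arp
10.0.0.42:61000 > 10.0.0.5:443 tcp S
"""

@dataclass(frozen=True)
class Packet:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    flags: str

def _endpoint(text):
    """'10.0.0.5:22' -> ('10.0.0.5', 22); '10.0.0.9' -> ('10.0.0.9', None)."""
    if ":" in text:
        ip, port = text.rsplit(":", 1)
        return ip, int(port)
    return text, None

def parse_trace(text):
    packets = []
    for line in text.strip().splitlines():
        src, arrow, dst, proto, *rest = line.split()
        if arrow != ">":
            raise ValueError("bad line: " + line)
        sip, sport = _endpoint(src)
        dip, dport = _endpoint(dst)
        packets.append(Packet(sip, sport, dip, dport, proto, rest[0] if rest else ""))
    return packets

def inventory(packets):
    """Return (hosts_seen, listening, closed) without sending a single packet.

    listening: {ip: {(proto, port), ...}} for ports that answered a request;
    closed:    {(ip, proto, port)} for TCP ports that answered a SYN with RST.
    Ports nobody contacted during the capture simply do not appear: that is the
    limit of passive collection.
    """
    hosts = set()
    listening = defaultdict(set)
    closed = set()
    udp_requests = set()          # (client, cport, server, sport) seen going out
    for p in packets:
        hosts.add(p.src)
        if p.proto == "tcp":
            if "S" in p.flags and "A" in p.flags:       # SYN/ACK: server accepted
                listening[p.src].add(("tcp", p.sport))
            elif "R" in p.flags and "A" in p.flags:     # RST/ACK to a SYN: closed
                closed.add((p.src, "tcp", p.sport))
        elif p.proto == "udp":
            key = (p.dst, p.dport, p.src, p.sport)
            if key in udp_requests:                     # reply matching an earlier request
                listening[p.src].add(("udp", p.sport))
            udp_requests.add((p.src, p.sport, p.dst, p.dport))
    return hosts, dict(listening), closed

if __name__ == "__main__":
    hosts, listening, closed = inventory(parse_trace(TRACE))
    print("hosts seen:", sorted(hosts))
    for ip in sorted(listening):
        print(ip, sorted(listening[ip]))
    print("closed:", sorted(closed))
```

Note what the capture cannot tell you: 10.0.0.5:443 was asked for but never answered while the sniffer was running, so it is neither listed as open nor as closed. That gap is exactly what an active probe would close.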
Advantages of Passive Scanning:
Stealth: Passive scanning is not detectable by the target because it sends the target no
traffic.
No Risk of Disruption: Since no active probes are sent, passive scanning is less likely to interfere with
the normal operations of the target system.
Good for Initial Reconnaissance: Passive scanning can provide valuable information without raising
suspicion, which is useful in the early stages of a penetration test.
Disadvantages of Passive Scanning:

Limited Scope:
Passive scanning provides less detailed information because it relies on external observations rather
than directly probing the target.
Requires Access to Network Traffic:
Passive scanning often requires access to the target's network traffic or external data sources, such
as public-facing websites or DNS records, which may limit its effectiveness in some scenarios.
May Not Detect All Vulnerabilities:
Passive scanning cannot confirm things that only a probe reveals (e.g., which ports are open right
now, or a misconfiguration that is only visible through active probing).

Active Scanning is typically used when you need detailed, specific information about the target,
such as identifying open ports, services, or vulnerabilities. It is useful when the target is not
highly monitored or when stealth is not a primary concern. Active scanning is an essential phase in
many penetration tests when you need to actively probe for weaknesses that can be exploited.

Passive Scanning is useful when stealth is required, or when the goal is to gather general
information without alerting the target. It is ideal for reconnaissance and identifying high-level
information such as open services, subdomains, or exposed infrastructure. Passive scanning can be
performed while minimizing the risk of detection, making it valuable in early-stage testing or
situations where you need to avoid drawing attention.

IN THIS SECTION WE WILL LEARN ACTIVE SCANNING...

TARGET SPECIFICATION
1. SCAN SINGLE IP:
nmap <ip>

2. SCAN SPECIFIC IPs:
nmap <ip> <ip>

3. SCAN A NETWORK RANGE:
nmap 192.168.10.20-30

4. SCAN A DOMAIN:
nmap <domain>
nmap scanme.nmap.org

5. SCAN USING CIDR NOTATION:
nmap <ip>/CIDR
nmap 192.168.10.0/24
6. SCAN TARGETS FROM A FILE:
nmap -iL <filename>
nmap -iL scan.txt
7. SCAN RANDOM HOSTS:
nmap -iR <n>
nmap -iR 100

THIS WILL SCAN 100 RANDOMLY CHOSEN INTERNET HOSTS (nmap -iR 0 never stops). Random targets are
outside any engagement scope, so this is only for research against hosts you are allowed to touch.

8. EXCLUDE LISTED HOSTS:
nmap --exclude <ip>[,<ip>...] <ip>/24
nmap --exclude 192.168.1.55 192.168.1.0/24
The --exclude option allows you to skip certain hosts or ranges in a scan.
You can exclude multiple IPs, ranges or CIDR blocks by separating them with
commas; --excludefile <file> reads the same list from a file, one entry per
line. Put your own attack box, jump hosts and out-of-scope addresses here.
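To see exactly which addresses items 1 to 8 resolve to before any packet leaves the box, here is an added example (not from the original notes and not Nmap's own code) that expands Nmap-style target specifications offline: single addresses, CIDR blocks, per-octet ranges and lists, -iL style files, and --exclude. The addresses in the demonstration are assumed values.

```python
"""Expand Nmap target specifications the way the TARGET SPECIFICATION items above describe.

Added example for these notes, not Nmap's own code. Handles single IPv4
addresses, CIDR (192.168.10.0/24), per-octet ranges and lists
(192.168.10.20-30, 10.0.0-1.1,5, 192.168.1.*), target files (-iL) and
--exclude / --excludefile. Host names are deliberately rejected: resolving
them would send DNS traffic, which an offline expansion should not do.
"""
import ipaddress
from itertools import product

def _octet_values(spec):
    """'20-30' -> 20..30, '1,5' -> {1, 5}, '*' -> 0..255."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(part))
    if not values or any(v < 0 or v > 255 for v in values):
        raise ValueError("octet out of range: " + spec)
    return sorted(values)

def expand_target(spec):
    """Return the set of IPv4 address strings one target spec names."""
    if "/" in spec:
        # Nmap scans every address in the block, network and broadcast included.
        net = ipaddress.IPv4Network(spec, strict=False)
        return {str(a) for a in net}
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 target (host names are not expanded here): " + spec)
    return {".".join(map(str, combo)) for combo in product(*map(_octet_values, octets))}

def expand_targets(specs, exclude=()):
    """Union of all specs minus the union of all exclude specs (what --exclude does)."""
    wanted = set().union(*(expand_target(s) for s in specs))
    unwanted = set().union(*(expand_target(s) for s in exclude)) if exclude else set()
    return wanted - unwanted

def read_target_file(text):
    """Parse -iL / --excludefile content: whitespace-separated specs, '#' comments."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        specs.extend(line.split())
    return specs

if __name__ == "__main__":
    # Constructed example: a /24 minus the tester's own box and a management pair.
    scope = expand_targets(["192.168.1.0/24"], exclude=["192.168.1.55", "192.168.1.250-251"])
    print(len(scope), "addresses in scope")
    print(sorted(expand_target("192.168.10.20-22")))
```

Nmap's own dry run for the same purpose is nmap -sL, which prints the expanded list (with reverse DNS unless -n is given) without sending probes to the targets.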

9. PORT SCAN FOR PORT <X>:
nmap <ip> -p <port number>

10. SCAN PORT RANGE:
nmap <ip> -p 21-60

DON'T BE CONFUSED BY "msf" IN THE OUTPUT: I have added my target
machine's IP to /etc/hosts under that host name.

11. PORT SCAN USING MULTIPLE TCP/UDP PORTS:
nmap -p U:53,T:21-25,80 <ip>
A T: or U: prefix applies to every port that follows it until the next prefix, so 80 above is TCP.
The UDP part is only scanned if a UDP scan type (-sU) is also requested, e.g.
nmap -sS -sU -p U:53,T:21-25,80 <ip>.

12. SCAN ALL PORTS:
nmap <ip> -p-
(-p- means 1-65535; port 0 is scanned only if you ask for it explicitly, e.g. -p 0-65535.)

13. PORT SCAN FROM A SERVICE NAME:
nmap <ip> -p http,https
Names are looked up in the nmap-services file; wildcards such as -p "http*" match several entries.
14. FAST PORT SCAN (TOP 100 PORTS):
nmap <ip> -F

15. PORT SCAN THE TOP X PORTS:
nmap <ip> --top-ports 2000

16. LEAVING OFF THE INITIAL PORT IN A RANGE MAKES
THE SCAN START AT PORT 1:
nmap <ip> -p-65535
Note the lack of a space: -p-65535 is "ports 1 to 65535", whereas "-p- 65535" is -p- (all ports)
followed by a second target named 65535, which Nmap will try to resolve as a host name. Likewise
-p1024- means 1024 to 65535.
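The port syntax of items 9 to 16 is small but easy to get wrong, as the space in "-p- 65535" shows. The following is an added example, not from the original notes and not Nmap's code: a parser for -p specifications (lists, ranges, open-ended ranges and the sticky T:/U:/S: prefixes) plus a deliberately crude argv splitter that shows why the spaced form turns 65535 into a second target. The command lines and addresses used are assumed example values.

```python
"""Parse Nmap -p port specifications and show the "-p- 65535" pitfall from item 16.

Added example for these notes, not Nmap's own code. Supports the syntax the
items above use: comma lists, a-b ranges, the open-ended forms "-", "-N" and
"N-", and the T:/U:/S: protocol prefixes, which stick until the next prefix.
Service names (item 13) need nmap-services and are rejected here.
"""

PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}

def _port_range(item):
    """One list element -> range of ports. '-' is 1-65535, '-N' is 1-N, 'N-' is N-65535."""
    if item == "-":
        return range(1, 65536)
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo = int(lo) if lo else 1
        hi = int(hi) if hi else 65535
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range: " + item)
    return range(lo, hi + 1)

def parse_ports(spec):
    """Return {'any': set, 'tcp': set, 'udp': set, 'sctp': set}.

    'any' holds ports given without a prefix; Nmap applies those to every
    protocol the scan type selects (e.g. both TCP and UDP for -sS -sU).
    """
    result = {"any": set(), "tcp": set(), "udp": set(), "sctp": set()}
    current = "any"
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":" and item[0] in PROTO_PREFIX:
            current = PROTO_PREFIX[item[0]]
            item = item[2:]
        if not item:
            raise ValueError("empty port item in: " + spec)
        if not all(ch.isdigit() or ch == "-" for ch in item):
            raise ValueError("service names need nmap-services; not handled: " + item)
        result[current].update(_port_range(item))
    return result

def ports_for(parsed, proto):
    """Ports that end up scanned for one protocol."""
    return parsed[proto] | parsed["any"]

def split_args(argv):
    """Crude view of how Nmap reads argv: ('-p', value) or '-pVALUE', the rest are targets.

    Enough to show why 'nmap 10.0.0.5 -p- 65535' scans a second 'host' called 65535.
    """
    spec, targets, skip = None, [], False
    for i, arg in enumerate(argv[1:], start=1):
        if skip:
            skip = False
            continue
        if arg == "-p":
            spec, skip = argv[i + 1], True
        elif arg.startswith("-p"):
            spec = arg[2:]
        elif arg.startswith("-"):
            continue                    # other options are ignored by this toy parser
        else:
            targets.append(arg)
    return spec, targets

if __name__ == "__main__":
    p = parse_ports("U:53,T:21-25,80")
    print("tcp:", sorted(ports_for(p, "tcp")), "udp:", sorted(ports_for(p, "udp")))
    print(split_args(["nmap", "10.0.0.5", "-p-", "65535"]))   # targets: 10.0.0.5 and 65535
    print(split_args(["nmap", "10.0.0.5", "-p-65535"]))       # one target, ports 1-65535
```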

17. NMAP HELP SECTION:


nmap -h
nmap --help

TIMING TECHNIQUES
Nmap's -T templates (0-5) set a bundle of timing values at once (scan delay, RTT timeouts, retries,
parallelism). The slow ones exist for IDS evasion; the fast ones trade stealth for speed. Any
individual timing option given on the command line overrides the value from the template.

1. PARANOID IDS EVASION:
Attackers can adjust the timing of their packets (delaying or spreading out the scan over
time) to avoid triggering the IDS. By sending low-volume or spaced-out probes, they may
avoid detection in a system that looks for high-volume, burst-like activity. -T0 serialises the
scan and waits 5 minutes between probes, so a 1000-port scan of one host takes over three days.
nmap -T0 <ip>

2. SNEAKY IDS EVASION:
The goal is to execute the scan in such a way that it doesn't raise suspicion, appears normal, or
blends with legitimate traffic patterns over time. -T1 is also serial, with 15 seconds between
probes.
nmap -T1 <ip>

3. POLITE IDS EVASION:
It slows down the scan to avoid overwhelming the target or triggering alarms. -T2 waits 0.4
seconds between probes, which is slow enough to stay under many rate-based port-scan
thresholds but still roughly ten times slower than a default scan.
nmap -T2 <ip>

4. NORMAL (DEFAULT):
-T3 is what Nmap uses when no template is given: probes are sent in parallel with adaptive
timeouts. It is not an evasion setting; it is the baseline the other templates are measured against.
nmap -T3 <ip>

5. AGGRESSIVE OR SPEED SCAN:
nmap -T4 <ip>

How -T4 Works:

Aggressive Timing Template (-T4):
Nmap assumes a fast, reliable network: it caps the RTT timeout at 1.25 seconds, caps the
dynamic scan delay at 10 ms and limits retries to 6, so it spends less time waiting on
silent ports and finishes much sooner.
The scan is aggressive enough that it has a higher chance of detection, especially in well-
secured networks, and it can miss ports on slow or lossy links.
A higher volume of packets in a short amount of time can be flagged by IDS/IPS systems as
suspicious.

6. INSANE SPEED SCAN:
The -T5 option sets the timing template to "Insane", the fastest and most aggressive template
available (max RTT timeout 300 ms, at most 2 retries, 15-minute host timeout, TCP scan delay
capped at 5 ms). It prioritizes speed above all else, but it significantly increases the
likelihood of detection by IDS/IPS, puts more load on the target and, on anything but a fast LAN,
sacrifices accuracy: probes time out before slow hosts answer and ports get reported wrongly.
nmap -T5 <ip>
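What the slow templates actually buy you depends on the detector. The following is an added example, not from the original notes and not any IDS's real code: a window-based port-scan detector of the kind the text describes ("N distinct ports from one source to one host within W seconds", the logic behind classic sfPortscan-style rules), run against constructed probe timelines that use the template spacings quoted above. The thresholds, window and addresses are assumptions chosen for the example.

```python
"""Why -T0/-T1 evade a window-based port-scan detector and -T2/-T4 do not.

Added example for these notes; a toy detector, not any IDS's code. Events are
(time_seconds, src_ip, dst_ip, dst_port). The rule is the classic one:
alert when one source touches at least THRESHOLD distinct ports on one host
within WINDOW seconds. The probe timelines are constructed from the template
spacings quoted above (-T0: 300 s, -T1: 15 s, -T2: 0.4 s, -T4: a few ms).
"""
from collections import defaultdict, deque

def simulate_scan(src, dst, ports, interval, start=0.0):
    """Probe timeline for a serial scan: one probe every `interval` seconds."""
    return [(start + i * interval, src, dst, port) for i, port in enumerate(ports)]

def detect_portscan(events, window=60.0, threshold=20):
    """Return one alert per (src, dst) pair the moment the rule first fires.

    Each alert is (src, dst, first_probe_time, alert_time, distinct_ports).
    """
    recent = defaultdict(deque)          # (src, dst) -> deque of (t, port) inside the window
    alerts, fired = [], set()
    for t, src, dst, port in sorted(events):
        key = (src, dst)
        q = recent[key]
        q.append((t, port))
        while t - q[0][0] > window:      # expire probes that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((src, dst, q[0][0], t, len(distinct)))
    return alerts

def template_verdicts(ports=range(1, 101), window=60.0, threshold=20):
    """Run each template's spacing through the detector; True means 'alerted'."""
    spacing = {"T0": 300.0, "T1": 15.0, "T2": 0.4, "T4": 0.005}
    verdicts = {}
    for name, interval in spacing.items():
        events = simulate_scan("10.0.0.23", "10.0.0.5", ports, interval)
        verdicts[name] = bool(detect_portscan(events, window, threshold))
    return verdicts

if __name__ == "__main__":
    print("60 s window, 20 ports:", template_verdicts())
    # The same -T0 scan is caught by a detector that remembers a day instead of a minute.
    slow = simulate_scan("10.0.0.23", "10.0.0.5", range(1, 101), 300.0)
    print("T0 vs 24 h window:", detect_portscan(slow, window=24 * 3600.0))
```

The last two lines make the caveat concrete: -T0 evades a detector whose memory is a minute, not one that correlates over a day, and a detector that counts distinct ports is not fooled by a single busy port. Slow timing lowers the chance of a rate-based alert; it does not make the probes invisible to anyone keeping longer-term per-source state.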

7. GIVE UP ON TARGET AFTER THIS LONG:
In Nmap, the --host-timeout <time> option limits how long Nmap will spend on one target host in
total. If the host has not been finished within that time, Nmap gives up on it, prints a
"Skipping host ... due to host timeout" notice, and moves on to the next one. This is useful for
keeping a large scan from being held hostage by a few slow, heavily filtered or rate-limited hosts;
the price is that a host which times out yields no usable results, so check the output for those
notices.
nmap --host-timeout <time> <ip>
nmap --host-timeout 30s <target-ip>
EXAMPLE INPUT: 1s, 4m, 2h

8. SPECIFY PROBE ROUND TRIP TIME:
nmap --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> <ip>
nmap --min-rtt-timeout 100ms --max-rtt-timeout 1s --initial-rtt-timeout 200ms <target-ip>
EXAMPLE INPUT: 100ms, 1s, 4m, 2h

Here's a breakdown of each option. Nmap keeps a per-host estimate of how long to wait for a reply
before declaring a probe lost (the RTT timeout), updated from the round-trip times it observes;
these three options bound that estimate.

1. --min-rtt-timeout <time>
Description: Sets the floor for the dynamic RTT timeout. Even if the measured round-trip time to
the target is very short, Nmap will wait at least this long before treating a probe as lost.
Usage: Useful on links where latency is bursty, so that a few fast replies do not make Nmap
impatient and start counting slow answers as dropped.
Example: --min-rtt-timeout 100ms means Nmap waits at least 100 milliseconds for each response.
2. --max-rtt-timeout <time>
Description: Sets the ceiling for the dynamic RTT timeout. Nmap never waits longer than this for
one probe, however bad the measured latency gets.
Usage: Limits how long a filtered port (which never answers) can hold the scan up; lowering it is
the single biggest speed-up on well-firewalled targets, at the cost of false negatives on slow hosts.
Example: --max-rtt-timeout 1s means Nmap waits no longer than 1 second for a response from
the target.
3. --initial-rtt-timeout <time>
Description: Sets the starting value of the RTT timeout before any reply has been measured. Nmap
then adjusts it dynamically based on the replies it sees as the scan progresses.
Usage: Useful for fine-tuning how aggressive the scan will be at the beginning, particularly if you
know the network is unusually slow or fast.
Example: --initial-rtt-timeout 200ms sets the starting timeout to 200 milliseconds.

9. PARALLEL HOST SCAN GROUP SIZE:
nmap --min-hostgroup/--max-hostgroup <size> <ip>
nmap --min-hostgroup 10 --max-hostgroup 50 <target-ip-range>
EXAMPLE INPUT: 50; 1024

Here’s what each option does:

--min-hostgroup <size>: This option sets the minimum number of hosts to scan in
parallel. If the scan involves multiple hosts, Nmap will attempt to scan at least this
many hosts simultaneously. If the number of hosts to be scanned is smaller than the
specified value, Nmap will use that number of hosts for the scan.

--max-hostgroup <size>: This option sets the maximum number of hosts to scan
in parallel. If you're scanning a large number of hosts, this option controls how many
hosts Nmap will scan at once. A higher number can speed up the scan but may also
increase network load or detection risk.
10. PROBE PARALLELIZATION:
nmap --min-parallelism/--max-parallelism <numprobes> <ip>
nmap --min-parallelism 10 --max-parallelism 50 <target-ip>
EXAMPLE INPUT: 10; 1

Here’s what each option does:

--min-parallelism <num>: This option sets the minimum number of outstanding probes Nmap keeps
in flight against a host group. The default congestion control is usually sufficient, but raising
this can speed up the scan of large networks where Nmap is being too cautious.

--max-parallelism <num>: This option sets the maximum number of outstanding probes. A high
value speeds up the scan but may increase network load or get probes dropped by firewalls;
--max-parallelism 1 forces Nmap to send one probe at a time, which is the quietest setting.

11. ADJUST DELAY BETWEEN PROBES:
In Nmap, the --scan-delay and --max-scan-delay options control the amount of time Nmap waits
between sending probes to the target. These settings are helpful for controlling scan speed, evading
detection, and avoiding overwhelming the target network. Let's look at each of these options:

1. --scan-delay <time>
Description: This option enforces a delay between consecutive probes to the same host. It is useful for
slowing down your scan to make it less likely to trigger Intrusion Detection Systems (IDS) or firewalls
that might flag rapid scanning, and for staying under ICMP/RST rate limits on hosts that enforce them.
Usage: You can specify a fixed delay between every probe sent, helping reduce the overall speed of
the scan. This can be useful for stealthier scans, especially on sensitive or well-secured networks.
Example: --scan-delay 1s would set a 1-second delay between probes sent to the same host.
2. --max-scan-delay <time>
Description: Nmap raises the delay between probes on its own when it detects that the target is
rate-limiting responses (many hosts rate-limit ICMP errors and RSTs). This option caps that
dynamic delay so the scan cannot slow to a crawl.
Usage: Control how long Nmap may wait between probes to a host while it is adapting to rate limits.
Example: --max-scan-delay 2s would ensure that Nmap never waits more than 2 seconds between
probes during the scan.

nmap --scan-delay/--max-scan-delay <time> <ip>
nmap --scan-delay 500ms --max-scan-delay 2s <target-ip>
Here --scan-delay 500ms makes Nmap wait 500 milliseconds between probes to the same host, slowing
the scan to reduce the risk of detection or of overwhelming the target, and --max-scan-delay 2s caps
any further delay Nmap adds dynamically at 2 seconds.
EXAMPLE INPUT: 10ms, 2s, 4m, 5h

12. SPECIFY THE MAXIMUM NUMBER OF PORT SCAN PROBE RETRANSMISSIONS:
In Nmap, the --max-retries <tries> option controls the maximum number of times Nmap will
retransmit a probe that received no response. This option is useful for fine-tuning the scan when
network conditions are poor or when the target host is slow to respond.

--max-retries <tries>: If a probe gets no reply, Nmap resends it up to <tries> more times before
giving up on that port and reporting it as filtered (or open|filtered for UDP). The default is 10;
-T4 lowers it to 6 and -T5 to 2. --max-retries 0 sends each probe exactly once, which is the
fastest setting and the most likely to miss ports on lossy links.

nmap --max-retries <tries> <ip>
nmap --max-retries 3 <ip>

13. SEND PACKETS NO SLOWER THAN <NUMBER> PER SECOND:
In Nmap, the --min-rate <number> option forces a minimum rate at which packets (probes) are
sent during a scan, measured across the whole scan rather than per host. Nmap's congestion
control normally slows down when it sees packets being lost; --min-rate overrides that, so it
is a fast way to scan a large range on a reliable network, but probes dropped because the link
cannot keep up are counted as no-response and come back as filtered ports.
nmap --min-rate <number> <ip>
nmap --min-rate 1000 <target-ip>
EXAMPLE INPUT: 100

14. SEND PACKETS NO FASTER THAN <NUMBER> PER SECOND:
In Nmap, the --max-rate <number> option caps the rate at which packets (probes) are sent
during a scan. This option is useful for limiting the scan speed, which can help reduce the
likelihood of detection, avoid overwhelming a fragile target network, or stay under a threshold
agreed with the client. Fractional values are allowed, e.g. --max-rate 0.5 for one packet every
two seconds.
nmap --max-rate <number> <ip>
nmap --max-rate 1000 <target-ip>
EXAMPLE INPUT: 100

HOST DISCOVERY
HOST DISCOVERY TECHNIQUES:
netdiscover          (listens for, or actively sends, ARP requests on the local segment)

arp-scan -l          (ARP-sweeps the local network of the chosen interface; -l is short for --localnet)

arp-scan <ip>/cidr   (ARP-sweeps a given range; ARP only works on the same Layer-2 segment, so run it from inside the LAN)

What Happens During a Ping Scan (-sn):
Nmap sends host discovery probes only and skips the port scan. Run as root against a target
outside the local subnet, the defaults are an ICMP echo request, a TCP SYN to port 443, a TCP
ACK to port 80 and an ICMP timestamp request; against a target on the local Ethernet segment,
Nmap uses ARP requests instead, because a host cannot hide from ARP. Unprivileged users get a
TCP connect() to ports 80 and 443 only.
It does not scan any ports on the target hosts; it simply checks their availability.

Ping Scan (-sn):
This is a simple host discovery technique that does not scan ports. It just attempts to
find out which hosts are up.
Example: nmap -sn 192.168.1.0/24

USED TO IDENTIFY ACTIVE HOSTS. THE PROBE TYPES AVAILABLE:

ARP PING
UDP PING
ICMP PING
TCP PING ------> SYN PING TCP && ACK PING TCP
IP PROTOCOL PING

1. ARP PING SCAN:
For local networks (LANs), Nmap sends an ARP request to discover hosts. This is the most
reliable method on a local segment: every IPv4 host must answer ARP to communicate at all, so
host-based firewalls that drop ICMP and TCP probes cannot hide the machine. Nmap does this
automatically for targets on the local Ethernet; --send-ip forces IP-level probes instead.
REQUEST: ARP REQUEST PROBE
RESPONSE: ARP REPLY -----> HOST IS ALIVE/ACTIVE
NO RESPONSE -------> HOST IS INACTIVE
nmap -sn -PR <ip>

ADVANTAGE: MORE EFFICIENT AND ACCURATE THAN OTHER HOST DISCOVERY TECHNIQUES ON THE LOCAL SEGMENT.
ARP DOES NOT CROSS ROUTERS, SO IT IS USELESS FOR REMOTE RANGES.

2. UDP PING SCAN:
Sends an empty UDP packet to a target port (default 40125, chosen because it is almost certainly
closed). The host is declared up in either of two cases: the port is open and something replies
with UDP, or the port is closed and the host sends back an ICMP port unreachable error. That
second case is the usual one and is the whole point of picking an unlikely port.
nmap -sn -PU <ip>
nmap -sn -PU53,161 <ip>

REQUEST: UDP PROBE
RESPONSE: UDP REPLY -----> HOST IS ALIVE/ACTIVE
ICMP PORT UNREACHABLE -----> HOST IS ALIVE/ACTIVE (PORT CLOSED, BUT THE HOST ANSWERED)
OTHER ICMP ERRORS (HOST/NETWORK UNREACHABLE, TTL EXCEEDED) OR NO RESPONSE -----> HOST IS DOWN OR UNREACHABLE

ADVANTAGE: DETECTS SYSTEMS BEHIND FIREWALLS WITH STRICT TCP FILTERING, PROVIDED THE FIREWALL LETS
THE ICMP ERROR OUT.

3. ICMP ECHO PING SCAN:
nmap -sn -PE <ip>

REQUEST: ICMP ECHO REQUEST
RESPONSE: ICMP ECHO REPLY -----> HOST IS ALIVE/ACTIVE
NO REPLY -----> HOST IS INACTIVE, OR A FIREWALL DROPS ICMP ECHO (VERY COMMON ON THE INTERNET AND ON
WINDOWS HOSTS WITH THE DEFAULT FIREWALL)

ADVANTAGE: USEFUL FOR LOCATING ACTIVE DEVICES ON NETWORKS THAT PERMIT PING.

4. ICMP ECHO PING SWEEP:
Sends an ICMP Echo Request (ping) to every address in a range to see which hosts are reachable.
This is the traditional "ping sweep": the same probe as item 3 applied to a range.

nmap -sn -PE <ip-range> -----> (-sn) is used for host discovery only; it disables the port scan

5. ICMP TIMESTAMP PING SCAN:
Sends an ICMP Timestamp Request to the target, which may return an ICMP Timestamp Reply if the
host is up. Some firewall rule sets block echo requests but forget timestamp requests.
nmap -sn -PP <ip>

6. ICMP ADDRESS MASK SCAN:
Sends an ICMP Netmask Request. If the host is up, it may respond with an ICMP Netmask Reply.
Few modern systems answer this, so it is mostly useful against old or embedded devices.
nmap -sn -PM <ip>

7. TCP SYN PING SCAN:
Sends a TCP SYN to a port (default 80). A SYN/ACK means the port is open; a RST means it is
closed. Either answer proves the host is up, so the port does not need to be open.
nmap -sn -PS <ip>
nmap -sn -PS22,80,443 <ip>

8. TCP ACK PING SCAN:
Sends a TCP ACK packet to a specified port (default 80). A host that is up answers an
unexpected ACK with a RST whether the port is open or closed; stateful firewalls drop the ACK
because it belongs to no connection, so this works mainly against stateless packet filters that
only block SYNs.
nmap -sn -PA <ip>

9. IP PROTOCOL PING SCAN:
Sends raw IP packets with the given protocol numbers; by default ICMP (1), IGMP (2) and IP-in-IP
(4). Any reply in that protocol, or an ICMP protocol unreachable error, marks the host as up. The
option is still present in current Nmap releases.
nmap -sn -PO <ip>
nmap -sn -PO1,6,17 <ip>

10. ICMP PING SWEEP SCAN:
The command nmap -sn -PI <ip> performs a ping scan (-sn) with ICMP Echo Request probes to
determine whether a host is alive on a network. -PI is the old spelling of this option from early
Nmap releases; current versions use -PE for the same thing, so prefer nmap -sn -PE <ip>.

-sn: This option tells Nmap to perform a ping scan. It will only discover whether the
target hosts are up (alive) without performing any port scanning. Essentially, Nmap will
skip the port scan phase and just check if the host is responding to certain types of
probes (such as pings).

-PI (now -PE): This option specifies the use of ICMP Echo Request (ping) as the method for
discovering live hosts. It sends an ICMP Echo Request to the target, and if the host
responds with an ICMP Echo Reply, Nmap will consider the host to be "up."

<ip>: This is the target IP address (or range) that you want to check.

nmap -sn -PE <ip>

11. NMAP BASIC SCAN:
nmap <ip>
(Host discovery with the default probes, then a SYN scan of the 1000 most common TCP ports if
run as root, or a connect() scan otherwise.)

12. HPING3 ACK PING SCAN:
hping3 -A -p 80 -c 3 <ip>
(-A sets the ACK flag, -p selects the destination port, -c limits the packet count; a RST back
means the host is up.)

13. ICMP PING SCAN:
PING ONLY SCAN ----->
nmap -sn <ip>
(-sP is the pre-5.x name for -sn; Nmap still accepts it as an alias, so "nmap -sn -sP <ip>" is
simply redundant.)

14. TCP SYN Ping (-PS):
Sends a TCP SYN packet to the target port. If the port is open, the target replies with a SYN/ACK;
if it is closed, it replies with a RST. Either reply indicates the host is up.
This is useful in bypassing ICMP filtering on the network.

nmap -PS80 192.168.1.1 (discovery probe to port 80, followed by the normal port scan)

nmap -sn -PS <IP>

15. TCP Window technique:
Nmap has no -PW host discovery option. The TCP window technique is a port scan type, -sW: it
sends ACK probes like -sA and inspects the TCP window size of the RST that comes back (a
non-zero window means "open" on a few older TCP stacks). For host discovery with ACK probes
use -PA.

nmap -sW 192.168.1.1

16. IPv6 Neighbor Discovery:
On IPv6 the role of ARP is played by the Neighbor Discovery Protocol (NDP): a Neighbor
Solicitation (ICMPv6 type 135) is sent to the solicited-node multicast address and a live host
answers with a Neighbor Advertisement. There is no -PE6 option; Nmap uses Neighbor Solicitation
automatically for on-link IPv6 targets when you add -6, and -PE/-PS/-PA work for remote IPv6
targets just as for IPv4.

IPv6 Neighbor Discovery Scan with nmap: use -6 to select IPv6 and -sn for a host discovery only scan.

nmap -6 -sn 2001:db8::1 2001:db8::2
Sweeping a whole /64 address by address is not practical (2^64 addresses), so on a local segment
enumerate neighbours instead, e.g. with the multicast-based NSE script:
nmap -6 --script targets-ipv6-multicast-echo --script-args 'newtargets,interface=eth0' -sn

Security Considerations with IPv6 ND:

Neighbor Spoofing:
Just like ARP poisoning in IPv4, attackers can exploit ND to perform man-in-the-middle (MITM) attacks
or Denial of Service (DoS) attacks by sending spoofed Neighbor Advertisements. This could mislead
devices to send traffic to an attacker rather than the intended destination.
ND Flooding:
An attacker could flood the network with Neighbor Solicitation and Neighbor Advertisement
messages to overload devices or disrupt communication.

Secure ND:
It's important to protect ND in IPv6 networks by using features like Secure Neighbor Discovery
(SEND), which uses cryptographic certificates to prevent spoofing and malicious activity.

Conclusion:
IPv6 Neighbor Discovery (ND) is a critical protocol for local network communication in IPv6. It
performs functions like neighbor identification, address autoconfiguration, and router discovery.
Tools like nmap can be used for ND-based discovery scans in IPv6 networks, making it easier to
identify active devices. However, like other network discovery protocols, ND can be vulnerable to
various types of attacks if not secured properly.

17. TCP SYN + ACK Ping (-PS and -PA):
A combination of TCP SYN and ACK pings may be used together to ensure more comprehensive
discovery by targeting multiple ports; a host only has to answer one of the probes to be marked up.

nmap -PS80,443 -PA443 192.168.1.1

18. USE FRAGMENTATION SCANNING AND EXAMINE THE RESPONSE:
The -f option tells Nmap to fragment the packets it sends. When fragmentation is enabled:

The transport header of each probe (TCP, UDP or ICMP) is split across several tiny IP fragments of
8 bytes each (-ff gives 16-byte fragments; --mtu <n> sets any multiple of 8). A packet filter that
inspects each fragment on its own never sees a complete TCP header, so port- or flag-based rules
may not match, and an IDS that does not reassemble fragments can miss the probe.

Note: -f only affects raw-packet probes (SYN/ACK/UDP scans, ping probes, OS detection). Service
detection (-sV) and NSE scripts, both included in -A, open ordinary kernel TCP connections that are
not fragmented, so that part of the scan below is as visible as ever. Many firewalls and all modern
IDS reassemble fragments before inspection, and some networks drop fragments outright, in which
case the scan silently reports everything as filtered. Some source systems also defragment
outgoing packets in the kernel (Linux with the iptables connection-tracking module is one), so run
a sniffer alongside the scan to confirm the fragments actually leave the box.

nmap -sS -A -f <ip>
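To make concrete what the ping probes in items 7, 8, 14 and 17 put on the wire, and what -f then does to them, here is an added example that is not from the original notes and not Nmap's code. It builds the four default -sn probes (ICMP echo, SYN to 443, ACK to 80, ICMP timestamp) as raw IPv4 packets with correct checksums, then splits the SYN probe into 8-byte fragments the way -f does and reassembles it as a target stack would. The addresses, source port and IP ID are assumed values; nothing is sent.

```python
"""Raw host-discovery probes and nmap -f style fragmentation (added example).

Not Nmap's code. Builds the packets by hand so their structure is visible;
sending them would need a raw socket and root, which this example does not do.
Source/destination addresses, ports and the IP ID are made-up example values.
"""
import socket
import struct

SYN, ACK = 0x02, 0x10

def checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src, dst, payload, proto=6, ident=0x4d50, ttl=64, more=0, offset=0):
    """20-byte IPv4 header (offset in bytes, must be a multiple of 8) + payload."""
    flags_off = (more << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def tcp_segment(src, dst, sport, dport, flags, seq=0, window=1024):
    """Header-only TCP segment; the checksum covers the IPv4 pseudo-header too."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]

def icmp_message(mtype, ident=0x4d50, seq=1, extra=b""):
    """ICMP type/code/checksum/id/seq plus type-specific data (timestamp needs 12 bytes)."""
    msg = struct.pack("!BBHHH", mtype, 0, 0, ident, seq) + extra
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def default_discovery_probes(src, dst):
    """What a privileged `nmap -sn` sends to a non-local IPv4 host by default."""
    return {
        "PE": ipv4_packet(src, dst, icmp_message(8), proto=1),                       # echo request
        "PS443": ipv4_packet(src, dst, tcp_segment(src, dst, 54321, 443, SYN)),
        "PA80": ipv4_packet(src, dst, tcp_segment(src, dst, 54321, 80, ACK)),
        "PP": ipv4_packet(src, dst, icmp_message(13, extra=b"\x00" * 12), proto=1),  # timestamp request
    }

def ip_fields(packet):
    """(proto, ident, more_fragments, fragment_offset_bytes) from the IPv4 header."""
    _, _, _, ident, flags_off, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return proto, ident, (flags_off >> 13) & 1, (flags_off & 0x1FFF) * 8

def tcp_fields(packet):
    """(dport, flags) of an unfragmented TCP packet."""
    _, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", packet[20:40])
    return dport, flags

def checksums_ok(packet):
    """Verify the IPv4 header checksum and, for whole TCP/ICMP packets, the transport checksum."""
    hdr, body = packet[:20], packet[20:]
    if checksum(hdr) != 0:
        return False
    proto, _, more, offset = ip_fields(packet)
    if more or offset:                     # a fragment carries only part of the transport header
        return True
    if proto == 6:
        return checksum(hdr[12:20] + struct.pack("!BBH", 0, 6, len(body)) + body) == 0
    if proto == 1:
        return checksum(body) == 0
    return True

def fragment(packet, piece=8):
    """Split like `nmap -f` (piece=8), `-ff` (16) or `--mtu N`: same IP ID, MF set on all but the last."""
    proto, ident, _, _ = ip_fields(packet)
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    body = packet[20:]
    return [ipv4_packet(src, dst, body[off:off + piece], proto, ident,
                        more=int(off + piece < len(body)), offset=off)
            for off in range(0, len(body), piece)]

def reassemble(fragments):
    """Rebuild the transport payload; raise if a piece is missing (a real stack would time out)."""
    pieces, end = {}, None
    for frag in fragments:
        _, _, more, offset = ip_fields(frag)
        pieces[offset] = frag[20:]
        if not more:
            end = offset + len(frag[20:])
    data = b"".join(pieces[off] for off in sorted(pieces))
    if end is None or len(data) != end:
        raise ValueError("incomplete fragment set")
    return data

if __name__ == "__main__":
    probes = default_discovery_probes("10.0.0.23", "10.0.0.5")
    frags = fragment(probes["PS443"])
    print(len(frags), "fragments; (MF, offset):", [ip_fields(f)[2:] for f in frags])
    assert reassemble(frags) == probes["PS443"][20:]
```

The first fragment of the SYN probe carries only the source and destination ports and the sequence number; the TCP flags byte lands in the second fragment. A filter that matches on "SYN to port 443" per fragment therefore never sees both conditions in one packet, which is the evasion -f relies on, and a reassembling inspector sees the probe exactly as before.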

19. NO SCAN, LIST TARGETS ONLY:
nmap -sL <ip>
(Expands the target specification and does reverse DNS on each address but sends no probes to the
targets, so it is the safe way to check that a range and its exclusions are what you intended.)

20. NEVER DO DNS RESOLUTION:
nmap -n -A <ip>

-n: This option tells Nmap to skip reverse DNS resolution. Normally Nmap resolves scanned IP
addresses to host names, but with -n it won't perform those lookups. This speeds up the scan and,
more importantly for opsec, keeps your resolver from sending PTR queries for every target address
to DNS servers that may belong to, or log on behalf of, the organisation being tested.

21. Force Reverse DNS Resolution


The -R option in Nmap is used for reverse DNS resolution. When you use -R with an IP address or
range, Nmap attempts to perform a reverse DNS lookup on the IP addresses it scans, meaning it tries
to resolve the hostname associated with the IP address.

nmap -R <IP>

What Happens When You Use -R?
Reverse DNS Lookup: For each IP address that Nmap scans, it will attempt to find the associated
domain name (if available) by performing a reverse DNS lookup.
Hostname Discovery: If a valid reverse DNS record exists for an IP, Nmap will display the
corresponding hostname alongside the IP address in its output.
Useful for Identification: This can help identify hosts by their domain names, especially if the target
IP belongs to an organization with associated reverse DNS records.

Key Points About -R Option:


Not Always Available: Reverse DNS lookups are only successful if the target IP has an associated PTR
(Pointer) record in DNS. If no reverse DNS entry is configured, Nmap will not return a hostname.
No Scan Type: The -R option only enables reverse DNS resolution, so you would still need to use
other scan options (like -p for port scanning) to gather more specific results.
Performance Considerations: Reverse DNS resolution can slightly slow down the scan, especially if
the DNS servers are slow or the number of IPs being scanned is large.

22. Force Nmap to use the system's DNS resolver
The --system-dns option forces Nmap to use the operating system's resolver rather than its own.
By default, Nmap does reverse lookups with a built-in parallel resolver that reads the name servers
from the system configuration (e.g. /etc/resolv.conf on Linux) but issues the queries itself.
There are cases where you want the full system resolver instead, for example when Nmap's resolver
misbehaves with your DNS setup or you need exactly what other programs on the box would get
(VPN split-DNS rules, nsswitch ordering); the cost is that system lookups are done one address at
a time and are much slower for large ranges.

nmap --system-dns <target>

What Happens When You Use --system-dns?


Use System DNS: When you specify --system-dns, Nmap will query the DNS servers configured on
the system for name resolution, instead of using its own DNS resolution mechanism.
Consistency with System Configuration: This can be useful if you want to ensure that the DNS
resolution behavior matches the settings and DNS servers that are used by other applications or
services on the system.
May Help with Custom DNS Resolvers: If you’re using a custom DNS setup (for example, using a local
DNS server, VPN DNS, or corporate DNS servers), using the system’s DNS resolver might help you
resolve hostnames correctly as per those configurations.

23. Specify custom DNS servers
The --dns-servers option tells Nmap which DNS servers to use for its own (reverse) name
resolution during the scan. By default, Nmap takes the servers listed in the system
configuration (e.g. /etc/resolv.conf on Linux or the interface DNS settings on Windows). With
--dns-servers you name them explicitly, which is also the only way to point Nmap's resolver
somewhere else without changing the system settings.

nmap --dns-servers <dns_server_1>,<dns_server_2>,... <target>

What Happens When You Use --dns-servers?

Custom DNS Resolution: Nmap sends its reverse lookups to the specified servers instead of the
system's configured ones. This is useful when you want to resolve through a specific server, such
as the client's internal DNS (which has PTR records the public internet lacks) or a public resolver.
Multiple DNS Servers: You can provide multiple servers separated by commas; Nmap's parallel
resolver spreads the queries across all of them.
Example:
If you want Nmap to use Google's public DNS servers (8.8.8.8 and 8.8.4.4), you would run:

nmap --dns-servers 8.8.8.8,8.8.4.4 example.com

Here Nmap sends its reverse lookups to Google's servers rather than the default servers configured
on your system. (--dns-servers governs Nmap's own lookups only; it is ignored when --system-dns is
in effect.)

When to Use --dns-servers:

Custom DNS Servers: If you need to resolve addresses through a specific DNS server (e.g., a
corporate DNS server, a specific resolver on a VPN network, or a public DNS service like Google DNS
or Cloudflare DNS).
Testing DNS Configuration: If you want to compare what different DNS servers return for the same
addresses.
Bypass Local DNS Configurations: If your local DNS configuration is unreliable, you can force Nmap
to use more reliable or trusted DNS servers for resolution.

Summary of Key Options:

-sn: Ping scan (only check if hosts are up).
-PE: ICMP Echo Request.
-PP: ICMP Timestamp Request.
-PM: ICMP Netmask Request.
-PS: TCP SYN Ping.
-PA: TCP ACK Ping.
-PU: UDP Ping.
-PO: IP Protocol Ping.
-PR: ARP Ping (local network only; IPv6 Neighbor Discovery is used automatically with -6 on-link).
-Pn: Disable host discovery (treat every address as live and port-scan all of them).
-sW: TCP Window scan (a port scan type, not a ping type).

==============================================================

HOST DISCOVERY USING HPING3

==============================================================

hping3 is a command-line tool that can be used to craft custom network packets, making it a
powerful alternative to Nmap for host discovery and other network tasks. It is especially useful for
testing firewalls and identifying live hosts by sending various types of packets (e.g., TCP, UDP,
ICMP) to a target.
Here are the key hping3 commands used for host discovery:
_____________________________________________________________________________________________
1. ICMP Echo Request (Ping)
This method sends an ICMP Echo Request to a target to check if it responds with an ICMP Echo Reply,
indicating that the host is alive (similar to a regular "ping").

hping3 -1 <target_ip>

-1: This option tells hping3 to use ICMP (i.e., send an ICMP Echo Request).
<target_ip>: The IP address of the host you want to check.

Example:
hping3 -1 192.168.1.1
This will send an ICMP Echo Request to 192.168.1.1 and display the response if the host is alive.

_____________________________________________________________________________________________

2. TCP SYN Ping (SYN Scan)

This sends a TCP SYN packet to a target port, and if the port is open, the host will reply with a
SYN-ACK packet, indicating the host is live. This method is useful if ICMP is blocked but TCP traffic is
allowed.

hping3 -S -p <port> <target_ip>

-S: This option sends a SYN packet (part of the TCP handshake).
-p <port>: Specify the target port to which the SYN packet will be sent.
<target_ip>: The IP address of the target.

Example:

hping3 -S -p 80 192.168.1.1

This will send a SYN packet to port 80 on 192.168.1.1. If the host is alive and the port is open, the host
will reply with a SYN-ACK packet.

==============================================================

3. TCP ACK Ping

This method sends a TCP ACK packet to a target. If the host is alive and a firewall is configured to
respond to unsolicited ACK packets, it may reply with an RST packet.

hping3 -A -p <port> <target_ip>

-A: This option sends a TCP ACK packet.
-p <port>: Specify the port to which the ACK packet will be sent.
<target_ip>: The IP address of the target.

Example:

hping3 -A -p 80 192.168.1.1

This will send a TCP ACK packet to port 80 of 192.168.1.1 and wait for an RST response, indicating
that the host is alive.

==============================================================

4. TCP FIN Scan (FIN Ping)

This method sends a TCP FIN packet to a target. Normally, closed ports will reply with an RST packet,
and open ports will ignore the packet. This technique can be useful for bypassing firewalls and other
security systems.

hping3 -F -p <port> <target_ip>

-F: This option sends a TCP FIN packet.
-p <port>: Specify the port to which the FIN packet will be sent.
<target_ip>: The IP address of the target.

Example:

hping3 -F -p 80 192.168.1.1

This sends a TCP FIN packet to port 80 on 192.168.1.1. If the host is alive, it may send an RST reply
for closed ports.

==============================================================

5. UDP Ping

This sends a UDP packet to a target port. If the port is open and the host responds with a UDP reply, it
indicates the host is alive.

hping3 -2 -p <port> <target_ip>

-2: This option specifies sending UDP packets.
-p <port>: The port on the target to send the UDP packet.
<target_ip>: The IP address of the target.

Example:

hping3 -2 -p 53 192.168.1.1

This sends a UDP packet to port 53 (DNS) on 192.168.1.1 and waits for a UDP reply to determine if the
host is alive.

==============================================================

6. RAW Packet Ping (ICMP Type 8, Code 0)

This method allows you to send custom raw ICMP Echo Request packets. This can be used to bypass
certain security systems that might block traditional ICMP Echo Requests.

hping3 --icmp --icmptype 8 --icmpcode 0 -p 0 <target_ip>

--icmp: Use ICMP protocol.
--icmptype 8: Set ICMP type to Echo Request (ping).
--icmpcode 0: Set ICMP code to 0, which is standard for Echo Request.
-p 0: Use port 0 for ICMP.
<target_ip>: The target host IP.

Example:

hping3 --icmp --icmptype 8 --icmpcode 0 -p 0 192.168.1.1

This sends an ICMP Echo Request to 192.168.1.1.

==============================================================

7. Flooding for Host Detection

This sends a flood of packets (can be SYN, ACK, or others) to see if the target responds, helping to
identify whether the host is alive under traffic load.

hping3 --flood -S -p <port> <target_ip>

--flood: This option sends packets as fast as possible, effectively flooding the target.
-S: Send a TCP SYN packet.
-p <port>: Specify the port to send packets to.
<target_ip>: The target IP.

Example:

hping3 --flood -S -p 80 192.168.1.1

This sends a flood of TCP SYN packets to port 80 of 192.168.1.1.

==============================================================

8. Traceroute-Like Host Discovery

You can also perform host discovery by tracing the path to a host using hping3. This can be useful for
network diagnostics.

hping3 --traceroute -p <port> <target_ip>

--traceroute: Perform a traceroute to the target.
-p <port>: Specify the port for the traceroute.
<target_ip>: The target IP.

Example:

hping3 --traceroute -p 80 192.168.1.1

This will perform a traceroute to 192.168.1.1 on port 80.

==============================================================

Summary of Common hping3 Commands for Host Discovery:

ICMP Ping: hping3 -1 <target_ip>
TCP SYN Ping: hping3 -S -p <port> <target_ip>
TCP ACK Ping: hping3 -A -p <port> <target_ip>
TCP FIN Ping: hping3 -F -p <port> <target_ip>
UDP Ping: hping3 -2 -p <port> <target_ip>
Raw ICMP Ping: hping3 --icmp --icmptype 8 --icmpcode 0 -p 0 <target_ip>
Flooding: hping3 --flood -S -p <port> <target_ip>
Traceroute: hping3 --traceroute -p <port> <target_ip>

hping3 is a flexible tool for host discovery, especially in environments
where traditional ICMP ping scans might be blocked or filtered.

PORT SCANNING

THE PORT SCANNING TECHNIQUES ARE CATEGORIZED ACCORDING TO THE TYPE OF THE
PROTOCOL USED FOR COMMUNICATION.

1. TCP SCANNING --→ OPEN TCP SCANNING METHOD, STEALTH TCP SCANNING METHOD,
THIRD PARTY AND SPOOFED TCP SCANNING METHOD
2. UDP SCANNING
3. SCTP SCANNING -----→ SCTP INIT SCANNING, SCTP COOKIE ECHO SCANNING
4. SSDP SCANNING
5. IPV6 SCANNING

OPEN TCP SCANNING METHOD:--------------------------------------→ TCP CONNECT/FULL OPEN SCAN
STEALTH TCP SCANNING METHOD: -------→------------------------→ HALF OPEN SCAN, INVERSE TCP FLAG SCAN, ACK FLAG PROBE SCAN
THIRD PARTY AND SPOOFED TCP SCANNING METHOD -------→ IDLE/IPID HEADER SCAN
INVERSE TCP FLAG SCAN --------------------------------------------→ XMAS SCAN, FIN SCAN, NULL SCAN, MAIMON SCAN
ACK FLAG PROBE SCAN ----------------------------------------------→ TTL BASED SCAN, WINDOW SCAN

PORT SCANNING TECHNIQUES:

1. UDP SCAN: --------→ nmap -sU -vv <ip>

The scan will attempt to send UDP packets to ports on the target machine, and the
results will show which UDP ports are open or closed.
Since UDP does not involve a connection handshake, Nmap may not always receive a
response (especially if the target is filtering traffic or the UDP service is not running).

UDP Scan Output Details:

Open Ports: If Nmap receives a response from the target (e.g., ICMP port unreachable,
or any other UDP response), it will report the port as "open" or "open|filtered".
Closed Ports: If a "destination unreachable" message is returned from the target, the
port is considered closed.
Filtered Ports: If no response is received, the port is marked as "filtered," meaning a
firewall or other security device may be blocking the traffic.

Scan specific UDP ports:-----→ nmap -sU -vv -p 53,161 192.168.1.1
This would scan only UDP ports 53 (DNS) and 161 (SNMP).

Scan a range of UDP ports: -----→ nmap -sU -vv -p 1-1000 192.168.1.1
This would scan UDP ports in the range 1–1000.

2. SCTP INIT SCAN:

nmap -sY -vv <ip>

SCTP INIT scan is a scanning technique used to detect open ports by initiating the
SCTP (Stream Control Transmission Protocol) association, which is somewhat
similar to how TCP SYN scans work, but for SCTP ports.
This scan sends an INIT chunk to the target. If the target port is open, it responds with
an INIT-ACK chunk. If the port is closed, it will respond with an ABORT chunk.
SCTP is not as widely used as TCP or UDP but can be found in some specific
environments like telecommunication networks, databases, and signaling protocols.
Root privileges may be required to send raw packets needed for the SCTP INIT scan.
You may need to run the command with sudo on Unix-like systems.
The scan may not be effective if the target doesn't use SCTP, as SCTP is less
common than TCP/UDP in many environments.

3. TCP CONNECT/FULL SCAN:

nmap -sT -vv <ip>

TCP Connect Scan is one of the most basic and reliable scanning techniques in Nmap.
Unlike other scanning methods like SYN scan, the TCP Connect scan completes the
full TCP handshake (SYN → SYN-ACK → ACK) with the target machine.
This scan works by trying to establish a complete connection to the target ports. If a
connection is successful (i.e., the port is open), the scan reports the port as open.
If the target port is closed, the operating system will respond with a RST (reset)
packet to indicate that the port is closed.
It is called a "Connect scan" because it uses the operating system's own networking
functions to establish the full connection, as opposed to other scans that manipulate
packets directly to avoid establishing full connections.

Root privileges are not required for a TCP Connect scan since the scan uses the
operating system's normal networking functions to establish connections.
Detection by firewalls and IDS: Since this scan completes the full TCP handshake, it
can be easily detected by firewalls or intrusion detection systems (IDS) as it
generates more noticeable traffic compared to stealthier scans like SYN scans (-sS).
This scan is often used when no other scanning methods are available, or when a
user does not have root/administrator privileges.

4. TCP STEALTH HALF OPEN SCAN:

nmap -sS -vv <ip>

TCP SYN Scan is one of the most commonly used scanning techniques because it is fast and stealthy
compared to other methods like the TCP Connect scan (-sT).
It works by sending a SYN packet (the initial packet in the TCP handshake) to the target ports.
Depending on the response, Nmap determines the state of the port:

Open port: If the port is open, the target will respond with a SYN-ACK packet, indicating
the port is open.
Closed port: If the port is closed, the target will respond with a RST (reset) packet.
Filtered port: If the port is protected by a firewall or if the response is not received, the
port is considered filtered.

Why "stealth"?:
Unlike the TCP Connect scan (-sT), which completes the full three-way handshake, a SYN scan only
sends the initial SYN packet and waits for a response. This minimizes the chance of detection
because the connection is never fully established.

Advantages:
Faster than the TCP Connect scan because it doesn't complete the handshake.
Less likely to be detected by intrusion detection systems (IDS) and firewalls since it doesn't complete
the connection.
Useful for evading detection in networks with strict monitoring.

Limitations:
Requires root/administrator privileges because raw packets are sent, which is not allowed for normal
user accounts.
Can still be detected by more advanced firewalls and intrusion detection systems that monitor for
incomplete or unusual traffic patterns.

When running nmap -sS -vv, the output might look like this:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-27 14:23 UTC
Initiating SYN Scan at 14:23
Scanning 192.168.1.100 [1000 ports]
Discovered open port 22/tcp on 192.168.1.100
Discovered open port 80/tcp on 192.168.1.100
Discovered open port 443/tcp on 192.168.1.100
Completed SYN scan at 14:23, 1000 ports scanned in 1.23 seconds
Nmap scan report for 192.168.1.100
Host is up (0.0053s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Key Considerations:
Root Privileges: Since SYN scanning requires raw socket access to send SYN
packets, you may need to run this command as root (or with sudo on Unix-based
systems).
Firewall and IDS/IPS Detection: Although SYN scanning is less likely to be
detected than full connection scans, firewalls and intrusion detection systems (IDS/
IPS) may still detect this type of scan, especially if the target is specifically
configured to log unusual connection attempts.

5. SCTP COOKIE ECHO SCAN :

nmap -sZ -vv <ip>

SCTP INIT Scan is a type of scan used to detect open ports on a target system that
uses the SCTP (Stream Control Transmission Protocol).
SCTP is a transport-layer protocol, similar to TCP and UDP, but it is primarily used for
telecommunication systems and signaling protocols. While SCTP is not as widely
used as TCP or UDP, it may still be employed in some specialized networks.

The SCTP INIT scan works as follows:

It sends an SCTP INIT chunk to the target system on a specific port.
If the port is open, the target responds with an SCTP INIT-ACK chunk.
If the port is closed, the target responds with an SCTP ABORT chunk.
If the port is filtered (i.e., blocked by a firewall), there may be no response, or the response could be a
reset or unreachable message.

Why Use SCTP INIT Scan?

This scan is used when the target system is known to use SCTP (e.g., certain telecommunication
networks or signaling systems).
It is similar to a TCP SYN scan but for SCTP ports.
It may help evade detection in environments where other types of scans, such as TCP SYN or TCP
Connect scans, are more commonly detected by firewalls or intrusion detection systems.

Key Considerations:
Root Privileges:
Like other advanced Nmap scan types, the SCTP INIT scan may require root or administrator
privileges because it involves sending raw packets, which is restricted for normal user accounts.
On Unix-like systems (Linux/macOS), use sudo to run the command if necessary:

sudo nmap -sZ -vv 192.168.1.100

SCTP Availability:
This scan is only useful if the target system is running applications or services that use SCTP. If SCTP
is not supported or in use, the scan will not return meaningful results.
Detection by Firewalls/IDS:
Although SCTP INIT scan is generally stealthier than a full connection scan (like TCP Connect scans),
advanced firewalls or intrusion detection systems (IDS) might still recognize and log these types of
scans based on traffic patterns.

6. INVERSE TCP FLAG SCAN :

nmap -sF -vv <ip>
nmap -sN -vv <ip>
nmap -sX -vv <ip>

Explanation of the Flags:

-sF (TCP FIN Scan):
The TCP FIN scan is a stealth scan that sends a FIN packet (typically used to close a connection) to
the target ports.
If the target port is open, the target will usually ignore the packet (since it's not expecting to close a
connection).
If the port is closed, the target will respond with a RST (reset) packet, indicating that the port is
closed.
This scan can sometimes bypass firewalls or intrusion detection systems (IDS) because it does not
initiate a normal connection, but it may not work on all systems, particularly those that are well
configured to detect such behavior.

-sN (TCP Null Scan):
The TCP Null scan sends a TCP packet with no flags set at all (the Null Scan section below covers it
in detail).
This scan can be used to detect open ports by observing the response behavior:
If the port is open, there will be no response from the target.
If the port is closed, the target will send a RST packet.
The Null scan is also considered a stealthy scan, but it can be easily detected if the target system is
well-configured.

-sX (TCP Xmas Scan):
The TCP Xmas scan is similar to -sN in that it sends packets with an unusual flag combination. It sets
the FIN, URG, and PSH flags.
It's called the "Xmas tree" scan because of the analogy with turning all the lights on (all flags are set).
This scan may be effective in evading firewalls, but like the FIN scan, it is not foolproof and may be
blocked or logged.
The response to an open port is usually the absence of a reply, while a closed port will result in a RST
response.

-vv (Verbose Output): Increases the verbosity of the output.

Root privileges are generally required to send raw packets, so on Linux or macOS, you might need to
prepend sudo. Nmap accepts only one TCP scan type per run, so the three scans are issued separately:

sudo nmap -sF -vv 192.168.1.100
sudo nmap -sN -vv 192.168.1.100
sudo nmap -sX -vv 192.168.1.100

Firewalls and IDS/IPS systems may detect these types of scans, even though they are considered
stealthy compared to more traditional scans like a TCP Connect scan (-sT).

7. XMAS SCAN:
nmap -sX -vv <ip>

Breakdown of the Command:
-sX (TCP Xmas Scan):
The TCP Xmas Scan gets its name because it sets all the TCP flags that are usually
used in the protocol. Specifically, it sends a TCP packet with the FIN, URG, and PSH
flags set.
These flags are typically used in normal communication but are not usually set all at
once. The combination of these flags makes the packet look unusual, like a
"Christmas tree" with all the lights on (hence the name).
How it works:
When this type of packet is sent to a port:
If the port is open: The target system usually does not respond (since it's not
expecting a FIN/URG/PSH combination).
If the port is closed: The target will typically respond with a RST (reset) packet to
indicate that the connection is not available.
If the port is filtered: The response may be dropped by firewalls or intrusion
prevention systems, making the port appear to be "filtered" (no response).

Why use it?:

The Xmas scan is a stealthy method of scanning because it does not follow the usual
TCP connection setup or teardown process (it doesn't initiate or close a connection in
the typical way).
It might bypass some simple firewalls or intrusion detection systems (IDS) that are
not configured to inspect this unusual packet flag combination.

Considerations:
Root Privileges: Like other advanced Nmap scans, the Xmas scan may require root or administrative
privileges because it sends raw packets. You might need to run the command as sudo on Linux/
macOS:

sudo nmap -sX -vv 192.168.1.100

Detection:
While the Xmas scan can be stealthier than traditional scans (like TCP connect scans), it is still
detectable by advanced firewalls, intrusion detection systems (IDS), or intrusion prevention systems
(IPS) that are specifically configured to look for unusual traffic patterns or malformed TCP flags.

Compatibility:
The Xmas scan might not work well on all systems. Some systems, especially modern ones, are
configured to discard such unusual packets, making the scan ineffective or causing false negatives
(the scan may report ports as filtered even if they are open).

Limitations:
The Xmas scan is not as commonly used or as effective on modern networks as it once was because
many systems are now designed to detect or block these types of scans.
If a firewall or IDS/IPS detects this traffic, the scan could be blocked, and the results may not be
accurate.

8. FIN SCAN:
nmap -sF -vv <ip>

The TCP FIN scan works by sending a TCP packet with the FIN (Finish) flag set to the target port. The
FIN flag is usually used to indicate that the sender has finished sending data and wants to terminate
the connection.
However, in the case of a scan, this flag is sent without initiating a proper TCP handshake, which can
help the scan evade detection by certain firewalls or intrusion detection systems (IDS) that might not
expect this kind of packet.
How it works:
If the port is open: The target system will ignore the FIN packet (since it's not expecting to close a
connection) and will not send any response.
If the port is closed: The target will typically respond with a RST (reset) packet, indicating that the
port is closed.
If the port is filtered: If there is a firewall or other filtering device between you and the target, you
may not receive any response, or the response could be an ICMP unreachable message.
This behavior makes the FIN scan a stealthy scan. It's not as obvious as a SYN scan or a TCP Connect
scan, which follow the normal TCP handshake process and are easier to detect.

Considerations:
Root Privileges:
As with many Nmap scans, the FIN scan may require root or administrative privileges because it
involves sending raw packets. On Linux or macOS, you might need to use sudo:

sudo nmap -sF -vv 192.168.1.100

Detection:
While the FIN scan is considered stealthier than other types of scans (like a SYN scan), it can still be
detected by advanced firewalls, intrusion detection/prevention systems (IDS/IPS), or even modern
operating systems. Some systems are configured to ignore unexpected FIN packets, or they may
block or log the attempt.

Firewalls and IDS/IPS:

Modern firewalls or intrusion detection systems might still detect and log a FIN scan, even though it is
less obvious than a traditional scan. The effectiveness of the FIN scan depends on the target
system’s configuration.
Some systems may respond to the unusual nature of a FIN scan by filtering the traffic or blocking it
entirely, causing the scan to miss open ports or report false positives.

When to Use the -sF Scan:

Stealthy reconnaissance: The FIN scan is often used in scenarios where a low profile is required and
where traditional scans like SYN or Connect scans might be detected.
Firewalls/IDS Evasion: It is useful in situations where you suspect the target may have a firewall or
IDS/IPS that is not configured to inspect packets with FIN flags.

9. NULL SCAN:
nmap -sN -vv <ip>

In Nmap, a Null Scan is a type of scan that sends a TCP packet with no flags set in the TCP header.
This scan is primarily used to evade detection because it doesn't follow the usual TCP protocol rules
for initiating or terminating connections. The Null Scan can help identify open ports by exploiting the
behavior of certain systems or firewalls.

How a Null Scan Works:

Null Packet:
The packet sent in a Null Scan has no flags set—meaning the TCP header has no SYN, ACK, FIN, PSH,
RST, or URG flags.
A typical TCP packet in the connection process uses these flags to control the state of a connection.
The Null Scan skips all of them.

Response Behavior:
The response to the Null Scan depends on the state of the target port:
If the port is open: The target system will ignore the packet. It won't respond to it because the packet
is not part of a legitimate connection request.
If the port is closed: The target system will usually send a RST (Reset) packet to indicate that the
connection is not available.
If the port is filtered: If there is a firewall or packet filter in between, the target may not respond or
could send an ICMP unreachable response.

Stealth:
The Null Scan is considered a stealthy scan because it doesn't initiate a full TCP handshake (no SYN/
ACK exchange), making it harder to detect by intrusion detection/prevention systems (IDS/IPS) that
are looking for more standard connection attempts.
It can bypass certain firewalls or packet filters that only look for normal connection requests but not
for unusual traffic like Null Scan packets.
Nmap Command for a Null Scan:
The Null Scan can be performed in Nmap with the -sN option:

nmap -sN <ip>

10. TCP MAIMON SCAN:

nmap -sM -vv <ip>

This option tells nmap to use the TCP Maimon scan. This scan type is a rare and
somewhat obscure scanning technique that attempts to exploit a quirk in the TCP
protocol stack. It's designed to send packets that are FIN-PSH (FIN + PUSH
flags) to the target. The goal is to elicit a response from the target without fully
establishing a connection. It's considered stealthy because it doesn’t complete the
handshake, but not all firewalls or intrusion detection systems are bypassed by it.

Important Considerations:
Stealth: The -sM scan can be somewhat stealthy because it doesn't complete the TCP handshake, but
it may still be detectable by advanced intrusion detection/prevention systems (IDPS).

Legality: Always make sure you have permission to scan a target. Unauthorized scanning of
networks and systems can be illegal.

11. ACK FLAG PROBE SCAN:

nmap -sA -vv <ip>

This option tells nmap to perform a TCP ACK scan. The purpose of this scan is to map out firewall
rules and determine whether a target is protected by a firewall or filtering device.

Here's how it works:

In a TCP ACK scan, nmap sends packets with the ACK flag set. These are similar to packets used to
acknowledge data in a TCP session.
The response (or lack thereof) provides clues about the state of the firewall or filtering device:
If the target responds with a RST (Reset) packet, it indicates that the port is not filtered (and is likely
open).
If the target does not respond (or sends an ICMP unreachable message), it suggests the port is
filtered (protected by a firewall).
This scan doesn't actually attempt to establish a connection to the target, so it is useful for mapping
firewall behavior and identifying which ports may be protected or unprotected.

Use Cases for the TCP ACK Scan:

Firewall detection: The ACK scan is useful for identifying whether a target is behind a firewall or
filtering device, without trying to determine which specific ports are open.
Stealth: The scan is stealthier than a full connection scan because it doesn’t attempt to fully
establish a TCP connection.

Important Considerations:
Firewalls and IDS/IPS: Modern firewalls and Intrusion Detection Systems (IDS) or Intrusion Prevention
Systems (IPS) might still detect and log these types of scans, though they are generally stealthier
than others.
Legal and Ethical: Always ensure that you have authorization to scan the network or system you're
targeting. Unauthorized scanning may violate laws and regulations.
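
Seen from the defender's side, the probes of sections 6 to 11 leave distinctive traces in a packet log: flag combinations no normal TCP stack emits, ACKs that belong to no connection, and SYNs to many ports that never complete a handshake. The detector below is an added example (not from these notes and not Nmap code) that runs over a constructed, tcpdump-style record list; the record format, the flag letters and the fan-out threshold are assumptions made for the example.

```python
"""Spotting the probe types above in a connection log (defender side).

Added example, not from the original notes: a small detector over
constructed, tcpdump-style records that flags inverse-flag probes (Null,
FIN, Xmas, Maimon), unsolicited ACK probes, and SYN fan-out that never
completes a handshake. The record format and the fan-out threshold are
assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed record format (one packet, client-to-server direction only):
#   "<src> > <dst>.<dport>: Flags [<letters>]"
# Flag letters follow tcpdump: S=SYN .=ACK F=FIN P=PSH U=URG R=RST
RECORD_RE = re.compile(r"^(\S+) > (\S+)\.(\d+): Flags \[([SFPUR.]*)\]$")
LETTERS = {"S": "SYN", ".": "ACK", "F": "FIN", "P": "PSH", "U": "URG", "R": "RST"}
SYN_FANOUT_THRESHOLD = 5  # assumption: distinct half-open ports per src->dst

# Flag combinations that a normal TCP stack never sends on its own.
INVERSE_PROBES = {
    frozenset(): "NULL scan probe (-sN)",
    frozenset({"FIN"}): "FIN scan probe (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan probe (-sX)",
    frozenset({"FIN", "ACK"}): "Maimon scan probe (-sM)",
}


def parse_record(line):
    """Return (src, dst, dport, flags) or None for a line that does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport, letters = m.groups()
    return src, dst, int(dport), frozenset(LETTERS[c] for c in letters)


def detect(lines):
    """Return sorted (src, dst, description) alerts for the given records."""
    alerts = set()
    syn_ports = defaultdict(set)    # (src, dst) -> ports that received a bare SYN
    acked_ports = defaultdict(set)  # (src, dst) -> ports where src later sent an ACK
    syn_seen = set()                # (src, dst, dport) flows that src opened properly
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        if flags in INVERSE_PROBES:
            alerts.add((src, dst, INVERSE_PROBES[flags]))
        elif flags == {"SYN"}:
            syn_ports[(src, dst)].add(dport)
            syn_seen.add((src, dst, dport))
        elif flags == {"ACK"}:
            if (src, dst, dport) in syn_seen:
                acked_ports[(src, dst)].add(dport)  # third step of the handshake
            else:  # ACK with no SYN first: -sA / -sW style probe (or a log that
                   # started mid-connection, which is the classic false positive)
                alerts.add((src, dst, f"unsolicited ACK probe to port {dport} (-sA/-sW style)"))
    for (src, dst), ports in syn_ports.items():
        half_open = ports - acked_ports[(src, dst)]
        if len(half_open) >= SYN_FANOUT_THRESHOLD:
            alerts.add((src, dst, f"SYN fan-out to {len(half_open)} ports without completing a handshake (-sS style)"))
    return sorted(alerts)


# Constructed sample: one real HTTPS client, a SYN sweep, and assorted probes.
SAMPLE_LOG = [
    "10.0.0.4 > 10.0.0.9.443: Flags [S]",
    "10.0.0.4 > 10.0.0.9.443: Flags [.]",
    "10.0.0.4 > 10.0.0.9.443: Flags [P.]",
] + [f"10.0.0.5 > 10.0.0.9.{p}: Flags [S]" for p in (21, 22, 25, 80, 443, 8080)] + [
    "10.0.0.5 > 10.0.0.9.22: Flags [R]",  # scanner tears down after the SYN-ACK
    "10.0.0.7 > 10.0.0.9.80: Flags [FPU]",
    "10.0.0.7 > 10.0.0.9.80: Flags []",
    "10.0.0.7 > 10.0.0.9.80: Flags [F]",
    "10.0.0.8 > 10.0.0.9.80: Flags [F.]",
    "10.0.0.8 > 10.0.0.9.25: Flags [.]",
]

if __name__ == "__main__":
    for src, dst, what in detect(SAMPLE_LOG):
        print(f"{src} -> {dst}: {what}")
```

The legitimate client (10.0.0.4) produces no alert because its SYN to port 443 is followed by its own ACK; the sweep from 10.0.0.5 is reported as a whole rather than once per port.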

12. TTL BASED ACK FLAG PROBE SCAN:

nmap -sA --ttl 100 -vv <ip>

The command nmap -sA --ttl 100 -vv <ip> combines a TCP ACK scan with a specific setting for the TTL
(Time to Live) of the probe packets, and increases verbosity. Let's break down each part of the command:

Components:
nmap: The tool for network discovery and security auditing, used to scan and identify hosts,
services, and vulnerabilities.

-sA: This specifies a TCP ACK scan. The ACK scan is used to map out firewall rules or determine if a
host is behind a firewall or filtering device. It works by sending TCP packets with the ACK flag set, and
the responses from the target can reveal whether ports are filtered or not.

Responses to an ACK scan:

RST (Reset): If the target sends a RST (reset) packet, it typically indicates that the port is open or
closed, but unfiltered.
No response or ICMP unreachable: If the target does not respond, it likely means that the port is
filtered by a firewall.
--ttl 100: The TTL (Time to Live) is a value in the IP header that determines the maximum number of
hops (routers) a packet can traverse before being discarded. By setting --ttl 100, you're explicitly
instructing nmap to send packets with a TTL of 100.

Why TTL matters:

Modifying the TTL can help to manipulate how the scan appears on the network or can sometimes be
used to obscure the origin of the scan. It could also be used to avoid detection by certain
intermediate devices (like firewalls or routers) that might drop packets with a TTL that doesn’t match
expected values.
Impact on Results: The TTL value doesn't directly impact the scan's goal (firewall detection) but may
affect how responses are seen or routed, particularly when passing through multiple network hops.
-vv: The -vv option increases the verbosity of the output. This will give you more detailed information
during the scan, including the state of each port, the packets being sent, and any issues
encountered.

<ip>: This is the target IP address that you are scanning. Replace <ip> with the actual IP address or
domain of the system you want to scan.

Example Command:

nmap -sA --ttl 100 -vv 192.168.1.1

What This Command Does:

TCP ACK Scan (-sA): Sends TCP packets with the ACK flag to identify filtered ports (i.e., if the target is
behind a firewall).
TTL Set to 100 (--ttl 100): Modifies the TTL of the sent packets to 100. This could affect routing and
detection depending on the network.
Verbose Output (-vv): Provides detailed information about the scan process, including responses,
flags, and any potential errors.

Use Cases:
Firewall and Filtering Detection: This scan is typically used to determine whether a firewall is in place
and which ports are filtered, without attempting to connect to services on those ports.
Manipulating Scan Characteristics: The TTL setting can be useful in cases where you want to modify
how the scan behaves in terms of routing or how intermediate devices like routers interpret the
packets.

Important Considerations:
Firewalls and IDS/IPS:
Although the ACK scan is relatively stealthy, modern firewalls or Intrusion Detection/Prevention
Systems (IDS/IPS) may still detect unusual TTL values, even if the scan itself is not immediately
visible.

Legality:
Always ensure that you have permission to scan the target system. Unauthorized scanning can be
illegal and may violate the Computer Fraud and Abuse Act (CFAA) or similar laws depending on your
location.

13. WINDOW BASED ACK FLAG PROBE SCAN :

nmap -sW -vv <ip>

The command nmap -sW -vv <ip> performs a TCP Window scan, which is built on the TCP ACK probe,
with increased verbosity. Nmap accepts only one TCP scan type per run, so -sA and -sW cannot be
given together on one command line; -sW already sends the ACK packets that -sA sends and adds
the window-size check. Let's break it down:

Components of the Command:
nmap: The command-line tool used for network discovery and security auditing. It helps to scan
hosts, services, and vulnerabilities on a network.

-sA: This is a TCP ACK scan.
In a TCP ACK scan, nmap sends TCP packets with the ACK flag set. This is used primarily to map out
firewall or filtering device behavior.
Responses to the scan:
RST (Reset): If the target responds with a RST (reset) packet, the port is typically unfiltered (open or
closed).
No response / ICMP unreachable: If the target doesn’t respond, or sends an ICMP unreachable
message, it suggests the port is filtered (likely by a firewall).
-sW: This option enables a TCP Window scan.
The TCP Window scan works by analyzing the TCP window size in the response from the target to a
packet. The idea behind this scan is that different systems respond differently to TCP packets with an
open window.
By examining the size of the window in the returned TCP header, nmap can infer whether a port is
open or closed. For example:
A larger window size may indicate that the port is open.
A smaller or zero window size may suggest that the port is closed.
Window size behavior is often influenced by the OS and the type of firewall between the scanning
system and the target.
-vv: This flag increases the verbosity of the nmap output. With -v (the first v), nmap gives you more
details, and with -vv (the second v), it gives even more detailed information about each step of the
scan, including port status and specific responses.

<ip>: This is the target IP address you are scanning. Replace <ip> with the actual IP address (or
domain name) of the system you want to scan.

Example Command:

nmap -sA -sW -vv 192.168.1.1

What the Command Does:
TCP ACK Scan (-sA): Detects whether a firewall is present and identifies filtered ports.
Sends packets with the ACK flag and analyzes the response to determine which ports are filtered.
TCP Window Scan (-sW): Uses the TCP window size in the response to determine if a port is open or
closed.
This is useful in environments where normal scans might be blocked or obscured by firewalls or
packet filters.
Verbose Output (-vv): Increases the level of detail provided in the scan results, helping you
understand the flow and status of the scan and the target system.

Use Cases:
Firewall and Filtering Device Detection: This combined scan can help you understand firewall
behavior and deduce whether ports are open, closed, or filtered.
OS Fingerprinting: The TCP Window scan can sometimes provide information about the operating
system of the target based on how it handles window sizes.
Port Scanning in Complex Environments: The use of both ACK and Window scans helps when there
are firewalls or other filtering devices in place, as these scans do not rely on completing the full TCP
handshake.

Example Output (with -vv verbosity):
You might see output like the following, showing detailed information for each port scanned:

Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
80/tcp filtered http
443/tcp open https
...

Key Points:
-sA (TCP ACK Scan): Helps to determine if a firewall is in place and whether certain ports are filtered.
-sW (TCP Window Scan): Attempts to identify open or closed ports by inspecting the TCP window size
in responses.
Verbose Output (-vv): Provides detailed information about the scan’s progress and results.

Considerations:
Firewalls and IDS/IPS: Modern firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) can
sometimes detect these types of scans, especially when combined with verbose output.
Accuracy: The Window scan (-sW) may not always be as reliable as a traditional SYN scan,
particularly if the target is behind an advanced firewall or filtering system.
Legality: Always make sure you have permission to scan the target system. Unauthorized scanning
may be illegal and subject to penalties under various cybersecurity laws.

14. IDLE/IPID HEADER SCAN:


nmap -Pn -p- -sI <ZOMBIE HOSTNAME> <TARGET HOSTNAME>
The command nmap -Pn -p- -sI <ZOMBIE HOSTNAME> <TARGET HOSTNAME> uses several nmap
options that are designed to perform a stealth scan using a zombie host (also known as IDLE scan).
Let’s break down each part of the command:

Components of the Command:
nmap: This is the command-line tool for network scanning and security auditing. It's commonly used
to discover hosts and services, as well as check for vulnerabilities.

-Pn: This option disables host discovery. By default, nmap attempts to determine
whether a target is up (alive) before scanning it by sending a variety of probes (like ICMP
echo requests, or SYN packets). When you use -Pn, nmap skips this host discovery
phase and assumes that the target is up. This is useful when scanning hosts that may
block ICMP or other discovery probes (for example, firewalled hosts).

-p-: This option tells nmap to scan all 65,535 TCP ports. By default, nmap scans the
most common 1,000 ports, but with -p-, it will scan every port from 1 to 65535.

-sI <ZOMBIE HOSTNAME>: This is the key option in your command. It specifies an Idle
scan using a zombie host:
The -sI option activates Idle scan, which is a type of stealth scan that allows the attacker
to scan a target without directly interacting with it. Instead, it sends packets through a
third-party machine, which acts as the zombie.
The zombie host (in this case <ZOMBIE HOSTNAME>) is used to send the probes to the
target system. The target system will respond to the zombie host, not to the actual
scanning machine. This can allow the attacker to perform the scan without revealing
their own IP address.
The Zombie Host must be chosen carefully. It needs to be a machine that can send
packets to the target and respond to requests without being suspicious (i.e., it must not
have any obvious connection to the attacker).
Idle scan is based on manipulating the IP ID field of the IP header, so it only works under
certain conditions (e.g., the target system and zombie host must behave in a predictable
manner).
<TARGET HOSTNAME>: This is the target you want to scan. Replace <TARGET
HOSTNAME> with the actual IP address or hostname of the system you wish to scan.

Example Command:

nmap -Pn -p- -sI 192.168.1.100 192.168.1.1

This would:
Use 192.168.1.100 as the zombie host.
Scan all 65,535 ports on 192.168.1.1 using the Idle scan technique.

How the Idle Scan (-sI) Works:
The Idle scan technique works by exploiting the behavior of IP packet sequencing (the IP ID field) on
the zombie host:

The attacker sends packets to the target host, but the actual packets are relayed through a zombie
host (i.e., a third party).
The target responds to the zombie, not the attacker.
By analyzing the responses from the target (through the zombie), the attacker can infer whether the
target port is open or closed by observing the IP ID field in the responses.

Why Use an Idle Scan?
Stealth: One of the biggest advantages of the Idle scan is that it allows the attacker to scan the target
without revealing their own IP address. The target only sees the IP address of the zombie host.
Avoiding Detection: Since the attacker never directly communicates with the target, it can be difficult
for intrusion detection systems (IDS) or firewalls to detect the scan.

Use Case:
Stealth Port Scanning: This scan is typically used by attackers who want to perform a stealth scan of
a target without directly communicating with it. It's useful when the attacker wants to avoid detection
or log tracing.
Network Reconnaissance: If an attacker knows of a vulnerable zombie host and wants to probe a
target's open ports without revealing their own IP address, they would use this technique.

Limitations:
Zombie Host Requirements: The zombie host must have an open port that is not being filtered or
blocked. Additionally, the target host and zombie must behave predictably, especially in terms of IP
ID increments. This makes finding a suitable zombie host difficult.
Firewall and IDS/IPS Detection: While the Idle scan is stealthy, sophisticated firewalls and intrusion
detection systems (IDS/IPS) can still detect unusual patterns of traffic that might indicate a scan.
Not Always Reliable: Some targets or intermediate routers may not allow such scans, and this
technique relies on specific networking behaviors that might not be present in all environments.

Example Output (with -vv verbosity):
With the verbosity flag (-vv), you might see more detailed output, such as the scanning process,
responses, and inferred port states, for example:

Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
...

Important Considerations:
Legal and Ethical: Unauthorized scanning of networks is illegal in many countries. Always ensure you
have permission to scan a system.
Detection: Although the scan tries to mask the attacker's IP, skilled network administrators may still
be able to detect unusual traffic patterns indicative of a zombie scan.
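The IP ID arithmetic that the Idle scan rests on, as an added Python example; it is not code from these notes or from Nmap and sends no packets, it only applies the counter logic to constructed IP ID values. classify_ipid_sequence() is the check a defender can run on IP IDs captured from their own hosts (for instance from a packet capture) to see whether a host uses a globally incremental counter, the property that makes it a usable zombie; the remedy is per-destination or randomised IP IDs, which many modern kernels use by default. infer_port_state() shows why the notes say the zombie and target must behave predictably: the whole technique is the difference between two readings of the zombie's counter. Function names and the sample values are this example's own.

```python
"""The IP ID arithmetic behind the Idle scan (added example, not Nmap's code).
No packets are sent; every IP ID value used here is constructed.
"""
from typing import List


def ipid_delta(before: int, after: int) -> int:
    """Increase between two 16-bit IP ID values, allowing for wrap-around at 65535."""
    return (after - before) % 65536


def classify_ipid_sequence(samples: List[int]) -> str:
    """Classify IP IDs seen in consecutive replies from one host.
    'incremental'        : +1 per packet; the host is a usable zombie (and its owner
                           should switch it to per-destination or random IP IDs)
    'broken-incremental' : +256 in network byte order, i.e. a host that increments in
                           little-endian host order; still predictable
    'all-zeros'          : the host always sends IP ID 0; nothing to count
    'random'             : no fixed step; cannot serve as a zombie
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    if all(s == 0 for s in samples):
        return "all-zeros"
    steps = {ipid_delta(a, b) for a, b in zip(samples, samples[1:])}
    if steps == {1}:
        return "incremental"
    if steps == {256}:
        return "broken-incremental"
    return "random"


def infer_port_state(zombie_ipid_before: int, zombie_ipid_after: int, step: int = 1) -> str:
    """One Idle scan round, seen only through the zombie's counter.
    Between the two readings the scanner sends one SYN to the target port with the
    zombie's address as source, then probes the zombie again (that probe costs one step).
    - open port:   target sends SYN/ACK to the zombie, the zombie answers RST and
                   spends one more IP ID -> the counter advanced by two steps
    - closed port: target sends RST to the zombie, which ignores it -> one step
    - filtered:    target sends nothing -> also one step, indistinguishable from closed
    """
    delta = ipid_delta(zombie_ipid_before, zombie_ipid_after)
    if delta == 2 * step:
        return "open"
    if delta == step:
        return "closed|filtered"
    return "unknown"  # zombie was not idle, or other traffic hit it; Nmap retries such rounds


if __name__ == "__main__":
    # Constructed readings: 31337 before the round, 31339 after it.
    print(classify_ipid_sequence([31337, 31338, 31339, 31340]), infer_port_state(31337, 31339))
```

A host classified as "incremental" or "broken-incremental" is the one to fix on the defending side; the "all-zeros" and "random" classes are what Nmap reports as unusable when it tests a zombie candidate.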

15. SSDP SCANNING:

THE SIMPLE SERVICE DISCOVERY PROTOCOL (SSDP) IS A NETWORK
PROTOCOL THAT WORKS IN CONJUNCTION WITH UPNP TO DETECT
PLUG AND PLAY DEVICES. VULNERABILITIES IN UPNP MAY ALLOW
ATTACKERS TO LAUNCH BOF (BUFFER OVERFLOW) OR DOS ATTACKS. ATTACKERS MAY USE
THE UPNP SSDP M-SEARCH INFORMATION DISCOVERY TOOL TO
CHECK IF THE MACHINE IS VULNERABLE TO UPNP EXPLOITS OR NOT.

msf6> use auxiliary/scanner/upnp/ssdp_msearch
msf6> set RHOSTS <ip>
msf6> show options
msf6> exploit

SSDP (Simple Service Discovery Protocol) is a network protocol used for
discovering services in a local network. It is often used by devices in the
UPnP (Universal Plug and Play) ecosystem, such as printers, routers,
smart TVs, and other IoT devices, to advertise their services to other
devices in the same network.

In nmap, you can scan for devices or services that are using SSDP by performing a specialized scan.
SSDP typically runs over UDP port 1900 and can be discovered with specific nmap flags.

SSDP Scanning in nmap
Using nmap to Scan for SSDP Devices
To scan for SSDP devices in your network using nmap, you can use the -p option to specify UDP port
1900, as this is the default port for SSDP.

Here is a basic example of an SSDP scan using nmap:

nmap -sU -p U:1900 --open <target_ip_or_network>

Where:
-sU: Enables the UDP scan. Without it nmap only scans TCP ports, so the U:1900
port specification would be ignored.
-p U:1900: This specifies scanning for UDP port 1900, which is the port
used by SSDP.
U: specifies that the port should be scanned for UDP (instead of the
default TCP).
--open: This option ensures that nmap only reports open ports, which
helps filter out unnecessary results.
<target_ip_or_network>: Replace this with the IP address or range of IPs
you want to scan. For example, 192.168.1.0/24 to scan all devices on your
local network.

Example:
If you want to scan for SSDP devices on a local network (192.168.1.0/24), the command would look
like this:

nmap -sU -p U:1900 --open 192.168.1.0/24

Explanation:
This will scan all hosts on the 192.168.1.0/24 network for open UDP port 1900 (the SSDP port).
If any devices are running SSDP (typically devices that are part of a UPnP network), their services will
be reported as open on port 1900.

Example Output:
If devices are found, the output might look like this:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-11-28 15:33 UTC
Nmap scan report for 192.168.1.10
Host is up (0.0034s latency).
PORT STATE SERVICE
1900/udp open upnp
...
Nmap scan report for 192.168.1.15
Host is up (0.0047s latency).
PORT STATE SERVICE
1900/udp open upnp
...

This would indicate that devices at 192.168.1.10 and 192.168.1.15 are running SSDP
services (UPnP services), which are commonly associated with printers,
cameras, routers, and other IoT devices.

Additional Considerations:
UDP vs. TCP: SSDP operates over UDP and not TCP. Therefore, always specify UDP port 1900 (U:1900)
to ensure you're scanning the right protocol.

Service Discovery:
While nmap can identify devices that are advertising SSDP services, the actual service details (e.g.,
device information or capabilities) are typically retrieved via a different process, such as by sending
SSDP queries to the device using tools like curl or specialized SSDP clients.

Security Implications:
SSDP can expose sensitive information about devices on your network. It has been a target for
certain types of attacks, like DDoS amplification attacks, where SSDP is misused to amplify malicious
traffic. Therefore, it's important to ensure that unnecessary devices using SSDP are properly
secured.

Summary:
To scan for SSDP services, use -sU together with the -p U:1900 option in nmap.
You can use the --open flag to only report open services, and specify the target IP range.
SSDP is commonly used for device discovery in UPnP environments, but it can be a security concern
if left unprotected.
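The M-SEARCH exchange behind the Service Discovery and Security Implications paragraphs above, as an added Python example (not code from these notes, from Nmap or from the Metasploit module): build_msearch() produces the discovery request a UPnP control point multicasts, parse_ssdp_response() extracts the headers a device advertises (LOCATION, SERVER, ST, USN), and amplification_factor() measures how many response bytes come back per request byte, which is the property that makes exposed SSDP responders usable for DDoS amplification. The reply, its LOCATION URL and SERVER string are constructed; nothing here touches the network.

```python
"""SSDP M-SEARCH builder, response parser and amplification check.
Added example, not the notes' code; the sample response below is constructed.
"""
from typing import Dict, List

SSDP_MULTICAST_ADDR = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """The discovery request a control point multicasts to 239.255.255.250:1900.
    SSDP is HTTP-style text over UDP; the blank line terminates the header block."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MULTICAST_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",            # seconds a device may delay its reply
        f"ST: {search_target}",  # ssdp:all asks every device for every service
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(datagram: bytes) -> Dict[str, str]:
    """Parse one unicast reply: an 'HTTP/1.1 200 OK' status line plus headers.
    Header names are upper-cased because devices vary in their capitalisation."""
    text = datagram.decode("ascii", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """Bytes returned per byte sent for one request. A single ssdp:all query
    can draw one reply per advertised service, so all replies are summed."""
    return sum(len(r) for r in responses) / len(request)


# Constructed sample reply from a router at 192.168.1.10 (values are made up).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.10:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.10 UPnP/1.0 MiniUPnPd/2.1\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    req = build_msearch()
    hdrs = parse_ssdp_response(SAMPLE_RESPONSE)
    print(hdrs["SERVER"], hdrs["LOCATION"])
    print("amplification factor for one reply:", round(amplification_factor(req, [SAMPLE_RESPONSE]), 2))
```

For a device you own, feed every datagram it returns for one ssdp:all query into the factor: a responder reachable from the Internet that answers a small request with several hundred bytes is the amplification vector described above, and the fix is to keep UDP/1900 off the WAN side.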

16. LIST SCAN:

THIS TYPE OF SCAN SIMPLY GENERATES AND PRINTS A LIST OF IPs/
NAMES WITHOUT ACTUALLY PINGING THEM. A REVERSE DNS RESOLUTION IS
PERFORMED TO IDENTIFY HOSTNAMES.
List Scan ( -sL ): List scan is a degenerate form of host discovery that
simply lists each host on the network(s) specified, without sending
any packets to the target hosts. By default, Nmap still performs
reverse-DNS resolution on the hosts to learn their names.

#nmap -sL -vv <target>

17. IPv6 SCAN:

nmap -6 <ip>
If you're scanning the IPv6 address 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the command
would look like this:

nmap -6 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Important options for IPv6 scanning:

Scan multiple IPv6 addresses:
nmap -6 2001:0db8:85a3::1 2001:0db8:85a3::2

Scan a range of IPv6 addresses:
Nmap does not support ranges for IPv6 in the same way it
does for IPv4, but you can use Nmap to scan multiple
targets by specifying them with a space or by using a file
that lists the IPs:
nmap -6 -iL ipv6_addresses.txt

Scan specific ports:
To scan a specific port (e.g., port 80), use the -p option:
nmap -6 -p 80 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Scan a range of ports:
If you want to scan a range of ports (e.g., 1-1000):
nmap -6 -p 1-1000 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Aggressive Scan:
An aggressive scan performs multiple tests, including OS
detection, version detection, script scanning, and
traceroute:
nmap -6 -A 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Scan IPv6 Subnet:
To scan an entire subnet (e.g., 2001:0db8:85a3::/64):
nmap -6 2001:0db8:85a3::/64

SERVICE DISCOVERY
Service discovery in nmap refers to the process of identifying
which services are running on a target system, which ports
those services are running on, and sometimes identifying the
version and details of those services. This is essential for
security assessments, as it helps to understand which
services are exposed on the network, and potentially identify
vulnerabilities related to those services.
nmap provides several options to discover and identify services running on a target. These options
can be combined in various ways to enhance the accuracy and depth of the discovery process.

1. Basic Service Discovery
To identify open ports and the services running on them, use the -sV option. This triggers nmap to
probe the open ports and attempt to identify the service running on each port.

Example:
nmap -sV <target_ip>

Where:

-sV: This option enables service version detection. It causes nmap to query open ports
to determine the software and version of the service running on each port.
What the command does:
Scans the target IP for open ports.
Probes the open ports to identify the services and their versions (e.g., Apache, OpenSSH,
FTP).
Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-11-28 16:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0035s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2
80/tcp open http Apache httpd 2.4.38
443/tcp open ssl/https Apache httpd 2.4.38
8080/tcp open http Tomcat/Coyote JSP engine 9.0.31
MAC Address: 00:14:22:01:23:45 (Cisco Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
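Turning this normal-format output into something you can diff between scans, as an added Python example (not code from these notes or from Nmap). The parser handles both port-table shapes on this page: the three-column "PORT STATE SERVICE" table of the ACK/Window scan in section 13 and the four-column "PORT STATE SERVICE VERSION" table of -sV shown here, and summarize() reports the filtered ports (the firewall indicator the ACK scan is looking for) and the detected versions. The two samples are the outputs shown on this page, embedded as constructed strings; for production use Nmap's XML output (-oX) is the more robust source, but the text parser is enough to show the structure.

```python
"""Parser for Nmap's normal-format port table (added example, not the notes' or Nmap's code).

Handles both table shapes on this page: "PORT STATE SERVICE" (ACK/Window scan)
and "PORT STATE SERVICE VERSION" (-sV). The samples are the outputs shown in
the notes, embedded here as constructed strings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "443/tcp open ssl/https Apache httpd 2.4.38": the version column is optional
# and may contain spaces, so everything after the service name is the version.
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|unfiltered|filtered|open|closed)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+?))?\s*$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")

# States meaning a filtering device dropped or rejected the probe.
FILTERED_STATES = {"filtered", "open|filtered", "closed|filtered"}


@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]


def parse_nmap_output(text: str) -> List[PortRecord]:
    """Return one PortRecord per port line, tagged with the host it was reported under."""
    records: List[PortRecord] = []
    host = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")
            continue
        m = PORT_LINE.match(line)
        if m:
            records.append(PortRecord(host, int(m.group("port")), m.group("proto"),
                                      m.group("state"), m.group("service"), m.group("version")))
    return records


def summarize(records: List[PortRecord]) -> Dict[str, object]:
    """Count ports per state and flag filtering, the firewall indicator the ACK scan looks for."""
    by_state: Dict[str, int] = {}
    for r in records:
        by_state[r.state] = by_state.get(r.state, 0) + 1
    filtered = sorted(r.port for r in records if r.state in FILTERED_STATES)
    return {
        "by_state": by_state,
        "filtered_ports": filtered,
        "firewall_suspected": bool(filtered),
        "versions": {f"{r.port}/{r.proto}": r.version for r in records if r.version},
    }


ACK_WINDOW_SAMPLE = """\
Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
80/tcp filtered http
443/tcp open https
"""

VERSION_SAMPLE = """\
Nmap scan report for 192.168.1.1
Host is up (0.0035s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2
80/tcp open http Apache httpd 2.4.38
443/tcp open ssl/https Apache httpd 2.4.38
8080/tcp open http Tomcat/Coyote JSP engine 9.0.31
MAC Address: 00:14:22:01:23:45 (Cisco Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

if __name__ == "__main__":
    for sample in (ACK_WINDOW_SAMPLE, VERSION_SAMPLE):
        print(summarize(parse_nmap_output(sample)))
```

Keeping the version strings keyed by port/proto makes a scan-to-scan comparison a dictionary diff, which is how a recurring authorised scan of your own hosts turns into a change alert rather than a wall of text.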

2. Aggressive Service Discovery
For a more comprehensive service discovery that includes additional features such as operating
system detection, version detection, and script scanning, use the -A flag.

Example:
nmap -A <target_ip>
Where:
-A: Enables aggressive scan mode, which performs a combination of:
OS detection (using -O).
Service version detection (using -sV).
Script scanning (using the nmap scripting engine to run additional checks).
Traceroute (to determine the network path to the target).
Example Output:

Starting Nmap 7.91 ( https://nmap.org ) at 2024-11-28 16:20 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
Not shown: 1000 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2
80/tcp open http Apache httpd 2.4.38
443/tcp open ssl/https Apache httpd 2.4.38
8080/tcp open http Tomcat/Coyote JSP engine 9.0.31
MAC Address: 00:14:22:01:23:45 (Cisco Systems)
OS details: Linux 3.10 - 4.11, Linux 4.12 - 4.19, Linux 5.0 - 5.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

3. Using nmap Scripting Engine (NSE) for Service
Discovery
nmap comes with a powerful scripting engine (NSE) that can run custom scripts for more in-depth
service discovery. These scripts are designed to identify vulnerabilities, detect the software running,
and even check for configuration issues.
To run a specific service-related NSE script, you can use the --script option. For example, you might
want to run the http-title script to retrieve the title of web services.

Example:
nmap --script=http-title -p 80 <target_ip>

This will use the http-title script to retrieve the title of a website running on port 80 (if the service is
an HTTP server).
Running Multiple Scripts:
You can also run multiple scripts with the -sC option, which activates a set of default scripts for
various services.

Example:
nmap -sC -p 80,443,8080 <target_ip>

Where:
-sC: Runs the default scripts included with nmap, which covers a wide range of service
discovery and security checks.
-p 80,443,8080: Limits the scan to the specified ports.

4. Combining Service Discovery with Host
Discovery
You can combine service discovery with host discovery by using the -Pn option (disables host
discovery) or by scanning a range of hosts.

Example:
nmap -Pn -sV 192.168.1.0/24
Where:

-Pn: Skips the host discovery phase and assumes that all hosts in the range are up.
-sV: Performs service version detection.
This can be useful when scanning multiple hosts, especially if you're sure the hosts are
live, or when you're dealing with firewalled hosts that block ping probes.

5. Service Discovery Using UDP
Service discovery typically focuses on TCP ports, but nmap can also be used to discover services
running over UDP. For this, you specify the -sU option to perform a UDP scan.

Example:

nmap -sU -p 161,162 <target_ip>

Where:
-sU: Performs a UDP scan.
-p 161,162: Scans UDP ports 161 and 162, which are used by SNMP (Simple Network
Management Protocol).
Summary of Useful nmap Options for Service Discovery:
-sV: Detects the version of the services running on open ports.
-A: Performs an aggressive scan (includes OS detection, version detection, script
scanning, and traceroute).
--script=<script_name>: Runs specific nmap scripts for service discovery and
vulnerability assessment.
-sU: Scans UDP ports for services.
-Pn: Skips host discovery (useful when dealing with firewalled or unreachable hosts).
-sC: Runs the default nmap scripts for service discovery and checks.

YOU CAN USE THESE NMAP SWITCHES TO DETECT
SERVICES MORE AGGRESSIVELY:

--allports ------→ PROBE ALL PORTS (DO NOT EXCLUDE ANY PORT FROM VERSION DETECTION)
--version-light---→ ENABLE LIGHT MODE. LOWER
POSSIBILITY OF CORRECTNESS, FASTER.
--version-all ---→ ENABLE INTENSITY LEVEL 9.
HIGHER POSSIBILITY OF CORRECTNESS. SLOWER.
--version-trace-→ ENABLES DETAILED DEBUGGING
OUTPUT DURING VERSION DETECTION.
--version-intensity <0-9>--------→ INTENSITY LEVEL
0-9. HIGHER POSSIBILITY OF CORRECTNESS. SLOWER
ALSO.

Practical Example:
If you want to do a full service discovery on all hosts in your local network and identify versions and
operating systems, you could run:
nmap -A -p 1-65535 192.168.1.0/24
This will scan all 65,535 TCP ports on each host in the 192.168.1.0/24 network and use the Aggressive
Scan (-A) to detect services, versions, operating systems, and run default scripts.

Conclusion:
Service discovery with nmap is a powerful tool for understanding the services running on a network
and assessing the security of those services. By using options like -sV, -A, and the nmap scripting
engine, you can gather detailed information about services and their potential vulnerabilities.
Always ensure that you have permission to scan the network or system in question.

OS DISCOVERY
OS Fingerprinting and Discovery in Nmap
Nmap (Network Mapper) is a powerful open-source tool for network
discovery and security auditing. One of its key features is OS
fingerprinting, which helps determine the operating system (OS) of a
target host based on network responses to a variety of probes.

1. OS Fingerprinting in Nmap
OS fingerprinting in Nmap works by sending various probes to the target machine and analyzing the
responses. By examining these responses, Nmap compares them to a database of known OS
signatures to estimate which operating system is running on the target.

The fingerprinting process includes:

TCP/IP Stack Characteristics: Different operating systems have unique implementations of the TCP/IP
stack (e.g., differences in how packets are handled, flags are set, or how certain options are
processed).
Banner Grabbing: Nmap may also gather information from services running on open ports (e.g.,
HTTP, SSH) and their response banners, which can reveal details about the OS.
TCP/IP Options and Behavior: Variations in how OSs handle specific TCP/IP behaviors like the TCP
window size, IP options, or TTL (Time-to-Live) values.

2. Types of OS Detection in Nmap
TCP/IP Stack Fingerprinting:
This is the primary method, based on differences in how each OS implements the TCP/IP stack.
Service Version Detection:
Nmap can also detect the versions of services running on the target, which may give clues about the
underlying OS.
Application Layer Fingerprinting:
Banner grabbing of application-level protocols (e.g., HTTP, FTP, SMTP) can provide additional hints.

3. OS Discovery Command in Nmap
To perform OS fingerprinting with Nmap, you can use the -O option:

nmap -O <target>

This command attempts to detect the operating system of the target IP.

4. Advanced OS Detection
You can combine OS detection with other Nmap options to refine the results or perform additional
tests:
Enable aggressive scan (-A): This runs OS detection along with version detection, script scanning,
and traceroute, providing a more comprehensive discovery.

nmap -A <target>

Increase verbosity (-v): Use this to see more details about the scan process.

nmap -v -O <target>

Use the -sS option: To perform a SYN scan (stealth scan), which is typically quicker than a full TCP
connect scan.

nmap -O -sS <target>

5. OS Detection Results
If Nmap successfully detects the OS, the output might look something like this:

OS details: Microsoft Windows Server 2019 Standard or Datacenter
Network Distance: 1 hop

It will show the operating system name, version, and sometimes the network distance (i.e., the
number of hops from your machine to the target).

If Nmap cannot conclusively determine the OS, it will provide a guessed OS with an associated
confidence level, e.g.:

OS guesses:
Linux 3.x or 4.x (96%)
Linux 2.6.32 - 3.x (85%)

6. Why OS Fingerprinting is Important
OS fingerprinting helps network administrators, security professionals, and attackers (in the case of
penetration testing) identify:

Vulnerabilities specific to the operating system.
Network behavior and potential attack surface.
Service versions and configuration weaknesses.

7. Limitations of OS Detection
Accuracy: OS fingerprinting is not always 100% accurate, especially if firewalls, intrusion detection
systems (IDS), or other filtering devices block or alter network packets.
Detection Evasion: Some OSs can be configured to respond in ways that obscure their real identity,
making it harder for Nmap to determine the exact OS.

8. Additional Fingerprinting Tools
While Nmap is widely used for OS detection, other tools can complement or serve as alternatives:

XProbe2: Another open-source tool for OS fingerprinting.
p0f: Passive fingerprinting tool that does not require active probing.

9. USE SIMPLE PING UTILITY AND LOOK FOR THE
TTL VALUES TO IDENTIFY OS.
10. USE WIRESHARK TO LOOK FOR THE TTL VALUES
IN ORDER TO DETERMINE OS.
11. USE p0f UTILITY TO DETERMINE TARGET OS.
# p0f -i any -p -o /tmp/sniff.log

HERE:
-i ---------→ IS THE INTERFACE
-p ----------→ PUT THE LISTENING INTERFACE IN PROMISCUOUS MODE.
-o --------→ OUTPUT LOG FILE
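What sections 9 and 10 describe, done programmatically, as an added Python example (not code from these notes, Nmap or p0f): extract the TTL from ping reply lines and map it back to the initial TTL an OS family starts with, which also yields the hop distance (the same figure Nmap prints as Network Distance). The ping lines are constructed, the initial-TTL table holds the well-known defaults (64 for Linux/Unix/macOS, 128 for Windows, 255 for many network devices and Solaris), and the function names are this example's own. Treat the result as a hint only: section 7 already notes that a host can be configured to answer with a non-default TTL, and a Windows host 64 hops away and a Linux host next door both answer with 64.

```python
"""TTL-based OS family hint from ping output (added example, not from the notes).
The ping lines below are constructed; the initial-TTL table holds well-known defaults.
"""
import re
from typing import Optional, Tuple

# Default initial TTL by OS family. These are conventional defaults, not guarantees:
# the value is a tunable and can be changed to obscure the OS.
INITIAL_TTLS = {64: "Linux/Unix/macOS", 128: "Windows", 255: "Network device/Solaris"}

# Matches "ttl=61" (Linux ping) and "TTL=128" (Windows ping).
TTL_RE = re.compile(r"\bttl=(\d{1,3})\b", re.IGNORECASE)


def extract_ttl(ping_line: str) -> Optional[int]:
    """Pull the TTL out of one ping reply line; None for lines without one (timeouts)."""
    m = TTL_RE.search(ping_line)
    return int(m.group(1)) if m else None


def guess_os_from_ttl(observed_ttl: int) -> Tuple[str, int, int]:
    """Return (os_family, initial_ttl, hops).
    Every router decrements TTL by one, so the initial value is the smallest
    well-known default not below what we saw, and hops is the difference."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return INITIAL_TTLS[initial], initial, initial - observed_ttl


def guess_from_ping_line(line: str) -> Optional[Tuple[str, int, int]]:
    """Convenience wrapper: parse one ping line and classify it, or None if no TTL."""
    ttl = extract_ttl(line)
    return None if ttl is None else guess_os_from_ttl(ttl)


if __name__ == "__main__":
    # Constructed sample replies in Linux and Windows ping formats.
    for sample in ("64 bytes from 10.0.0.5: icmp_seq=1 ttl=61 time=2.1 ms",
                   "Reply from 192.168.1.1: bytes=32 time<1ms TTL=128",
                   "Request timed out."):
        print(sample, "->", guess_from_ping_line(sample))
```

The same classification applies to the IP TTL field in a Wireshark capture (section 10); a hop count that disagrees with Nmap's own Network Distance is a sign that the TTL has been altered, either on the host or by a middlebox.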

12. THIS FEATURE LIMITS THE OS DETECTION TO
PROMISING TARGETS.
--osscan-limit
The --osscan-limit option in Nmap is used to limit OS detection to only the most likely candidates.
When you run a scan with OS detection enabled (using the -O option), Nmap attempts to identify the
operating system of the target machine by analyzing various characteristics of the network
response, such as IP stack behavior, open ports, and service versions.
By default, Nmap will try to be thorough in its OS detection, which may involve sending several
probes and potentially trying many different methods to identify the operating system. This
thoroughness can take longer and sometimes may lead to false positives or unnecessary efforts to
determine the OS when the result is not very certain.

When you use the --osscan-limit option, Nmap will restrict the OS detection process to only the most
likely OS guesses, essentially avoiding any tests that are less likely to provide useful information.
This can speed up the scan and reduce the number of probes sent.

nmap -O --osscan-limit <target>

Where <target> is the IP address or hostname of the machine you're scanning.

nmap -O --osscan-limit 192.168.1.1

This command tells Nmap to:
Perform OS detection (-O option).
Limit the OS detection process to only the most probable results using --osscan-limit.

13. THIS FEATURE IS USED TO GUESS OS DETECTION
RESULTS.
--osscan-guess; --fuzzy
The options --osscan-guess and --fuzzy in Nmap are related to OS (Operating System) detection and
are used to modify how aggressively Nmap tries to identify the target system's OS. These options
are used when you want to make more educated guesses about the target's OS, but they come with
trade-offs in accuracy.

--osscan-guess
The --osscan-guess option tells Nmap to make more aggressive guesses when determining the
target's operating system during an OS scan (using the -O flag). It forces Nmap to be more lenient
with its OS fingerprinting and allow less certain guesses about the operating system, even if the
evidence is not very strong.

Without --osscan-guess: Nmap will only report OS candidates that it is very confident about. It will not
report guesses where the evidence is unclear or weak.
With --osscan-guess: Nmap will report a wider range of OS guesses, even if the evidence is not
entirely conclusive. This can increase the number of possible OS matches Nmap will report.

nmap -O --osscan-guess <target>

This command tells Nmap to:
Perform OS detection (-O option).
Make more aggressive guesses and report any plausible OS, even if the evidence is weak, using
--osscan-guess.

--fuzzy
The --fuzzy option is closely related to --osscan-guess and further increases the fuzziness of the OS
detection. When used in combination with --osscan-guess, --fuzzy makes Nmap even more
aggressive in its OS detection guesses.
With --fuzzy: Nmap will include OS guesses that are even less certain or more speculative. It takes
"guessing" a step further by allowing very fuzzy or improbable OS guesses based on marginal
evidence.

Example:

nmap -O --osscan-guess --fuzzy <target>

This command tells Nmap to:
Perform OS detection (-O option).
Make aggressive OS guesses using --osscan-guess.
Allow even fuzzier, less reliable guesses with --fuzzy.

14. SET THE MAXIMUM NUMBER OF OS DETECTION
TRIES AGAINST A TARGET.
The --max-os-tries option in Nmap is used to limit the number of attempts Nmap will make when
performing OS fingerprinting during a scan. OS fingerprinting involves sending various probes to a
target system and analyzing the responses to determine the operating system. The --max-os-tries
option helps control how many retries or additional probes Nmap will make if it doesn’t get enough
information to determine the operating system on the first attempt.

By default, Nmap will try several different probes and attempts to identify the operating system of
the target. If the target is behind a firewall or a filtering device, or if the system's responses are
inconsistent or fragmented, Nmap might not be able to accurately determine the OS in one attempt.

The --max-os-tries option allows you to specify the maximum number of retries Nmap should make
when trying to detect the OS.

--max-os-tries

nmap --max-os-tries <number> <target>

<number>: The maximum number of tries Nmap will make to determine the OS. The default is
typically 10, but you can modify this depending on your needs.
<target>: The IP address or hostname of the target system.

15. SMB OS DISCOVERY:

The command below tells Nmap to run the smb-os-discovery.nse script against the target machine.
The script attempts to identify the operating system and version by interacting with the SMB service.
It uses the unsafe=1 argument to potentially enable more aggressive probes, which may increase
the accuracy of the results but also the risk of triggering alerts or firewall blocks.
The scan is focused on port 445, which is used for SMB communication.

nmap --script smb-os-discovery.nse --script-args=unsafe=1 -p 445 <target ip>

16. MANUAL BANNER GRABBING :
CONNECT TO THE PORT AND INVESTIGATE THE RESPONSE.

#nc -vn <ip> <port>

# nc -vn <ip> 21

17. BANNER GRABBING WITH DMITRY:

#dmitry -pb <ip>

18. OS DISCOVERY USING IPv6 FINGERPRINTING:
#nmap -6 <ip>

SCANNING BEYOND FIREWALL
THOUGH FIREWALLS AND IDS CAN PREVENT MALICIOUS TRAFFIC FROM
ENTERING A NETWORK, ATTACKERS CAN MANAGE TO SEND INTENDED
PACKETS TO THE TARGET BY EVADING AN IDS OR FIREWALL THROUGH
THE FOLLOWING TECHNIQUES:

1. PACKET FRAGMENTATION
2. SOURCE ROUTING
3. SOURCE PORT MANIPULATION
4. IP ADDRESS DECOY
5. IP SPOOFING
6. MAC SPOOFING
7. CREATING CUSTOM PACKETS
8. RANDOMIZE HOST ADDRESS AND SENDING BAD CHECKSUM
9. PROXY SERVERS
10. ANONYMIZERS
11. FTP BOUNCE SCANNING
12. EXOTIC SCAN FLAGS
13. SET YOUR OWN OFFSET SIZE

1. Packet Fragmentation in Nmap
Packet fragmentation is a technique used in network communication to break down larger packets
into smaller segments so that they can pass through networks with size limitations (e.g., routers with
Maximum Transmission Unit (MTU) restrictions). In the context of Nmap, packet fragmentation refers
to splitting Nmap's scan packets into smaller fragments to evade detection by firewalls, intrusion
detection systems (IDS), or other security mechanisms that might block or analyze unfragmented
packets.

1. Why Packet Fragmentation?
Packet fragmentation in Nmap is primarily used to evade network security systems, such as:

Firewalls: Firewalls that analyze traffic at the IP layer may detect and block suspicious patterns in
packets. Fragmenting packets can make it harder for these systems to see the full content of the
packet, especially if they're blocking scans based on the full content or flags.
Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS): IDS/IPS tools often look for
suspicious signatures or abnormal traffic patterns. Fragmented packets can evade detection by
splitting the attack signature into smaller parts.
Network Filters: Some network filters or monitoring systems might not reassemble fragmented
packets and thus fail to detect the scan or attack.
However, while fragmentation can help bypass certain detection mechanisms, it doesn't guarantee
complete evasion, and it can also make the scan more detectable depending on how the network
devices handle fragmented packets.

2. Packet Fragmentation in Nmap
Nmap provides the option to fragment packets during a scan using the -f option. By default, Nmap
sends packets in full size, but you can instruct Nmap to break them into smaller fragments using this
option.

Nmap Fragmentation Option:
-f: This option enables packet fragmentation, causing Nmap to fragment packets for scans.
Example command to perform a fragmented scan:

nmap -f <target>

This will send fragmented packets to the target, attempting to avoid detection.

3. Additional Fragmentation Settings


You can also choose the fragment size yourself with the --mtu option, which sets the maximum amount of
data carried in each fragment. The MTU is the size of the largest packet that can be sent over a link
without fragmentation, so a smaller value produces smaller fragments. The value must be a multiple of 8,
and --mtu is used instead of -f, not together with it.
For example, to set a smaller MTU (e.g., 128 bytes), you can use:

nmap --mtu 128 <target>

This would break packets into fragments carrying up to 128 bytes of data each.

4. How Fragmentation Works in Nmap


When fragmentation is enabled, Nmap divides the packets into smaller chunks. Here's a high-level
overview of the process:

Nmap Packet Construction: Nmap creates a normal packet for the scan (e.g., a SYN scan, ICMP echo
request, etc.).
Fragmentation: It then splits this packet into smaller segments, each carrying its own fragment offset
and More Fragments (MF) flag in the IP header, so the receiver knows where each piece belongs and when the last one has arrived.
Transmission: Nmap transmits these fragmented packets to the target machine.
Reassembly: The target machine is responsible for reassembling the fragments back into the original
packet before processing it. If the target does not reassemble packets correctly, the scan may fail or
produce incorrect results.
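The following is an added example, not code from these notes or from Nmap, that walks through the four steps above in Python: it builds a constructed TCP SYN, splits it into 8-byte fragments the way -f does, and reassembles them the way the target host (or an IDS in the path) has to before it can see the TCP flags. All addresses, ports and helper names are constructed for the example.

```python
"""Added example: IPv4 fragmentation and reassembly of a constructed TCP SYN.
Not Nmap code; helper names, addresses and ports are constructed for illustration."""
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options
MF_BIT = 1 << 13           # "More Fragments" flag inside the flags/fragment-offset word


def build_ipv4(src, dst, payload, ident=0x1234, mf=False, offset8=0, proto=6):
    """Wrap payload in an IPv4 header. offset8 is the fragment offset in 8-byte units,
    exactly as it is carried on the wire. The header checksum is left at 0 here."""
    flags_frag = (MF_BIT if mf else 0) | offset8
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields a reassembler needs, with the offset converted to bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    (_, _, total, ident, flags_frag, _, proto, _, src, dst) = struct.unpack(IP_FMT, pkt[:20])
    return {"id": ident, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "mf": bool(flags_frag & MF_BIT),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total]}


def fragment(pkt, chunk=8):
    """Step 2: split the payload into chunk-byte pieces (chunk must be a multiple of 8),
    each with its own offset and MF flag. chunk=8 mirrors -f, 16 mirrors -ff."""
    p = parse_ipv4(pkt)
    data, frags = p["payload"], []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        last = off + chunk >= len(data)
        frags.append(build_ipv4(p["src"], p["dst"], piece, ident=p["id"],
                                mf=not last, offset8=off // 8, proto=p["proto"]))
    return frags


def reassemble(frags):
    """Step 4: what the target (or an inline IDS) must do. Fragments are matched on
    (src, dst, id, proto); returns the original payload, or None when a piece is
    missing, which is the case fragmentation-based evasion relies on."""
    key, pieces, end = None, {}, None
    for f in frags:
        p = parse_ipv4(f)
        k = (p["src"], p["dst"], p["id"], p["proto"])
        if key is None:
            key = k
        elif k != key:
            raise ValueError("fragments belong to different datagrams")
        pieces[p["offset"]] = p["payload"]
        if not p["mf"]:                      # the last fragment fixes the total length
            end = p["offset"] + len(p["payload"])
    if end is None:
        return None
    buf, cur = bytearray(), 0
    while cur < end:
        piece = pieces.get(cur)
        if piece is None:
            return None                      # hole in the datagram
        buf += piece
        cur += len(piece)
    return bytes(buf)


def tcp_flags(segment):
    """TCP flags live at byte 13 of the TCP header; 0x02 is SYN."""
    return segment[13]


# Constructed sample: 20-byte TCP SYN, source port 40000 -> port 80, 10.0.0.9 -> 10.0.0.5
SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
PACKET = build_ipv4("10.0.0.9", "10.0.0.5", SYN)
FRAGS = fragment(PACKET, 8)          # three fragments: 8 + 8 + 4 payload bytes


def demo():
    """(fragment count, TCP header bytes in the first fragment, flags after reassembly,
    reassembled payload equals the original). The first fragment alone holds only the
    ports and sequence number, so a filter that matches on flags has nothing to match."""
    first = parse_ipv4(FRAGS[0])["payload"]
    whole = reassemble(FRAGS)
    return len(FRAGS), len(first), tcp_flags(whole), whole == SYN


if __name__ == "__main__":
    print(demo())   # (3, 8, 2, True)
```

The point for a defender is in reassemble(): a device that inspects fragments one at a time, or gives up on a datagram with a hole, never sees the SYN flag, while one that reassembles on the same key the host uses sees exactly the same packet the host does.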

5. Limitations and Considerations


While fragmentation can be useful in bypassing detection systems, there are several considerations
and limitations:

Not Always Effective: Some IDS/IPS devices or firewalls are capable of reassembling fragmented
packets and detecting suspicious activity. Advanced firewalls might inspect individual fragments
before reassembly, making fragmentation ineffective in some cases.

Fragmentation Overhead: Fragmenting packets increases network overhead because the
reassembly process requires additional resources. This can make scans slower and more resource-
intensive.

Legal and Ethical Concerns: Using fragmentation to evade detection could be seen as an attempt to
circumvent security controls, which could lead to legal and ethical concerns, especially in
unauthorized scans.

Fragmentation and Firewall Behavior: Some firewalls might block fragmented packets altogether.
Firewalls that operate at lower network layers might drop fragmented packets to prevent evasion
techniques.

Detection by Advanced IDS/IPS: Advanced systems often employ deep packet inspection (DPI) and
can detect fragmented packets based on patterns or anomalies in the fragment structure, reducing
the effectiveness of fragmentation.

6. Other Options Related to Fragmentation in Nmap


In addition to -f and --mtu, Nmap has other related options for controlling how packets are sent:

--send-eth: This option makes Nmap send its packets at the raw Ethernet (data link) layer rather than
through raw IP sockets; Nmap still builds the IP layer itself. It helps on platforms where the raw IP path is
unreliable, but it does not control fragmentation.

-D (Decoy Scan): Instead of fragmenting packets, decoys are used to make the scan seem like it’s
coming from multiple sources. This is a form of evasion, though it doesn’t rely on fragmentation.

-T (Timing Template): You can adjust the scan timing using -T to control the rate at which packets are
sent. A slower scan may evade detection better than a fast one, without the need for fragmentation.

7. Example: Fragmentation in a Stealth Scan


To perform a stealth scan that fragments the packets, you can combine the -f option with a SYN scan
(-sS), which is often used in stealth scans because it doesn’t complete the TCP handshake. This can
evade some detection mechanisms.

nmap -sS -f <target>

This will perform a SYN scan and fragment the packets to potentially bypass firewall or IDS detection.

8. Limitations of Fragmentation for Evasion


It's important to note that fragmentation is not a foolproof method of evasion, as many modern
security devices are capable of detecting fragmented packets or may reassemble them before
analyzing them. Therefore, while fragmentation may help evade basic firewalls or IDS systems, more
advanced systems might still detect your scans.

2. SOURCE ROUTING:
Source Routing is a technique where the sender of a packet can specify the route that the packet
should take through the network. Essentially, the sender can dictate the sequence of IP addresses
(routers) the packet should pass through before reaching its destination. In Nmap, source routing is a
feature that allows you to specify a route for the packets to follow, which can be used to evade
network security systems or potentially identify network topologies. However, this feature is rarely
used and may be limited due to its security implications. Many modern routers and firewalls block or
discard packets that attempt to use source routing, as it can be exploited for malicious purposes,
such as evading detection or bypassing security devices.

1. Why Use Source Routing?
In the context of Nmap, source routing can be used to:

Evade Detection: By directing packets through certain routers, you might avoid detection by a
firewall, intrusion detection system (IDS), or other security devices on the path.
Identify Network Topology: It can help an attacker or network administrator discover the routing path
between two systems, which can be useful in mapping the network structure.
Bypass Network Filters: If a firewall or filter blocks traffic from certain IP addresses or ranges, source
routing can potentially bypass these filters by specifying a route through another network path.
However, source routing is rarely used in modern networks due to the security concerns outlined
below.

2. Source Routing Types


There are two primary types of source routing:

Loose Source Routing: The sender specifies a route, but the packet is allowed to take any
path between the specified routers. The packet must pass through at least the listed
routers, but it can take any intermediate route.
Strict Source Routing: The packet must strictly follow the specified route, passing
through each of the listed routers in the order specified by the sender. No intermediate
routers are allowed.

3. Using Source Routing in Nmap


In Nmap, source routing is requested through the --ip-options option, which attaches IP options to the
probes. The shortcut L followed by a space-separated list of addresses asks for loose source routing, and
S asks for strict source routing; the addresses are the intermediate hops (routers) the packet should traverse.
Nmap Source Routing Command
To use source routing in Nmap, you can use the following syntax:

nmap --ip-options "L <router1> <router2> ..." <target>


<router1>, <router2>, etc., are the IP addresses of the routers (intermediate devices) you want the
packet to pass through (use S instead of L for strict source routing).
<target> is the IP address of the target system.
For example, to loosely route a packet through two routers (192.168.1.1 and 192.168.1.2) before reaching
the target 10.0.0.5, you would use:

nmap --ip-options "L 192.168.1.1 192.168.1.2" 10.0.0.5


This tells Nmap to send the packet through the routers 192.168.1.1 and 192.168.1.2 before it reaches
the final destination (10.0.0.5).
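As an added example, not part of these notes or of Nmap, the Python below constructs an IPv4 header carrying a loose or strict source route option and shows how a host or filter detects it: the option type byte (131 for loose, 137 for strict, per RFC 791) and the list of hop addresses are all a defender needs in order to drop the packet. Addresses and helper names are constructed.

```python
"""Added example: detect IPv4 source-route options the way a host or firewall does.
Not Nmap code; addresses and helper names are constructed. Option types per RFC 791:
131 = Loose Source and Record Route (LSRR), 137 = Strict Source and Record Route (SSRR)."""
import socket
import struct

EOL, NOP, LSRR, SSRR = 0, 1, 131, 137
IP_FMT = "!BBHHHBBH4s4s"


def build_source_routed(src, dst, hops, strict=False, payload=b""):
    """Constructed sample packet whose IP options carry an LSRR or SSRR option.
    RFC 791 layout: type, length, pointer (4 = first address), then the hop addresses."""
    route = b"".join(socket.inet_aton(h) for h in hops)
    opt = bytes([SSRR if strict else LSRR, 3 + len(route), 4]) + route
    opt += b"\x00" * (-len(opt) % 4)            # pad the options to a 32-bit boundary
    ihl = 5 + len(opt) // 4                     # header length in 32-bit words
    hdr = struct.pack(IP_FMT, 0x40 | ihl, 0, ihl * 4 + len(payload), 0x4242, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + opt + payload


def build_plain(src, dst, payload=b""):
    """Constructed sample packet with no IP options at all."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0x4242, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def source_route(pkt):
    """Walk the options area. Returns ("loose"|"strict", [hop, ...]) for a source-routed
    packet, else None. EOL ends the list, NOP is one byte, everything else is TLV."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i = pkt[20:ihl], 0
    while i < len(opts):
        t = opts[i]
        if t == EOL:
            break
        if t == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                               # truncated option header
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                               # malformed length
        if t in (LSRR, SSRR):
            addrs = opts[i + 3:i + length]
            hops = [socket.inet_ntoa(addrs[j:j + 4])
                    for j in range(0, len(addrs) - len(addrs) % 4, 4)]
            return ("strict" if t == SSRR else "loose", hops)
        i += length
    return None


def should_drop(pkt):
    """The policy modern hosts and firewalls apply: discard every source-routed packet,
    loose or strict, regardless of the hops listed."""
    return source_route(pkt) is not None


# Constructed samples mirroring the command above: two hops, then the target 10.0.0.5
LOOSE = build_source_routed("10.0.0.9", "10.0.0.5", ["192.168.1.1", "192.168.1.2"])
STRICT = build_source_routed("10.0.0.9", "10.0.0.5", ["192.168.1.1", "192.168.1.2"], strict=True)
PLAIN = build_plain("10.0.0.9", "10.0.0.5")

if __name__ == "__main__":
    for name, pkt in (("loose", LOOSE), ("strict", STRICT), ("plain", PLAIN)):
        print(name, source_route(pkt), "drop" if should_drop(pkt) else "accept")
```

On Linux the same policy is the default: the sysctl net.ipv4.conf.all.accept_source_route is 0, so source-routed packets are discarded by the kernel before any application sees them.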

4. Limitations and Risks of Source Routing in Nmap


While source routing can be an interesting tool for certain types of network exploration or evasion, it
comes with several limitations and risks:

Blocked by Modern Security Devices: Most modern routers and firewalls prevent or discard packets
with source routing headers due to security concerns. Source routing can be exploited for malicious
activities, such as DoS (Denial of Service) attacks, network mapping, or evading security controls. As
a result, source routing is often disabled by default in modern network equipment.

Not Supported by All Networks: Even if source routing is supported by a few devices, it is not
guaranteed that all routers or intermediate devices in the network path will honor the source routing
header. This could lead to fragmented, incomplete, or dropped packets.

Security Concerns: Source routing can be used by attackers to forge the path that a packet takes,
potentially bypassing security controls or discovering information about the internal network. As a
result, many network security administrators disable or filter source routing to avoid security
vulnerabilities.

Deprecation and Obsolescence: Source routing is considered an obsolete and risky feature in modern
networking. Many organizations explicitly block it due to the risks of misuse.

5. Example of Source Routing in Practice


Suppose you have the following scenario:
You want to scan a target IP address (10.0.0.5).
You know there are two intermediate routers in the network path: 192.168.1.1 and 192.168.1.2.
You can use the following Nmap command to loosely source-route your scan through these routers:

nmap --ip-options "L 192.168.1.1 192.168.1.2" 10.0.0.5


This tells Nmap to send packets destined for 10.0.0.5 via routers 192.168.1.1 and 192.168.1.2.

If the routers and the target system allow source routing, the scan will proceed as expected. If source
routing is blocked by intermediate devices, the packets may not reach their destination, or the scan
may fail.

6. Security and Ethical Considerations


While source routing might be useful for network administrators or penetration testers in certain
scenarios, its use is generally discouraged in most professional environments because it can be
used maliciously for network reconnaissance or attack evasion.
Ethical Issues: Using source routing without permission could be considered an attempt to bypass
security measures, leading to legal or ethical concerns.
When performing network scans, it's important to ensure that you have proper authorization from
the target network or system owners. Unauthorized scanning can be illegal and unethical.

7. Disabling Source Routing


Many modern devices and firewalls automatically block source routing as a security measure. For
example, some Cisco routers and modern Linux distributions block packets with source routing
headers by default. If you're testing a network and you're unsure whether source routing is supported
or enabled on the devices you're scanning, check the device documentation or use a tool like
Wireshark to observe whether source-routed packets are being handled correctly.

3. SOURCE PORT MANIPULATION:


In Nmap (Network Mapper), source port manipulation is a technique used to alter the source port of
packets sent during a scan. This can be useful in various scenarios, such as avoiding detection by
firewalls or intrusion detection systems (IDS), or even when trying to bypass certain network filtering
mechanisms that are configured to block or log scans based on their source ports.

Here’s a breakdown of how source port manipulation works in Nmap:

1. Using the --source-port Option in Nmap


The --source-port option (short form -g) in Nmap lets you specify a particular source port for the
packets Nmap builds during the scan. This is typically used for stealth purposes, to make the scan look
like it's coming from a trusted or normal source port (such as port 80 or 443). Nmap honors it where it
builds the packets itself (most TCP scans, including SYN scan, and UDP scan); features that go through
the operating system's own sockets, such as connect scans (-sT), version detection and Nmap's DNS
lookups, do not use it.

Example Command:

nmap --source-port 80 <target-ip>

This command tells Nmap to send packets with a source port of 80 (HTTP), which is commonly
allowed through firewalls, to the target.

2. Why Use Source Port Manipulation?


Source port manipulation can be helpful in a few situations:

Evasion of Detection: Some firewalls, IDS, or intrusion prevention systems (IPS) might be set up to
detect or block scans that come from certain source ports. By changing the source port, you can
potentially avoid detection or bypass filtering mechanisms.
Mimicking Legitimate Traffic: Many networks allow traffic from well-known ports like 80 (HTTP), 443
(HTTPS), or 53 (DNS). By using these source ports, you can disguise a scan as legitimate traffic,
making it harder to detect as a probe or attack.
Bypassing Port-Specific Filtering: Some security devices block or flag specific ports commonly
associated with malicious activity, such as port 6660-6669 (commonly used by IRC). By changing the
source port, you can circumvent this kind of filtering.

3. Possible Use Cases


Avoiding IDS/IPS:
If you're performing a scan on a network with an IDS/IPS system that monitors traffic patterns,
changing the source port can help you avoid detection. For example, using a source port like 53
(DNS) might help evade detection if DNS traffic is less scrutinized.

Firewall Bypass:
Some firewalls may block scans that come from random or non-standard ports. By setting the source
port to a common port (e.g., port 80 for HTTP), you can increase the chances of your scan passing
through the firewall undetected.

4. Example Scenarios of Source Port Manipulation


Scan with Source Port 53 (DNS):

nmap --source-port 53 <target-ip>


This command sends packets with a source port of 53, which is typically used for DNS traffic. Many
firewalls may allow DNS traffic through by default, making it harder to detect the scan.

Scan with Source Port 443 (HTTPS):

nmap --source-port 443 <target-ip>

Similarly, port 443 is commonly used for HTTPS traffic, which may be allowed through firewalls and
other network security systems.

5. Limitations and Considerations


May Not Always Work: Some advanced firewalls and security systems inspect not only the source
port but also other packet attributes (e.g., flags, payloads, and more) to detect suspicious activity. In
these cases, source port manipulation might not be effective.

Spoofing Limits: While changing the source port is useful for evasion, if you're attempting to perform
port spoofing or more advanced evasion techniques, it might be necessary to combine source port
manipulation with other techniques like fragmentation, decoy scans, or timing options.

Legal and Ethical Considerations: It’s important to ensure that you have authorization before running
any Nmap scans, especially if you are using techniques meant to evade detection. Unauthorized
scanning can be considered illegal or malicious activity.

4. IP ADDRESS DECOY:
In Nmap, an IP address decoy is a technique used to conceal the true source of a scan by sending the
scan from multiple decoy IP addresses along with the actual IP address. This can help obscure your
identity, making it harder for the target system or network security systems (like Intrusion Detection
Systems, or IDS) to identify the source of the scan.

How Decoy Scanning Works in Nmap


When using IP address decoys in Nmap, the tool will create a scan where the packets appear to
originate from multiple IP addresses, not just the real source address. This helps to confuse detection
systems that rely on identifying the origin of network traffic, as they may not be able to distinguish
between the decoy IPs and the actual IP.

Example Command:

nmap -D RND:10 <target-ip>

This command uses the -D option, which tells Nmap to use decoys. In this example:
RND:10 means Nmap will use 10 randomly chosen decoy IP addresses in addition to the real source IP.
<target-ip> is the target you want to scan.
Options for Using Decoys in Nmap
Random Decoys (RND:<number>): You can tell Nmap to generate a certain number of random decoys.

For example:

nmap -D RND:5 <target-ip>


This would add 5 random decoys to your scan.
Specific Decoy IPs: You can also specify a list of specific IP addresses to use as decoys. For example:

nmap -D <decoy-ip1>,<decoy-ip2>,<decoy-ip3> <target-ip>


This command uses the IPs <decoy-ip1>, <decoy-ip2>, and <decoy-ip3> as decoys in the scan.

Mixing Random and Specific Decoys: Nmap allows you to combine both random and specific decoys.
For example:

nmap -D <decoy-ip1>,RND:3 <target-ip>


This command uses <decoy-ip1> as a specific decoy and adds 3 random decoys.

Avoiding Overuse of Decoys: Using too many decoys may make your scan more noticeable or
increase the load on the network. It's important to find a balance.

How Decoy Scanning Helps


Decoy scanning helps in several ways:

Obfuscates the Origin: By using multiple decoy IPs, the real source of the scan becomes harder to pinpoint.
Avoids Detection: Intrusion Detection Systems (IDS) or firewalls might become confused by the
traffic originating from multiple IPs. They may not easily recognize the real source of the scan.
Stealthier Scanning: The more decoys used, the more difficult it becomes for the target to detect the
real scanning machine.
Potential Use Cases for Decoy Scanning
Avoiding Detection by Intrusion Detection Systems (IDS):
Security systems that monitor for suspicious activity might flag scans that originate from a single
source IP address. By using decoys, Nmap can make it look like the scan is coming from multiple IPs,
reducing the likelihood of detection.

Bypassing Firewalls and Filters:


Some firewalls or packet filters may block scans originating from certain IPs. By using decoys, you
can reduce the chance that your scan will be blocked based on IP-based filtering rules.

Privacy and Anonymity:


In cases where you need to keep the identity of the scanning system private (for example, in
penetration testing or ethical hacking scenarios), decoys can help mask the real source.

Limitations and Considerations
Legitimate Traffic Confusion:
If the decoy IPs are not properly chosen or are too numerous, it could confuse legitimate network
traffic or make the scan more detectable in some cases.
Accuracy of Results:
Using decoys may lead to some false positives in your scan results. Since the packets originate from
multiple IP addresses, the scan might produce incomplete or misleading results.
Decoy Detection:
Advanced IDS and network monitoring systems may detect unusual patterns of scanning from
multiple decoys, especially if they are IPs not seen in the network before.
Legal and Ethical Issues:
Always ensure that you have permission to perform such scans. Unauthorized scanning, especially
with decoys, can be considered malicious and may be illegal in many jurisdictions.
Example Scenarios

Random Decoy Scanning (Default Decoys)

nmap -D RND:5 192.168.1.1

This command will scan the target 192.168.1.1 and use 5 random IP addresses as decoys.

Specific Decoy IP Addresses

nmap -D 192.168.1.10,192.168.1.20,192.168.1.30 192.168.1.1

Here, you use 3 specific decoy IPs: 192.168.1.10, 192.168.1.20, and 192.168.1.30 to mask the origin
of the scan against 192.168.1.1.

A Combination of Random and Specific Decoys

nmap -D 192.168.1.10,RND:3 192.168.1.1


In this example, one specific IP address (192.168.1.10) is used along with 3 random decoys.

Conclusion
Decoy scanning is a powerful Nmap feature for enhancing stealth and obscuring the true origin of a
scan. By using the -D option to add multiple decoy IP addresses, you can help bypass network
security measures, avoid detection, and make your scanning activities more difficult to trace.
However, it's important to be mindful of the limitations, ethical considerations, and the potential for
scan inaccuracies when using decoys.
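Both the fixed source port trick from section 3 and the decoy scan from this section leave patterns in connection logs that a detection engineer can look for. The Python below is an added example, not code from these notes or from Nmap, with two heuristics run over constructed log lines: a source that keeps one well-known source port while probing many destination ports, and a burst of distinct sources probing one host in a short window (the real scanner's address is always among the decoys, because its probes must reach the target too). Thresholds, addresses and the log format are assumptions.

```python
"""Added example: two scan heuristics over constructed connection-log lines.
Not code from the notes or from Nmap; thresholds, addresses and the log format are assumed."""
from collections import defaultdict

# Constructed log, one SYN per line: "epoch src_ip src_port dst_ip dst_port flags"
LOG = """\
1700000000 10.0.0.9 53 10.0.0.5 22 S
1700000000 10.0.0.9 53 10.0.0.5 25 S
1700000001 10.0.0.9 53 10.0.0.5 80 S
1700000001 10.0.0.9 53 10.0.0.5 443 S
1700000001 10.0.0.9 53 10.0.0.5 3389 S
1700000002 10.0.0.9 53 10.0.0.5 8080 S
1700000050 10.0.0.7 51234 10.0.0.5 443 S
1700000100 198.51.100.11 40001 10.0.0.5 22 S
1700000100 198.51.100.12 40002 10.0.0.5 22 S
1700000100 203.0.113.3 40003 10.0.0.5 22 S
1700000101 198.51.100.13 40004 10.0.0.5 22 S
1700000101 10.0.0.9 40005 10.0.0.5 22 S
1700000101 203.0.113.4 40006 10.0.0.5 22 S
"""

WELL_KNOWN_SRC = {53, 80, 443}   # source ports the --source-port trick borrows


def parse(log):
    """Turn the log text into (ts, src, sport, dst, dport, flags) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, sport, dst, dport, flags = line.split()
        rows.append((int(ts), src, int(sport), dst, int(dport), flags))
    return rows


def fixed_source_port_fanout(rows, min_ports=5):
    """Flag (src, sport, dst) triples where one well-known source port is reused for SYNs
    to at least min_ports different destination ports. Real DNS/HTTP clients use a fresh
    ephemeral source port per connection, so this reuse is the --source-port signature."""
    seen = defaultdict(set)
    for ts, src, sport, dst, dport, flags in rows:
        if flags == "S" and sport in WELL_KNOWN_SRC:
            seen[(src, sport, dst)].add(dport)
    return sorted(k for k, ports in seen.items() if len(ports) >= min_ports)


def source_burst(rows, window=5, min_sources=5):
    """Flag targets that receive SYNs from at least min_sources distinct sources within
    window seconds. A -D decoy scan produces exactly this: the real scanner and its
    decoys hit the target together, and the real address is always among them."""
    hits = defaultdict(list)
    for ts, src, sport, dst, dport, flags in rows:
        if flags == "S":
            hits[dst].append((ts, src))
    alerts = []
    for dst, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            srcs = {s for t, s in events[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                alerts.append((dst, t0, sorted(srcs)))
                break                      # one alert per target is enough
    return alerts


ROWS = parse(LOG)

if __name__ == "__main__":
    print(fixed_source_port_fanout(ROWS))   # [('10.0.0.9', 53, '10.0.0.5')]
    for dst, t0, srcs in source_burst(ROWS):
        print(dst, t0, len(srcs), srcs)
```

The burst heuristic does not identify which of the six addresses is real, which is the decoy scan's point; it does, however, produce a short candidate list, and the address that also appears in the earlier fixed-source-port alert (10.0.0.9 in the constructed log) is the one worth correlating first.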

5. IP SPOOFING:
IP Spoofing in Nmap refers to the technique of modifying the source IP address of packets to make it
appear as though the scan is coming from a different address than the actual one. This can be useful
for evading detection, hiding the true origin of the scan, or bypassing network security controls that
rely on IP-based filtering.

How IP Spoofing Works in Nmap


When performing an Nmap scan, you can spoof the source IP address by manipulating the IP header
of the packets that Nmap sends. This means that the target host will see the packets as originating
from a different IP address, not your real one.

Key Points:
The IP address in the packet’s header is modified, and the packet appears to come from a spoofed IP.
The target system may respond to the spoofed IP, but the response won’t reach the actual scanning
machine, because the source IP is not real.
This technique can be useful for stealth scans, but it has limitations because the response traffic will
be sent to the spoofed IP, not your actual machine.
How to Perform IP Spoofing in Nmap
Nmap's built-in option for spoofing the source IP is -S <IP_Address>, which sets a custom source address
on the outgoing packets. Because Nmap can then no longer work out which interface to send from, you
will usually also need -e <interface>, and -Pn to skip host discovery (ping replies would go to the spoofed
address too).

Example Command:

nmap -S <spoofed-ip> -e <interface> -Pn <target-ip>


Where:

<spoofed-ip> is the IP address you want to appear as the source of the scan (the spoofed IP).
<interface> is the network interface the packets are sent from.
<target-ip> is the target machine you want to scan.

For example (eth0 here stands for whatever interface faces the target):

nmap -S 192.168.1.100 -e eth0 -Pn 10.0.0.1


In this case, Nmap sends packets to the target 10.0.0.1, but the source IP in the packet header is
192.168.1.100, which is spoofed.

Why Use IP Spoofing in Nmap?


Evasion of Detection:
Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) may monitor traffic
originating from suspicious or unusual IPs. By spoofing the IP address, you can avoid detection by
making it appear as though the scan is coming from a different source.
Hiding the True Source:
If you are performing a scan in a scenario where you don’t want the target to know your real IP
address (for example, during penetration testing or ethical hacking), IP spoofing can help conceal
your identity.
Bypassing Network Filtering:
Some firewalls or packet filters might block traffic from specific IP addresses or ranges. Spoofing the
IP can help bypass these filters.
Obscuring Scan Origins:
By spoofing multiple IP addresses or using a random set of addresses, you can create the illusion
that a scan is coming from multiple sources, making it harder for the target to determine where the
scan originated.
Limitations and Considerations of IP Spoofing in Nmap
While IP spoofing can be useful in some situations, it has several important limitations:
No Response to the Scanner:
Since the source IP is spoofed, any response from the target system (such as an open port response)
will be sent to the spoofed IP address, not your real IP. This means that you won’t be able to receive
the response packets, making it difficult to interpret results from the scan. This is why IP spoofing is
often used for stealth scans, but it is not ideal for all types of scans.

Limited Scanning Options:


TCP scans (like SYN scan or ACK scan) rely on receiving responses from the target machine to
determine open or closed ports. With IP spoofing, since you can't receive the responses, these types
of scans become impractical.
Stealth scans such as SYN scans may still be useful for some cases, but they require additional
methods to detect open ports.
Firewall and IDS/IPS Detection:
While IP spoofing can confuse basic firewalls or IDS/IPS systems, more advanced systems may still
detect the presence of the spoofing technique through anomalies like response packets not reaching
the expected source or suspicious patterns of communication.

Legal and Ethical Considerations:


Spoofing IP addresses is illegal in many jurisdictions, especially if done without explicit permission.
This technique is commonly associated with malicious activity like Denial of Service (DoS) or
Distributed Denial of Service (DDoS) attacks.
Always obtain proper authorization before using IP spoofing in a scan, and use this technique only
for legitimate penetration testing or other authorized activities.
Example of IP Spoofing with Specific Port Scan
If you want to perform an IP spoofed scan using a specific port, you can combine IP spoofing with a
scan type. For instance, a TCP SYN scan with a spoofed IP:

nmap -sS -S 192.168.1.100 -e eth0 -Pn 10.0.0.1

This performs a SYN scan (-sS) on the target 10.0.0.1 with the source IP 192.168.1.100, sending through
eth0 (substitute your own interface) and skipping host discovery (-Pn).

Practical Considerations
Use of Randomized IPs:
While you can spoof a specific IP, some advanced users might use randomized or even multiple IP
addresses to make it harder for a target to recognize the real source of the scan. This is similar to the
decoy scanning method mentioned earlier.

Advanced Techniques:
IP spoofing is often combined with other techniques, such as fragmentation or stealth scanning (e.g.,
using SYN scans or FIN scans), to make the scan even more difficult to detect.

Conclusion
IP spoofing in Nmap can be an effective way to mask the true origin of a network scan. By using the
-S option, you can change the source IP address of packets to appear as if the scan is
coming from another address. However, it’s important to understand the limitations and ethical
concerns associated with IP spoofing. It can be useful for avoiding detection or evading security
measures, but it also has drawbacks, such as the inability to receive responses from the target.
Always use these techniques with caution and ensure you have proper authorization before
conducting any scans.

6. MAC SPOOFING:
In Nmap, you can spoof or change the MAC address used in your network scans using the --spoof-mac
option. This can be useful for various reasons, including privacy or evading detection by
network security systems.

Syntax for MAC Spoofing in Nmap

nmap --spoof-mac <MAC address> <target>


Key Details:
<MAC address>: This is the MAC address you want to spoof. It can be:
A specific MAC address (e.g., 00:11:22:33:44:55).
One of the manufacturer names, where Nmap will generate a random MAC address associated with
that manufacturer.
The special keyword 0 to use a random MAC address.
<target>: This is the target IP or range you want to scan.

Example 1: Spoof a Specific MAC Address


To spoof a specific MAC address, use the following:

nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1

This command will make Nmap send packets with the MAC address 00:11:22:33:44:55 when
scanning the host at 192.168.1.1.

Example 2: Random MAC Address


To use a random MAC address:

nmap --spoof-mac 0 192.168.1.1


Nmap will choose a random MAC address each time the scan runs.

Example 3: Spoof MAC Address from a Manufacturer's List


You can also choose a MAC address based on a manufacturer name. For example:

nmap --spoof-mac Apple 192.168.1.1

In this case, Nmap will use a random MAC address associated with Apple.

Important Notes:
Root/Administrator Privileges:
To change the MAC address, you typically need root or administrative privileges on the system
running Nmap.

Limited Scope:
MAC spoofing in Nmap affects the local network packets. For scans over the internet or between
different networks, it won't be as effective in masking your identity or origin.

Detection:
Some security systems may still be able to detect anomalies or inconsistencies in MAC addresses if
they have additional monitoring tools in place.
MAC spoofing is a simple but powerful technique for evading detection or changing your apparent
network identity during a scan.
7. CREATING CUSTOM PACKETS:
In Nmap, creating custom packets involves crafting specific packet types and behaviors to tailor
your scan for particular needs, such as evading firewalls, performing stealth scans, or testing the
effectiveness of intrusion detection systems (IDS). While Nmap does not have a built-in feature for
creating arbitrary custom packets, you can use several features and options to simulate custom
behaviors. Here are a few ways to approach this:

1. Using the --data Option for Custom Payloads


You can use the --data-string option to append custom ASCII data to the probes (--data <hex string>
does the same with a hex-encoded payload, and --data-length <num> appends random bytes). This is
often useful for sending custom payloads in your probes, in SYN, UDP, or other packet types.

Example: Customizing a TCP Scan with a Data Payload

nmap -p 80 --data-string "custompayload" 192.168.1.1


This will append the string custompayload to the TCP packet sent to port 80 of the target.

2. Using the --source-port Option


You can specify a source port to send your packets from. This can be useful for evading certain
firewall rules or testing response behavior for specific ports.

Example: Setting a Custom Source Port

nmap -p 80 --source-port 12345 192.168.1.1

This sends packets from source port 12345 to port 80 of the target.

3. Advanced Options for Custom Scans


Nmap offers several advanced scan types that let you customize packet behavior. These are often
used to perform specific attack or diagnostic functions, or to simulate unusual traffic patterns that
are less likely to be flagged by security systems.

TCP SYN Scan (-sS): This is a stealth scan that sends SYN packets and doesn't complete the TCP
handshake.

TCP ACK Scan (-sA): This sends ACK packets to infer information about firewall rules without opening
a connection.

UDP Scan (-sU): This sends UDP packets to detect open ports that respond with ICMP "port
unreachable" messages when closed.

Example of a SYN scan:

nmap -sS -p 80,443 192.168.1.1

4. Using nmap -sZ for SCTP COOKIE ECHO Scanning


-sZ is Nmap's SCTP COOKIE ECHO scan. It probes SCTP ports with COOKIE ECHO chunks instead of the
INIT chunks of the default SCTP scan (-sY), which makes it a less obvious port scan and lets it pass
some stateless rules that only block INIT. The trade-off is that it cannot distinguish open from filtered
ports (both are reported as open|filtered; only closed ports answer with an ABORT), and it needs root
privileges. It is one more scan type that changes the packets Nmap puts on the wire.

nmap -sZ 192.168.1.1

5. Using --script to Modify Packet Behavior


Nmap's scripting engine (NSE) allows you to run custom scripts that modify the behavior of the scan
or generate unique packets for different purposes.
For example, you can use the following to run a custom Nmap script:

nmap --script=my_custom_script.nse 192.168.1.1

6. Using nmap with nping for Custom Packets


Nmap includes the nping tool, which is designed for crafting and sending custom packets. Nping
allows you to control virtually every aspect of the packets being sent, including the payload, IP flags,
and more.

Example: Crafting a Custom ICMP Echo Request Packet

nping --icmp --data-string "custom echo" 192.168.1.1

Example: Custom TCP Packet with Nping

nping --tcp -p 80 --data-string "customdata" 192.168.1.1


This allows you to create fully customized packets and test the responses from the target system.

What Happens When You Run This Command?

TCP packets are sent to the IP address 192.168.1.1 on port 80.
The packet will have "customdata" as the payload, which can be used for a variety of purposes such
as testing the handling of custom data by a server, network intrusion detection systems, or simply
ensuring that the data is sent correctly.

7. Use the --packet-trace Option for Debugging Custom Packets


If you're not sure how Nmap is constructing packets, the --packet-trace option can be useful to
visualize the packets that are being sent out. This is particularly useful for debugging custom
behaviors.

nmap -p 80 --packet-trace 192.168.1.1

This will show you detailed information about every packet that Nmap sends and receives.

8. Using the --badsum Option for Sending Corrupted Packets


If you want to create malformed or corrupted packets to test network defenses or IDS/IPS systems,
you can use the --badsum option.

nmap --badsum -p 80 192.168.1.1


This causes Nmap to send packets with invalid checksums, which may trigger responses from
intrusion detection systems (IDS).

Conclusion:
While Nmap is not specifically designed for arbitrary packet crafting, its flexibility with options like
custom payloads, source ports, and scanning types allows users to simulate a variety of custom
traffic patterns. For highly specialized packet crafting, you might need to look at additional tools like
nping (from Nmap's suite), or other packet crafting utilities like Scapy, which provide deeper control
over packet creation and manipulation.

8. RANDOMIZE HOST ADDRESS AND SENDING BAD CHECKSUM:
To randomize the host address and send a bad checksum in nmap, you can use a combination of
nmap options. Here's a breakdown of how you can achieve both:

1. Randomizing Host Address


To randomize the host addresses in nmap, you can use the --randomize-hosts option. This causes
nmap to randomly choose the order of hosts in the specified range or list.

Example:

nmap --randomize-hosts 192.168.1.0/24

This will randomize the order of scanning hosts within the 192.168.1.0/24 network.
2. Sending a Bad Checksum
To send a bad checksum, nmap provides the --badsum option (see the nmap --badsum -p 80 192.168.1.1
example under Creating Custom Packets above). It sends TCP, UDP and SCTP probes with an invalid
transport-layer checksum. Because virtually every host IP stack silently drops such packets, any reply
you do receive most likely comes from a firewall or IDS that did not bother to verify the checksum.
--send-eth and --spoof-mac only change how the frames are put on the wire; they do not touch the checksum.

What --badsum does not give you is control over which checksum is corrupted or what wrong value is
used (it leaves the IP header checksum intact). For that, use a packet crafting tool:

Using a custom script or tool like scapy to create packets with bad checksums and inject them into
the network.
Options such as --data-length modify the packet content that nmap sends, but they do not on their own
"create" a bad checksum.
Alternative: Using a Packet Crafting Tool (e.g., Scapy). If you want to craft a packet with a specific bad
checksum, Scapy lets you set the checksum field explicitly, and it will not recompute a field you have
set yourself. Here's an example of how you might do this using Scapy:

from scapy.all import IP, TCP, send

# Create a basic IP packet
ip = IP(dst="192.168.1.1")

# Create a TCP SYN packet
tcp = TCP(dport=80, flags="S")

# Scapy fills in a correct checksum only while the field is None,
# so forcing a value here makes the packet leave with a bad checksum
tcp.chksum = 0x1234

send(ip/tcp)

This creates a TCP SYN packet with an incorrect checksum and sends it to 192.168.1.1 (send() uses a raw socket, so it needs root privileges).
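Why a bad-checksum probe is informative, shown as an added example that is not part of the original notes: a conforming IP stack verifies the IPv4 and TCP checksums before the packet reaches any port, so a --badsum SYN is dropped silently by the host, and whatever answers it did not verify the checksum. The block builds a SYN to port 80 in pure Python, corrupts only the TCP checksum the way --badsum does, and shows the host's decision; addresses and ports are constructed sample values.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """20-byte IPv4 header carrying TCP (protocol 6), header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_pseudo_header(ip_hdr: bytes, tcp_len: int) -> bytes:
    """Pseudo-header covered by the TCP checksum: src, dst, zero, proto, TCP length."""
    return ip_hdr[12:20] + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """20-byte TCP SYN segment (no options) with a correct checksum."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 64240, 0, 0)
    ip_hdr = build_ipv4_header(src, dst, len(seg))
    csum = checksum(tcp_pseudo_header(ip_hdr, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def ipv4_checksum_ok(ip_hdr: bytes) -> bool:
    ihl = (ip_hdr[0] & 0x0F) * 4
    return ones_complement_sum(ip_hdr[:ihl]) == 0xFFFF   # a valid header sums to all ones


def tcp_checksum_ok(ip_hdr: bytes, seg: bytes) -> bool:
    return ones_complement_sum(tcp_pseudo_header(ip_hdr, len(seg)) + seg) == 0xFFFF


def corrupt_tcp_checksum(seg: bytes) -> bytes:
    """Emulate --badsum: leave the segment intact except for the checksum field.
    Adding one can never produce another valid checksum for the same bytes."""
    bad = (struct.unpack("!H", seg[16:18])[0] + 1) & 0xFFFF
    return seg[:16] + struct.pack("!H", bad) + seg[18:]


def host_action(ip_hdr: bytes, seg: bytes) -> str:
    """What a conforming IP/TCP stack does with the packet before any firewall rule applies."""
    if not ipv4_checksum_ok(ip_hdr) or not tcp_checksum_ok(ip_hdr, seg):
        return "drop"        # silently discarded: no SYN/ACK, no RST
    return "process"         # reaches the port; an answer here is genuine


if __name__ == "__main__":
    # Constructed sample: a SYN to port 80, as in the --badsum example above
    ip = build_ipv4_header("10.0.0.5", "192.168.1.1", 20)
    good = build_tcp_syn("10.0.0.5", "192.168.1.1", 40000, 80)
    print("intact probe:", host_action(ip, good))                        # process
    print("--badsum probe:", host_action(ip, corrupt_tcp_checksum(good)))  # drop
```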

3. Combining Both in nmap


To randomize hosts in nmap and perform scanning with potential manipulation, you could run:

nmap --randomize-hosts -sS 192.168.1.0/24

This command will randomize the host order for a SYN scan (-sS).

If you specifically need to generate packets with bad checksums and randomization, I recommend
using scapy for the checksum manipulation and nmap for network scanning separately.

9. PROXY SERVERS:
In nmap, proxy servers can be used to route your scan traffic through an intermediary, helping you
obscure your scanning source or bypass network restrictions. While nmap does not natively support
proxies for all types of scans, it can use SOCKS proxies and HTTP proxies with specific options.
Application-level proxies, particularly for the Web, have become popular due to perceived security
and network efficiency (through caching) benefits. Like firewalls and IDS, misconfigured proxies can
cause far more security problems than they solve. The most frequent problem is a failure to set
appropriate access controls. Hundreds of thousands of wide-open proxies exist on the Internet,
allowing anyone to use them as anonymous hopping points to other Internet sites. Dozens of
organizations use automated scanners to find these open proxies and distribute the IP addresses.
Occasionally the proxies are used for arguably positive things, such as escaping the draconian
censorship imposed by the Chinese government on its residents. This “great firewall of China” has
been known to block the New York Times web site as well as other news, political, and spiritual sites
that the government disagrees with. Unfortunately, the open proxies are more frequently abused by
more sinister folks who want to anonymously crack into sites, commit credit card fraud, or flood the
Internet with spam.

While hosting a wide-open proxy to Internet resources can cause numerous problems, a more serious
condition is when the open proxies allow connections back into the protected network. Administrators
who decide that internal hosts must use a proxy to access Internet resources often inadvertently
allow traffic in the opposite direction as well. The hacker Adrian Lamo is famous for breaking into
Microsoft, Excite, Yahoo, WorldCom, the New York Times, and other large networks, usually by
exploiting this reverse-proxy technique.

Nmap does not presently offer a proxy scan-through option, though it is high on the priority list. The
section called "SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy
Detection" discusses a way to find open proxies using Nmap version detection. In addition, plenty of
dedicated free proxy scanners are available on Internet sites such as Packet Storm. Lists of
thousands of open proxies are widespread as well.

Proxy Usage in Nmap


Using a SOCKS Proxy: nmap can use a SOCKS proxy (such as Tor or other SOCKS proxies) to route its
traffic. This is helpful when you want to anonymize your scan or when you're scanning from behind a
firewall.

Syntax for SOCKS Proxy:

nmap --proxies socks5://<proxy-ip>:<port> <target>


socks5://<proxy-ip>:<port> specifies the SOCKS proxy you are using. Replace <proxy-ip> and
<port> with the appropriate proxy server's IP address and port number.
<target> is the target IP or range you want to scan.
Example:

nmap --proxies socks5://127.0.0.1:9050 192.168.1.1


This command routes the scan through the local SOCKS5 proxy running on 127.0.0.1 (localhost) at
port 9050.

Using an HTTP Proxy: You can also route your scans through an HTTP proxy using the same --proxies option.
This might be helpful for bypassing restrictions on HTTP traffic or to obfuscate the scan origin.

Syntax for HTTP Proxy:

nmap --proxies http://<proxy-ip>:<port> <target>

http://<proxy-ip>:<port> specifies the HTTP proxy to use.


Example:

nmap --proxies http://192.168.1.100:8080 192.168.1.1

This would route the scan through the HTTP proxy at 192.168.1.100 on port 8080.

Additional Options for Proxy Usage:


Proxy Authentication: If the proxy requires authentication (username and password), you can specify
it like this:

nmap --proxies http://<username>:<password>@<proxy-ip>:<port> <target>

For SOCKS proxies, you would provide authentication like this:

nmap --proxies socks5://<username>:<password>@<proxy-ip>:<port> <target>

Combining with Tor: One common use case is routing traffic through Tor (which provides anonymity)
by configuring nmap to use a SOCKS proxy running on the Tor network (usually on port 9050).

Example with Tor (SOCKS proxy):

nmap --proxies socks5://127.0.0.1:9050 192.168.1.1


This command routes the nmap scan traffic over the Tor network, anonymizing your IP address.

Limitations of Proxy Usage in Nmap:


Limited Scan Types:
Not all nmap traffic goes through the proxy. Nmap's own documentation notes that --proxies is implemented inside its nsock library, so it relays only the version detection and NSE script phases; the ping, port scanning and OS detection phases are sent directly from your machine. Raw-packet scans such as -sS SYN scans therefore bypass the proxy entirely and can disclose the real source address.

Performance:
Routing traffic through a proxy, especially an HTTP or SOCKS proxy, can significantly slow down the
scan due to the additional overhead.
Scanning Accuracy:
Using proxies can sometimes lead to inaccurate scan results, as network characteristics may differ
between your machine and the proxy server (e.g., latency, routing paths, etc.).

Example of a Proxy Scan Setup:

nmap -sT --proxies socks5://127.0.0.1:9050 192.168.1.0/24


This example runs a TCP connect scan (-sT) using a SOCKS proxy to scan the network
192.168.1.0/24.
By leveraging proxies in nmap, you can make your scanning activities more discreet or route traffic
in a way that allows you to bypass firewalls or filtering devices.

10. ANONYMIZERS:
In nmap, anonymizers are methods or tools used to hide the origin of your scan or to obfuscate your
IP address. This is useful in situations where you want to perform scanning without revealing your
real IP address, to protect your privacy, or to bypass network restrictions. The most commonly used
anonymizers with nmap are Tor (via SOCKS proxy) and VPNs. These are not native features of nmap
but can be integrated using proxy options.

1. Using Tor as an Anonymizer in Nmap


Tor (The Onion Router) is a widely-used tool that provides anonymity by routing your traffic through
multiple relays, encrypting it at each step. You can use Tor as an anonymizer for nmap scans by
routing the traffic through a SOCKS proxy provided by Tor.

Setting Up Tor as a Proxy:


Install Tor on your machine (you can use Tor Browser or the Tor service).
By default, Tor runs a SOCKS5 proxy on localhost:9050.
You can configure nmap to use this SOCKS proxy to anonymize the traffic.
Example Command:

nmap --proxies socks5://127.0.0.1:9050 <target>


--proxies socks5://127.0.0.1:9050 tells nmap to route the scan traffic through the SOCKS5 proxy
running on the local machine (Tor default).
<target> is the IP address or range you want to scan.
2. Using HTTP Proxies with Nmap
An HTTP proxy can also be used to anonymize nmap scans. While it's not as secure or effective as
Tor in terms of anonymity, it's still a useful method for obfuscating the source of your scan,
especially if you're trying to bypass network filters or firewalls.

Example Command:

nmap --proxies http://<proxy-ip>:<proxy-port> <target>


Where:

<proxy-ip> is the IP address of the HTTP proxy you are using.


<proxy-port> is the port on which the proxy is running (commonly 8080
for HTTP proxies).
<target> is the target IP address or network range.
Proxy Authentication:
If your HTTP proxy requires authentication, you can specify your credentials in the following format:

nmap --proxies http://<username>:<password>@<proxy-ip>:<proxy-port> <target>

3. Using a VPN as an Anonymizer in Nmap


A VPN (Virtual Private Network) routes all of your internet traffic through a remote server, effectively
masking your real IP address. While nmap does not have a built-in VPN option, you can simply
connect to a VPN and then run your nmap scan as normal. All traffic will be routed through the VPN,
anonymizing your scan's origin.

Example Setup:
Connect to a VPN:

Use your VPN client (e.g., OpenVPN, WireGuard, or a commercial VPN service) to connect to the VPN.
Run the Nmap Scan: Once connected to the VPN, your IP address will be the one assigned by the
VPN, and the scan will appear to originate from that address.

nmap <target>
Using a VPN in conjunction with nmap effectively masks your IP and ensures that the scan traffic
comes from the VPN’s exit node, not your local machine.

4. Using a Proxy Chain for Enhanced Anonymity


For more robust anonymity, you can combine multiple proxies into a "proxy chain." A proxy chain
routes traffic through multiple proxy servers, adding layers of obfuscation to your traffic.

Proxychains is a popular Linux tool that can route network traffic through a chain of proxies, including
Tor or HTTP proxies.
Setting up Proxychains with Nmap:
Install proxychains on your system (e.g., sudo apt install proxychains on Debian-based systems).
Configure proxychains by editing /etc/proxychains.conf to include your proxies (e.g., SOCKS5, HTTP).
Run nmap through proxychains:

proxychains nmap <target>


This will route the nmap scan through the chain of proxies you have set up in proxychains. Note that proxychains works by intercepting the C library's connect() calls, so only connect-style traffic is relayed; raw-packet scan types and ICMP host discovery are not intercepted and leave from your real address.

5. Limitations and Considerations:


Scan Type Compatibility:
Not all types of nmap scans work well with proxies. For instance, certain scans that rely on low-level
network access (like SYN scans, -sS) may not function properly through proxies, especially SOCKS
proxies. TCP connect scans (-sT) are more likely to work over a proxy.
Performance Impact:
Routing traffic through anonymizers such as Tor or VPNs can introduce latency and slow down the
scan considerably.
Detection Risk:
While proxies and VPNs can help obfuscate your IP address, some advanced network monitoring
systems might detect proxy usage or correlate scan traffic, especially if you scan at a large scale or
use identifiable patterns.
6. Example of Anonymizing Nmap with Tor + Proxychains:

# Start Tor (usually the SOCKS proxy is at 127.0.0.1:9050)
tor

# Use Proxychains to run the scan through Tor
proxychains nmap --proxies socks5://127.0.0.1:9050 <target>

This would route your scan through Tor and make it harder to trace back to your real IP address.

Conclusion:
Using anonymizers in nmap is a great way to protect your identity and maintain privacy during a
network scan. Tor and VPNs are the most common options, but they come with limitations such as
slower performance and scan incompatibility with certain types of scanning techniques. For stronger
anonymity, combining multiple proxies in a proxy chain can offer additional layers of obfuscation.
Always be mindful of the ethical and legal implications of scanning networks, especially when using
anonymizers to hide your identity.

11. FTP Bounce Scan


While only a small percentage of FTP servers are still vulnerable, it is worth checking all of your
clients' systems for this problem. At a minimum, it allows outside attackers to utilize vulnerable
systems to scan other parties. Worse configurations even allow attackers to bypass the
organization's firewalls. Details and examples of this technique are provided in the section called
“TCP FTP Bounce Scan (-b)”. Example 10.9 shows an HP printer being used to relay a port scan. If this
printer is behind the organization's firewall, it can be used to scan normally inaccessible (to the
attacker) internal addresses as well.

Example 10.9. Exploiting a printer with the FTP bounce scan

abhishek~>
nmap -p 22,25,135 -Pn -v -b XXX.YY.111.2
scanme.nmap.org
Starting Nmap ( https://nmap.org )
Attempting connection to ftp://anonymous:-wwwuser@@XXX.YY.111.2:21
Connected:220 JD FTP Server Ready
Login credentials accepted by ftp server!
Initiating TCP ftp bounce scan against scanme.nmap.org (64.13.134.52)
Adding open port 22/tcp
Adding open port 25/tcp
Scanned 3 ports in 12 seconds via the Bounce scan.
Nmap scan report for scanme.nmap.org (64.13.134.52)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
135/tcp filtered msrpc

Nmap done: 1 IP address (1 host up) scanned in 21.79 seconds
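The server-side check that makes a bounce relay impossible, as an added example not taken from the original notes: decode PORT/EPRT commands and flag any that ask for a data connection to a host other than the client, or to a privileged port, which are the two checks RFC 2577 recommends FTP servers enforce. The log lines and addresses are constructed to mirror Example 10.9.

```python
import re
from ipaddress import ip_address

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d{1,5})\|\s*$", re.I)


def parse_data_port_command(cmd: str):
    """Decode a PORT (h1,h2,h3,h4,p1,p2) or IPv4 EPRT command into (ip, port).

    Returns None for any other command, and for a malformed argument
    (a value above 255, an invalid address), which a server should reject outright."""
    m = PORT_RE.match(cmd)
    if m:
        nums = [int(n) for n in m.groups()]
        if max(nums) > 255:
            return None
        h1, h2, h3, h4, p1, p2 = nums
        ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    else:
        m = EPRT_RE.match(cmd)
        if not m:
            return None
        ip, port = m.group(1), int(m.group(2))
    try:
        ip_address(ip)
    except ValueError:
        return None
    return ip, port


def is_bounce_request(client_ip: str, cmd: str) -> bool:
    """True when the requested data connection would not go back to the client's own
    ephemeral port range, i.e. the server is being asked to act as a relay."""
    parsed = parse_data_port_command(cmd)
    if parsed is None:
        return False
    ip, port = parsed
    return ip_address(ip) != ip_address(client_ip) or port < 1024


def find_bounce_attempts(log_lines):
    """Scan control-channel log lines of the form '<client-ip> <command>' and return
    [(client_ip, relayed_ip, relayed_port)] for every bounce request."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        client_ip, _, cmd = line.partition(" ")
        if is_bounce_request(client_ip, cmd):
            ip, port = parse_data_port_command(cmd)
            hits.append((client_ip, ip, port))
    return hits


# Constructed control-channel log mirroring Example 10.9: an anonymous login, one
# legitimate transfer, then PORT/EPRT commands pointing at a third host's ports.
SAMPLE_LOG = """
10.0.0.7 USER anonymous
10.0.0.7 PASS -wwwuser@
10.0.0.7 PORT 10,0,0,7,200,10
10.0.0.7 RETR notes.txt
10.0.0.7 PORT 64,13,134,52,0,22
10.0.0.7 PORT 64,13,134,52,0,25
10.0.0.7 EPRT |1|64.13.134.52|135|
""".splitlines()

if __name__ == "__main__":
    for client, ip, port in find_bounce_attempts(SAMPLE_LOG):
        print(f"bounce attempt from {client}: data connection requested to {ip}:{port}")
```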

12. Exotic Scan Flags
The previous section discussed using an ACK scan to map out which target network ports are filtered.
However, it could not determine which of the accessible ports were open or closed. Nmap offers
several scan methods that are good at sneaking past firewalls while still providing the desired port
state information. FIN scan is one such technique. In the section called “ACK Scan”, SYN and ACK
scans were run against a machine named Para. The SYN scan showed only two open ports, perhaps
due to firewall restrictions. Meanwhile, the ACK scan is unable to recognize open ports from closed
ones. Example 10.6 shows another scan attempt against Para, this time using a FIN scan. Because a
naked FIN packet is being sent, this packet flies past the rules blocking SYN packets. While a SYN scan
only found one open port below 100, the FIN scan finds both of them.

Example 10.6. FIN scan against stateless firewall


# nmap -sF -p1-100 -T4 <ip>
Starting Nmap ( https://nmap.org )
Nmap scan report for para (192.168.10.191)
Not shown: 98 filtered ports
PORT STATE SERVICE
22/tcp open|filtered ssh
53/tcp open|filtered domain
MAC Address: 00:60:1D:38:32:90 (Lucent Technologies)

Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds

Many other scan types are worth trying, since the target firewall rules
and target host type determine which techniques will work. Some
particularly valuable scan types are FIN, Maimon, Window, SYN/FIN, and
NULL scans.
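An added detection-side example, not from the original notes: a small stateful sensor that labels the flag combinations these scan types use, so probes that slip past a stateless SYN-only rule are still caught. Addresses, ports and flag records are constructed, and session tracking is simplified to (src, dst, dport) where a real sensor would key on the full 4-tuple.

```python
from collections import Counter
from typing import Optional

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations a real TCP implementation never emits to open a connection.
# A stateless filter that only blocks SYN lets these through, which is exactly
# what the FIN, NULL, Xmas and SYN/FIN scans rely on.
ILLEGAL_COMBINATIONS = {
    0: "NULL scan",
    FIN: "FIN scan",
    FIN | PSH | URG: "Xmas scan",
    SYN | FIN: "SYN/FIN scan",
}


def classify_probe(flags: int, in_session: bool) -> Optional[str]:
    """Label an inbound segment as a scan probe, or None if it looks like normal traffic.

    Maimon (FIN/ACK) and ACK/Window probes use flags that occur in every normal
    connection, so they are only suspicious when no session exists for the tuple;
    the flag bits alone cannot tell an ACK scan from a Window scan."""
    flags &= 0x3F                             # ignore ECN/CWR bits
    if flags in ILLEGAL_COMBINATIONS:
        return ILLEGAL_COMBINATIONS[flags]
    if not in_session:
        if flags == FIN | ACK:
            return "Maimon scan"
        if flags == ACK:
            return "ACK/Window scan"
    return None


def detect_scans(packets, min_probes: int = 3):
    """Stateful pass over inbound (src, dst, dport, flags) records.

    A plain SYN opens a session for its tuple; later segments on that tuple are
    treated as legitimate. Returns {src: Counter(label -> count)} for sources that
    sent at least min_probes suspicious segments."""
    sessions = set()
    probes = {}
    for src, dst, dport, flags in packets:
        key = (src, dst, dport)
        if (flags & 0x3F) == SYN:
            sessions.add(key)
            continue
        label = classify_probe(flags, key in sessions)
        if label:
            probes.setdefault(src, Counter())[label] += 1
    return {src: c for src, c in probes.items() if sum(c.values()) >= min_probes}


# Constructed sample traffic towards the host "para" from Example 10.6:
# one normal SSH session, then a mixed probe burst from a second source.
SAMPLE_PACKETS = [
    ("10.0.0.9",   "192.168.10.191", 22,  SYN),              # handshake
    ("10.0.0.9",   "192.168.10.191", 22,  ACK),              # third handshake segment
    ("10.0.0.9",   "192.168.10.191", 22,  PSH | ACK),        # data
    ("10.0.0.9",   "192.168.10.191", 22,  FIN | ACK),        # normal teardown
    ("172.16.5.4", "192.168.10.191", 22,  FIN),              # -sF
    ("172.16.5.4", "192.168.10.191", 53,  FIN),              # -sF
    ("172.16.5.4", "192.168.10.191", 80,  0),                # -sN
    ("172.16.5.4", "192.168.10.191", 443, FIN | PSH | URG),  # -sX
    ("172.16.5.4", "192.168.10.191", 25,  FIN | ACK),        # -sM, no session
    ("172.16.5.4", "192.168.10.191", 135, ACK),              # -sA / -sW, no session
]

if __name__ == "__main__":
    for src, counts in detect_scans(SAMPLE_PACKETS).items():
        print(src, dict(counts))
```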

13. SET YOUR OWN OFFSET SIZE:


The command nmap --mtu 32 <ip> tells Nmap to fragment the probe packets it sends to the target IP address so that each fragment carries at most 32 bytes of data (the value must be a multiple of 8). The MTU normally denotes the largest packet a link can carry; with this option it only controls how Nmap splits its own packets.

Here's a breakdown of the command:


nmap: This is the tool you're using for network scanning.
--mtu 32: This option sets the MTU size for the packets to 32 bytes. It can be useful for bypassing
certain network restrictions or testing how different packet sizes affect the scan's results.
<ip>: Replace this with the actual IP address of the target you want to scan.

Why might you use this?


Network Restrictions/Firewalls: Some packet filters and IDSs inspect only the first fragment or do not reassemble fragments at all. Splitting probes into small fragments can slip past such devices; a stateful firewall that reassembles before inspecting is not affected.
Packet Analysis: Setting a smaller MTU could help when you're trying to analyze network behavior
with smaller packets.
Performance Testing: You may want to see how a network handles very small packets.
Example:

nmap --mtu 32 192.168.1.1


This will perform a scan on the IP address 192.168.1.1, with each probe split into fragments carrying no more than 32 bytes of data.
Be aware that heavy fragmentation can make the scan slower or less reliable, depending on the network setup; many hosts and firewalls drop tiny fragments outright. A normal link MTU is much larger (e.g., 1500 bytes on Ethernet).

NMAP SCRIPT ENGINE (NSE)
The Nmap Script Engine (NSE) is a powerful feature of Nmap that allows
users to automate a variety of network scanning tasks, from service
discovery to vulnerability detection. NSE uses Lua scripting language to
write custom scripts that can interact with network services and perform
various types of tasks. These scripts can be used to detect
vulnerabilities, gather information, and exploit weaknesses, making
Nmap a versatile tool for network administrators, penetration testers,
and security professionals.

Key Features of Nmap Script Engine (NSE):


Automation of tasks:
Scripts can automate repetitive scanning tasks such as brute-force login attempts or vulnerability
scanning.
Extensibility:
Users can write their own scripts or modify existing ones.
Categories of scripts:
NSE scripts are divided into various categories, including those for discovery, brute force,
vulnerability detection, and more.
Integration with Nmap:
The Nmap Script Engine integrates seamlessly with Nmap’s scanning features, allowing users to run
scripts alongside regular Nmap scanning techniques.

SCRIPTS LOCATION :
/usr/share/nmap/scripts

Nmap Script Categories:


Discovery Scripts:
These scripts are used to gather information about the target system, such as service versions, host
details, and network configuration.

Examples: http-title, dns-brute, snmp-info.

Brute Force Scripts:


These scripts automate the process of brute-forcing usernames, passwords, or other types of
authentication tokens.

Examples: http-brute, ssh-brute, ftp-brute.

Vulnerability Detection Scripts:


These scripts are designed to detect known vulnerabilities in services or software running on a
target machine.

Examples: http-shellshock, smb-vuln-ms17-010, ssl-heartbleed.

Malware Detection Scripts:
These scripts help to identify signs of malware or suspicious activities on a target.

Examples: http-malware-host, ftp-syst, smtp-open-relay.

Exploit Scripts:
These scripts are used to attempt to exploit vulnerabilities that have been discovered.

Examples: http-sql-injection, http-xssed, msrpc-ms-dcom.

Default Scripts:
These are scripts that are enabled by default during a standard Nmap scan. They provide general
information about the host being scanned.

Examples: banner, ssl-enum-ciphers, http-methods.

Info Gathering Scripts:


These scripts gather and display additional details about a network service or operating system.

Examples: os-fingerprint, ssl-cert, http-headers.

Firewall and Filtering Scripts:


These scripts help identify firewall settings or filtering behaviors.

Examples: firewalk, traceroute, icmp-ipid-sequence.

Intrusion Detection and Response Scripts:


These are designed to detect potential security intrusions and responses.

Examples: http-robot-check, smtp-open-relay, mysql-empty-password.

Miscellaneous Scripts:
A collection of other scripts that don't fall into the categories above, but still offer useful functionality.

Examples: dns-nsid, http-stored-xss, vnc-info.

Some Important Nmap Scripts with Descriptions:


http-title:
This script retrieves the title of a web page hosted on the target, useful for identifying web
applications.

smb-os-fingerprint:
Gathers information about the SMB operating system.

ssl-cert:
Retrieves SSL certificate details from an SSL/TLS service.

smtp-commands:
Checks the SMTP service to see what commands are supported.

http-methods:
This script checks for which HTTP methods are allowed (e.g., GET, POST, DELETE) on a web server.

vuln-cve-xxxx:
Many scripts are named after specific CVEs (Common Vulnerabilities and Exposures) that they are
designed to test, e.g., smb-vuln-ms17-010 tests for the MS17-010 vulnerability.

http-sql-injection:
Attempts to find SQL injection vulnerabilities on a web server by sending various types of payloads.

ssh-brute:
Performs brute-force attacks against SSH services, trying common usernames and passwords to
gain access.

ftp-brute:
Similar to ssh-brute, but targets FTP services.

dns-nsid:
This script attempts to retrieve the name server identifier (NSID) from a DNS server.

http-robots.txt:
Retrieves the robots.txt file from a web server, which may reveal hidden paths or security
information.

dns-brute:
This script performs brute-force domain name system (DNS) name resolution, attempting a large
number of subdomain names against a given domain.

ssl-heartbleed:
This tests if a server is vulnerable to the Heartbleed bug in OpenSSL, which can expose sensitive
memory content.

http-malware-host:
Detects if the web server is serving malware or hosting malicious content.

smb-enum-shares:
Enumerates shared resources on a target SMB server.

ftp-syst:
Retrieves system information from an FTP server.

List of NMAP Scripts


Use with the nmap --script option

ALL_NMAP_SCRIPTS_LIST.pdf

DETECT WAF
Detecting WAF
Web application firewalls (WAF) may drop malicious requests, such as those with SQL injections, or
otherwise interfere with enumeration or testing:

Detect WAF using NMAP:


nmap -p80 --script http-waf-detect [host]

Fingerprint WAF using NMAP:


nmap -p80 --script http-waf-fingerprint [host]

Fingerprint WAF using WAFw00f:


wafw00f.py [url]

OUTPUT RESULTS
1. NORMAL OUTPUT TO THE FILE "NORMAL.FILE"
nmap <ip> -oN normal.file

2. XML OUTPUT TO THE FILE XML.FILE


nmap <ip> -oX xml.file

3. GREPABLE OUTPUT TO THE FILE GREP.FILE


nmap <ip> -oG grep.file

4. OUTPUT IN THE THREE MAJOR FORMATS AT ONCE


nmap <ip> -oA results

5. GREPABLE OUTPUT TO SCREEN (-oN- AND -oX- ARE ALSO USABLE)
nmap <ip> -oG-

6. APPEND A SCAN TO A PREVIOUS SCAN FILE


nmap <ip> -oN file.file --append-output

7. INCREASE THE VERBOSITY LEVEL


nmap -v <ip>

nmap -vv <ip>

USE -vv FOR EVEN GREATER EFFECT.

8. INCREASE THE DEBUGGING LEVEL


nmap -d <ip>

nmap -dd <ip>

Likewise, use -dd (or more d's) for greater effect.

9. DISPLAY THE REASON A PORT IS IN A PARTICULAR STATE (SAME OUTPUT AS -vv)
nmap <ip> --reason

10. ONLY SHOW OPEN OR POSSIBLY OPEN PORTS


nmap <ip> --open

11. SHOW THE HOST INTERFACES AND ROUTES


nmap <ip> --iflist

12. RESUME A SCAN


nmap --resume results.file
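Parsing the -oX output is how these results are usually consumed by other tooling; this added example (not from the original notes) extracts open ports with their --reason values from a constructed, minimal -oX document and diffs two scans to report newly opened ports.

```python
import xml.etree.ElementTree as ET


def parse_open_ports(xml_text: str):
    """Map each host that is up to {(proto, port): (service, reason)} for its open ports.

    Walks the nmaprun/host/ports/port structure that -oX writes; the state element's
    reason attribute is the same value --reason prints in the normal output."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            key = (port.get("protocol"), int(port.get("portid")))
            open_ports[key] = (name, state.get("reason", ""))
        result[addr] = open_ports
    return result


def new_open_ports(baseline_xml: str, current_xml: str):
    """Ports open now that were not open in the baseline scan, per host."""
    base = parse_open_ports(baseline_xml)
    cur = parse_open_ports(current_xml)
    diff = {}
    for addr, ports in cur.items():
        added = sorted(set(ports) - set(base.get(addr, {})))
        if added:
            diff[addr] = added
    return diff


def _sample_xml(open_ports):
    """Constructed -oX document for one host; real files carry more elements."""
    rows = []
    for pid, name in ((22, "ssh"), (25, "smtp"), (80, "http")):
        state, reason = ("open", "syn-ack") if pid in open_ports else ("closed", "reset")
        rows.append(f'<port protocol="tcp" portid="{pid}"><state state="{state}" reason="{reason}"/>'
                    f'<service name="{name}"/></port>')
    return ('<?xml version="1.0"?><nmaprun scanner="nmap"><host>'
            '<status state="up" reason="arp-response"/>'
            '<address addr="192.168.1.1" addrtype="ipv4"/>'
            '<ports>' + "".join(rows) + '</ports></host></nmaprun>')


BASELINE_XML = _sample_xml({22})       # earlier scan: only SSH open
CURRENT_XML = _sample_xml({22, 80})    # later scan: a web server has appeared

if __name__ == "__main__":
    print(parse_open_ports(CURRENT_XML))
    print("newly open:", new_open_ports(BASELINE_XML, CURRENT_XML))
```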
