Nmap scan mode

Source: Internet
Author: User
Tags: reverse dns

Nmap's commonly used scan modes are:

  TCP connect() scan: -sT
  TCP SYN (half-open) scan: -sS
  TCP FIN, NULL and XMAS scans: -sF, -sN and -sX
  UDP scan: -sU

1. Get info about remote host ports and OS detection

  nmap -sS -P0 -sV -O <target>

<target> can be a single IP address, a host name, or a subnet. -sS is a TCP SYN scan (also called half-open or stealth scan); -P0 disables the ICMP ping (newer Nmap releases spell this option -Pn and still accept -P0); -sV enables version detection; -O attempts to identify the remote operating system. Other options: -A enables OS fingerprinting and version detection together; -v adds detail, and giving it twice (-vv) adds more.

  nmap -sS -P0 -A -v <target>

2. Get list of servers with a specific port open

  nmap -sT -p 80 -oG - 192.168.1.* | grep open

Change the -p parameter to specify a different port, and see the nmap man page for the different ways of specifying an address range. -oG - writes grepable output to standard output, which is what makes the grep work.

3. Find all active IP addresses in a network

  nmap -sP 192.168.0.*

There are many other options; this is just a simple example. Another form, for a specific subnet:

  nmap -sP 192.168.0.0/24

(-sP is the ping scan; newer releases call it -sn and still accept -sP.)

4. Ping a range of IP addresses

  nmap -sP 192.168.1.100-254

nmap accepts several address notations and multiple targets or ranges on one command line.

5. Find unused IPs on a given subnet

  nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp

The ping scan fills the local ARP table; addresses that never answered are left as incomplete entries with an all-zero MAC address in /proc/net/arp, so those are the unused ones.

6. Scan for the Conficker virus on your LAN

  nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.0.1-254

Replace 192.168.0.1-254 with the addresses you want to check. (The smb-check-vulns script has since been removed from Nmap; current releases split its checks into the individual smb-vuln-* scripts.)

7. Scan network for rogue APs

  nmap -A -p1-85,113,443,8080-8100 -T4 --min-hostgroup 50 --max-rtt-timeout 2000 --initial-rtt-timeout 300 --max-retries 3 --host-timeout 20m --max-scan-delay 1000 -oA wapscan 10.0.0.0/8

I used this to successfully find several rogue access points in a very large network. Using --max-rtt-timeout and the -T option significantly shortens the scan time: the probes nmap sends are sometimes dropped by the other side's firewall, and nmap would otherwise keep waiting for a SYN/ACK or RST/ACK. --max-rtt-timeout: a good way to choose the value is to ping the hosts to be scanned before running nmap. -T[0-5] selects a timing template; the larger the value, the faster the scan. See man nmap for details.

8. Use a decoy while scanning ports to avoid getting caught by the sysadmin

  sudo nmap -sS 192.168.0.10 -D 192.168.0.2

This scans the open ports of the target (192.168.0.10) with a decoy address (192.168.0.2): the target's security log shows the decoy address rather than your IP address. The decoy address must be a live host. Check the target host's security log (under /var/log/) to confirm it works. Note that nmap still sends its own probes from your real address alongside the decoy's, so the real address is present in the log as well; the decoy only obscures which source is the actual scanner, which is why defenders correlate all sources that probed the same ports in the same window.

9. List of reverse DNS records for a subnet

  nmap -R -sL 209.85.229.99/27 | awk '{if ($3 == "not") print "(" $2 ") no PTR"; else print $3 " is " $2}' | grep '('

This command uses nmap to query reverse DNS information for a subnet. It produces a list of the IP addresses in the subnet and their PTR records. Enter the subnet in CIDR form (e.g. /24 for a class C); to query a specific DNS server, add --dns-servers x.x.x.x after -sL. Some nmap installations may need sudo, and I expect awk to be standard on most distributions. Note that the awk test must be == (a single = is an assignment in awk and would mark every address as having no PTR), and that the field positions assume the older "Host ip not scanned" / "Host name (ip) not scanned" output lines; current Nmap releases print "Nmap scan report for ..." instead, so the fields shift.

10. How many Linux and Windows devices are on your network?

  sudo nmap -F -O 192.168.0.1-255 | grep "Running:" > /tmp/OS; echo "$(cat /tmp/OS | grep Linux | wc -l) Linux device(s)"; echo "$(cat /tmp/OS | grep Windows | wc -l) Windows device(s)"
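Items 2 and 10 both grep Nmap's human-readable output by hand. The following Python script, added here as an example and not a script from the original page or from the Nmap project, reads the grepable (-oG) format instead, which is the stable, machine-readable form of the same information: it lists the hosts that report a given port open and counts hosts per OS family from the OS: field, keeping hosts without an OS guess visible as "unknown" instead of dropping them. The scan output embedded in it is constructed for the example (RFC 1918 addresses, made-up host names) and is not a real capture; the function names are the example's own.

```python
"""Inventory checks over Nmap grepable (-oG) output.

Example code added to this page, not a script from the original author
or from the Nmap project. The scan output below is constructed for the
example (RFC 1918 addresses, made-up host names); it is not a real capture.
"""
from collections import Counter
import re

# Constructed sample: the kind of output `nmap -sT -p 80 -O -oG - 192.168.1.0/29` prints.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sT -p 80 -O -oG - 192.168.1.0/29
Host: 192.168.1.1 (gw.example.internal)\tStatus: Up
Host: 192.168.1.1 (gw.example.internal)\tPorts: 80/open/tcp//http//nginx/\tOS: Linux 5.4 - 5.10
Host: 192.168.1.2 ()\tPorts: 80/closed/tcp//http///\tOS: Microsoft Windows 10
Host: 192.168.1.3 (nas.example.internal)\tPorts: 80/open/tcp//http//Apache httpd/\tOS: Linux 4.15 - 5.6
Host: 192.168.1.4 (printer.example.internal)\tPorts: 80/open/tcp//http///
# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (4 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<reverse name or empty>)" opens every data line; an empty
# parenthesis pair means the address has no PTR record.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return one dict per host: ip, ptr (None if no reverse record), ports, os.

    -oG prints a separate "Host:" line per scan phase, so several lines for
    the same IP are merged. Fields on a line are tab-separated "Key: value"
    pairs; the Ports value is a comma-separated list whose entries are
    port/state/proto/owner/service/rpc/version.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                      # "# Nmap ..." header and trailer lines
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"ip": ip, "ptr": name or None, "ports": [], "os": None})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for spec in value.split(", "):
                    parts = spec.split("/")
                    entry["ports"].append({"port": int(parts[0]), "state": parts[1],
                                           "proto": parts[2], "service": parts[4]})
            elif key == "OS":
                entry["os"] = value
    return list(hosts.values())


def hosts_with_open_port(hosts, port, proto="tcp"):
    """IPs on which `port` is reported open (item 2 above, without the grep)."""
    return [h["ip"] for h in hosts
            if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
                   for p in h["ports"])]


def os_family_counts(hosts, families=("Linux", "Windows")):
    """Count hosts per OS family (item 10 above). Hosts with no OS guess are
    counted as "unknown" rather than silently dropped; anything else is "other"."""
    counts = Counter()
    for h in hosts:
        if not h["os"]:
            counts["unknown"] += 1
            continue
        family = next((f for f in families if f.lower() in h["os"].lower()), "other")
        counts[family] += 1
    return counts


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_GREPABLE)
    print("port 80 open on:", ", ".join(hosts_with_open_port(hosts, 80)))
    for family, n in os_family_counts(hosts).items():
        print(f"{n} {family} device(s)")
```

To run it against a real scan, save the -oG output to a file (or use -oG - and pipe it) and call parse_grepable on the file contents; the "unknown" bucket is the useful part for inventory work, since a host Nmap cannot fingerprint is exactly the one worth a second look.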

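The awk one-liner in item 9 depends on the word positions of the older "Host ... not scanned" lines. The following Python parser, added here as an example and not part of the original page or of Nmap, produces the same "(ip) no PTR" / "name is ip" report but recognises both that layout and the "Nmap scan report for ..." lines current releases print, and can also return just the addresses that lack a reverse record. The two scan outputs embedded in it are constructed (TEST-NET-3 addresses, a made-up host name), and the script and function names are the example's own.

```python
"""Reverse-DNS listing from `nmap -R -sL` normal output.

Example code added to this page, not the original author's script and not
part of Nmap. The two sample outputs are constructed (TEST-NET-3 addresses,
made-up host name); they are not real captures.
"""
import re
import sys

# Older Nmap releases print one of:
#   Host 203.0.113.1 not scanned
#   Host ns.example.test (203.0.113.2) not scanned
OLD_RE = re.compile(r"^Host (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)? not scanned")
# Current releases print one of:
#   Nmap scan report for 203.0.113.1
#   Nmap scan report for ns.example.test (203.0.113.2)
NEW_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")

SAMPLE_OLD = """\
Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-01 00:00 UTC
Host 203.0.113.1 not scanned
Host ns.example.test (203.0.113.2) not scanned
Host 203.0.113.3 not scanned
Nmap done: 3 IP addresses (0 hosts up) scanned in 0.10 seconds
"""

SAMPLE_NEW = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 00:00 UTC
Nmap scan report for 203.0.113.1
Nmap scan report for ns.example.test (203.0.113.2)
Nmap scan report for 203.0.113.3
Nmap done: 3 IP addresses (0 hosts up) scanned in 0.10 seconds
"""


def parse_list_scan(text):
    """Return [(ip, name_or_None), ...] in scan order, from either layout."""
    records = []
    for line in text.splitlines():
        m = OLD_RE.match(line) or NEW_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            records.append((ip, name))
    return records


def format_ptr_list(records):
    """The lines the awk pipeline in item 9 is meant to print."""
    return [f"{name} is {ip}" if name else f"({ip}) no PTR" for ip, name in records]


def missing_ptr(records):
    """Addresses with no reverse record: usually the gaps to fix in the zone."""
    return [ip for ip, name in records if name is None]


if __name__ == "__main__":
    # Pipe real output in:  nmap -R -sL 203.0.113.0/28 | python3 list_ptr.py
    # With no pipe, the constructed SAMPLE_NEW is used so the script runs stand-alone.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NEW
    for line in format_ptr_list(parse_list_scan(text)):
        print(line)
```

Because parse_list_scan returns the same records for both layouts, the same script keeps working across Nmap upgrades, which is the failure the awk version silently has: on current output its $3 is never "not", so every line falls through to the else branch.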