nmap Pentest


* nmap --script-updatedb
* nmap -p 1-65535 -T4 -A -v
* nmap -p 1-65535 -sV -sS -T4 IP
* nmap -sC -sV -oA name ip
* nmap -T4 -A -sV -v3 -d -oA output --script all target


Ping scan on the local LAN

nmap -sn -n

Service scan on the alive hosts

nmap -Pn -sV -n,126 --script=smb-os-discovery.nse


less name.nmap

  • nmap -sS   (TCP SYN scan)
  • nmap -sT   (full TCP connect scan)
  • nmap -sU   (UDP scan)
  • nmap -oX output   (write results in XML format)
  • xsltproc portscan.xml -o portscan.html   (render the XML report as HTML)
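When more than a handful of hosts are scanned, the XML written by -oX is easier to triage in code than through xsltproc. The script below is an added example, not part of the original cheat sheet: it parses a constructed nmaprun document (the same elements nmap emits: host, address, ports/port, state, service) with the Python standard library, lists confirmed-open ports per host, and keeps UDP "open|filtered" results out of the confirmed set unless asked for, since nmap cannot distinguish an unanswered UDP probe from a filtered one.

```python
"""Summarize open ports per host from nmap -oX output.

Added example, not from the original cheat sheet. Standard library only;
the XML below is constructed to mirror what nmap writes.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX portscan.xml <target>` produces.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX portscan.xml 10.0.0.0/30">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:11:22" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="53">
        <state state="open" reason="syn-ack"/>
        <service name="domain" product="ISC BIND" version="9.18.1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response"/>
        <service name="domain"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text, include_open_filtered=False):
    """Return {ipv4: [(port, proto, service, version), ...]} for open ports.

    UDP scans frequently report "open|filtered"; those ports are included
    only when include_open_filtered=True because they are not confirmed open.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            confirmed = state == "open"
            tentative = include_open_filtered and state == "open|filtered"
            if not (confirmed or tentative):
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # Join product and version when the -sV probe identified them.
            version = ""
            if svc is not None:
                version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            open_ports.append((int(port.get("portid")), port.get("protocol"), name, version))
        results[addr] = sorted(open_ports)
    return results


def hosts_with_service(results, service_name):
    """Hosts exposing a given nmap service name, e.g. 'domain' for DNS."""
    return sorted(h for h, ports in results.items()
                  if any(p[2] == service_name for p in ports))


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_XML)
    for host, ports in scan.items():
        print(host)
        for port, proto, name, version in ports:
            print(f"  {port}/{proto:<4} {name:<14} {version}")
    print("DNS servers:", hosts_with_service(scan, "domain"))
```

Feed it a real file with `parse_open_ports(open("portscan.xml").read())`; the per-host tuples sort by port number so two scans of the same range can be diffed directly.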

Zombie Scan

  1. find a host whose IP ID increments by 1 with each packet (incremental sequence)
  2. nmap -O -v -n ip
  3. if the IP ID Sequence is reported as Incremental, the host is usable as a zombie

Use Zombie to scan other host

1. nmap -Pn -sI zombieip:openport targetip -p23 -v

ARP network discovery

sudo netdiscover -i tap0 -r
sudo nmap -PR -sn 172.16.5.*

Scan for DNS servers

sudo nmap -sT -p53
sudo nmap -sU -p53

sudo nmap -sV --script /usr/share/nmap/scripts/nmap-vulners.nse