Noirchapeau's Gitbook

Network Mapping and Security Auditing Tool

Overview

Nmap (Network Mapper) is an essential open-source tool for network analysis and security auditing. It is primarily used for discovering hosts and services on a network, conducting security audits, and building a network inventory.

Key Components

1. Host Discovery

  • Used to identify active systems on a network.

  • Utilizes ICMP echo requests, ARP and other protocols.

  • Results should always be stored for documentation.

2. Port Scanning

Six possible port states:

  • open : A service accepts connections on the port.

  • closed : Reachable, but nothing is listening; the port answers with an RST.

  • filtered : A firewall or filter blocks the probe, so there is no usable response.

  • unfiltered : Reachable, but Nmap cannot tell whether it is open or closed.

  • open|filtered : No response, so Nmap cannot distinguish open from filtered.

  • closed|filtered : Nmap cannot distinguish closed from filtered.

3. Service Enumeration

  • Identifies applications and versions running on ports.

  • Essential for vulnerability assessment.

  • Can use banner grabbing for additional information.

4. NSE (Nmap Scripting Engine)

Categories include:

  • auth : Authentication testing.

  • brute : Credential brute forcing.

  • vuln : Vulnerability detection.

  • discovery : Active discovery of hosts and services.

  • safe : Non-intrusive scripts.

5. Performance Optimization

  • Various timing templates (-T0 to -T5).

  • Packet rate control.

  • Parallelism options.

  • Timeout settings.

6. Firewall/IDS Evasion

  • Packet fragmentation.

  • Decoy scanning.

  • TCP ACK scanning.

  • Various stealth techniques.

Essential Command Reference

Basic Scanning

# Quick scan of top 1000 ports
nmap <target>

# Full port scan with service version detection
nmap -p- -sV <target>

# Aggressive scan (OS detection, version detection, script scanning, and traceroute)
nmap -A <target>

# Quick scan of top 100 ports
nmap -F <target>

Host Discovery

# Scan network range
nmap -sn 192.168.1.0/24

# Scan from file
nmap -sn -iL hosts.txt

# No ping scan
nmap -Pn <target>

Port Scanning

# SYN scan (requires root)
sudo nmap -sS <target>

# TCP connect scan
nmap -sT <target>

# UDP scan
sudo nmap -sU <target>

# Specific ports
nmap -p 22,80,443 <target>

# All ports
nmap -p- <target>

Service and Version Detection

# Version detection
nmap -sV <target>

# Version detection with intensity level
nmap -sV --version-intensity 5 <target>

# OS detection
sudo nmap -O <target>

Output Options

# Save in all formats
nmap -oA filename <target>

# Save in normal format
nmap -oN filename.txt <target>

# Save in XML format
nmap -oX filename.xml <target>

# Grep-friendly output
nmap -oG filename.txt <target>

NSE Scripts

# Default scripts
nmap -sC <target>

# Specific script
nmap --script=<script-name> <target>

# Vulnerability scan
nmap --script vuln <target>

# Multiple scripts
nmap --script=http-title,http-headers <target>

Performance and Timing

# Fastest timing template
nmap -T5 <target>

# Set minimum rate
nmap --min-rate 300 <target>

# Minimum number of probes sent in parallel (--min-hostgroup controls hosts)
nmap --min-parallelism 100 <target>

# Aggressive timing + version detection
nmap -T4 -sV <target>

Firewall/IDS Evasion

# Decoy scan
nmap -D RND:5 <target>

# Fragment packets (requires root)
nmap -f <target>

# Specify specific source port
nmap --source-port 53 <target>

# MAC address spoofing
nmap --spoof-mac MAC <target>

Advanced Usage

# Comprehensive scan with timing template (-A already enables -sV and -O)
sudo nmap -sS -sV -T4 -A -O -p- <target>

# Quiet scan with version detection
nmap -sV -T2 --version-intensity 0 <target>

# Advanced vulnerability scan
nmap -sV --script vuln -p- -T4 <target>

# Host discovery of a /24 using multiple probe types (ICMP, TCP SYN/ACK, UDP, SCTP)
nmap -sn -T4 -PE -PM -PS80,443 -PA3389 -PU40125 -PY <target>/24

Best Practices

  1. Start with host discovery in large networks.

  2. Use appropriate timing for the environment.

  3. Save scan results for documentation.

  4. Verify findings manually when possible.

  5. Consider network load and target stability.

  6. Use stealth options when necessary.

  7. Combine different scan types for comprehensive results.
