First of all, we need to know what exists on the network, so run an Nmap ping scan:

nmap -sn $subnet

The above command will test whether all machines in the subnet are alive. You may need to change the subnet ($subnet here) to match your own network.

Once I have chosen a host, the first thing I always do is:

nmap -A -oA nmap $targetip

This will scan the 1024 most common ports, run OS detection, run the default Nmap scripts, and save the results in a number of formats (with the base filename nmap) in the current directory.

Scanning more deeply:

nmap -v -p- -sT $targetip

This will scan all 65535 ports on $targetip with a full connect scan. This scan will probably take a very long time. The -v stands for verbose, so that when a new port is discovered it is printed straight away instead of only at the end of the scan. Scanning this many ports over the internet takes a long time; I would often leave the scan running overnight.
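The -oA option in the earlier command writes a grepable (.gnmap) file alongside the normal and XML output. The following POSIX sh snippet is an added example, not part of the original post, showing how to pull the open ports out of that file so the scan results can be turned into a simple host/service inventory. The input is a constructed .gnmap fragment written by the make_sample function (the host 10.0.0.5 and its services are invented for the example); the open_ports function is a hypothetical helper and not an Nmap feature.

```shell
#!/bin/sh
# Parse Nmap grepable output (.gnmap, as written by -oA) and list open ports per host.
# Example code added for illustration; it is not part of the original post.

# make_sample FILE: write a constructed .gnmap fragment (not real scan output).
# Fields in a .gnmap "Host:" line are tab-separated; each port entry has the form
# port/state/proto/owner/service/rpcinfo/version/
make_sample() {
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' > "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n' >> "$1"
}

# open_ports FILE: print one line per open port as "host port/proto service version".
# Closed and filtered ports are skipped, so the output is the exposed-service list.
open_ports() {
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); host = h[2]
            ports = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
            n = split(ports, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
            }
        }' "$1"
}

# Usage: run against the file produced by "nmap -A -oA nmap $targetip", i.e. nmap.gnmap.
# Demonstrated here on the constructed sample:
#   make_sample /tmp/sample.gnmap && open_ports /tmp/sample.gnmap
```

Running it on the sample prints two lines, one for 22/tcp (ssh) and one for 80/tcp (http); the closed 443/tcp entry is dropped. The same function works unchanged on the real nmap.gnmap file, which makes it easy to diff inventories between scans and spot services that have newly appeared.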

More to come on Nmap.