Nmap

Scan Methodology

Scanning when pings are allowed:
1- Discover online hosts
nmap -v -iL [file with scope] -sn -n -oG live_hosts.txt.gnmap
cat live_hosts.txt.gnmap | grep Up | cut -d' ' -f2 > live_hosts.txt
2- Port discovery of online hosts
nmap -v -sS --top-ports 2000 -n -oA top2000.online -iL live_hosts.txt
3- OS and version detection, default scripts on the discovered hosts (noisy)
nmap -A -oA [output] -iL live_hosts.txt
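The three stages above, wrapped in shell functions together with parsers for nmap's grepable (-oG) output. This is an added example, not part of the original notes: the file names (live_hosts.gnmap, live_hosts.txt, open_ports.txt, top2000.online, full.online), the RUN_SCANS guard and the constructed sample data are assumptions. Matching the full "Status: Up" string (instead of the bare word "Up") keeps verbose "Status: Down" lines out of the live-host list, and stage 3, the noisy -A scan, only ever runs against hosts stage 1 confirmed.

```shell
#!/bin/sh
# Added example (not from the original notes): the three-stage workflow above
# as reusable shell functions plus parsers for nmap's grepable (-oG) output.
# File names (live_hosts.gnmap, live_hosts.txt, top2000.online, full.online),
# the RUN_SCANS guard and the sample data below are assumptions.

# Stage 1 parser. With -sn -oG, nmap writes one line per host, e.g.
#   Host: 10.0.0.5 ()<TAB>Status: Up
# Down hosts (listed when -v is on) say "Status: Down", so match the full
# "Status: Up" string rather than the bare word "Up".
parse_live_hosts() {
    # $1 = path to the .gnmap file from the host-discovery scan
    grep '^Host:.*Status: Up' "$1" | awk '{ print $2 }' | sort -u
}

count_live_hosts() {
    parse_live_hosts "$1" | wc -l | tr -d ' '
}

# Stage 2 parser. Port-scan lines are tab-separated sections:
#   Host: 10.0.0.5 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (998)
# Each port entry is port/state/proto/owner/service/rpc/version; only
# "open" entries are printed, one per line, as "host port/proto service".
parse_open_ports() {
    # $1 = path to the .gnmap file from the port scan
    grep '^Host:.*Ports:' "$1" | awk -F'\t' '
    {
        split($1, h, " "); host = h[2]
        sub(/^Ports: /, "", $2)
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open") print host, f[1] "/" f[3], f[5]
        }
    }'
}

# Constructed sample of both output shapes, for exercising the parsers offline.
write_sample_gnmap() {
    # $1 = destination path
    printf '# Nmap scan initiated (constructed sample)\n' > "$1"
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.0.0.6 ()\tStatus: Down\n' >> "$1"
    printf 'Host: 10.0.0.7 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)\n' >> "$1"
}

# The scans themselves, in the order of the notes. Stage 3 (-A) is the noisy
# one, so it only runs against hosts that stage 1 confirmed are live.
run_workflow() {
    scope="$1"    # file listing in-scope targets, one per line
    nmap -v -iL "$scope" -sn -n -oG live_hosts.gnmap
    parse_live_hosts live_hosts.gnmap > live_hosts.txt
    if [ ! -s live_hosts.txt ]; then
        echo "no live hosts in scope; nothing to port scan" >&2
        return 1
    fi
    echo "$(count_live_hosts live_hosts.gnmap) live hosts, starting port scan" >&2
    nmap -v -sS --top-ports 2000 -n -oA top2000.online -iL live_hosts.txt
    parse_open_ports top2000.online.gnmap > open_ports.txt
    nmap -A -oA full.online -iL live_hosts.txt
}

# Only touch the network when explicitly asked; otherwise run the parsers on
# the constructed sample so the script can be tried anywhere.
if [ "${RUN_SCANS:-0}" = "1" ]; then
    run_workflow "${1:-scope.txt}"
else
    sample=$(mktemp)
    write_sample_gnmap "$sample"
    echo "live hosts:"; parse_live_hosts "$sample"
    echo "open ports:"; parse_open_ports "$sample"
    rm -f "$sample"
fi
```

Run as `RUN_SCANS=1 sh scan.sh scope.txt` to perform the real workflow; without RUN_SCANS it only parses the embedded sample, which is a convenient way to check the parsers against a saved .gnmap before pointing them at real output.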

General flags

Flag      Description
-sS       SYN scan, used to test if ports are open/filtered
-sT       TCP connect scan (default when run without root)
-sA       ACK scan, used to test firewall settings
-sU       UDP scan
-A        Aggressive scan: enables -sV and -sC plus OS detection and traceroute
-Pn       Do not ping the host; just scan it
-O        OS detection (no scripts)
-T5       Noisiest scan, maximum bandwidth
-n        Never do DNS resolution (-R is the opposite: always resolve)

Speedy flags

Flag                   Description
-T4 or -T5             T5 results in the fastest possible scanning (may overload the target)
--max-rtt-timeout X    Per-probe timeout: the longest nmap waits for a probe response. X is in seconds; add a unit suffix such as 500ms for milliseconds
--host-timeout X       Per-host timeout: give up on a host after X seconds, whatever results are still outstanding

Script flags

Flag                 Description
-sC                  Use default NSE scripts
--script dns-brute   Guess common subdomains

Nmap + msfconsole host database

If you do not have the database running yet, follow this Kali guide
SYN scan of an IP without pinging it, with -A (version and OS detection, default scripts), storing the results in the msfconsole database:
msf6 > db_nmap -sS -Pn -A [ip]

Enumeration

MySQL enumeration (courtesy of HackTricks)
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
SMB enumeration (courtesy of codecentric)
nmap -sV --script=smb-enum-shares -p445 $ip
note to self: if you get this far and you do not have the machine in your hosts file, you're going to miss subdomains.

More Resources