Nmap

Scanning when pings are allowed:
1- Discover online hosts
nmap -v -iL [file with scope] -sn -n -oG live_hosts.txt.gnmap
cat live_hosts.txt.gnmap | grep Up | cut -d' ' -f2 > live_hosts.txt
2- Port discovery of online hosts
nmap -v -sS --top-ports 2000 -n -oA top2000.online -iL live_hosts.txt
3- OS and version detection, default scripts on the discovered hosts (noisy)
nmap -A -oA [output] -iL live_hosts.txt
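The first two steps write grepable (-oG / -oA ...gnmap) output, and the `grep Up | cut` one-liner above only recovers the IPs. The following is an added example, not from the original page, that parses that format properly and also keeps the open ports per host so the next step and the enumeration commands can be fed from it; the .gnmap text inside is constructed sample data.

```python
import ipaddress
import re

# Constructed sample of nmap grepable (-oG) output, in the shape the
# host-discovery and port-discovery steps above write. Not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -v -sS --top-ports 2000 -n -oG - -iL live_hosts.txt
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (1997)
Host: 10.0.0.6 ()\tStatus: Down
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 3306/open/tcp//mysql///, 445/open/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 00:00:00 2024 -- 3 IP addresses (2 hosts up) scanned in 4.20 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_gnmap(text):
    # Returns {ip: {"hostname": str, "up": bool, "open": {port: service}}}.
    # A host appears on several lines (Status, Ports); they are merged per IP.
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and blanks
        entry = hosts.setdefault(m.group(1), {"hostname": m.group(2), "up": False, "open": {}})
        for field in line.split("\t")[1:]:  # fields after "Host:" are tab-separated
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                for spec in value.split(", "):
                    # port/state/proto/owner/service/rpc/version/
                    parts = spec.strip().split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        entry["open"][int(parts[0])] = parts[4]
                        entry["up"] = True  # a Ports line means the host answered
    return hosts

def live_hosts(hosts):
    # Same result as `grep Up | cut -d' ' -f2`, but sorted numerically, not as text.
    return sorted((ip for ip, e in hosts.items() if e["up"]), key=ipaddress.ip_address)

def hosts_with_service(hosts, service):
    # Targets for a service-specific enumeration step, e.g. "mysql" or "microsoft-ds".
    return sorted((ip for ip, e in hosts.items() if service in e["open"].values()),
                  key=ipaddress.ip_address)
```

Note that a host with a Ports line but no Status line is still counted as up, and that IPs are sorted as addresses, so 10.0.0.5 comes before 10.0.0.10.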

General flags:
Flag    Description
-sS     SYN scan, used to test if ports are open/filtered
-sT     TCP connect scan (default when run without root)
-sA     ACK scan, used to test firewall settings
-sU     UDP scan
-A      Aggressive scan: runs -sV and -sC (plus OS detection and traceroute)
-Pn     Do not ping the host; just scan it (treat it as up)
-O      OS detection (no scripts)
-T5     Noisiest scan, maximum bandwidth
-n      Never do DNS resolution (-R is the opposite: always resolve)

Speedy flags:
Flag                   Description
-T4 or -T5             T5 results in the fastest possible scanning (may overload the target)
--max-rtt-timeout X    Maximum time to wait for a probe response; X is in seconds, use "Xms" for milliseconds
--host-timeout X       Per-host timeout: give up on a host if all results are not in after X seconds

Script flags:
Flag                Description
-sC                 Use default NSE scripts
--script dns-brute  Guess common subdomains

Nmap + msfconsole host database:
If you do not have the database running yet, follow this Kali guide.
Stealth scan on an IP, no ping, with version detection, saving the results in the msfconsole database:
msf6 > db_nmap -sS -Pn -A [ip]

Enumeration:
MySQL enumeration (courtesy of HackTricks)
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
SMB enumeration (courtesy of codecentric)
nmap -sV --script=smb-enum-shares -p445 $ip
Note to self: if you get this far and you do not have the machine in your hosts file, you're going to miss subdomains.
