In this short course, we covered the popular network scanner, Nmap. We discussed scanning types, starting with basic scans and going all the way to advanced scanning techniques. We also discussed IDS and firewall evasion with Nmap. Additionally, we covered scanning networks, IP addresses, vulnerability scanning, port scanning and more. If you are preparing for the OSCP and need a refresher on Nmap, this course is for you.

Table of Contents

– Scanning IP Addresses

– Scanning Networks

– Port Scanning

– Vulnerability Scanning

– Bypass Firewalls & IDS

– Scanning Techniques

– Practical Scenarios

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

Basic Nmap scan to reveal services with their version

You can control the intensity with --version-intensity LEVEL where the level ranges between 0, the lightest, and 9, the most complete. -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9.

nmap -sV 10.10.10.3

It is important to note that using -sV forces Nmap to complete the TCP three-way handshake and establish a connection to each port it probes. The connection is necessary because Nmap cannot discover the version without fully connecting and exchanging data with the listening service. In other words, the stealth of a SYN scan (-sS) is lost once the -sV option is chosen, because version probing completes the handshake on every open port.

Using Nmap scripting engine to scan for vulnerabilities

You can choose to run the scripts in the default category using --script=default, or simply by adding -sC:

nmap --script=default 10.10.10.4

To check for vulnerabilities on the target, we use the vuln category:

nmap --script vuln 10.10.10.4

Some scripts belong to more than one category. Moreover, some scripts launch brute-force attacks against services, while others launch DoS attacks and exploit systems. Hence, it is crucial to be careful when selecting scripts to run if you don’t want to crash services or exploit them.

You can also specify the script by name using --script "SCRIPT-NAME" or a pattern such as --script "ftp*", which would include ftp-brute.

Using TCP ACK Scan for Firewall & IDS Evasion

An ACK scan sends a TCP packet with the ACK flag set. Use the -sA option to choose this scan. The target responds to the ACK with a RST regardless of the state of the port, so the scan does not tell you whether a port is open or closed. Instead, it is helpful when there is a firewall in front of the target: ports whose ACK packets elicit a RST are reported as unfiltered, while ports that produce no response are reported as filtered. Consequently, based on which ACK packets resulted in responses, you learn which ports were not blocked by the firewall.

nmap -sA 10.10.224.131
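The three ideas above (version strings from -sV, the unfiltered/filtered verdict of an -sA scan, and choosing script categories without the disruptive ones) can be put to work in a few lines of Python that read Nmap's grepable (-oG) output. This is an added example, not part of the course; the scan output it parses is constructed inline and the boolean --script expression it builds uses Nmap's own category syntax.

```python
import re

# Constructed sample of Nmap grepable (-oG) output; not captured from a real scan.
# In an ACK scan (-sA) a port is "unfiltered" when a RST came back and
# "filtered" when nothing answered, so only the unfiltered ones passed the firewall.
ACK_SCAN_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sA -oG - 10.10.224.131\n"
    "Host: 10.10.224.131 ()\tStatus: Up\n"
    "Host: 10.10.224.131 ()\tPorts: 22/unfiltered/tcp//ssh///, "
    "80/unfiltered/tcp//http///, 443/filtered/tcp//https///\t"
    "Ignored State: filtered (997)\n"
)
# Constructed -sV output: the seventh field of each entry carries the version string.
VERSION_SCAN_OG = (
    "Host: 10.10.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 (protocol 2.0)/\n"
)

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_grepable(text):
    """Return {host: [port dicts]} from -oG text. Nmap substitutes '|' for any
    '/' inside the version field, so splitting each entry on '/' is safe."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]+)", line)
        if not m:
            continue
        host, ports = m.groups()
        for item in ports.split(", "):
            entry = dict(zip(PORT_FIELDS, item.split("/")))
            entry["port"] = int(entry["port"])
            hosts.setdefault(host, []).append(entry)
    return hosts


def ports_not_blocked(ack_scan_text):
    """Ports an ACK scan reported as unfiltered, i.e. reachable through the firewall."""
    return sorted(e["port"] for hs in parse_grepable(ack_scan_text).values()
                  for e in hs if e["state"] == "unfiltered")


def service_versions(version_scan_text):
    """{port: (service, version)} for every open port in -sV output."""
    return {e["port"]: (e["service"], e["version"])
            for hs in parse_grepable(version_scan_text).values()
            for e in hs if e["state"] == "open"}


def script_expression(categories, exclude=("brute", "dos", "exploit")):
    """Build a --script expression that keeps the wanted categories but drops
    the ones the text warns can crash or exploit services."""
    return f"({' or '.join(categories)}) and not ({' or '.join(exclude)})"
```

The returned expression is passed as `nmap --script "(default or vuln) and not (brute or dos or exploit)" TARGET`; Nmap accepts such boolean category expressions directly.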

Full Video Course

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.