In this short course, we covered the popular network scanner Nmap. We discussed scan types, starting with basic scans and going all the way to advanced scanning techniques, as well as IDS and firewall evasion with Nmap. We also covered scanning networks and IP addresses, port scanning, vulnerability scanning and more. If you are preparing for the OSCP and need a refresher on Nmap, this course is for you.
Table of Contents
– Scanning IP Addresses
– Scanning Networks
– Port Scanning
– Vulnerability Scanning
– Bypass Firewalls & IDS
– Scanning Techniques
– Practical Scenarios
Please watch the video at the bottom for full detailed explanation of the walkthrough.
Basic Nmap scan to reveal services with their version
You can control the intensity with --version-intensity LEVEL, where the level ranges from 0 (the lightest) to 9 (the most complete). -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9.
nmap -sV 10.10.10.3
It is important to note that -sV forces Nmap to complete the TCP three-way handshake and fully establish a connection to every open port it probes. The full connection is necessary because Nmap cannot determine a version without talking to the listening service and reading its banner or its responses to the version probes. In other words, the stealth of the SYN scan -sS is lost for the ports being version-probed: -sS -sV is a valid and common combination, but the SYN scan only finds the open ports, and the version probes that follow connect to each of them fully and will show up in the service's logs.
Using Nmap scripting engine to scan for vulnerabilities
You can run the scripts in the default category using --script=default or simply by adding -sC. Categories can be combined with a comma, for example --script=default,vuln.
nmap --script=default 10.10.10.4
Checking for vulnerabilities on the target we use the category vuln
nmap --script vuln 10.10.10.4
Some scripts belong to more than one category. Moreover, some scripts launch brute-force attacks against services, while others launch DoS attacks or exploit systems. Hence, it is crucial to be careful when selecting scripts to run if you don't want to crash or exploit services. The --script argument accepts boolean expressions, so you can exclude the dangerous categories explicitly, for example --script "vuln and not (dos or exploit or brute)", and you can inspect what a selection does before running it with --script-help.
You can also specify a script by name using --script "SCRIPT-NAME", or a pattern such as --script "ftp*", which would include ftp-brute.
Using TCP ACK Scan for Firewall & IDS Evasion
An ACK scan sends TCP packets with only the ACK flag set. Use the -sA option to choose this scan. A host that receives an unsolicited ACK replies with RST regardless of whether the port is open or closed, so an ACK scan cannot tell open ports from closed ones; it only classifies ports as unfiltered (a RST came back) or filtered (no reply, or an ICMP unreachable error). This kind of scan is helpful for mapping the rules of a firewall in front of the target: based on which ACK packets received a RST, you learn which ports the firewall does not block, while ports that produce no answer are being filtered. Because a stateful firewall drops ACKs that belong to no existing connection, a target that shows every port as filtered under -sA is most likely behind a stateful filter.
nmap -sA 10.10.224.131
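As an added example (not part of the original course), the following Python script parses Nmap's XML output (written with -oX, or -oX - for stdout) from both kinds of scan discussed above. It separates versions that -sV actually obtained by talking to the service (method="probed") from names merely looked up in the nmap-services table (method="table"), which is the practical reason the version scan needs a full connection, and it groups the ports of an ACK scan by state to show which ones the firewall let through. The two XML documents are constructed here to resemble Nmap 7.x output; the hosts, ports and versions in them are invented.

```python
"""Summarise Nmap XML (-oX) results: probed service versions and ACK-scan port states.

Added example for this page; the XML below is constructed to mimic Nmap output and
the hosts, ports and versions in it are invented.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `nmap -sV -oX - 10.10.10.3` could produce (abridged).
SV_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 10.10.10.3" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="10.10.10.3" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

# Constructed sample of what `nmap -sA -oX - 10.10.224.131` could produce (abridged).
ACK_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sA -oX - 10.10.224.131" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="10.10.224.131" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="unfiltered" reason="reset"/>
<service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="unfiltered" reason="reset"/>
<service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
</ports></host></nmaprun>"""


@dataclass
class PortResult:
    host: str
    protocol: str
    port: int
    state: str       # open / closed / filtered / unfiltered / ...
    reason: str      # why Nmap decided that state (syn-ack, reset, no-response, ...)
    service: Optional[str]
    product: Optional[str]
    version: Optional[str]
    method: Optional[str]  # "probed": -sV talked to the service; "table": nmap-services guess
    conf: int              # Nmap's confidence in the service identification (0-10)


def parse_nmap_xml(xml_text: str) -> List[PortResult]:
    """Flatten every <port> of every <host> in an Nmap XML document into PortResult rows."""
    root = ET.fromstring(xml_text)
    results: List[PortResult] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            results.append(PortResult(
                host=addr,
                protocol=port.get("protocol", ""),
                port=int(port.get("portid", "0")),
                state=state.get("state", "") if state is not None else "",
                reason=state.get("reason", "") if state is not None else "",
                service=svc.get("name") if svc is not None else None,
                product=svc.get("product") if svc is not None else None,
                version=svc.get("version") if svc is not None else None,
                method=svc.get("method") if svc is not None else None,
                conf=int(svc.get("conf", "0")) if svc is not None else 0,
            ))
    return results


def probed_versions(results: List[PortResult]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Versions Nmap obtained by completing a connection and probing the service (-sV)."""
    return [(r.port, r.product, r.version)
            for r in results if r.state == "open" and r.method == "probed"]


def unidentified_open_ports(results: List[PortResult]) -> List[Tuple[int, Optional[str]]]:
    """Open ports whose service name is only an nmap-services table guess, not a probe result."""
    return [(r.port, r.service)
            for r in results if r.state == "open" and r.method != "probed"]


def ports_by_state(results: List[PortResult]) -> Dict[str, List[int]]:
    """Group ports by state; for -sA this yields unfiltered (RST seen) vs filtered (no reply)."""
    grouped: Dict[str, List[int]] = {}
    for r in results:
        grouped.setdefault(r.state, []).append(r.port)
    return grouped


if __name__ == "__main__":
    sv = parse_nmap_xml(SV_SCAN_XML)
    print("probed versions:", probed_versions(sv))
    print("table guesses only:", unidentified_open_ports(sv))
    print("ACK scan states:", ports_by_state(parse_nmap_xml(ACK_SCAN_XML)))
```

On real output, replace the embedded strings with the contents of the -oX file. Treat a table-only service name on an open port as unknown rather than as a result: Nmap could not get the service to answer its probes, so the name is just the port number's conventional assignment.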
Full Video Course