Introduction
This blog post covers some Nmap scans you need to know if you are a penetration tester, capture-the-flag (CTF) player, or just a cybersecurity enthusiast. Note that some of these options can be combined to fine-tune a single scan.
Vulnerability Scanning
Nmap scripts are segmented into several categories, one of them being vuln. Vuln scripts check for known vulnerabilities and generally only report results if they are found. We can run all vuln scripts against a target by running the following Nmap scan.
┌──(N3NU㉿kali)-[~]
└─$ nmap <target-ip> --script vuln
Figure 1 below shows the Nmap vuln script scan in action. If we observe the output, we can see that the Windows machine is vulnerable to MS12-020 and MS17-010.
Fast Mode
When using Nmap in fast mode, Nmap scans the 100 most common ports instead of the default 1,000 most common ports. This is useful when working in a slow network where running a default scan might take too long for your needs. Fast mode can also be used as the first scan you run to pick up some open ports to investigate as you wait for your larger scan to finish running in the background.
┌──(N3NU㉿kali)-[~]
└─$ nmap -F <target-ip>
Figure 2 below shows the output of an Nmap scan run in fast mode. Notice the speed of the scan at the end of the output.
Aggressive Mode
Running Nmap in aggressive mode is a personal favorite of mine. Aggressive mode enables OS detection, version detection, script scanning, and traceroute. This type of scan is great on targets we are interacting with for the first time and have little to no information on.
┌──(N3NU㉿kali)-[~]
└─$ nmap -A <target-ip>
Figure 3 below displays the wealth of information we get when using aggressive mode.
Timing Templates
Nmap offers six timing templates, which are used to adjust the speed of our scans. Looking at table 1 below, we can see that as the timing template number increases, so does the speed of the scan.
Keep in mind that as you increase the speed of your scan you sacrifice accuracy and become noisier on the network. The opposite is true as you decrease the speed of your scan.
┌──(N3NU㉿kali)-[~]
└─$ nmap -T5 <target-ip>
An Nmap scan run with the insane timing template (-T5) can be seen below in figure 4. This option should not be used if you are trying to be evasive or accurate.
Scanning All Ports
One can sometimes forget that Nmap does not scan all 65,535 ports by default. Whether you are involved in a capture-the-flag, a real-world assessment, or simply checking your own system's exposure, you should know this Nmap option.
┌──(N3NU㉿kali)-[~]
└─$ nmap -p- <target-ip>
Notice how long scanning all of the ports took in figure 5 below. Unsurprisingly, scanning all ports took considerably longer than a default scan, which only took about 4.23 seconds.
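The workflow described under Fast Mode (a quick -F scan to start investigating while the slow -p- scan from this section runs in the background), as an added POSIX shell example that is not code from the original post. It assumes nmap is on the PATH, uses Nmap's grepable output (-oG) so the open ports can be parsed, and the sample -oG file it parses at the end is constructed here so the parser can be checked without a network or a target.

```shell
# Added example, not from the original post. Assumes nmap is installed;
# <target-ip> and the output directory are placeholders chosen by the caller.
# Print the open TCP ports recorded in an Nmap grepable (-oG) file as "22,80".
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          sub(/^Ports: /, "", $i)
          n = split($i, entry, /, */)
          for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")            # port/state/proto/owner/service/...
            if (f[2] == "open" && f[3] == "tcp") print f[1]
          }
        }
      }
    }' "$1" | sort -n -u | paste -sd, -
}

# Write a constructed -oG file (not real scan output) so open_ports can be
# exercised offline; 445 is filtered on purpose and must be left out.
write_sample_gnmap() {
  printf '# Nmap scan initiated (constructed sample)\n' > "$1"
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//, 80/open/tcp//http//, 445/filtered/tcp//microsoft-ds//\tIgnored State: closed (97)\n' >> "$1"
}

# The post's workflow: start the slow all-ports scan in the background, run the
# fast scan in the foreground, then run an aggressive scan on only the ports the
# fast scan found, and finally report what the all-ports scan turned up.
staged_scan() {
  target=$1; out=${2:-./nmap-out}
  mkdir -p "$out"
  nmap -p- -oG "$out/full.gnmap" "$target" > "$out/full.txt" 2>&1 &
  full_pid=$!
  nmap -F -oG "$out/fast.gnmap" "$target" > "$out/fast.txt" 2>&1
  ports=$(open_ports "$out/fast.gnmap")
  if [ -n "$ports" ]; then
    nmap -A -p "$ports" "$target" | tee "$out/aggressive.txt"
  fi
  wait "$full_pid"
  echo "all-ports scan done; open TCP ports: $(open_ports "$out/full.gnmap")"
}

# Offline demonstration of the parser; run staged_scan <target-ip> for real use.
sample=$(mktemp)
write_sample_gnmap "$sample"
echo "open ports in sample: $(open_ports "$sample")"   # 22,80
rm -f "$sample"
```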
I hope you have enjoyed reading about some awesome Nmap scans. Subscribe for more tools, tips, and tricks to add to your arsenal.
Until next time…
— N3NU
Disclaimer: My content is for informational and educational purposes only. You may try out these hacks on your own computer at your own risk.