The Quick Win
nmap -Pn -n -sV -sC -oN ~/Documents/nmap.txt -p 21,22,23,25,465,587,53,80,8080,443,8443,110,995,111,123,135,137,139,143,993,389,445,1025,1433,2082-2083,2086-2087,3306,3389,5060,5432,5900,6001 <target>
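The Quick Win command writes nmap's "normal" output (-oN) to ~/Documents/nmap.txt; the parser below turns that file into a per-host list of ports for triage. This is an added example, not code from the original page; the sample -oN text is constructed and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# "Nmap scan report for <host>" opens each host section; with -n this is an IP.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Port table rows: "22/tcp open ssh OpenSSH 8.9p1 ..." (version column optional).
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

PortRow = Tuple[int, str, str, str, str]  # (port, proto, state, service, version)

# Constructed sample of -oN output (NSE script lines start with "|" and are skipped).
SAMPLE = """# Nmap 7.94 scan initiated as: nmap -Pn -n -sV -sC -oN nmap.txt -p 21,22,80 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT   STATE  SERVICE VERSION
21/tcp closed ftp
22/tcp open   ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff (ECDSA)
80/tcp open   http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done -- 1 IP address (1 host up) scanned in 5.12 seconds
"""


def parse_nmap_normal(text: str) -> Dict[str, List[PortRow]]:
    """Return {host: [(port, proto, state, service, version), ...]} from -oN text."""
    hosts: Dict[str, List[PortRow]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, (version or "").strip()))
    return hosts


def open_ports(hosts: Dict[str, List[PortRow]], host: str) -> List[Tuple[int, str, str]]:
    """Only the open ports of one host, as (port, service, version) for quick review."""
    return [(p, svc, ver) for p, _proto, state, svc, ver in hosts.get(host, []) if state == "open"]


if __name__ == "__main__":
    for host, rows in parse_nmap_normal(SAMPLE).items():
        print(host, open_ports(parse_nmap_normal(SAMPLE), host))
```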
Full Scan
nmap -Pn -n -sV -p- -T4 <target>
Nmap TCP ping
- The following command can be used to discover hosts behind firewalls that drop ICMP ping requests: a TCP SYN is sent to the listed ports instead.
nmap -n -sn -PS<ports> <target_ip>
Nmap ping
- Nmap -sn uses ICMP echo requests and a TCP scan on ports 80 and 443. The -PE flag can be added to do ICMP scans only.
- ICMP echo requests are sent to multiple hosts. Nowadays ICMP is often disabled on perimeter routers and firewalls, so ICMP scans are no longer that reliable for determining whether a host is live.
nmap -sn [IP range]
nmap -sn -PE [IP range]
ARP Scanning
nmap -PR <target_ip>
netdiscover -i <interface> -r <target_ip_range>
Advanced port scans
hping3 port scan
Uses a SYN scan (-S) and specifies the port to scan.