Recon

Network Enumeration (Nmap)

Nmap from the CPTS path: host discovery, scan types, full TCP/UDP and vuln scans, NSE scripts, output formats, performance tuning and firewall/IDS evasion. Each command stands on its own line so it can be copied as-is.

Host discovery

Ping-sweep a range, no port scan (list live hosts):

sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

Sweep from a host list:

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

Check whether a single host is alive with an ICMP echo probe (-PE) and show why Nmap decided it is up (--reason):

sudo nmap 10.129.2.18 -sn -oA host -PE --reason
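Parsing the sweep output robustly (added example, not from the CPTS module): the `grep for | cut -d" " -f5` one-liner above prints the hostname instead of the IP whenever reverse DNS resolves the address, and with -v it also picks up the `[host down]` lines. The function below reads Nmap's normal output and always returns the IP. The sample output is constructed; the addresses and the hostname are placeholders.

```shell
#!/bin/sh
# Added example (not from the CPTS module): extract live-host IPs from
# `nmap -sn` normal output. `grep for | cut -d" " -f5` returns the hostname
# instead of the IP whenever reverse DNS resolves, because the line becomes
# "Nmap scan report for srv01.example.local (10.129.2.18)". The IP is always
# the last field, so take that and strip the parentheses. POSIX sh + awk only.

# Constructed sample of nmap -sn -v normal output (not a real scan); the
# addresses and hostname are placeholders.
SAMPLE_SN=$(printf '%s\n' \
  'Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC' \
  'Nmap scan report for 10.129.2.4' \
  'Host is up (0.0021s latency).' \
  'Nmap scan report for srv01.example.local (10.129.2.18)' \
  'Host is up (0.0015s latency).' \
  'Nmap scan report for 10.129.2.20 [host down]' \
  'Nmap scan report for 10.129.2.28' \
  'Host is up (0.0032s latency).' \
  'Nmap done: 256 IP addresses (3 hosts up) scanned in 3.21 seconds')

# live_hosts: nmap normal output on stdin -> one live IP per line on stdout.
live_hosts() {
  awk '/^Nmap scan report for / && !/\[host down\]$/ {
         ip = $NF                  # "10.129.2.4" or "(10.129.2.18)"
         gsub(/[()]/, "", ip)      # drop the parentheses around a resolved host
         print ip
       }'
}

# Against a live network (root is needed for the ARP/ICMP probes):
#   sudo nmap 10.129.2.0/24 -sn -oA tnet | live_hosts > live.lst
#   sudo nmap -iL live.lst -p- -sV -sC -oA full_scan
printf '%s\n' "$SAMPLE_SN" | live_hosts
```

The same function works on a saved tnet.nmap file (`live_hosts < tnet.nmap`), since -oA's normal output is exactly what was printed to the terminal.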

Scan types

Flag   Type              Use when
-sS    SYN (stealth)     Default as root; fastest, half-open (no full handshake)
-sT    TCP connect       No raw-socket privileges (the default without root)
-sU    UDP               SNMP 161, TFTP 69, DNS 53
-sA    ACK               Map firewall rules (filtered vs unfiltered)
-sV    Version           Detect service versions
-sC    Default scripts   Runs the "default" NSE category
-A     Aggressive        OS + version + traceroute + scripts

Port scans

Quick look - top 10 ports:

sudo nmap 10.129.2.28 --top-ports=10

Full TCP port scan with versions and scripts:

sudo nmap 10.129.2.28 -p- -sV -sC -oA full_scan

UDP scan - top 100 ports (-F). Slow: open UDP ports usually stay silent and show as open|filtered; only closed ones answer with ICMP port unreachable:

sudo nmap 10.129.2.28 -F -sU

Run the vuln NSE category:

sudo nmap 10.129.2.28 -p 80 -sV --script vuln

Aggressive scan of one port:

sudo nmap 10.129.2.28 -p 80 -A

NSE scripts

Run named scripts:

sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Script categories:

safe       safe for production
discovery  query services for info
default    default scripts (-sC)
vuln       check for known vulns
intrusive  may affect the target
exploit    attempt exploitation

Update the script database:

sudo nmap --script-updatedb

Output formats

All three formats at once (target.nmap normal, target.gnmap grepable, target.xml):

sudo nmap 10.129.2.28 -p- -oA target

Convert XML to an HTML report:

xsltproc target.xml -o target.html
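Feeding a full sweep into a targeted scan (added example, not from the CPTS module or from nmap itself): the grepable .gnmap file that -oA writes holds each host's ports on one tab-separated line, which awk can turn into the -p list for a second-phase -sV -sC run against only the open ports. The .gnmap contents below are constructed; the hosts, ports and the `_targeted` output name are placeholders.

```shell
#!/bin/sh
# Added example (not from the CPTS module or from nmap): turn the grepable
# .gnmap output of a full -p- sweep into the -p list for a targeted -sV -sC
# follow-up. Each host line in .gnmap is tab-separated:
#   Host: <ip> (<rdns>)  Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...  Ignored State: ...
# POSIX sh + awk only.

# Constructed sample .gnmap (not a real scan); hosts and ports are placeholders.
# printf expands the \t separators that nmap writes between the fields.
SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
  printf '# Nmap 7.94 scan initiated as: nmap -p- -oA target 10.129.2.28 10.129.2.18\n'
  printf 'Host: 10.129.2.28 ()\tStatus: Up\n'
  printf 'Host: 10.129.2.28 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/filtered/tcp//rpcbind///, 443/open/tcp//https///\tIgnored State: closed (65531)\n'
  printf 'Host: 10.129.2.18 (srv01.example.local)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///\tIgnored State: closed (65532)\n'
  printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 41.10 seconds\n'
} > "$SAMPLE_GNMAP"

# open_ports FILE HOST: comma-separated open TCP ports recorded for HOST
# (filtered and closed ports are skipped); prints nothing if none.
open_ports() {
  awk -v host="$2" '
    BEGIN { FS = "\t" }
    index($1, "Host: " host " ") == 1 && index($2, "Ports: ") == 1 {
      ports = ""
      sub(/^Ports: /, "", $2)
      n = split($2, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")      # port/state/proto/owner/service/rpc/version/
        if (f[2] == "open" && f[3] == "tcp")
          ports = ports (ports == "" ? "" : ",") f[1]
      }
      if (ports != "") print ports
    }' "$1"
}

# followup_cmd FILE HOST: the second-phase command. -sV -sC on all 65535
# ports is slow; run them only against what the sweep found open.
followup_cmd() {
  ports=$(open_ports "$1" "$2")
  if [ -z "$ports" ]; then
    echo "no open TCP ports recorded for $2" >&2
    return 1
  fi
  printf 'sudo nmap %s -p %s -sV -sC -oA %s_targeted\n' "$2" "$ports" "$2"
}

followup_cmd "$SAMPLE_GNMAP" 10.129.2.28
followup_cmd "$SAMPLE_GNMAP" 10.129.2.18
```

Against a real sweep, replace the sample file with the .gnmap that -oA wrote (`followup_cmd target.gnmap 10.129.2.28`) and run the printed command, or pipe it to sh once the port list looks sane.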

Performance tuning

-T <0-5>                 timing template (0 slow, 5 loud/fast)
--min-rate 300           at least 300 packets/sec
--max-rtt-timeout 200ms  cap the wait per probe
--max-retries 2          at most 2 retransmissions per probe; fewer retries is faster but can miss ports

Firewall / IDS evasion

Decoy scan - hide among 5 random source IPs (RND picks random addresses that may be down; Nmap's own docs warn that dead decoys can SYN-flood the target):

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping -D RND:5

Spoof the source port as DNS (53); works against filters that admit DNS replies by source port alone:

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --source-port 53

Fragment packets (-f splits the TCP header into 8-byte fragments) to slip past DPI that does not reassemble:

sudo nmap 10.129.2.28 -p 80 -sS -Pn -n -f

ACK scan to map firewall rules: a RST reply means unfiltered, no reply or an ICMP unreachable means filtered (stateful firewalls drop the unsolicited ACKs):

sudo nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n --disable-arp-ping