Tags: Recon, Resource Development, Initial Access
Here is a quick cheat sheet for security testing with nmap:
Stealth matters in penetration testing and network scanning: staying under the radar of IDS/IPS and firewalls lowers the chance of detection, and it also keeps the results accurate, because a scanner that gets spotted is often rate-limited or blocked partway through, leaving ports wrongly reported as filtered. Nmap provides several features and scanning methods for this purpose:
Stealth SYN scan (-sS)
- Sends a SYN packet as if initiating a TCP connection; when the target answers SYN/ACK, nmap replies with a RST instead of completing the three-way handshake, so no connection is ever established and the application behind the port usually never sees it. A SYN/ACK means open, a RST means closed, no answer means filtered. Needs raw-socket privileges (root or sudo):
nmap -sS <TARGET-IP>

Fragment packets (-f)
- Splits the probe into tiny IP fragments (8 bytes of TCP header per fragment; -ff uses 16) to sneak past firewalls and packet filters that inspect each fragment on its own instead of reassembling first. Modern stateful firewalls typically reassemble before filtering, and some hosts drop fragmented probes outright, so verify results against a normal scan:
nmap -f <TARGET-IP>

FIN scan (-sF)
- Sends a packet with only the FIN bit set. Per RFC 793 a closed port answers with a RST while an open port silently discards the segment, so nmap reports silence as open|filtered and a RST as closed. This gets through some stateless firewalls and rule sets that only block SYN packets:
nmap -sF <TARGET-IP>

Xmas scan (-sX)
- Sends packets with the FIN, URG and PSH flags set (the packet is "lit up like a Christmas tree"). Port states are inferred exactly as in the FIN scan, and the unusual flag combination can also tell you something about the target's TCP stack from how it responds:
nmap -sX <TARGET-IP>

Null scan (-sN)
- Same idea as the Xmas scan, but the packet carries no flags at all:
nmap -sN <TARGET-IP>
- Caveat for all three of FIN, Xmas and Null: Windows and several other stacks send a RST to every such probe regardless of port state, so against those hosts every port shows up as closed. Use -sS or -sA alongside them before trusting the result.

Idle scan (-sI)
- Bounces the scan off a "zombie" host so the target only ever sees packets from the zombie, which hides the scanner's IP. The zombie must be truly idle and use a predictable, globally incrementing IP ID; nmap probes the zombie's IP ID before and after each spoofed SYN and reads the port state from how far it advanced:
nmap -sI <Zombie-IP> <TARGET-IP>
This will initiate an idle scan using <Zombie-IP> as the "zombie" against <TARGET-IP>.
Remember, idle scanning is an advanced technique, and it may not work against all systems (most modern operating systems randomize or zero the IP ID, which rules them out as zombies). Additionally, it could potentially cause disruption to the "zombie" host.

Specify a decoy (-D)
- Makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too, so your real address is buried among several sources in the target's logs. Your own IP still appears unless you also spoof it, and dead decoys are easy to filter out, so pick decoys that are actually up:
nmap -D RND:10 <TARGET-IP> (randomly selects 10 hosts to act as decoys)
nmap -D decoy1,decoy2,decoy3 <TARGET-IP> (manually specify the decoys)

Timing options (-T0 to -T5)
- These templates control how quickly probes are sent; slower ones space probes out so the scan stays below IDS rate thresholds. T0 (paranoid) is the slowest, sending one probe roughly every five minutes, T5 (insane) is the fastest, and T2 (polite) is slower than the default T3 but stealthier:
nmap -T2 <TARGET-IP>

Putting it all together
- A half-open scan of all 65535 ports (-p-), fragmented and throttled. Expect it to take a long time at T2; that is the price of staying quiet:
nmap -sS -T2 -f -p- <TARGET-IP>
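To make the inference rules behind the scan types above concrete, here is a small Python model of what nmap puts on the wire and how it reads the reply. This is an added example for this cheat sheet, not nmap's own code, and it sends no packets: the flag constants are the real TCP bit values, `classify` encodes the RFC 793 rules described above, and `idle_scan_verdict` does the IP ID arithmetic of an idle scan. The probe and reply values in the demo are constructed for illustration, and the function names are this example's own.

```python
"""Reference model of how nmap's stealth scans infer port state.

Added example for the cheat sheet above; it is not nmap code and sends
nothing on the network. All probe/reply values are constructed.
"""

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag byte each nmap scan type sets in the probe it sends.
SCAN_FLAGS = {
    "sS": SYN,              # half-open: SYN, then RST instead of ACK
    "sF": FIN,              # FIN scan
    "sX": FIN | PSH | URG,  # Xmas: FIN, PSH and URG lit up together
    "sN": 0,                # Null: no flags at all
}

ICMP_UNREACH = "icmp-unreach"   # ICMP type 3 reply (filtered by a firewall)


def flags_to_str(flags):
    """Human-readable rendering of a TCP flags byte, e.g. 0x29 -> 'FIN|PSH|URG'."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
             ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return "|".join(n for n, bit in names if flags & bit) or "none"


def classify(scan, reply):
    """Port state nmap reports for one probe of the given scan type.

    reply is None (no answer at all), a TCP flags byte from the reply
    segment, or ICMP_UNREACH.
    """
    if reply == ICMP_UNREACH:
        return "filtered"                 # something in the path refused it
    if scan == "sS":
        if reply is None:
            return "filtered"             # SYN probe swallowed silently
        if reply & SYN and reply & ACK:
            return "open"                 # handshake would have continued
        if reply & RST:
            return "closed"
        return "filtered"
    if scan in ("sF", "sX", "sN"):
        # RFC 793: a closed port answers RST, an open port drops the
        # segment, so silence cannot distinguish open from filtered.
        if reply is not None and reply & RST:
            return "closed"
        return "open|filtered"
    raise ValueError(f"unsupported scan type: {scan}")


def idle_scan_verdict(ipid_before, ipid_after):
    """Read a port state from the zombie's IP ID delta across one probe.

    Assumes a zombie whose IP ID increases by exactly 1 per packet it
    sends and which sends nothing else meanwhile. nmap probes the zombie
    (RST #1), sends the spoofed SYN, then probes again (RST #2).
    """
    delta = (ipid_after - ipid_before) % 0x10000   # IP ID is 16 bits
    if delta == 2:
        # Target answered SYN/ACK to the zombie, zombie sent a RST back.
        return "open"
    if delta == 1:
        # Target sent RST (closed) or nothing (filtered); zombie was quiet.
        return "closed|filtered"
    # The zombie talked to someone else in between: not idle enough.
    return "unreliable"


if __name__ == "__main__":
    # Constructed sample replies, one per scan type.
    for scan, reply in [("sS", SYN | ACK), ("sS", RST), ("sF", None),
                        ("sX", RST), ("sN", ICMP_UNREACH)]:
        shown = reply if isinstance(reply, str) or reply is None else flags_to_str(reply)
        print(f"-{scan} probe={flags_to_str(SCAN_FLAGS[scan]):<11} "
              f"reply={shown!s:<12} -> {classify(scan, reply)}")
    # Idle scan: IP ID wraps from 0xFFFF to 0x0001 across the probe.
    print("idle scan 0xFFFF -> 0x0001:", idle_scan_verdict(0xFFFF, 0x0001))
```

The `idle_scan_verdict` wraparound handling is the part people get wrong when scripting this by hand: a zombie whose IP ID rolls over mid-probe still yields a valid delta of 2 for an open port.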