NMAP
RED TEAM OPERATIONS
NMAP QUICK COMMANDS
Nmap is a free and open-source tool that is widely used for network discovery and security auditing. It can discover hosts and services on a computer network and thereby build a “map” of the network. It is always recommended to store every single scan; the stored output can later be used for comparison, documentation, and reporting. After all, different tools may produce different results, so it is useful to be able to tell which tool produced which result.
The ping scan below works only if the firewalls of the hosts allow it. Otherwise, we can use other scanning techniques to find out whether the hosts are active or not. We will take a closer look at these techniques in “Firewall and IDS Evasion”.
sudo nmap 192.168.1.1 -sn --reason -oA tnet | grep for | cut -d" " -f5
| Option | Description |
| --- | --- |
| `-sn` | Tells nmap to perform a ping scan, not a port scan. This is sometimes called a “ping sweep” and is used to see which hosts are up in the specified range. |
| `--reason` | Tells nmap to display the reason a port is set to a specific state. |
| `-oA tnet` | Tells nmap to output the results in all formats (normal, XML, and s\|<crIpt kIddi3) with the basename ‘tnet’. |
| `\| grep for \| cut -d" " -f5` | Filters and formats the output of the nmap command. |
The cybersecurity information provided on this site is strictly for educational use.
The SYN scan (-sS) is less likely to be detected by intrusion detection systems (IDS). It sends a SYN packet and waits for a SYN-ACK packet in response, which indicates the port is open. It never completes the TCP handshake, which is why it is considered stealthy.
nmap -sS 192.168.1.1
The TCP connect scan (-sT) confirms whether ports are open by establishing a full TCP connection. This can be useful when SYN scans are blocked, but it is more likely to be logged by firewalls and IDS.
nmap -sT 192.168.1.1
OS detection (-O) attempts to identify the operating system of a target host, and service detection (-sV) probes each open port to guess which application and version is running on it. Knowing the OS and service versions can be critical for finding known vulnerabilities.
nmap -O -sV 192.168.1.1
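The introduction recommends storing every scan so that results can be compared later, and -oA / -oX write an XML file that is the easiest format to compare. The following Python script is an added example (not from the original page) that parses saved Nmap XML output into a host/port/service structure and diffs two scans of the same range, reporting new hosts, newly opened or closed ports, and changed service versions. The two XML documents are constructed, cut-down versions of what nmap writes; real files carry many more attributes, but the element names used here (host, status, address, ports, port, state, service, os, osmatch) are nmap's own.

```python
"""Parse saved Nmap XML output and diff two scans of the same range.

Added example, not part of the original page. The two documents below are
constructed, cut-down versions of what nmap -oX / -oA writes (real files carry
more attributes), but the element names used (host, status, address, ports,
port, state, service, os, osmatch) are nmap's own.
"""
import xml.etree.ElementTree as ET  # for XML you did not produce yourself, prefer defusedxml

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX baseline.xml 192.168.1.0/24">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
</nmaprun>"""

LATER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX later.xml 192.168.1.0/24">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name_or_None, "ports": {(proto, port): (service, version)}}}
    for every host nmap reported as up, keeping only open ports."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # product and version are both optional; join whatever -sV found
            version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = (name, version)
        osmatch = host.find("os/osmatch")
        hosts[addr.get("addr")] = {"os": osmatch.get("name") if osmatch is not None else None, "ports": ports}
    return hosts


def diff_scans(old, new):
    """Compare two parsed scans; returns new/gone hosts and new/closed/changed ports."""
    report = {"new_hosts": [], "gone_hosts": [], "new_ports": [], "closed_ports": [], "changed": []}
    for ip in sorted(set(old) | set(new)):
        if ip not in old:
            report["new_hosts"].append(ip)
        elif ip not in new:
            report["gone_hosts"].append(ip)
        else:
            before, after = old[ip]["ports"], new[ip]["ports"]
            for key in sorted(set(before) | set(after)):
                if key not in before:
                    report["new_ports"].append((ip, key, after[key]))
                elif key not in after:
                    report["closed_ports"].append((ip, key))
                elif before[key] != after[key]:
                    report["changed"].append((ip, key, before[key], after[key]))
    return report


if __name__ == "__main__":
    for kind, items in diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(LATER_XML)).items():
        for item in items:
            print(kind, item)
```

Run against two real files by replacing the embedded strings with the contents of baseline.xml and later.xml; a host or port that appears in the diff but not in the change log is exactly the kind of finding a scan archive exists to surface.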
The aggressive scan (-A) enables several detection features at once, which gathers a lot of information about the target but is also more likely to be detected.
nmap -A 192.168.1.1
Nmap's scripting engine (NSE, selected with --script) can perform a wide variety of additional checks on a target, such as checking for specific vulnerabilities or misconfigurations.
nmap --script=default,vuln 192.168.1.1
If you’re scanning a target that’s behind a firewall or IDS, the decoy option (-D) can make your scan less noticeable by also sending decoy packets from fake IP addresses.
nmap -sS -p80 -Ddecoy-ip-1,decoy-ip-2,decoy-ip-3 192.168.1.1
The idle scan (-sI) is a very stealthy type of scan in which Nmap uses a “zombie” host to scan the target, making it appear that the scan is coming from the “zombie” host rather than from the true attacker.
nmap -sI zombie-ip 192.168.1.1
Some firewalls only look at the source port of a packet and might allow traffic if it appears to come from a trusted port such as 80 (HTTP) or 53 (DNS); --source-port sets that port.
nmap --source-port 53 192.168.1.1
The -S option lets you provide a specific source IP address. This can sometimes bypass firewall rules if the firewall trusts the spoofed IP. Note that you typically need administrator privileges to use this option.
nmap -S spoofed-ip 192.168.1.1
Red Team Operators simulate full-scale cyber attacks on an organization, essentially playing the role of the attacker. The goal is not only to find vulnerabilities in a system, but also to assess how well the organization’s defenses (people, processes, and technologies), including the Blue Team, can withstand an actual cyber attack. The red team’s operations are designed to be as realistic as possible to simulate real-world threats.
The cybersecurity information provided on this site is strictly for educational use. We hold no responsibility for misuse and urge users to apply these skills ethically, on networks or systems where they have explicit authorization – such as a private home lab.