Network Scanning

Page contains usage for nmap and masscan, glossary for types of scans, and refers to other scanning scripts/tools.


Nmap scans often used

Fast noisy initial scans for labs

-T5: Insane timing ; -sC: enable the most common scripts; -sV: version detection ; -oN: output to file;

nmap -T5 -sC -sV -oN initial-nmap $IP -max-retries

Sample Nmap scans

Note worthy Nmap switches:

Scan network for live hosts

nmap -sP

Scan network for specific ports open/closed

-sT: TCP Connect (Full open scan)

sudo nmap -sT -p 80,443

Stealth scan network for specific ports open/closed

-sS: SYN Scan (Half-open scan)

sudo nmap -sS -p 80,443

Scan host with OS detection

sudo nmap -O $IP

Scan host with all detections

-A: Enables OS detection, version detection, script scanning, and traceroute

sudo nmap -A $IP

Stealth scan and add a decoy traffic

-D: Cloak a scan with decoys. Makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.

sudo nmap -sS -D $IP

Scan to identify HTTP WAF

sudo nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" 

Nmap Scripting Engine

List of all NSE scripts:

Scan host with all vuln NSE scripts

sudo nmap --script vuln $IP

Nmap Scanning resources

Null byte using nmap to scan for DoS attacks:



Scan network for IP and mac address

python3 -t


import scapy.all as scapy
import argparse

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', dest='target', help='Target IP Address/Adresses')
    options = parser.parse_args()

    #Check for errors i.e if the user does not specify the target IP Address
    #Quit the program if the argument is missing
    #While quitting also display an error message
    if not
        #Code to handle if interface is not specified
        parser.error("[-] Please specify an IP Address or Addresses, use --help for more info.")
    return options
def scan(ip):
    arp_req_frame = scapy.ARP(pdst = ip)

    broadcast_ether_frame = scapy.Ether(dst = "ff:ff:ff:ff:ff:ff")
    broadcast_ether_arp_req_frame = broadcast_ether_frame / arp_req_frame

    answered_list = scapy.srp(broadcast_ether_arp_req_frame, timeout = 1, verbose = False)[0]
    result = []
    for i in range(0,len(answered_list)):
        client_dict = {"ip" : answered_list[i][1].psrc, "mac" : answered_list[i][1].hwsrc}

    return result
def display_result(result):
    print("-----------------------------------\nIP Address\tMAC Address\n-----------------------------------")
    for i in result:
        print("{}\t{}".format(i["ip"], i["mac"]))

options = get_args()
scanned_output = scan(


TCP Connect (Full open scan)

SYN Scan (Half open Scan)

Other scanning tools

Multi-threaded Python Port Scanner:

Last updated