Network Scanning
Page contains usage for nmap and masscan, glossary for types of scans, and refers to other scanning scripts/tools.
Nmap
Commonly used Nmap scans
Fast noisy initial scans for labs
-T5: insane timing; -sC: run the default script category; -sV: version detection; -oN: save normal output to a file; --max-retries <N>: cap port-probe retransmissions (the switch takes a number)
nmap -T5 -sC -sV -oN initial-nmap --max-retries 1 $IP
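The -oN file written by the scan above is the usual starting point for triage. As an added example (not code from the page's author), here is a small parser for that "normal" output format that pulls the PORT/STATE/SERVICE/VERSION rows per host while skipping script output; the sample scan text is constructed for this example.

```python
import re

# Constructed sample of nmap -oN output (values are made up for this example)
SAMPLE_ON = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -T5 -sC -sV -oN initial-nmap 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Welcome
443/tcp  filtered https
3306/tcp open     mysql   MySQL 5.7.42
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Mon Jan  1 12:00:09 2024 -- 1 IP address (1 host up) scanned in 9.12 seconds
"""

# Host header: "Nmap scan report for 10.0.0.5" or "Nmap scan report for name (10.0.0.5)"
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?")
# Port row: "<port>/<proto>  <state>  <service>  [version text]"
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")


def parse_normal_output(text):
    """Return {ip: [port dict, ...]} from nmap -oN text; NSE lines ('|') are ignored."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip")
            hosts.setdefault(current, [])  # register host even if no ports follow
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return hosts


def open_ports(hosts, ip):
    """Sorted open port numbers for one host, e.g. to diff against an expected baseline."""
    return sorted(p["port"] for p in hosts.get(ip, []) if p["state"] == "open")
```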
Sample Nmap scans
Noteworthy Nmap switches are explained with each scan:
Scan network for live hosts
-sP: ping scan, host discovery only with no port scan (older spelling of -sn)
nmap -sP 10.0.0.0/24
Scan network for specific ports open/closed
-sT: TCP Connect (Full open scan)
sudo nmap -sT -p 80,443 10.0.0.0/24
Stealth scan network for specific ports open/closed
-sS: SYN Scan (Half-open scan)
sudo nmap -sS -p 80,443 10.0.0.0/24
Scan host with OS detection
sudo nmap -O $IP
Scan host with all detections
-A: Enables OS detection, version detection, script scanning, and traceroute
sudo nmap -A $IP
Stealth scan and add a decoy traffic
-D: Cloak a scan with decoys. Makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.
sudo nmap -sS -D 10.0.0.50 $IP
Scan to identify HTTP WAF
sudo nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges" www.test.com
Nmap Scripting Engine
List of all NSE scripts: https://nmap.org/nsedoc/
Scan host with all vuln NSE scripts
sudo nmap --script vuln $IP
Nmap Scanning resources
Null Byte: using Nmap 7 to discover vulnerabilities, launch DoS attacks and more: https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/
Masscan
Python
Scan the local network for IP and MAC addresses (ARP sweep; run as root, since scapy needs raw sockets)
python3 network_scanner.py -t 10.0.2.1/24
Ref: https://levelup.gitconnected.com/writing-a-network-scanner-using-python-a41273baf1e2
    import argparse
    import scapy.all as scapy


    def get_args():
        parser = argparse.ArgumentParser()
        parser.add_argument('-t', '--target', dest='target', help='Target IP Address/Addresses')
        options = parser.parse_args()
        # Check for errors, i.e. if the user does not specify the target IP address:
        # quit the program with an error message if the argument is missing
        if not options.target:
            parser.error("[-] Please specify an IP Address or Addresses, use --help for more info.")
        return options


    def scan(ip):
        # Build an ARP "who-has" request and wrap it in a broadcast Ethernet frame
        arp_req_frame = scapy.ARP(pdst=ip)
        broadcast_ether_frame = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
        broadcast_ether_arp_req_frame = broadcast_ether_frame / arp_req_frame
        # srp() sends at layer 2 and returns (answered, unanswered); keep the answered pairs
        answered_list = scapy.srp(broadcast_ether_arp_req_frame, timeout=1, verbose=False)[0]
        result = []
        for sent, received in answered_list:
            # The reply's source fields carry the live host's IP and MAC
            client_dict = {"ip": received.psrc, "mac": received.hwsrc}
            result.append(client_dict)
        return result


    def display_result(result):
        print("-----------------------------------\nIP Address\tMAC Address\n-----------------------------------")
        for i in result:
            print("{}\t{}".format(i["ip"], i["mac"]))


    if __name__ == "__main__":
        options = get_args()
        scanned_output = scan(options.target)
        display_result(scanned_output)
Glossary
TCP Connect (Full open scan)
Uses the operating system's connect() call, so the full three-way handshake (SYN, SYN/ACK, ACK) completes before the connection is closed. Needs no raw-socket privileges, but the connection reaches the listening application and is logged there.
SYN Scan (Half open Scan)
Sends a SYN and classifies the port from the reply (SYN/ACK = open, RST = closed, no reply = filtered), then tears down with RST instead of completing the handshake. Needs raw sockets (root); the application never sees a connection, though firewalls and IDS still see the SYNs.
Other scanning tools
Multi-threaded Python Port Scanner: https://github.com/dievus/threader3000