Network Scanning

Page contains usage for nmap and masscan, glossary for types of scans, and refers to other scanning scripts/tools.


Nmap scans often used

Fast noisy initial scans for labs

-T5: Insane timing ; -sC: enable the most common scripts; -sV: version detection ; -oN: output to file;
nmap -T5 -sC -sV -oN initial-nmap $IP -max-retries

Sample Nmap scans

Note worthy Nmap switches:

Scan network for live hosts

nmap -sP

Scan network for specific ports open/closed

-sT: TCP Connect (Full open scan)
sudo nmap -sT -p 80,443

Stealth scan network for specific ports open/closed

-sS: SYN Scan (Half-open scan)
sudo nmap -sS -p 80,443

Scan host with OS detection

sudo nmap -O $IP

Scan host with all detections

-A: Enables OS detection, version detection, script scanning, and traceroute
sudo nmap -A $IP

Stealth scan and add a decoy traffic

-D: Cloak a scan with decoys. Makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.
sudo nmap -sS -D $IP

Scan to identify HTTP WAF

sudo nmap -p443 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.detectBodyChanges"

Nmap Scripting Engine

List of all NSE scripts:

Scan host with all vuln NSE scripts

sudo nmap --script vuln $IP

Nmap Scanning resources



Scan network for IP and mac address

import scapy.all as scapy
import argparse
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', dest='target', help='Target IP Address/Adresses')
options = parser.parse_args()
#Check for errors i.e if the user does not specify the target IP Address
#Quit the program if the argument is missing
#While quitting also display an error message
if not
#Code to handle if interface is not specified
parser.error("[-] Please specify an IP Address or Addresses, use --help for more info.")
return options
def scan(ip):
arp_req_frame = scapy.ARP(pdst = ip)
broadcast_ether_frame = scapy.Ether(dst = "ff:ff:ff:ff:ff:ff")
broadcast_ether_arp_req_frame = broadcast_ether_frame / arp_req_frame
answered_list = scapy.srp(broadcast_ether_arp_req_frame, timeout = 1, verbose = False)[0]
result = []
for i in range(0,len(answered_list)):
client_dict = {"ip" : answered_list[i][1].psrc, "mac" : answered_list[i][1].hwsrc}
return result
def display_result(result):
print("-----------------------------------\nIP Address\tMAC Address\n-----------------------------------")
for i in result:
print("{}\t{}".format(i["ip"], i["mac"]))
options = get_args()
scanned_output = scan(


TCP Connect (Full open scan)
Nmap TCP Connect traffic on 443
SYN Scan (Half open Scan)
Nmap SYN Scan traffic on 443

Other scanning tools

Multi-threaded Python Port Scanner: