For the full Red Team recon workflow (OSINT → DNS → service scan → web surface → cloud), see c. Service & Infrastructure Enumeration.
Nmap
Basics
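# Ping sweep
nmap -T4 -sn 192.168.0.0/24
# Ping sweep of the ranges in ranges.txt, then pull the live IPs out of the
# normal (-oN) output and reverse-resolve each one
nmap -sn -n -iL ranges.txt -oN nmap-icmp.tmp
# Each "Host is up" line follows a "Nmap scan report for <ip>" line, so the
# rule order matters: print the address remembered from the previous line,
# then remember the last field of the current one (parentheses stripped in
# case a hostname was printed in front of the address)
awk '/is up/ {print up} {gsub(/\(|\)/, ""); up = $NF}' nmap-icmp.tmp > live-hosts.txt
# Reverse lookup per host. read -r instead of for-in-$(cat) so lines are not
# word-split or glob-expanded; several PTR answers are joined onto one line
while IFS= read -r ip; do
  [[ -n "$ip" ]] || continue
  printf '%s - %s\n' "$ip" "$(dig -x "$ip" +short | paste -sd ' ' -)"
done < live-hosts.txt >> hostnames.txt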
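# SYN (half-open) scan, skipping host discovery (-Pn); -sS needs root for raw sockets
nmap -sS -Pn 192.168.0.1
# SYN scan with version detection (-sV) and default scripts (-sC);
# -oA <basename> writes basename.nmap, basename.gnmap and basename.xml
nmap -sSVC -Pn 192.168.0.1 -oA ./filename
# UDP scan of the 1000 most common ports with version detection (slow)
nmap -sUV --top-ports 1000 -Pn 192.168.0.1 -oN ./filename
# Version and OS detection; -oA takes an output basename, not a glob or extension
nmap -sV -O -Pn 192.168.0.1 -oA /directory/filename
# Noisy and slow but thorough: -A is OS + version + scripts + traceroute, -p- is all 65535 TCP ports
nmap -A -p- 192.168.0.1
# Scanning by hostname
nmap -sSVC [FQDN] -oA ./TCPscan
nmap -sU [FQDN] -oA ./UDPScan
# Script Engine
nmap -sC 192.168.0.1
# quote the script glob so the shell cannot expand it against files in the current directory
nmap -sV --script='ssh*' 192.168.0.1
nmap -sV -p 443 --script=[scriptname].nse 192.168.0.1
# List scripts
ls /usr/share/nmap/scripts/ssh*
locate nse | grep script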
nmap --script-help=$scriptname
Refining Results
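# Pull the open ports for one host out of a grepable (-oG / .gnmap) file and
# feed just those ports into an aggressive (-A) scan of that host
host=10.1.2.3
file=scan_results.gnmap
# -oG lists ports as "<port>/open/..." after "Host: <ip> "; the trailing space
# in the pattern keeps 10.1.2.3 from also matching 10.1.2.30
ports=$(grep -h "Host: $host " "$file" | grep -oE '[0-9]+/open' | cut -d/ -f1 | sort -nu | paste -sd, -)
# an empty -p list makes nmap abort, so check before scanning
if [[ -n "$ports" ]]; then
  nmap -A -p "$ports" "$host" -oN "${host}_aggressive.txt"
else
  printf 'no open ports found for %s in %s\n' "$host" "$file" >&2
fi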
Advanced Tricks
# Fragment packets, set decoy IPs, spoof MAC, and randomise host order
# -f needs raw-socket (root) privileges; -D RND:10 adds ten random decoy
# sources; --spoof-mac 0 picks a random MAC, which only matters on the local
# segment. Fragmentation and decoys are commonly flagged by IDS, so expect
# alerts rather than invisibility.
nmap -f --data-length 25 -D RND:10 --spoof-mac 0 -iL ips.txt --randomize-hosts -oA evasive_scan
# IPv6 scanning
nmap -6 -sV <IPv6 address>
ARP (Layer 2)
arp-scan
# Local subnet of the interface (--localnet derives the target range from the
# interface's address and netmask); arp-scan needs root or CAP_NET_RAW
arp-scan --interface=eth0 --localnet
# Specific subnet
arp-scan --interface=eth0 192.168.1.1/24
netdiscover
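# Single device (-i takes an interface name, not an address; use -r with a /32)
netdiscover -r 192.168.0.1/32
# Whole subnet; -P is a flag (parseable output on stdout, exit after the active
# scan) and takes no filename, so redirect stdout yourself
netdiscover -r 192.168.0.1/24 -P > outputfile.txt
# Other inputs (netdiscover needs root for raw ARP):
#   -l targetranges.txt   scan the list of ranges in the file
#   -m targets.txt        list of known MACs and hostnames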
-f # Fast scan only top/bottom of range
Misc
masscan
# Scan two port ranges across 10.0.0.0/8; masscan needs root (raw sockets) and
# sends at 100 packets/s unless --rate is set
masscan -p80,8000-8100 10.0.0.0/8
--banners # Handshake and banner-grab
rustscan
rustscan -a <target> --ulimit 5000 -- -A -oA rustscan_nmap_output
netcat
# Test connection to particular ports (slow!)
nc -v -n -z -w1 [TargetIPaddr] [start_port]-[end_port]
PowerShell
# Port scanner for single IP
# Connect() throws on a closed or filtered port; 2>$null hides those errors so
# only successful connects print. The TcpClient objects are never closed, so a
# large range leaks sockets until garbage collection — add .Close() if that matters.
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.100",$_)) "Port $_ is open!"} 2>$null
# Scan range for single port (last octet 1-20); the unquoted 192.168.1.$ip is
# expanded like a double-quoted string in argument position
foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}
# IP/Port Range Scanner: outer loop walks the last octet, inner loop the ports
1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$null}
# Test egress filtering
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("allports.exposed",$_)) "Port $_ is open" } 2>$null
Useful Scripts
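# Scan 10.0.0.0/8 for SMB (445/tcp) and write grepable (-oG) output; masscan
# needs root for raw sockets, and --rate=10000 packets/s is aggressive — lower
# it on links or targets that cannot absorb that
sudo masscan 10.0.0.0/8 -p445 --rate=10000 -oG smb_scan.grep
# Extract just the IP addresses. -oG lines contain "Host: <ip> () Ports: ...";
# depending on the masscan version a "Timestamp: <n>" field may come first, so
# take the token after "Host:" instead of assuming it is field 2. One awk
# replaces the grep | awk pipeline.
awk '/Host:/ { for (i = 1; i <= NF; i++) if ($i == "Host:") { print $(i + 1); break } }' smb_scan.grep > live_hosts.txt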