Footprinting & Scanning

Basic Host Discovery using ping scan

nmap -sn <target_IP>

Basic Port Scan

nmap -sS -T4 -p- <target_IP>

Service Version Detection

nmap -sS -sV -p- -T4 <target_IP>

OS Detection along with Service Version

nmap -sS -sV -O -p- -T4 <target_IP>

Aggressive OS Scan for Accurate Results

nmap -sS -O --osscan-guess -p- <target_IP>

Aggressive Version Intensity Scanning for Accurate Results

nmap -sS -sV --version-intensity 8 -p- -T4 <target_IP>

Nmap Scripting Engine (NSE)

Default Nmap Script Scan:

nmap -sS -sC -p- -T4 <target_IP>

Listing all the NSE Scripts:

ls -al /usr/share/nmap/scripts/ | grep -e "http"
# Lists every NSE script whose name contains "http" (scripts for the HTTP service)
ls -al /usr/share/nmap/scripts/ | grep -e "ftp"
# Lists every NSE script whose name contains "ftp" (scripts for the FTP service)

Running a Specific Script Scan:

nmap -sS --script=<scriptname> -T4 -p- <target_IP>
nmap -sS --script=<scriptname> -T4 -p<specified_port> <target_IP>

Running OS Detection, Service Detection, Default Scripts and Traceroute (-A):

nmap -sS -A -p- -T4 <target_IP>

Running Multiple Script Scans:

nmap -sS --script=<scriptname>,<scriptname> -p- -T4 <target_IP>

Firewall Detection and IDS Evasion

nmap -Pn -sS -F <target_IP>
- -Pn disables host discovery (the target is treated as up) and -F performs a SYN scan of the 100 most common ports
nmap -Pn -sA -p<port_numbers> <target_IP>
- The ACK scan (-sA) reports each given port as filtered or unfiltered, which tells us whether that port sits behind a firewall or not
nmap -Pn -sS -f --mtu 8 <target_IP>
- -f stands for fragmentation: nmap splits each packet it sends to the target into small IP fragments
- --mtu 8: MTU stands for "Maximum Transmission Unit"; this fragments each packet into 8-byte pieces (the value must be a multiple of 8)
nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -D <your_gateway_IP> -g 53 <target_IP>
- --data-length 200 appends 200 bytes of random payload to each packet, and -D adds a decoy source address, here your gateway IP, so that IDS systems assume the packets are also coming from the router
- -g 53 specifies the source port from which the probes are sent
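The same options look different from the defender's side. The following is an added example, not part of the original notes: it runs over a constructed connection log (an invented format, not any real firewall's) and flags the three patterns the commands above produce, a SYN sweep across many ports (-sS with -p-), SYN packets that claim source port 53 without being DNS (-g 53), and several sources hitting an identical port set in the same second (-D). The addresses, ports and timestamps are constructed sample data.

```python
"""Defender-side view of the scan options above, run over constructed log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (invented format, not any real firewall's):
#   <ISO time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp_flags>
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7:40001 -> 192.0.2.10:22 SYN
2024-01-01T10:00:00 198.51.100.7:40002 -> 192.0.2.10:80 SYN
2024-01-01T10:00:00 198.51.100.7:40003 -> 192.0.2.10:443 SYN
2024-01-01T10:00:01 198.51.100.7:40004 -> 192.0.2.10:445 SYN
2024-01-01T10:00:01 198.51.100.7:40005 -> 192.0.2.10:3389 SYN
2024-01-01T10:00:01 198.51.100.7:40006 -> 192.0.2.10:8080 SYN
2024-01-01T10:00:05 203.0.113.5:53 -> 192.0.2.10:445 SYN
2024-01-01T10:00:05 203.0.113.5:53 -> 192.0.2.10:3389 SYN
2024-01-01T10:00:05 192.0.2.1:53 -> 192.0.2.10:445 SYN
2024-01-01T10:00:05 192.0.2.1:53 -> 192.0.2.10:3389 SYN
2024-01-01T10:01:00 203.0.113.9:51000 -> 192.0.2.10:443 SYN
2024-01-01T10:01:00 203.0.113.9:51000 -> 192.0.2.10:443 ACK
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, flags = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({
            "time": datetime.fromisoformat(ts),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "flags": flags,
        })
    return events


def find_port_sweeps(events, min_ports=5, window_s=10):
    """Sources whose SYNs touch at least min_ports distinct destination ports
    within window_s seconds: the footprint of -sS over a wide -p range.
    Returns {src: sorted distinct ports that source probed}."""
    by_src = defaultdict(list)
    for e in events:
        if e["flags"] == "SYN":
            by_src[e["src"]].append(e)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = {e["dport"] for e in evs[i:]
                         if (e["time"] - start["time"]).total_seconds() <= window_s}
            if len(in_window) >= min_ports:
                sweeps[src] = sorted({e["dport"] for e in evs})
                break
    return sweeps


def find_dns_source_port_abuse(events):
    """SYNs sent from source port 53 towards non-DNS ports (what -g 53 produces).
    Only a filter that trusts the source port instead of connection state lets
    these through, so each hit is also a review item for that rule."""
    return sorted({e["src"] for e in events
                   if e["flags"] == "SYN" and e["sport"] == 53 and e["dport"] != 53})


def find_decoy_groups(events):
    """Groups of sources that probe the identical port set in the same second,
    the pattern -D leaves behind. The log alone cannot tell which member is the
    real scanner, which is why the alert should name the whole group."""
    per_second = defaultdict(set)            # (second, src) -> ports probed
    for e in events:
        if e["flags"] == "SYN":
            per_second[(e["time"].replace(microsecond=0), e["src"])].add(e["dport"])
    groups = defaultdict(set)                # (second, port set) -> sources
    for (second, src), ports in per_second.items():
        if len(ports) >= 2:
            groups[(second, frozenset(ports))].add(src)
    return [(sorted(ports), sorted(srcs))
            for (_second, ports), srcs in groups.items() if len(srcs) >= 2]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port sweeps:", find_port_sweeps(evs))
    print("source port 53 abuse:", find_dns_source_port_abuse(evs))
    print("decoy groups:", find_decoy_groups(evs))
```

On the sample data the sweep detector names 198.51.100.7, the source-port check names both 203.0.113.5 and 192.0.2.1, and the decoy detector groups those same two addresses because they probed 445 and 3389 in the same second; the gateway address in that group is exactly the decoy the -D command above would add. Fragmentation (-f, --mtu) is not visible in a connection log at all, which is the practical reason to have the sensor reassemble IP fragments before inspection rather than to look for it afterwards.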