Networking Scanning

// work in progress: 

Network scanning examples with nmap, netcat and simple bash scripts. Do not scan any networks you do not own!

Scanning port range with netcat

Quick SYN/ACK scan on TCP ports:
Quick SYN/ACK scan on UDP ports:

Other options:

          -4          Use IPv4
          -6          Use IPv6
          -C          Don’t use cellular connection
          -D          Enable the debug socket option
          -d          Detach from stdin
          -l          Listen mode, for inbound connects
          -n          Suppress name/port resolutions
          -r          Randomize remote ports
          -s addr          Local source address
          -t          Answer TELNET negotiation
          -u          UDP mode
          -v          Verbose


Check whois namespace:

List all DNS servers:
Query DNS for all entries:



Quick ICMP sweep (-sL) and save output into grepable file:
Ping scan (returns if host is up + MAC address):
Full initial scan (SYN only, no ACK, kind of stealthy, pretty aggressive, output into file):
Disable ping (-PN) to scan ALL specified targets, whether or not they show as up. This should be done in a serious pentest; it will take a very long time, but can be run in the background.
Using TCP SYN ping (-PS) to check if host is up. Several ports can be specified. Nmap sends a SYN, waits for a SYN/ACK, then cancels the handshake with RST:
Using TCP ACK ping (-PA) will send ACK packets to hosts that have not yet received a SYN, which will therefore reply with a RST. This might work to trick firewall rules:
To avoid detection by an intrusion detection system (IDS), data can be added to the packets using --data-length. 32 bytes make it look like a ping from Windows, 56 like Linux:
Broad initial scan to catch Windows and Linux hosts behind firewalls. Adding a random high port range in case firewall has sloppy configuration:
Adding --packet-trace will enable verbose output of every single packet.
Port 0 can be specified with -p0 or in combination for a range like -p0-65353. Specifying only -p0 will scan all TCP ports.
Timing policy is changed with the -T option, which ranges from -T0 to -T5. Aggressive (fast) would be -T5.
On macOS the port list file is stored in: /usr/local/Cellar/nmap/7.30/share/nmap/nmap-services
Decoy IP (spoof own IP):

Configuring numbers of ports scanned:

Fast scan to scan only 100 most common ports: -F
No option given will scan 1000 most common ports.
Manually specify the number of ports: --top-ports

Scanning methods:

TCP SYN Scan (-sS) | Fastest scan. Only sends SYN, but no ACK or RST if host answers with SYN,ACK
TCP ACK Scan (-sA) | Maps out firewall rulesets and checks if the firewall is stateful
UDP Scan (-sU)
TCP FIN, Xmas and Null scans exploit firewalls, depending on the system used. Non-stateful firewalls and filtering routers try to prevent incoming TCP connections by blocking any TCP packets with the SYN bit set and ACK cleared, but allow outbound ones:
Null Scan (-sN) | Does not set any bits (TCP flag header is 0)
FIN Scan (-sF) | Sets just the TCP FIN bit
Xmas Scan (-sX) | Sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree
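
The flag combinations above, seen from the receiving side, as an added example (not code from the original post): a Python sketch that labels inbound TCP headers by scan type and shows which of them pass the SYN-only rule of a non-stateful filter. The function names, labels and sample headers are constructed for illustration.

```python
import struct

# TCP flag bits, low six bits of bytes 12-13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed sample input, checksum 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)

def parse(header):
    """Return (sport, dport, flags) from the fixed part of a TCP header."""
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, offset_flags & 0x3F

def stateless_filter_allows(header):
    """The non-stateful rule from the text: drop only SYN set with ACK cleared."""
    _, _, flags = parse(header)
    return not (flags & SYN and not flags & ACK)

def classify(header, seen_syn):
    """Label one inbound segment. seen_syn holds flows that opened with a SYN;
    keying on ports only is a simplification, real trackers use the full 4-tuple."""
    sport, dport, flags = parse(header)
    if flags == 0:
        return "null-scan"          # -sN: no flag bits set
    if flags == FIN:
        return "fin-scan"           # -sF: normal teardown carries FIN together with ACK
    if flags == FIN | PSH | URG:
        return "xmas-scan"          # -sX
    if flags == SYN:
        seen_syn.add((sport, dport))
        return "syn"
    if flags & ACK and not flags & SYN and (sport, dport) not in seen_syn:
        return "unsolicited-ack"    # -sA / -PA: ACK with no preceding SYN
    return "normal"

def analyse(headers):
    """Run both checks over a capture, returning (label, passes_stateless_filter) pairs."""
    seen_syn = set()
    return [(classify(h, seen_syn), stateless_filter_allows(h)) for h in headers]

# Constructed sample capture: one real connection attempt followed by four probes.
SAMPLE = [
    tcp_header(40000, 80, SYN), tcp_header(40000, 80, ACK),
    tcp_header(40001, 80, 0), tcp_header(40002, 80, FIN),
    tcp_header(40003, 80, FIN | PSH | URG), tcp_header(40004, 80, ACK),
]

if __name__ == "__main__":
    for label, passed in analyse(SAMPLE):
        print(f"{label:16} passes stateless filter: {passed}")
```

Every probe in the sample passes the SYN-only rule, while tracking which flows opened with a SYN flags all four of them.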

Output format:

Multiple output formats can be combined at the same time, and each has to be given a filename.
Normal: -oN
Grepable: -oG
XML: -oX
All at once: -oA

Example Scenarios:

A specific network with 4096 possible hosts needs to be quickly scanned for port 80 being open. Limiting round-trip time for faster scanning. Ping the target and check for round-trip time before:
-n = no reverse DNS lookup
%D = add the current date to filename
-PN = Skip ping test, just scan every host
-T4 = pretty aggressive timeout
Full SYN scan against all TCP and UDP Ports, with decoy and high aggression, no DNS resolution

Measuring the traffic produced by a port scan

122kb of data were sent through the network to scan this single IP address.

A full portscan against the same IP address produced 12MB of traffic

Performance Tweaking

Defining the maximum number of packet retransmissions (the lower, the faster, but results can be inaccurate):
--max-retries 0

The minimum rate of packets per second. A rate too high can have negative effects such as being disconnected, dropped by firewalls or detected by IDS:
--min-rate 100

--min-hostgroup 0

--min-parallelism 0


--max-rtt-timeout 200

Author: kimbo
