Advanced network scanning techniques in Bash
This section will go more in depth, demonstrating some of the most common advanced options of Nmap. Then, we’ll follow up with a primer on parsing the report output.
This is the Nmap scan command I use most often for network pentesting:
$ sudo nmap -sS -sV -sC -p 21,22,23,25,53,80,81,88,110,111,123,137-139,161,389,443,445,500,512,513,548,623-624,1099,1241,1433-1434,1521,2049,2483-2484,3268,3269,3306,3389,4333,4786,4848,5432,5800,5900,5901,5985,5986,6000,6001,7001,8000,8080,8181,8443,10000,16992-16993,27017,32764 --open -oA [output file] -iL [input file] --exclude-file [exclude file]
Here is the explanation:
-sS: SYN scan, or half-open scan. This sends only the first part of the TCP handshake and scans much faster than the default connect (-sT) scan, which completes the TCP three-way handshake.
-sV: A version scan fingerprints the service name and version instead of the default, which only prints the default service...