Skip to content

Nmap Port Scanning_ Aggressive

Jump to bottom
TheGetch edited this page Jan 5, 2021 · 1 revision

Nmap Port Scanning: Aggressive

Nmap Port Scanning: Aggressive

After initial results of the top ports scans have been completed and initial investigation into the open ports is about to being, aggressive nmap scans can be initiated in the background.

nmap -oN nmap_x.x.x.x-all_ports_aggressive.txt -T4 -vvv --max-rtt-timeout 300ms --max-retries 3 --host-timeout 30m --max-scan-delay 500ms -Pn -A -p- --version-intensity 1 -iL x.x.x.x_Active_IPs.txt

Broken down:

  • -T4: timing template - 4 is faster execution
  • -vvv: Max verbosity
  • --max-rtt-timeout: time for nmap to wait for a probe to respond before giving up (100ms is acceptable for a local network scan)
  • --max-retries: number of times for nmap to retry if nmap received no response
  • --host-timeout: If host is taking too long to scan, it'll stop scanning it at the set time. (nmap will be scanning other hosts during this time, so it isn't just waiting around for 30 mins)
  • --max-scan-delay: specifies the largest delay that Nmap will allow. The lower the number, the more likely of missing ports
  • -Pn: no ping
  • -A: enables additional advanced and aggressive options. Equivalent of -O, -sV, -sC, and --traceroute
  • -p-: scan all ports (1 through 65535)
  • --version-intensity: specifies which probes should be applied. The higher the number, the more likely it is the service will be correctly identified. However, high intensity scans take longer. The intensity must be between 0 and 9. The default is 7

UDP equivalent:

nmap -oX nmap_x.x.x.x-top_ports_1800_UDP_aggressive.xml --top-ports 1800 -sU -T4 -vvv --max-rtt-timeout 300ms --max-retries 3 --host-timeout 30m --max-scan-delay 500ms -Pn -sV --version-intensity 1 -iL x.x.x.x_Active_IPs.txt

If scans are not completing or skipping hosts too quickly, change the --max-rtt-timeout and --max-scan-delay settings. Additionally, for a slower, more complete, stealthier approach, the following can be used:

nmap -sT -Pn -p- --max-parallelism 1 --max-retries 0 --max-rtt-timeout 1000ms --max-hostgroup 1 -oX nmap_x.x.x.x-all_ports_slow.xml -iL x.x.x.x_Active_IPs.txt

_Sidebar

Home

1. Recon

Ping Sweep

CIDR to IP

2. Enumeration

Enumeration General Notes

Host/Port Scanning

Services

01. FTP (21)

02. SSH (22)

03. SMTP (25)

04. DNS (53)

05. HTTP (80,443,8080,8443,etc.)

06. POP3 (110)

07. SMB (139,445)

08. SNMP (161,162)

09. LDAP (389)

10. MS-SQL or MySQL (1433,3306)

11. RDP (3389)

12. Winrm (5985)

13. Memcache (11221)

3. Exploitation

Exploitation General Notes

4. Post Exploiation

Post Exploitation General Notes

Editable Service

Privilege Escalation

Scheduled Jobs/Tasks

5. High Value Information

Hashes

6. Reporting

7. Random Notes/Useful Tidbits

Clone this wiki locally