Here is a quick cheat sheet for security testing with nmap:
Stealth is a key element of penetration testing and network scanning: a scan that goes unnoticed is less likely to be blocked or rate-limited part-way through, so the results are more complete, and the chance of detection is reduced. Nmap provides several features and scan types for this purpose. Most of them craft raw packets and therefore need root (or equivalent raw-socket privileges):
- Stealth SYN scan
- Sends a SYN packet as if opening a TCP connection but never completes the handshake: when the target answers with SYN/ACK, nmap replies with RST, so the service never sees a full connection and the application usually logs nothing. Firewalls and IDS detect half-open scans easily, so "stealth" here only means the service itself is not alerted:
nmap -sS 192.168.1.1
- Fragment packets
- Splits the TCP header across tiny IP fragments (8 bytes each; pass -f twice for 16 bytes, or pick a size with --mtu, which must be a multiple of 8) to slip past packet filters and IDS that inspect fragments without reassembling them. Only applies to raw-packet scans (not -sT), and many modern firewalls reassemble before filtering, so it is not a guaranteed bypass:
nmap -f 192.168.1.1
- FIN scan
- Sends a packet with only the FIN bit set. Per RFC 793 a closed port answers with RST while an open port silently drops the packet, so nmap reports ports as closed or open|filtered. Stateless firewalls that only block incoming SYNs let these packets through. Windows and some other stacks send RST from every port, which makes this scan useless against them:
nmap -sF 192.168.1.1
- Xmas scan
- Sends packets with the FIN, PSH and URG flags set (the packet is "lit up like a Christmas tree"). Port states are inferred by the same RFC 793 rule as the FIN scan, with the same limitations; note that this flag combination is also an obvious IDS signature:
nmap -sX 192.168.1.1
- Null scan
- Like the Xmas scan but with no flags set at all; ports are classified by the same RFC 793 rule (RST means closed, silence means open|filtered):
nmap -sN 192.168.1.1
- Idle scan
- Scans through a "zombie" host so the target never receives a packet from the scanner's real address. The zombie must be idle and have a predictable (incremental) IP ID sequence; nmap probes the zombie's IP ID before and after spoofing a SYN from it to the target and infers each port's state from the change. Add -Pn, otherwise nmap's initial host discovery is still sent from your own IP:
nmap -sI [Zombie IP] 192.168.1.1
- Specify a decoy
- Makes the scan appear to come from the decoy addresses as well as your own, so the target's logs show many sources and the real one is hard to single out. Use decoys that are actually up (otherwise you may SYN-flood the target), and note that decoys do not work with connect scan (-sT) or version detection (-sV):
nmap -D RND:10 [target] (Randomly selects 10 hosts to act as decoys)
nmap -D decoy1,decoy2,ME,decoy3 [target] (Manually specify the decoys; ME marks where your real address goes in the sequence, otherwise nmap puts it at a random position)
- Timing options
- Timing templates trade speed for stealth: -T0 (paranoid), -T1 (sneaky), -T2 (polite), -T3 (normal, the default), -T4 (aggressive), -T5 (insane). Slower templates space probes out so they stay under an IDS's rate thresholds; -T0 and -T1 probe ports one at a time with 5-minute and 15-second waits respectively, so they are only practical for a handful of ports. -T2 is a common compromise, slower than the default but far less conspicuous:
nmap -T2 192.168.1.1
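As an added example (not part of the original cheat sheet), the following POSIX shell script assembles one of the stealth scans above into a single nmap command line and rejects inputs that nmap would refuse or that would defeat the purpose: an idle scan without a zombie, a timing template outside 0-5, a malformed target or decoy list. The scan flags and their documented behaviour are nmap's; the script's own option letters (-s, -t, -T, -D, -z, -f), its policy of always adding -n and of adding -Pn to idle scans, and the 192.168.1.x addresses are this example's assumptions and constructed data. It only prints the command, so it runs without root or a live network.

```shell
#!/bin/sh
# Added example: build (but do not run) an nmap stealth scan command line.
# Addresses below are constructed; nothing is scanned.

# True when $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  ifs_save=$IFS; IFS=.
  set -- $1
  IFS=$ifs_save
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Each comma-separated decoy must be ME, RND:<count>, or an IPv4 address.
# Without ME, nmap puts the real source address at a random position.
valid_decoys() {
  ifs_save=$IFS; IFS=,
  set -- $1
  IFS=$ifs_save
  for d in "$@"; do
    case $d in
      ME) ;;
      RND:*) printf '%s\n' "${d#RND:}" | grep -Eq '^[0-9]+$' || return 1 ;;
      *) is_ipv4 "$d" || return 1 ;;
    esac
  done
}

# build_stealth_scan -s syn|fin|xmas|null|idle -t TARGET [-T 0-5] [-D DECOYS] [-z ZOMBIE] [-f]
# Prints the nmap command on stdout; returns 2 on invalid input.
# The option letters are this script's own, not nmap's.
build_stealth_scan() {
  scan=""; target=""; timing=""; decoys=""; zombie=""; frag=""
  OPTIND=1
  while getopts "s:t:T:D:z:f" opt; do
    case $opt in
      s) scan=$OPTARG ;;
      t) target=$OPTARG ;;
      T) timing=$OPTARG ;;
      D) decoys=$OPTARG ;;
      z) zombie=$OPTARG ;;
      f) frag=1 ;;
      *) return 2 ;;
    esac
  done
  is_ipv4 "$target" || { echo "invalid target: $target" >&2; return 2; }
  case $scan in
    syn)  cmd="nmap -sS" ;;
    fin)  cmd="nmap -sF" ;;
    xmas) cmd="nmap -sX" ;;
    null) cmd="nmap -sN" ;;
    idle)
      # Idle scan needs a zombie. -Pn disables nmap's own host discovery,
      # which would otherwise be sent from the real address.
      is_ipv4 "$zombie" || { echo "idle scan needs -z ZOMBIE" >&2; return 2; }
      cmd="nmap -sI $zombie -Pn" ;;
    *) echo "unknown scan type: $scan" >&2; return 2 ;;
  esac
  # -f only affects raw-packet scans; all five types above qualify.
  [ -n "$frag" ] && cmd="$cmd -f"
  if [ -n "$decoys" ]; then
    valid_decoys "$decoys" || { echo "bad decoy list: $decoys" >&2; return 2; }
    cmd="$cmd -D $decoys"
  fi
  case $timing in
    "") ;;
    [0-5]) cmd="$cmd -T$timing" ;;
    *) echo "timing template must be 0-5" >&2; return 2 ;;
  esac
  # -n skips reverse DNS, which would otherwise announce the scan to a resolver.
  echo "$cmd -n $target"
}

# Demo: prints "nmap -sS -f -D RND:10,ME -T2 -n 192.168.1.1"
build_stealth_scan -s syn -t 192.168.1.1 -T 2 -f -D RND:10,ME
```

Run it with `sh script.sh`; pipe the printed line into `sudo sh` only once you have checked it. The validation lives in the builder rather than in your head, which is where most bad "stealth" scans come from: forgetting -Pn on an idle scan, or typing a decoy that is down.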
Link to my original post: