Stealthy Cheat sheet for Nmap

Akhil
2 min read · May 31, 2023


nmap — Port Scanner and Network Mapper

Here is a quick cheat sheet for security testing with nmap:

Stealth is a key element of penetration testing and network scanning activities, as being stealthy allows for more accurate results and a reduced chance of detection. Nmap provides several features and scanning methods for this purpose:

- Stealth SYN scan - This type of scan sends a SYN packet, as if it is initiating a TCP connection, but never completes the handshake: when the target answers with SYN/ACK, the scanner replies with RST instead of ACK, so the application on the target never sees a full connection:

nmap -sS 192.168.1.1

- Fragment packets - This option breaks down the created packets into tiny fragments to sneak past certain firewalls and packet filters:

nmap -f 192.168.1.1

- FIN scan - This type of scan can bypass certain firewalls by sending a packet with the FIN bit set:

nmap -sF 192.168.1.1

- Xmas scan - This sends packets with the FIN, URG, and PUSH flags set. Some systems' responses to these unusual flags can reveal useful information:

nmap -sX 192.168.1.1

- Null scan - This is similar to Xmas scan but it sends a packet with no flags set:

nmap -sN 192.168.1.1

- Idle scan - This type of scan allows for scanning via a "zombie" device, which hides the scanner's IP:

nmap -sI [Zombie IP] 192.168.1.1

- Specify a decoy - This option makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too:

nmap -D RND:10 [target] (randomly selects 10 hosts to act as decoys)
nmap -D decoy1,decoy2,decoy3 [target] (manually specify the decoys as a comma-separated list)

- Timing options - These options can slow down the scan to make it harder to detect:

#(T2 is slower but stealthier. T0 is slowest, T5 is fastest)
nmap -T2 192.168.1.1
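From the defender's side, every probe type listed above leaves a characteristic trace on the wire: Null, Xmas and FIN probes are TCP segments with flag combinations that no legitimate stack sends to an unconnected port, fragmented TCP is almost never seen in normal traffic, and a SYN scan is a burst of SYNs to many ports from one source with no handshake ever completed. The following classifier is an added example, not code from the original post; it works over constructed packet records (source, destination, port, TCP flag bitmask, IP fragment fields) rather than a real capture, and the 20-port threshold for calling something a SYN sweep is an assumed tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumed threshold: this many distinct ports hit by bare SYNs from one source
# to one destination, none of them followed by an ACK, is treated as a sweep.
SYN_PORT_THRESHOLD = 20


@dataclass(frozen=True)
class Packet:
    """Minimal per-packet record (constructed shape, not a real capture format)."""
    src: str
    dst: str
    dport: int
    flags: int                 # bitmask built from the constants above
    frag_offset: int = 0       # nonzero: this is a non-first IP fragment
    more_fragments: bool = False  # IP MF bit set: more fragments follow


def classify_probe(pkt):
    """Label a single packet by scan signature, or return None if it looks ordinary."""
    if pkt.frag_offset or pkt.more_fragments:
        return "fragmented-tcp"          # what nmap -f produces
    if pkt.flags == 0:
        return "null"                    # nmap -sN: no flags at all
    if pkt.flags == FIN | PSH | URG:
        return "xmas"                    # nmap -sX: FIN+PSH+URG
    if pkt.flags == FIN:
        return "fin"                     # nmap -sF: lone FIN without a connection
    return None


def detect_scans(packets):
    """Aggregate per-source findings over a list of Packet records.

    Returns {source_ip: sorted list of labels}. Sources that only complete
    normal handshakes do not appear in the result.
    """
    findings = defaultdict(set)    # src -> labels seen
    syn_ports = defaultdict(set)   # (src, dst) -> ports that received a bare SYN
    completed = set()              # (src, dst, port) where an ACK later arrived

    for p in packets:
        label = classify_probe(p)
        if label:
            findings[p.src].add(label)
        if p.flags == SYN:
            syn_ports[(p.src, p.dst)].add(p.dport)
        elif p.flags & ACK:
            completed.add((p.src, p.dst, p.dport))

    # SYN scans send the SYN and then RST instead of ACK, so the handshake
    # never completes; count the ports per (src, dst) pair that stayed open-ended.
    for (src, dst), ports in syn_ports.items():
        unfinished = {port for port in ports if (src, dst, port) not in completed}
        if len(unfinished) >= SYN_PORT_THRESHOLD:
            findings[src].add("syn-sweep")

    return {src: sorted(labels) for src, labels in findings.items()}


# Constructed sample traffic: one scanner exercising each probe type against
# a target, plus one ordinary client that completes a handshake to port 443.
SCANNER, CLIENT, TARGET = "10.0.0.5", "10.0.0.9", "192.168.1.1"
SAMPLE = [
    Packet(SCANNER, TARGET, 22, FIN | PSH | URG),             # -sX
    Packet(SCANNER, TARGET, 22, 0),                           # -sN
    Packet(SCANNER, TARGET, 22, FIN),                         # -sF
    Packet(SCANNER, TARGET, 22, SYN, more_fragments=True),    # -f, first fragment
    *[Packet(SCANNER, TARGET, port, SYN) for port in range(1, 26)],  # -sS, no ACKs
    Packet(CLIENT, TARGET, 443, SYN),                         # normal client
    Packet(CLIENT, TARGET, 443, ACK),                         # handshake completes
]

if __name__ == "__main__":
    for src, labels in detect_scans(SAMPLE).items():
        print(f"{src}: {', '.join(labels)}")
```

Two caveats follow directly from the options in the list above. A decoy scan (-D) makes the same SYN sweep appear to come from several sources at once, so this per-source aggregation will flag every decoy as well as the real scanner; correlating which source actually reacts to replies is a separate problem. Slow timing (-T0 to -T2) does not change any of the signatures, it only spreads the same probes out in time, so the practical tuning knob is how long a window the aggregation keeps state over.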

Link to my original post:

[Stealth] Nmap Cheat Sheet (4khil4braham.com)


Akhil

"Building and Leading world class red teams to protect enterprises against security threats at all levels."