Ping Scan → nmap -sn 192.168.0.0/24
→ checks for active hosts in the network (host discovery only, no port scan)

Strategy for CEH:
1. Find live hosts on the local segment: arp-scan -l
   OR netdiscover -i eth0
2. Ping-Sweep the whole network (-sP): nmap -sP 10.10.10.0/24
   OR nmap -sP 10.10.10.*
3. Simple scan of the IPs found (OR -sS / stealthy SYN scan): nmap -sS 10.10.10.12
   then nmap -sSV -O 10.10.10.12 -oN Enumeration.txt (version + OS detection, saved as normal output)
4. Aggressive scan on the open ports (-A)
5. All-ports scan if required (-p-), then an aggressive scan (-A) on any ports that turn up

NOTE: Ping-Sweep and Ping Scan are the same thing. -sn (new) has replaced -sP (old).
Check the list of NSE scripts: **NSEDoc, /usr/share/nmap/scripts**
SYN scans (-sS) are the default scan used by Nmap if run with sudo permissions (raw sockets are needed). If run without sudo permissions, Nmap defaults to the TCP Connect scan (-sT), which completes the full handshake and is therefore more visible in the target's logs.
nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10
(-A already turns on -O, -sV, -sC and traceroute, so repeating them is harmless but redundant)

-n (No DNS resolution) - Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option reduces scanning times.
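The -oN files produced by the commands above (Enumeration.txt, nmapOutput) are plain "normal" output, which is easy to turn into a host/port inventory and diff against what a network is supposed to expose. The parser below is an added example, not part of the original notes; the scan text it parses is constructed, not a real result, and the `baseline` dict of expected open ports is an assumption standing in for an asset inventory.

```python
import re

# Constructed sample of nmap -oN (normal) output; not a real scan result.
SAMPLE_ON = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sSV -O -oN Enumeration.txt 10.10.10.0/24
Nmap scan report for 10.10.10.12
Host is up (0.00045s latency).
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.52 ((Ubuntu))
443/tcp  filtered https
Nmap scan report for fileserver.lab (10.10.10.13)
PORT     STATE SERVICE      VERSION
445/tcp  open  microsoft-ds Samba smbd 4.6.2
8080/tcp open  http-proxy
# Nmap done at Mon Jan  1 10:02:00 2024 -- 256 IP addresses (2 hosts up) scanned in 120.00 seconds
"""

# Matches "Nmap scan report for 10.10.10.12" and "Nmap scan report for name (10.10.10.12)"
HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
# Matches port rows such as "22/tcp   open  ssh  OpenSSH 8.9p1 ..."; the version column is optional
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$")


def parse_normal_output(text):
    """Return {ip: {"name": hostname or None, "ports": [{port, proto, state, service, version}, ...]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = {"name": m.group("name"), "ports": []}
            hosts[m.group("ip")] = current
        elif (m := PORT_RE.match(line)) and current is not None:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            current["ports"].append(entry)
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Open ports missing from baseline {ip: {(port, proto), ...}}; filtered/closed rows are ignored."""
    findings = {}
    for ip, info in hosts.items():
        allowed = baseline.get(ip, set())
        extra = [f"{p['port']}/{p['proto']}" for p in info["ports"]
                 if p["state"] == "open" and (p["port"], p["proto"]) not in allowed]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    baseline = {"10.10.10.12": {(22, "tcp"), (80, "tcp")}, "10.10.10.13": {(445, "tcp")}}  # assumed inventory
    print(unexpected_open_ports(parse_normal_output(SAMPLE_ON), baseline))  # {'10.10.10.13': ['8080/tcp']}
```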