About

This will be written exclusively with Nmap in mind. However, in the future I may switch to using rustscan and may change this at a future date. Technically, you CAN combine both of these scans, but it can be horribly slow. I may change my mind later on whether or not to combine them.

Initial Scan

The initial scan is done AFTER each individual host is discovered on the network. The idea here is that we want to find ALL of the open service ports first, before attempting to get service versions.

nmap -Pn -p- -T4 <IP>
  • Do this for each host
  • -Pn skips host discovery (the ping probes) and treats the host as up, which is useful when a firewall blocks ICMP, and it avoids unnecessary network traffic.
  • -p- covers all 65535 TCP ports but doesn’t check for UDP ports. If UDP is thought to be a concern, running a separate -sU scan could reveal any.

Port Scan with Service Checking and OS detection

nmap -Pn -p #,##,###,###,<etc> -sV -sC -O <IP> -oA DiscoveredPortsScan
  • Replace #,##,###,<etc> with the open ports found by the initial scan, comma separated.
  • -oA writes the output in all 3 formats (normal, XML, grepable) using the given basename. The XML version can be imported into Metasploit later.
  • -sV will attempt to get service versions of the ports.
  • -sC will use the default set of scripts for any services discovered.
  • -O will attempt OS detection on the host. It usually gets close enough; later enumeration can find more accurate version numbers.