Day 4 - Nmap Commands

The document provides advanced Nmap commands for network reconnaissance and vulnerability scanning, emphasizing techniques like using decoys to hide IP addresses, scanning for vulnerable services, and detecting the Heartbleed vulnerability. It highlights the importance of speed, caution with UDP scans, and common mistakes to avoid when using Nmap. Additionally, it offers pro tips for effective scanning and encourages learning Nmap Scripting Engine for custom scans.

Uploaded by bocoo7025

Day 4: Nmap Commands

Nmap (Network Mapper) is not just a port scanner — it’s a multi-tool for
reconnaissance, vulnerability scanning, and stealth assessments. Here are
five powerful commands that most Instagram “hackers” won’t teach you —
but real professionals use every day.

1️⃣ Scan with Decoys (Hide Your IP)

Command:
nmap -D RND:10 [Link]

Purpose: Makes your scan appear as if it’s coming from multiple IPs
instead of just yours.

⚙ How it works:
- `-D` enables decoy mode.
- `RND:10` generates 10 random fake IPs to mask your real one in IDS logs.

Why it’s useful: Confuses automated monitoring systems and adds a
layer of anonymity during authorized penetration tests.

🛠 Bug bounty use: Avoids getting your IP quickly flagged when testing big
corporate scopes.

⚠ Risks & Pro Tip:

- Some IDS can still trace your real IP.
- Combine with a VPN or proxy for more cover.
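
From the defender's side, the decoy technique above shows up in firewall logs as several source addresses probing the same host's ports in lockstep within a few seconds. The following Python detector is an added example, not from the original document; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Flag decoy-style port scans in firewall SYN logs (added example, not from the page)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp, source IP, destination IP:port.
# Three sources hit ports 22, 80 and 443 in lockstep; one unrelated SYN later.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SYN 203.0.113.5 -> 192.0.2.10:22
2024-05-01T10:00:00 SYN 198.51.100.7 -> 192.0.2.10:22
2024-05-01T10:00:00 SYN 203.0.113.9 -> 192.0.2.10:22
2024-05-01T10:00:01 SYN 203.0.113.5 -> 192.0.2.10:80
2024-05-01T10:00:01 SYN 198.51.100.7 -> 192.0.2.10:80
2024-05-01T10:00:01 SYN 203.0.113.9 -> 192.0.2.10:80
2024-05-01T10:00:01 SYN 203.0.113.5 -> 192.0.2.10:443
2024-05-01T10:00:02 SYN 198.51.100.7 -> 192.0.2.10:443
2024-05-01T10:00:02 SYN 203.0.113.9 -> 192.0.2.10:443
2024-05-01T10:30:00 SYN 198.51.100.22 -> 192.0.2.10:443
"""
LINE_RE = re.compile(r"^(\S+) SYN (\S+) -> (\S+):(\d+)$")

def parse(log):
    """Yield (timestamp, src, dst, port) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_decoy_scans(log, window_s=10, min_sources=3, min_ports=3):
    """Return {dst: sorted(sources)} where at least min_sources distinct sources
    each probed at least min_ports distinct ports on dst inside one window."""
    events = sorted(parse(log))          # chronological order
    by_dst = defaultdict(list)
    for ts, src, dst, port in events:
        by_dst[dst].append((ts, src, port))
    hits = {}
    for dst, evs in by_dst.items():
        for i, (start, _, _) in enumerate(evs):   # slide a window over each start
            ports_by_src = defaultdict(set)
            for ts, src, port in evs[i:]:
                if (ts - start).total_seconds() > window_s:
                    break
                ports_by_src[src].add(port)
            scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= min_ports)
            if len(scanners) >= min_sources:
                hits[dst] = scanners   # real scanner is one of these; the rest are decoys
                break
    return hits
```

The lockstep pattern is the signal; telling the real source apart from the decoys needs further correlation (for example, which address later completes handshakes), which this heuristic does not attempt.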

2️⃣ Scan for Vulnerable Services

Command:
nmap --script=vuln [Link]

Purpose: Automatically detects known vulnerabilities in services
running on a target.

⚙ How it works:
- Uses Nmap Scripting Engine (NSE) to run scripts from the 'vuln' category.
- Checks software versions against known exploits.

Why it’s useful: Saves hours of manual probing and helps prioritize
high-risk findings.

🛠 Bug bounty use: Quickly spot outdated or misconfigured services for
deeper testing.

⚠ Risks & Pro Tip:

- Can be noisy — avoid on live production systems without permission.
- Use `--script="safe and vuln"` to run only the vuln scripts that are also rated safe and so reduce disruption (the comma form `safe,vuln` selects every script in either category, which adds scripts instead of filtering them).

3️⃣ Timing Template for Speed

Command:
nmap -T4 [Link]

Purpose: Increases scan speed while keeping accuracy.

⚙ How it works:
- Nmap has timing templates from T0 (paranoid) to T5 (insane).
- T4 is a sweet spot for speed without losing too many packets.

Why it’s useful: Perfect for scanning large subnets without waiting
forever.

🛠 Bug bounty use: Saves time when doing wide-scope reconnaissance.

⚠ Risks & Pro Tip:

- Too fast (T5) can flood the network and trigger alarms.
- Use T3 on fragile systems to avoid disruption.

4️⃣ UDP Scan (Often Overlooked)

Command:
nmap -sU [Link]

Purpose: Finds open UDP ports (services that don’t use TCP).

⚙ How it works:
- Sends UDP packets to target ports.
- Identifies running services like DNS, SNMP, TFTP.

Why it’s useful: Many admins forget to secure UDP services, leaving
hidden vulnerabilities.

🛠 Bug bounty use: Finds misconfigured UDP-based services that are easy
to exploit.

⚠ Risks & Pro Tip:

- UDP scans are slow and sometimes unreliable.
- Combine with `-sU -T4` for faster results.

5️⃣ Detect Heartbleed Vulnerability

Command:
nmap -p 443 --script=ssl-heartbleed [Link]

Purpose: Checks if a system is vulnerable to the Heartbleed bug
(CVE-2014-0160).

⚙ How it works:
- Uses an NSE script to send malicious heartbeat requests.
- If the server leaks data back, it’s vulnerable.

Why it’s useful: Confirms SSL/TLS misconfigurations quickly.

🛠 Bug bounty use: If in scope, proves a serious vulnerability with minimal
effort.

⚠ Risks & Pro Tip:

- Never test Heartbleed on live systems outside legal scope.
- Always document and report findings immediately.

🚨 Common Mistakes When Using Nmap

1. Scanning without scope — Illegal & traceable.
2. Using aggressive scans on fragile systems — May crash them.
3. Not using output logs — Always run with -oN or -oA to save results.
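
Tying the Heartbleed check above to the "save your results" tip: the following Python triage script is an added example, not from the original document. It reads the XML that `-oX` (or `-oA`) writes and lists which hosts the ssl-heartbleed script reported as VULNERABLE. The XML fragment is constructed; the assumption that the script emits a "State: ..." line and, when available, an `<elem key="state">` element follows the layout of the NSE vulns library.

```python
"""Triage nmap -oX output for ssl-heartbleed results (added example, not from the page)."""
import re
import xml.etree.ElementTree as ET

# Constructed nmap XML fragment, not a real scan. Host .10 has a structured
# state element, .11 had no script output (vulns library prints nothing when
# not vulnerable), and .12 only has a plain-text "State:" line.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
      <script id="ssl-heartbleed" output="&#10;  VULNERABLE:&#10;  The Heartbleed Bug (CVE-2014-0160)&#10;    State: VULNERABLE&#10;    Risk factor: High">
        <table key="CVE-2014-0160"><elem key="state">VULNERABLE</elem></table>
      </script></port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/>
      <script id="ssl-heartbleed" output="&#10;    State: NOT VULNERABLE"/></port></ports></host>
</nmaprun>
"""

def heartbleed_findings(xml_text, script_id="ssl-heartbleed"):
    """Return [(ip, port, state)] for every port where the script produced output.
    state comes from <elem key="state"> when present, else from the
    'State: ...' line in the plain output, else 'UNKNOWN'."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != script_id:
                    continue
                elem = script.find(".//elem[@key='state']")
                if elem is not None and elem.text:
                    state = elem.text.strip()
                else:
                    m = re.search(r"State:\s*([A-Z ]+)", script.get("output", ""))
                    state = m.group(1).strip() if m else "UNKNOWN"
                findings.append((addr.get("addr"), int(port.get("portid")), state))
    return findings

def vulnerable_hosts(xml_text):
    """IPs whose state is exactly VULNERABLE ('NOT VULNERABLE' is excluded)."""
    return sorted({ip for ip, _, st in heartbleed_findings(xml_text) if st == "VULNERABLE"})
```

Because the vulns library prints nothing for hosts that pass, a host missing from the findings list is not evidence of a failed check; confirm the script actually ran against it before closing the finding.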

🧠 Pro Tips (No One Tells You)

• Stack commands for hybrid scans:

nmap -sS -sU -p- --script=vuln -T4 [Link]

→ Finds TCP & UDP ports, scans all ports, runs vuln scripts — in one go.

• Use --top-ports=100 to focus on most common ports for faster recon.

• Learn NSE scripting — it’s the secret weapon for custom scanning.
