# Active Scanning

## Scanning IP Blocks

Example nmap command for a quick first pass over a block:

```bash
nmap -Pn -sS -p- ip.ad.dr.es/24 --max-retries=0
```

`--max-retries=0` makes nmap send each port probe once and never retransmit, which is much quicker than the default on slow or lossy links. The trade-off is that a port whose probe was dropped is reported as `filtered` rather than `open`, so rescan anything interesting with the default retry count.

Run several nmap processes in parallel instead of a single nmap with every IP in its target list. nmap works through a list in host groups and a group only finishes when its slowest host does, so one slow or rate-limited host holds up the whole scan; separate processes keep the fast batches moving:

1\) put the target IPs in a file, one per line

2\) split the list into smaller batches, e.g. 50 IPs per file (`split` names the pieces `xaa`, `xab`, ... in the current directory):

```
cd /path/to/folder/
split -l 50 HugeListOfIPs.txt
```

3\) create bash file:

```bash
#!/bin/bash
# One nmap process per batch file, each started in the background so the scans really run in parallel.
# Needs root for -sS/-sU. split(1) names its pieces xaa, xab, ..., which the glob below matches.
for filepart in /path/to/folder/x??
do
  name=$(basename "$filepart")
  # -sSU: SYN-scan the T: ports and UDP-scan the U: ports; without -sU nmap ignores the U: list.
  nmap -v -sSU -p T:1-65535,U:1-1024 -Pn --open --reason -iL "$filepart" -oA "nmap_sSU_allTCP_1kUDP_$name" &
done
wait   # block until every background scan has finished
```

```bash
chmod 744 parallelnmap.sh
sudo ./parallelnmap.sh
```
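The three steps above as one added script (example code, not from the original notes): it batches the list and then runs a bounded number of nmap jobs at once with `xargs -P`, so 200 batch files do not turn into 200 simultaneous scans. The batch size, job count and all paths are assumptions; nmap must be on `PATH` and the scan must run as root for `-sS`/`-sU`.

```bash
#!/bin/bash
# Added example: batch a target list and scan the batches with at most N concurrent nmap processes.
# Assumptions: paths, batch size and job count are illustrative; nmap on PATH; run as root for -sS/-sU.
set -u

NMAP="${NMAP:-nmap}"   # override for a dry run, e.g. NMAP=echo prints the commands instead of scanning
NMAP_OPTS="${NMAP_OPTS:--v -sSU -p T:1-65535,U:1-1024 -Pn --open --reason}"

# split_targets <ip_list> <batch_dir> [batch_size]
# Drops blank lines and duplicates, writes batch_aa, batch_ab, ... into batch_dir, prints the batch count.
split_targets() {
  local list="$1" dir="$2" size="${3:-50}"
  mkdir -p "$dir"
  rm -f "$dir"/batch_*          # stale pieces from an earlier run would be scanned again
  grep -Ev '^[[:space:]]*$' "$list" | sort -u | split -l "$size" - "$dir/batch_"
  ls "$dir"/batch_* | wc -l | tr -d ' '
}

# scan_batches <batch_dir> [jobs]
# One nmap per batch file, at most <jobs> running at a time; -oA output lands next to each batch file.
scan_batches() {
  local dir="$1" jobs="${2:-4}"
  ls "$dir"/batch_* | xargs -P "$jobs" -I{} sh -c "$NMAP $NMAP_OPTS -iL '{}' -oA '{}.nmap_sSU_allTCP_1kUDP'"
}

# Usage (as root): split_targets HugeListOfIPs.txt batches 50 && scan_batches batches 4
```

Keep the job count to what the network and the scanning host can absorb; a handful of concurrent nmaps already removes the one-slow-host bottleneck without flooding the uplink.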

## Vulnerability Scanning

nmap scripts in the `vuln` NSE category:

```bash
sudo nmap -v -sS -Pn --script=vuln -iL /list/of/ips.txt -oA output
```

Add `-sV` when time allows: many vuln scripts only run against ports whose detected service matches, so relying on the default port-to-service table misses services on non-standard ports. Treat script output as a lead to confirm by hand, not as a finding.

Other scanners:

* Tenable Nessus
* ZAP scanner (web)
* Burp Pro scanner (web)
