Active Scanning

Scanning IP Blocks

Example nmap commands:

nmap -Pn -sS -p- ip.ad.dr.es/24 --max-retries=0
(for slow scans: never retransmit a port probe, which is much quicker than the default; the trade-off is that a probe lost to packet loss is not retried, so that port may be missed)

Execute multiple nmap scans in parallel as opposed to a single nmap with multiple IPs (avoids one slow host slowing down the whole scan):

1) put the IPs in a file, one per line

2) split the list of IPs into smaller batches, e.g. 50 IPs per file (split names the pieces xaa, xab, ...):

cd /path/to/folder/
split -l 50 HugeListOfIPs.txt

3) create bash file parallelnmap.sh:

#!/bin/bash
# One nmap process per batch file, started in the background so the batches really run in parallel.
# Glob the split(1) output (xaa, xab, ...) rather than ls, so HugeListOfIPs.txt in the same folder is not scanned as one huge batch.
for filepart in /path/to/folder/x??
do
  name=$(basename "$filepart")
  # -sU is required for the U: ports to be scanned at all; without it nmap ignores them
  nmap -v -sS -sU -p T:1-65535,U:1-1024 -Pn --open --reason -iL "$filepart" -oA "nmap_sSU_allTCP_1kUDP_$name" &
done
wait

then make it executable and run it (raw sockets for -sS/-sU need root):

chmod 744 parallelnmap.sh
sudo ./parallelnmap.sh
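The batch script leaves one set of -oA result files per batch. The following added example (not part of the original notes) merges the greppable .gnmap outputs into a single open-port inventory per host, keeping only ports whose state is exactly "open"; the file name pattern follows the script, and the sample .gnmap lines are constructed, not real scan output.

```python
import glob
import re
from collections import defaultdict

# Constructed sample .gnmap content standing in for two batch result files (not real output).
SAMPLE_GNMAP = {
    "nmap_sSU_allTCP_1kUDP_xaa.gnmap": (
        "# Nmap scan initiated as: nmap -v -sS -sU -p T:1-65535,U:1-1024 -Pn --open --reason -iL xaa\n"
        "Host: 10.0.0.5 ()\tStatus: Up\n"
        "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
        "53/open/udp//domain///\tIgnored State: filtered (66555)\n"
    ),
    "nmap_sSU_allTCP_1kUDP_xab.gnmap": (
        "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https///, "
        "8080/open|filtered/tcp//http-proxy///\tIgnored State: closed (66556)\n"
    ),
}

# Each "Ports:" entry is port/state/protocol/owner/service/rpc_info/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: {(proto, port): service}} for ports whose state is exactly 'open'."""
    result = defaultdict(dict)
    for line in text.splitlines():
        # Comment lines and "Status: Up" lines carry no port data
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = next(f for f in fields if f.startswith("Ports: "))[len("Ports: "):]
        for entry in ports.split(", "):
            m = PORT_RE.match(entry)
            # open|filtered (what --open still lists for unanswered UDP probes) is not confirmed open
            if m and m.group(2) == "open":
                port, _state, proto, service = m.groups()
                result[host][(proto, int(port))] = service
    return dict(result)


def merge_batches(pattern="nmap_sSU_allTCP_1kUDP_*.gnmap", contents=None):
    """Merge every batch file matching pattern; pass contents={name: text} to skip disk I/O."""
    if contents is None:
        contents = {p: open(p).read() for p in glob.glob(pattern)}
    merged = defaultdict(dict)
    for text in contents.values():
        for host, ports in parse_gnmap(text).items():
            merged[host].update(ports)
    return dict(merged)
```

Run it from the folder holding the -oA output with merge_batches(); the sample data shows how the open|filtered entry on 8080 is excluded from the inventory.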

Vulnerability Scanning

nmap "vuln" script category:

sudo nmap -v -sS -Pn --script=vuln -iL /list/of/ips.txt -oA output

Other scanners:

  • Tenable Nessus

  • ZAP scanner (web)

  • Burp Pro scanner (web)
