📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • -sS
  • -sT
  • -sU
  • -sY
  • -sZ
  • -sN; -sF; -sX
  • -sM
  • -sA
  • -sW
  • -s0
  1. Networking
  2. Nmap

Scan types

-sS

  • Quick and lightweigth since the handshake is not completed

  • Allow to differentiate between opened, filtered and closed ports

  • Default when nmap is run as root

-sT

  • Less efficient than -sS since it has to wait for the whole TCP handshake to complete

  • Leaves traces in target's logfiles

  • Default when nmap is not run with root privileges

  • Guaranteed to work with proxychains

-sU

  • UDP scan, can be combined with TCP ones

  • Very slow since most systems limit the number of responses per second

  • Better prioritize the most used ports instead of scanning all 65535

-sY

  • SCTP equivalent of the TCP Syn scan

  • Fast and efficient

-sZ

  • SCTP equivalent of -sN scan

  • Stealthier and reliable

  • Cannot distinguish between open and filtered ports

-sN; -sF; -sX

  • Exploit a loophole in RFC that can be used to sneak through IDS

  • More chance of hiding the attack from detection

  • The effectiveness of the scan depends on the implementation of the RFC 789 on the target machine

  • More reliable against Unix-based systems

  • Cannot distinguish open ports from filtered ones

-sM

  • Works like the -sN scan, but with ACK/FIN flags

  • Many BSD-based systems simply drop the packet

-sA

  • Is used to map firewall rulesets, finding out which ports are filtered

  • All reachable ports are mapped as unfiltered

  • Ports that are unreachable or send back certain ICMP error messages are mapped as filtered

  • Unable to determine if a port is open or closed

-sW

  • Works the same way as the -sA scan

  • Is also able to differentiate between open and closed ports depending on the size of their window (0 if port is closed)

  • Unreliable, only a minority of all devices implement the window in this way

  • System that don't support this scan report all ports as closed

  • If you find lots of closed ports and just a handful of filtered ones, than the system might be suscectible, even the reverse is true: if you find lots of filtered ports and just a couple of closed ones then they might actually be open

-s0

  • Allows to detect which IP protocols run on a given port

  • Certain systems expect custom headers so some ports might be flagged as closed or open|filtered

  • Does not test for TCP, UDP, ICMP, SCTP, and IGMP

PreviousNmapNextTCPDump

Last updated 4 years ago