Advanced Pentest & Offensive
Scanning with nmap and masscan — ports, services, OS fingerprinting, stealth
Scanning is the first active contact with the target. The goal is to map what is exposed: ports, protocols, versions, and operating system. All activity must be performed within authorized scope.
nmap — fundamentals
# Basic TCP scan (top 1000 ports; SYN scan when run as root, connect scan otherwise)
nmap 192.168.1.10
# All 65535 ports
nmap -p- 192.168.1.10
# IP range (subnet)
nmap 192.168.1.0/24
# Specific ports
nmap -p 22,80,443,3306,5432 192.168.1.10
Version detection and OS fingerprinting
# Service version detection (-sV) + OS (-O)
nmap -sV -O 192.168.1.10
# Aggressive: version + OS + scripts + traceroute
nmap -A 192.168.1.10
Typical output:
22/tcp open ssh OpenSSH 8.9p1 Ubuntu
80/tcp open http Apache httpd 2.4.52
3306/tcp open mysql MySQL 8.0.32
OS: Linux 5.15
TCP scan types
SYN scan (-sS) — default when run as root, "half-open":
→ sends SYN; SYN-ACK means open, RST means closed, no reply means filtered
→ answers the SYN-ACK with RST instead of ACK, so the handshake never completes
  and the service's accept() never runs → nothing in the application's own logs
→ an IDS, flow collector or stateful firewall still sees every SYN: quieter, not invisible
→ requires root/sudo (raw sockets)
Connect scan (-sT):
→ full TCP handshake through the OS connect() call; the default when not root
→ the service accepts the connection, so it appears in application logs → more detectable
UDP scan (-sU):
→ much slower: an open UDP port usually sends nothing back, a closed one answers with
  ICMP port unreachable, and Linux rate-limits those errors to about one per second
→ no reply is reported as open|filtered; add -sV so nmap sends protocol-specific payloads
→ important ports: 53 (DNS), 161 (SNMP), 500 (IPSec)
nmap -sU -p 53,161,500 192.168.1.10
NULL (-sN) / FIN (-sF) / Xmas (-sX) scan:
→ probes without the SYN flag; per RFC 793 a closed port answers RST and an open port stays silent
→ may slip past a stateless filter that only blocks SYNs, but a stateful firewall drops them
  (everything shows filtered) and Windows answers RST on every port (everything shows closed)
NSE scripts (Nmap Scripting Engine)
# Help for every script in a category (script names and categories are indexed in script.db)
nmap --script-help "vuln"
# Run the whole vuln category (slow and noisy, and some of its scripts are intrusive)
nmap --script vuln 192.168.1.10
# Specific scripts, limited to the relevant ports
nmap --script http-title,http-server-header -p 80,443 192.168.1.10
nmap --script smb-vuln-ms17-010 -p 445 192.168.1.10 # EternalBlue check
nmap --script ssh-auth-methods -p 22 192.168.1.10
# Banner grabbing via NSE (connects to each open port and prints what the service sends first)
nmap --script banner 192.168.1.10
Firewall and IDS evasion
# Packet fragmentation: splits the TCP header over several small IP fragments,
# so a stateless filter that matches on header fields may miss the probe
nmap -f 192.168.1.10
# Decoy scan: the same probes are also sent from spoofed source IPs, so the real
# scanner is one entry among many in the target's logs. Decoys should be live hosts
# (otherwise the target can be SYN-flooded) and do not apply to -sT or -sV probes
nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.10
# Timing (-T0 = slowest, -T5 = fastest; -T3 is the default)
nmap -T0 192.168.1.10 # one probe every 5 minutes, only usable for a handful of ports
nmap -T4 192.168.1.10 # usual choice on a reliable LAN; -T5 trades accuracy for speed
# Custom source port: some stateless filters allow any traffic from 53 (DNS) or 20 (FTP-data)
nmap --source-port 53 192.168.1.10
# Skip host discovery and treat the target as up (ICMP echo is often blocked)
nmap -Pn 192.168.1.10
masscan — speed on large networks
masscan uses its own TCP/IP stack and sends probes asynchronously, so at millions of packets per second it can sweep the whole IPv4 internet in minutes. It answers only one question per port (SYN-ACK received or not), so on internal networks it serves as a fast first pass over large subnets before nmap does the detailed work. It needs root, and --rate is packets per second: start low, because a rate the link or switches cannot sustain silently loses results and can crash fragile embedded devices.
# Fast scan of an entire subnet (needs root)
masscan 192.168.1.0/24 -p 1-65535 --rate=10000
# XML output for later import into nmap-aware tools
masscan 192.168.1.0/24 -p 80,443,22 --rate=5000 -oX result.xml
# Recommended workflow: masscan finds the ports, nmap identifies the versions.
# masscan prints "Discovered open port 80/tcp on 192.168.1.10", so field 6 is the host
masscan 192.168.1.0/24 -p 1-65535 --rate=10000 | grep open | awk '{print $6}' \
| sort -u > active_hosts.txt
# note: this rescans nmap's top 1000 ports on each host; keep field 4 as well
# if nmap should only probe the ports masscan actually found
nmap -sV -iL active_hosts.txt
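The grep/awk one-liner keeps only the host addresses and throws away the port numbers masscan found. The following is an added example (not code from the page, nmap or masscan) that parses masscan's stdout lines, collapses duplicates, groups ports per host and builds one nmap -sV command per host limited to those ports. SAMPLE_OUTPUT is constructed sample data, not a real scan; the masscan line format it assumes is the one masscan prints to stdout, "Discovered open port 80/tcp on 192.168.1.10".

```python
import re
from collections import defaultdict

# masscan writes one line per finding to stdout (the status bar goes to stderr):
#   Discovered open port 80/tcp on 192.168.1.10
MASSCAN_LINE = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on (?P<host>[\d.]+)$"
)

# Constructed sample output, not a real scan; note the duplicated 22/tcp line.
SAMPLE_OUTPUT = """\
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-01-01 12:00:00 GMT
Discovered open port 22/tcp on 192.168.1.10
Discovered open port 80/tcp on 192.168.1.10
Discovered open port 3306/tcp on 192.168.1.10
Discovered open port 445/tcp on 192.168.1.20
Discovered open port 22/tcp on 192.168.1.10
Discovered open port 161/udp on 192.168.1.30
"""


def parse_masscan(text):
    """Return {host: {proto: sorted list of ports}} from masscan's stdout.

    Non-finding lines (banner, progress) are skipped, and duplicate findings,
    which masscan can emit when retries are enabled, are collapsed.
    """
    found = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = MASSCAN_LINE.match(line.strip())
        if m:
            found[m["host"]][m["proto"]].add(int(m["port"]))
    return {h: {p: sorted(ps) for p, ps in protos.items()} for h, protos in found.items()}


def nmap_commands(results):
    """One nmap -sV invocation per host, restricted to the ports masscan saw.

    nmap's -p syntax takes T:/U: prefixes, so TCP and UDP ports share one run;
    -sU (the slow part) is only switched on for hosts with UDP findings.
    """
    cmds = []
    for host in sorted(results, key=lambda h: tuple(int(o) for o in h.split("."))):
        protos = results[host]
        spec = []
        if "tcp" in protos:
            spec.append("T:" + ",".join(map(str, protos["tcp"])))
        if "udp" in protos:
            spec.append("U:" + ",".join(map(str, protos["udp"])))
        scan_flag = "-s" + ("S" if "tcp" in protos else "") + ("U" if "udp" in protos else "")
        cmds.append(f"nmap {scan_flag} -sV -p {','.join(spec)} {host}")
    return cmds


if __name__ == "__main__":
    import sys
    # Pipe real output in (masscan ... | python3 this.py) or run without stdin for the sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for cmd in nmap_commands(parse_masscan(text)):
        print(cmd)
```

On the sample this emits `nmap -sS -sV -p T:22,80,3306 192.168.1.10`, one line per host, so the slow version-detection phase touches only three ports on that host instead of the top 1000.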
Output and analysis
# Save in multiple formats
nmap -oA scan_result 192.168.1.0/24
# Generated files:
# scan_result.nmap (human-readable)
# scan_result.xml (import into Metasploit/Nessus)
# scan_result.gnmap (greppable)
# Quick grep for open ports
grep "open" scan_result.gnmap
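grep finds the lines, but the .gnmap format is regular enough to parse properly. The following is an added example (not the page's or nmap's code) that turns greppable output into per-host port records and answers the triage questions that come up next, such as "which hosts have 445/tcp open". SAMPLE_GNMAP is constructed sample content in the real .gnmap layout (tab-separated sections on each Host: line, port entries of the form port/state/proto/owner/service/rpc/version/); the hostnames and addresses in it are made up.

```python
from typing import NamedTuple


class Port(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


# Constructed .gnmap content, not from a real scan. Sections on a Host: line are
# tab-separated; each port entry is port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oA scan_result 192.168.1.0/24\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, "
    "80/open/tcp//http//Apache httpd 2.4.52/, 3306/open/tcp//mysql//MySQL 8.0.32/"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 (fs01.local)\tPorts: 445/open/tcp//microsoft-ds///, "
    "139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.30 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (1)\n"
    "# Nmap done at Mon Jan  1 12:05:00 2024 -- 256 IP addresses (3 hosts up) scanned\n"
)


def parse_gnmap(text):
    """Return {host: [Port, ...]} from greppable nmap output (-oG, or the .gnmap of -oA)."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines
        sections = dict(s.split(": ", 1) for s in line.split("\t") if ": " in s)
        host = sections["Host"].split()[0]   # "192.168.1.20 (fs01.local)" -> the IP
        ports = results.setdefault(host, [])
        for item in filter(None, sections.get("Ports", "").split(", ")):
            # nmap rewrites '/' inside service/version text as '|', so splitting is safe
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            ports.append(Port(int(port), proto, state, service, version))
    return results


def open_ports(results):
    """Only the 'open' entries, as (port, proto, service) per host; hosts with none are dropped."""
    out = {}
    for host, ports in results.items():
        hits = [(p.port, p.proto, p.service) for p in ports if p.state == "open"]
        if hits:
            out[host] = hits
    return out


def hosts_with(results, port, proto="tcp", state="open"):
    """Hosts where a given port is in the given state, e.g. every box with 445/tcp open."""
    return sorted(h for h, ports in results.items()
                  if any(p.port == port and p.proto == proto and p.state == state for p in ports))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, hits in open_ports(scan).items():
        print(host, hits)
    print("SMB hosts:", hosts_with(scan, 445))
```

Keeping the state in the record matters: `hosts_with(scan, 161, proto="udp", state="open|filtered")` lists the SNMP candidates that a plain grep for "open" would also catch but silently mix with confirmed-open TCP ports.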
Interpreting results
Port states:
open → a service accepted the probe (SYN-ACK, or a UDP or ICMP reply from the service)
closed → the host answered RST or ICMP port unreachable: reachable, but nothing listening
filtered → no reply, or an ICMP admin-prohibited error: a firewall dropped the probe or the response, so the state cannot be determined
open|filtered → no reply and nmap cannot tell which of the two it is; typical for UDP and for NULL/FIN/Xmas scans
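The connect scan described under "TCP scan types" and the open/closed/filtered states above come together in a few lines of socket code. The following is an added example (not the page's or nmap's code) that classifies ports the way nmap -sT does, and then runs itself against a constructed local target: a listener on one ephemeral 127.0.0.1 port and a second port that was bound and released so nothing listens on it. The listener also counts how many connections it accepted, which is the trace a full-connect scan leaves in a service's own logs and a half-open -sS scan does not. Function names, ports and the local target are assumptions of this example.

```python
import errno
import socket
import threading


def connect_scan(host, ports, timeout=1.0):
    """Classify ports with full TCP connects, as nmap -sT does.

    open      connect() completed the three-way handshake
    closed    the host answered the SYN with RST (ECONNREFUSED)
    filtered  nothing came back before the timeout, or an ICMP unreachable arrived:
              something between us and the service dropped the probe
    """
    states = {}
    unreachable = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                states[port] = "open"
            except socket.timeout:
                states[port] = "filtered"
            except ConnectionRefusedError:
                states[port] = "closed"
            except OSError as e:
                states[port] = "filtered" if e.errno in unreachable else f"error:{e.errno}"
    return states


def demo():
    """Constructed local target (assumption of this example): one listener on an
    ephemeral port, plus a second ephemeral port bound and released so it is closed.

    Returns (states, open_port, closed_port, accepted); 'accepted' is how many
    connections the listener really received, i.e. what the service would log.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    accepted = []
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            accepted.append(addr)
            conn.close()
        srv.setblocking(False)          # drain any handshake that completed between
        while True:                     # the last accept() and the stop flag
            try:
                conn, addr = srv.accept()
            except BlockingIOError:
                break
            accepted.append(addr)
            conn.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        stop.set()
        t.join()
        srv.close()
    return states, open_port, closed_port, len(accepted)


if __name__ == "__main__":
    states, open_port, closed_port, accepted = demo()
    print(f"{open_port}/tcp {states[open_port]}, {closed_port}/tcp {states[closed_port]}, "
          f"listener accepted {accepted} connection(s)")
```

The filtered branch cannot be exercised against localhost, since the loopback interface never drops packets; pointing `connect_scan` at a firewalled host in scope with a short timeout shows it. The accepted count is the practical difference between -sT and -sS: the open port's service saw a real connection here, which is exactly what a SYN scan avoids.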
Actions per port:
22 open → try weak credentials, check for vulnerable version
80/443 → enumerate web (directories, technologies, CVEs)
3306 → database externally accessible? authentication required?
445 → SMB: check shares, EternalBlue (MS17-010)
161 UDP → SNMP: community string "public"? config dump possible
Scanning is both science and craft: well-tuned parameters avoid alerting the target while ensuring full coverage.