root@oco:~$ nmap -sn {ipAddress | networkAddress/CIDR}
* the -sn option performs host discovery only (ping scan), with no port scan
  - as root, host discovery sends an ICMP Echo Request, a TCP SYN to 443, a TCP ACK to 80
    and an ICMP Timestamp request; unprivileged, it falls back to TCP connect() to 80/443
  - Windows Defender Firewall drops inbound ICMP Echo Requests by default (unless a rule
    such as File and Printer Sharing enables them), so Windows hosts can be reported as
    "down"; use -Pn to skip host discovery and scan them anyway
SERVICE VERSION DETECTION
root@oco:~$ nmap -sV {ipAddress | networkAddress/CIDR} -p-
* the -sV option probes each open port to identify the service, product and version
  - -p- scans all 65535 TCP ports instead of the default top 1000; it is much slower, so
    save the results (-oX or -oA) rather than re-running it
BASIC CHECKS
root@oco:~$ nmap --script-help all
* prints the name, categories and description of every NSE script
  - pass a category or script name instead of "all" to narrow it, e.g. --script-help vuln
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 23
* the -sC option runs the default category of NSE scripts (equivalent to --script=default):
  service-specific enumeration and basic checks such as banner grabbing and supported
  options; -sV adds version detection and -T4 uses the aggressive timing template (faster,
  usually fine on a LAN, may miss results on slow or rate-limited links)
VULNERABILITY SCANNING
root@htb:~$ sudo nmap --script=vuln {targetIP} -p {port}
* --script=vuln runs the NSE scripts in the vuln category, which test for specific known
  vulnerabilities and misconfigurations in the service on the given port (port 23, Telnet,
  in the example above)
  - e.g., weak Telnet configurations such as unencrypted logins, or known vulnerabilities
    in the Telnet service that a shipped script checks for
  - combine with -sV: many vuln scripts only run once the service has been identified
  - no output means none of the shipped vuln scripts matched; it is NOT proof that the
    service is fully patched, since coverage is limited to the checks bundled with Nmap
  - several vuln scripts are also in the intrusive category and may crash or alter the
    target, so run them only with authorization
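Added example (not part of this cheat sheet and not an Nmap tool): a Python script that parses the XML written by -oX for the scan sequence above, pulls out the -sV fingerprint and NSE script output per port, and turns it into follow-up actions. The sample XML is constructed for this example with RFC 1918 addresses and is not from a real scan; the "State: VULNERABLE" line it looks for is the marker the NSE vulns library prints when a check fires, and a host reported down with reason "no-response" is mapped to the -Pn retry noted above.

```python
"""Parse Nmap -oX output and triage it. Sample XML below is constructed for
this example (RFC 1918 addresses, not a real scan result)."""
import xml.etree.ElementTree as ET

# Constructed stand-in for: nmap -sV -sC --script=vuln -p 23 -oX scan.xml 10.0.0.0/29
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC --script=vuln -p 23 -oX scan.xml 10.0.0.0/29" version="7.94">
<host><status state="up" reason="echo-reply" reason_ttl="64"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="23">
<state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="telnet" product="Linux telnetd" method="probed" conf="10"/>
<script id="telnet-encryption" output="&#10;  Telnet server does not support encryption"/>
</port></ports></host>
<host><status state="down" reason="no-response" reason_ttl="0"/>
<address addr="10.0.0.9" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_nmap_xml(text):
    """Return one dict per <host>: address, up/down state, the reason Nmap gave,
    and each port with its -sV fingerprint and the output of every NSE script."""
    hosts = []
    for h in ET.fromstring(text).iter("host"):
        status = h.find("status")
        ports = []
        for p in h.iter("port"):
            svc = p.find("service")
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # script output is an attribute; leading newline/indent is Nmap's formatting
                "scripts": {s.get("id"): (s.get("output") or "").strip()
                            for s in p.iter("script")},
            })
        hosts.append({"addr": h.find("address").get("addr"),
                      "state": status.get("state"),
                      "reason": status.get("reason"),
                      "ports": ports})
    return hosts


def vulnerable_scripts(scripts):
    """Ids of scripts whose output carries a positive result from the NSE vulns
    library, i.e. a 'State: VULNERABLE ...' line. 'State: NOT VULNERABLE' is ignored."""
    hits = []
    for sid, out in scripts.items():
        for line in out.splitlines():
            line = line.strip()
            if (line.startswith("State:") and "VULNERABLE" in line
                    and "NOT VULNERABLE" not in line):
                hits.append(sid)
                break
    return hits


def triage(hosts):
    """Turn parsed results into the next action a tester would take per host/port."""
    notes = []
    for h in hosts:
        if h["state"] != "up":
            # no-response to every discovery probe: typical of a host dropping ICMP echo
            hint = ("; retry with -Pn (host may drop ICMP echo)"
                    if h["reason"] == "no-response" else "")
            notes.append(f"{h['addr']}: down ({h['reason']}){hint}")
            continue
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            banner = " ".join(x for x in (p["service"], p["product"], p["version"]) if x)
            hits = vulnerable_scripts(p["scripts"])
            if hits:
                notes.append(f"{h['addr']}:{p['port']} {banner}: VULNERABLE per "
                             f"{', '.join(hits)}")
            else:
                # silence from the vuln category is not evidence of a patched service
                notes.append(f"{h['addr']}:{p['port']} {banner}: no vuln-category hit "
                             f"({len(p['scripts'])} script(s) ran); not proof it is patched")
    return notes


if __name__ == "__main__":
    for line in triage(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```

Run it against a real scan by replacing SAMPLE_XML with the contents of the -oX file; the vulns-library marker is the only heuristic here, so scripts that print free-form findings without a "State:" line still need a manual read.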