Perform a SYN scan for range of ports:

hping3 -S -p <port> <target>

Specify a port range:

hping3 -S --scan 1-1000 <target>

SYN scan all ports:

hping3 -S --scan all <target>

SYN scan a list of ports:

hping3 -S --scan 80,445,53,21 <target>


Simple SYN scan:

nmap -sS <target>

Increase scan speed by disabling DNS resolution -n and treating parget as online -Pn:

nmap -sS <target> -n -Pn 

Execute TCP connect scan -sT in fast mode -F which scans fewer ports than the default scan:

nmap -sT <target> -F

Scan UDP ports:

nmap -sU <target>

TCP null scan:

nmap -sN <target>

Christmas scan:

nmap -sX <target>

FIN scan:

nmap -sF <target>

Nmap NSE

NSE scripts are located in:


Execute default set of scripts:

nmap -c

Specify certain script:

nmap --script 

How to update scripts:

nmap --script-updatedb

Get help for certain script catagory (example help for SMB discovery scripts):

nmap --script-help “smb*” and discovery

Lookup whois information:

nmap --script whois-domain <website> -sn

SMB OS discovery:

nmap --script smb-os-discovery -p 445 <target>

Enumerate all SMB shares:

nmap --script smb-enum-shares <target> -p 445

Execute all authentication related scripts:

nmap --script auth <target>

Idle Scan Hping Nmap

Idle scan is stealthy because the target host will never know the real attacker's ip

Probes a zombie candidate:

hping3 -S -r -p <port> <zombie_ip>

Spoofs zombie’s IP and probes target:

hping3 -a <zombie_ip> -S -p <dst_port> <target>

Determines if IP ID is incremental:

nmap --script ipidseq <target> -p <port>

Performs Idle scan. (performs previous two steps simultaneously):

nmap -Pn -sI -p <dst_port> <zombie_ip>:<src_port> <target>

Advanced Port Scanning

Fragment packets:

nmap -f <target> -n --disable-arp-ping -Pn

Fragmented SYN scan:

nmap -sS -f <target>

Performs a scan using decoys:

nmap -p <port> -D <decoy1,ME,decoy2,etc..> <target>

Use random number of decays:

nmap -D RND:10 <target> -sS -p <port> -Pn --disable-arp-ping

Port scan using DNS as source port 53:

nmap --source-port 53 <target> -sS

Port scan well known ports using DNS as source port:

hping3 -S -s 53 --scan known <target>

Spoof MAC address (useful if firewall only accepts packets from specific MAC addresses):

nmap --spoof-mac <choose vendor MAC i.e. Apple or Intel etc..> <target> -p <port> -Pn --disable-arp-ping -n

Random MAC address:

nmap --spoof-mac 0 <target> -p <port> -Pn --disable-arp-ping -n

Delayed scan with randomized hosts from a list of hosts:

nmap -iL hosts.list -sS -p <port> --randomize-hosts -T 2

Spoof IP address of alive host:

hping3 -a <alive host on network> -S -p <port> <target>

Evade firewalls that use packet size to detect port scans:

nmap -sS --data-length 10 -p 21 <target>

Last updated